802.1x vs. VPN

Relying upon WEP for link layer encryption is not the best idea in the world. Sure, it might be okay for a very small environment if you have no other options and you manually change keys on a regular basis. However, for enterprise deployments, you should not rely upon WEP alone (especially with static keys that never change).

As we have seen in Chapter 6, 802.1x offers a number of advantages over WEP alone, and those advantages are what let us rely on link layer encryption. For example, when using 802.1x and PEAP, it would be acceptable to place our APs on our internal network, because we are relying upon 802.1x authentication (against a back-end RADIUS server) and dynamic key rotation to provide our security. There is, however, an important distinction that needs to be made between 802.1x and VPNs. 802.1x secures the link between your 802.11 client and an AP. A VPN secures the link between a remote client and your corporate network.
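As an added illustration of the 802.1x/PEAP arrangement described above (this is an example wpa_supplicant configuration written for this note, not configuration from the book), the client block below requests WPA-EAP with PEAP and MSCHAPv2 as the inner method. The SSID, identity, CA certificate path, and RADIUS server name are assumed placeholder values. The point to notice is that the client validates the RADIUS server's certificate (`ca_cert` and `domain_suffix_match`); without that check a client will happily hand its credentials to any AP that answers to the same SSID, which is exactly the coffee-shop scenario the next paragraph warns about.

```ini
# Example wpa_supplicant.conf for an 802.1x / PEAP corporate WLAN.
# Values in angle brackets are assumed placeholders, not real settings.
ctrl_interface=/var/run/wpa_supplicant

network={
    ssid="<corp-wlan>"
    # Use 802.1x/EAP key management with dynamic (rotated) keys,
    # never a static WEP key.
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP

    eap=PEAP
    identity="<user@example.corp>"
    password="<user-password>"
    # Inner authentication inside the TLS tunnel.
    phase2="auth=MSCHAPV2"

    # Validate the RADIUS server's certificate: trust only our CA and
    # require the server name to match. This is what stops credentials
    # from being offered to a rogue AP broadcasting the same SSID.
    ca_cert="/etc/ssl/certs/<corp-ca>.pem"
    domain_suffix_match="<radius.example.corp>"
}
```

Leaving `ca_cert` unset makes the configuration accept any server certificate, which silently removes the mutual-authentication benefit that justifies putting the APs on the internal network in the first place.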

What does this mean to you? If your clients are going to associate from remote locations that you do not control (such as coffee shops, airports, or hotels), then 802.1x authentication is simply not useful for you. Public hotspots will not require 802.1x and your entire session will float through the air unencrypted. A VPN is absolutely essential in this case.

On the other hand, VPN technology was not designed with wireless networking in mind, and this introduces a number of issues. First, roaming between APs that try to reassign an IP address will break your VPN session. Natively, the 802.11 protocol is not smart enough to hand off an IPSec tunnel. Therefore, the client must reauthenticate every time it moves from one AP to the next.

VPNs are also not very resilient to service interruptions (which may occur more frequently on a wireless network than with a Cat5 cable plugged into the wall). This means that if your design requirements include a great deal of mobility (a larger area than can be covered by one AP), you may need a third-party solution to maintain the integrity of your VPN tunnels.
