You can push the 802.1X settings to domain-joined clients via Group Policy if you're running Windows Server 2008 R2 or later. Otherwise, you may consider a third-party solution to help configure the clients.
4. Do secure 802.1X client settings
The EAP mode of WPA/WPA2 is still vulnerable to man-in-the-middle attacks when the client does not properly verify the authentication server it is talking to. However, you can help prevent these attacks by securing the EAP settings of the client. For instance, in the EAP settings of Windows you can enable server certificate validation by selecting the CA certificate, specify the server address, and disable the prompt that lets users trust new servers or CA certificates.
You can also push these 802.1X settings to domain-joined clients via Group Policy or use a third-party solution, such as Avenda's Quick1X.
5. Do use a wireless intrusion prevention system
There's more to Wi-Fi security than combating those directly trying to gain access to the network. For instance, hackers could set up rogue access points or perform denial-of-service attacks. To help detect and combat these, you should implement a wireless intrusion prevention system (WIPS). The design and approaches of WIPSes vary among vendors, but generally they monitor the airwaves looking for, alerting you to, and possibly stopping rogue access points or malicious activity.
There are many commercial vendors offering WIPS solutions, such as AirMagnet and AirTight Networks. There are also open source options, such as Snort.
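To make the rogue access point check concrete, here is an added example (not from the article or from any of the vendors named) that runs the simplest form of it from a Windows client: it parses the output of `netsh wlan show networks mode=bssid` and flags any access point advertising one of your SSIDs from a BSSID that is not in your inventory, or with a different authentication type than the one you deploy. The inventory and the scan text are constructed sample data; a real WIPS does this continuously with dedicated sensors, and this script is only a point-in-time illustration.

```powershell
# Added example, not from the article: point-in-time rogue-AP check over netsh scan output.

function ConvertFrom-NetshNetworkScan {
    # Turn the text of `netsh wlan show networks mode=bssid` into one object per BSSID.
    param([Parameter(Mandatory)][string]$ScanText)
    $ssid = $null; $auth = $null
    foreach ($line in $ScanText -split "`r?`n") {
        if ($line -match '^SSID\s+\d+\s*:\s*(.*)$') { $ssid = $Matches[1].Trim(); $auth = $null; continue }
        if ($line -match '^\s+Authentication\s*:\s*(.+)$') { $auth = $Matches[1].Trim(); continue }
        if ($line -match '^\s+BSSID\s+\d+\s*:\s*([0-9A-Fa-f:]{17})') {
            [pscustomobject]@{ SSID = $ssid; BSSID = $Matches[1].ToLower(); Authentication = $auth }
        }
    }
}

function Find-RogueAccessPoint {
    # Compare observed access points against an inventory of SSID -> known BSSIDs and expected authentication.
    param(
        [Parameter(Mandatory)][object[]]$Observed,
        [Parameter(Mandatory)][hashtable]$Authorized
    )
    foreach ($ap in $Observed) {
        if (-not $Authorized.ContainsKey($ap.SSID)) { continue }   # a neighbour's network, not ours
        $expected = $Authorized[$ap.SSID]
        $reasons = @()
        if ($expected.BSSIDs -notcontains $ap.BSSID) {
            $reasons += 'unknown BSSID advertising a corporate SSID'
        }
        if ($ap.Authentication -ne $expected.Authentication) {
            $reasons += "authentication is '$($ap.Authentication)', expected '$($expected.Authentication)'"
        }
        if ($reasons) {
            [pscustomobject]@{ SSID = $ap.SSID; BSSID = $ap.BSSID; Authentication = $ap.Authentication; Reason = $reasons -join '; ' }
        }
    }
}

# Constructed inventory: the SSID, BSSIDs and authentication type you actually deploy.
$authorized = @{
    'CorpWiFi' = @{ BSSIDs = @('aa:bb:cc:dd:ee:01', 'aa:bb:cc:dd:ee:02'); Authentication = 'WPA2-Enterprise' }
}

# Constructed scan output in the shape netsh prints; the second entry is an open network
# reusing the corporate SSID from an unknown BSSID, the third is an unrelated neighbour.
$sampleScan = @"
SSID 1 : CorpWiFi
    Network type            : Infrastructure
    Authentication          : WPA2-Enterprise
    Encryption              : CCMP
    BSSID 1                 : aa:bb:cc:dd:ee:01
         Signal             : 82%
         Channel            : 6
    BSSID 2                 : aa:bb:cc:dd:ee:02
         Signal             : 60%
         Channel            : 11

SSID 2 : CorpWiFi
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 02:11:22:33:44:55
         Signal             : 90%
         Channel            : 1

SSID 3 : CoffeeShop
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 66:77:88:99:aa:bb
         Signal             : 40%
         Channel            : 1
"@

$observed = @(ConvertFrom-NetshNetworkScan -ScanText $sampleScan)
Find-RogueAccessPoint -Observed $observed -Authorized $authorized | Format-Table -AutoSize
# Reports 02:11:22:33:44:55 only: unknown BSSID and Open authentication on the corporate SSID.

# For a live scan from the current client, replace $sampleScan with:
#   (netsh wlan show networks mode=bssid) -join "`n"
```

Scheduling this on a few clients gives an early warning for the "evil twin" case the section mentions, but it only sees what those clients happen to hear and cannot stop anything; that is what the dedicated sensors and containment features of a WIPS add.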
6. Do deploy NAP or NAC
In addition to 802.11i and a WIPS, you should consider deploying a Network Access Protection (NAP) or network access control (NAC) solution. These can provide additional control over network access, based on client identity and compliance with defined policies. They can also include functionality to isolate problematic clients and remediation to get clients back within compliance.
Some NAC solutions may also include network intrusion prevention and detection functionality, but you'd want to make sure it also specifically provides wireless protection.
If you're running Windows Server 2008 or later and Windows Vista or later for the clients, you can use Microsoft's NAP functionality. Otherwise, you may consider third-party solutions, such as the open source PacketFence.
7. Don't trust hidden SSIDs
One myth of wireless security is that disabling the SSID broadcasting of access points will hide your network, or at least the SSID, making it harder for hackers. However, this only removes the SSID from the access point beacons. It's still contained in the 802.11 association request, and in certain instances, the probe request and response packets as well. Thus, an eavesdropper can discover a "hidden" SSID fairly quickly -- especially on a busy network -- with a legitimate wireless analyzer.
Some might argue disabling SSID broadcasting still provides another layer of security, but it can have a negative impact on the network configuration and performance. You'd have to manually input the SSID into clients, further complicating client configuration. It would also cause an increase in probe request and response packets, decreasing available bandwidth.
8. Don't trust MAC address filtering
Another myth of wireless security is that enabling MAC address filtering adds another layer of security, controlling which clients can connect to the network. This has some truth, but it's very easy for eavesdroppers to monitor the network for authorized MAC addresses and then change their computer's media access control (MAC) address.