66 CHAPTER 4 Wireless Networking using a unicast session key, and then sent from the AP to the client in a much more secure manner. Mutual Authentication 802.1x and EAP provide for a mutual authentication capability. This makes the clients and the authentication servers mutually authenticating end points, and assists in the mitigation of attacks from man-in-the-middle (MITM) types of devices. Any of the following EAP methods provide for mutual authentication: TLS requires that the server supply a certificate and establish that it has possession of the private key. IKE requires that the server show possession of a preshared key or private key (this can be considered certificate authentication). GSS_API (Kerberos) requires that the server can demonstrate knowledge of the session key. Per-Packet Authentication EAP can support per-packet authentication and integrity protection, but it is not extended to all types of EAP messages. For example, negative acknowledg-