Review: Best tools to set up secure Wi-Fi for BYOD

QuickConnect and XpressConnect offer cloud-based methods to automate BYOD client configuration and connection

Deploying the enterprise mode of Wi-Fi Protected Access (WPA2) with 802.1X authentication provides great Wi-Fi security, but complicates the client configuration and connection process. In bring-your-own-device (BYOD) environments, this can cause user frustration and a spike in help desk calls. The solution is to deploy an automated configuration process so users can easily connect their devices without intervention from IT staff.

In this review, we looked at three tools to help distribute your Wi-Fi and 802.1X settings to users: ClearPass QuickConnect from Aruba, XpressConnect from CloudPath, and the open source SU1X. Though there are differences between them, all help you generate a custom configuration program or app that users can run on their computers, smartphones, or tablets to configure them with your wired or wireless network settings. The configuration program or app can be distributed to users via a website, a captive portal on a separate "setup" SSID, or other means, like a CD or flash drive.

Each tool can also install your RADIUS server's Certificate Authority certificate on the clients. Some of them also support configuring or installing other non-wireless settings or features, like installing third-party applications, modifying a browser's proxy settings, enabling Windows Updates and Windows Firewall, and even installing a network printer.

Here are the individual reviews:

ClearPass QuickConnect

ClearPass QuickConnect from Aruba is a cloud-based service that supports clients using Windows, Mac OS X, iOS, and Android. In addition to the 802.1X settings, it can also install the RADIUS server's Certificate Authority certificate, but not user certificates, though that functionality is being added in an update slated for next month.

QuickConnect supports the third-party SecureW2 supplicant in addition to a device's native supplicant. It also supports client configuration of both WPA modes: 802.1X and pre-shared key (PSK). However, unlike the other solutions, you have to choose either WPA or WPA2; you can't select both, with one as the preferred option and the other as a fallback. For 802.1X, QuickConnect lets you enable Network Access Protection (NAP) on the client and install a NAP client (or any other program/installer).

Unlike the other solutions, QuickConnect lets you easily package third-party applications or installers with the client configuration program. In addition to installing the third-party SecureW2 supplicant, this could give you the opportunity to install other network applications/clients or other organization-wide applications.

To get started with QuickConnect, you log into their website where you'll find a simple interface. To define the network and client program settings you add a Network.

The settings are fairly straightforward but lack tooltips or any other in-line description. The administration user guide describes most settings thoroughly, but the layout and flow of the documentation could be improved.

One major inconvenience of QuickConnect is that you must define separate settings for each OS type: Windows XP, Windows Vista and later, Mac OS X 10.5/10.6, Mac OS X 10.7 and iOS, and Android. For each you must also separately define the wireless and wired settings, even if you'd like them to be the same.

QuickConnect lets you perform basic customization of the user interface of the client program, such as your organization name, reset password and help desk links, and logo.

Once you're done, you can generate and download the package of files. You can then upload it to a web server, where it automatically serves the appropriate program/app for each user's OS, or distribute the files individually by other means.

Testing the client configuration process via a web server went smoothly for each OS type. But I should note that when configuring an Android device, it required that a device PIN/password be set in order to install the RADIUS server's Certificate Authority certificate. Though this is a requirement of Android to store the Certificate Authority certificate in the local keystore, the next solution we'll discuss (XpressConnect) lets you optionally store the certificate in another location to bypass this requirement.

In Windows and Mac OS X 10.6 and earlier, it downloads a simple wizard-type application where you type in your username and password to configure the network settings and then you can choose to Connect or Close the application.

In Mac OS X 10.7 and later and on iOS devices, it downloads and installs the wireless configuration profile. On Android devices, it prompts the user to download the QuickConnect app, where they'd enter their username and password in order to configure the Wi-Fi network.

XpressConnect

XpressConnect from Cloudpath Networks is a cloud-based service similar to ClearPass QuickConnect and supports Windows, Mac OS X, Ubuntu, iOS, and Android devices. In addition to the 802.1X settings, it can also distribute the RADIUS server's Certificate Authority certificate and any user certificates, pulling the latter from your Microsoft CA via the XpressConnect Microsoft CA Integration Module.

Keep in mind that Cloudpath Networks also provides another service targeted at BYOD environments, called XpressConnect Enrollment System. It's designed to handle a wide array of use cases, and includes both an on-board PKI and the ability to talk to other Certificate Authorities, including a Microsoft Certificate Authority.

XpressConnect supports a device's native supplicant or can work with the third-party supplicants XSupplicant or SecureW2. Like QuickConnect, it also supports wireless networks secured with the pre-shared key (PSK) mode of WPA/WPA2 (or even the old WEP). For either 802.1X or PSK mode, you can force the use of WPA (with TKIP) or WPA2 (with AES), or select WPA2 as preferred with WPA as a fallback. You can even choose the required/preferred wireless standards: 802.11n then G then B, N only, G only, etc.

XpressConnect also lets you address conflicting SSIDs: you list wireless network names, and the configuration application either sets them to connect manually or removes them from the client's network list. This reduces the chance of a client roaming to other wireless networks, so it stays connected to the secure network.

You can also define just about any other supplicant setting, such as the server certificate validation settings for Windows. You can even have it check the client's system clock, since an inaccurate date can cause server certificate validation to fail.
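The server certificate validation settings mentioned above are the part of a Windows 802.1X profile that protects users from handing their credentials to a rogue access point running its own RADIUS server. The following is an added example, not code from XpressConnect or any of the reviewed tools: it audits Windows WLAN profiles of the kind that `netsh wlan export profile` produces and flags the weak settings a practitioner would look for. Both sample profiles are constructed for this example, and the element names follow the Windows WLAN/OneX/PEAP profile schema as the author recalls it.

```python
"""Audit Windows WLAN profile XML for weak WPA2-Enterprise / PEAP settings.

Added example; the two profiles below are constructed, and the element
names follow the Windows WLAN, OneX and MsPeap profile schemas as recalled
by the author (they are not taken from the reviewed products)."""
import xml.etree.ElementTree as ET

# Constructed: hardened profile (WPA2/AES, 802.1X, CA pinned, server name checked).
GOOD_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Corp-Secure</name>
  <SSIDConfig><SSID><name>Corp-Secure</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType><connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication>
      <encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
        <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>25</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
            <ServerValidation>
              <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
              <ServerNames>radius.example.com</ServerNames>
              <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
            </ServerValidation>
          </EapType>
        </Eap></Config>
      </EapHostConfig></EAPConfig></OneX>
  </security></MSM>
</WLANProfile>"""

# Constructed: weak profile (WPA/TKIP, no CA pinned, no server name, user may accept any cert).
WEAK_PROFILE = GOOD_PROFILE.replace("WPA2", "WPA").replace("AES", "TKIP") \
    .replace("<DisableUserPromptForServerValidation>true", "<DisableUserPromptForServerValidation>false") \
    .replace("<ServerNames>radius.example.com</ServerNames>", "") \
    .replace("<TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>", "")


def _local(tag):
    """Strip the XML namespace so elements can be matched by local name."""
    return tag.rsplit("}", 1)[-1]


def _first_text(root, name):
    """Text of the first element with this local name, or None if absent."""
    for el in root.iter():
        if _local(el.tag) == name:
            return (el.text or "").strip()
    return None


def audit_profile(xml_text):
    """Return (profile_name, list_of_findings). An empty list means the
    profile enforces WPA2/AES with 802.1X and full server validation."""
    root = ET.fromstring(xml_text)
    findings = []
    name = _first_text(root, "name")  # document order: WLANProfile/name comes first
    auth = _first_text(root, "authentication")
    enc = _first_text(root, "encryption")
    if auth != "WPA2":
        findings.append(f"authentication is {auth}, expected WPA2")
    if enc != "AES":
        findings.append(f"encryption is {enc}, expected AES")
    if _first_text(root, "useOneX") != "true":
        findings.append("802.1X (useOneX) is not enabled")
        return name, findings  # the remaining checks only apply to 802.1X profiles
    if _first_text(root, "DisableUserPromptForServerValidation") != "true":
        findings.append("user may accept an unvalidated RADIUS server certificate")
    if not _first_text(root, "ServerNames"):
        findings.append("no ServerNames: any certificate from the trusted CA is accepted")
    if not _first_text(root, "TrustedRootCA"):
        findings.append("no TrustedRootCA pinned: any CA in the machine store is trusted")
    return name, findings


if __name__ == "__main__":
    for label, xml_text in (("good", GOOD_PROFILE), ("weak", WEAK_PROFILE)):
        name, findings = audit_profile(xml_text)
        print(f"[{label}] {name}: {'OK' if not findings else ''}")
        for f in findings:
            print("   -", f)
```

To run this against real clients, export each profile with `netsh wlan export profile name="<SSID>" folder=<dir>` and pass the file contents to `audit_profile`; a non-empty findings list on a production SSID means the client would accept a spoofed RADIUS server.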

XpressConnect lets you set some non-wireless settings too, like enabling automatic Windows Updates and Windows Firewall if they aren't already active. You can have it enable NAC or even install a NAC Agent. It can also set the proxy settings for web browsers. And for Android and iOS devices, you can even enable lock screen restrictions to help better secure users' devices, like password strength, expirations, and requirements.

To set the network settings and customize the branding of the XpressConnect client program, you use the web-based Cloudpath Administrative Console. The settings are presented in a wizard fashion and are well explained, and the documentation is thorough. In addition to the text and images of the client interface, the look and feel is customizable by changing the text and line colors.

After the initial configuration, you can access the advanced settings and adjust the settings for each individual OS type.

After you've defined your network and visual settings for the client application, you have several methods you can use to deploy: web server, standalone (for CD, flash drive, etc), or integration with a Microsoft CA by hosting it on a domain-joined web server so it can automatically hand out user certificates for networks utilizing EAP-TLS.

When a user visits the URL where you've uploaded the XpressConnect files, they see your customized welcome page, which by default requires them to accept your end-user agreement.

Then it downloads the application for their detected operating system, and in our tests each operating system's configuration went smoothly. As with the previous solution (QuickConnect), installing the Certificate Authority certificate on Android devices requires the device to have a lock screen password/PIN set. But with XpressConnect you can optionally waive this requirement by enabling storage of the certificate in a location other than the default local keystore.

In Windows, Mac OS X 10.6 and earlier, and Ubuntu, a wizard-type of application is downloaded where you can input the username and password to configure and connect to the network.

In Mac OS X 10.7 and later and on iOS devices, it downloads and installs the wireless configuration profile. On Android devices, it prompts the user to download the XpressConnect app, where they'd enter their username and password in order to configure the Wi-Fi network.
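For Mac OS X 10.7+ and iOS, both QuickConnect and XpressConnect deliver a "wireless configuration profile" (a .mobileconfig plist) rather than an application. The example below is added here and is not code from either vendor: it builds such a profile in Python, bundling a RADIUS CA certificate payload with a WPA2-Enterprise PEAP network payload whose server validation is anchored to that certificate, and then parses it back to confirm the anchor is wired correctly. Payload keys follow Apple's Configuration Profile Reference as the author recalls them; the certificate bytes, identifiers and organization name are constructed placeholders.

```python
"""Build and check an Apple Wi-Fi configuration profile (.mobileconfig).

Added example, not vendor code. Keys are from Apple's profile format as
recalled by the author; PLACEHOLDER_CA_DER stands in for a real DER cert."""
import plistlib
import uuid

# Constructed placeholder: in practice, the DER-encoded RADIUS CA certificate.
PLACEHOLDER_CA_DER = b"\x30\x82\x00\x00PLACEHOLDER-CA-CERT"


def build_wifi_profile(ssid, server_names, ca_der, org="Example University"):
    """Return the XML plist bytes of a profile with two payloads: the CA
    certificate and a WPA2-Enterprise network pinned to it."""
    ca_uuid = str(uuid.uuid4()).upper()
    wifi_uuid = str(uuid.uuid4()).upper()
    ca_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"org.example.wifi.ca.{ca_uuid}",
        "PayloadUUID": ca_uuid,
        "PayloadDisplayName": "RADIUS CA certificate",
        "PayloadContent": ca_der,  # bytes are serialized as <data>
    }
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"org.example.wifi.{wifi_uuid}",
        "PayloadUUID": wifi_uuid,
        "PayloadDisplayName": f"Wi-Fi ({ssid})",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [25],  # 25 = PEAP; inner MSCHAPv2 uses the user's password
            "TLSTrustedServerNames": list(server_names),
            "PayloadCertificateAnchorUUID": [ca_uuid],  # trust only this CA payload
            "TLSAllowTrust": False,  # do not let the user accept an unknown server cert
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "org.example.wifi.byod",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{org} Wi-Fi",
        "PayloadOrganization": org,
        "PayloadContent": [ca_payload, wifi_payload],
    }
    return plistlib.dumps(profile)


def check_profile(blob):
    """Parse a profile and report whether the Wi-Fi payload's trust anchor
    points at the bundled CA payload (the property that stops rogue APs)."""
    prof = plistlib.loads(blob)
    by_type = {p["PayloadType"]: p for p in prof["PayloadContent"]}
    wifi = by_type["com.apple.wifi.managed"]
    ca = by_type["com.apple.security.root"]
    eap = wifi["EAPClientConfiguration"]
    return {
        "ssid": wifi["SSID_STR"],
        "anchored": eap["PayloadCertificateAnchorUUID"] == [ca["PayloadUUID"]],
        "server_names": eap["TLSTrustedServerNames"],
        "ca_bytes": ca["PayloadContent"],
        "user_may_override_trust": eap["TLSAllowTrust"],
    }


if __name__ == "__main__":
    blob = build_wifi_profile("Corp-Secure", ["radius.example.com"], PLACEHOLDER_CA_DER)
    with open("corp-secure.mobileconfig", "wb") as fh:
        fh.write(blob)
    print(check_profile(blob))
```

A profile like this is unsigned; the vendors' services deliver theirs over HTTPS, and signing the profile with a certificate the device already trusts is what keeps iOS from labelling it "Unverified" at install time.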

SU1X

SU1X is an open source software solution written by Gareth Ayres of Swansea University and released under the Educational Community License, Version 2.0. Use outside of the academic environments is allowed but requires approval from the developer.

SU1X supports Windows XP (SP2), Vista (any SP), 7, or 8 to configure the wired or wireless 802.1X settings. Though it doesn't support smartphones and tablets, it does include step-by-step directions on how to create an automated configuration app for iOS devices using an Apple utility called the iPhone Configuration Utility (IPCU). SU1X also can't distribute user certificates, but it does support the silent installation of a RADIUS server's Certificate Authority certificate.

SU1X can detect third-party supplicants, warn the user, and automatically start the Windows supplicant. It also supports custom checks via API scripts, such as username-format or user-registration checks, and can report the results to the user in a tooltip and/or write them to a file. It can intercept re-authentications, handling them instead of the Windows supplicant. It can even configure and connect to a fallback wireless network for use in performing the checks and reporting problems.

You can configure SU1X to remove SSID profiles, set SSID priorities, and automatically connect to the secure SSID it configures. For clients that don't support WPA2, you can have SU1X fall back to a WPA profile.

SU1X also supports a few non-wireless functions. You can have it enable Network Access Protection (NAP) on the client. It can also configure proxy server settings for the client's Internet Explorer, Google Chrome, or Firefox browser. Additionally, the user GUI can have a Printer tab on it so users can add/remove a network printer to Windows.

After downloading and extracting the SU1X zip, you'll find a couple of folders of files. In the Docs folder you'll find the User Guide, which steps you through the process of configuring and distributing the SU1X client program that users will run to configure the network settings. The process includes capturing the wireless settings from a PC already connected to your 802.1X network, editing the configuration (.ini) file, and adding custom images for the client GUI. Then you gather the required files and distribute them to users, for instance as a self-extracting ZIP/EXE, via whatever means you prefer, such as a flash drive, website, or captive portal.

When a user runs the SU1X setup program all they have to do is enter their Username and Password and hit Start Setup.

If problems are found, it notifies the user; when the configuration is complete, it connects. Users can also select the Help tab to have it run checks and get help. And if you've enabled the Printing tab, they can select it to set up or remove the printer settings you've defined in the configuration (.ini) file.

Summary

ClearPass QuickConnect and XpressConnect are the most similar. Both are cloud-based services that support clients running Windows, Mac OS X, iOS, and Android -- while XpressConnect also supports Ubuntu. But XpressConnect provides more customization, advanced functionality, and better help and documentation than QuickConnect. On the other hand, Aruba is promising major updates to QuickConnect in December 2012, which include a streamlined interface, distribution of user certificates, and more deployment options.

The open source SU1X solution is different from the other two. It involves more of a manual customization process and only supports Windows clients. But in addition to offering much of the same functionality as the other two solutions, it provides one unique feature: the ability for users to add a network printer to Windows. And best of all, SU1X is completely free to use.

Eric Geier is a freelance tech writer — keep up with his writings on his Facebook Fan Page. He's also the founder of NoWiresSecurity, a cloud-based Wi-Fi security service, and On Spot Techs, an on-site computer services company.

Copyright © 2012 IDG Communications, Inc.