7 reasons to deploy Wi-Fi security in Enterprise mode

SMBs may find the Personal mode of Wi-Fi security easier to deploy, but that may be a costly mistake

Although it's tempting to use the Personal mode of Wi-Fi security, which is easy to set up and use, businesses and organizations really need to use the Enterprise mode of WPA2—also known as 802.11i. Although it requires a RADIUS server to do the 802.1X authentication and is more complex to set up, it provides superior Wi-Fi security and can save you time and money in the long run.

Here are several reasons why businesses and organizations should utilize Enterprise-level Wi-Fi security.

1. Eliminates the security risks of shared passwords

When enabling the Personal mode—technically called the Pre-shared Key (PSK) method—of WPA or WPA2 security, you create one unique global password. Everyone enters this same password before connecting to the wireless network, which is then saved to the device. The problem here is that when a laptop or smartphone is lost or stolen, whoever gets their hands on it will have the password and can go to the location to connect to the network. Plus, when employees or staff leave the organization they still have the Wi-Fi password and access on any device they used to connect.


In order to properly protect your network you’d have to change the global Wi-Fi password every time someone loses a device or leaves the organization. This means informing everyone of the password change and entering the new password on every Wi-Fi device. Plus, with some Windows versions and other mobile devices, you have to delete or modify the existing saved password, since it will try to connect with the old one and not let you simply enter the new one when connecting. This may cause confusion with end users and thus more work for the IT staff to help them.

The Enterprise mode of WPA or WPA2 security, however, enables you to assign users a unique username and password to log into the Wi-Fi, if you implement the popular PEAP method. If someone loses a device or leaves, simply change their individual password or delete their username.

Keep in mind, with Windows Vista and later you can easily find saved Wi-Fi passwords in the wireless network’s profile. And with Windows XP, you can use a utility to reveal the passwords as well. Although Windows also caches the 802.1X login credentials, the password is stored encrypted. Plus, even if the password is recovered somehow, you can always easily change a single user’s password.

Although some wireless vendors have implemented dynamic PSK solutions to remedy the static-key issue, those are proprietary features of the vendor's wireless controller.

2. Puts a damper on snooping

With the Personal mode of Wi-Fi security, anyone with the wireless password can capture and read the traffic on the wireless network. In addition to seeing everyone’s web browsing, they could capture or hijack logins to unencrypted sites and services such as some social networks and email providers.

However, with the Enterprise mode of Wi-Fi security, the way the encryption keys are assigned and exchanged in the background prevents users from decrypting and seeing others’ wireless traffic. This doesn’t affect network sharing, so users can still access any shared folders or printers, but they can’t snoop on the actual traffic of other users.

3. Enables enhanced security methods

In addition to providing the ability to hand out unique passwords with the PEAP method of 802.1X, Enterprise mode gives you the option of requiring an SSL (X.509) security certificate on the client when using the EAP-TLS method. Though it requires distributing and installing client certificates, it can be a more secure method than passwords. Plus, for even more security, you can implement user certificates with private keys that are stored on smart cards, thus also requiring a physical card plugged into the client in order to complete the 802.1X authentication.

4. Authentication methods can be extended to the wired network

The 802.1X authentication that’s required by Enterprise mode and provided by a RADIUS server can also be used to provide authentication on the wired side of the network. Though 802.1X alone won’t provide encryption on the wired Ethernet network to prevent those plugged in from snooping, it does require those that plug in to provide login credentials before successfully connecting.

5. VLANs can be dynamically assigned

Using 802.1X authentication also gives you a way to dynamically assign clients to VLANs. For instance, instead of having to assign everyone that connects to an SSID the same VLAN, you can define a particular VLAN ID for each user in the RADIUS server and they’re automatically put onto that VLAN when connecting to any SSID with their unique username.

6. Enables additional controls

When using Personal mode, everyone logs into the Wi-Fi with the same password and you usually don’t have any control over the connectivity of individual clients. But when using the Enterprise mode, RADIUS servers typically support attributes you can optionally apply to individual users or groups of users, which are then checked when users log in with their unique username.

Common attributes RADIUS servers support include Login-Time, allowing you to define the exact days and times they can log in, Called-Station-Id to specify which access points they can connect through, and Calling-Station-Id to specify which client devices they can connect from.
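The per-user checks from this section (Login-Time, Called-Station-Id, Calling-Station-Id) and the dynamic VLAN assignment from section 5, modeled as an added Python example; this is not code from the article or from any RADIUS product. The user table, timestamps and station IDs are constructed, and the Login-Time syntax follows the FreeRADIUS form (e.g. Wk0800-1800).

```python
import re
from datetime import datetime

DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]

# Constructed sample user entries (hypothetical; not from any real RADIUS server).
# Called-Station-Id is matched as a regex against the AP's "BSSID:SSID";
# Calling-Station-Id is the client's MAC address.
USERS = {
    "alice": {"password": "s3cret", "vlan": 10, "Login-Time": "Wk0800-1800",
              "Called-Station-Id": r".*:CorpWiFi$",
              "Calling-Station-Id": "AA-BB-CC-11-22-33"},
    "guest": {"password": "welcome", "vlan": 99, "Login-Time": "Al0000-2400"},
}

def login_time_allows(spec, when_iso):
    """True if the ISO timestamp falls inside a Login-Time spec such as
    'Wk0800-1800,Sa0900-1200' (Wk = Mon-Fri, Al = any day, or a Mo-Fr range)."""
    when = datetime.fromisoformat(when_iso)
    hhmm = when.hour * 100 + when.minute
    for part in spec.split(","):
        m = re.fullmatch(r"([A-Za-z-]+)(\d{4})-(\d{4})", part)
        if not m:
            raise ValueError("bad Login-Time: " + part)
        days, start, end = m.group(1), int(m.group(2)), int(m.group(3))
        if days in ("Al", "Wk"):
            allowed = range(7 if days == "Al" else 5)
        elif "-" in days:
            first, last = (DAYS.index(d) for d in days.split("-"))
            allowed = range(first, last + 1)
        else:
            allowed = [DAYS.index(days)]
        if when.weekday() in allowed and start <= hhmm < end:
            return True
    return False

def authorize(req, when_iso):
    """Evaluate an Access-Request (dict of RADIUS attributes) against USERS.
    Password check is simplified: a real server verifies MS-CHAPv2 inside PEAP."""
    u = USERS.get(req.get("User-Name"))
    if not u or u["password"] != req.get("User-Password"):
        return ("Access-Reject", "bad credentials")
    if not login_time_allows(u["Login-Time"], when_iso):
        return ("Access-Reject", "outside Login-Time")
    if "Called-Station-Id" in u and not re.match(u["Called-Station-Id"], req.get("Called-Station-Id", "")):
        return ("Access-Reject", "access point not permitted")
    if "Calling-Station-Id" in u and u["Calling-Station-Id"] != req.get("Calling-Station-Id"):
        return ("Access-Reject", "client device not permitted")
    # Dynamic VLAN assignment: RFC 3580 tunnel attributes returned in the Access-Accept
    return ("Access-Accept", {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                              "Tunnel-Private-Group-Id": str(u["vlan"])})
```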

7. Supports Network Access Protection (NAP)

In addition to any basic client access attributes supported by the RADIUS server, you can utilize any Network Access Protection (NAP) capabilities of the server along with the 802.1X authentication. For instance, with Windows Server 2008 and later you can configure the Network Policy Server (NPS) to perform both NAP functionality and 802.1X authentication.

NAP is a technology designed by Microsoft to allow you to control user access to the network based upon your desired system health of the client. For instance, in order for clients to receive full network access you could ensure the OS and antivirus are up-to-date, a personal firewall is enabled, and other security settings are to your liking.

Implementation tips

Although there are commercial RADIUS servers (software and hardware appliances) that can cost into the thousands of dollars, there are more cost-effective solutions for small and midsized networks that pretty much any tech or IT person can understand. So don’t let the lack of money or experience prevent you from using Enterprise Wi-Fi security.

First, check if any server or component on the network can already provide RADIUS server functionality. For instance, if you already have a Windows Server you can use the Internet Authentication Service (IAS) component of Windows Server 2003 R2 and earlier or the Network Policy Server (NPS) component of Windows Server 2008 and later.

If you don’t want to set up your own RADIUS server, consider hosted or cloud-based services that can perform the 802.1X authentication via the Internet for you.

Back with Windows XP, you had to pre-configure the 802.1X authentication settings before connecting to a Wi-Fi network with Enterprise security. However, with Windows Vista and later you can usually just connect and enter your username and password without configuring anything beforehand. Plus the same applies to most other mobile devices or operating systems (like iOS and Android).

For instances where you’d like the 802.1X settings pre-configured to ensure certain security settings are configured or to distribute user certificates when using EAP-TLS, there are solutions out there to help. For domain-joined machines you may be able to distribute network profiles via Group Policy. Also, there’s always the netsh command-line tool in Windows Vista and later that can push network settings to users. Or for a third-party tool, consider the free SU1X 802.1X Configuration Deployment Tool, or commercial options like Xpressconnect or ClearPass QuickConnect.

In the past you may have forgone implementing 802.1X authentication if you had legacy machines or devices that may have only supported WEP or just the PSK mode of WPA. If that’s the case you may want to re-evaluate those clients. See if there are any software updates to add 802.1X support or ways you can upgrade the wireless adapter. And if not, consider even creating a separate SSID with the PSK mode of WPA/WPA2 for any non-802.1X clients.

Eric Geier is a freelance tech writer—keep up with his writings on Facebook or Twitter.  He’s also the founder of NoWiresSecurity, a cloud-based Wi-Fi security service, and On Spot Techs, a tech support company.

Copyright © 2014 IDG Communications, Inc.