It's become de rigueur to protect wireless networks with Wi-Fi Protected Access II (WPA2) security, but many small and even midsize businesses default to using the personal or pre-shared key (PSK) mode of WPA2, rather than its enterprise mode. Despite its name, however, the enterprise mode isn't only for large networks; it has a place in all businesses. Though you might think the simple personal mode is easier to use, the exact opposite can be true if you factor in the ongoing effort required to properly secure the business's network.
The enterprise mode of WPA2 uses 802.1X authentication, which provides an extra layer of security for a network, and is designed much better for business networks than the personal mode is. Though it does initially require more effort and resources to set up — for instance, you'll need a Remote Authentication Dial In User Service (RADIUS) server or service — it doesn't have to be complicated or costly, either for individual organizations or for IT/managed service providers who manage networks for multiple organizations.
Full disclosure: I own a business that provides cloud-based RADIUS service. However, it is my honest opinion as an experienced networking professional that enterprise-level Wi-Fi security is recommended for all business networks, for the reasons outlined below. And note that there's no need to use a hosted RADIUS service at all; this story presents many other RADIUS server options, several of which won't cost you anything. I'll walk you through the choices and the steps to a more secure Wi-Fi network.
How the enterprise mode is better
Each mode has its advantages, of course. The initial setup of the PSK mode is very simple. You just set a single password on the access points (APs), and then the users enter that global password when connecting to the Wi-Fi network. Seems effortless, but there are several problems with this method.
With the personal or pre-shared key (PSK) mode, there's just one global Wi-Fi password.
First, since everybody on the network uses the same Wi-Fi password, any users who leave the organization will continue to have wireless access until you change the password. A password change requires you to modify the AP settings and inform all the other users of the new password — and they have to enter it correctly the next time they connect, after which it's saved for future connections.
With enterprise mode, each user or device has individual login credentials that you can change or revoke when needed — no other users or devices are affected.
With the enterprise mode, users enter their own unique login credentials.
And here's another problem when using the PSK mode: The Wi-Fi password is typically stored on the client devices. Thus, if a device becomes lost or stolen, the password is compromised and should be changed to prevent unauthorized access by anyone who gets his or her hands on the device. Again, if the enterprise mode is used, you can change just that individual's password if the device is lost or stolen.
It's easy for anyone to see saved PSK Wi-Fi passwords in Windows Vista or later Windows versions, posing a security risk if a device is lost or stolen.
Additional benefits of the enterprise mode
There are many more advantages to using enterprise Wi-Fi security:
Better encryption: Since the encryption keys for the enterprise mode are unique for each user, it's more difficult for hackers to perform brute-force password cracking and other Wi-Fi attacks than with PSK mode.
Prevents user-to-user snooping: Since every user's encryption keys are derived from the same pre-shared key in personal mode, anyone with the Wi-Fi password can decrypt the raw data packets from the airwaves, which could include passwords for unsecured sites and email services. With enterprise mode, users can't decrypt each other's wireless traffic.
Dynamic VLANs: If you use virtual LANs to segregate network traffic without 802.1X authentication, as is the case with PSK mode, you likely have to manually assign Ethernet ports and wireless SSIDs to a static VLAN. However, with enterprise mode you can use 802.1X authentication for dynamic VLANs, which automatically put users onto the VLAN they've been assigned to via the RADIUS server or user database.
Additional access control: Most of the RADIUS servers that offer 802.1X authentication for the enterprise mode also support additional access policies that you can optionally impose upon the users. For instance, you may be able to set time limits on when they can connect, restrict which devices they can connect from and even restrict which APs they connect through.
Wired support: The 802.1X authentication used by enterprise Wi-Fi security can also be used for the wired portion of the network if the switches support it. When enabled, users who plug into an Ethernet port on the network must enter their login credentials before they're able to access the network and Internet.
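To make the dynamic VLAN item above concrete, here is an added example (not code from this article or from any of the RADIUS products it names) that builds a RADIUS Access-Accept carrying the RFC 2868 tunnel attributes an AP reads to place a client on its VLAN, and that verifies the Response Authenticator before trusting the assignment; the shared secret and Request Authenticator are constructed values.

```python
import hashlib
import hmac
import struct

# RADIUS code and attribute numbers used below (RFC 2865 / RFC 2868)
ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; Length covers the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_vlan_accept(ident: int, request_auth: bytes, secret: bytes, vlan_id: int) -> bytes:
    """Build an Access-Accept that assigns the authenticated client to vlan_id.

    Tunnel-Type and Tunnel-Medium-Type carry a 1-byte tag (0 here) followed by
    a 3-byte integer; Tunnel-Private-Group-ID carries the VLAN ID as text.
    Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret).
    """
    attrs = (_attr(TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
             + _attr(TUNNEL_MEDIUM_TYPE, b"\x00" + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
             + _attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def parse_vlan_accept(packet: bytes, request_auth: bytes, secret: bytes):
    """Verify the Response Authenticator, then return the assigned VLAN ID as a string.

    Returns None when the packet is not a genuine Access-Accept from a server that
    holds the shared secret, is malformed, or carries no complete VLAN assignment.
    """
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):  # forged, tampered or wrong secret
        return None
    tunnel, pos = {}, 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return None
        value = packet[pos + 2:pos + attr_len]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tunnel[attr_type] = int.from_bytes(value[1:], "big")  # skip the tag octet
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading octet of 0x00..0x1F is a tag, otherwise it is part of the string
            tunnel[attr_type] = (value[1:] if value and value[0] <= 0x1F else value).decode()
        pos += attr_len
    if tunnel.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN or tunnel.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802:
        return None
    return tunnel.get(TUNNEL_PRIVATE_GROUP_ID)
```

The authenticator check is what stops an Access-Accept injected on the wire from moving a client onto a VLAN of the attacker's choosing, so an AP or proxy should reject any reply that fails it rather than fall back to a default VLAN.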
RADIUS server options
As mentioned above, you must have some sort of RADIUS server or service to use enterprise Wi-Fi security. It performs the 802.1X authentication and serves as, or connects to, the user database where you define the login credentials for the users. There are many different RADIUS options out there:
Windows Server or OS X Server: If you have a Windows Server, consider using its RADIUS capabilities. In older versions, you'd use what Microsoft calls the Internet Authentication Service (IAS) or, with Server 2008 and later, the Network Policy Server (NPS). Likewise, Apple's OS X Server has RADIUS capabilities built in.
Other servers: Check the documentation or online specs for any other existing servers on the network, like directory servers or network-attached storage, for any RADIUS server functionality.
Access points: Many business-class access points these days include a built-in RADIUS server, usually powerful enough for two or three dozen users. Again, check the documentation or online specs.
Cloud services: Hosted RADIUS services can be a good fit for those who don't want to set up or run their own server, or who need to secure multiple locations that aren't tied together on a WAN. Options include Cloudessa, IronWifi and my own service, AuthenticateMyWiFi.
Open or free software: The open-source FreeRADIUS is one of the most popular servers. It runs on Mac OS X as well as Linux, FreeBSD, NetBSD and Solaris, but it requires some experience with Unix-like platforms. For those more comfortable with a GUI, consider the free edition of TekRADIUS, which runs on Windows.
Commercial software: Of course there are many hardware and software-based commercial options as well, such as ClearBox (for Windows) or Aradial (for Windows, Linux and Solaris) RADIUS servers.
Choosing an EAP type
The authentication mechanism for the 802.1X standard is called the Extensible Authentication Protocol (EAP). There are various EAP types to choose from; the most popular are Protected EAP (PEAP) and EAP Transport Layer Security (or just TLS for short).
Most traditional RADIUS servers and wireless clients support both PEAP and TLS, possibly among many other types. However, some RADIUS servers, such as cloud services or those built into APs, might only support PEAP.
PEAP is the simpler EAP type: With it, users simply enter their usernames and passwords when connecting to the Wi-Fi network. This connection process is straightforward for users on most devices.
TLS is more complex but more secure: Instead of usernames and passwords, digital certificates or smart cards act as users' login credentials. On the downside, it requires more effort from administrators and users. With smart cards, you'd have to purchase the readers and cards, and then handle their distribution. And digital certificates must be installed onto the devices, which is likely not straightforward for users. As we'll see shortly, however, you can use deployment tools to help ease the distribution and installation of the certificates.
Dealing with digital certificates
Every RADIUS server, even if it's using PEAP, should have a digital SSL certificate installed. This allows user devices to validate the RADIUS server before initiating the authentication. If you're using TLS, you'll also have to create and install client-side certificates for users. Even if you're using PEAP, you might have to distribute the root certificate authority (CA) certificate to each client device if it doesn't already have it installed (more on this in a minute).
You can generate digital certificates yourself, typically called self-signing, using a utility provided by the RADIUS server, or purchase them from a public CA such as Symantec SSL (formerly VeriSign) or GoDaddy.
With a TLS setup it's usually best to create your own public key infrastructure (PKI) and self-signed certificates. This is more feasible for networks where most of the Wi-Fi clients belong to a single network domain, so you can easily distribute and install the certificate. Users with devices not on a domain typically must manually install the certificates.
There are some third-party products you can use to ease the process of distributing the server's root CA and client-side certificates in a non-domain network, such as the SU1X tool for Windows devices and XpressConnect for Windows, OS X, Ubuntu Linux, iOS and Android devices.
For PEAP setups, buying the server-side certificate from a public CA can save a lot of effort if the majority of your users' Wi-Fi devices aren't joined to a domain. This is because the root CA certificate from where the server certificate was generated must be on the client devices if you want them to have the ability to do server validation. Devices with Windows, Mac OS X and Linux usually pre-install the root CA certificates from most popular CAs.