How to use enterprise Wi-Fi security in SMBs

No matter what size your business, using WPA2 security is a good first step to protecting your Wi-Fi network. Don't blow it by using the standard's not-so-secure PSK mode.

1 2 Page 2
Page 2 of 2

Connecting devices that support enterprise mode

Once you've set up a RADIUS server or service, configured your access points to utilize the RADIUS for authentication, and distributed any required certificates to those devices that need them, you're ready to connect users' devices to the enterprise-secured Wi-Fi.

When connecting from a Windows, Mac OS X or iOS device, the connection process is straightforward: Choose the network from the network list as normal and (when using PEAP) you'll be prompted to enter a username and password. (With a TLS setup, the digital certificate or smart card logs the device in.) The connection process is a little different on Android; see "How to connect to enterprise Wi-Fi security on Android devices" for details.

Connecting non-enterprise devices

Just about all the popular operating systems for computers, tablets and smartphones these days support enterprise-mode WPA2. However, there are some Wi-Fi devices that support only the personal PSK mode. These are usually either older Wi-Fi devices or those primarily designed for home or consumer use, such as gaming consoles, wireless webcams or smart thermostats. You might also find a few business devices that lack enterprise-mode support, such as wireless credit card terminals.

HP 501 wireless bridge

This HP 501 wireless bridge connects to enterprise-secured networks.

Beyond simply replacing the device, which may not be an option, there are a couple of ways you can get a non-enterprise device connected. Many RADIUS servers support MAC (media access control) authentication bypass, which allows you specify the MAC addresses of specific devices that you want to exclude from the authentication process and be allowed network access. However, given how easy it is to spoof MAC addresses, this isn't a very secure method. Another option is to create a separate SSID with personal PSK security, but this can also reduce the security of your network.

If the non-enterprise device has an Ethernet port, one option is to plug it into the wired network. If there's no available LAN port to plug into, another option is to use an enterprise-capable wireless bridge. You could disable the device's internal Wi-Fi (if any) and connect the wireless bridge to the device's Ethernet port; then the bridge would wirelessly connect to the main enterprise-secured Wi-Fi network.

Protecting against man-in-the-middle attacks

Although enterprise Wi-Fi security provides superior protection, it has vulnerabilities too, one of which is the man-in-the-middle attack. This occurs when a hacker sets up a fake wireless network or rogue access point, typically named the same as the target network, so Wi-Fi devices automatically roam to it. The fake network can also have its own RADIUS server as well.

The hacker's objective is to get devices connected to the fake network to capture the authentication attempts, which can possibly lead to the hacker capturing the login credentials. The fake network can even be set up so users are fully connected to the Internet, giving them no impression that something is wrong.

This is why it's so important to have a digital SSL certificate installed on your RADIUS server. As touched on earlier, most wireless devices can perform server validation after connecting to a Wi-Fi network. It helps ensure they are talking to the real server before passing along their login credentials.

With Windows, Mac OS X and iOS devices, server validation is usually enabled by default. The first time you connect to an enterprise Wi-Fi network, you're prompted to verify the details of the RADIUS server's digital certificate. Then by default you're usually prompted again if the server's digital certificate or the certificate's issuer changes.

server validation prompt in Windows

Example of what Windows shows when there's a new or changed RADIUS server certificate.

On Android phones or tablets, you must manually enable server validation and possibly install the server's root CA certificate as well.

server validation settings in Windows

Settings in Windows for configuring server validation and enabling the auto deny functionality.

Server validation can help you identify a possible man-in-the-middle attack, but many users will blindly accept a new certificate. To prevent users from accepting new or changed server certificates, you can use any functionality the device or operating system offers to automatically deny certificate changes.

For instance, Windows provides a setting for this in the EAP properties on the computer or other device, which can be manually enabled on each device or pushed out to computers on domain networks.

Related reading

This story, "How to use enterprise Wi-Fi security in SMBs" was originally published by Computerworld.

Copyright © 2015 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
The 10 most powerful companies in enterprise networking 2022