Each year, college campuses must navigate the trials associated with successfully connecting thousands of new students to the wireless network. This may have been moderately challenging 10 years ago, but the explosion of wireless devices in the past few years has added significant complications. On average, each student will want to connect 3 to 4 different devices. To add to the difficulty, device diversity has increased dramatically in recent years, and different devices require different onboarding solutions. So the question remains: how do you ensure that everyone on the network is protected and can browse securely, while keeping wireless connection support tickets to a minimum? It may seem like a herculean task, but the key lies in the onboarding solution that is deployed.
Your first action is to select a network type, and for an organization the size of a university, the logical choice is a WPA2-Enterprise network. This encrypted network type is scalable across the organization and can be set up for a variety of authentication methods. The drawback is that it requires a more involved configuration process to get devices onboarded to the network, especially if the organization is using certificate-based authentication; therefore, the network must be set up so that users can self-register. SecureW2’s onboarding solution configures users’ devices for WPA2-Enterprise in just a few steps, simplifying the configuration process so it only takes a couple of minutes.
Every university is accountable for troves of valuable data about their students and staff, such as financial records, social security numbers, and personnel information. Given this, choosing an effective authentication method is a top priority to ensure no malicious users gain access to the network.
The simplest form of authentication is a Pre-Shared Key (PSK), but it should be avoided by any sizable organization. Credentials are extremely vulnerable to several types of attacks that seek to compromise the network. They leave staff and students exposed to sophisticated phishing attacks, and a simple accident can leak a password, leaving the rest of the network vulnerable. One compromised user can have broad implications across the network. To limit this, many organizations institute a password expiration policy, but most often users simply change a password’s capitalization or add a number without significantly changing it. Additionally, once a password expiration policy kicks in, the entire network is disconnected, and many users are bound to experience issues reconnecting and will need to file a support ticket. The shortcomings of passwords don’t stop there, so avoiding credential-based security is a best practice for organizations holding this much sensitive data.
PSKs are also extremely unscalable. Would you install the same lock on every door at your company and give everyone the key? This is where WPA2-Enterprise comes in. It’s an encrypted authentication method designed to prevent outside users from swiping credentials: a RADIUS server authenticates credentials inside a protected EAP tunnel, preventing over-the-air credential theft. The first authentication protocol to consider deploying with WPA2-Enterprise is PEAP-MSCHAPv2. While this method is credential-based, authentication is handled by the RADIUS server and benefits from its enhanced security measures. Devices can be configured for server certificate validation, so that the device checks the identity of the RADIUS server and confirms it is connecting to the correct network, but networks are often not configured for this due to a lack of information and the difficulty of configuring it without a configuration guide. This leaves the user vulnerable to Evil Twin and Man-In-The-Middle (MITM) attacks, where an outside user sets up a phony Access Point (AP) and RADIUS server equipped with a certificate from the same certificate authority to trick users into connecting and entering their credentials. This form of attack can be performed with minimal tools, in some cases only a laptop. A user who is unknowingly tricked could give up their credentials and put the safety of the network at risk.
The most highly recommended authentication method uses the EAP-TLS protocol. This top-notch method authenticates a device’s certificate or credentials inside an EAP tunnel, protecting it from over-the-air attacks. When using EAP-TLS, deploying server certificate validation adds a further layer of security: the identity of the network and its RADIUS server is confirmed to the connecting user, which is important for avoiding Evil Twin and MITM attacks. Once a user is successfully onboarded to the network, they never have to be concerned about connecting to an illegitimate network.
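The server certificate validation discussed for PEAP-MSCHAPv2 and EAP-TLS lives in the supplicant configuration, and an admin can audit it. The following is an added example, not SecureW2’s code or any real campus configuration: a small Python lint that parses constructed wpa_supplicant network blocks and flags the two gaps an Evil Twin relies on, no pinned CA (or only the public OS bundle, so a certificate from the same public CA passes) and no server name match. The bundle file names and the finding codes are assumptions for the example; the option names are standard wpa_supplicant keys.

```python
import re

# Constructed sample wpa_supplicant.conf (not from any real campus): one SSID
# configured three ways, from the weakest to the recommended EAP-TLS setup.
SAMPLE_CONF = """
network={
    ssid="CampusWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student1"
    password="example-password"
}
network={
    ssid="CampusWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student2"
    password="example-password"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
}
network={
    ssid="CampusWiFi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="student3@campus.example"
    client_cert="/etc/wpa/student3.crt"
    private_key="/etc/wpa/student3.key"
    ca_cert="/etc/wpa/campus-radius-ca.pem"
    domain_suffix_match="radius.campus.example"
}
"""
BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
KV_RE = re.compile(r'^\s*(\w+)="?([^"\n]*?)"?\s*$', re.M)
PUBLIC_BUNDLES = {"ca-certificates.crt", "cert.pem", "ca-bundle.crt"}  # assumed OS-wide public CA stores
NAME_MATCH_KEYS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

def parse_networks(conf_text):
    # One dict per network={...} block, with quotes stripped from the values.
    return [dict(KV_RE.findall(m.group(1))) for m in BLOCK_RE.finditer(conf_text)]

def audit_network(net):
    """Finding codes for one block; [] means a private trust anchor is pinned AND the RADIUS name is checked."""
    if net.get("key_mgmt") != "WPA-EAP":
        return ["NOT_ENTERPRISE"]
    findings = []
    if "ca_cert" not in net:
        findings.append("NO_CA_CERT")              # any server certificate is accepted
    elif net["ca_cert"].rsplit("/", 1)[-1] in PUBLIC_BUNDLES:
        findings.append("PUBLIC_CA_BUNDLE")        # any publicly issued certificate passes
    if not any(k in net for k in NAME_MATCH_KEYS):
        findings.append("NO_SERVER_NAME_MATCH")    # a same-CA certificate for another host passes
    return findings
```

Only the third block passes, because it pins the campus RADIUS CA and requires the server name to match; the first two are exactly the configurations an Evil Twin with a same-CA certificate can impersonate.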
The trials associated with onboarding a new class of students don’t have to become pitfalls that drastically slow down your IT department. Universities that seek opportunities to increase efficiency and lower costs should examine their onboarding strategies for potential improvements. Processes that worked in the past are now defunct, leading to mass support tickets and frustrated network users. It’s important to evaluate all the possibilities laid out above and decide how you want the network to operate and what features to emphasize.