Historically, some have avoided EAP-TLS certificate-based authentication for wireless security because the overhead of setting up and managing this type of network was seen as outweighing the security benefits. To properly configure the network for certificate-based authentication, you’d have to configure devices for TLS, generate and manage certificates, and configure a RADIUS server and a PKI. Devices would have to be individually configured, which often proves too difficult a task for most users to complete. This puts the burden on IT, and configuring hundreds, or even thousands, of devices is simply not an option for a large institution. Additionally, data theft wasn’t as prevalent a threat in the past: less software existed that aimed to exploit insecure systems, and MSCHAPv2 hadn’t been cracked yet. In 2017, over 1,300 significant data breaches occurred in the US compared to only 200 in 2005. Organizations looking for an efficient method to implement an EAP-TLS certificate-based network need look no further than SecureW2’s onboarding solution.
The process of converting to an EAP-TLS WPA2-Enterprise network begins with configuring a RADIUS server. The RADIUS server authenticates users as they enroll for network access and continues to authorize them to reconnect for the lifetime of their certificate. There are several vendor options for purchasing a RADIUS server, although some organizations have chosen an alternate route and built one themselves using open source software such as FreeRADIUS.
Next is the configuration of a Public Key Infrastructure (PKI), which involves all the procedures and infrastructure needed to manage certificates. A private Certificate Authority (CA) is recommended over a public CA to provide access to certificates that can be distributed to end users. The process for distribution and enrollment must also be considered, as there are several options available to meet an organization’s requirements that will be evaluated further in this article. Once users have certificates, an effective method of managing them is necessary. Knowing who has certificates and who does not is crucial to network management and ensuring network security. For best practices, the network management portal of your chosen vendor should maintain a dataset of the certificates in your network that contains the identity of the user and the device they are using.
Once the network is configured, you’ll have to become familiar with the tasks involved in managing a certificate-based network. Correctly configuring users’ devices for a WPA2-Enterprise network is the top priority. If devices are not configured accurately, the device and the network could be at risk of a breach. There are three primary options for configuring users’ devices. The first is to allow users to self-configure, but even with a detailed guide this can be a frustrating process: WPA2-Enterprise configuration requires high-level IT knowledge that the typical user does not possess, and the IT department is likely to be overrun with support tickets. The second option is to task the IT department with configuring the devices, but considering that some organizations have huge volumes of devices, this would be an extremely inefficient process. The final option is to use onboarding software from a vendor. With well-designed onboarding software, users can self-configure their devices with only a few clicks; it makes the process highly intuitive and configures devices correctly every time. Deploying onboarding software is the most popular option because of its efficiency and accuracy.
With the network configured and users successfully onboarded, network management becomes the primary concern for IT. Organizations that deployed an onboarding software solution benefit from the visibility improvements of the network management portal. IT can remotely monitor and diagnose connection issues that users experience, as well as confirm that users are complying with use policies. Once users are onboarded, many organizations decide to set group policies specific to their organization. This allows the segmentation of users and is often used to ensure that role policies and access to certain applications apply only to specified groups. Another important aspect of certificate management is properly revoking certificates when needed. Certificates can be set to expire on a predetermined date, but situations arise that require revoking a certificate prematurely. In this situation, rather than manually combing through countless certificates for the right one, many use identity lookup software together with a Certificate Revocation List (CRL). With these tools, network administrators can easily identify the certificate bearer and revoke their certificate. The network is now fully operational and ready to begin distributing certificates and authenticating users.
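The private CA from the PKI step and the CRL-based revocation described above, carried through with openssl as an added example that is not SecureW2’s code. The CA name, the on-disk CA layout, and the user "alice" are constructed for the demo; the final function is the chain-plus-CRL check a RADIUS server performs before granting access.

```shell
#!/bin/sh
# Added example (not SecureW2's code): a private CA for an EAP-TLS network built with
# openssl. It issues a client (supplicant) certificate, revokes it and publishes a CRL,
# the check a RADIUS server repeats at every reconnect. Names and layout are constructed.
setup_ca() {                     # fresh CA in a temp dir; the cwd moves there
  cd "$(mktemp -d)" && mkdir ca ca/newcerts
  : > ca/index.txt; echo 1000 > ca/serial; echo 1000 > ca/crlnumber
  cat > ca/openssl.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ client_ext ]
extendedKeyUsage = clientAuth
EOF
  openssl req -x509 -config ca/openssl.cnf -newkey rsa:2048 -nodes \
    -keyout ca/ca.key -out ca/ca.crt -subj "/CN=Demo Private CA" 2>/dev/null
  openssl ca -config ca/openssl.cnf -gencrl -out ca/ca.crl 2>/dev/null   # empty CRL
}
issue_client_cert() {            # $1 = user or device name -> $1.key, $1.crt
  openssl req -new -config ca/openssl.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl ca -batch -notext -config ca/openssl.cnf -extensions client_ext \
    -in "$1.csr" -out "$1.crt" 2>/dev/null
}
revoke_client_cert() {           # mark $1 revoked in the CA database, republish CRL
  openssl ca -config ca/openssl.cnf -revoke "$1.crt" -crl_reason keyCompromise 2>/dev/null
  openssl ca -config ca/openssl.cnf -gencrl -out ca/ca.crl 2>/dev/null
}
# Chain + CRL check on $1.crt, as the RADIUS server does before granting access.
cert_is_valid() { openssl verify -CAfile ca/ca.crt -CRLfile ca/ca.crl -crl_check "$1.crt" >/dev/null 2>&1; }
```

Run `setup_ca; issue_client_cert alice; cert_is_valid alice` to see the certificate accepted, then `revoke_client_cert alice` and the same check fails with "certificate revoked" once the CRL is republished.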
Those that support a managed device network may be skeptical and wonder what benefits they can derive from an onboarding solution. The prospect of running a self-configuration onboarding client on every MDM device isn’t an attractive one. To address this, SecureW2 created several industry-first native integrations and developed software for easier certificate distribution. Active Directory customers benefit from our industry-first integration with GPO for certificate distribution. Similarly, we’ve developed the industry’s first native integration with G-Suite for certificate distribution. To streamline the actual distribution, SecureW2 uses a SCEP Gateway API to automate the generation and distribution of certificates. This process configures the device for WPA2-Enterprise and distributes a certificate to it with no interaction from the end user. These and several more options exist because SecureW2 can integrate with all major MDMs. These integrations confirm that MDM devices are configured for the secure network and cannot be used for purposes not approved by the institution, such as diverting from set policies or setting up a VPN.
Institutions with valuable data require the best in security to prepare for the ever-changing wireless landscape. Onboarding solutions that efficiently equip network users with certificates leave an organization well-prepared for any potential theft threat. The solution can leverage existing infrastructure or offer tools to complete a full deployment. The setup process is thoroughly outlined for network administrators, and the configuration process can be completed quickly by any network user. For organizations with various MDM and BYOD policies, SecureW2 can provide security, reliability, and convenience.