Securing home wireless networks has never been as important. An increase in remote work requires more people to handle sensitive business data at home. On top of this, our lives, in general, are becoming increasingly digital, conducted through services such as online banking and shopping.
We expect the professional organizations we trust to secure our data, but it’s equally as important to protect it on your own Wi-Fi network. That means diving into your network settings, including the security standards used by your router.
Wi-Fi Protected Access (WPA) is a wireless network security standard with several variations. WPA2-Personal is commonly used at home, but WPA2-Enterprise – widely used by businesses – is even more secure. In this article, we’ll discuss what it takes to adopt WPA2-Enterprise on your home network, and what its benefits are.
Common Wi-Fi Security Protocols Overview
The WPA protocol has a number of variations that are in common use today. Some of those WPA modes include the following:
- WPA
- WPA2-Personal
- WPA2-Enterprise
Wi-Fi Protected Access was originally introduced in 2003 as a more secure alternative to its predecessor, Wired Equivalent Privacy (WEP). Although the two were similar, WPA’s greatest improvement was the use of the temporal key integrity protocol (TKIP), which ensures that the same encryption key isn’t being used every time by all devices on the network.
WPA2 was created shortly after. Its first variation, WPA2-Personal, is common in homes and cafes. It’s secured by a Pre-shared Key (PSK) that all devices use to access the network. If you’ve ever had to ask someone for their Wi-Fi password, or used a single password to connect multiple devices to the Wi-Fi, then you’ve used WPA2-Personal.
The common alternative to WPA2-Personal is WPA2-Enterprise. On a WPA2-Enterprise network, all devices have their own unique set of credentials to access the network instead of sharing a single password. Because routers can’t store all these sets of login information, an authentication server called a RADIUS server is required. The RADIUS server verifies that the credentials of each user are valid by referencing a separate directory with user and device information.
Why Home Wi-Fi Security is Important
Without proper home Wi-Fi security standards in place, there are a number of attacks that can target your online actions. When you consider everything the average person does online, such as working remotely, online banking, or scheduling sensitive medical appointments, it’s easy to see why this matters.
If all you have safeguarding your home wireless network is a single password, your data can be easily breached. Man-in-the-Middle (MITM) attacks, for example, can intercept the data you transmit through a variety of means. Often, these attacks start through other vectors, like spoofing attacks that mimic other devices or routers on your network.
How WPA2-Enterprise Security Works
The main difference between WPA2-Enterprise and the usual WPA2-Personal you see at home is the number of credentials that are used. With WPA2-Personal, all devices gain access to your network through the use of a single password. WPA2-Enterprise, on the other hand, assigns individual passwords to every single device on the network.
This means that some additional hardware is necessary. Routers generally don’t have the capability to store and authenticate numerous different sets of credentials. That’s why a Remote Authentication Dial-In User Service (RADIUS) server is used. Rather than the router confirming the validity of each credential, the RADIUS server performs the authentication instead.
One of a RADIUS server’s main purposes is this authentication process. However, it doesn’t store the directory of username credentials locally. Instead, it references an external directory, such as an Identity Provider (IDP), to verify credentials.
WPA2-Enterprise security is often combined with the 802.1X authentication protocol standard. With 802.1X, there’s more than just a RADIUS server involved – X.509 digital certificates are issued to users and devices through a Public Key Infrastructure (PKI) to provide more context around each connection.
WPA2-Enterprise Authentication Protocols
One reason WPA2-Enterprise is so prevalent in enterprise-level network security is that it allows for different authentication protocols to be used. Each one offers varying levels of encryption, relies on varying authentication vectors, and may require its own infrastructure.
Three common authentication protocols in use today are EAP-TLS, PEAP-MSCHAPv2, and EAP-TTLS/PAP. PEAP-MSCHAPv2 and EAP-TTLS/PAP both rely on passwords for authentication, which leaves them vulnerable to compromise.
EAP-TLS, however, can use digital certificates for authentication as opposed to passwords. This drastically reduces the risk of credential theft and increases the speed of the authentication process. In order to issue certificates, though, you need a Public Key Infrastructure (PKI), which can be difficult to build and maintain if you don’t already have experience with them. Managed PKI providers, such as SecureW2, can provide you with a turnkey PKI that slots into your existing infrastructure without the need to build and maintain one yourself.
Can I Use WPA2-Enterprise at Home?
The short answer is yes. A longer and more accurate answer is yes, but it will require more expertise, software, hardware, and maintenance than what you would need to implement a simple WPA2-Personal network.
You’ll want to consider a few points before you go any further:
- Your level of network usage
- The sensitivity of the data being transmitted over your network
- Your technical expertise and willingness to do maintenance
If your network usage is purely recreational, upgrading to WPA2-Enterprise security may not be a pressing concern. However, if you are conducting business from home, regularly accessing sensitive information (such as banking, healthcare, or legal), or anything else sensitive in nature, heightened network security could be critical.
You also need to be aware of the technical skills that will be required both to set up and maintain WPA2-Enterprise properly. You’ll need to configure a RADIUS server, which will require creating network access control policies and applying regular updates.
Advantages of WPA2-Enterprise at Home
Enhanced Network Security Features
The main benefit of a home WPA2-Enterprise network is the increased security you get. If you’re only using a single password to gate access to your Wi-Fi, and people other than yourself know that password, you can never be sure your password hasn’t been spread to individuals you don’t know.
Additionally, you’re relying on a single point of failure on a PSK network. Once that password is compromised, anyone can access your Wi-Fi and spread their influence to other devices.
With separate credentials for all connected users, you can limit the spread of a breach. If an individual’s password is compromised, that’s much easier to deal with than an entire network being compromised.
Individualized User Control through Network Segmentation
Since user access is tied to individualized credentials, you have more oversight over the specific access each set of credentials has. For instance, you could have guest networks with unique settings for various users. You could create guest networks for visitors at your home, or segment different devices onto different networks depending on your needs and expertise. The moment you no longer want a specific user or device to have network access, you can update that in your directory or database.
The addition of a RADIUS server allows you to implement a number of network access control policies.
Disadvantages of WPA2-Enterprise at Home
Difficulty of Setup
The majority of homes utilize a WPA2-Personal network because it’s accessible to the average person. A router and password can be set up in just a few minutes, after all, and resources on how to do so are abundant.
WPA2-Enterprise takes more time and knowledge. Properly configuring a RADIUS server requires technical expertise beyond what most consumers have, and is undoubtedly one of the greatest barriers to entry for this type of network security.
Need for Additional Hardware and Software
For a WPA2-Personal network, you really only need a handful of things: internet service, a modem, and a router. These things are relatively easy to acquire, and once set up, connecting to your Wi-Fi is as easy as typing in a password every time you add a new device.
A WPA2-Enterprise network requires you to have a RADIUS server and a router that is compatible with it. Many consumer-grade routers aren’t compatible with RADIUS-based authentication, so you’ll likely need to look for an enterprise-grade access point instead.
The RADIUS server will need specific software configured to perform its functions. Of course, you’ll also need the computer space to set up an authentication server, or a separate machine for it entirely.
More than the Average User Needs
WPA2-Enterprise and 802.1X combined are considered the gold standard for network security. These are the standards used by large organizations all over the world to protect extremely sensitive data.
The average person may not require the same rigorous standards. Anyone who’s not home for long periods of time or anyone who uses their own Wi-Fi sparingly may not need to worry about such robust security. For those with technical aptitude and those handling sensitive or business data at home, it’s a much more relevant consideration.
How to Deploy Your Own WPA2-Enterprise Network
You’ll need additional resources beyond what is necessary for a WPA2-Personal network. Here are the additional things you’ll need:
- A user directory/identity server
- A RADIUS Server
- An enterprise-grade access point
The user directory and RADIUS server are separate servers entirely. Your user directory will need to be set up first to house the credentials users and devices will use to access your network. Historically, organizations have used on-premise identity servers, such as Microsoft’s Active Directory. Smaller operations or homes may look into free options like MySQL.
If you have spare computer space or even an extra computer entirely, you can use it to establish a RADIUS server with the right software, like Windows Server. Alternatively, you can look at free options such as FreeRADIUS.
Finally, you’ll require an access point that can interface with your RADIUS server. This usually means an enterprise access point. There are many options out there, but a common example is Ubiquiti access points. Some access points may even have RADIUS built into them.
Protecting Your Home Wi-Fi Network Without WPA2-Enterprise
Implementing WPA2-Enterprise security at a business is challenging – even when you likely have a whole team of IT professionals to help. It’s even more challenging at home when you’re relying on yourself. If you feel that WPA2-Enterprise is unnecessary for your Wi-Fi use or that you’re simply not ready to make that change, there are some smaller security practices you can put in place to make your network safer.
For starters, consider password management. Set a strong password for your home wireless network that includes capital letters, lowercase letters, special characters, and numbers. Change this password periodically, even with the inconvenience of having to reconnect your devices.
You can also monitor the devices connected to your network. Chances are, your router has an app or web portal you can log into. Through this portal, you can view a list of connected devices and confirm that they’re actually yours. If you see anything suspicious, change your Wi-Fi password immediately.
Like computers or smartphones, other devices connected to your Wi-Fi often have software patches and updates – including your router. Be sure to log into your router’s portal regularly to check for updates and install them as necessary. These updates can protect it from new threats and previously existing vulnerabilities.
Finally, ensure the password to your router’s administration account is different from passwords you use elsewhere. However, it’s a good policy, in general, to avoid reusing passwords.
Make the Transition to WPA2-Enterprise Security Easy with SecureW2
At the end of the day, WPA2-Enterprise is undoubtedly more secure than its WPA2-PSK alternative, especially when you add certificate-based authentication to the mix. The problem with this security setup is that it requires a lot of additional infrastructure that the average person may not have the ability to build and maintain.
With SecureW2, however, you don’t necessarily have to build this yourself. SecureW2 provides everything businesses need to make the upgrade to WPA2-Enterprise Wi-Fi with our managed Cloud RADIUS service, managed PKI for certificate-driven security, and our onboarding technology for both managed and unmanaged devices.
Since all our services are cloud-based, they can work from anywhere. There’s no lengthy setup process, expensive management costs, or the need to provide physical space and security for servers. We may not provide RADIUS and PKI for home use, but we have worked with organizations of all sizes and have a significant amount of experience. Talk with our expert team today to see our services in action and learn just how achievable WPA2-Enterprise is.
