The importance of wireless security cannot be understated as the threat of data theft continues to rise. WPA2-Enterprise networks have proven time and again to keep networks secure by protecting against over-the-air attacks. The caveat that has made many cautious about implementing this network type is the reputation surrounding it. Without a proper configuration guide, setting up the network can be so difficult that it isn’t worth the benefits. If the network isn’t configured correctly, the security and efficiency benefits you expect go right out the window, so we’ve compiled the most common mistakes that are made when setting up WPA2-Enterprise so you can easily avoid them.
Consider How You Set Up Server Certificate Validation
An impactful mistake that some organizations will make is to allow their users to self-configure their devices without an onboarding software. Server certificate validation is a complex process that requires high level IT knowledge to understand the steps towards a successful configuration. If left to their own devices, the average network user is likely to misconfigure and not experience the security benefits. Even with a step-by-step guide, there are bound to be numerous support ticket requests due to configuration mishaps. The best practice for this situation is to deploy an onboarding software that automatically configures a user’s device when they enroll for a certificate. This takes the guesswork out of configuration and guarantees to network administrators that every network user is securely enrolled to the network and correctly configured for server certificate validation.
Not Examining Performance Capabilities
Although the RADIUS uses an identity server to identify users that are enrolling, organizations should consider minimizing their use to improve efficiency. As a replacement, consider distributing client certificates. These are extremely efficient and convenient for user authentication because the RADIUS can immediately identify the user and device that is requesting network access. The request begins automatically when the device enters the sphere of the network and sends it through an encrypted EAP-TLS tunnel. Compare this to the authentication process for credentials, which requires manual connection and entering credentials each time you reconnect. The process is less efficient and can imitated by someone who has stolen credentials. Certificates cannot be stolen off a device, assuring that only those who are authorized are able to efficiently connect to the network.
Using PEAP-MSCHAPv2 Incorrectly and Not Embracing EAP-TLS
This encrypted authentication protocol was once the standard of network security, but it has exposed vulnerabilities in recent years that has led many to reevaluate. Namely, the absence of server certificate validation when configuring PEAP can directly lead to credential theft. Without server certificate validation, users are vulnerable to Evil Twin and Man-In-The-Middle attacks that spoof a secure network and steal credentials as they are being sent for authorization. The alternative, an EAP-TLS authentication method, is significantly more secure. Although it is recommended to use server certificate validation with this method, without it the credentials are still relatively safe because they are sent through an encrypted EAP tunnel and cannot be stolen over-the-air.
WPA2-Enterprise networks are an organization’s best defense against the threat of data theft, which makes proper configuration all the more important. If you don’t avoid the shortcomings listed above, many of the security and efficiency benefits of WPA2 are missed and the could be network is under threat. Network users value convenience and safety when browsing online, and a properly configured WPA2-Enterprise network is designed to deliver just that.