The importance of wireless security cannot be overstated as the threat of data theft continues to rise. WPA2-Enterprise networks are the first line of defense – they’ve been proven time and again to keep networks secure by protecting against over-the-air attacks and preventing credential theft.
However, many are cautious about implementing WPA2-Enterprise on 802.1x due to the perceived difficulty of configuring cloud-based networking (the preferred option to prepare for the future of networking). Without a proper configuration guide, setting up the network can be so difficult that it isn’t worth the benefits. Even worse, if the network isn’t configured correctly, the security and efficiency benefits you expect go right out the window. When set up correctly, WPA2-Enterprise can bring numerous efficiency benefits, such as those experienced by the College of William & Mary when they set up 802.1x and allowed their users to take advantage of Eduroam.
We’ve compiled the most common mistakes that are made when setting up WPA2-Enterprise so you can more easily avoid them.
1. Allowing Users to Self-Configure Devices for 802.1x
One of the worst mistakes an organization can make is to allow their users to self-configure their devices without an onboarding software.
Server certificate validation is a complex process that requires high-level IT knowledge to understand the steps and complete them properly. If left to their own devices, the average network user is likely to misconfigure and be a liability to network security. Even with a step-by-step guide, there are bound to be numerous support ticket requests due to configuration mishaps.
The best practice for this situation is to deploy an onboarding software that automatically configures a user’s device when they enroll for a certificate. This takes the guesswork out of configuration and guarantees to network administrators that every network user is securely enrolled to the network and correctly configured for server certificate validation.
SecureW2’s onboarding software is the simplest and most secure solution to Bring Your Own Device onboarding. Learn more about it here.
2. Not Configuring RADIUS Efficiently
Although the RADIUS server can look up enrolling users against an identity server, organizations should consider minimizing their reliance on that lookup to improve efficiency. A superior alternative is to distribute client certificates.
Certificates are extremely efficient and convenient for user authentication because the RADIUS server can immediately identify the user and device requesting network access. The request begins automatically when the device comes within range of the network, and the certificate is presented through an encrypted EAP-TLS tunnel. Compare this to credential-based authentication, which requires a manual connection and re-entering credentials each time you reconnect. That process is less efficient and can be imitated by anyone who has stolen the credentials.
Certificates cannot be stolen off a device, ensuring that only those who are authorized are able to efficiently connect to the network.
3. Using PEAP-MSCHAPv2 Instead of EAP-TLS
PEAP-MSCHAPv2 was once the standard of 802.1x network security but it has become increasingly insecure in recent years. Namely, the absence of server certificate validation when configuring PEAP opens the door to credential theft.
Without server certificate validation, users are vulnerable to Evil Twin and Man-In-The-Middle attacks that spoof a secure network and steal credentials as they are being sent for authorization. The alternative, the EAP-TLS authentication method, is significantly more secure. Although it is recommended to use server certificate validation with this method as well, even without it the credentials are still relatively safe because they are sent through an encrypted EAP tunnel and cannot be stolen over the air.
Read how College of William & Mary converted from PEAP to EAP-TLS to implement an efficient and secure onboarding solution for network users.
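As an added example (not SecureW2's code or part of the original article), the following Python script lints wpa_supplicant-style 802.1x client profiles for the two client-side mistakes covered in sections 1 and 3: a profile with no server certificate validation (no ca_cert and no expected server name) and a profile that uses PEAP-MSCHAPv2 instead of EAP-TLS. The option names (ca_cert, domain_match, domain_suffix_match, altsubject_match, subject_match, client_cert, private_key) are real wpa_supplicant settings; the three sample profiles are constructed, and the SSIDs, identities, hostname and file paths are placeholders. An onboarding tool would generate the hardened profile automatically; this check is the kind of thing a defender can run over profiles users built by hand.

```python
"""Lint wpa_supplicant-style 802.1X profiles for the mistakes discussed above.

Added example, not SecureW2 or article code. Profile contents are constructed;
SSIDs, identities, hostnames and paths are placeholders.
"""
import re
from typing import Dict, List, Tuple

# wpa_supplicant options that bind the RADIUS server certificate to an expected name.
SERVER_NAME_KEYS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")


def parse_network_blocks(text: str) -> List[Dict[str, str]]:
    """Turn each `network={ ... }` block into a dict of key -> value (quotes stripped)."""
    blocks = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        entry: Dict[str, str] = {}
        for raw in body.splitlines():
            line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
            if "=" not in line:
                continue
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip().strip('"')
        blocks.append(entry)
    return blocks


def lint_profile(net: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (code, explanation) findings for one 802.1X profile, in a fixed order."""
    findings = []
    if net.get("key_mgmt", "").upper() != "WPA-EAP":
        return [("NOT_8021X", "key_mgmt is not WPA-EAP; this is not an 802.1X profile")]
    eap = net.get("eap", "").upper()
    if eap == "PEAP":
        findings.append(("PEAP_MSCHAPV2",
                         "PEAP carries a password exchange; prefer EAP-TLS with client certificates"))
    elif eap != "TLS":
        findings.append(("UNEXPECTED_EAP", f"unexpected EAP method '{eap or '<none>'}'"))
    if "ca_cert" not in net:
        findings.append(("NO_CA_CERT",
                         "no ca_cert: the RADIUS server certificate is never validated"))
    if not any(k in net for k in SERVER_NAME_KEYS):
        findings.append(("NO_SERVER_NAME_MATCH",
                         "no domain_match/domain_suffix_match: any certificate from the CA is accepted"))
    if eap == "TLS" and not ("client_cert" in net and "private_key" in net):
        findings.append(("NO_CLIENT_CERT", "EAP-TLS profile lacks client_cert/private_key"))
    return findings


def lint_config(text: str) -> Dict[str, List[str]]:
    """Map each profile's SSID to its list of finding codes (empty list means clean)."""
    return {net.get("ssid", "<no ssid>"): [code for code, _ in lint_profile(net)]
            for net in parse_network_blocks(text)}


# --- constructed sample profiles (placeholders, not real deployments) ---
# Mistake from sections 1 and 3: hand-built PEAP profile with no server validation.
WEAK_PEAP = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="<placeholder>"
    phase2="auth=MSCHAPV2"
}
"""

# PEAP with server certificate validation: closes the evil-twin hole but is still password-based.
VALIDATED_PEAP = """
network={
    ssid="corp-wifi-peap"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="<placeholder>"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="example.com"
}
"""

# What an onboarding tool should produce: EAP-TLS with a pinned CA and server name.
HARDENED_TLS = """
network={
    ssid="corp-wifi-tls"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.com"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.example.com"
    client_cert="/etc/wpa_supplicant/alice.crt"
    private_key="/etc/wpa_supplicant/alice.key"
}
"""

if __name__ == "__main__":
    for ssid, codes in lint_config(WEAK_PEAP + VALIDATED_PEAP + HARDENED_TLS).items():
        print(f"{ssid}: {codes or 'OK'}")
```

Run against the three samples, the hand-built PEAP profile produces three findings, the validated PEAP profile only the PEAP-MSCHAPv2 finding, and the EAP-TLS profile none. The server-name check matters as much as ca_cert: with a public CA in ca_cert but no domain_match, any server certificate from that CA would pass, which is why the linter treats the two settings separately.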
Improper configuration of WPA2-Enterprise on Your Wireless 802.1x Network
WPA2-Enterprise networks are one of an organization’s best defenses against the threat of credential theft, which makes proper configuration all the more important. If you fall into the pitfalls listed above, many of the security and efficiency benefits of WPA2-Enterprise are totally absent and your 802.1x network will be at high risk for credential theft. SecureW2 offers affordable options for organizations of all shapes and sizes. Click here to inquire about pricing.