Simplifying WPA2-Enterprise and 802.1X
WPA2-Enterprise has been around since 2004 and is still considered the gold standard for wireless network security, delivering per-user authentication and over-the-air encryption with keys derived fresh for each session. But don't assume it has gotten any easier to deploy in that time. Whether you are deploying it for the first time or are a seasoned expert, there are always unique challenges ready to give you a headache.
WPA2-PSK and WPA2-Enterprise: what’s the difference?
There are only a few situations in which WPA2-PSK should be deployed:
- The network has just a few devices, all of which are trusted. This could be a home or small office.
- As a way to restrict casual users from joining an open network when unable to deploy a captive portal. This could be a coffee shop or guest network.
- As an alternative network for devices not compatible with 802.1X. An example being game consoles in a student dorm.
There is no fixed device count at which a network should move to 802.1X; it depends on how much weight security carries. As a rule of thumb, consider it any time you care WHO is trying to connect. A pre-shared key is one secret shared by every device, so the network cannot tell users apart, and revoking one person's access means rekeying every device. With 802.1X each user or device has its own credential, which can be revoked on its own.
An additional benefit of 802.1X is dynamic VLAN assignment: the RADIUS server can tell the access point which VLAN to place each authenticated device in, so wireless devices are grouped as if they were on their own LAN. This makes policy management easier and can help segment and optimize network traffic.
Deploying WPA2-Enterprise and 802.1X
Only a few components are needed to make 802.1X work: a supplicant on the client, an authenticator (the access point or wireless controller), and a RADIUS authentication server backed by some identity store. If you already have access points and some spare server space, you have all the hardware you need for secure wireless. Sometimes you don't even need the server: some access points include a built-in RADIUS server (though it is only suitable for the smallest of small deployments). Whether you pay for a management solution or build one yourself from open-source tools, the quality and ease of use of an 802.1X deployment come down to its design.
Learn more about the pieces of 802.1X
Fortunately, almost all devices we might expect to connect to a wireless network have a supplicant built in: the vast majority of device manufacturers support 802.1X. The most common exceptions are consumer gear such as game consoles, entertainment devices and some printers. Generally speaking, these should be less than 10% of the devices on your network and are best treated as the exceptional cases they are, for example on the separate PSK network described above.
If the RADIUS server answers an authentication with an Access-Accept packet, that packet may carry attributes telling the switch or access point how to connect the device to the network. The common ones are the RFC 2868 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID), which specify the VLAN to assign the user, and Filter-Id, which names a set of ACLs the user should be given once connected. This is commonly called 'User Based Policy Assignment', as the RADIUS server is making the decision based on the user's credentials. A common use case is to push guest users to a 'Guest VLAN' and employees to an 'Employee VLAN'. The authenticator should only act on these attributes after checking the packet's Response Authenticator, which binds the reply to the original request and the shared secret; otherwise a spoofed reply could place a client in any VLAN.
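The exchange described above, as an added example that is not code from the original article or from any RADIUS product: the server side encodes the VLAN and ACL attributes into an Access-Accept, and the authenticator side verifies the Response Authenticator before extracting the policy. The shared secret, packet identifier and Request Authenticator are constructed sample values (in a real exchange they come from the preceding Access-Request).

```python
"""Build and validate a RADIUS Access-Accept carrying VLAN and ACL attributes.

Added example, not code from the original article. The shared secret,
identifier and request authenticator are constructed sample values.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2

# Attribute types from RFC 2865 / RFC 2868
FILTER_ID = 11
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE802 = 6    # Tunnel-Medium-Type value meaning "IEEE-802"

# Constructed sample values; a real Access-Request supplies these
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
IDENT = 7


def _attr(atype, value):
    """Encode one attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def _tagged_int(atype, tag, value):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte value."""
    return _attr(atype, bytes([tag]) + value.to_bytes(3, "big"))


def build_access_accept(ident, request_auth, secret, vlan, acl=None):
    """Server side: Access-Accept assigning `vlan` and optionally a Filter-Id ACL."""
    attrs = (
        _tagged_int(TUNNEL_TYPE, 1, TUNNEL_TYPE_VLAN)
        + _tagged_int(TUNNEL_MEDIUM_TYPE, 1, TUNNEL_MEDIUM_IEEE802)
        + _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([1]) + str(vlan).encode())
    )
    if acl is not None:
        attrs += _attr(FILTER_ID, acl.encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # RFC 2865: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response_authenticator(packet, request_auth, secret):
    """Authenticator side: True only if the reply matches our request and the secret."""
    if len(packet) < 20:
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def parse_access_accept(packet, request_auth, secret):
    """Return {'vlan': ..., 'acl': ...}, refusing replies that fail authentication."""
    if not verify_response_authenticator(packet, request_auth, secret):
        raise ValueError("bad Response Authenticator: forged reply or wrong shared secret")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    found = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        pos += alen
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[atype] = int.from_bytes(value[1:], "big")      # skip the tag byte
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first byte of 0x00..0x1F is a tag, anything larger is data
            found[atype] = (value[1:] if value and value[0] <= 0x1F else value).decode()
        elif atype == FILTER_ID:
            found[atype] = value.decode()
    vlan = None
    # Only honor the VLAN if the tunnel attributes actually describe an 802 VLAN
    if (found.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
            and found.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802
            and TUNNEL_PRIVATE_GROUP_ID in found):
        group = found[TUNNEL_PRIVATE_GROUP_ID]
        vlan = int(group) if group.isdigit() else group   # VLAN id or VLAN name
    return {"vlan": vlan, "acl": found.get(FILTER_ID)}


if __name__ == "__main__":
    accept = build_access_accept(IDENT, REQUEST_AUTH, SECRET, 100, "employee-acl")
    print(parse_access_accept(accept, REQUEST_AUTH, SECRET))
    # Flip one digit of the VLAN in transit: byte 35 is the first digit of "100"
    forged = accept[:35] + b"9" + accept[36:]
    print(verify_response_authenticator(forged, REQUEST_AUTH, SECRET))
```

When the authentication ran over EAP, the Access-Accept must also carry a Message-Authenticator attribute (an HMAC-MD5 over the packet, RFC 3579), which a production authenticator checks in addition to the Response Authenticator shown here.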
Developing a more robust WPA2-Enterprise network takes more work, like setting up a PKI or Certificate Authority. On the flip side, you can make any of these upgrades without buying new hardware or changing the infrastructure: rolling out guest access or changing the authentication method, for example. One upgrade many institutions have been making recently is switching EAP methods from PEAP to EAP-TLS, which replaces passwords with client certificates (so there is no password for a rogue access point to harvest) and which they report noticeably improves connection time and roaming. Again, improved wireless without changing a single piece of hardware.
For password-based authentication, there are basically two options: PEAP and EAP-TTLS. They are functionally similar, but TTLS is not supported natively in any Microsoft OS before Windows 8 without a third-party supplicant like our Enterprise Client. At this point, most institutions have deployed or switched to PEAP. However, PEAP's inner method, MSCHAPv2, can only be verified by a server that holds the password in cleartext or as an NT hash, so you can't deploy PEAP without either using Active Directory (a proprietary Microsoft service) or storing your passwords unencrypted. EAP-TTLS with PAP inside the tunnel has no such constraint: the server receives the password itself over the TLS tunnel and can check it against any stored hash. With either method, the client's validation of the RADIUS server certificate is what keeps the password or hash from being handed to a rogue access point.
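The client-side half of this, as an added example that is not code from the original article or from any vendor's supplicant: two constructed wpa_supplicant network blocks for a PEAP network, one that accepts any server certificate and one that pins the CA and the RADIUS server name, plus a small audit that flags the missing settings. The SSID, identities, certificate path and server name are assumptions.

```python
"""Audit wpa_supplicant network blocks for the settings that make PEAP/TTLS safe.

Added example, not code from the original article or from any vendor's client.
Both configurations below are constructed samples; SSID, identities, CA path
and RADIUS server name are assumed values.
"""

# Constructed weak profile: no ca_cert, so the supplicant accepts any server
# certificate and an evil-twin AP can complete the outer TLS handshake and
# collect the inner MSCHAPv2 challenge/response (or, with TTLS/PAP, the password).
WEAK_CONF = '''
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
'''

# Constructed hardened profile: pin the CA, pin the RADIUS server name, and keep
# the real username out of the unencrypted outer identity.
HARDENED_CONF = '''
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    anonymous_identity="anonymous@example.com"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
'''

TUNNELED_METHODS = {"PEAP", "TTLS"}
SERVER_NAME_KEYS = ("domain_match", "domain_suffix_match", "altsubject_match")


def parse_networks(text):
    """Return a list of dicts, one per network={ ... } block, with quotes stripped."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            current[key.strip()] = value
    return networks


def audit_network(net):
    """Findings for one network block; an empty list means nothing to fix."""
    findings = []
    if "WPA-EAP" not in net.get("key_mgmt", "").split():
        return findings
    if net.get("eap") not in TUNNELED_METHODS:
        return findings
    if "ca_cert" not in net and "ca_path" not in net:
        findings.append("no ca_cert/ca_path: any server certificate is accepted, "
                        "so a rogue AP can harvest the inner credential")
    if not any(k in net for k in SERVER_NAME_KEYS):
        findings.append("no domain_match/domain_suffix_match/altsubject_match: "
                        "any certificate from the trusted CA passes as the RADIUS server")
    if "anonymous_identity" not in net:
        findings.append("no anonymous_identity: the username is sent in cleartext "
                        "in the outer EAP-Response/Identity")
    return findings


def audit_config(text):
    """Map each SSID in a configuration to its list of findings."""
    return {net.get("ssid", "?"): audit_network(net) for net in parse_networks(text)}


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for ssid, findings in audit_config(conf).items():
            print(f"{name} profile, SSID {ssid}: {len(findings)} finding(s)")
            for finding in findings:
                print("  -", finding)
```

The same three checks apply to an EAP-TTLS profile; only the inner credential that a rogue server would collect differs (an MSCHAPv2 response with PEAP, the password itself with TTLS/PAP).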
Physical tokens are still in use, but their popularity is waning as smartphones have made them largely redundant: what used to live on a fob can now be put into an app. There are also many ways to do two-factor authentication outside of the EAP method itself, like using text messages or emails to validate a device.