How to use enterprise Wi-Fi security in SMBs
By Eric Geier (Our Owner & Lead Wi-Fi Consultant)
Originally published on NetworkWorld
It's become de rigueur to protect wireless networks with Wi-Fi Protected Access II (WPA2) security, but many small and even midsize businesses default to using the personal or pre-shared key (PSK) mode of WPA2, rather than its enterprise mode. Despite its name, however, the enterprise mode isn't only for large networks; it has a place in all businesses. Though you might think the simple personal mode is easier to use, the exact opposite can be true once you factor in the ongoing effort required to keep the business's network properly secured.
The enterprise mode of WPA2 uses 802.1X authentication, which provides an extra layer of security for a network, and is designed much better for business networks than the personal mode is. Though it does initially require more effort and resources to set up — for instance, you'll need a Remote Authentication Dial In User Service (RADIUS) server or service — it doesn't have to be complicated or costly, either for individual organizations or for IT/managed service providers who manage networks for multiple organizations.
Full disclosure: I own a business that provides cloud-based RADIUS service. However, it is my honest opinion as an experienced networking professional that enterprise-level Wi-Fi security is recommended for all business networks, for the reasons outlined below. And note that there's no need to use a hosted RADIUS service at all; this story presents many other RADIUS server options, several of which won't cost you anything. I'll walk you through the choices and the steps to a more secure Wi-Fi network.
How the enterprise mode is better
Each mode has its advantages, of course. The initial setup of the PSK mode is very simple. You just set a single password on the access points (APs), and then the users enter that global password when connecting to the Wi-Fi network. Seems effortless, but there are several problems with this method.
First, since everybody on the network uses the same Wi-Fi password, any users who leave the organization will continue to have wireless access until you change the password. A password change requires you to modify the AP settings and inform all the other users of the new password — and they have to enter it correctly the next time they connect, after which it's saved for future connections.
With enterprise mode, each user or device has individual login credentials that you can change or revoke when needed — no other users or devices are affected.
And here's another problem when using the PSK mode: The Wi-Fi password is typically stored on the client devices. Thus, if a device becomes lost or stolen, the password is compromised and should be changed to prevent unauthorized access by anyone who gets his or her hands on the device. Again, if the enterprise mode is used, you can change just that individual's password if the device is lost or stolen.
Additional benefits of the enterprise mode
There are many more advantages to using enterprise Wi-Fi security:
Better encryption: Since the encryption keys for the enterprise mode are unique for each user, it's more difficult for hackers to perform brute-force password cracking and other Wi-Fi attacks than with PSK mode.
Prevents user-to-user snooping: Since every user shares the same pre-shared key in personal mode, and the per-session encryption keys are derived from it, anyone with the Wi-Fi password can decrypt the raw data packets from the airwaves, which could include passwords for unsecured sites and email services. With enterprise mode, users can't decrypt each other's wireless traffic.
Dynamic VLANs: If you use virtual LANs to segregate network traffic without 802.1X authentication, as is the case with PSK mode, you likely have to manually assign Ethernet ports and wireless SSIDs to a static VLAN. However, with enterprise mode you can use 802.1X authentication for dynamic VLANs, which automatically put users onto the VLAN they've been assigned to via the RADIUS server or user database.
Additional access control: Most of the RADIUS servers that offer 802.1X authentication for the enterprise mode also support additional access policies that you can optionally impose upon the users. For instance, you may be able to set time limits on when they can connect, restrict which devices they can connect from and even restrict which APs they connect through.
Wired support: The 802.1X authentication used by enterprise Wi-Fi security can also be used for the wired portion of the network if the switches support it. When enabled, users who plug into an Ethernet port on the network must enter their login credentials before they're able to access the network and Internet.
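The dynamic-VLAN benefit above is carried by three attributes in the RADIUS server's Access-Accept reply. The Python below is an added example, not code from the article or from any RADIUS product: it encodes those attributes (RFC 2868 Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID, with the VLAN values from RFC 3580), computes the Response Authenticator of RFC 2865 that binds the reply to the shared secret configured between the AP and the server, and shows the AP-side check that rejects a reply that was altered or built without that secret. The shared secret, packet identifier and VLAN number are constructed sample values.

```python
# Added example (not from the article or any RADIUS product): encode the dynamic-VLAN
# attributes of a RADIUS Access-Accept and the Response Authenticator that protects it.
# All secrets, identifiers and the VLAN number below are constructed sample values.
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868
TUNNEL_TYPE_VLAN = 13          # RFC 3580: Tunnel-Type value for VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # RFC 3580: Tunnel-Medium-Type value for IEEE-802


def attr(atype, value):
    """One attribute: Type (1 byte) | Length (1 byte, header included) | Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def tagged_int(tag, value):
    """Tagged integer form of RFC 2868: 1 tag byte followed by a 3-byte integer."""
    return struct.pack("!B", tag) + value.to_bytes(3, "big")


def vlan_attributes(vlan_id, tag=1):
    """The three attributes that tell an 802.1X-capable AP or switch which VLAN
    the authenticated user belongs to."""
    return (attr(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
            + attr(TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
            + attr(TUNNEL_PRIVATE_GROUP_ID, struct.pack("!B", tag) + str(vlan_id).encode()))


def build_response(code, ident, request_auth, attributes, secret):
    """Server side. RFC 2865 section 3: Response Authenticator =
    MD5(Code | ID | Length | RequestAuth | Attributes | Secret), so only a party
    that knows the AP's shared secret can produce a reply the AP will accept."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    resp_auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + resp_auth + attributes


def verify_response(packet, request_auth, secret):
    """AP side: recompute the Response Authenticator for the request it sent
    and compare it in constant time."""
    header, resp_auth, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attributes + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def parse_attributes(attributes):
    """Walk the Type/Length/Value list; a length under 2 would never advance, so reject it."""
    out, i = [], 0
    while i < len(attributes):
        if i + 1 >= len(attributes):
            raise ValueError("truncated attribute header")
        atype, alen = attributes[i], attributes[i + 1]
        if alen < 2 or i + alen > len(attributes):
            raise ValueError("malformed attribute")
        out.append((atype, attributes[i + 2:i + alen]))
        i += alen
    return out


def assigned_vlan(packet):
    """Return the VLAN id carried by an Access-Accept, or None if the three
    tunnel attributes are not all present and consistent."""
    ttype = tmedium = group = None
    for atype, value in parse_attributes(packet[20:]):
        if atype == TUNNEL_TYPE:
            ttype = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_MEDIUM_TYPE:
            tmedium = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first byte <= 0x1F is a tag; anything larger is part of the string
            group = value[1:] if value and value[0] <= 0x1F else value
    if ttype == TUNNEL_TYPE_VLAN and tmedium == TUNNEL_MEDIUM_IEEE_802 and group:
        return int(group.decode("ascii"))
    return None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"     # constructed; never reuse in production
    request_auth = os.urandom(16)             # the AP's Request Authenticator
    accept = build_response(ACCESS_ACCEPT, 7, request_auth, vlan_attributes(20), secret)
    print("VLAN", assigned_vlan(accept), "authentic:", verify_response(accept, request_auth, secret))
    altered = accept[:-1] + b"1"              # VLAN "20" changed to "21" in flight
    print("altered reply authentic:", verify_response(altered, request_auth, secret))
```

The Response Authenticator is why the RADIUS shared secret between each AP and the server matters as much as the user credentials: it is the only thing that lets the AP tell a genuine Access-Accept from one injected on the wire.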
RADIUS server options
As mentioned above, you must have some sort of RADIUS server or service to use enterprise Wi-Fi security. It performs the 802.1X authentication and serves as, or connects to, the user database where you define the login credentials for the users. There are many different RADIUS options out there:
Windows Server or OS X Server: If you have a Windows Server, consider using its RADIUS capabilities. In older versions, you'd use what Microsoft calls the Internet Authentication Service (IAS) or, with Server 2008 and later, the Network Policy Server (NPS). Likewise, Apple's OS X Server has RADIUS capabilities built in.
Other servers: Check the documentation or online specs for any other existing servers on the network, like directory servers or network-attached storage, for any RADIUS server functionality.
Access points: Many business-class access points these days include a built-in RADIUS server, usually powerful enough for two or three dozen users. Again, check the documentation or online specs.
Cloud services: Hosted RADIUS services can be a good fit for those who don't want to set up or run their own server, or who need to secure multiple locations that aren't tied together on a WAN. Options include Cloudessa, IronWifi and my own service, AuthenticateMyWiFi.
Open or free software: The open-source FreeRADIUS is one of the most popular servers. It runs on Mac OS X as well as Linux, FreeBSD, NetBSD and Solaris, but it requires some experience with Unix-like platforms. For those more comfortable with a GUI, consider the free edition of TekRADIUS, which runs on Windows.
Commercial software: Of course there are many hardware and software-based commercial options as well, such as ClearBox (for Windows) or Aradial (for Windows, Linux and Solaris) RADIUS servers.
Choosing an EAP type
The authentication mechanism for the 802.1X standard is called the Extensible Authentication Protocol (EAP). There are various EAP types to choose from; the most popular are Protected EAP (PEAP) and EAP Transport Layer Security (or just TLS for short).
Most traditional RADIUS servers and wireless clients support both PEAP and TLS, possibly among many other types. However, some RADIUS servers, such as cloud services or those built into APs, might only support PEAP.
PEAP is the simpler EAP type: With it, users simply enter their usernames and passwords when connecting to the Wi-Fi network. This connection process is straightforward for users on most devices.
TLS is more complex but more secure: Instead of usernames and passwords, digital certificates or smart cards act as users' login credentials. On the downside, it requires more effort from administrators and users. With smart cards, you'd have to purchase the readers and cards, and then handle their distribution. And digital certificates must be installed onto the devices, which is likely not straightforward for users. As we'll see shortly, however, you can use deployment tools to help ease the distribution and installation of the certificates.
Dealing with digital certificates
Every RADIUS server, even if it's using PEAP, should have a digital SSL certificate installed. This allows user devices to validate the RADIUS server before initiating the authentication. If you're using TLS, you'll also have to create and install client-side certificates for users. Even if you're using PEAP, you might have to distribute the root certificate authority (CA) certificate to each client device if it doesn't already have it installed (more on this in a minute).
You can generate digital certificates yourself, typically called self-signing, using a utility provided by the RADIUS server, or purchase them from a public CA such as Symantec SSL (formerly VeriSign) or GoDaddy.
With a TLS setup it's usually best to create your own public key infrastructure (PKI) and self-signed certificates. This is more feasible for networks where most of the Wi-Fi clients belong to a single network domain, so you can easily distribute and install the certificate. Users with devices not on a domain typically must manually install the certificates.
There are some third-party products you can use to ease the process of distributing the server's root CA and client-side certificates in a non-domain network, such as the SU1X tool for Windows devices and XpressConnect for Windows, OS X, Ubuntu Linux, iOS and Android devices.
For PEAP setups, buying the server-side certificate from a public CA can save a lot of effort if the majority of your users' Wi-Fi devices aren't joined to a domain. This is because the root CA certificate from where the server certificate was generated must be on the client devices if you want them to have the ability to do server validation. Devices with Windows, Mac OS X and Linux usually pre-install the root CA certificates from most popular CAs.
Connecting devices that support enterprise mode
Once you've set up a RADIUS server or service, configured your access points to utilize the RADIUS for authentication, and distributed any required certificates to those devices that need them, you're ready to connect users' devices to the enterprise-secured Wi-Fi.
When connecting from a Windows, Mac OS X or iOS device, the connection process is straightforward: Choose the network from the network list as normal and (when using PEAP) you'll be prompted to enter a username and password. (With a TLS setup, the digital certificate or smart card logs the device in.) The connection process is a little different on Android; see "How to connect to enterprise Wi-Fi security on Android devices" for details.
Connecting non-enterprise devices
Just about all the popular operating systems for computers, tablets and smartphones these days support enterprise-mode WPA2. However, there are some Wi-Fi devices that support only the personal PSK mode. These are usually either older Wi-Fi devices or those primarily designed for home or consumer use, such as gaming consoles, wireless webcams or smart thermostats. You might also find a few business devices that lack enterprise-mode support, such as wireless credit card terminals.
Beyond simply replacing the device, which may not be an option, there are a couple of ways you can get a non-enterprise device connected. Many RADIUS servers support MAC (media access control) authentication bypass, which allows you to specify the MAC addresses of specific devices that you want to exclude from the authentication process and be allowed network access. However, given how easy it is to spoof MAC addresses, this isn't a very secure method. Another option is to create a separate SSID with personal PSK security, but this can also reduce the security of your network.
If the non-enterprise device has an Ethernet port, one option is to plug it into the wired network. If there's no available LAN port to plug into, another option is to use an enterprise-capable wireless bridge. You could disable the device's internal Wi-Fi (if any) and connect the wireless bridge to the device's Ethernet port; then the bridge would wirelessly connect to the main enterprise-secured Wi-Fi network.
Protecting against man-in-the-middle attacks
Although enterprise Wi-Fi security provides superior protection, it has vulnerabilities too, one of which is the man-in-the-middle attack. This occurs when a hacker sets up a fake wireless network or rogue access point, typically named the same as the target network, so Wi-Fi devices automatically roam to it. The fake network can have its own RADIUS server as well.
The hacker's objective is to get devices to connect to the fake network so the authentication attempts can be captured, which can lead to the hacker obtaining the login credentials. The fake network can even be set up so users are fully connected to the Internet, giving them no impression that something is wrong.
This is why it's so important to have a digital SSL certificate installed on your RADIUS server. As touched on earlier, most wireless devices can perform server validation after connecting to a Wi-Fi network. It helps ensure they are talking to the real server before passing along their login credentials.
With Windows, Mac OS X and iOS devices, server validation is usually enabled by default. The first time you connect to an enterprise Wi-Fi network, you're prompted to verify the details of the RADIUS server's digital certificate. Then by default you're usually prompted again if the server's digital certificate or the certificate's issuer changes.
On Android phones or tablets, you must manually enable server validation and possibly install the server's root CA certificate as well.
Server validation can help you identify a possible man-in-the-middle attack, but many users will blindly accept a new certificate. To prevent users from accepting new or changed server certificates, you can use any functionality the device or operating system offers to automatically deny certificate changes.
For instance, Windows provides a setting for this in the EAP properties on the computer or other device, which can be manually enabled on each device or pushed out to computers on domain networks.
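The server validation described in this section, and the public-CA option from the certificates section earlier, come down to two checks the client profile must make before the device releases its credentials: the server certificate chains to a CA the profile trusts, and the certificate's name is the one expected for your RADIUS server. The second check is what keeps a public-CA setup safe, since anyone can obtain a certificate from the same public CA for a name they control. The Python below is an added example, not code from the article or from any operating system or supplicant; certificates are represented as small constructed records (issuer fingerprint and DNS names) rather than parsed X.509, and the suffix-matching rule follows the label-wise behaviour of wpa_supplicant's domain_suffix_match option. All names and fingerprints are made up.

```python
# Added example (not from the article): the server-validation checks a client profile
# should apply to the RADIUS server's certificate before sending credentials. Certificates
# are small constructed records, not parsed X.509; names and fingerprints are made up.
import hashlib


def fingerprint(der):
    """SHA-256 fingerprint of a (here constructed) DER-encoded CA certificate."""
    return hashlib.sha256(der).hexdigest()


def domain_suffix_match(dns_name, suffix):
    """Label-wise suffix match, as wpa_supplicant's domain_suffix_match does it:
    'radius.example.com' matches 'example.com'; 'evilexample.com' and
    'example.com.attacker.test' do not."""
    dns_name = dns_name.lower().rstrip(".")
    suffix = suffix.lower().rstrip(".")
    return dns_name == suffix or dns_name.endswith("." + suffix)


def validate_server(profile, presented):
    """Decide whether the supplicant may continue the EAP handshake.
    profile:   what the administrator pushed to the device
    presented: what the device saw in the server's TLS certificate
    Returns (accept, reason)."""
    if not profile["validate_server"]:
        # The state the article warns about: any server, genuine or rogue, is accepted.
        return True, "validation disabled; any server accepted"
    if presented["issuer_fingerprint"] not in profile["trusted_ca_fingerprints"]:
        return False, "issuer is not one of the profile's trusted CAs"
    if not any(domain_suffix_match(n, s)
               for n in presented["dns_names"] for s in profile["server_suffixes"]):
        return False, "certificate name does not match the expected RADIUS server"
    return True, "server validated"


# Constructed CA fingerprints
CORP_CA = fingerprint(b"constructed DER: Example Corp private root CA")
PUBLIC_CA = fingerprint(b"constructed DER: some public CA")
ROGUE_CA = fingerprint(b"constructed DER: rogue AP's self-signed CA")

# Client profiles (constructed)
PINNED_PRIVATE_CA = {"validate_server": True,
                     "trusted_ca_fingerprints": {CORP_CA},
                     "server_suffixes": ["example.com"]}
PUBLIC_CA_WITH_NAME = {"validate_server": True,
                       "trusted_ca_fingerprints": {PUBLIC_CA},
                       "server_suffixes": ["radius.example.com"]}
NO_VALIDATION = {"validate_server": False,
                 "trusted_ca_fingerprints": set(),
                 "server_suffixes": []}

# What a device might see (constructed)
REAL_SERVER_PRIVATE = {"issuer_fingerprint": CORP_CA, "dns_names": ["radius.example.com"]}
REAL_SERVER_PUBLIC = {"issuer_fingerprint": PUBLIC_CA, "dns_names": ["radius.example.com"]}
ROGUE_SELF_SIGNED = {"issuer_fingerprint": ROGUE_CA, "dns_names": ["radius.example.com"]}
ROGUE_PUBLIC_CERT = {"issuer_fingerprint": PUBLIC_CA, "dns_names": ["radius.attacker.test"]}

if __name__ == "__main__":
    for label, profile, seen in [
        ("private CA, genuine server", PINNED_PRIVATE_CA, REAL_SERVER_PRIVATE),
        ("private CA, rogue self-signed", PINNED_PRIVATE_CA, ROGUE_SELF_SIGNED),
        ("public CA, genuine server", PUBLIC_CA_WITH_NAME, REAL_SERVER_PUBLIC),
        ("public CA, rogue with same CA", PUBLIC_CA_WITH_NAME, ROGUE_PUBLIC_CERT),
        ("validation off, rogue", NO_VALIDATION, ROGUE_SELF_SIGNED),
    ]:
        print(f"{label:32} -> {validate_server(profile, seen)}")
```

The fourth case is the one to remember when buying the server certificate from a public CA: trusting the CA alone is not enough, so the profile (Windows "Connect to these servers", wpa_supplicant domain_suffix_match, or the equivalent on the platform you manage) must also name the server.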