Regardless of the size of your business, using WPA2 security is a good first step in securing your Wi-Fi network. But do not use the standard's less secure PSK mode: it poses a serious potential risk.
Today, using Wi-Fi Protected Access II (WPA2) to protect wireless networks has become mainstream, but many small and even medium-sized enterprises still default to the Personal or pre-shared key (PSK) mode of the WPA2 standard rather than the Enterprise mode the standard also provides. Although the name sounds intimidating, the Enterprise mode is not only for large networks; it can be integrated into business environments of every size. You may think the Personal mode is easier to manage, but given the many security requirements of a business network, choosing convenience now often plants the seeds of future security incidents.
The WPA2 Enterprise mode uses 802.1X authentication, which gives the network an additional layer of security and is designed for business networks rather than personal use. Initial configuration of the Enterprise mode does require more resources and effort, for example providing a Remote Authentication Dial-In User Service (RADIUS) server or service, but the process is not necessarily as complex or expensive as you might expect. This is true both for a single enterprise and for IT or managed service providers that need to serve multiple organizations.
First, let me describe my own situation: the company I run provides cloud-based RADIUS services. But to be fair, speaking as an experienced network professional, enterprise-class Wi-Fi security is the best choice for all types of business networks; we will discuss the specific reasons in the next article. It is also important to emphasize that you do not have to use a managed RADIUS service at all. This article presents a variety of other RADIUS server options, some of which require no financial outlay. Now let's begin exploring and verifying Wi-Fi network security together.
What are the advantages of the Enterprise mode?
Each mode does have its own advantages. Initial setup of the PSK mode is very simple: all you do is set a password on the access point, and users connect to the Wi-Fi network by entering that one global password. It seems effortless, but this approach has several problems.
▲ In Personal or pre-shared key (PSK) mode, only a single global Wi-Fi password is set.
First, because every user on the network uses the same Wi-Fi password, any employee who leaves the company can keep using the wireless access point unless you change the password. Changing it means adjusting the access point's settings and giving the new password to all users, who must then enter it correctly at least once at their next logon so that the device saves it for future connections.
In Enterprise mode, each user or device has its own login credential, which can be changed or revoked when necessary without affecting any other user or device.
▲ In Enterprise mode, users must enter their own unique login credentials when connecting.
The next problem with the PSK mode is that the Wi-Fi password is normally saved on the client device. So once a device is lost or stolen, the password is compromised along with it, and the enterprise must change the password promptly to prevent a malicious person from gaining unauthorized access to the business environment. By contrast, with the Enterprise mode you only need to change or revoke the credential of the lost or stolen device to solve the problem.
▲ Anyone can easily view a saved PSK Wi-Fi password on Windows Vista or later, so the consequences of a lost or stolen device can be disastrous.
Other advantages of the Enterprise mode
There are several other advantages to using enterprise Wi-Fi security:
Better encryption: Because the Enterprise mode gives each user a different encryption key, it is much harder for a malicious person to recover the Wi-Fi key by brute force, the attack most feared in PSK mode.
Prevents user snooping: In Personal mode every user shares the same encryption key, so anyone who knows the password can capture other users' raw Wi-Fi traffic, which may well contain passwords sent to unsecured websites and mail services. In Enterprise mode, users cannot decrypt each other's wireless traffic.
Dynamic VLANs: If you use virtual LANs to segregate network traffic without 802.1X authentication, as in PSK mode, you have to assign Ethernet ports and wireless SSIDs to static VLANs manually. In Enterprise mode, 802.1X authentication lets you implement dynamic VLANs: the RADIUS server or user database automatically places each user in the VLAN previously assigned to them.
Other access controls: Most RADIUS servers that provide 802.1X authentication for Enterprise mode also support additional access policies that you can select and apply to users. For example, you can restrict the times at which each user may log in, which devices may connect, and even which access points they may connect through.
Wired support: If your switches support it, the 802.1X authentication used by enterprise Wi-Fi security can also control access to the wired network. Once enabled, users must enter their login credentials when plugging into an Ethernet port at the site before they can reach the network and the Internet.
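To make the per-user credential and dynamic VLAN points concrete, here is an added example (not code from the article or from the FreeRADIUS project) that builds FreeRADIUS `users` file entries from a constructed roster and shows how one user is revoked without touching the others. The roster format, usernames, passwords and VLAN ids are all assumptions.

```shell
#!/bin/sh
# Added example, not from the article: build FreeRADIUS "users" file entries
# from a constructed roster so that every user has their own credential and
# is placed in their own VLAN by a RADIUS reply (RFC 3580 Tunnel-* attributes).
# Roster format is an assumption: one "username,password,vlan" record per line.

ROSTER='alice,Correct-Horse-42,20
bob,Battery-Staple-7,30
carol,Guest-Pass-99,40'

# One entry per roster line. PEAP/MSCHAPv2 needs the cleartext (or NT-hash)
# password on the server, so the generated file must be readable only by
# the RADIUS daemon. Tunnel-Type VLAN and Tunnel-Medium-Type IEEE-802 are
# fixed; Tunnel-Private-Group-Id carries the VLAN id the switch or AP applies.
users_file() {
    printf '%s\n' "$ROSTER" | while IFS=, read -r user pass vlan; do
        [ -n "$user" ] || continue
        printf '%s\tCleartext-Password := "%s"\n' "$user" "$pass"
        printf '\tTunnel-Type = VLAN,\n'
        printf '\tTunnel-Medium-Type = IEEE-802,\n'
        printf '\tTunnel-Private-Group-Id = "%s"\n\n' "$vlan"
    done
}

# Revoke one user (a leaver or a stolen device): remove only that entry,
# i.e. its header line, its indented reply items and the blank separator.
# Every other user's credential and VLAN stay exactly as they were.
revoke_user() {
    awk -v u="$1" '
        /^[^ \t]/ { skip = ($1 == u) }   # a new entry starts; skip it if it is the target
        !skip
    '
}

# Count entries (lines that start with a username, not whitespace or a comment).
count_users() {
    awk '/^[^ \t#]/ { n++ } END { print n + 0 }'
}

# Demonstration: the full file, then the file after bob leaves the company.
users_file
echo "# --- after revoking bob ($(users_file | revoke_user bob | count_users) users remain) ---"
users_file | revoke_user bob
```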
RADIUS server options
As mentioned earlier, you must have a RADIUS server or service to use enterprise Wi-Fi security. It performs the 802.1X authentication and acts as, or connects to, the user database in which each user's own login credentials are defined. There are many RADIUS options on the market, including:
Windows Server or OS X Server: If you already have a Windows Server, consider using its RADIUS feature. In older versions this is Microsoft's Internet Authentication Service (IAS); in Server 2008 and later it is called the Network Policy Server (NPS). Similarly, Apple's OS X Server has built-in RADIUS capability.
Other servers: Check the documentation or online specifications of the servers already on your network, such as directory servers or network-attached storage, to see whether they offer RADIUS server functionality.
Access points: Many enterprise access points now have a built-in RADIUS server, typically supporting 20 or 30-plus users. Again, consult the documentation or online specifications for details.
Cloud services: Managed RADIUS services are ideal for those who do not want to set up or run their own server, and for those who need to protect multiple locations that are not joined by a WAN. Options include Cloudessa, IronWifi and our own offering, AuthenticateMyWiFi.
Open source or free software: The open source FreeRADIUS is one of the most popular servers today. It runs on Mac OS X, Linux, FreeBSD, NetBSD and Solaris, but requires some experience with Unix-like platforms. If you prefer a GUI, consider the free TekRADIUS, which runs on Windows.
Commercial software: There are of course many commercial hardware- and software-based options as well, including the ClearBox (Windows) and Aradial (Windows, Linux and Solaris) RADIUS servers.
Select an EAP type
The authentication method used by the 802.1X standard is the Extensible Authentication Protocol (EAP). There are many EAP types to choose from; the most popular are Protected EAP (PEAP) and EAP Transport Layer Security (EAP-TLS, or simply TLS).
Most traditional RADIUS servers and wireless clients support both PEAP and TLS, and may support other types as well. However, some RADIUS servers, such as cloud services or those built into access points, support only PEAP.
PEAP is the simpler EAP type: users access the Wi-Fi network simply by entering their username and password. This connection process is the most concise and intuitive for users on most devices.
TLS is more complex but also more secure: instead of the traditional username and password, it uses a digital certificate or a smart card as the user's login credential. On the downside, this means both administrators and users must spend more effort managing those credentials. To use smart cards, you have to buy card readers and cards and distribute them to every user. Digital certificates must be installed on every login device, which users may find difficult to do themselves. In the next installment, however, we will detail how deployment tools can simplify the distribution and installation of such certificates.
How to handle digital certificates
Every RADIUS server should have a digital SSL certificate installed, whether it uses PEAP or TLS. This lets the user's device verify the identity of the RADIUS server before authenticating to it. If you use TLS, you also need to create and install client certificates for users. Even with PEAP, you may have to distribute the root certificate to each client device.
You can use the tools provided with the RADIUS server to create your own digital certificates, known as self-signed certificates. Alternatively, you can buy a certificate from a public certificate authority such as Symantec SSL (formerly VeriSign) or GoDaddy.
For TLS deployments, it is usually best to create your own public key infrastructure (PKI) and self-signed certificates. This approach is best suited to situations where most Wi-Fi clients belong to a single network domain, so that certificate distribution and installation can be done easily. Users with devices that are not domain-joined generally have to install the certificate manually.
You can also use third-party products to simplify distribution of the server's root certificate and the client certificates in a non-domain environment, including the SU1X tool for Windows devices and XpressConnect, which supports Windows, OS X, Ubuntu Linux, iOS and Android devices.
If most users' Wi-Fi devices are not domain-joined, you can simplify PEAP setup by buying the server certificate from a public certificate authority. For client devices to authenticate the server, they must hold the root certificate of the authority that issued the server certificate, and Windows, Mac OS X and Linux devices usually come pre-installed with the root certificates of the major public certificate authorities.
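As an added example of the certificate work described above (not code from the article or from any RADIUS vendor), the following openssl commands create the self-signed root CA, the RADIUS server certificate that both PEAP and TLS clients verify, and one EAP-TLS client certificate, then run the purpose and chain checks a supplicant effectively performs. The organization name, hostname, user name and directory are assumptions.

```shell
#!/bin/sh
# Added example, not the article's: a minimal private PKI for WPA2 Enterprise
# built with openssl. ca.pem is the root certificate clients must trust (PEAP
# and EAP-TLS), server.pem is the RADIUS server certificate, alice.pem is one
# EAP-TLS client certificate. Names, hostnames and paths are assumptions.
set -e

build_pki() (
    set -e
    dir=${1:-./radius-pki}
    mkdir -p "$dir" && cd "$dir"
    # 1. Self-signed root CA, marked as a CA and limited to signing certificates.
    openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
        -subj "/CN=Example Corp Wi-Fi Root CA" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -sha256 \
        -extfile ca.ext -out ca.pem 2>/dev/null
    # 2. RADIUS server certificate. Supplicants check the EKU, so it must say
    #    serverAuth; the SAN is the name clients are configured to expect.
    openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
        -subj "/CN=radius.example.internal" 2>/dev/null
    printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:radius.example.internal\n' > server.ext
    openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 825 -sha256 -extfile server.ext -out server.pem 2>/dev/null
    # 3. Per-user client certificate for EAP-TLS. Revoking this user later means
    #    revoking this one certificate; nobody else is affected.
    openssl req -new -newkey rsa:2048 -nodes -keyout alice.key -out alice.csr \
        -subj "/CN=alice@example.internal" 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\n' > alice.ext
    openssl x509 -req -in alice.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 365 -sha256 -extfile alice.ext -out alice.pem 2>/dev/null
)

# The checks a supplicant (for the server) and the RADIUS server (for the
# client) effectively perform: each certificate chains to ca.pem and carries
# the right purpose. Prints "ok" when both pass.
verify_pki() {
    dir=${1:-./radius-pki}
    openssl verify -CAfile "$dir/ca.pem" -purpose sslserver "$dir/server.pem" >/dev/null 2>&1 &&
    openssl verify -CAfile "$dir/ca.pem" -purpose sslclient "$dir/alice.pem" >/dev/null 2>&1 &&
    echo ok
}

# Demonstration; skipped when openssl is not installed on this machine.
if command -v openssl >/dev/null 2>&1; then
    build_pki ./radius-pki && verify_pki ./radius-pki
fi
```

Install ca.pem (never ca.key) on client devices; server.key and alice.key stay only on the RADIUS server and on alice's device respectively.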