Obtain Wireless Access Control for Personal Devices

Source: Internet
Author: User

Editor's note: Lisa Phifer is vice president of Core Competence, a consulting company focusing on leading network technologies. She has been designing, implementing, and evaluating network and security products for up to 25 years. At Core Competence, she has advised many large and medium-sized enterprises on customer requirements, product evaluation, use of new technologies, and best solutions. Prior to joining Core Competence, Phifer worked at the Bell Institute of Communications and won the presidential award in ATM network management. She has presented at many industry conferences and online seminars on topics such as wireless LAN, mobile security, NAC and VPN. She has also written articles on network architecture and security technology for multiple professional media, including SearchSecurity.com, security information, Wi-Fi Planet, ISP-Planet, commercial communications review, and online world.

We are deploying an 802.11n wireless network on the bottom floor of the workshop, re-planning the workbenches and work rooms, and streamlining the process. What wireless access control method do you recommend to allow access by some major employees and prevent them from accessing the company's network through personal devices?

For this type of wireless access control, I recommend using the access control functions built into all Wi-Fi devices that support 802.11n, namely WPA2-Personal and WPA2-Enterprise. WPA2-Personal requires each device to supply a pre-shared key derived from a passphrase. For example, every device on the bottom floor of your workshop may need to supply the same 20-character random string, which is configured during deployment and known only to your IT department. This method is usually combined with MAC address filtering, so that only known devices with the correct pre-shared key are authorized for access. However, MAC address filtering is easy to bypass, and a pre-shared key that is too short can be guessed.
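As an added example (not from the original article), the Python below shows how WPA2-Personal turns a passphrase and the SSID into the 256-bit pre-shared key, and compares a short passphrase with the 20-character random string described above. The SSID `WorkshopFloor` and the guess rate are constructed values, assumed only for illustration.

```python
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PSK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA2 passphrase must be printable ASCII")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    # The SSID acts as the salt, so the same passphrase gives a
    # different key on a differently named network.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode(), 4096, 32)


def generate_passphrase(length: int = 20) -> str:
    """Random passphrase from a CSPRNG, as IT would generate at deployment."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def days_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / 86400


if __name__ == "__main__":
    rate = 1e6  # assumed guess rate, for comparison only
    for label, length, size in [("8 lowercase letters", 8, 26),
                                ("20 random alphanumerics", 20, len(ALPHABET))]:
        bits = entropy_bits(length, size)
        print(f"{label}: {bits:.1f} bits, "
              f"{days_to_exhaust(bits, rate):.3g} days to exhaust")
    secret = generate_passphrase()  # constructed sample secret
    print("PSK for WorkshopFloor:", derive_psk(secret, "WorkshopFloor").hex())
```

Because every device shares the one string, its strength matters only as long as it stays inside the IT department; the per-device credentials discussed next remove that dependency.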

WPA2-Enterprise requires each device to log in through 802.1X, which supports multiple authentication methods. For example, each device on the bottom floor of your workshop may need a unique digital certificate to authenticate its identity. Alternatively, each device may need to supply a unique username and password, configured at deployment and known only to your IT department. With this Wi-Fi access control method, you can tell which individual device has logged on. When used with certificates, WPA2-Enterprise is rarely subject to password sharing and reuse, a common problem in which employees who know a valid username and password or pre-shared key configure it on a personal device.

However, you still want some key employees to access the company's network through personal devices. A common practice is to create a separate network (SSID) and a corresponding VLAN in your wired network. Devices managed by IT receive certificates during installation and are configured to access "MachineNet", while personal devices access "SpecialNet" through a different authentication method. In this way, key employees will not get the pre-shared key for "MachineNet" unless they submit the device to IT.

If you want both network access protection and a simple, secure way for key employees to register their personal devices on "SpecialNet", ask your WLAN or NAC vendor whether they sell guest management features or a registration portal that supports authorizing personal mobile devices for Wi-Fi access. Another approach to network access protection and wireless access control is to manage these tasks with mobile device management software.
