Implement WPA2 Enterprise Encryption on Your WLAN
By Eric Geier (NoWiresSecurity Founder & Owner) - originally published on EnterpriseNetworkingPlanet
Implementing WPA2 Enterprise encryption with 802.1X authentication provides the best Wi-Fi security for businesses. However, as you may know, it isn't easy to set up and support. Nevertheless, you shouldn't let this stop you.
The Personal or Pre-Shared Key (PSK) mode of WPA2 doesn't provide adequate security for businesses. The single pre-shared key can be recovered offline by a dictionary attack against a captured four-way handshake; because the same static key sits on every device, a lost or stolen device means rekeying every client; and since everyone shares one key, employees can decrypt each other's traffic or simply hand the key to outsiders.
The Enterprise mode of WPA2 gives each user dynamic, per-session encryption keys, derived and distributed securely after the user logs in with a username and password or presents a valid digital certificate. Users never see the encryption keys, and there is no static key on the device for anyone to copy. This protects you against rogue or terminated employees (disable the account and the device can no longer join) and against lost or stolen devices. The list of reasons to use Enterprise mode goes on.
In this article, I'll discuss the issues related to deploying and using 802.1X. Best of all, I'll share some tips that can help you overcome them. Let's get started!
Expertise, time, and cost to set up a RADIUS server
Your first concern might be the expertise, time and cost involved in setting up the RADIUS server that 802.1X authentication requires. This is especially true for smaller businesses that don't have a big IT staff or budget, or any at all. However, there are RADIUS servers that are user-friendly, fairly easy to set up, and won't break the bank. The Elektron RADIUS Server runs at $750, the ClearBox Enterprise RADIUS Server $599, and the TekRADIUS Server is free. Another free option is the open source FreeRADIUS server, great for experienced IT administrators.
You don't even have to set up your own server if you use a hosted RADIUS service. This is great for smaller businesses, or those that don't want to dedicate the time or money to setting up and maintaining a server. Plus it doesn't require much advanced technical knowledge.
Configuring computers and devices
As you may know, you can't just connect to an Enterprise-protected wireless network like you do with the Personal or PSK mode. The 802.1X authentication settings must be configured on each client in advance; in Windows that means the wireless network's security properties, set either by you or the end user. This is complicated even more when end users bring their own laptops or mobile phones.
If you run a domain with Active Directory on a Windows Server, you may be able to push client settings to some end users with Group Policy (GPO). The netsh wlan command-line tool can also help, even without a domain network: export a working profile from one machine as XML and import it on the others.
Keep in mind, there are third-party solutions you can use to create a wizard that automates the client configuration process. The SU1X 802.1X Configuration Deployment Tool is a free and open source solution. Xpressconnect and Quick1X are commercial options. Once you create a configuration wizard, you might even look into creating a separate setup SSID with a captive portal that's unencrypted just so users can download the wizard, which would then configure and connect them to the Enterprise-protected SSID. Serve the wizard download over HTTPS, since anyone on that open SSID can otherwise tamper with it in transit.
There are also solutions to help configure mobile phones. Apple, for example, offers the iPhone Configuration Utility (iPCU) to push 802.1X and other settings to iPhones, iPod Touches, and iPads.
Creating and maintaining a PKI for digital certificates
If you're setting up your own RADIUS server, another concern you might have is creating and maintaining a Public Key Infrastructure (PKI) and certificate authority (CA) for issuing the digital certificates that 802.1X authentication requires. However, keep in mind that if you use the PEAP protocol for 802.1X, only one digital certificate is required, for the RADIUS server: clients authenticate with a username and password inside the TLS tunnel that the server certificate establishes. With the EAP-TLS protocol, the server and every client each need a certificate.
Remember, if you use a hosted RADIUS/802.1X service, you don't have to worry about this at all.
To get the digital certificate for the RADIUS server you can create your own CA, which most RADIUS servers help you with. Then a client configuration wizard like the three I mentioned can help install the CA certificate to the computers and devices.
If you don't want to install the CA certificate on all the computers, you can pay to get a digital certificate signed by a public CA, like VeriSign or GoDaddy. Most RADIUS servers can also help you create a certificate signing request (CSR) to submit to the public CA in order to get the signed certificate for the RADIUS server. GoDaddy charges as little as $50 for an SSL certificate. One caveat: clients already trust that public root, and anyone can buy a certificate from the same CA, so you must also pin the RADIUS server's name on the clients (see the man-in-the-middle section) or a rogue server with any certificate from that CA would be accepted.
Man-in-the-middle attacks
WPA2 Enterprise is also vulnerable to some attacks. For example, someone could set up an AP with the same SSID, backed by a modified RADIUS server, in hopes of capturing the login credentials: a client that accepts the rogue server's certificate hands over its MS-CHAPv2 challenge/response, which can then be cracked offline. However, you can help prevent this type of attack from being successful by ensuring you specify three optional settings in Windows, on the PEAP or Smart Card/Certificate window:
- Check the Validate server certificate option and select, from the list, only the Trusted Root Certification Authority that issued your RADIUS server's certificate.
- Check the Connect to these servers option and input the RADIUS server's name exactly as it appears in its certificate (the common name or subject alternative name); an IP address only works if the certificate contains it.
- Check Do not prompt user to authorize new servers or trusted certificate authorities, so a user can't click through and accept a rogue server.
Similar settings exist for most other operating systems and devices.
Also remember that you can apply these settings with a client configuration wizard, as mentioned earlier.