Deploying WPA2-Enterprise Wi-Fi Security in Small Businesses

Introduction

When setting up a wireless network, you’ll find two very different modes of Wi-Fi Protected Access (WPA) security, which apply to both the WPA and WPA2 versions.

The easiest to setup is the Personal mode, technically called the Pre-Shared Key (PSK) mode. It doesn’t require anything beyond the wireless router or access points (APs) and uses a single passphrase or password for all users/devices.

The other is the Enterprise mode —which should be used by businesses and organizations—and is also known as the RADIUS, 802.1X, 802.11i, or EAP mode. It provides better security and key management, and supports other enterprise-type functionality, such as VLANs and NAP. However, it requires an external authentication server, called a Remote Authentication Dial In User Service (RADIUS) server to handle the 802.1X authentication of users.

Here I’ll share information and tips to help you understand, setup, and manage enterprise Wi-Fi security in small businesses—even if running a non-domain network without a Windows Server.

Understand the Benefits of Enterprise Mode

The Enterprise mode enables users to log onto the Wi-Fi network with a username and password and/or a digital certificate. Both credential-types can be changed or revoked at any time on the server when a Wi-Fi device becomes lost or stolen, or an employee leaves the organization. When using the Personal mode, the passphrase would have to be manually changed on all APs and Wi-Fi devices.

Since the Enterprise mode provides each user with a dynamic and unique encryption key, it also prevents user-to-user snooping on the wireless network. When using the Personal mode, successfully connected users can see each other’s traffic—possibly passwords, emails, and other sensitive data.

The dynamic keying also helps the overall strength of the WPA (TKIP) and WPA2 (AES) encryption. The Personal mode is more susceptible to brute-force dictionary attacks that can reveal the encryption key to hackers. This is why it’s very important to create long and complex passphrases when the Personal mode is used.

Consider All Server Options

If the small business has a Windows Server, you could use the Internet Authenticate Service (IAS) or Network Policy Server (NPS) feature for the required RADIUS server. For help you can refer to a previous article series by Brien Posey or myself.

There are several other options, great for those lacking a domain network:

• Buy and use APs that have a built-in RADIUS server. Examples include the HP ProCurve 530 and ZyXEL NWA-3500 or NWA3166, and run around $150 and up. If it’s a simple wireless setup, you may be able to get away with buying just one and using cheaper APs for more coverage.
  
• Create your own router/gateway with a built-in RADIUS server, such as with RouterOS or Zeroshell. This usually consists of installing the software onto a server. For smaller and less crucial networks, you could even dust-off and repurpose an old PC for the job.
  
• Use a hosted service, such as AuthenticateMyWiFi, to save the time, money, and expertise required in setting up your own server. It also provides client configuration help and makes it easier to deploy the enterprise security at multiple locations.
  
• Use a freeware server, such as TekRADIUS a free GUI-based Windows application.
  
• Use a free and open source server, such as FreeRADIUS, which uses plain-text files for configuration and command-line for administration. Primarily for Linux/Unix machines but can also run on Windows.
  
• Purchase and use RADIUS server software, such as Elektron ($750) for Windows or Mac OS X and ClearBox ($599) for Windows.

Easing Client Configuration

In addition to running a RADIUS server, the Enterprise mode also requires a more complex client configuration on the computers and Wi-Fi devices of the end-users. The Personal mode only requires entering a passphrase when prompted, and can usually be done by the end-users. But for the Enterprise mode you’ll likely need to install the server’s certificate authority (CA) certificate onto the clients (plus per-user certificates if using EAP-TLS) and then manually configure the wireless security and 802.1X authentication settings. It’s best for the IT or tech staff to initially setup and troubleshoot client configuration, or use a deployment utility to help.

If a Windows Server is used, you may be able to distribute the certificate(s) and configure the settings remotely and centrally using Group Policy, at least for the Windows machines that are joined to the domain.

For non-domain networks, you could consider using the free SU1X 802.1X utility or commercial options: XpressConnect and Quick1X. These types of utilities let you specify or capture the security and authentication settings and generate a client setup program. End-users (or even IT staff) can then execute the program, automating the configuration of their computer. They can also help distribute the RADIUS server’s CA certificate (and possibly end-user certificates if using EAP-TLS). Some can also perform other checks and wireless setting changes to aid in the deployment, such as removing profiles for existing SSIDs and setting profile priorities.

Understand the Overall Steps

To help you better understand the process of setting up WPA/WPA2-Enterprise and 802.1X, here’s the basic overall steps:

1. Choose, install, and configure a RADIUS server, or use a hosted service.
   
2. Create a certificate authority (CA), so you can issue and install a digital certificate onto the RADIUS server, which may be done as a part of the RADIUS server installation and configuration. Alternatively, you could purchase a digital certificate from a public CA, such as GoDaddy or Verisign, so you don’t have to install the server certificate on all the clients. If using EAP-TLS, you’d also create digital certificates for each end-user.
   
3. On the server, populate the RADIUS client database with the IP address and shared secret for each AP.
   
4. On the server, populate user data with usernames and passwords for each end-user.
   
5. On each AP, configure the security for WPA/WPA2-Enterprise and input the RADIUS server IP address and the shared secret you created for that particular AP.
   
6. On each Wi-Fi computer and device, configure the security for WPA/WPA2-Enterprise and set the 802.1X authentication settings.

Summary

We discussed the main concerns small businesses should have when setting up enterprise Wi-Fi security. Now you should have a basic understanding of the benefits, server options, and simplifying client configuration. You should also have a good idea of what’s involved and where you should start.

Once you’ve gotten basic authentication up and running, you can experiment with authorization and accounting functionality. Authorization features typically include allowing you to limit specific users to using certain computers and APs and limiting connection days and times. Accounting can help you produce reports and logs on usage for troubleshooting, auditing, or billing purposes.