Deploying enterprise Wi-Fi security with 802.1X authentication isn't difficult, but it is often overlooked on smaller networks because it requires installing and maintaining a server. Smaller businesses and organizations often lack an IT staff, so they must either figure it out on their own or hire a third party to come in. Either way, there are ways to simplify the process and make the deployment and maintenance more reasonable, whether you're from that small business or an outside IT provider helping them.
If you search the Internet for details on 802.1X authentication, you'll find that most pages go on about supplicants, authenticators, and other technical details. Here I will skip past the jargon and get right to the point, along with giving tips on how to get started.
Benefits of Enterprise Wi-Fi Security
Any business or organization with more than a couple of Wi-Fi devices should consider using enterprise Wi-Fi security. The main benefit over the personal (PSK) mode of Wi-Fi security is that the enterprise mode allows you to give each Wi-Fi user or device a unique password (or other login credentials) which can be managed from a central location.
If someone loses a Wi-Fi device or leaves the organization, you can simply change or revoke their individual Wi-Fi login when using the enterprise mode of WPA/WPA2. When using the personal mode, you'd have to change the password for everyone in order to secure the network after a lost device or a departing employee. In practice, most people won't actually change the password, allowing a thief or past employee to come back to the network (even from the parking lot), connect, and possibly access sensitive files and communication.
Another great benefit of the enterprise mode is that users can't snoop on each other. Each client ends up with its own encryption keys, derived from a master key that the RADIUS exchange produces for that session alone, so no one else can unlock its traffic. With the personal mode of WPA/WPA2, every client derives its keys from the same passphrase, and anyone who knows that passphrase and captures another client's connection handshake can decrypt that client's communication.
There are many other benefits of enterprise security as well, such as the ability to dynamically assign users to VLANs and support for additional controls such as login-time or device restrictions.
Understand the Overall Process
Here are the main steps to implement enterprise Wi-Fi security:
Set up a RADIUS server or sign up for a cloud service: During the configuration you would also create a password (technically called a shared secret) that you'd enter into the wireless router or APs, in addition to specifying the usernames and passwords (or other credentials) users will use to log in to the wireless network. Each AP should get its own shared secret, and the server identifies an AP by its IP address, so the AP's address must be registered on the server as well.
Enable enterprise security on your wireless router or APs: You would enable the enterprise mode of WPA/WPA2 security, specify the IP address and port of the RADIUS server (UDP 1812 by default), and enter the password (shared secret) you created on the server.
Log in from devices: You would choose the wireless network from the computer or device like any other network and you'll be prompted for the username and password.
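To make the role of the shared secret concrete, here is a small model of the exchange between an AP and a RADIUS server. It is example code added to this article, not taken from any RADIUS product, and it uses the plain username/password (PAP) form of the protocol because that is the simplest one (and the one tools like radtest use to check a secret before you configure the APs); with PEAP the user's password is never sent this way, but the shared secret still protects the packets exactly as shown. The AP address, secret and user list are constructed sample data. It follows RFC 2865 for the packet layout, the password hiding and the Response Authenticator.

```python
"""Toy RADIUS (RFC 2865) PAP exchange between an access point (the NAS) and a
RADIUS server, showing where the shared secret is used on each side.
Example code added to this article; not from any RADIUS implementation."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32   # attribute type numbers


def encode_attrs(pairs):
    """Attributes are TLVs: type (1 byte), total length (1 byte), value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def decode_attrs(data):
    attrs, i = {}, 0
    while i + 1 < len(data):
        t, length = data[i], data[i + 1]
        if length < 2:
            break                      # malformed attribute; stop parsing
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def hide_password(secret, request_auth, password):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def unhide_password(secret, request_auth, hidden):
    """Inverse of hide_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(secret, ident, username, password, nas_id, request_auth=None):
    """What the AP sends after a client submits a username and password."""
    ra = request_auth if request_auth is not None else os.urandom(16)
    attrs = encode_attrs([
        (USER_NAME, username),
        (USER_PASSWORD, hide_password(secret, ra, password)),
        (NAS_IDENTIFIER, nas_id),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def build_response(code, request, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20)      # no attributes in this toy reply
    resp_auth = hashlib.md5(header + request[4:20] + secret).digest()
    return header + resp_auth


def radius_server(packet, client_ip, clients, users):
    """Server side. The secret is looked up by the AP's source address, never by
    anything inside the packet; requests from unknown addresses are dropped (None)."""
    secret = clients.get(client_ip)
    if secret is None:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return None
    attrs = decode_attrs(packet[20:length])
    password = unhide_password(secret, packet[4:20], attrs.get(USER_PASSWORD, b""))
    ok = users.get(attrs.get(USER_NAME, b"")) == password   # garbage if the secrets differ
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, packet, secret)


def verify_response(request, response, secret):
    """AP side: recompute the Response Authenticator. A reply that fails this check
    (mismatched secret, or forged) must be discarded, not treated as a reject."""
    if response is None or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[4:20] == expected


def authenticate(client_ip, nas_secret, username, password, clients, users):
    """Full round trip as the AP sees it: 'accept', 'reject', or 'dropped'."""
    req = build_access_request(nas_secret, 7, username, password, b"ap-lobby")
    resp = radius_server(req, client_ip, clients, users)
    if not verify_response(req, resp, nas_secret):
        return "dropped"
    return "accept" if resp[0] == ACCESS_ACCEPT else "reject"


# Constructed sample data for this example: one registered AP and two users.
CLIENTS = {"192.0.2.10": b"Q7v!shared-secret-for-lobby-ap"}
USERS = {b"alice": b"correct horse", b"bob": b"battery staple"}

if __name__ == "__main__":
    ap, secret = "192.0.2.10", CLIENTS["192.0.2.10"]
    print(authenticate(ap, secret, b"alice", b"correct horse", CLIENTS, USERS))     # accept
    print(authenticate(ap, secret, b"alice", b"wrong", CLIENTS, USERS))             # reject
    print(authenticate(ap, b"typo-in-ap-config", b"alice", b"correct horse", CLIENTS, USERS))  # dropped
```

The third case is the one people hit most often when first setting this up: if the secret typed into the AP doesn't match the one on the server, the server still answers, but the AP can't validate the reply and the client just sees the login fail, so check the RADIUS server log before assuming the user's password is wrong.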
Explore Alternative RADIUS Server Options
If the network already has a server with RADIUS capability, such as a Windows Server (its Network Policy Server role is a RADIUS server) or another directory, you could certainly consider using it. Some network storage (NAS) products even have embedded RADIUS servers you could consider.
If you don't already have RADIUS server capability, there are open source options (such as FreeRADIUS) and commercial offerings. However, for smaller networks you might consider an alternative type of server. Many business-class wireless APs these days include an embedded RADIUS server, eliminating the need for a separate server. These are typically designed for smaller networks, with limits on the number of users or devices they can handle.
If you don't want to configure a RADIUS server at all, consider a cloud-based or hosted service, which typically can handle larger numbers of users and devices. In addition to not having to maintain a server of your own, these hosted services typically allow use from multiple locations, whereas with traditional servers you must have a separate server at each location unless you create VPN connections between the locations. Do check how the service protects the RADIUS traffic crossing the Internet (a VPN tunnel or RADIUS over TLS) rather than relying on the shared secret alone.
Consider the Simpler Password Authentication: PEAP
When configuring your RADIUS server or service, you'll likely have to decide which EAP type to use for the 802.1X authentication. To simplify the configuration and connection process, consider the Protected EAP (PEAP) option. This lets users log in to the Wi-Fi with a familiar username and password, which PEAP carries inside a TLS tunnel to the RADIUS server.
The other popular EAP type, EAP-TLS, is generally more secure but requires generating digital certificates for the Wi-Fi devices and/or users and then installing them onto the devices. There are third-party deployment solutions that can ease this type of configuration, but it's still more complicated than PEAP.
For smaller networks without an IT staff, I suggest going with the simpler option of PEAP, which is still much more secure than using the personal (PSK) mode of Wi-Fi security. One caveat applies, though: PEAP's protection rests on the client checking the RADIUS server's certificate before it sends the password. The server still needs a certificate (self-signed or from a small private CA is fine), and each client should be configured to trust only that CA and that server name, so that a rogue AP broadcasting the same network name with its own RADIUS server can't collect user logins. On Windows this is the "verify the server's identity" setting in the PEAP profile; leaving certificate validation off is the most common mistake in PEAP deployments.
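What that client-side check looks like in practice, as an added example in the wpa_supplicant configuration format (the network name, user, CA file path and server name are placeholders, not values from this article; this is not configuration from any particular vendor):

```conf
# Weak: no CA or server name is pinned, so the supplicant accepts whatever
# certificate the RADIUS server presents. A rogue AP with the same SSID and
# its own RADIUS server can then collect the MSCHAPv2 challenge/response,
# which can be attacked offline to recover the password.
network={
    ssid="SmallBizWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="alice-password"
    phase2="auth=MSCHAPV2"
}

# Corrected: trust only the CA that issued the RADIUS server certificate and
# require the name the certificate must carry. A server that fails either
# check is rejected before the password ever leaves the client.
network={
    ssid="SmallBizWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    anonymous_identity="anonymous"          # keeps the real username out of the outer, unencrypted exchange
    password="alice-password"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/smallbiz-radius-ca.pem"
    domain_suffix_match="radius.smallbiz.example"
}
```

The same two settings exist on every platform under different names: on Windows the PEAP profile's "verify the server's identity by validating the certificate" option plus the trusted root and server-name fields, and on Android the "CA certificate" and "Domain" fields of the network. If a client suddenly prompts that the certificate is untrusted after it has been working, treat that as a warning sign rather than something to click through.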
You Can Connect Non-Enterprise Devices Too
Though the majority of Wi-Fi devices these days support enterprise Wi-Fi security and 802.1X authentication, you might run into some that don't, such as gaming consoles, wireless media devices, and Wi-Fi video cams. If the device has an Ethernet port, you can use a wireless bridge that supports enterprise security to connect to the Wi-Fi and then run an Ethernet cable from it to the device that lacks the support. The wireless bridge basically acts as an external wireless adapter; it holds the 802.1X credentials, and the device behind it never needs them. You may also be able to use lower-cost consumer products for this purpose, such as wireless routers that offer a client bridge or WDS mode, provided that mode supports enterprise security.
If the device that lacks enterprise security support also doesn't have an Ethernet port and you can't replace the device, you could consider enabling the personal mode of WPA/WPA2 security on a secondary virtual SSID of the network. Though you'd be using the personal mode there, you still aren't defeating the purpose of using the enterprise mode for the main network. You can change the password on the secondary SSID periodically, which is easier when fewer devices connect to it. You could even use VLANs and firewall rules to block clients on that less-secure secondary SSID from reaching the main enterprise-secured network and allow them only Internet access.
Remember, no matter how small a network, the use of enterprise Wi-Fi security should be considered if there are more than a couple of Wi-Fi devices and/or users. This helps secure the network by giving each device or user unique login credentials that can be revoked individually. The setup process doesn't have to be costly or time consuming either. There are alternatives to setting up your own RADIUS server, such as a cloud or hosted service that doesn't require any on-premises server or maintenance.