The two Wi-Fi Protected Access versions (WPA and WPA2) both have two very different modes that you can use to implement encryption and password protection on your wireless network.
The simplest and easiest mode is Pre-shared Key (PSK), commonly called the Personal mode. A single passphrase (password) is set on the wireless access points and must be entered by users on devices before they can connect to the wireless. This doesn’t require anything other than setting the password on the access points. However, as you’ll see, there are many downsides to using this type of security in a business or organization network environment.
The more complex, but more secure mode of Wi-Fi security is commonly called the Enterprise method. This mode allows each user to have their own login credentials that they enter on their device before connecting to the wireless network. This requires a RADIUS server to perform the 802.1X authentication, which contains or connects to a user database. However, there are many benefits of using this mode, making the extra effort worth your time in the long run.
Here I discuss many reasons why you should deploy the Enterprise Wi-Fi security mode on your main private network rather than the Personal mode. With that said, you still might find the Personal mode useful for other segregated network access, like secure wireless Internet for guests or contractors.
Wi-Fi more easily protected against lost or stolen devices
One vulnerability of Wi-Fi is that passwords (for both security modes) are by default saved on devices that users use to connect to the wireless network. Thus if an employee loses a device, whomever gets the device could return to the network and easily connect to the Wi-Fi. When using the Personal mode of WPA or WPA2, the global password for the Wi-Fi would have to be changed in order to prevent this type of vulnerability. This would require effort from the network admin to change the password on all access points and then inform the users of the change, while then requiring efforts by all users to enter the new password the next time they connect. Given the time and effort this process takes, it’s doubtful it will occur when it’s needed.
If the Enterprise mode of Wi-Fi security was deployed, however, protecting against a lost or stolen device is easy: the network admin would simply change just the one user’s password. This would then prevent any thief or snooper from returning to your business and connecting to the Wi-Fi with minimal effort.
Wi-Fi more easily protected against unauthorized access from ex-users
When using the Personal mode, you’re also subject to a scenario similar to that of lost or stolen devices each time an employee leaves the organization. Though there might be more trust with ex-employees, I’m sure you don’t want all past people to be able to come back and connect to the Wi-Fi. Again, to prevent this with the Personal mode, the network admin would have to change the global password in order to void the saved passwords on the devices of ex-employees. However, with the Enterprise mode, they’d simply delete that individual’s account on the RADIUS server or user database, preventing them from ever returning and gaining access to the network when they aren’t employed by you anymore.
Increases overall Wi-Fi security
In addition to the specific security improvements that the Enterprise mode makes, it also increases the overall Wi-Fi security. Though WPA2 security with AES encryption is relatively very secure, it still has its vulnerabilities, such as brute force and dictionary-based cracking and the WPS vulnerability. Although deploying WPA2 with the Enterprise mode doesn’t prevent all vulnerabilities, it does make brute force and dictionary-based cracking harder and nullifies the WPS vulnerability as WPS only works with the Personal mode.
The Enterprise mode can be deployed in various ways using a couple different Extensible Authentication Protocol (EAP) types. The most popular and easiest is PEAP, which users receive a username and password for their login credentials. Though it’s one of the most convenient and secure EAP types, it’s still vulnerable to brute force and dictionary-based cracking if someone sets up a fake signal and RADIUS server. But again, it’s more secure than the Personal mode of Wi-Fi security.
Another popular EAP type is EAP-TLS, which users receive a client security certificate for their login credentials. This is seen as a more secure EAP type since the user would have to have their unique security certificate file installed or a smart card physically plugged into the device. This eliminates the security traditional vulnerabilities of password-based authentication and is seen as one of the most secure Wi-Fi access methods.
Prevents user-to-user snooping
When the Personal mode of Wi-Fi security is used, all connected users can see each other’s wireless traffic. They could for instance, run password sniffing apps, login hijackers, or raw packet captures on the wireless network to snoop on other users. However, with the Enterprise mode, the way the encryption keys are created users cannot snoop on each other. This doesn’t prevent file sharing or other user-to-user communication, but just prevents them from decrypting each other’s raw traffic.
Allows you to dynamically assign users to VLANs
If you utilize VLANs to segregate network access between various departments or roles in the company (for instance one VLAN for management, another for IT, and another for regular employees), you might be creating an SSID for each to offer segregated wireless access. However, when using the Enterprise mode of Wi-Fi security, you can have the RADIUS server dynamically assign users to their appropriate VLAN upon connecting based upon which VLAN ID you have associated for each in the user database. Thus you could basically have just one SSID for the private wireless access, which improves the wireless performance and simplifies the connection process for users.
Deployment has become easier
I’ve discussed many ways in which the Enterprise mode of Wi-Fi security is superior to the Personal mode in regards to security, usability, and maintenance. It makes protecting against lost and stolen devices much easier and practical, along with protecting against unauthorized access from ex-employees. The Enterprise mode also provides better protection against hacking or cracking attempts and user-to-user snooping. Lastly, it gives you the option of dynamic VLAN assignments if you utilize multiple VLANs.
As mentioned, one of the biggest cons of using the Enterprise mode is that a RADIUS server is required for the 802.1X authentication, requiring more initial effort when setting up the security versus using the Personal mode. However as you’ve seen, the security is superior and it actually requires less effort than the Personal mode over time if you account for password changes.
Keep in mind that there are many RADIUS server options out there. Of course, there are commercial software solutions, from free to thousands of dollars. If you’re looking for a free solution and have the time and knowledge to setup and configure it, FreeRADIUS offers a proven Linux/Unix solution. For smaller networks, consider using access points that have a built-in RADIUS server. Or if you don’t want to setup or configure the server at all, consider hosted or cloud-based RADIUS solutions designed for Wi-Fi security.