Moving to WPA/WPA2-Enterprise Wi-Fi Encryption
By Eric Geier (NoWiresSecurity Founder & CEO); originally published on InformIT.com
As you may already know, Wired Equivalent Privacy (WEP) is not secure. This first wireless LAN security standard, developed by the IEEE, has been crackable by Wi-Fi attackers for nearly a decade now.
In 2003, the Wi-Fi Alliance released a security certification called Wi-Fi Protected Access. The first version (WPA) uses TKIP with RC4 encryption; it has taken a few hits from researchers and, although it has not been completely broken, it is now a legacy option rather than one to build on.
The second version (WPA2), released in mid-2004, is the one to deploy, because it fully implements the IEEE 802.11i security standard with CCMP/AES encryption.
In this article, we'll look at the two very different modes of Wi-Fi Protected Access and see how and why you'd want to move from the easy-to-use Personal mode to the Enterprise mode.
Now let's get started!
Two Modes of WPA/WPA2: Personal (PSK) versus Enterprise
Both versions of Wi-Fi Protected Access (WPA/WPA2) can be implemented in either of two modes:
- Personal or Pre-Shared Key (PSK) Mode: This mode is appropriate for most home networks, but not for business networks. You define an encryption passphrase on the wireless router and any other access points (APs), and users must enter that same passphrase when connecting to the Wi-Fi network.
Though this mode seems very easy to implement, it makes properly securing a business network nearly impossible. Unlike in Enterprise mode, wireless access can't be managed per user or from a central point: one passphrase applies to all users, and the network's master key is derived directly from that passphrase and the SSID, so every device configured with it holds the same key. If the global passphrase ever needs to be changed, it must be changed manually on every AP and every computer. That is a big headache exactly when you need it most; for instance, when an employee leaves the company or when a computer is stolen or compromised.
Also unlike in Enterprise mode, the passphrase is stored on the computers. Anyone with access to a computer, whether an employee or a thief, can connect to the network and recover the passphrase from the saved profile.
- Enterprise (EAP/RADIUS) Mode: This mode provides the security needed for wireless networks in business environments. Though more complicated to set up, it offers individualized and centralized control over access to your Wi-Fi network. Users are assigned login credentials (or certificates) that they must present when connecting, and administrators can modify or revoke those credentials at any time.
Users never deal with the actual encryption keys. Keys are created securely in the background, per user and per session, after the user's credentials have been verified. There is no shared network key sitting on every computer for someone to recover.
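The following Python is an added example, not code from the original article, showing concretely why "anyone with the passphrase has the network key" in Personal mode. It derives the WPA/WPA2-PSK master key (PMK) from the passphrase and SSID exactly as IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, 4096 rounds), then runs the 4-way-handshake key expansion that turns the PMK into per-session keys. The passphrase/SSID pair "password"/"IEEE" is the 802.11i test vector; the MAC addresses and nonces are constructed values, not captured traffic. Because the nonces and MACs cross the air in the clear, anyone holding the passphrase can reproduce every other user's session key; in Enterprise mode the PMK is fresh per session, so there is nothing shared to reproduce.

```python
import hashlib
import hmac


def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)
    per IEEE 802.11i. Every device configured with the passphrase computes the same PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes):
    """4-way handshake key expansion for CCMP: PTK = PRF-384(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    Returns (KCK, KEK, TK), 16 bytes each; both sides get the same result from the same inputs."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


# Constructed handshake values (assumptions for the demo, not captured traffic).
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes.fromhex("10" * 32)
SNONCE = bytes.fromhex("20" * 32)


def session_keys(pmk: bytes) -> bytes:
    """Temporal key (TK) a station ends up with for the constructed handshake above."""
    _, _, tk = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    return tk


def eavesdropper_recovers_tk(passphrase: str, ssid: str, ap_mac: bytes, sta_mac: bytes,
                             anonce: bytes, snonce: bytes, victim_tk: bytes) -> bool:
    """Someone who knows the shared passphrase and sniffed the handshake (MACs and nonces
    are sent unencrypted) derives the victim's TK without ever joining the network."""
    _, _, tk = derive_ptk(wpa_psk_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    return hmac.compare_digest(tk, victim_tk)


if __name__ == "__main__":
    psk_pmk = wpa_psk_pmk("password", "IEEE")
    print("PSK-mode PMK:", psk_pmk.hex())
    print("eavesdropper with passphrase recovers PSK-mode TK:",
          eavesdropper_recovers_tk("password", "IEEE", AP_MAC, STA_MAC, ANONCE, SNONCE,
                                   session_keys(psk_pmk)))
    # Enterprise mode: the PMK is unique per session (derived from the EAP exchange and
    # delivered to the AP by the RADIUS server). A fixed stand-in value is used here.
    enterprise_pmk = b"\x01" * 32   # stand-in for a per-session EAP-derived PMK
    print("eavesdropper with passphrase recovers Enterprise TK:",
          eavesdropper_recovers_tk("password", "IEEE", AP_MAC, STA_MAC, ANONCE, SNONCE,
                                   session_keys(enterprise_pmk)))
```

The PMK value printed for "password"/"IEEE" is the published 802.11i test vector, so you can use this function to sanity-check any PSK tooling. Note that rotating the passphrase changes the PMK for every device at once, which is exactly the operational headache described above.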
Introducing 802.1X Authentication and RADIUS Servers
The authentication method used to verify user (and server) credentials on WPA/WPA2-Enterprise networks is defined in the IEEE 802.1X standard. It requires an external authentication server: a Remote Authentication Dial In User Service (RADIUS) server, also called an Authentication, Authorization, and Accounting (AAA) server. RADIUS is used for many other network protocols and environments, including ISP dial-up and VPN access.
The RADIUS server speaks the Extensible Authentication Protocol (EAP) and communicates with the wireless APs, which are referred to as RADIUS clients or authenticators. Each AP is registered on the server with its IP address and a shared secret that authenticates the AP's RADIUS traffic. The RADIUS server basically serves as a middle-man between the APs and the user database. The APs in turn talk directly to the 802.1X client, referred to as the 802.1X supplicant, on the end user's computer or device. EAP messages travel between supplicant and AP in EAPOL frames, and between AP and RADIUS server inside RADIUS EAP-Message attributes, so the AP relays the conversation without needing to understand the EAP method itself.
802.1X authentication is port-based. When someone attempts to connect to the Enterprise-protected network, the AP's controlled port for that client stays blocked and only the EAPOL traffic needed to exchange credentials is allowed through. If authentication succeeds, the RADIUS server hands the AP the master key material for that session (encrypted under the shared secret) in its Access-Accept, the AP and client derive the session encryption keys from it, and the port opens to give the end user full access.
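As an added example (not the article's own code), the following Python builds and checks the RADIUS packets that carry the 802.1X exchange between the AP (the RADIUS client) and the server. It encodes an EAP-Response/Identity into an Access-Request with the Message-Authenticator that RFC 3579 requires whenever EAP-Message is present, verifies it the way the server would, and computes the Response Authenticator the AP uses to check the server's reply. The shared secret, the identity "anonymous@example.com", the station MAC, and the fixed Request Authenticator are constructed values for the demo; a real AP must draw the Request Authenticator from a secure random source. Only the standard library is used.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 2869, RFC 3579).
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, CALLING_STATION_ID, NAS_PORT_TYPE = 1, 31, 61
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
NAS_PORT_TYPE_WIRELESS_80211 = 19
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type(1) Length(1) Value; value is at most 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long; split it across several attributes")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def eap_response_identity(identity: bytes, eap_id: int = 1) -> bytes:
    """EAP-Response/Identity: Code(1)=Response, Id(1), Length(2), Type(1)=Identity, data."""
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(identity), EAP_TYPE_IDENTITY) + identity


def build_access_request(secret: bytes, ident: int, user_name: bytes, station_mac: bytes,
                         eap_payload: bytes, request_auth: bytes = None):
    """Access-Request as sent by the AP. The Request Authenticator is 16 random bytes;
    Message-Authenticator = HMAC-MD5(secret, whole packet with its own value zeroed)
    and is mandatory whenever an EAP-Message attribute is present (RFC 3579)."""
    request_auth = os.urandom(16) if request_auth is None else request_auth
    attrs = (attr(USER_NAME, user_name)
             + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
             + attr(CALLING_STATION_ID, station_mac)
             + attr(EAP_MESSAGE, eap_payload)
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))   # placeholder, filled in below
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac, request_auth       # placeholder is the last 16 bytes


def attributes(pkt: bytes):
    """Yield (type, value) for every attribute after the 20-byte RADIUS header."""
    pos = 20
    while pos < len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            raise ValueError("malformed attribute")
        yield atype, pkt[pos + 2:pos + alen]
        pos += alen


def verify_message_authenticator(secret: bytes, pkt: bytes) -> bool:
    """Server-side check: recompute HMAC-MD5 with the Message-Authenticator zeroed
    and compare in constant time. Missing attribute means the packet is discarded."""
    pos = 20
    while pos < len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += alen
    return False


def build_reply(secret: bytes, code: int, ident: int, request_auth: bytes, attrs: bytes) -> bytes:
    """Access-Accept/Reject/Challenge: Response Authenticator =
    MD5(Code | ID | Length | RequestAuth | Attributes | Secret) (RFC 2865 section 3).
    A real Access-Accept after EAP also carries EAP-Success and the MS-MPPE key attributes."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def verify_reply(secret: bytes, reply: bytes, request_auth: bytes) -> bool:
    """AP-side check of a reply against the Request Authenticator it sent."""
    head, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


# Constructed sample exchange; secret, identity and MAC are assumptions for the demo.
SECRET = b"s3cret-per-ap"
IDENTITY = b"anonymous@example.com"


def sample_exchange():
    eap = eap_response_identity(IDENTITY)
    req, ra = build_access_request(SECRET, 7, IDENTITY, b"AA-BB-CC-DD-EE-FF", eap,
                                   request_auth=bytes.fromhex("00112233445566778899aabbccddeeff"))
    reply = build_reply(SECRET, ACCESS_ACCEPT, 7, ra, attr(USER_NAME, b"alice"))
    return req, ra, reply


if __name__ == "__main__":
    req, ra, reply = sample_exchange()
    print("Access-Request:", req.hex())
    print("server accepts Message-Authenticator:", verify_message_authenticator(SECRET, req))
    print("AP accepts reply:", verify_reply(SECRET, reply, ra))
```

Two things to take from this: the shared secret is the only thing protecting the AP-to-server leg (both checks are keyed MD5), so it must be long, random and unique per AP; and the outer identity sent in the clear here can be a placeholder such as anonymous@example.com when the EAP method tunnels the real username.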
Getting an Authentication Server
There are a few routes you can go to get an 802.1X authentication server:
- FreeRADIUS: This is one of the most popular AAA servers in the world. Though it's a free open source project, it's more for advanced IT personnel. It is available for many platforms, including Linux, Mac OS X, and Windows. By default, you change settings by editing its configuration files: the AP entries with their shared secrets, the EAP settings, and the user store.
- Windows Server: If you already have a Windows Server set up, you can use the included Internet Authentication Service (IAS) in Windows Server 2003 or the Network Policy Server (NPS) in Windows Server 2008 and later.
- Outsourced Services: Hosted services, such as AuthenticateMyWiFi, are great for those who don't want to invest a lot of money or time setting up a RADIUS server, who have multiple offices, or who don't have the technical expertise. These services can also provide functionality beyond a traditional RADIUS server. For instance, the APs don't have to be reachable from the Internet; they can sit behind NAT routers or gateways, and the service can still assign a unique shared secret to each AP. These services also come with web-based control panels, which makes configuring the authentication settings much easier. Keep in mind that the AP-to-server RADIUS traffic then crosses the Internet protected only by the shared secret, so use a long, random secret per AP and any VPN or encrypted transport the service offers.
The Different Flavors of EAP
The brain behind 802.1X authentication is actually the Extensible Authentication Protocol (EAP). There are many types, or flavors, of EAP. The type an organization should use depends upon the desired level of security, the acceptable complexity, and what the server and clients support.
Here are the most popular types:
- PEAP (Protected EAP): This method is one of the most popular and easiest-to-implement EAP types. It authenticates end users via usernames and passwords (typically MS-CHAPv2 inside a TLS tunnel) that they enter when connecting to the network. The server presents a certificate so that clients can validate it before sending credentials; turn that validation on, and pin the expected CA or server name, on every client, because a client that skips it will hand its password exchange to any rogue AP running its own RADIUS server. This type is supported by default in Windows.
- TLS (EAP-TLS): This type is one of the most secure flavors, but takes more to implement and maintain. Both client and server are validated via certificates. Instead of providing a username and password when connecting, each end-user device must have a client certificate and its private key loaded into its 802.1X client. Administrators control the certificate authority (CA) and issue the client certificates, which gives them more control (a lost device's certificate can simply be revoked) but requires more administrative time.
- TTLS (Tunneled TLS): A tunneled variant of EAP-TLS that, like PEAP, validates the server with a certificate but doesn't require client-side certificates, reducing the management overhead. This EAP type historically had no native support in Microsoft Windows and required a third-party client such as SecureW2; Windows 8 and later include a native EAP-TTLS supplicant.
Your Next Steps
You've discovered how 802.1X authentication makes WPA/WPA2-Enterprise encryption the way to secure Wi-Fi networks in businesses. You also learned that an authentication server is required and that PEAP, TLS, and TTLS are the popular EAP types.
Here are a few tips to help you with your next steps:
- Find and select a RADIUS server or outsourced service.
- Set up the RADIUS server with the EAP settings, the AP entries (IP address and a unique shared secret each), and the user accounts or certificates.
- Configure your APs with the encryption (WPA2 with AES) and the RADIUS server address, port, and shared secret.
- Configure Windows (or other OS) clients with the encryption and 802.1X settings, including validation of the RADIUS server's certificate.
- Finally, connect to your Enterprise-protected network!