
15 Reasons to Use Enterprise WLAN Security
By Eric Geier (NoWiresSecurity Founder & CEO), originally published on eSecurityPlanet
The Enterprise mode of Wi-Fi Protected Access (WPA or WPA2) encryption uses 802.1X authentication to provide better security for wireless networks. This mode should be used by all businesses and organizations (no matter how small) rather than the Personal or Pre-Shared Key (PSK) mode. There are myriad reasons why your business’s Wi-Fi network should be protected by enterprise-grade security. Here are 15 of the best.
When using the Enterprise mode, each client receives a unique encryption key after logging in. This prevents the dictionary attacks that are possible against the Personal mode, where an attacker may be able to crack the shared encryption key.
The encryption keys for the network aren’t saved on computers or devices, unlike with the Personal mode. Therefore, if a laptop, phone, or other mobile device becomes lost or stolen, the thief won’t have the keys to the network. You can simply change the user’s password instead of having to change the encryption key on every network device, as you’d have to with the Personal mode.
The special ingredient of the Enterprise mode is 802.1X authentication. This authentication protocol isn’t designed just for Wi-Fi. If your wired switches support it, you can use 802.1X authentication for the wired side of the network too. Users plugging into Ethernet ports would also have to configure the client settings and supply login credentials before accessing the network.
The simple fact that users can log on to the wireless network with a familiar username and password, instead of entering a long, complex key, is a benefit in itself.
Since the actual encryption keys are negotiated securely in the background after logging in, the end-user won’t see the keys as he or she would when using the Personal mode. This prevents employees from seeing or recovering the key to log in with other devices or to give to someone else for malicious intent.
In the early days of 802.1X and WPA-Enterprise, RADIUS servers weren’t optimized for this type of authentication. Now there are servers specifically designed for Wi-Fi authentication, such as Elektron, starting at $750. Clearbox is another RADIUS server, which is cheaper at $599. Even better, TekRADIUS is freeware. FreeRADIUS is one of the most popular servers and is free and open source. Hosted RADIUS services, such as AuthenticateMyWiFi, are economical, easily support multiple locations, and don’t require in-house technical expertise.
Other enterprise servers also often include RADIUS support, like the Dell blade server solution through their PowerConnect service.
Some businesses have been held back by legacy equipment, computers, and devices that only support the insecure WEP encryption. However, as old equipment is replaced or updated, WPA/WPA2 should be supported. Plus, all major operating systems have included an 802.1X supplicant for many years now.
The difficulty of configuring the authentication settings and installing digital certificates on the client computers and devices is one of the biggest roadblocks to using 802.1X. It can be a burden on end-users and support staff. However, there are now solutions that help you create and deploy a wizard to automate the configuration on the clients. The SU1X 802.1X Configuration Deployment Tool is a free and open source solution; XpressConnect and Quick1X are commercial options. If you use Active Directory on a Windows Server, you can push client settings to end-users whose computers belong to the domain. Another Microsoft tool that may help is the Netsh command-line tool.
The most popular EAP type now, PEAP, doesn’t require digital certificates to be installed on the clients, as EAP-TLS does. PEAP still requires a certificate for the server so clients can verify they’re talking to the correct server before authenticating. If you create your own self-signed certificates, this means you still must install your Certificate Authority (CA) certificate on every client. However, you can save a lot of time by purchasing a certificate from a CA already recognized by the client OS, for example from GoDaddy. You don’t need anything fancy, just a regular SSL certificate like you might use for securing a Web server, which can be as low as $50.
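As an added example that is not part of the original article, here is a wpa_supplicant network block showing the server validation PEAP depends on, for both the self-signed CA and purchased-certificate cases just described; the SSID, identities, password, CA bundle path and server name are assumed placeholder values:

```text
# Added example: a wpa_supplicant.conf network block for WPA2-Enterprise with
# PEAP/MSCHAPv2. The SSID, identities, password, CA path and server name are
# placeholders, not values from the article.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    # The outer identity travels in the clear; the real username is only sent
    # inside the TLS tunnel, after the server certificate has been validated.
    anonymous_identity="anonymous@example.com"
    identity="alice@example.com"
    password="replace-me"
    # Server validation. With your own CA, point ca_cert at that CA's certificate
    # and install it on every client. With a certificate bought from a public CA
    # (the GoDaddy case above), the system bundle already trusts it, but then
    # domain_suffix_match is essential: without it, anyone holding a certificate
    # from that same public CA could pose as your RADIUS server.
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    domain_suffix_match="radius.example.com"
}
```

Leaving ca_cert unset makes wpa_supplicant accept any server certificate, which is exactly the gap a fake AP and RADIUS server would rely on.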
When using static VLANs, you must assign Ethernet ports and wireless access points (APs) to a single VLAN. However, you can use dynamic VLANs, where clients are assigned to a VLAN based upon their MAC address or login credentials. The RADIUS server you use for 802.1X can enable this dynamic VLAN functionality. Users are automatically placed on their designated VLAN upon logging on, no matter which port they plug into or AP they connect to.
If you use VLANs along with 802.1X, you can offer wireless access to visitors or the public. On the RADIUS server, you’d associate the visitor’s username with a VLAN ID designated for public access. This isn’t possible when using the Personal mode of WPA/WPA2; to give outsiders Wi-Fi access with that mode, you’d have to give them the encryption key to the whole network.
Since each user securely receives a unique encryption key after logging in, users can’t see each other’s wireless traffic. The Personal mode, however, uses a single shared encryption key, so users can snoop on each other.
802.1X authentication can be used in conjunction with a relatively new technology called NAP (Network Access Protection). NAP gives you more control over which clients can access the network. Compliance is based upon enforcement of identity and health policies you define, such as requiring the client to have the latest antivirus updates installed.
Most RADIUS servers let you assign attributes to users or groups, giving you more control over client access than when using the Personal mode. Common attributes include Login-Time, letting you define the exact days and times they can log in; Called-Station-ID, to specify which APs they can connect to; and Calling-Station-ID, to specify which clients they can connect from.
The Enterprise mode still has vulnerabilities. For example, a hacker can set up a fake AP and RADIUS server in hopes of obtaining login credentials from users. However, you can help prevent these types of attacks by enabling three key settings on the Windows PCs, on the PEAP or Smart Card/Certificate window:
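The dynamic VLAN assignment, the guest VLAN and the per-user check attributes described above, as an added FreeRADIUS users-file example that is not part of the original article; the usernames, passwords, VLAN IDs, SSID and MAC address are assumed placeholder values:

```text
# Added example: entries for FreeRADIUS's "users" file (in 3.x the same syntax lives in
# mods-config/files/authorize). Every username, password, VLAN ID, SSID and MAC below
# is a constructed placeholder. Comma-separated items on an entry's first line are check
# items that must all match; indented lines that follow are reply attributes sent to the
# AP or switch. Processing stops at the first matching entry unless Fall-Through is set.

# Staff user: whichever AP or switch port alice authenticates through, the Tunnel-*
# reply attributes (RFC 3580) tell the NAS to put her session on VLAN 10.
alice   Cleartext-Password := "replace-me"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10"

# Visitor account: same SSID and same login process, but the reply places the session
# on the public VLAN 99, so the staff network is never exposed to the guest.
guest   Cleartext-Password := "replace-me"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "99"

# Restricted user: the check items limit when and from where bob may log in.
#   Login-Time          weekdays 08:00-18:00 only (logintime module format)
#   Called-Station-Id   APs send "<AP-MAC>:<SSID>", so the regex pins the SSID
#   Calling-Station-Id  the client's MAC as the AP reports it (separator varies by vendor)
bob     Cleartext-Password := "replace-me", Login-Time := "Wk0800-1800", Called-Station-Id =~ ":CorpWiFi$", Calling-Station-Id == "00-11-22-33-44-55"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10"

# Anyone not matched above is rejected explicitly instead of being left to fall through.
DEFAULT Auth-Type := Reject
        Reply-Message = "Unknown user"

# PEAP caveat: the inner identity is authenticated in the inner-tunnel virtual server, so
# the outer request's Called-/Calling-Station-Id must be copied into the tunnel and the
# Tunnel-* reply attributes copied back out (copy_request_to_tunnel and use_tunneled_reply
# in the peap section of the eap module config, or the equivalent policy in newer 3.x).
```

The reply attributes only take effect if the AP or switch honours RADIUS-assigned VLANs, so check that setting on the NAS as well as on the server.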