Scary Wi-Fi: the power of WPA2-Enterprise (if you do it right)

In our previous blog, we discussed the disadvantages of securing a company network with WPA2-Personal. We also promised that we’d come up with an alternative that’s much better suited to company Wi-Fi. So, in this article, let’s talk about the corporate equivalent of WPA2-Personal, called WPA2-Enterprise. How do the two Wi-Fi security technologies differ, and which tools should you add to make WPA2-Enterprise your ultimate security solution? And equally important: how do you make it work for yourself and your co-workers without working overtime? We’ll give you the answers in this blog.


Recap of WPA2-Personal

Let’s start by recapping why securing your company Wi-Fi with WPA2-Personal is a bad idea. First of all, WPA2-Personal is meant to secure a small, private network, such as the Wi-Fi people use at home, where the local network consists of only a couple of devices such as phones, laptops and tablets. Second, the Wi-Fi is secured with a pre-shared key that must be shared with anyone who needs access. This is fine for families and visiting friends, but at an office, Wi-Fi isn’t just used by many more people; it also gives access to large amounts of sensitive business data. Third, as WPA2-Personal relies on nothing more than a shared password, hackers who get hold of it have many ways to find vulnerable devices inside the network and take full control of it. Fourth, WPA2-Personal comes with no restrictions whatsoever: once you’re connected to the Wi-Fi, you have all the freedom in the world.


Differences between WPA2-Personal and WPA2-Enterprise

Clearly, company Wi-Fi needs a little more than a pre-shared key. This is where WPA2-Enterprise comes in. This older brother of WPA2-Personal works with an authentication process based on the 802.1X protocol. In its simplest form, this is the combination of the Wi-Fi access point asking the user for a username and password through the PEAP protocol and a RADIUS server in the background that checks whether this user is allowed access. If necessary, the RADIUS server can be connected to the internal user directory, so users can log in with their existing username and password. A server certificate is used to authenticate the access point, and temporary encryption keys are generated per session, so all traffic between the device and the network is now individually encrypted with keys that are thrown away once the session is closed. This is why WPA2-Enterprise is also referred to as secure wireless. Because of this, WPA2-Enterprise comes with three huge advantages:

  1. Security risks of a pre-shared key are eliminated
  2. Authentication of users takes place before they gain access to the network
  3. Because the data is encrypted per session, the chances of intruders being able to read the traffic or become a man-in-the-middle are smaller


Additional controls

Another great thing about WPA2-Enterprise is that it enables IT managers to implement additional controls. Let’s say you want to stop co-workers logging into the systems during non-working hours (you obviously don’t want them to get burnt out, or to sleep over and watch unlimited Netflix). With WPA2-Enterprise, the RADIUS server not only “tells” the Wi-Fi access point whether a user is allowed access to the network; it also tells the access point under which conditions. For example, some employees (CEOs, say) are allowed to access the network from their phone and laptop at all times, whereas other employees may only be allowed onto the network from a company laptop during working hours. Much more is possible here, but that’s outside the scope of this article. All of these additional controls give you more grip on your network and therefore improve overall IT security.


Are we there yet?

There’s a last problem that needs to be tackled. Despite the many advantages that come with WPA2-Enterprise, intruders can still steal your company data, for example by using a rogue access point or by stealing a user’s personal login credentials. If you want to make your Wi-Fi security watertight, users who want access to the network should be cleared based on something they know (a password) and something they have. This can be done with certificates installed on the devices or on smart cards. However, the PEAP protocol can only check user passwords, meaning you need to replace it with a protocol that’s able to check certificates. EAP-TLS is such a protocol, as it enables you to work with a multi-factor authentication procedure. This is how it works: you install client certificates on all the devices that need access to your company network, and you then implement the EAP-TLS protocol so that these certificates are used during authentication. This results in mutual authentication, as both the server and the device get proof of each other’s trustworthiness.

Hence: it becomes virtually impossible to pretend to be a trusted device when you’re really not. Gone is the man-in-the-middle!


One last note: compartments

It’s safe to say that the combination of WPA2-Enterprise, the EAP-TLS protocol and client certificates is a great way of securing your company Wi-Fi. But there’s another measure you can take. If you split your company network into different compartments (by creating different VLANs), you can have the RADIUS server direct users only to those compartments they need access to. For example, only a few people in your organisation need access to the financial systems, so why leave them out in the open? Compartmentalising helps you limit the risk of intruders gaining access to sensitive data, as it’s safely locked away from most people in the first place. This is called dynamic VLAN support and it comes for free with the WPA2-Enterprise implementation. Add this measure to the multi-factor authentication procedure we talked about, and you’ve got yourself a fine network access control solution.
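To make the two RADIUS-side ideas above concrete (the conditional access rules from the “Additional controls” section and the dynamic VLAN assignment from this one), here is a small worked example. It is added for this article and is not code from the original post or from any RADIUS product. It models a toy authorisation policy (user directory, allowed device classes, working-hours window and group-to-VLAN map are all constructed assumptions) and then encodes the three RFC 2868 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) that a real RADIUS Access-Accept carries to tell the access point which VLAN to place the client on.

```python
"""Toy RADIUS authorisation policy with dynamic VLAN assignment.

Added example, not the blog's or any vendor's code. The directory, device
classes, VLAN numbers and working hours below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional
import struct

# Constructed user directory: user -> group and the device classes it may use.
DIRECTORY = {
    "ceo":   {"group": "executives", "devices": {"laptop", "phone"}},
    "alice": {"group": "finance",    "devices": {"laptop"}},
    "bob":   {"group": "staff",      "devices": {"laptop"}},
}

# Constructed VLAN map: the compartment each group is steered into.
VLAN_BY_GROUP = {"executives": 10, "finance": 20, "staff": 30}

# Constructed working-hours window for non-executive staff.
WORK_START, WORK_END = time(7, 0), time(19, 0)


@dataclass
class Decision:
    accept: bool
    vlan: Optional[int]
    reason: str


def authorise(user: str, device_class: str, cert_ok: bool, when: datetime) -> Decision:
    """Decide Access-Accept/Reject and the VLAN for one authentication attempt.

    cert_ok stands for the outcome of EAP-TLS client certificate validation;
    the other checks are the conditional rules described in the article.
    """
    if not cert_ok:
        return Decision(False, None, "client certificate failed validation")
    entry = DIRECTORY.get(user)
    if entry is None:
        return Decision(False, None, "unknown user")
    if device_class not in entry["devices"]:
        return Decision(False, None, f"device class {device_class!r} not allowed")
    in_hours = WORK_START <= when.time() < WORK_END
    if entry["group"] != "executives" and not in_hours:
        return Decision(False, None, "outside working hours")
    return Decision(True, VLAN_BY_GROUP[entry["group"]], "ok")


# RADIUS attribute type codes and enum values from RFC 2868.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13     # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_802 = 6     # Tunnel-Medium-Type value meaning "IEEE-802"


def _attr(attr_type: int, value: bytes) -> bytes:
    # Generic RADIUS attribute layout: Type (1 byte), Length (1 byte), Value.
    return struct.pack("BB", attr_type, 2 + len(value)) + value


def vlan_attributes(vlan: int, tag: int = 1) -> bytes:
    """Encode the tunnel attributes an Access-Accept carries for VLAN `vlan`."""
    def tagged_int(v: int) -> bytes:
        # Tagged integer: one tag byte followed by a 3-byte big-endian value.
        return bytes([tag]) + v.to_bytes(3, "big")
    return (
        _attr(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
        + _attr(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_802))
        # Tunnel-Private-Group-ID is a tagged string holding the VLAN id.
        + _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode())
    )


def parse_attributes(blob: bytes) -> dict:
    """Decode a run of RADIUS attributes into {type: raw value}, rejecting bad lengths."""
    out, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        out[attr_type] = blob[i + 2:i + length]
        i += length
    return out


if __name__ == "__main__":
    d = authorise("alice", "laptop", True, datetime(2023, 6, 14, 10, 0))
    print(d, parse_attributes(vlan_attributes(d.vlan)))
```

The `authorise` function is where a real RADIUS server's policy (FreeRADIUS `unlang`, NPS network policies and so on) would sit; the attribute encoding is what actually crosses the wire to the access point, which is why the parser checks lengths before trusting them.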

Sounds like a lot of work? Well, it is. Fortunately, there’s a way to automate the entire process of creating, installing and renewing certificates on devices. This is called automated NAC and you can compare it with a dishwasher taking care of your dishes. It will do so better and faster, while you can go off and do other things. On top of that, automated network access control is also far less prone to error compared to manual implementation. Only benefits here!

Want to know more about network access control and learn about the possibilities for your own company network? Download the white paper below!


Originally published 19 May 2019, updated on 14 June 2023 for freshness and relevancy

Hans-Peter Ponten
