Upgrade to WPA2-Enterprise Wi-Fi Security

by Eric Geier

Don’t settle for consumer-grade security on your small business network. Our Wi-Fi network expert tells you how to lock down your Wi-Fi network using enterprise-grade security.

Your small business's Wi-Fi security is crucial. When you leave your wireless router or access points (APs) completely unprotected, anyone within range of the signal can connect to your wireless Internet, capture your traffic, and possibly access your computers and other network resources. And if you're using an older network security standard, it could be hacked or bypassed, or otherwise fail to provide adequate protection.

You may have been told not to use WEP security as it can be quickly cracked, and that you should instead use Wi-Fi Protected Access: the first version, WPA, or the latest, WPA2. However, you should also understand there are two very different modes, both of which can be used with WPA and WPA2.

1. Personal Mode or Pre-shared Key (PSK)

Personal mode is the easiest to set up and requires that you create a simple password on your wireless router or APs, then enter it into computers and wireless devices when connecting to the Wi-Fi. Though WPA2 provides strong encryption and security and is potentially uncrackable by hackers if you use a long and strong password, the Personal Mode doesn’t provide adequate protection for businesses with more than a couple of Wi-Fi users.

Since the Wi-Fi password is saved on the computers and devices, if one is lost or stolen, or an employee leaves the company, anyone can come back to your business and connect to your Wi-Fi. To prevent this you would have to change the Wi-Fi password on all your wireless routers/APs and on each Wi-Fi computer and device.

Additionally, your Wi-Fi network could be susceptible to other vulnerabilities when using this mode, like network users eavesdropping on each other’s traffic and the Wi-Fi Protected Setup (WPS) PIN security hole.
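
Why a shared password behaves this way, as an added example that is not part of the original article and goes a step beyond it by walking through the standard WPA2 key derivation. The SSID, passphrase, MAC addresses and function names are constructed for illustration, and os.urandom stands in for the key material an Enterprise-mode (EAP) login would produce.

```python
import hashlib
import hmac
import os

def psk_pmk(passphrase: str, ssid: str) -> bytes:
    """Personal mode: master key = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter) blocks, concatenated."""
    out, counter = b"", 0
    while len(out) < length:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:length]

def session_key(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Per-connection key (48 bytes for CCMP). Only the master key is secret here:
    the MAC addresses and nonces cross the air unencrypted during the handshake."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)

def compare_modes() -> dict:
    # Constructed sample values, not taken from the article.
    ssid, passphrase = "ExampleCorp-WiFi", "constructed sample passphrase"
    ap, laptop = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce, snonce = os.urandom(32), os.urandom(32)

    # Personal mode: every device that stores the passphrase derives the same master key,
    # so any of them reproduces the session key of another user's connection.
    staff_pmk = psk_pmk(passphrase, ssid)
    departed_pmk = psk_pmk(passphrase, ssid)  # laptop of an employee who has left
    staff_key = session_key(staff_pmk, ap, laptop, anonce, snonce)
    other_key = session_key(departed_pmk, ap, laptop, anonce, snonce)

    # Enterprise mode: each login yields its own master key from the EAP exchange.
    # os.urandom is a stand-in (assumption) for that per-user key material.
    alice_pmk, bob_pmk = os.urandom(32), os.urandom(32)
    return {
        "psk_master_key_shared": staff_pmk == departed_pmk,
        "psk_session_key_reproducible": staff_key == other_key,
        "eap_session_key_reproducible":
            session_key(alice_pmk, ap, laptop, anonce, snonce)
            == session_key(bob_pmk, ap, laptop, anonce, snonce),
        "psk_rotation_changes_key": psk_pmk("new constructed passphrase", ssid) != staff_pmk,
    }

if __name__ == "__main__":
    print(compare_modes())
```

The only way to lock out the departed laptop in Personal mode is the rotation shown in the last check, which also changes the key for every remaining device.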

2. Enterprise Mode, or 802.1X or RADIUS Mode

Enterprise mode provides adequate protection for businesses; however, it is more complicated to set up, and it requires an external server called a RADIUS or AAA server. Instead of creating a global password on the Wi-Fi routers or APs, each user can receive unique login credentials. You can assign users their own username and password and/or a file (digital certificate) that they install on their computer or device.

Even though users can save these to their computers or devices, if the device is lost or stolen -- or the employee leaves the company -- you can easily revoke access or change the login credentials on your RADIUS server. Using this mode also prevents other types of attacks, like users eavesdropping on each other’s traffic and the Wi-Fi Protected Setup (WPS) PIN security hole.

Keep in mind that 802.1X authentication can also be implemented on the wired side of your network, so users plugging in via Ethernet must also provide login credentials before being granted access. However, wired 802.1X isn’t supported on consumer-level and even some small business-level routers. If you want to use 802.1X on the wired side, your switches must support it.

Getting a RADIUS Server

As mentioned, to use the Enterprise mode of WPA or WPA2 you need a RADIUS server, which is required for the 802.1X/EAP authentication. If your company has an IT staff, you could consider using a traditional RADIUS server. If you already have a Windows Server you can use the included Internet Authentication Service (IAS) of Windows Server 2003 and earlier or the Network Policy Server (NPS) of Windows Server 2008 and later.

And if you don’t have a Windows Server, you could use the popular free and open source FreeRADIUS server, primarily designed for running on Linux, Mac, and Unix-based computers and servers. But if you're not a Linux/Mac/Unix fan, you could use the freeware TekRADIUS server in Windows, or purchase a commercial server like Elektron or ClearBox.

If you don’t have an IT staff, but you have a tech-savvy employee, you could consider purchasing an AP that has a built-in RADIUS server, like the NWA-3500, NWA3166 or NWA3160-N from ZyXEL. Though these require some understanding of configuring a RADIUS server for 802.1X, they don’t require as much as installing and configuring a traditional server. You can use these for all your APs around your building, or just purchase one to serve as a RADIUS server for any other APs you already have, even if from another vendor.

If you don’t have anyone familiar with Enterprise Wi-Fi security or RADIUS servers you could still consider using a hosted or cloud-based service (like BoxedWireless) that runs the server for you and offers help on configuring your computers. If you're interested, you can read more about low-cost RADIUS servers.

Enterprise Wi-Fi Security Options

802.1X authentication uses the Extensible Authentication Protocol (EAP), and when searching for a RADIUS server or a hosted service you’ll have different types of EAP from which to choose. Here are the most popular types:

  • PEAP (Protected EAP): This method is the most popular, easiest to implement, and it lets you create usernames and passwords for each Wi-Fi user/computer.
  • TLS (Transport Layer Security): This is one of the most secure methods, but it takes more to set up and maintain, and requires installing a file (digital certificate) on each Wi-Fi computer or device.
  • TTLS (Tunneled TLS): An improved version of TLS that doesn't require digital certificates, but isn’t widely supported by computers and devices, and it requires third-party 802.1X clients like SecureW2.

Upgrading to the Enterprise Mode

If you’d like to upgrade to the Enterprise mode, here are the next steps to take:

  • Choose a RADIUS server or hosted RADIUS service.
  • Set up the RADIUS server or service with the desired EAP type and enter your AP and user settings.
  • Configure your wireless router or APs with WPA2-Enterprise and enter the RADIUS server settings.

If you’re using the PEAP type of EAP, your users with Windows Vista or later will be able to simply enter their username and password when connecting. But Windows XP users may have to preconfigure the network settings before they can connect. If using the EAP types TLS or TTLS on any computer, users will first have to install a digital certificate and/or a third-party 802.1X client before connecting.

Eric Geier is a freelance tech writer. He’s also the founder of NoWiresSecurity, which helps businesses protect their Wi-Fi with enterprise (802.1X) security, and On Spot Techs, which provides on-site computer services.

This article was originally published on Thursday Apr 19th 2012