Want to learn the best practice for configuring Chromebooks with 802.1X authentication?

Sign up for a Webinar!

Configuration Guide For WPA2-Enterprise On Operating Systems

Key Points
  • Password-based authentication on a WPA2-Enterprise network is used widely by home and enterprise networks, but they put your network at risk of MITM and brute force attacks.
  • EAP-TLS supports digital certificates for network authentication. Digital certificates are safer than passwords as they use asymmetric, public-private key cryptography and are phishing-resistant.
  • They can be used seamlessly with various OSs like Windows, iOS, macOS, and Android. Further, SecureW2’s Managed PKI lets you manage certificates on a WPA2-Enterprise network with EAP-TLS for top-notch security.

Automation is critical for a positive user experience; the faster a monotonous task can be finished, the more time users can focus on important activities. Network authentication can operate the same way as long as you have the right tools. Other guides may suggest authentication with EAP-TTLS-PAP or Microsoft’s PEAP-MSCHAPv2, but those protocols authenticate with passwords, a weak network security. 802.1x can be authenticated with passwords, but the problem is that passwords can be stolen, forgotten, and shared, which allows hackers to infiltrate the network. Many credential-based networks rely on end users manually configuring their devices for network access. This is incredibly risky because an error in configuring just one device can pose a severe security risk to the entire network. It opens a door for over-the-air credential theft and can threaten the organization’s data, not just the end user’s.

The best security measure is deploying digital certificates because they provide the most secure way to deploy 802.1x authentication with EAP-TLS. Certificate-based authentication ensures that only approved network users have access to the network. A certificate-based network eliminates over-the-air credential theft, and certificates offer a better user experience by eliminating credentials and burdensome password-change policies. Admins can deploy certificates with onboarding software to automate device configuration, certificate enrollment, and network access. The user only needs to enter their credentials once to authenticate their identity and be assigned a certificate. After this process, they’re automatically connected for the life of the certificate.

SecureW2’s JoinNow Suite works with every operating system so end users can easily self-service for WPA2-Enterprise and be authenticated with the most secure 802.1x protocol. Below we’ve detailed the difference between manually configuring your device for WPA2-Enterprise on different operating systems and using an onboarding software like SecureW2.

Configuring Windows OS

Manual Configuration

Manually configuring a Windows device requires the user to set up a new wireless network, enter a network name, set the security type, adjust network settings, set the 802.1x authentication method, and many more steps. While it’s certainly possible to complete this process accurately, it is highly complex and much more difficult than an onboarding software designed for efficiency.

  1. Setting Up a New Network
    • Go to the control panel, then under setup network go to manual configuration.
    • Make sure the security type is set to WPA2-Enterprise and the encryption type is set to AES.
  2. Modify the Wi-Fi Connection
    • Go to change connection settings.
  3. Configuring Certificate Authentication
    • Under security, go to Choose Authentication method.
    • Pick the setting in regards to certificates.
      • Choose the setting ‘Microsoft: smart cards or other certificates’
  4. Authentication with EAP-TLS
    • Install a certificate authority so the certificates will be able to verify which server to connect with.
    • Make sure it is a trusted root CA.
    • EAP-TLS is the authentication method used to authenticate certificates.
  5. Enable certificate enrollment
    • Be sure to enable both the certificate and simple certificate selection
    • Select the option that allows the device to use the certificate. After clicking OK, the process is complete.

Configuring with SecureW2

The process for configuring Windows OS with SecureW2 requires the user to connect the onboarding SSID and open an internet browser. The user is sent to SecureW2’s JoinNow onboarding software. After clicking JoinNow, a graphic will indicate the progress of the configuration. The user will then be prompted to enter their credentials and the device will be authenticated and equipped with a certificate.

Configuring macOS

In order to manually configure macOS, the end user needs to know how to create an enterprise profile, install a client security certificate, verify the certificate, and adjust the network settings. The process isn’t too difficult for someone with a background in IT, but it is risky for the average network user because of the high-level technical information involved with each step.

  1. Setting Up 802.1x EAP-TLS Authentication
    • EAP-TLS requires client and server certificates.
    • Be sure to verify that server certificate validation is enabled to ensure your device always authenticates to the correct RADIUS server.
  2. Creating the Network Profile
    • Apple devices include a network location feature that allows end users to configure networks based on the location.
    • Under System Preferences, go to Network, Edit Location, and then Add Location.
  3. Creating 802.1x Profiles – User Profile
    • Since we’re using EAP-TLS authentication, the client-side certificate is required first.
    • Open Network Preferences and select 802.1x under Advanced.
    • Select the secure wireless network.
      • For authentication, be sure to choose EAP-TLS.
    • After hitting Apply, the certificate will be distributed to the device.

Configuring with SecureW2

Download the SecureW2 JoinNow for macOS devices to enable 802.1x authentication. The setup is similar to Windows OS; the end user starts by connecting to the onboarding SSID and opens a browser. After downloading the .DMG file and entering their credentials, the configuration process begins. The entire configuration and authentication requires only a few steps, allowing the end user to sit back while the device configures.

Configuring iOS

Manual Configuration

Just like every other manual OS configuration, the task of installing configuring the device is left to the end user. Because the process much longer, the odds of device misconfiguration increase greatly with each additional step. Automating the onboarding process eliminates these extra steps and streamlines the user’s configuration experience.

  1. Set Up the Infrastructure
    • Setting Up 802.1x EAP-TLS authentication, EAP-TLS requires client and server certificates.
      • We are going with EAP-TLS because it’s the most secure authentication method.
    • Be sure to verify server certificate validation in order for the certificates to connect to the correct RADIUS server.
  2.  Configure Network Settings
    • Open the Settings app and find Networks.
      • Go to Other Networks.
    • Enter the name of the network in the appropriate field.
    • Go to Security and adjust the settings.
      • Make sure to choose WPA2-Enterprise and EAP-TLS authentication.
    • Go back to Other Networks and enter password.
      • Enter username as well if necessary.
    • You can now join the network after clicking Join.

Configuring with SecureW2

Installing 802.1x EAP-TLS certificates on to Apple smartphones is a simple process since the configuration software does almost all of the work. Similar to macOS configuration, the end user is required to connect to the onboarding SSID and open their browser app. After entering their login credentials, the JoinNow option becomes available. Once clicked, the device will automatically install a profile and enroll a certificate. The end user is automatically connected to the correct Wi-Fi and doesn’t have to worry about misconfiguration or password-change policies.

Configuring Android OS

Manual Configuration

Android devices are the most difficult to manually configure. Before installing, the end user will need a RADIUS server and trusted CA to get a certificate onto the device. Certificates need to be generated by a computer in order to be exported to the Android device. EAP-TLS needs two certificates for the end user and the server, so two certificates need to be exported from the computer to the smartphone. EAP-TLS is widely regarded as the most secure form of authentication because it eliminates over-the-air credential theft. Luckily, there is a faster option for enrolling certificates onto Android devices with EAP-TLS authentication.

  1. Setting Up 802.1x EAP-TLS Authentication
    • EAP-TLS requires client and server certificates.
    • Be sure to verify server certificate validation in order for the certificates to connect to the correct RADIUS server.
  2. General User Certificate
    • With the infrastructure in place, it’s time to generate a user certificate using another OS.
    • Access certificate server to request a certificate.
      • Select user certificate and allow it to go through.
    • Install the certificate.
  3. Export the Certificate onto the device
    • The device requires the user certificate and the root CA certificate since we are using EAP-TLS.
    • Export the user certificate
      • Find the certificate in the certificate manager.
      • Right click and export.
      • The Certificate Export Wizard will pop up.
        1. Export private key.
        2. Select the option to include all certificate paths.
        3. Enter a password and create file name.
    • Repeat the process for the root CA certificate.
  4. Import Certificates on to Android device
    • Copy both certificate files on to device storage.
    • Go to Settings.
    • Under Security, install certificates from storage.
      • Enter the password to install both.
    • You can check if certificates installed by checking the Trusted Certificates.
  5. Authentication with EAP-TLS
    • Once the certificates are trusted and installed, connect to the right Wi-Fi SSID.
    • A security details prompt will appear.
      • Make sure the EAP method is TLS and both user and root CA certificates are in place.
    • Connect to the Wi-Fi.


Leaderboard

Configuring with SecureW2

The process for enrolling certificates on Android devices is incredibly quick with SecureW2. All the end user needs to do is open their browser and they will be required to download the SecureW2 app. After entering the device lock code, the certificate will be installed and the end user can input their credentials. Then the device will automatically configure and authenticate. SecureW2 can cut the onboarding process exponentially.

802.1x and Device Onboarding Is Easy with SecureW2

Manually configuring new devices creates too much risk in the device onboarding process, both for the organization and the end user. Most end users are not properly trained to do manual configuration, so it saves time, money, and significant risk to automate the configuration and authentication process.

SecureW2’s software enables the strongest form of 802.1x authentication so networks are protected from security threats. It’s a cost-effective solution because enrollment only takes a few minutes. Automated device onboarding gives the IT department more time for important tasks by cutting down on meaningless support tickets.

[/vc_column_text][/vc_column][/vc_row]

Learn about this author

Anusha Harish

Anusha is a copywriter with a passion for telling stories through her writing. With a law degree and keen research skills, she writes articles to help customers make informed decisions. A movie buff and a bookworm, she can be found tucked away with a book and a cup of coffee mostly.

Configuration Guide For WPA2-Enterprise On Operating Systems