
Why Most Are Leaving LDAP With WPA2-Enterprise Behind

For years, credential-based network authentication meant checking a username and password against a directory, and that directory was usually reached over the Lightweight Directory Access Protocol (LDAP): the RADIUS server terminates the PEAP or EAP-TTLS exchange from the client and looks the submitted credentials up in LDAP or Active Directory. That arrangement gave everyday WPA2-Enterprise operations an acceptable level of protection. But as time has progressed, attackers' tactics have evolved, and new authentication methods have been developed to counter them.

The usability and security problems of passwords have only grown, and many organizations are no longer satisfied with the protection they give a WPA2-Enterprise network. If you're on the fence about moving away from LDAP-backed credentials in your WPA2-Enterprise infrastructure, consider the following when making your decision.

Credential-Based Authentication With LDAP

While credential-based authentication may have been the security standard for decades, the risks and inconveniences that come with passwords keep growing.

Risks of Credential-Based Authentication with LDAP

  • Over-The-Air Credential Theft – With PEAP or EAP-TTLS, the password exchange is wrapped in a TLS tunnel to the RADIUS server, so its safety depends entirely on the client verifying that server's certificate. A bad actor within radio range can broadcast the same SSID from a rogue access point (an "evil twin") backed by their own RADIUS server; a client that is not configured to validate the server certificate will happily complete the inner MSCHAPv2 exchange with the attacker, who captures the challenge/response and takes it away to crack offline. This is the Man-In-The-Middle attack most often used against credential-based WPA2-Enterprise.
  • Brute Force and Dictionary Attacks – A dictionary attack tries likely passwords from a wordlist; a brute-force attack tries every combination. Against a live RADIUS server these are slowed by lockouts and rate limiting, but against a captured challenge/response the attacker can make unlimited guesses offline with nothing but computing power, and a weak password will eventually fall. It's a simple method that is widely used to recover a legitimate set of credentials.
  • Sharing/Losing Passwords – Since a password is something a person knows, it is easily shared or exposed. It's common for users to share passwords with trusted individuals and think nothing of it, but this is a slippery slope to the password falling into the wrong hands. Alternatively, many people write a password on a piece of paper to remember it, and then have that paper lost or stolen. We've seen a lot of college students tape their credentials to their laptop, which is a high-risk scenario if the device is stolen.
  • Simple/Repetitive Passwords – The average online user has countless accounts with just as many passwords, and this is simply too much for anyone to remember. To overcome the volume of passwords, many people will use the same password for multiple accounts or use uncomplicated passwords. If a password is used across multiple accounts, the bad actor that discovers one password will also have access to many other accounts. Furthermore, the use of simple passwords makes attacks like Brute Force that much easier to execute.
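The over-the-air attack above hinges on a client setting, not on the RADIUS server: a supplicant that does not pin a CA and an expected server name will hand its password exchange to any access point that announces the right SSID. The following is an added example, not SecureW2's code or part of wpa_supplicant: a small lint over wpa_supplicant-style network blocks that flags the weak settings beside a correctly configured EAP-TLS block. The SAMPLE_CONFIG text is constructed for illustration, and lint(), find_issues() and the wording of their findings are this example's own.

```python
"""Lint wpa_supplicant-style network blocks for the settings that expose a
credential-based WPA2-Enterprise client to evil-twin credential capture.

Added example for this article, not SecureW2 code. SAMPLE_CONFIG is a
constructed configuration; lint(), find_issues() and the finding texts are this
example's own and are not part of wpa_supplicant.
"""
import re

# Constructed sample: three network blocks an administrator might find deployed.
SAMPLE_CONFIG = """
network={
    ssid="Corp-WiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="Summer2017!"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="Corp-WiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="bob"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="Corp-WiFi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.com"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    client_cert="/etc/ssl/certs/alice.pem"
    private_key="/etc/ssl/private/alice.key"
}
"""

# EAP methods whose inner exchange carries a password or a password-derived response.
PASSWORD_EAP = {"PEAP", "TTLS", "LEAP", "FAST", "MD5", "GTC", "MSCHAPV2"}
# Any of these binds the trusted CA to the expected RADIUS server name.
NAME_MATCH_KEYS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*)"?\s*$', re.M)


def parse_networks(text):
    """Return one {key: value} dict per network={...} block, in file order."""
    return [dict(KV_RE.findall(body)) for body in BLOCK_RE.findall(text)]


def find_issues(net):
    """Return the findings for one network block; an empty list means acceptable."""
    issues = []
    eap = net.get("eap", "").upper()
    if "ca_cert" not in net:
        issues.append("no ca_cert: any RADIUS server certificate is accepted, so a rogue AP can terminate the TLS tunnel")
    if not any(k in net for k in NAME_MATCH_KEYS):
        issues.append("no server name match: any certificate issued by the trusted CA is accepted")
    if eap in PASSWORD_EAP:
        issues.append(f"eap={eap}: password-based; a captured or guessed password is enough to join (prefer EAP-TLS)")
    if "password" in net:
        issues.append("password stored in the configuration file in clear text")
    if eap == "TLS" and not ("client_cert" in net and "private_key" in net):
        issues.append("eap=TLS without client_cert/private_key: the device cannot authenticate")
    return issues


def lint(text):
    """Map each block, labelled index:ssid:identity, to its findings."""
    report = {}
    for i, net in enumerate(parse_networks(text)):
        label = f"{i}:{net.get('ssid', '?')}:{net.get('identity', '?')}"
        report[label] = find_issues(net)
    return report


if __name__ == "__main__":
    for label, issues in lint(SAMPLE_CONFIG).items():
        print(f"[{'OK  ' if not issues else 'WEAK'}] {label}")
        for issue in issues:
            print("       -", issue)
```

Run against the sample, the first PEAP block draws four findings, the second (which pins the CA and server name) only the two that are inherent to passwords, and the EAP-TLS block none. The same checks map directly onto the managed-profile settings of Windows, macOS and Chrome OS: whatever the platform, a password-based profile without server validation is the configuration the evil-twin attack needs.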


Inconveniences of Credential-Based Authentication with LDAP

  • Password Change Policies – To put a band-aid on the weaknesses of passwords, many organizations institute a password change policy that forces users to change their password after a set period, often 90 days. Because the Wi-Fi credential is the directory password, every rotation means re-entering the new password on every device the user connects, several times a year. This is plainly a poor experience, and a device that still holds the old password is locked out of the network, often during critical hours.
  • Support Tickets – Connectivity issues caused by passwords are numerous, especially with a frequent password change policy in place. The InfoTech Research Group found that 40% of IT service desk volume is password related, with an annual cost of $118 per person spent on password resets. When every user has to reconnect every device they own, some are inevitably going to experience connection failures. Support tickets waste the time and resources of IT, users, and the organization; they're a net negative for everyone involved.
  • Remembering Passwords – As mentioned above, users today have seemingly endless accounts that require a password. Best practices require a new and complex password for each account, but this is unreasonable to expect and difficult to follow with the volume of accounts users have.
  • Manual Authentication – Having to manually enter passwords to be authenticated feels outdated, and the process is more cumbersome than it should be. Gaining access to your accounts should be simpler, and more efficient methods of authentication exist.

Because a RADIUS server has to validate submitted credentials against something, organizations that chose password-based EAP methods built their authentication infrastructure around an LDAP directory. As technology has progressed, passwords have become a less and less reliable form of security, which has prompted many to search for alternative authentication methods.

In recent years, we've seen more and more organizations switch from passwords to digital certificates for network authentication using EAP-TLS. A device holding a certificate and its private key authenticates automatically whenever the secure network is in range; nothing is typed or remembered by the user, and the private key never leaves the device, so there is nothing for an eavesdropper to capture over the air and nothing for a dictionary attack to guess. The handshake is mutual, which removes the over-the-air and password-guessing threats credentials are susceptible to, with one caveat a practitioner should not skip: the client must still be configured to validate the RADIUS server's certificate (trusted CA plus expected server name), otherwise a rogue access point can still lure the device onto an attacker-controlled network.

Whereas enrolling devices used to be considered complex, the JoinNow onboarding solution allows users to self-configure for certificates in minutes. Once equipped with a certificate, the user can be authenticated to the network for years and will never have to deal with pesky password reset policies. SecureW2 not only offers solutions for issuing certificates, but also turnkey PKI services that provide the entire infrastructure required to switch over from credentials to certificates.

Dynamic Application of Identity Lookup

EAP-TLS certificate-based authentication does not require LDAP, but historically the two have been combined to enable Identity Lookup. A certificate may be valid for years, so a successful TLS handshake proves only that the device holds a key the organization once issued. Identity Lookup closes that gap: during authentication the RADIUS server takes the identity from the certificate (for example the user principal name in its subject alternative name) and checks it against the user directory to confirm the account is still active, so that a departed user's still-valid certificate is rejected even before revocation catches up with it.

This is a great security tool to ensure only approved users have access, and historically it was only possible through LDAP. SecureW2 is able to eliminate the need for LDAP in the identity lookup process. We offer an industry-exclusive identity lookup for SAML-based cloud directories that is used in tandem with EAP-TLS certificate-based authentication to deliver excellent network security without the need for LDAP. The entire process becomes far easier to manage and more efficient for end users and IT personnel, allowing organizations to move away from an on-premise LDAP infrastructure.
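The lookup described in the two paragraphs above is an authorization step that runs after the TLS handshake has already validated the certificate chain. The following is an added example, not SecureW2's code: authorize() shows the decision a RADIUS policy makes at that point, and why a certificate check alone is not enough. The directory, the revocation list and the parsed certificate fields are constructed stand-ins (a real deployment queries the directory over its API and parses the X.509 certificate); the function and its reason strings are this example's own.

```python
"""Identity Lookup after a successful EAP-TLS handshake.

Added example for this article, not SecureW2 code. DIRECTORY, REVOKED_SERIALS
and CERTS are constructed stand-ins; authorize() and its reason strings are
this example's own. Chain validation is assumed to have already succeeded in
the TLS handshake, so `cert` arrives here as already-parsed fields.
"""
from datetime import datetime, timezone

# Constructed stand-in for the user directory: UPN -> account record.
DIRECTORY = {
    "alice@example.com":   {"active": True,  "groups": ["staff"]},
    "mallory@example.com": {"active": False, "groups": ["staff"]},   # offboarded, cert never revoked
    "carol@example.com":   {"active": True,  "groups": ["guest"]},
}
# Constructed stand-in for the PKI's CRL: revoked certificate serial numbers.
REVOKED_SERIALS = {0x1A2B}
# Directory groups whose members may join the Wi-Fi.
WIFI_GROUPS = {"staff"}


def utc_date(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed client certificates as already-parsed field dicts (three-year validity).
CERTS = {
    "alice":   {"serial": 0x1001, "san_upn": "alice@example.com",   "not_before": utc_date(2017, 1, 1), "not_after": utc_date(2020, 1, 1)},
    "mallory": {"serial": 0x1002, "san_upn": "mallory@example.com", "not_before": utc_date(2017, 1, 1), "not_after": utc_date(2020, 1, 1)},
    "carol":   {"serial": 0x1003, "san_upn": "carol@example.com",   "not_before": utc_date(2017, 1, 1), "not_after": utc_date(2020, 1, 1)},
    "revoked": {"serial": 0x1A2B, "san_upn": "alice@example.com",   "not_before": utc_date(2017, 1, 1), "not_after": utc_date(2020, 1, 1)},
}


def authorize(cert, outer_identity, now, directory=DIRECTORY, revoked=REVOKED_SERIALS):
    """Decide whether a client that proved possession of `cert`'s key may join.

    Returns (allowed, reason). Checks run from cheapest to the directory
    round-trip; the directory checks are what Identity Lookup adds on top of
    what the certificate alone can tell us."""
    if not cert["not_before"] <= now <= cert["not_after"]:
        return False, "certificate outside its validity period"
    if cert["serial"] in revoked:
        return False, "certificate revoked"
    upn = cert["san_upn"].lower()
    # The EAP-Response/Identity (the RADIUS User-Name) is sent unauthenticated by
    # the client; bind it to the identity the CA actually signed before using it
    # for lookup, accounting or logging.
    if outer_identity.lower() != upn:
        return False, "outer EAP identity does not match certificate UPN"
    record = directory.get(upn)
    if record is None:
        return False, "identity not present in directory"
    if not record["active"]:
        return False, "account disabled in directory"
    if not WIFI_GROUPS & set(record["groups"]):
        return False, "account not in a Wi-Fi authorized group"
    return True, "ok"


if __name__ == "__main__":
    now = utc_date(2018, 6, 1)
    for name, cert in CERTS.items():
        print(f"{name:8s} {authorize(cert, cert['san_upn'], now)}")
```

Mallory is the case the article is about: her certificate is within its validity period and not on the revocation list, so a RADIUS server doing certificate checks only would admit her; the directory lookup is what turns that into a rejection. Whether the directory is on-premise LDAP or a cloud identity provider only changes how `directory.get` is implemented, not the decision.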


Advantages of the Cloud

Especially in the last few years, cloud-based environments have become the norm because of their security, user experience, and management advantages. This sits awkwardly with most LDAP environments, which require hosting servers on-premise and so create a barrier to moving entirely to the cloud.

SecureW2 is the industry's only solution that supports SAML identity providers while simultaneously enabling efficient certificate-driven authentication and identity lookup, all in the cloud. The first benefit of an all-cloud environment is budgetary: hosting on-premise infrastructure is far more costly. On-premise setups come with high maintenance costs, additional security work, and costly upgrades as technologies improve.

Additionally, a well-run cloud environment gives authorized users easy access, gives administrators finer control over who has access to data, and scales with your organization as it grows. SecureW2 provides all the necessary tools to move your network to the cloud with our PKI and RADIUS services.

Choose Certificates Over LDAP and Credentials

As credential security and LDAP environments continue to fall out of favor, SecureW2 is here to upgrade organizations to modern cybersecurity standards. Our certificate solutions are tailor-made to protect against the countless security threats that take advantage of weak cybersecurity environments. Check out our pricing page to see if our affordable solutions can fit your organization’s needs.

Learn about this author

Eytan Raphaely

Eytan Raphaely is a digital marketing professional with a true passion for writing things that he thinks are really funny, that other people think are mildly funny. Eytan is a graduate of University of Washington where he studied digital marketing. Eytan has diverse writing experience, including studios and marketing consulting companies, digital comedy media companies, and more.
