
WPA3-Enterprise: Should you Adopt It?

Key Points
  • WPA3-Enterprise increases security by offering more encryption and mandating Server Certificate Validation.
  • Not all devices (especially older) and network infrastructure support WPA3-Enterprise.
  • Most organizations will stick with WPA2-Enterprise unless Wi-Fi 6e is really important to them.

WPA (Wi-Fi Protected Access) was created in the early 2000s when IT professionals quickly realized that WEP (Wired Equivalent Privacy) had terrible security vulnerabilities. WPA2 was ratified in 2004 as a more secure iteration of the protocol and is what the majority of network connections use today. It defines how devices should initiate communication with network infrastructure, and it is what ensures the Wi-Fi we take for granted today is both fast and secure.

As most IT professionals know, WPA2 comes in two forms: WPA2-PSK and WPA2-Enterprise. PSK stands for pre-shared key and is the Wi-Fi we use at home: every device on the network uses one shared key, the Wi-Fi password. WPA2-Enterprise is what is commonly found in corporate and university networks. It is more secure than WPA2-PSK for a variety of reasons, but the most significant difference is that every device gets its own unique key for the network, rather than sharing one as we do at home.

Despite WPA2 being introduced in 2004, many organizations still struggle to implement WPA2-Enterprise to this day. It requires servers that are complicated to set up and manage. They can get quite costly for large organizations as well. In addition, configuring end-user devices for WPA2-Enterprise can also be quite difficult. There are considerably more settings that need to be configured, which would be fine if the misconfiguration of some (Server Certificate Validation) didn’t cause serious security vulnerabilities for your network. Fortunately, there are now modern solutions for the problems outlined above, but it took a lot of trial and error to get to where we are today.

What is WPA3-Enterprise?

WPA3 was announced in 2018 but has only recently begun to be supported by a significant number of devices and network infrastructure. Many of the changes were made to improve PSK networks. Simultaneous Authentication of Equals (SAE) was introduced to stop dictionary attacks from brute-forcing their way into the network. WPA3 also includes forward secrecy, which prevents old data traffic from being decrypted even if the network password is compromised in the future.

With WPA3-Enterprise, the changes are less impactful. A 192-bit encryption mode is available, which improves on the 128-bit encryption of WPA2-Enterprise; however, 128-bit encryption was never a serious issue. The notable improvement is the requirement of Server Certificate Validation. This setting lets a device verify that the network it is connecting to isn’t malicious. It isn’t easy for the average user to configure, which is why it’s often omitted, but it is essential to ensuring credentials are not stolen over the air.

WPA3-Enterprise Support is Complicated… Test Thoroughly!

If you are an organization that is interested in adopting WPA3-Enterprise, there are a few things that you need to consider.

  1. Not all operating systems support WPA3-Enterprise, even if it might seem like they do.
  2. Not all network infrastructure support WPA3-Enterprise, and even if they do, they might not support all operating systems.

To illustrate this point, we’ve created a table that summarizes some of the WPA3-Enterprise testing we have done.

OS Support                      | Aruba                | Meraki             | Ubiquiti           | Mist               | Ruckus
Android 11 and below            | Poor support         | Poor support       | Poor support       | Poor support       | Poor support
Android 12 and above            | Reasonable support   | Reasonable support | Reasonable support | Reasonable support | Reasonable support
iOS                             | Yes, but not 256-bit | Yes                | Yes                | Yes                | Yes
macOS                           | Yes, but not 256-bit | Yes                | Yes                | Yes                | Yes
ChromeOS                        | Yes, but not 256-bit | Yes                | Yes                | Yes                | Yes
Windows (WPA3 Transition Mode*) | Yes, but not 256-bit | Yes                | Yes                | Yes                | Yes
Linux                           | No                   | No                 | No                 | No                 | No

The three common forms of WPA2/3-Enterprise (EAP-TLS, PEAP-MSCHAPv2 and EAP-TTLS/PAP) were all tested as well. For all network infrastructure, if WPA3-Enterprise was supported, then all three of those protocols worked. Passpoint was available on our UniFi and Mist test infrastructure, though Mist did not support WPA3-Enterprise with Passpoint. Hidden SSIDs had no impact on whether WPA3-Enterprise would work.

Probably the biggest surprise to us all was the lack of “true” WPA3-Enterprise support for Windows and Linux devices, which is why they were omitted from the table above. Windows devices instead support “transitional WPA3”, which is a rebadged version of WPA2 with support for Management Frame Protection (MFP), Counter Mode CBC-MAC Protocol (CCMP) and EAP SHA256. This is opposed to “proper WPA3”, which uses EAP Suite B ciphers and Galois/Counter Mode Protocol (GCMP) and is supported by the other operating systems in the table above.

Despite not supporting “proper” WPA3-Enterprise, Windows devices will connect just fine to a network configured for WPA3-Enterprise. With Linux devices, however, the support is unfortunately not there. The Wi-Fi UI doesn’t offer WPA3-Enterprise, as Linux clients still use the WPA/WPA2 EAP cipher suite with no MFP. In all our testing, Linux devices routinely failed to connect to the network infrastructure in our test lab.

Should You Move to WPA3-Enterprise?

If you do decide to move from WPA2-Enterprise to WPA3, first make sure to thoroughly test the devices and infrastructure in your environment before turning on WPA3. The lack of ubiquitous support means you need a thorough understanding of how your devices will react to this change before you can even consider making the decision.

Second, evaluate what you stand to gain from it. Interestingly, the main motivation we’ve seen in organizations striving to move to WPA3-Enterprise is the desire to adopt Wi-Fi 6e. Unlike Wi-Fi 6, Wi-Fi 6e requires devices to use WPA3 (PSK or Enterprise) to fully leverage new infrastructure and the performance benefits Wi-Fi 6e provides.

We suspect that organizations that are not currently using an 802.1X onboarding solution will stand to benefit from the switch. Onboarding solutions like JoinNow MultiOS make sure that WPA2/3-Enterprise settings are properly configured. They are great for reducing support tickets and improving user experience, but they also ensure that important settings like Server Certificate Validation are configured. WPA3-Enterprise mandates Server Certificate Validation, so if your organization relies on manual instructions, the switch ensures that this critical security setting isn’t omitted. Even so, we still strongly recommend that organizations use an onboarding solution, as configuring these settings is next to impossible for the average user.
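To make the Server Certificate Validation setting discussed in the WPA3-Enterprise section and the onboarding point above concrete, here is an added example (constructed for this article, not SecureW2's code or the article's own) of wpa_supplicant.conf fragments for a Linux client: the same PEAP-MSCHAPv2 network with and without validation, followed by a WPA3-Enterprise EAP-TLS profile. The SSIDs, identities, file paths and the RADIUS server name are assumed placeholders; whether a given Linux driver actually negotiates WPA3-Enterprise is the compatibility question the testing above describes.

```ini
# Constructed wpa_supplicant.conf fragments (example only, not from the article).
# 1) WPA2-Enterprise, PEAP-MSCHAPv2, Server Certificate Validation OMITTED.
#    No ca_cert and no name match: the supplicant accepts any RADIUS
#    certificate, so the credentials can be handed to an impostor network.
network={
    ssid="Corp-WiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="jdoe"
    password="<user password>"
}

# 2) Same network WITH Server Certificate Validation: the RADIUS server's
#    certificate must chain to the pinned CA AND carry the expected name.
#    (CA file path and server name are assumed values for this example.)
network={
    ssid="Corp-WiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="jdoe"
    password="<user password>"
    ca_cert="/etc/wpa_supplicant/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    ieee80211w=1
}

# 3) WPA3-Enterprise with EAP-TLS: Management Frame Protection required
#    (ieee80211w=2), the SHA-256 AKM offered alongside WPA-EAP, and the
#    same validation settings, which WPA3-Enterprise makes mandatory.
#    The 192-bit "Suite B" mode would instead use key_mgmt=WPA-EAP-SUITE-B-192
#    with GCMP-256 pairwise/group ciphers (the "256 Bit" column in the table).
network={
    ssid="Corp-WiFi-WPA3"
    key_mgmt=WPA-EAP WPA-EAP-SHA256
    ieee80211w=2
    eap=TLS
    identity="jdoe@corp.example"
    ca_cert="/etc/wpa_supplicant/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    client_cert="/etc/wpa_supplicant/jdoe.crt"
    private_key="/etc/wpa_supplicant/jdoe.key"
}
```

Fragment 1 is what a user following manual instructions typically ends up with; fragments 2 and 3 are what an onboarding tool should produce.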

In conclusion, WPA3-Enterprise looks to be another iterative improvement in network authentication security. However, many organizations will find that vendor and infrastructure support is too immature to make the migration. We still have hundreds of organizations reach out to us for help adopting WPA2-Enterprise, despite it having been available for two decades, so industry-wide WPA3 support may take some time, and that’s OK. If you are interested in adopting either WPA2- or WPA3-Enterprise, reach out to us today and we would be happy to help!


Micah Spady

Micah works with both Sales and Marketing teams to help everyone at the SecureW2 Team understand customers better. In his free time he loves working alongside his stay at home cat, and going on many of the awesome hikes in the Pacific Northwest.
