
Best Practices for Enrolling Users for WPA2-Enterprise

Wi-Fi is essential in daily life and critical for any business today. At home we protect Wi-Fi with a single static password that everyone shares; this is WPA2-Personal. Organizations instead use WPA2-Enterprise, which authenticates each user (or device) individually over 802.1X: the access point (AP) forwards the client's EAP exchange to a RADIUS server, which checks the credentials or certificate and tells the AP whether to admit the client. This setup enables stronger authentication methods and additional per-user controls.

The Problem

BYOD and other users arrive at your doorstep expecting to connect their devices to the network quickly and easily. Meeting those expectations is hard, and meeting them insecurely leads to trouble. A poor onboarding process frustrates users, and user frustration reliably translates into a rise in IT tickets.

What’s more, default methods for getting users onto the network are not secure.

An enterprise environment is not like home Wi-Fi, where the user experience is simple: users find the network name, enter the password, and the device reconnects without trouble every time they come back. At home users also control their own Wi-Fi password and decide when it changes. None of that carries over to an enterprise network, so a set-it-and-forget-it experience cannot be assumed.

So how do you ensure that everyone on the network is protected?

Onboarding Challenges

Too many IT organizations depend on the default onboarding methods built into their networking infrastructure. Onboarding alone isn't enough; secure onboarding is what closes holes such as unencrypted traffic and undifferentiated access for every user.

Credential theft is a high-priority concern, and to combat it many institutions have deployed WPA2-Enterprise wireless networks, which encrypt all traffic with per-session keys and secure the authentication exchange. WPA2-Enterprise EAP methods are either credential-based (such as EAP-TTLS/PAP and PEAP-MSCHAPv2) or certificate-based (EAP-TLS).

WPA2-Enterprise is often deployed with certificates for a highly secure network, but not always. When passwords rather than certificates are used for authentication, the threat of credential theft is substantially higher. Server certificate validation is fundamental to protecting those credentials: the supplicant must check that the RADIUS server's certificate chains to a trusted CA and carries the expected server name before it sends a password through the TLS tunnel. Otherwise an attacker can broadcast the same SSID from a rogue access point backed by their own RADIUS server, and a device that skips validation will hand it the MSCHAPv2 challenge-response (which can be cracked offline) or a PAP password in the clear. This step is often overlooked or misconfigured, leaving devices vulnerable to credential theft.

 


Fig: Certificate Based Authentication

WPA2-Enterprise Authentication Methods

PEAP-MSCHAPv2 is usually the first protocol considered for WPA2-Enterprise. It is credential-based, and nothing in the protocol forces the supplicant to validate the server certificate, so a device configured without that check is exposed to over-the-air credential theft. Left to end users, such misconfiguration is common, which is why most organizations rely on onboarding software to configure devices for PEAP-MSCHAPv2. The most recommended protocol is EAP-TLS. Because it is certificate-based, there is no password to steal over the air, and it brings added benefits such as eliminating disconnects caused by password-change policies.
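To make the server-validation point from the two paragraphs above concrete, here is an added example (not SecureW2's or wpa_supplicant's own code; the SSIDs, file paths, hostnames and the `audit` helper are this example's assumptions). It embeds three constructed wpa_supplicant network blocks and audits them: a PEAP-MSCHAPv2 profile typed the way an end user often does it, with no CA pinned and no server name check; the same profile hardened with `ca_cert` and `domain_suffix_match`; and an EAP-TLS profile that needs no password at all.

```python
"""Audit wpa_supplicant network blocks for missing RADIUS server validation.

Added example, not SecureW2's or wpa_supplicant's code. SAMPLE_CONFIG is
constructed for illustration; its SSIDs, paths and hostnames are assumptions.
"""
import re

SAMPLE_CONFIG = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.com"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="CorpWiFi-Hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.com"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
}

network={
    ssid="CorpWiFi-TLS"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.com"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    client_cert="/etc/wpa_supplicant/alice.crt"
    private_key="/etc/wpa_supplicant/alice.key"
}
"""

# EAP methods that carry a password inside the TLS tunnel.
CREDENTIAL_EAP = {"PEAP", "TTLS"}
# Any one of these pins the expected server name; without one, any cert
# issued by the pinned CA (or, with no CA, any cert at all) is accepted.
SERVER_NAME_KEYS = ("domain_suffix_match", "domain_match",
                    "subject_match", "altsubject_match")


def parse_networks(text):
    """Return one {key: value} dict per network={...} block (quotes stripped)."""
    blocks = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        entries = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            entries[key.strip()] = value.strip().strip('"')
        blocks.append(entries)
    return blocks


def audit(text):
    """Map ssid -> list of findings. An empty list means the block validates the server."""
    findings = {}
    for net in parse_networks(text):
        if net.get("key_mgmt") != "WPA-EAP":
            continue  # PSK or open network: 802.1X checks do not apply
        problems = []
        if "ca_cert" not in net:
            problems.append("no ca_cert: any server certificate is accepted")
        if not any(k in net for k in SERVER_NAME_KEYS):
            problems.append("no server name match: any cert from that CA is accepted")
        if net.get("eap") in CREDENTIAL_EAP and problems:
            problems.append("password is sent inside a tunnel whose far end is unverified")
        findings[net.get("ssid", "?")] = problems
    return findings


if __name__ == "__main__":
    for ssid, problems in audit(SAMPLE_CONFIG).items():
        print(ssid, "OK" if not problems else problems)
```

Run stand-alone, the first profile is reported with three findings and the other two as OK. That mirrors what a rogue-AP test would show: the first profile trusts whatever RADIUS server answers the SSID, the other two trust only a server whose certificate chains to the pinned CA and whose name ends in `radius.example.com` (use `domain_match` instead for an exact name).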

WPA2-Enterprise Onboarding Best Practices

The difficulties associated with onboarding often lead to floods of support tickets and frustrated users. Organizations that seek to increase efficiency and lower costs should examine onboarding software.

Go for Secure Credential-Free Authentication

Pre-shared keys (PSKs) do not scale. Would you install the same lock on every door at your company and give everyone the key? This is where certificates come in.

A certificate contains a public key that can be shared with everyone, much like a business card. It reliably binds identity information (a user's name and e-mail address, or a web server's fully qualified domain name) to that public key, with the binding signed by a certificate authority that the RADIUS server trusts.

Because the certificate is handed out freely, merely possessing or presenting one proves nothing; the holder must also prove knowledge of the private key that matches the public key in the certificate, by signing a challenge the server supplies. When the private key is generated on the device and kept in a non-exportable key store (a TPM or secure enclave where available), it never leaves the device, so there is nothing to phish or capture over the air. These basic principles of asymmetric cryptography provide dramatically better security than pre-shared keys.
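The challenge-response behind that proof of possession, as an added example that is not part of the original post or of any EAP-TLS implementation. It uses a toy textbook-RSA key pair (far too small for real use) and a constructed server nonce; `eap_tls_style_exchange` and the other names are this example's own. A real supplicant does the same thing with the TLS CertificateVerify message over a proper signature scheme.

```python
"""Proof of possession of a certificate's private key by challenge-response.

Added example, not code from the page or from any EAP implementation.
Textbook RSA with a tiny key is used only so the flow is easy to follow.
"""
import hashlib
import random


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=256):
    """Return (public, private) as ((n, e), (n, d)). Toy size: never use in practice."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    d = pow(e, -1, phi)  # modular inverse; needs Python 3.8+
    return (p * q, e), (p * q, d)


def _digest(challenge, n):
    """Hash the nonce and reduce it into the RSA group."""
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n


def sign_challenge(private_key, challenge):
    """Supplicant side: only the holder of the private key can compute this."""
    n, d = private_key
    return pow(_digest(challenge, n), d, n)


def verify_response(public_key, challenge, response):
    """Server side: check the response with the public key from the presented certificate."""
    n, e = public_key
    return pow(response, e, n) == _digest(challenge, n)


def eap_tls_style_exchange(holder_private, presented_public, challenge):
    """One round: server sends a nonce, client signs it, server verifies.

    Returns True only if the client holds the private key matching the
    public key in the certificate it presented.
    """
    response = sign_challenge(holder_private, challenge)
    return verify_response(presented_public, challenge, response)


if __name__ == "__main__":
    pub, priv = generate_keypair()
    _, thief_priv = generate_keypair()  # attacker copied the cert, not the key
    nonce = b"constructed-server-nonce-0001"
    print("legitimate client:", eap_tls_style_exchange(priv, pub, nonce))        # True
    print("certificate thief:", eap_tls_style_exchange(thief_priv, pub, nonce))  # False
```

The second call is the case the paragraph describes: an attacker who captured the certificate over the air can present it, but cannot answer the server's fresh nonce, so the exchange fails without any password ever being sent.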

Avoid Manual Configuration

Configuring unmanaged devices for certificate-based authentication takes expertise that the average end user doesn't have. Misconfiguration can mean missing server certificate validation, a wrong EAP method or inner authentication, or users reaching your network with outdated drivers; the list goes on.

Auto Configure Certificate – Use Existing Credentials

SecureW2 offers the industry's #1 rated self-service onboarding app for BYOD devices. All users need to do is run the app and enter their IdP credentials; it auto-configures the device and issues a certificate tied to the user's identity for the life of that certificate, eliminating the need for passwords on the network and enabling a hassle-free and stable connection.

Simple Self-Service Onboarding for All Your Unmanaged Devices – JoinNow MultiOS

What if BYOD and guest users could get quick and easy network access? What if help desk tickets related to network access all but went away and IT could focus on important projects? What if you could make users, devices, data, and the network more protected?

SecureW2's JoinNow Suite makes it possible. The software delivers secure network access for any user and any device on any network, covering internal users, guests, and IT-owned devices, including IoT devices on wired and wireless networks. Its security measures include:

  • Data encryption
  • An encrypted path between the device and the AP
  • Authentication based on digital certificates
  • Security posture assessment and remediation before access is granted
  • IT visibility and control over devices on the network, with the ability to revoke access at any time
  • Trouble-free onboarding: users enroll a device once
  • Only authorized users get access, and they see only the network resources they should see
  • Works with any vendor, wired or wireless

JoinNow MultiOS saves you time by dramatically reducing help desk tickets; it gets users online quickly without IT intervention, and its security features protect users, devices, data, and the network.

SecureW2 offers affordable options for organizations of all shapes and sizes. Click here to inquire about pricing.

Learn about this author

Shantha Meena

Shantha Meena is a content writer with a passion for creative writing and poetry that captures momentary emotions and insights. She was originally a Software Engineer at Juniper Networks and started writing out of a desire to further her creative aspirations and her technical knowledge.
