Want to learn the best practice for configuring Chromebooks with 802.1X authentication?

Sign up for a Webinar!

Cloud RADIUS for Wi-Fi Authentication

A survey found that 74% of IT decision-makers whose organizations have been breached in the past say it involved privileged access credential abuse. While Wi-Fi revolutionized networking during the transition from wired to wireless, the challenge is to secure the wireless network. To secure your Wi-Fi network against attacks, it’s important to understand its vulnerabilities and your options for Wi-Fi security protocols.

This article will discuss the types of attacks a Wi-Fi network might encounter and how you can defend Wi-Fi with Cloud RADIUS.

Common Attacks Against Wi-Fi Networks

Hackers look for poorly secured Wi-Fi networks as they are easy to attack.

There are numerous different types of Wi-Fi attacks meant to obtain sensitive credentials or spread malware. Some common types of Wi-Fi attacks are detailed below:

Evil Twin Attack

Many devices are configured to automatically attempt to connect to any SSID that they have connected to before. Hackers can easily set up fake Wi-Fi access points (APs) with the same name as the establishment in the SSID. For example, an SSID called ‘Airport Wi-Fi’ would be enough to get many people (or their devices) to automatically connect to the hacker’s fake AP.

When users connect to these rogue Wi-Fi networks they can still access the Internet, so are unlikely to realize anything is wrong. But once connected to that network, everything done online will be monitored by hackers. Sensitive information entered online, such as email addresses and passwords,  card numbers, or banking credentials, can and will be stolen.

Packet Sniffing

Packet sniffing is one of the most common wireless attacks. Communication over the internet happens through many routers and switches, where the packets are susceptible to collection and analysis. As public Wi-Fi does not always encrypt traffic, hackers can use packet sniffers to intercept traffic. One notable example of how easy it can be for a hacker to take over a wireless network is from Tel Aviv, where the hacker took full control of a router. By controlling a router, attackers can snoop on all unencrypted user data that passes through it and capture sensitive data.

Wardriving

Wardriving attackers search for weak wireless networks while moving around an area in a vehicle. With the help of hardware and software, they locate unsecured Wi-Fi networks and then gain unauthorized access by cracking passwords or decrypting the router. Often they record vulnerable targets on digital maps, known as access point mapping, and sell that information with third-party applications/websites.

This method is effective since many Wi-Fi networks used by businesses extend beyond the premises and most small businesses have poor cybersecurity. Here is how three wardriving men hacked at least 13 Seattle-area businesses’ wireless networks to steal sensitive information.

MAC Address Spoofing

Media Access Control (MAC) address is a type of serial number sometimes used to identify devices on a network. Devices that don’t have a traditional operating system, such as printers, can’t support standard authentication methods like 802.1X (AKA RADIUS). These devices authenticate through MAC Authentication Bypass, an authentication method that simply checks the MAC address of the requesting device against a list of preapproved MAC addresses.

Unfortunately, it’s quite trivial to spoof a MAC address and impersonate a given device. MAC Auth Bypass is not inherently very secure, so the authentication server has a few ways to confirm if the MAC address is legitimate.  If somebody spoofs your MAC addresses, the only way to realize it is through contextual awareness by spotting the same MAC address being used in multiple places on the WLAN, which can be difficult.

WPA2-Enterprise for Secure Wi-Fi Authentication

For a secure Wi-Fi network, users need to get permission to do anything on the network with their unique credentials. So the most secure setup is implementing the EAP-TLS authentication protocol, but you will need RADIUS and a capable PKI for that. RADIUS makes it possible for users to each use their own set of credentials to access the Wi-Fi or VPN, as opposed to sharing credentials.

What happens with RADIUS?

Upon a connection request, RADIUS validates the user if they are allowed access and uses organization network policies to further grant users varying levels of access to the applications.

Why Individual Credentials?

Individual credentials increase security, and if they’re stolen, the breach can be stopped by changing or revoking the single set of stolen credentials rather than all of them.

PEAP-MSCHAPV2

PEAP uses encrypted credentials to authenticate users. Its encryption mechanism makes it easy for a hacker to decrypt the user’s credentials. Moreover, credentials do not give a clear picture of who is connected to a network because they can be stolen or given to another user. So a bad actor on the network can gain access to resources without being properly identified and can wreak havoc on an organization-wide scale.

PEAP-MSCHAPv2 has known vulnerabilities but the ultimate cause is that it relies on credentials. And credentials can be easily sold like the Man-In-The-Middle attack where the hacker harvests credentials while they are being sent for authentication.

That is why you need certificate-based authentication.

In short, the drawbacks of PEAP are

  • Uses Credentials
  • Vulnerable to over-the-air attacks
  • Requires complex configuration  
  • Designed for on-premise

EAP-TTLS/PAP

A major flaw with EAP-TTLS/PAP is that credentials are sent over-the-air in “cleartext” (they are not encrypted and can be read plainly). When a user wants to connect to the network, the device initiates requests with the network and confirms that it is the correct network by identifying the server certificate. Server certificate validation is an important step to prevent over-the-air credential theft. While TTLS supports server certificate validation, 99% of organizations do not configure it because it is not mandatory. This makes EAP-TTLS/PAP weak and EAP-TLS strong as the configuration is mandatory.

EAP-TTLS/PAP is also vulnerable to the standard set of credential-based attacks, like PEAP-MSCHAPv2.

In short, the drawbacks of EAP-TTLS/PAP are:

  • Uses Cleartext Credentials
  • Vulnerable to over-the-air attacks
  • Requires complex configuration  
  • Designed for on-premise

EAP-TLS

EAP-TLS authentication is a certificate-based authentication protocol, that provides an extra degree of cryptographic security. Certificate-based authentication prevents many of the attacks other authentication methods are vulnerable to because certificates can’t be exported, cloned, or robbed  Whereas credentials can be repurposed and used on any device, a certificate is explicitly tied to the identity of a particular person and device.

certificate-armed device needs no end-user support, the device detects the network and sends the certificate public key to authenticate on its own. The end-user can easily enroll themselves for a certificate using their existing credentials with our foolproof onboarding solution, JoinNow MultiOS.

In short, the advantages are:

  • Uses Certificates
  • Automatic Authentication
  • Compatible with Cloud
  • Impossible over-the-air attacks

EAP-TLS For Superior Cryptographic Safety

Securew2, with its managed cloud PKI, has helped many of our Fortune 100 customers switch to digital certificates with EAP-TLS.

How to Set Up Wireless RADIUS

It is very difficult and time-consuming to construct a RADIUS server on your own. Luckily there’s Cloud RADIUS, a turn-key cloud-based RADIUS solution. Thousands of customers are eschewing implementing their own RADIUS server in favor of a cloud-based option that can integrate with any environment. We are the only cloud-based RADIUS that was built for passwordless authentication via EAP-TLS..

Cloud-based RADIUS solutions succeed where their on-prem counterparts fail:

  • Easy implementation
  • Cost-effective
  • Strong security measures
  • Superior user experience
  • Give IT admins better management of their environments.

Perfect Cloud RADIUS for Wi-Fi Authentication

EAP-TLS networks maximize security and user experience. SecureW2 excels in setting up and maintaining an EAP-TLS network for you. Similar to user lookup in LDAP-AD systems, Cloud RADIUS is the only cloud-based RADIUS that can directly reference a directory entry and check if a user is authorized and any additional info attached to that user with the help of our Dynamic Policy Engine.

We also have experience in helping some organizations who opt to move to certificate authentication with simultaneous support for PEAP. Click here to inquire about pricing.

Learn about this author

Shantha Meena

Shantha Meena is a content writer with a passion for creative writing and poetry that captures momentary emotions and insights. She originally was a Software Engineer at Juniper Networks and started writing out of a desire to further her creative aspirations and her technical knowledge

Cloud RADIUS for Wi-Fi Authentication