Passwordless Wired (Ethernet) Network Security Service
Wired/Ethernet authentication security is often overlooked, and how it differs from Wi-Fi authentication can be confusing. Our managed PKI and RADIUS services empower organizations to move to passwordless security for both their wired and wireless networks with EAP-TLS authentication. Let us offer decades of industry expertise to help you with your Ethernet authentication security today.
What Real Customers Have to Say About SecureW2
At SecureW2, we have a laser focus on making products and services that customers love. But don’t take our word for it, check out what some of our customers are saying:
5-Star Support Experience - Thorough assistance for planning, testing and implementation - Fantastic functionality - Thorough Integration Support
The implementation was seamless and easy. It worked immediately, and the individuals working with us were able to tell us exactly what to do.
With SecureW2, we are finally able to stop using user name and passwords for Wi-Fi authentication and strictly use machine based certificates. This has alleviated several pain points with our users.
Very little time was spent configuring the product. SecureW2 was able to help walk my team through all necessary configurations to create our PKI environment and automate certificate deployment. Since then everything has simply just worked and is integrated perfectly with our device lifecycle.
The White Glove Service made it easy to implement and connect to our services. The team has been very knowledgeable, and implementation into the network was very simple.
Passwordless Authentication for Your Wired Network Makes Admins & End-Users Happy
Provide a robust framework for passwordless zero-trust security to strongly authenticate devices connecting to your Wi-Fi. Eliminate frustrating password complexity and reset policies for employees, while significantly improving authentication security with EAP-TLS authentication.
- Strongly authenticate devices, networks, and apps while protecting your Azure, Okta & Google identities from compromise
- Intuitive single-pane management with granular control of certificate lifecycles
- Deliver both user (roles, groups) and device (ownership, type) context to every connection
- Simple and secure, backed by HSM (Hardware Security Module)
- Extensible usage of PKI for authentication, signing and protecting of communications
Tie Your Wired Network Security Directly to Your Cloud Identity
Passwordless security for your RADIUS requires a robust framework to strongly authenticate devices, networks, and apps. Eliminate frustrating password complexity and reset policies for employees on corporate networks and devices while significantly improving authentication security for Wi-Fi, VPN, Single-Sign-On, and more.
- Native integration with Okta, Azure AD, Google, and more for enhanced access control
- Tie user/device identity to every connection for detailed tracking and segmentation.
- Prevent unauthorized users/devices from accessing the network.
- Divide your network into smaller VLAN segments to reduce the attack surface.
- Lookup user/device status in all significant Cloud Identity Providers to authenticate them in real-time; auto-revoke certificates when lookups fail.
Rapid Zero-Touch Certificate Deployment for Your Managed Devices
In the past, your network administrators would be right to be concerned about the difficulty of issuing certificates to all your company-managed devices. Our Gateway APIs have effectively eliminated that obstacle, enabling zero-touch certificate enrollment for all your managed devices with just a few clicks.
- Search for users/devices and easily view all their digital certificate lifecycles and authentication events in one place for easy troubleshooting and management
- Simple and secure, backed by HSM (Hardware Security Module)
- Integrate with ease to nearly every device management system or with BYODs/unmanaged devices
- Enhanced integration for Microsoft Intune which allows for automatic certificate revocation.
- Total cost of ownership (TCO) is less than a third of a comparable on-premises Active Directory Certificate Services (AD CS) solution.
Top-Rated Self-Service Device Onboarding for BYODs & Unmanaged Devices
Potential misconfiguration can be a huge window for human error - and a liability for your network security. Our JoinNow MultiOS onboarding application takes human error out of the equation by configuring unmanaged devices for your users. Ensure EAP-TLS is configured correctly every time.
- Automatic device 802.1X configuration software compatible with every OS, which includes guided user flow where necessary.
- Enables easy configuration for server certificate validation.
- From start to finish, configuration takes only a minute or two.
- Support for iOS, Windows, macOS, Android, ChromeOS, Linux, and Kindle.
- Integrates natively with every major Identity Provider: Okta, Entra ID, Google, and more.
Wired Network Access Control FAQs
How Do I Protect My Wired Network?
Wired network security tends to be less straightforward than the more pressing job of securing wireless networks, but it’s still important to consider how to prevent unauthorized access to wired networks. Robust network access control mechanisms should be in place to restrict the devices accessing your resources.
It’s a common misunderstanding that Ethernet connections don’t have any authentication security mechanisms. Most experienced network administrators know that wired connections can support 802.1X just like Wi-Fi authentication. Even if a network password isn’t necessarily being sent over the air in a wired environment, utilizing pre-shared key (PSK) security still leaves you vulnerable.
When 802.1X is enabled on wired connections, a user’s device will be prompted to provide a set of credentials. For enterprise organizations, the user will be unaware that any of this is happening. A network profile will likely have been pushed to the device that tells it which credentials/certificate to present and which RADIUS server to expect to authenticate against.
What is the Difference Between Wired and Wi-Fi 802.1X?
The primary distinction between wired and Wi-Fi 802.1X is the connection medium and the attendant security concerns. Wired 802.1X protects network access via physical Ethernet connections, guaranteeing that only authorized devices may communicate with the network by requiring them to validate their credentials before giving access. This often entails setting switches to implement 802.1X authentication, which then requires communication with a RADIUS server for identity verification. Authorized users are then granted access to network resources over a wired connection.
Wi-Fi 802.1X, on the other hand, provides network access through wireless access points by forcing devices to verify themselves using credentials or digital certificates before joining the Wi-Fi network. This helps to prevent unauthorized wireless access and eavesdropping of over-the-air communications. Both techniques use the same underlying authentication system but are adapted to solve the differences in security problems between wired and wireless contexts.
What Do I Need to Deploy EAP-TLS on My Wired Network?
You'll need a few critical components to implement EAP-TLS on your wired network. To issue and administer digital certificates for authentication, you must first establish a Public Key Infrastructure (PKI). SecureW2 offers a managed PKI solution that streamlines the procedure while eliminating the need for substantial in-house upgrades. Second, you'll need a RADIUS server to process authentication requests and validate the devices' certificates. SecureW2's Cloud RADIUS was created expressly for this reason and works flawlessly with cloud identity providers like Azure AD (Entra ID), Okta, and Google.
Furthermore, your network infrastructure must offer 802.1X authentication to enable the first authentication procedure over wired Ethernet networks. Lastly, you’ll need device onboarding technology to ensure end-user devices are properly configured for authentication on your network. SecureW2 offers two different technologies to achieve this depending on whether your devices are managed by an MDM such as Intune or unmanaged/BYODs. For managed devices, we can automatically issue certificates through the Simple Certificate Enrollment Protocol (SCEP). On the other hand, we’ve developed our user-friendly JoinNow MultiOS application to empower end users to configure their own devices for certificate-based authentication in a matter of seconds.
How Does a PKI Improve Wired Network Access Control?
A Public Key Infrastructure (PKI) enhances wired network access control by authenticating devices and users with digital certificates, guaranteeing that only authorized entities can access the secure network. Unlike password-based systems, certificates cannot be stolen, resulting in a more secure method for accessing network resources. A PKI provides each device with a unique certificate, which a RADIUS server validates during connection attempts. Our Cloud RADIUS service even utilizes an Identity Lookup, which allows it to interface with Azure AD, Okta, Google, and OneLogin at the time of network authentication, taking the extra step to verify a user’s status in your IDP in real-time during authentication.
Our PKI also supports enhanced integration with Intune and Jamf for devices managed by those vendors. This advanced integration makes automatic certificate revocation possible as our PKI service will check specific groups in your MDM every several minutes, revoking certificates from any devices found in those groups. As a result, you can be sure that the devices connected to your network only do so under the latest network policies and access controls you’ve set in your MDM.
Why Can’t We Just Build Our Own PKI?
Building your own PKI is frequently impractical owing to the complexity, expense, and continuing maintenance requirements. Creating an in-house PKI requires large upfront expenditures in hardware and software, as well as qualified individuals to maintain and run it. It also needs ongoing maintenance, which includes frequent security upgrades, hardware upkeep, and compliance with changing security requirements.
Additionally, managing the entire lifetime of the certificate, from issue and renewal to revocation, necessitates robust policies and practices to avoid security breaches. It’s time-consuming to revoke and issue certificates without tools designed specifically for those processes. An in-house PKI done securely would be resource-intensive, diverting attention from vital corporate operations.
A managed PKI service, such as SecureW2's JoinNow Connector PKI, offers a cost-effective, scalable, and secure option. It integrates seamlessly with existing infrastructure, automates certificate administration, and assures current security standards without the burden of maintaining everything internally.
How Does Your PKI Handle Certificate Lifecycle Management Phases, such as Revocation and Renewal?
We wouldn’t be able to call it PKI as a Service if we didn’t provide you with everything you needed to manage your certificates. For endpoint distribution, we have our automatic gateway APIs for managed devices and our self-service onboarding technology for unmanaged devices/BYODs.
When it comes to revocation, our cloud-based PKI can revoke certificates in a few different ways, including manually and through automatic revocation with some MDMs such as Jamf and Intune. Our PKI as a service also includes customizable policies you can create, such as non-utilization, which means certificates that aren’t used for a definable period of time (such as 60 days) are automatically revoked.
Our PKI makes renewal simple, too. Managed devices renew their certificates automatically, typically a month or two before the certificate’s expiration, though some small MDM vendors don’t support this. For BYODs, administrators can set a customizable notification email to go out to end-users, encouraging them to re-enroll for a certificate before it expires.
What is the Difference Between EAP-TLS and PEAP-MSCHAPv2?
Although PEAP-MSCHAPv2 and EAP-TLS both use the Extensible Authentication Protocol, their implementation and security are very different. With asymmetric encryption and digital certificates for mutual authentication, EAP-TLS eliminates password weaknesses while offering stronger security. It necessitates a Public Key Infrastructure (PKI), which a managed PKI service provides with a drastically reduced resource investment when compared to maintaining your own.
In contrast, PEAP-MSCHAPv2 employs server-side certificates and client-side passwords, which makes it easier to install, but it is less secure because of known weaknesses in the MSCHAPv2 protocol. This makes PEAP-MSCHAPv2 seem easier on the surface to deploy, but the truth is that EAP-TLS doesn’t need to be difficult to implement with the proper tools and automation technologies.
Can an End-User Configure Certificate-Based Security for a Wired or Wireless Network?
End users shouldn't be responsible for setting up certificate-based security on wired networks. Misconfiguring even one parameter might prevent a user from joining your network, and several settings, including server certificate validation, are easy to forget. If misconfigured, an end-user's compromised device may, at worst, connect to your network, putting other devices at risk of compromise.
The ideal approach to set up all endpoints for certificate-based security is onboarding technology. SecureW2 is an EAP-TLS SaaS solution with robust onboarding capabilities for managed and unmanaged devices/BYODs. We provide gateway APIs for managed devices that leverage the Simple Certificate Enrollment Protocol (SCEP) to enroll endpoints managed by MDMs, like Intune and Jamf, automatically. We provide a simple self-service onboarding application for BYODs that allows end users to establish EAP-TLS on their devices and apply for a client certificate in seconds.
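The server certificate validation setting mentioned above is the one most often left out of a hand-built profile. As an added example (not SecureW2 code), the following sketch audits a wpa_supplicant wired profile on Linux for EAP-TLS and for the settings that pin the RADIUS server; the file paths, host names and sample profiles are constructed for illustration.

```python
import re

# Constructed sample: presents a client certificate but never validates the RADIUS server.
WEAK_PROFILE = '''
ap_scan=0
network={
    key_mgmt=IEEE8021X
    eap=TLS
    identity="host/laptop01.example.test"
    client_cert="/etc/pki/wired/client.pem"
    private_key="/etc/pki/wired/client.key"
}
'''
# Same profile with the trust anchor and the expected server name pinned.
HARDENED_PROFILE = WEAK_PROFILE.replace(
    "}",
    '    ca_cert="/etc/pki/wired/radius-ca.pem"\n'
    '    domain_suffix_match="radius.example.test"\n}',
)
NAME_KEYS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")

def parse_networks(text):
    """Return one {key: value} dict per network={...} block."""
    networks = []
    for body in re.findall(r"network=\{(.*?)\}", text, flags=re.S):
        settings = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                settings[key.strip()] = value.strip().strip('"')
        networks.append(settings)
    return networks

def audit(text):
    """Return (network_index, finding) tuples; an empty list means no findings."""
    findings = []
    for i, net in enumerate(parse_networks(text)):
        if net.get("key_mgmt") != "IEEE8021X":
            findings.append((i, "key_mgmt is not IEEE8021X"))
            continue
        if "TLS" not in net.get("eap", "").split():
            findings.append((i, "eap does not include TLS"))
        if "ca_cert" not in net and "ca_path" not in net:
            findings.append((i, "no ca_cert/ca_path: server certificate is not verified"))
        if not any(key in net for key in NAME_KEYS):
            findings.append((i, "no server name match: any server the CA issued to is trusted"))
    return findings
```

Calling `audit(WEAK_PROFILE)` reports both missing server-validation settings, while `audit(HARDENED_PROFILE)` returns an empty list.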
What is the Passwordless Authentication Experience Like for the End-User on Wired or Wireless Networks?
The end-user has a smooth and intuitive passwordless authentication process. They no longer need to remember or type passwords to access the network after their device is equipped with a digital certificate, usually through an automated onboarding procedure or a guided self-service application depending on whether their device is managed or unmanaged.
The device presents its certificate for authentication as soon as it connects to the network, allowing access immediately without any further input from the user. After the one-time enrollment, Wi-Fi authentication is essentially invisible to users. This makes logging in easier and more efficient by doing away with the inconvenience of frequent password changes, resets, and complexity requirements. Overall, using solid certificate-based authentication in place of conventional password-based techniques improves ease and security.