Moving to WPA/WPA2-Enterprise Wi-Fi Encryption
- Two Modes of WPA/WPA2: Personal (PSK) versus Enterprise
- Introducing 802.1X Authentication and RADIUS Servers
- Getting an Authentication Server
- The Different Flavors of EAP
- Your Next Steps
As you may know already, Wired Equivalent Privacy (WEP) is not secure. This first wireless LAN security standard, developed by the IEEE, has been vulnerable to cracking by Wi-Fi hackers for nearly a decade now.
In 2003, the Wi-Fi Alliance released a security standard called Wi-Fi Protected Access. The first version (WPA), which uses TKIP/RC4 encryption, has been weakened by published attacks on TKIP but has not been completely broken; it remains far stronger than WEP, though it should be treated as a fallback for older equipment rather than the configuration you aim for.
The second version (WPA2), released in mid-2004, is the one to deploy: it fully implements the IEEE 802.11i security standard with CCMP/AES encryption, which has held up well under scrutiny. How well it protects you in practice, however, depends on which of its two modes you choose and on how the keys are managed.
In this article, we'll discover the two very different modes of Wi-Fi Protected Access. We'll see how and why you'd want to move from the easy-to-use Personal mode to the Enterprise mode.
Now let's get started!
Two Modes of WPA/WPA2: Personal (PSK) versus Enterprise
Both versions of Wi-Fi Protected Access (WPA/WPA2) can be implemented in either of two modes:
- Personal or Pre-Shared Key (PSK) Mode: This mode is appropriate for most home networks, but not for business networks. You define an encryption passphrase on the wireless router and any other access points (APs). Users must then enter that passphrase when connecting to the Wi-Fi network.
Though this mode seems very easy to implement, it actually makes properly securing a business network nearly impossible. Unlike with the Enterprise mode, wireless access can't be individually or centrally managed: one passphrase applies to all users. If the global passphrase needs to be changed, it must be changed manually on every AP and every computer. That is a big headache at exactly the moments when you need to change it, for instance when an employee leaves the company or when a computer is stolen or compromised.
Unlike with the Enterprise mode, the encryption passphrase is stored on the computers. Therefore anyone with access to a computer, whether an employee or a thief, can connect to the network and also recover the passphrase. Because every client derives the same master key from that passphrase and the network's SSID, whoever holds the passphrase can also decrypt the traffic of any other client whose connection handshake they capture.
- Enterprise (EAP/RADIUS) Mode: This mode provides the security needed for wireless networks in business environments. Though more complicated to set up, it offers individualized and centralized control over access to your Wi-Fi network. Users are assigned login credentials they must present when connecting to the network, which can be modified or revoked by administrators at any time.
Users never deal with the actual encryption keys. They are securely created and assigned per user session in the background after a user presents their login credentials. This prevents people from recovering the network key from computers.
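To make the contrast between the two modes concrete, here is an added example (written for this page, not code from the original article) that derives the Pairwise Master Key (PMK) each mode actually uses. In Personal mode the PMK is PBKDF2-HMAC-SHA1 over the passphrase and SSID, exactly as IEEE 802.11i specifies, so every station on the network computes the identical key. In Enterprise mode the PMK is the first 32 bytes of the Master Session Key (MSK) that the EAP method exports after one successful authentication; the random MSK below is a constructed stand-in for what EAP-TLS or PEAP would produce, and the function names are this example's own.

```python
"""
PMK derivation in WPA/WPA2-Personal versus WPA/WPA2-Enterprise.

Personal:   PMK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096 iterations, 32 bytes)
Enterprise: PMK = MSK[0:32], where the MSK comes from the EAP method run
            between the supplicant and the RADIUS server for that session.
"""
import hashlib
import os


def psk_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK used by WPA/WPA2-Personal (IEEE 802.11i, Annex H.4.1 test vectors)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )


def eap_pmk(msk: bytes) -> bytes:
    """PMK used by WPA/WPA2-Enterprise: the leading 256 bits of the EAP MSK."""
    if len(msk) < 64:
        raise ValueError("EAP methods usable with 802.1X export a 64-byte MSK")
    return msk[:32]


def simulate_eap_session() -> bytes:
    # Constructed stand-in for the MSK an EAP method exports after one
    # successful authentication. A real MSK is derived from the EAP-TLS or
    # PEAP handshake; fresh random bytes model its per-session uniqueness.
    return eap_pmk(os.urandom(64))


def psk_stations_share_pmk(passphrase: str, ssid: str, stations: int) -> bool:
    """Every station given the same passphrase on the same SSID holds one PMK."""
    pmks = {psk_pmk(passphrase, ssid) for _ in range(stations)}
    return len(pmks) == 1


def eap_sessions_distinct(sessions: int) -> bool:
    """Each Enterprise-mode login yields its own PMK; none is shared or typed in."""
    return len({simulate_eap_session() for _ in range(sessions)}) == sessions


def psk_still_valid_after_rotation(old: str, new: str, ssid: str) -> bool:
    """The only way to revoke a departed user's PSK is to rotate it everywhere."""
    return psk_pmk(old, ssid) == psk_pmk(new, ssid)


if __name__ == "__main__":
    print("Personal PMK :", psk_pmk("password", "IEEE").hex())
    print("Shared by all stations:", psk_stations_share_pmk("password", "IEEE", 3))
    print("Enterprise PMKs differ per session:", eap_sessions_distinct(3))
    print("Old passphrase works after rotation:",
          psk_still_valid_after_rotation("password", "N3w-Passphrase!", "IEEE"))
```

Two things the code shows that the text only asserts: the Personal-mode key depends on nothing but the passphrase and the SSID, so an ex-employee who remembers the passphrase keeps computing the current key until you rotate it on every AP and client; and the Enterprise-mode key is bound to one authentication, so disabling the account on the RADIUS server is the whole revocation.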