WPA Enterprise
Wi-Fi Protected Access-Enterprise. A wireless security method that provides strong data protection for multiple users and large managed networks. It uses the 802.1X authentication framework with TKIP encryption and prevents unauthorized network access by verifying network users through an authentication server. (See 802.1X, TKIP, WPA).
WPA-Enterprise works like WPA-Personal (WPA-PSK) but requires each user to authenticate individually through a RADIUS server. Instead of one shared passphrase, WPA-Enterprise assigns a long encryption key to each connected device. This key is delivered to the user's device without ever being visible to the user, is virtually impossible to break, and is changed automatically on a routine basis. The RADIUS server implements IEEE 802.1X, in which users are authenticated based on their account credentials or certificates.
WPA-Enterprise primarily uses the Advanced Encryption Standard (AES) encryption mechanism but also supports Temporal Key Integrity Protocol (TKIP).
WPA Enterprise configuration on Windows:
In Windows Vista and Windows 7 the WPA2-Enterprise wireless network profile must be configured manually. Do not perform these steps while the client is associating to the SSID, because the configuration will not save correctly. Follow the steps below to configure WPA2-Enterprise.
1. In Windows, navigate to Control Panel > Network and Internet > Network and Sharing Center.
2. Click Manage Wireless networks.
3. Click Add.
4. Choose Manually create a network profile.
5. On the next page, enter the following:
Network name: This is the SSID name. It is case-sensitive.
Security type: Choose WPA2-Enterprise.
Encryption type: Choose AES.
Check Start this connection automatically if you want Windows to connect to this network automatically.
Check Connect even if the network is not broadcasting if the SSID is hidden and you want Windows to connect to this network automatically.
6. Click Next.
If the RADIUS server's certificate may not be trusted by the wireless client, or the client is not a member of the domain in which the RADIUS server resides, click Change connection settings on the "Successfully added" page.
7. Choose the Security tab.
8. Click Settings.
9. Uncheck Validate server certificate only if the wireless client cannot trust the RADIUS server certificate. With it unchecked the client no longer verifies that it is authenticating to the correct RADIUS server (see the macOS section below).
10. For the Authentication Method, choose EAP-MSCHAP v2.
11. Click Configure.
12. Uncheck Automatically use my Windows logon name and password if the computer is not on the domain.
13. Click OK.
It may be necessary to specify user or computer authentication, depending on whether the client is part of the domain and whether machine or user authentication is a condition of the RADIUS policy.
To choose user or computer authentication, from the Security tab:
1. Click Advanced settings.
2. Select the 802.1X settings tab.
3. Check Specify authentication mode.
4. Choose User or computer authentication, or an alternate option if required.
5. Click OK to close out.
On macOS:
To configure macOS manually, the end-user needs to know how to create an enterprise profile, install a client security certificate, verify the certificate, and adjust the network settings. The process is not too difficult for someone with a background in IT, but it is risky for the average network user because each step involves detailed technical information.
1. Setting Up EAP-TLS Authentication
§ EAP-TLS requires client and server certificates.
§ Be sure to verify that server certificate validation is enabled to ensure your device always authenticates to the correct RADIUS server.
2. Creating the Network Profile
§ Apple devices include a network location feature that allows end-users to configure networks based on the location.
§ Under System Preferences, go to Network, Edit Location, and then Add Location.
3. Creating 802.1X Profiles – User Profile
§ Since we're using EAP-TLS authentication, the client-side certificate is required first.
§ Open Network Preferences and select 802.1X under Advanced.
§ Select the secure wireless network.
§ For authentication, be sure to choose EAP-TLS.
§ After hitting Apply, the certificate will be distributed to the device.
For iOS:
Just like every other manual OS configuration, the task of installing and configuring the device is left to the end-user. Because the process is much longer, the odds of device misconfiguration increase greatly with each additional step. Automating the onboarding process eliminates these extra steps and streamlines the user's configuration experience.
1. Set Up the Infrastructure
§ EAP-TLS requires client and server certificates.
§ We are going with EAP-TLS because it's the most secure authentication method.
§ Make sure server certificate validation is enabled so that the device connects only to the correct RADIUS server.
2. Configure Network Settings
§ Open the Settings app and find Networks.
§ Go to Other Networks.
§ Enter the name of the network in the appropriate field.
§ Go to Security and adjust the settings.
§ Make sure to choose WPA2-Enterprise and EAP-TLS authentication.
§ Go back to Other Networks and enter the password.
§ Enter username as well if necessary.
§ You can now join the network after clicking Join.
For Android:
Android devices are the most difficult to configure manually. Before installing, the end-user will need a RADIUS server and a trusted CA to get a certificate onto the device. Certificates need to be generated on a computer and then exported to the Android device. EAP-TLS needs two certificates, one for the end-user and one for the server, so two certificates need to be exported from the computer to the smartphone. EAP-TLS is widely regarded as the most secure form of authentication because it eliminates over-the-air credential theft. Luckily, there is a faster option for enrolling certificates onto Android devices with EAP-TLS authentication.
1. Setting Up EAP-TLS Authentication
§ EAP-TLS requires client and server certificates.
§ Make sure server certificate validation is enabled so that the device connects only to the correct RADIUS server.
2. General User Certificate
§ With the infrastructure in place, it's time to generate a user certificate using another computer.
§ Access the certificate server to request a certificate.
§ Select user certificate and allow the request to go through.
§ Install the certificate.
3. Export the Certificate onto the device
§ The device requires the user certificate and the root CA certificate since we are using EAP-TLS.
§ Export the user certificate: find the certificate in the certificate manager, right-click it, and choose export.
§ The Certificate Export Wizard will pop up:
1. Export the private key.
2. Select the option to include all certificates in the certification path.
3. Enter a password and create a file name.
§ Repeat the process for the root CA certificate.
4. Import Certificates onto the Android device
§ Copy both certificate files onto device storage.
§ Go to Settings.
§ Under Security, install certificates from storage.
§ Enter the password to install both.
§ You can check if certificates are installed by checking the Trusted Certificates.
5. Authentication with EAP-TLS
§ Once the certificates are trusted and installed, connect to the right Wi-Fi SSID.
§ A security details prompt will appear.
§ Make sure the EAP method is TLS and both user and root CA certificates are in place.
§ Connect to the Wi-Fi.