Implement WPA2 Enterprise Encryption on Your WLAN - Page 2
Creating and maintaining a PKI for digital certificates
If you're setting up your RADIUS server, another concern you might have is creating and maintaining a Public Key Infrastructure (PKI ) and certificate authority (CA) for issuing the digital certificates required by the 802.1X authentication. However keep in mind, if you use the PEAP protocol for 802.1X only one digital certificate is required for the RADIUS server, rather than the server and all the clients with the EAP-TLS protocol.
Remember, if you use a hosted RADIUS/802.1X service, you don't have to worry about this at all.
To get the digital certificate for the RADIUS server you can create your own CA, which most RADIUS servers help you with. Then a client configuration wizard like the three I mentioned can help install the CA certificate to the computers and devices.
Man-in-the-middle attacks
WPA2 Enterprise is also vulnerable to some attacks. For example, someone could setup an AP with the same SSID and a modified RADIUS server in hopes of capturing and cracking the login credentials. However, you can help prevent this type of attack from being successful by ensuring you specify three optional settings in Windows, on the PEAP or Smart Card/Certificate window:
- Check the Validate server certificate option and select the Trusted Root Certificate Authority from the list.
- Check the Connect to these servers option and input the domain name or IP address of the RADIUS server.
- Check Do not prompt user to authorize new servers or trusted certificate authorities.
Similar settings exist for most other operating systems and devices.
Also remember that you can apply these settings with a client configuration wizard like I mentioned earlier.
Eric Geier founded NoWiresSecurity, which helps businesses quickly and easily protect their Wi-Fi with enterprise-level security. He's also a freelance tech writer and author of many networking and computing books, for brands like For Dummies and Cisco Press.
