Implement WPA2 Enterprise Encryption on Your WLAN - Page 2

WPA2 Enterprise encryption with 802.1X authentication provides the best Wi-Fi security for businesses, but it's not always easy to configure. Our guide will get you past some of the stumbling blocks.

 By Eric Geier
Page 2 of 2   |  Back to Page 1
Print Article

Creating and maintaining a PKI for digital certificates

If you're setting up your RADIUS server, another concern you might have is creating and maintaining a Public Key Infrastructure (PKI ) and certificate authority (CA) for issuing the digital certificates required by the 802.1X authentication. However keep in mind, if you use the PEAP protocol for 802.1X only one digital certificate is required for the RADIUS server, rather than the server and all the clients with the EAP-TLS protocol.

Remember, if you use a hosted RADIUS/802.1X service, you don't have to worry about this at all.

To get the digital certificate for the RADIUS server you can create your own CA, which most RADIUS servers help you with. Then a client configuration wizard like the three I mentioned can help install the CA certificate to the computers and devices.

If you don't want to install the CA certificate on all the computers, you can pay to get a digital certificate signed by a public CA, like VeriSign or GoDaddy. Most RADIUS servers can also help you create a signing request to submit to the public CA in order to get the signed certificate for the RADIUS server. GoDaddy charges as little as $50 for a SSL certificate.

Man-in-the-middle attacks

WPA2 Enterprise is also vulnerable to some attacks. For example, someone could setup an AP with the same SSID and a modified RADIUS server in hopes of capturing and cracking the login credentials. However, you can help prevent this type of attack from being successful by ensuring you specify three optional settings in Windows, on the PEAP or Smart Card/Certificate window:

  • Check the Validate server certificate option and select the Trusted Root Certificate Authority from the list.
  • Check the Connect to these servers option and input the domain name or IP address of the RADIUS server.
  • Check Do not prompt user to authorize new servers or trusted certificate authorities.

Similar settings exist for most other operating systems and devices.

Also remember that you can apply these settings with a client configuration wizard like I mentioned earlier.

Eric Geier founded NoWiresSecurity, which helps businesses quickly and easily protect their Wi-Fi with enterprise-level security. He's also a freelance tech writer and author of many networking and computing books, for brands like For Dummies and Cisco Press.

This article was originally published on Dec 10, 2010
Get the Latest Scoop with Networking Update Newsletter