Implementing WPA2 Enterprise encryption with 802.1X authentication provides the best Wi-Fi security for businesses. However, as you may know, it isn't easy to set up and support. Nevertheless, you shouldn't let this stop you.
The Personal or Pre-Shared Key (PSK) mode of WPA2 doesn't provide adequate security for businesses. Encryption keys are more vulnerable to cracking, static encryption keys are a problem when devices are lost or stolen, and employees can snoop on others or even hand out the encryption key to outsiders.
The Enterprise mode of WPA2 gives you dynamic encryption keys distributed securely after a user logs in with their username and password or provides a valid digital certificate. Users never see the actual encryption keys and they aren't stored on the device. This protects you against rogue or terminated employees and lost or stolen devices. The list of reasons to use Enterprise mode goes on.
In this article, I'll discuss the issues related to deploying and using 802.1X. Best of all, I'll share some tips that can help you overcome them. Let's get started!
Expertise, time, and cost to set up a RADIUS server
Your first concern might be the expertise, time and cost involved in setting up the RADIUS server required for 802.1X authentication. This is especially true for smaller businesses that don't have a big IT staff or budget, or any at all. However, there are RADIUS servers that are user-friendly, fairly easy to set up, and won't break the bank. The Elektron RADIUS Server runs $750, the ClearBox Enterprise RADIUS Server $599, and the TekRADIUS Server is free. Another free option is the open source FreeRADIUS server, great for experienced IT administrators.
You don't even have to set up your own server if you use a hosted RADIUS service. This is great for smaller businesses, or those that don't want to dedicate the time or money to setting up and maintaining a server. Plus it doesn't require any really advanced technical knowledge.
Configuring computers and devices
As you may know, you can't just connect to an Enterprise-protected wireless network like you do with the Personal or PSK mode. The 802.1X authentication settings must be preconfigured in Windows, either by you or the end-user. This is complicated even more if end users bring their own laptops or mobile phones.
If you run a domain with Active Directory on a Windows Server, you may be able to push client settings to some end-users with GPO. The Netsh command-line tool can also help, even without a Domain network.
Keep in mind, there are third-party solutions you can use to create a wizard to help automate the client configuration process. The SU1X 802.1X Configuration Deployment Tool is a free and open source solution. Xpressconnect and Quick1X are commercial options. Once you create a configuration wizard, you might even look into creating a separate setup SSID with a captive portal that's unencrypted just so users can download the wizard, which would then configure and connect them to the Enterprise-protected SSID.
There are also solutions to help configure mobile phones. Apple, for example, offers the iPhone Configuration Utility (iPCU) to push 802.1X and other settings to iPhones, iPod Touches, and iPads.