Wireless Security in the Enterprise: Deploying WPA3-Enterprise

What is Wi-Fi Protected Access (WPA)?

WPA (referred to as the draft IEEE 802.11i standard) addressed most of the known vulnerabilities of WEP. Primarily intended for wireless enterprise networks, WPA implemented several significant changes.

Those changes were:

• Extensible Authentication Protocol (EAP): This is a secure public-key encryption system so that only authorized network users can access the network. 
• Temporal Key Integrity Protocol (TKIP): TKIP improved data encryption by scrambling the keys using a hashing algorithm to stop tampering.
• Message-integrity check (MIC): This determines whether a hacker captured or altered packets passing between the access point and client.

Within the year, however, a flaw was found in WPA that exploited older weaknesses in WEP and limitations of the MIC feature.

The switch to WPA2

WPA2 introduced the use of AES (Advanced Encryption Standard) algorithms and CCMP (Counter Cipher Mode with Block-Chaining Message Authentication Code Protocol) to tighten the security of both home networks and business enterprises.

WPA2 had two operating modes: one for home Wi-Fi networks and the other for organizations wanting government-grade wireless security (known as WPA2-Enterprise).

WPA2-Enterprise deployment includes installing a RADIUS server (or establishing an outsourced service), configuring access points with the encryption and RADIUS server information, configuring your operating system with the encryption and IEEE 802.1x settings, and then connecting to your secure wireless enterprise.

What is the difference between WPA2 and WPA3?

WPA3, introduced in 2018, addressed vulnerabilities that persisted in WPA2. The enhancements provide users with stronger privacy protections and secure their devices better, regardless of their technical knowledge.

The key enhancements in WPA3 are:

• Simultaneous Authentication of Equals (SAE): Replacing WPA2’s pre-shared key (PSK) exchange protocol, SAE prevents attackers from gaining access by attempting to guess the network password.
• Enhanced Open: This is a way of connecting to public Wi-Fi networks more securely. Traditionally, cybercriminals have used man-in-the-middle attacks to hack into data connections on public Wi-Fi.
• Easy Connect: This is a clever feature allowing connected items without screens or keypads to be logged in to a network via a QR code read on a smartphone.

Like WPA2, WPA3 has two modes: one for home and one for businesses. WPA3-Enterprise is designed for organizations and businesses that transmit sensitive data and offers a boosted 192-bit minimum-strength security protocol. It also incorporates cryptographic tools that align with the Commercial National Security Algorithm (CNSA) Suite that were created by the Committee on National Security Systems.

How do you deploy WPA3-Enterprise?

The standard for passing EAP over a network is IEEE 802.1x. In this authentication framework, the user who wants to be authenticated is the supplicant. The authentication server is an external RADIUS server. The device at the AP, such as a laptop or smartphone, is the authenticator.

Users are assigned login credentials to enter when connecting to the network; they don’t see the actual encryption keys, and the keys aren’t stored on the device. This protects the wireless network against terminated employees or lost devices. When a user attempts to connect to your network, login credentials are sent through a virtual port. If successful, the encryption keys are distributed, granting the user full access.

RADIUS server options

Once you decide on which of the following RADIUS server options to use, you will set it up in the corresponding EAP, AP and user settings.

• Windows Server: If you have a Windows Server set up, use the Network Policy Server (NPS).
• FreeRADIUS: This server is a free, open-source project and the preferred choice of advanced IT personnel. It is available for the Linux, Mac OS X and Windows platforms.
• Outsourced services: If you have multiple offices or lack technical IT expertise, a hosting service is a good option. Many services provide more than just RADIUS server hosting. They can also help with the setup process, do user onboarding and provide real-time reporting functionality. In addition, many companies offer mobile applications that make configuring mobile devices quick and painless for Apple iOS, Android and Kindle Fire users.

EAP options

Your EAP choice depends on the level of security you need and your server/client specs. 

Although there are more than 10 EAP types, the three most widely used are:

• PEAP (Protected EAP): This protocol authenticates users through the usernames and passwords they enter when connecting to the network. It is one of the easiest EAP types to implement.
• TLS (Transport Layer Security): To provide the highest level of security, this type of EAP requires both server and client certificate validation. Instead of connecting to the network with usernames and passwords, end-user devices or computers must have a client certificate. You control the certificate authority and distribute the client certificates.
• TTLS (Tunneled TLS): This version of TLS doesn’t require security certificates and reduces network management time. However, because TTLS doesn’t have native support in Microsoft Windows, it requires a third-party client.

The steps for configuring the APs require you to enable WPA3-Enterprise only mode or transition mode by setting the AKM suite to 00-0F-AC:5 (802.1X with SHA-256). Your APs will use CCMP encryption, so make sure to turn off older encryption methods like TKIP and WEP. You also need to enable Protected Management Frames (PMF) to help secure your network.

On the client side, set up your usernames and passwords or client certificates if that’s what you choose to use. You’ll need to do this for every laptop, tablet, smartphone or other device that connects to your server. Boost connection speed and security further by enabling “fast roaming” and “server certificate validation” if they’re available.

Implementation may vary depending on the hardware and software you choose.

Standards and the Wi-Fi Alliance

There’s no end to the task of protecting against data theft and managing risk and compliance in the wireless enterprise. Key challenges in wireless security vary widely and continue to evolve because every enterprise is different. Some IT teams struggle with the impact of BYOD (bring your own device), while others seek ways to allow guest access without compromising security of mission-critical systems.

The IEEE 802.11 working group and Wi-Fi Alliance continue to address emerging needs, now offering innovations like IEEE 802.11ax, better known as Wi-Fi 6. This update brings improvements designed to enhance network performance at busy times, such as:

• Orthogonal frequency division multiple access (OFDMA): This increases the number of devices that can use the same Wi-Fi channel simultaneously.
• Multi-user, multiple-input, multiple-output (MU-MIMO): Building on OFDMA, this lets your Wi-Fi router communicate with several devices at once, which is great for increasing data transmission speeds.
• Target Wake Time (TWT): Wi-Fi connectivity is a drain on your mobile devices’ power, and TWT lets them sleep and wake up.

In addition, major platform vendors often provide ways to assist in the management of security measures, helping to reduce the resources needed and overall time spent on IT management.

Wi-Fi continues to grow and adapt to business needs. While 2.4 GHz was once the norm in wireless networking, the introduction of Wi-Fi 6 has expanded operation into multiple frequency bands and brought significant advancements, like increased capacity and better performance in dense environments.

When it comes to security, WPA3, certified through the Wi-Fi Alliance’s Wi-Fi CERTIFIED program, has emerged as the latest and most secure protocol. It significantly strengthens encryption, protects against brute-force attacks through SAE and provides transition modes for mixed WPA2/WPA3 environments. Importantly, while WPA2 networks remain secure when properly maintained, WPA3 offers additional security enhancements for those who need them.

The Wi-Fi Alliance and other entities are constantly working to develop new security methods and certifications to ensure optimal protection. As such, updating firmware and drivers regularly, adopting the latest standards, and keeping informed about advancements in security protocols are paramount to maintaining a secure network.

Make sure your group has adopted the latest technologies, such as Wi-Fi 6 and WPA3. Enjoy the convenience and productivity of Wi-Fi, but do it safely.