WPA2 Enterprise wireless networks

Posted on 2010-11-08
Last Modified: 2013-12-09

We have several offices around the globe, and in each one our wireless team are setting up wireless networks. All we know for the moment is that the wireless networks will use WPA2 Enterprise security.

I'm just reading up on the subject, and from what I understand -

i. WPA2 Enterprise means there is some sort of authentication server
ii. WPA2 Enterprise also means there is some encryption

However, I had some questions I was hoping someone could answer:

1. Regarding authentication server, is this the same as a RADIUS server, or are there different types of authentication servers?

2. Can the authentication server be tied into AD so that users can access the wireless network with their AD credentials?

3. Regarding the encryption, how does EAP fit into this?

4. Are there any recommended types of EAP to use (or not use)?

5. What is the best way to automatically set the wireless access settings for laptops and mobile devices?
Question by:Joe_Budden

Accepted Solution

mrroonie earned 250 total points
ID: 34084766
1. you can use a radius server, YOUR server or external addresses -
2. yes, on the clients you need to configure the wifi network to 'use windows domain login information'
3. depends which version of EAP -
4. EAP-TLS is the newest technology, so probably most secure
5. not sure there will be a way to automatically set it up - we use WPA2 Enterprise using EAP-MSCHAPv2 which has only just been replaced with EAP-TLS but there is no way i could automate the process of designating the settings. you may be able to, but you'd need a scripting genius, which unfortunately i am not

Assisted Solution

Cheever000 earned 250 total points
ID: 34085332
I'll add a bit to all this; I have set this up a couple of times.  I am assuming for argument's sake that you are using MS server and AD.

1.  You can use RADIUS, you need to create a policy for the specific media "wireless" connecting.

2. It can be based on AD group membership, and you can even allow the devices to authenticate ahead of the user so they are on the network before a user logs in.

3.  Not much to add to this one.

4.  I think this set up uses PEAP on the Microsoft side.

5.  You can set wireless settings in AD so the users will not have to touch anything, and this can be deployed through group policy settings.

Check this article out, it is a great place to get started when looking at this.


Author Comment

ID: 34087278
Thanks both. Great answers...

Just two follow up questions...

1. Am I correct in thinking that RADIUS is not necessarily AD specific? It's a protocol for authentication. I've seen many references to it, but not sure what the alternative to RADIUS is?

2. EAP is, again, an authentication mechanism? But EAP works with RADIUS, rather than instead of it?

To be honest I'm a little confused about how EAP and RADIUS interact. I always thought EAP was an encryption protocol, not an authentication one.

Expert Comment

ID: 34087411
1.  RADIUS is a method of having something other than the device itself authenticate users, by checking some other system or database for user rights and permission.  It is not AD specific, and there are other implementations of RADIUS, which is an industry standard.

2.  As for EAP, this is a method of protecting the key exchange and authentication process; while it is separate, it works in conjunction with the method chosen to protect the transaction.

Hope that clears it up a bit and my explanation isn't too confusing.
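
How EAP and RADIUS relate on the wire, as an added example that is not part of the original thread: with 802.1X the access point relays the client's EAP packets to the RADIUS server inside EAP-Message attributes (type 79, RFC 3579), and this parser pulls the EAP packet back out. The sample packet and the identity `alice@example.com` are constructed, not captured, and the function names are hypothetical.

```python
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
ATTR_USER_NAME, ATTR_EAP_MESSAGE = 1, 79

def parse_radius(packet):
    """Split a RADIUS packet into its header fields and (type, value) attributes."""
    if len(packet) < 20:
        raise ValueError("RADIUS header is 20 bytes")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20  # attributes start after the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": RADIUS_CODES.get(code, str(code)), "id": ident, "attrs": attrs}

def extract_eap(radius):
    """Reassemble EAP-Message attributes (one EAP packet may span several) and decode it."""
    eap = b"".join(v for t, v in radius["attrs"] if t == ATTR_EAP_MESSAGE)
    if not eap:
        return None  # no EAP carried in this RADIUS packet
    if len(eap) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if length < 4 or length > len(eap):
        raise ValueError("bad EAP length field")
    out = {"code": EAP_CODES.get(code, str(code)), "id": ident, "type": None, "data": b""}
    if code in (1, 2) and length >= 5:  # only Request/Response carry a Type byte
        out["type"] = EAP_TYPES.get(eap[4], str(eap[4]))
        out["data"] = eap[5:length]
    return out

def build_sample():
    """Constructed Access-Request with an EAP-Response/Identity inside.
    Zeroed authenticator, and no Message-Authenticator attribute, which a real one needs."""
    ident = b"alice@example.com"
    eap = struct.pack("!BBHB", 2, 1, 5 + len(ident), 1) + ident
    attrs = bytes([ATTR_USER_NAME, 2 + len(ident)]) + ident
    attrs += bytes([ATTR_EAP_MESSAGE, 2 + len(eap)]) + eap
    return struct.pack("!BBH", 1, 42, 20 + len(attrs)) + bytes(16) + attrs
```

Calling `extract_eap(parse_radius(build_sample()))` returns the inner EAP packet; the `type` field is where the EAP method in use (EAP-TLS, PEAP, EAP-MSCHAPv2) shows up once the exchange moves past the identity step.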

Author Comment

ID: 34087824
Ah RADIUS is one of the authentication methods, and EAP is a method of securing the authentication method, you could say?

Which begs the question, is EAP a requirement in WPA2 Enterprise? I mean, I know it's preferable, but is it a must?

Expert Comment

ID: 34090966
RADIUS is one of the authentication methods, and EAP is a method of securing the authentication method, you could say? <<correct, see here for full explanation -
Which begs the question, is EAP a requirement in WPA2 Enterprise? I mean, I know it's preferable, but is it a must? <<  it's the industry standard as it's the most secure (EAP-TLS) but it is not strictly necessary - you can use MSCHAPv2 with or without EAP

Author Comment

ID: 34096444
Thanks guys - and final question, out of curiosity, is it possible to use PAP and CHAP with WPA2 RADIUS too? Or just MSCHAP and EAP?

Expert Comment

ID: 34099898
i know you can use PAP with WPA2 RADIUS, but i've never tried it with CHAP. i *think* it's only MSCHAP but i may be wrong as i've never used CHAP

Question has a verified solution.