  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 511

WPA2 Enterprise wireless networks

Hi

We have several offices around the globe, and in each one our wireless team are setting up wireless networks. All we know for the moment is that the wireless networks will use WPA2 Enterprise security.

I'm just reading up on the subject, and from what I understand -

i. WPA2 Enterprise means there is some sort of authentication server
ii. WPA2 Enterprise also means there is some encryption

However, I had some questions I was hoping someone could answer:

1. Regarding authentication server, is this the same as a RADIUS server, or are there different types of authentication servers?

2. Can the authentication server be tied into AD so that users can access the wireless network with their AD credentials?

3. Regarding the encryption, how does EAP fit into this?

4. Are there any recommended types of EAP to use (or not use)?

5. What is the best way to automatically set the wireless access settings for laptops and mobile devices?
Asked by: Joe_Budden

mrroonie Commented:
1. you can use a radius server, YOUR server or external addresses - http://www.ciscopress.com/articles/article.asp?p=1576225&seqNum=3
2. yes, on the clients you need to configure the wifi network to 'use windows domain login information'
3. depends which version of EAP - http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access#EAP_extensions_under_WPA-_and_WPA2-_Enterprise
4. EAP-TLS is the newest technology, so probably most secure
5. Not sure there will be a way to automatically set it up - we use WPA2 Enterprise using EAP-MSCHAPv2, which has only just been replaced with EAP-TLS, but there is no way I could automate the process of designating the settings. You may be able to, but you'd need a scripting genius, which unfortunately I am not.

Cheever000 Commented:
I'll add a bit to all this; I have set this up a couple of times.  I am assuming for argument's sake that you are using MS server and AD.

1.  You can use RADIUS, you need to create a policy for the specific media "wireless" connecting.

2. It can be based on AD group membership, and you can even allow the devices to authenticate ahead of the user so they are on the network before a user logs in.

3.  Not much to add to this one.

4.  I think this setup uses PEAP on the Microsoft side.

5.  You can set wireless settings in AD so the users will not have to touch anything, and this can be deployed through group policy settings.  http://www.petri.co.il/creating_wireless_gpo_settings.htm


Check this article out, it is a great place to get started when looking at this.
http://articles.techrepublic.com.com/5100-10878_11-6148579.html

Joe_Budden (Author) Commented:
Thanks both. Great answers...

Just two follow up questions...

1. Am I correct in thinking that RADIUS is not necessarily AD specific? It's a protocol for authentication. I've seen many references to it, but not sure what the alternative to RADIUS is?

2. EAP is, again, an authentication mechanism? But EAP works with RADIUS, rather than instead of it?

To be honest I'm a little confused about how EAP and RADIUS interact. I always thought EAP was an encryption protocol, not an authentication one.

Cheever000 Commented:
1.  RADIUS is a method of having something other than the device itself authenticate users, by checking some other system or database for user rights and permission.  It is not AD specific, and there are other implementations of RADIUS, which is an industry standard.

2.  As for EAP, this is a method of protecting the key exchange and authentication process; while it is separate, it works in conjunction with the method chosen to protect the transaction.

Hope that clears it up a bit and my explanation isn't too confusing.

Joe_Budden (Author) Commented:
Ah ok...so RADIUS is one of the authentication methods, and EAP is a method of securing the authentication method, you could say?

Which begs the question, is EAP a requirement in WPA2 Enterprise? I mean, I know it's preferable, but is it a must?

mrroonie Commented:
RADIUS is one of the authentication methods, and EAP is a method of securing the authentication method, you could say? <<correct, see here for full explanation - http://en.wikipedia.org/wiki/Radius_server
Which begs the question, is EAP a requirement in WPA2 Enterprise? I mean, I know it's preferable, but is it a must? <<  it's the industry standard as it's the most secure (EAP-TLS) but it is not strictly necessary - you can use MSCHAPv2 with or without EAP

Joe_Budden (Author) Commented:
Thanks guys - and final question, out of curiosity, is it possible to use PAP and CHAP with WPA2 RADIUS too? Or just MSCHAP and EAP?

mrroonie Commented:
I know you can use PAP with WPA2 RADIUS, but I've never tried it with CHAP. I *think* it's only MSCHAP but I may be wrong as I've never used CHAP.
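
How the two protocols discussed in this thread sit together on the wire, as an added example that is not from any poster: the access point relays the client's EAP packet to the RADIUS server inside EAP-Message attributes (type 79, RFC 3579), and a Message-Authenticator attribute (type 80) protects the request. The shared secret, identity and sample packet below are constructed values.

```python
import hmac
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80

def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def build_access_request(ident, req_auth, eap, user, secret):
    """Constructed sample: what an AP sends after the client answers over EAP."""
    attrs = attr(USER_NAME, user)
    for i in range(0, len(eap), 253):  # long EAP packets span several attributes
        attrs += attr(EAP_MESSAGE, eap[i:i + 253])
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed while the HMAC is computed
    pkt = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, "md5").digest()

def parse_radius(pkt, secret):
    """Split an Access-Request, reassemble its EAP payload, verify Message-Authenticator."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    eap, mac_off, pos = b"", None, 20
    while pos < length:
        alen = pkt[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if pkt[pos] == EAP_MESSAGE:
            eap += pkt[pos + 2:pos + alen]  # concatenate fragments in order
        elif pkt[pos] == MESSAGE_AUTHENTICATOR and alen == 18:
            mac_off = pos + 2
        pos += alen
    mac_ok = False  # a request carrying EAP without a valid MAC must be discarded
    if mac_off is not None:
        zeroed = pkt[:mac_off] + bytes(16) + pkt[mac_off + 16:]
        expected = hmac.new(secret, zeroed, "md5").digest()
        mac_ok = hmac.compare_digest(expected, pkt[mac_off:mac_off + 16])
    out = {"radius": RADIUS_CODES.get(code, code), "mac_ok": mac_ok, "eap": None}
    if len(eap) >= 4:
        ecode, _eid, elen = struct.unpack("!BBH", eap[:4])
        etype = eap[4] if ecode in (1, 2) and len(eap) > 4 else None  # only Request/Response carry a type
        out["eap"] = {"code": EAP_CODES.get(ecode, ecode),
                      "type": EAP_TYPES.get(etype, etype), "data": eap[5:elen]}
    return out

SECRET, IDENTITY = b"constructed-shared-secret", b"alice@example.test"
EAP_ID_RESPONSE = struct.pack("!BBHB", 2, 1, 5 + len(IDENTITY), 1) + IDENTITY
SAMPLE = build_access_request(7, bytes(range(16)), EAP_ID_RESPONSE, IDENTITY, SECRET)
```

The Message-Authenticator check here covers Access-Request packets only; replies are verified against the authenticator of the request they answer.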