Solved

WPA2 Enterprise wireless networks

Posted on 2010-11-08
Last Modified: 2013-12-09
Hi

We have several offices around the globe, and in each one our wireless team are setting up wireless networks. All we know for the moment is that the wireless networks will use WPA2 Enterprise security.

I'm just reading up on the subject, and from what I understand -

i. WPA2 Enterprise means there is some sort of authentication server
ii. WPA2 Enterprise also means there is some encryption

However, I had some questions I was hoping someone could answer:

1. Regarding authentication server, is this the same as a RADIUS server, or are there different types of authentication servers?

2. Can the authentication server be tied into AD so that users can access the wireless network with their AD credentials?

3. Regarding the encryption, how does EAP fit into this?

4. Are there any recommended types of EAP to use (or not use)?

5. What is the best way to automatically set the wireless access settings for laptops and mobile devices?
Question by:Joe_Budden
 
Accepted Solution by: mrroonie
ID: 34084766
1. you can use a radius server, YOUR server or external addresses - http://www.ciscopress.com/articles/article.asp?p=1576225&seqNum=3
2. yes, on the clients you need to configure the wifi network to 'use windows domain login information'
3. depends which version of EAP - http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access#EAP_extensions_under_WPA-_and_WPA2-_Enterprise
4. EAP-TLS is the newest technology, so probably most secure
5. not sure there will be a way to automatically set it up - we use WPA2 Enterprise using EAP-MSCHAPv2 which has only just been replaced with EAP-TLS but there is no way I could automate the process of designating the settings. you may be able to, but you'd need a scripting genius, which unfortunately I am not

Assisted Solution by: Cheever000
ID: 34085332
I'll add a bit to all this; I have set this up a couple of times. I am assuming for argument's sake that you are using MS server and AD.

1.  You can use RADIUS; you need to create a policy for the specific media ("wireless") connecting.

2. It can be based on AD group membership, and you can even allow the devices to authenticate ahead of the user so they are on the network before a user logs in.

3.  Not much to add to this one.

4.  I think this set up uses PEAP on the microsoft side.

5.  You can set wireless settings in AD so the users will not have to touch anything, and this can be deployed through group policy settings.  http://www.petri.co.il/creating_wireless_gpo_settings.htm


Check this article out, it is a great place to get started when looking at this.
http://articles.techrepublic.com.com/5100-10878_11-6148579.html


Author Comment by: Joe_Budden
ID: 34087278
Thanks both. Great answers...

Just two follow up questions...

1. Am I correct in thinking that RADIUS is not necessarily AD specific? It's a protocol for authentication. I've seen many references to it, but not sure what the alternative to RADIUS is?

2. EAP is, again, an authentication mechanism? But EAP works with RADIUS, rather than instead of it?

To be honest I'm a little confused about how EAP and RADIUS interact. I always thought EAP was an encryption protocol, not an authentication one.

Expert Comment by: Cheever000
ID: 34087411
1.  RADIUS is a method of having something other than the device itself authenticate users, by checking some other system or database for user rights and permissions.  It is not AD specific, and there are other implementations of RADIUS, which is an industry standard.

2.  As for EAP, this is a method of protecting the key exchange and authentication process; while it is separate, it works in conjunction with the method chosen to protect the transaction.

Hope that clears it up a bit and my explanation isn't too confusing.
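Added example (not part of the original thread): a small Python script showing the relationship the two replies above describe, that EAP is the authentication conversation between the supplicant and the authentication server, and RADIUS is the transport that carries it from the access point to that server. It builds the RADIUS Access-Request an AP would send after receiving the supplicant's EAP Response/Identity, fragments the EAP packet into EAP-Message attributes, adds the Message-Authenticator HMAC that RFC 3579 requires whenever EAP-Message is present, and then performs the server-side check and reassembly. The shared secret, Request Authenticator and user identity are constructed sample values; a real NAS picks a random 16-byte authenticator for every request.

```python
"""Added example: an EAP packet riding inside a RADIUS Access-Request.
Wire formats from RFC 2865 (RADIUS), RFC 3579 (RADIUS support for EAP) and
RFC 3748 (EAP). The secret, authenticator and identity are constructed values."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1                  # RADIUS packet code
ATTR_USER_NAME = 1
ATTR_NAS_PORT_TYPE = 61
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_WIRELESS_80211 = 19   # value a server policy matches for wireless clients
EAP_RESPONSE = 2                    # EAP code
EAP_TYPE_IDENTITY = 1

def eap_response_identity(eap_id, identity):
    """EAP Response/Identity: Code(1) Id(1) Length(2) Type(1) Identity (RFC 3748)."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body

def attr(atype, value):
    """One RADIUS attribute: Type(1) Length(1, header included) Value (<= 253 bytes)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", atype, 2 + len(value)) + value

def build_access_request(secret, identifier, authenticator, user_name, eap_packet):
    """NAS (access point) side: wrap the supplicant's EAP packet in EAP-Message
    attributes and sign the whole request with Message-Authenticator, an HMAC-MD5
    keyed with the NAS/RADIUS shared secret (RFC 3579 section 3.2)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    attrs = attr(ATTR_USER_NAME, user_name.encode())
    attrs += attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
    for i in range(0, len(eap_packet), 253):            # fragment large EAP packets
        attrs += attr(ATTR_EAP_MESSAGE, eap_packet[i:i + 253])
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zero while computing the HMAC
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac       # Message-Authenticator is the last attribute added

def parse_attributes(packet):
    """Return [(type, value, offset_of_value)] for every attribute after the header."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        out.append((atype, packet[pos + 2:pos + alen], pos + 2))
        pos += alen
    return out

def message_authenticator_ok(secret, packet):
    """Server side: recompute the HMAC-MD5 with the attribute's own value zeroed."""
    for atype, value, off in parse_attributes(packet):
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:off] + bytes(16) + packet[off + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False    # EAP-Message without Message-Authenticator must be discarded

def extract_eap(packet):
    """Server side: reassemble the EAP-Message fragments and decode the EAP header."""
    eap = b"".join(v for t, v, _ in parse_attributes(packet) if t == ATTR_EAP_MESSAGE)
    if len(eap) < 4:
        raise ValueError("no EAP-Message attribute in request")
    code, eap_id, length = struct.unpack("!BBH", eap[:4])
    if length != len(eap):
        raise ValueError("EAP length field does not match reassembled payload")
    result = {"code": code, "id": eap_id, "type": eap[4] if length > 4 else None}
    if result["type"] == EAP_TYPE_IDENTITY:
        result["identity"] = eap[5:].decode()
    return result

def demo():
    secret = b"constructed-shared-secret"   # constructed; not a deployment value
    authenticator = bytes(range(16))        # constructed; a real NAS uses 16 random bytes
    eap = eap_response_identity(1, "joe@corp.example")
    pkt = build_access_request(secret, 7, authenticator, "joe@corp.example", eap)
    return pkt, message_authenticator_ok(secret, pkt), extract_eap(pkt)

if __name__ == "__main__":
    pkt, ok, eap = demo()
    print(len(pkt), "bytes, Message-Authenticator ok:", ok, eap)
```

Two points for a deployment follow from the code. The Message-Authenticator is keyed only with the NAS/RADIUS shared secret, so that secret (and the network path between AP and server) is what protects the RADIUS leg; the EAP method inside protects the supplicant-to-server leg. And NAS-Port-Type = Wireless-802.11 is the attribute a server policy matches to treat wireless clients differently, which is the "policy for the specific media" the second answer refers to.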

Author Comment by: Joe_Budden
ID: 34087824
Ah ok...so RADIUS is one of the authentication methods, and EAP is a method of securing the authentication method, you could say?

Which begs the question, is EAP a requirement in WPA2 Enterprise? I mean, I know it's preferable, but is it a must?

Expert Comment by: mrroonie
ID: 34090966
RADIUS is one of the authentication methods, and EAP is a method of securing the authentication method, you could say? <<correct, see here for full explanation - http://en.wikipedia.org/wiki/Radius_server
Which begs the question, is EAP a requirement in WPA2 Enterprise? I mean, I know it's preferable, but is it a must? <<  it's the industry standard as it's the most secure (EAP-TLS) but it is not strictly necessary - you can use MSCHAPv2 with or without EAP

Author Comment by: Joe_Budden
ID: 34096444
Thanks guys - and final question, out of curiosity, is it possible to use PAP and CHAP with WPA2 RADIUS too? Or just MSCHAP and EAP?

Expert Comment by: mrroonie
ID: 34099898
I know you can use PAP with WPA2 RADIUS, but I've never tried it with CHAP. I *think* it's only MSCHAP but I may be wrong as I've never used CHAP
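Added example (not part of the original thread) for the final PAP/CHAP exchange: the two password mechanisms RADIUS itself defines, implemented in Python from RFC 2865. PAP hides the User-Password attribute with an MD5/XOR chain keyed on the shared secret and the Request Authenticator, which the script both applies (NAS side) and reverses (server side); CHAP sends MD5(id + password + challenge) in CHAP-Password, which the script computes and verifies. In an 802.1X/WPA2 Enterprise deployment these inner methods only appear when carried inside a tunnelled EAP type such as EAP-TTLS, so whether you can use them depends on the supplicant and the RADIUS server both supporting that tunnel; that is an assumption to check against your own server. The secret, authenticator, challenge and password are constructed sample values.

```python
"""Added example: RADIUS PAP (User-Password hiding) and CHAP (CHAP-Password)
as specified in RFC 2865 sections 5.2 and 5.3. All sample values are constructed."""
import hashlib
import hmac

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_user_password(secret, authenticator, password):
    """NAS side. Pad the password with NULs to a multiple of 16 bytes; each block is
    XORed with MD5(secret + previous ciphertext block), the first block with
    MD5(secret + Request Authenticator)."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + bytes(-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def unhide_user_password(secret, authenticator, hidden):
    """Server side: the same chain run backwards. Anyone holding the shared secret
    and a capture of the request can do this too, which is why PAP over RADIUS is
    only as strong as that secret and the path between NAS and server."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")      # strip the NUL padding

def chap_response(chap_id, password, challenge):
    """Client side: CHAP-Password value = 1-byte ident + MD5(ident + password + challenge).
    The challenge comes from CHAP-Challenge or, if absent, the Request Authenticator."""
    return bytes([chap_id]) + hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def chap_verify(password, challenge, chap_password_value):
    """Server side: recompute and compare in constant time. The server needs the
    cleartext (or reversibly encrypted) password; a one-way hash store cannot answer."""
    if len(chap_password_value) != 17:
        return False
    chap_id = chap_password_value[0]
    expected = hashlib.md5(bytes([chap_id]) + password + challenge).digest()
    return hmac.compare_digest(expected, chap_password_value[1:])

def demo():
    secret = b"constructed-shared-secret"        # constructed; not a deployment value
    authenticator = bytes(range(16))             # constructed; random in a real request
    password = b"correct horse battery staple"   # 28 bytes, so it spans two 16-byte blocks
    hidden = hide_user_password(secret, authenticator, password)
    recovered = unhide_user_password(secret, authenticator, hidden)
    challenge = bytes(range(16, 32))             # constructed CHAP-Challenge value
    resp = chap_response(0x2A, password, challenge)
    return hidden, recovered, resp, chap_verify(password, challenge, resp)

if __name__ == "__main__":
    hidden, recovered, resp, ok = demo()
    print("PAP hidden:", hidden.hex(), "recovered:", recovered, "CHAP ok:", ok)
```

The unhide function makes the practical point: the PAP password is recoverable by anyone who has the shared secret and a capture of the request, so PAP needs a strong secret and a trusted NAS-to-server path (or an EAP-TTLS tunnel in front of it). CHAP verification needs the server to hold the cleartext or reversibly encrypted password, which is why CHAP against Active Directory requires the "store password using reversible encryption" setting, whereas MS-CHAPv2 can be verified from the stored NT hash.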
