WPA2 Enterprise wireless networks


We have several offices around the globe, and in each one our wireless team are setting up wireless networks. All we know for the moment is that the wireless networks will use WPA2 Enterprise security.

I'm just reading up on the subject, and from what I understand -

i. WPA2 Enterprise means there is some sort of authentication server
ii. WPA2 Enterprise also means there is some encryption

However, I had some questions I was hoping someone could answer:

1. Regarding authentication server, is this the same as a RADIUS server, or are there different types of authentication servers?

2. Can the authentication server be tied into AD so that users can access the wireless network with their AD credentials?

3. Regarding the encryption, how does EAP fit it into this?:

4. Are there any recommended types of EAP to use (or not use)?

5. What is the best way to automatically set the wireless access settings for laptops and mobile devices?
Who is Participating?
mrroonieConnect With a Mentor Commented:
1. you can use a radius server, YOUR server or external addresses - http://www.ciscopress.com/articles/article.asp?p=1576225&seqNum=3
2. yes, on the clients you need to configure the wifi network to 'use windows domain login information'
3. depends which version of EAP - http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access#EAP_extensions_under_WPA-_and_WPA2-_Enterprise
4. EAP-TLS is the newest technology, so probably most secure
5. not sure there will be a way to automatically set it up - we use WPA2 Enterprise using EAP-MSCHAPv2 which has only just been replaced with EAP-TLS but there is no way i could automate the process of designating the settings. you may be able to, but you'd need a scripting genuis, which unfortunately i am not
Cheever000Connect With a Mentor Commented:
I'll add a bit to all this I have set this up a couple times.  I am assuming for argument sakes that you are using MS server and AD.

1.  You can use RADIUS, you need to create a policy for the specific media "wireless" connecting.

2. It can be based on AD group membership, and you can even allow the devices to authenticated ahead of the user so they are on the network before a user logs in.

3.  Not much to add to this one.

4.  I think this set up uses PEAP on the microsoft side.

5.  You can set wireless settings in AD so the users will not have to touch anything, and this can be deployed through group policy settings.  http://www.petri.co.il/creating_wireless_gpo_settings.htm

Check this article out, it is a great place to get started when looking at this.

Joe_BuddenAuthor Commented:
Thanks both. Great answers...

Just two follow up questions...

1. Am I correct in thinking that RADIUS is not necessarily AD specific? It's a protocol for authentication. I've seen many references to it, but not sure what the alternative to RADIUS is?

2. EAP is, again, an authentication mechanism? But EAP works with RADIUS, rather than instead of it?

To be honest I'm a little confused about how EAP and RADIUS interact. I always EAP was an encryption protocol, not an authentication one.
NEW Internet Security Report Now Available!

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out this quarters report on the threats that shook the industry in Q4 2017.

1.  Radius is a method of having something other then the device itself authenticate users, by checking some other system or database for user rights and permission.  It is not AD specific, and their are other implementations of RADIUS which is an industry standard.

2.  As for EAP, this is a method of protecting the key exchange and authentication process, while it is separate works in conjunction with the method chosen to protect the transaction.

Hope that clears it up a bit and my explanation isn't too confusing.
Joe_BuddenAuthor Commented:
Ah ok...so RADIUS is one of the authenticatoin methods, and EAP is a method of securing the authentication method, you could say?

Which begs the question, is EAP a requirement in WPA2 Enterprise? I mean, I know it's preferable, but is it a must?
RADIUS is one of the authenticatoin methods, and EAP is a method of securing the authentication method, you could say? <<correct, see here for full explanation - http://en.wikipedia.org/wiki/Radius_server
Which begs the question, is EAP a requirement in WPA2 Enterprise? I mean, I know it's preferable, but is it a must? <<  it's the industry standard as it's the most secure (EAP-TLS) but it is not strictly necessary - you can use MSCHAPv2 with or without EAP
Joe_BuddenAuthor Commented:
Thanks guys - and final question, out of curiousity, is it possible to use PAP and CHAP with WPA2 RADIUS too? Or just MSCHAP and EAP?
i know you can use PAP with WPA2 RADIUS, but i've never tried it with CHAP. i *think* it's only MSCHAP but i may be wrong as i've never used CHAP
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.