WPA2 Enterprise wireless networks

Posted on 2010-11-08
Last Modified: 2013-12-09

We have several offices around the globe, and in each one our wireless team are setting up wireless networks. All we know for the moment is that the wireless networks will use WPA2 Enterprise security.

I'm just reading up on the subject, and from what I understand -

i. WPA2 Enterprise means there is some sort of authentication server
ii. WPA2 Enterprise also means there is some encryption

However, I had some questions I was hoping someone could answer:

1. Regarding authentication server, is this the same as a RADIUS server, or are there different types of authentication servers?

2. Can the authentication server be tied into AD so that users can access the wireless network with their AD credentials?

3. Regarding the encryption, how does EAP fit it into this?:

4. Are there any recommended types of EAP to use (or not use)?

5. What is the best way to automatically set the wireless access settings for laptops and mobile devices?
Question by:Joe_Budden
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
LVL 13

Accepted Solution

mrroonie earned 250 total points
ID: 34084766
1. you can use a radius server, YOUR server or external addresses -
2. yes, on the clients you need to configure the wifi network to 'use windows domain login information'
3. depends which version of EAP -
4. EAP-TLS is the newest technology, so probably most secure
5. not sure there will be a way to automatically set it up - we use WPA2 Enterprise using EAP-MSCHAPv2 which has only just been replaced with EAP-TLS but there is no way i could automate the process of designating the settings. you may be able to, but you'd need a scripting genuis, which unfortunately i am not

Assisted Solution

Cheever000 earned 250 total points
ID: 34085332
I'll add a bit to all this I have set this up a couple times.  I am assuming for argument sakes that you are using MS server and AD.

1.  You can use RADIUS, you need to create a policy for the specific media "wireless" connecting.

2. It can be based on AD group membership, and you can even allow the devices to authenticated ahead of the user so they are on the network before a user logs in.

3.  Not much to add to this one.

4.  I think this set up uses PEAP on the microsoft side.

5.  You can set wireless settings in AD so the users will not have to touch anything, and this can be deployed through group policy settings.

Check this article out, it is a great place to get started when looking at this.


Author Comment

ID: 34087278
Thanks both. Great answers...

Just two follow up questions...

1. Am I correct in thinking that RADIUS is not necessarily AD specific? It's a protocol for authentication. I've seen many references to it, but not sure what the alternative to RADIUS is?

2. EAP is, again, an authentication mechanism? But EAP works with RADIUS, rather than instead of it?

To be honest I'm a little confused about how EAP and RADIUS interact. I always EAP was an encryption protocol, not an authentication one.
SharePoint Admin?

Enable Your Employees To Focus On The Core With Intuitive Onscreen Guidance That is With You At The Moment of Need.


Expert Comment

ID: 34087411
1.  Radius is a method of having something other then the device itself authenticate users, by checking some other system or database for user rights and permission.  It is not AD specific, and their are other implementations of RADIUS which is an industry standard.

2.  As for EAP, this is a method of protecting the key exchange and authentication process, while it is separate works in conjunction with the method chosen to protect the transaction.

Hope that clears it up a bit and my explanation isn't too confusing.

Author Comment

ID: 34087824
Ah RADIUS is one of the authenticatoin methods, and EAP is a method of securing the authentication method, you could say?

Which begs the question, is EAP a requirement in WPA2 Enterprise? I mean, I know it's preferable, but is it a must?
LVL 13

Expert Comment

ID: 34090966
RADIUS is one of the authenticatoin methods, and EAP is a method of securing the authentication method, you could say? <<correct, see here for full explanation -
Which begs the question, is EAP a requirement in WPA2 Enterprise? I mean, I know it's preferable, but is it a must? <<  it's the industry standard as it's the most secure (EAP-TLS) but it is not strictly necessary - you can use MSCHAPv2 with or without EAP

Author Comment

ID: 34096444
Thanks guys - and final question, out of curiousity, is it possible to use PAP and CHAP with WPA2 RADIUS too? Or just MSCHAP and EAP?
LVL 13

Expert Comment

ID: 34099898
i know you can use PAP with WPA2 RADIUS, but i've never tried it with CHAP. i *think* it's only MSCHAP but i may be wrong as i've never used CHAP

Featured Post

[Webinar] How Hackers Steal Your Credentials

Do You Know How Hackers Steal Your Credentials? Join us and Skyport Systems to learn how hackers steal your credentials and why Active Directory must be secure to stop them. Thursday, July 13, 2017 10:00 A.M. PDT

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

MAC Filtering: MAC filtering is like handing a list of names to a doorman. If someone comes to the door and mentions a name, this name is checked by the doorman on his list and granted or denied access by this. This means that if someone menti…
Need WiFi? Often, there are perfectly good networks that don't have WiFi capability - and there's a need to add it.  - Perhaps you have an Ethernet port into a network but no WiFi nearby. - Perhaps you have a powerline extender and no WiFi at the…
This Micro Tutorial will show you how to maximize your wireless card to its maximum capability. This will be demonstrated using Intel(R) Centrino(R) Wireless-N 2230 wireless card on Windows 8 operating system.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question