Security recommendations wifi connected to corporate network

We have been tasked with connecting a room to our corporate network via wireless router. I am not that adept at wireless security. Can anyone give me any general guidelines to make this as secure as possible? Is this even recommended? Our domain is a Windows 2016 domain.

Thanks
TOHIT Asked:
Jakob Digranes (Senior Consultant) Commented:
As noci mentioned:
the only way to get secure WiFi is using WPA2-Enterprise.
WPA2-Enterprise uses a RADIUS server for authentication; the RADIUS server can be a Windows DC if you like, or Linux, or a 3rd-party product.
But RADIUS needs to be set up securely.

The EAP setting (for authentication and credential exchange) should be Protected EAP (PEAP) using a valid certificate on the server, and use this certificate to securely exchange credentials.

The EAP inner method can be either certificates on devices, EAP-TLS (yes please!), or user name and password from the domain, PEAP-MSCHAPv2.

Once again, as noci says: with WPA2-Enterprise every station uses a randomly generated unique encryption key that is rotated. With WPA2-Personal (using a pre-shared key) every station shares the same encryption key.
KRACK can be mitigated, as most vendors have released firmware patches to fix this. WPA2-KRACK is not a protocol flaw but an implementation flaw, which makes it easy to secure.
WPA2-Enterprise is still susceptible to KRACK if wireless equipment is not upgraded.

And yes, secure and recommended.
0
 
masnrock Commented:
Please give more detail. There seems to be some ambiguity. Is this a space that's not part of your current space, or are you implementing a wireless network that needs to be tied to the corporate network?
0
 
CompProbSolv Commented:
Once you have connected the room to your network, how will users connect to it? More specifically, you can do a point-to-point connection between the corporate network and your room and then connect to that with a wired connection. The point-to-point connection can be fairly secure by restricting communication between the two devices with WPA2 and only allowing connections between those two MAC addresses. An access point can be connected to the PTP connection, and standard wireless security rules would apply.
0
 
Rob Knight (Consultant) Commented:
Given recent WPA2 vulnerabilities (KRACK) you may want to consider an alternative, i.e. if you already have a VPN solution, just put in standard Internet-connection-based Wi-Fi.
0
 
noci (Software Engineer) Commented:
KRACK can be mitigated somewhat, but at least stick to WPA2 + AES (or CCMP); avoid TKIP, WPA and WEP.
To make WiFi more or less secure you will need to set up WPA2+AES Enterprise. This mode uses certificates and generates access keys based on those. KRACK will not help a lot as the password changes every time the connection is made.
Even roaming can be made smoother that way.
0
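The difference that both Jakob and noci describe above, namely that WPA2-Personal hands every station the same secret while WPA2-Enterprise gives each session its own, can be shown concretely with the standard WPA2 key derivation. The following is an added example and not code from the thread; the SSID, passphrase and MAC addresses are constructed, and a random 64-byte value stands in for the MSK that a real EAP method (EAP-TLS or PEAP-MSCHAPv2 over RADIUS) would export, since no EAP exchange is implemented here. It derives the PMK (PBKDF2 for Personal, MSK-derived for Enterprise), derives the per-association PTK with the 802.11 PRF from the PMK plus the public nonces and MAC addresses, builds message 2 of the 4-way handshake with its HMAC-SHA1 MIC, and then plays a passive eavesdropper who has only the captured frames. In Personal mode the per-station key is indeed fresh per association, but it is computable by anyone who knows the passphrase; in Enterprise mode the same capture yields nothing because the PMK never leaves the EAP session.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample values for this illustration; nothing here comes from the thread.
SSID = b"corp-room"
PASSPHRASE = b"correct horse battery staple"
AP_MAC = bytes.fromhex("001122334455")   # hypothetical authenticator (AP) address
STA_MAC = bytes.fromhex("66778899aabb")  # hypothetical supplicant (client) address


def psk_pmk(passphrase, ssid):
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    Every station derives the same PMK, and so does anyone who learns the passphrase."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def enterprise_pmk(msk):
    """WPA2-Enterprise: PMK = first 32 bytes of the MSK the EAP method (EAP-TLS,
    PEAP-MSCHAPv2, ...) exports after the RADIUS exchange; fresh for every session."""
    return msk[:32]


def prf_sha1(key, label, data, nbytes):
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK for CCMP, 48 bytes split as KCK (16) || KEK (16) || TK (16).
    Every input except the PMK is public: MAC addresses and nonces are sent in clear."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_sha1(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


def eapol_key_frame(key_info, replay_counter, nonce, mic=bytes(16), key_data=b""):
    """EAPOL-Key frame (802.1X header + RSN key descriptor) carrying the given MIC field."""
    body = struct.pack(">BHHQ", 2, key_info, 16, replay_counter)   # descriptor type 2 = RSN
    body += nonce + bytes(16) + bytes(8) + bytes(8)                # nonce, key IV, RSC, reserved
    body += mic + struct.pack(">H", len(key_data)) + key_data
    return struct.pack(">BBH", 2, 3, len(body)) + body              # version 2, type 3 = EAPOL-Key


def eapol_mic(kck, frame_with_zero_mic):
    """Key MIC for key descriptor version 2: HMAC-SHA1 over the whole frame, truncated to 16 bytes."""
    return hmac.new(kck, frame_with_zero_mic, hashlib.sha1).digest()[:16]


def simulate_handshake(pmk):
    """Messages 1 and 2 of the 4-way handshake as an eavesdropper would capture them.
    Returns (capture, tk) where tk is the temporal key the station will encrypt with."""
    anonce = os.urandom(32)   # message 1: AP -> STA, ANonce in clear
    snonce = os.urandom(32)
    kck, _kek, tk = derive_ptk(pmk, AP_MAC, STA_MAC, anonce, snonce)
    unsigned = eapol_key_frame(0x010A, 1, snonce)    # message 2: pairwise + MIC bits, version 2
    signed = eapol_key_frame(0x010A, 1, snonce, mic=eapol_mic(kck, unsigned))
    return {"anonce": anonce, "msg2": signed}, tk


def recover_tk(candidate_pmk, capture):
    """Passive attacker: rederive the PTK from a candidate PMK plus the captured public values
    and confirm it against the MIC on message 2. Returns the TK on success, else None."""
    frame = capture["msg2"]
    snonce, mic = frame[17:49], frame[81:97]          # offsets fixed by the EAPOL-Key layout
    zeroed = frame[:81] + bytes(16) + frame[97:]
    kck, _kek, tk = derive_ptk(candidate_pmk, AP_MAC, STA_MAC, capture["anonce"], snonce)
    return tk if hmac.compare_digest(eapol_mic(kck, zeroed), mic) else None


def demo():
    """Returns (personal_broken, enterprise_holds)."""
    shared = psk_pmk(PASSPHRASE, SSID)
    cap, tk = simulate_handshake(shared)
    personal_broken = recover_tk(shared, cap) == tk          # knows the passphrase -> gets the TK
    cap2, _tk2 = simulate_handshake(enterprise_pmk(os.urandom(64)))
    enterprise_holds = recover_tk(shared, cap2) is None       # no per-session MSK -> no TK
    return personal_broken, enterprise_holds


if __name__ == "__main__":
    print(demo())
```

Run it and `demo()` returns `(True, True)`: the passphrase-holding eavesdropper recovers the Personal-mode temporal key from a single captured handshake, and the same attack against the Enterprise-mode handshake fails the MIC check. The same `recover_tk` loop is what offline dictionary attacks run against a captured WPA2-Personal handshake, which is why the PSK's strength, not just AES, decides that mode's security; in Enterprise mode the equivalent attacker has to break the EAP method instead, so the server certificate validation Jakob describes is the part to get right there.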
 
Pber (Solutions Architect) Commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- Jakob Digranes (https:#a42430695)
-- noci (https:#a42430585)
-- Rob Knight (https:#a42430480)
-- CompProbSolv (https:#a42430442)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

Pber
Experts-Exchange Cleanup Volunteer
0