Avatar of FriendlyIT
FriendlyITFlag for United Kingdom of Great Britain and Northern Ireland asked on

How do I secure WPA2-Enterprise / Radius using certificates

Hi,

As far as I understand our current set-up:-

We have a WPA2 Enterprise wireless solution.  The AP's act as Radius Clients and connecting devices use PEAP to connect valid domain users via RADIUS (currently running on Server 2012 R2) using their domain credentials.

There is a server-side certificate which I believe is used for encrypting the session.

I have been asked to move to a pure certificate based solution (i.e. certificate on both server and client and no more authentication necessary) and I am not sure how best to set this up.  We have our own PKI.

Can anyone point me in the direction of any good quality information about how I would set RADIUS up to work in this way?

I have noticed an unchecked box in Radius that says "Disconnect Clients without Cryptobinding" but I can't find a lot of documentation about what that means and what checking it would change.

I have also noticed that we are using the Domain Users group to validate users, but imagine we could use Domain Computers instead.  How secure would that be?  Does the device actually do some authentication or could another device with the same name connect with that setting?

I've also seen a number of things indicating that MS-CHAP and MS-CHAP-V2 are essentially worthless. so how do I avoid using these?

If anyone can point me at any great documentation for setting something like this up in a more secure way, I would find that really helpful.

Not an expert in these areas, so any pointers or explanations appreciated!

Thanks!


Jon
Wireless NetworkingWindows Server 2012Active DirectoryNetwork Security

Avatar of undefined
Last Comment
FriendlyIT

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Jakob Digranes

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Jakob Digranes

ASKER
FriendlyIT

Thanks!  Looks great.  Will work through that.
Your help has saved me hundreds of hours of internet surfing.
fblack61