
How do I secure WPA2-Enterprise / Radius using certificates

Asked by FriendlyIT
Topics: Wireless Networking, Active Directory, Network Security, Windows Server 2012
Hi,

As far as I understand our current set-up:

We have a WPA2 Enterprise wireless solution. The APs act as RADIUS clients and connecting devices use PEAP to connect valid domain users via RADIUS (currently running on Server 2012 R2) using their domain credentials.

There is a server-side certificate which I believe is used for encrypting the session.

I have been asked to move to a pure certificate-based solution (i.e. certificate on both server and client and no more authentication necessary) and I am not sure how best to set this up. We have our own PKI.

Can anyone point me in the direction of any good quality information about how I would set RADIUS up to work in this way?

I have noticed an unchecked box in RADIUS that says "Disconnect Clients without Cryptobinding" but I can't find a lot of documentation about what that means and what checking it would change.

I have also noticed that we are using the Domain Users group to validate users, but imagine we could use Domain Computers instead.  How secure would that be?  Does the device actually do some authentication or could another device with the same name connect with that setting?

I've also seen a number of things indicating that MS-CHAP and MS-CHAP-V2 are essentially worthless, so how do I avoid using these?

If anyone can point me at any great documentation for setting something like this up in a more secure way, I would find that really helpful.

Not an expert in these areas, so any pointers or explanations appreciated!

Thanks!


Jon
ASKER CERTIFIED SOLUTION
Jakob Digranes
Team Lead Cloud Services
