Wi-Fi: How to deploy 802.1x authentication using WPA3-Enterprise

Wi-Fi Protected Access 3 (WPA3) has brought significant security improvements to Wi-Fi networks, particularly WPA3-Enterprise, which includes tweaks to make authenticating to the network more secure. One of these has to do with 802.1x authentication, which is used to determine whether Wi-Fi clients will be granted access to the enterprise network.

The enterprise mode of WPA has always allowed you to give each user a unique username/password to log in to the Wi-Fi, or to use unique digital certificates for each user to install on devices for even more security. Now with WPA3-Enterprise, the security is increased because clients are required to verify that they’re communicating with the real authentication server before sending login credentials. That verification was optional with the earlier two versions of WPA.

There are also improvements to the encryption strength with WPA3-Enterprise. However, in most cases the enhancements are not a big enough difference to justify spending resources on upgrading all your hardware at once to support WPA3, so WPA2-Enterprise is still certainly a good, secure choice these days.

Here’s a look at how to roll out 802.1x in WPA3-Enterprise.

Providing RADIUS

Enterprise WPA 802.1x requires a RADIUS server to authenticate Wi-Fi clients trying to gain network access, and there are several options for providing one, as follows:

  • Built in to the wireless controller or access points (AP): Some controller platforms, including cloud-based ones, and APs have an integrated RADIUS server and user directory so they can perform the authentication. However, the functionality is limited, and you may not be able to utilize a third-party user directory such as Active Directory for the login credentials. But it may provide an easy and cheap way to enable authentication.
  • Router, firewall, unified threat management appliance, or network access server: Some network devices provide an integrated RADIUS server. Similar to those provided by wireless controllers or APs, they might not offer full RADIUS functionality, but some do support third-party user directories. So take a look at your existing main network gear to see whether it offers RADIUS features and which ones.
  • Existing servers: See whether existing servers include a RADIUS server as a feature. For instance, on Windows Server you can get a RADIUS server via the Network Policy Server role and utilize Active Directory for the Wi-Fi login credentials.
  • Cloud-hosted RADIUS services: This option provides an easy way to use RADIUS without deploying your own hardware. It is also useful if you have multiple locations where you want to use it, because you only have to manage it in the cloud rather than at each location. Furthermore, some cloud services allow you to connect third-party user directories.
  • Set up a separate RADIUS server: A final option is to deploy a separate full RADIUS server on either dedicated hardware or a virtual platform. There are commercial options for the RADIUS server software, but FreeRADIUS is open source and very popular.

Setting up RADIUS

The difficulty of setting up a RADIUS server varies based on what solution you choose, and it’s usually streamlined if using a wireless controller or APs. If using an external server, you usually have to enter the IP address of the wireless controller or each AP and specify a shared secret that you later input in the controller settings or each AP. For traditional RADIUS servers, these are usually entered in the Network Access Server (NAS) list.

On the RADIUS server you also have to configure user credentials either with usernames and passwords in a local database or external database/directory, or by generating digital certificates that you later install on devices.

Some RADIUS servers support optional attributes you can apply to individual users or groups of users that become part of the policy applied to individual clients. Common attributes that RADIUS servers support include: login-time, allowing you to define the exact days and times they can login; called-station-ID to specify which APs they can connect through; and calling-station-ID to specify which client devices they can connect from.

Some RADIUS servers support optional dynamic VLAN assignments as well. Instead of assigning an SSID to a single VLAN, you can have the VLAN assignments defined in the RADIUS server based upon the user, and their particular VLAN ID will be applied when connecting to the Wi-Fi during the 802.1x authentication.
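As an added example that is not from the article, here is how the NAS entry, a user with the per-user attributes just described, and a dynamic VLAN assignment look in FreeRADIUS 3's clients.conf and users files; the IP addresses, usernames, passwords, MAC addresses and VLAN IDs are constructed placeholders.

```conf
# clients.conf: the NAS list. One entry per controller or AP (a CIDR
# range covers a whole AP subnet). The secret must match the AP config.
client corp-wlc {
    ipaddr = 192.0.2.10
    secret = "Replace-with-a-long-random-secret"
}
client corp-aps {
    ipaddr = 192.0.2.0/24
    secret = "Replace-with-a-different-long-random-secret"
}

# users: check items on the first line must ALL match for Access-Accept;
# the indented reply items are returned to the AP and become the client's
# policy. With PEAP/MSCHAPv2 these entries are matched in the inner tunnel.

# alice: weekdays 07:00-19:00 only (Login-Time, needs the logintime module),
# only through APs whose Called-Station-Id ends in the CorpWiFi SSID,
# and placed in VLAN 20 on connect.
"alice"  Cleartext-Password := "constructed-example-only", Login-Time := "Wk0700-1900", Called-Station-Id =~ ":CorpWiFi$"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = "20"

# bob: may only connect from one client MAC (Calling-Station-Id), VLAN 30.
"bob"    Cleartext-Password := "constructed-example-only", Calling-Station-Id == "AA-BB-CC-DD-EE-FF"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = "30"
```

A user whose check items do not match falls through to later entries, so without a matching entry the request is rejected.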

Configuring APs for enterprise security

When configuring wireless APs you’ll enter the RADIUS server IP address and port and the shared secret you specified earlier if using an external RADIUS server. If the APs support multiple Extensible Authentication Protocol (EAP) methods, you’ll also have to select which one you’re using, such as Protected EAP (PEAP) for usernames/passwords or EAP-TLS for digital certificates. EAP carries the conversation between the client and the RADIUS server, proxied through the AP.

If your APs support WPA3 you’ll likely also have the ability to choose one of three WPA options: WPA2-Enterprise only, WPA3-Enterprise only, or WPA2/WPA3-Enterprise. The third option is the most likely choice until all your client devices are upgraded to support WPA3.

Most wireless controllers and APs also support RADIUS accounting, where they will send usage details back to the RADIUS server so you can keep connection logs. For external RADIUS servers, you’ll have to enter your RADIUS server IP address and accounting port and the shared secret you specified earlier.
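As an added example that is not from the article, here is what the AP-side settings from this section (RADIUS authentication, WPA2/WPA3 mode, accounting and dynamic VLAN) look like in a hostapd.conf for a standalone Linux AP; the interface, SSID, addresses, identifier and secrets are constructed placeholders, and the vlan_file path assumes you have created one.

```conf
# hostapd.conf fragment: 802.1X enterprise AP against an external RADIUS server.
interface=wlan0
ssid=CorpWiFi
hw_mode=a
channel=36

# Enterprise (802.1X) security, AES-CCMP only
ieee8021x=1
wpa=2
rsn_pairwise=CCMP
wpa_key_mgmt=WPA-EAP WPA-EAP-SHA256
# ieee80211w=1: PMF optional, so pre-WPA3 clients can still join (WPA2/WPA3 mode).
# ieee80211w=2: PMF required, which WPA3-Enterprise mandates (WPA3-only mode).
ieee80211w=1

# Authentication server: address/port/secret must match the NAS entry on the
# RADIUS side. own_ip_addr is sent as NAS-IP-Address.
own_ip_addr=192.0.2.10
nas_identifier=ap01.example.com
auth_server_addr=192.0.2.20
auth_server_port=1812
auth_server_shared_secret=Replace-with-the-same-long-random-secret

# Accounting: session start/stop and usage records for connection logs.
acct_server_addr=192.0.2.20
acct_server_port=1813
acct_server_shared_secret=Replace-with-the-same-long-random-secret

# Dynamic VLAN: honor Tunnel-Private-Group-Id from the RADIUS reply.
# 1 = use the VLAN when the reply carries one, otherwise the default network.
dynamic_vlan=1
vlan_file=/etc/hostapd/hostapd.vlan
```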

Connecting to the Enterprise Security

If you chose to utilize usernames and passwords, as with PEAP, users simply select the SSID on their devices, and it will prompt them to log in. Or you can push predefined settings out to their devices and use single sign-on functionality, where the user might not have to provide any credentials themselves.

If you’re using digital certificates (as with EAP-TLS), each user’s certificate needs to be installed on each end-user device. In addition to doing this manually, there are many solutions to deploy these to help automate the process. Check with your RADIUS server or cloud service to see what they offer.
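As an added example that is not from the article, here are the predefined client settings for both methods as a wpa_supplicant.conf for a Linux client, including the server-certificate validation that WPA3-Enterprise makes mandatory; the SSID, identities, password and certificate paths are constructed placeholders.

```conf
# PEAP (username/password). ca_cert plus domain_match make the client verify
# the RADIUS server's certificate before any credential leaves the device.
network={
    ssid="CorpWiFi"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    # PMF required: the WPA3-Enterprise setting. Use 1 on a WPA2/WPA3 network.
    ieee80211w=2
    eap=PEAP
    identity="alice"
    # outer identity: keeps the real username out of the unencrypted outer EAP
    anonymous_identity="anonymous@example.com"
    password="constructed-example-only"
    phase2="auth=MSCHAPV2"
    # CA that issued the RADIUS server certificate (not the public CA bundle)
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    # must equal the server certificate's name; domain_suffix_match allows subdomains
    domain_match="radius.example.com"
}

# EAP-TLS (per-user certificate): same server validation, plus the user's
# own certificate and private key installed on the device.
network={
    ssid="CorpWiFi"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    ieee80211w=2
    eap=TLS
    identity="alice@example.com"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.example.com"
    client_cert="/etc/wpa_supplicant/alice.crt"
    private_key="/etc/wpa_supplicant/alice.key"
    private_key_passwd="constructed-example-only"
}
```

If ca_cert or domain_match is left out, the supplicant will still connect, which is exactly the optional-validation behavior of WPA2-Enterprise that WPA3-Enterprise removes.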

Eric Geier is a freelance tech writer—keep up with his writings on Facebook or Twitter. He’s also the founder of NoWiresSecurity providing a cloud-based Wi-Fi security service, and Wi-Fi Surveyors providing RF site surveying.
