Continuing my series on deployment strategies for enterprise WLAN, today I’m covering the most common type of WLAN deployment – extending the enterprise to mobile users.
Basic Enterprise Mobility – Strategy
Extending the enterprise’s wired LAN to wireless is one of the more straightforward tasks from a network design perspective, but the authentication piece for the Wireless LAN needs to be strictly controlled. Fortunately, wireless can benefit from the widespread deployment of another technology in the enterprise world – centralized authentication servers.
Many enterprise environments utilize a centralized authentication system to manage their user accounts, with Microsoft Active Directory being one of the most common. This same system can be leveraged to provide authentication to the Wireless LAN. Active Directory can serve as an 802.1X authenticator, allowing the wireless network to use EAP (Extensible Authentication Protocol) to authenticate users. The two EAP methods most worthy of consideration in a WLAN environment are EAP-TLS and PEAP.
EAP-TLS provides full mutual authentication, using a public key infrastructure to create and manage certificates for both client devices and the authenticating server. In practice, it will allow users to seamlessly authenticate to the wireless network, because the certificate exchange occurs behind the scenes. In an Active Directory environment, the certificates used in authentication can be deployed remotely by the Domain Controllers. This works especially well with laptop users, but can be a challenge with mobile devices that do not have a wired connection to the network. Certificates can be pushed to mobile devices in several ways, such as by use of a dedicated management WLAN or physical installation via memory cards or barcode scanning, but in a large environment with many mobile devices, it may be wise to look into alternatives.
Fortunately, a worthy alternative to EAP-TLS exists in PEAP authentication. PEAP provides a level of security similar to EAP-TLS, but does not rely on client certificates to authenticate devices to the network. Instead, PEAP uses a more traditional username and password combination. These credentials can be integrated with an Active Directory environment, giving administrators granular control over which users get access to the WLAN. PEAP also mitigates the potentially expensive maintenance cost of managing certificates on mobile devices.
EAP-TLS and PEAP, combined with WPA2-AES, provide the strongest authentication and encryption solutions available in WLAN, and as such should be used to protect any critical data traveling over the network. Integration with Active Directory is not mandatory, but because many organizations already have such an environment deployed, extending its use to cover WLAN authentication is an attractive option. If your organization does not have a centralized authentication system in place already, the deployment of a WLAN can be a strong motivation to do so. Several free alternatives to Active Directory also exist, such as FreeRADIUS. Some enterprise-grade WLAN infrastructure also provides the ability to generate and manage certificates using an internal server hosted on the access point. Given the easy integration with common authentication systems, and the availability of free alternatives, there really is no reason not to deploy a centralized authentication solution to secure your enterprise WLAN.
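To show what the two EAP methods above look like on the client side, here is an added wpa_supplicant configuration (example of my own, not part of the original post or any vendor's documentation) with one EAP-TLS profile for a laptop that received a machine certificate and one PEAP profile for a device that authenticates with an Active Directory username and password. The SSID, file paths, identities and the RADIUS server name are placeholders I assumed; both profiles pin the corporate CA and the server name so the client only hands credentials to the organization's own authentication server.

```ini
# Added example: wpa_supplicant.conf for the WLAN design described above.
# SSID, certificate paths, identities and server name are assumed placeholders.
ctrl_interface=/var/run/wpa_supplicant

# Profile 1: EAP-TLS (mutual certificate authentication, e.g. domain-joined laptop)
network={
    ssid="corp-wlan"
    proto=RSN                 # WPA2
    key_mgmt=WPA-EAP          # 802.1X, never WPA-PSK for the enterprise SSID
    pairwise=CCMP             # AES-CCMP only
    group=CCMP
    eap=TLS
    identity="laptop01@corp.example"
    # Client certificate and key pushed by the domain (assumed paths)
    client_cert="/etc/wpa_supplicant/laptop01.crt"
    private_key="/etc/wpa_supplicant/laptop01.key"
    # Server-side validation: trust only the corporate CA and the named RADIUS host
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_match="radius.corp.example"
    priority=10
}

# Profile 2: PEAP with MSCHAPv2 inside the TLS tunnel (AD username/password,
# e.g. handheld devices where pushing client certificates is impractical)
network={
    ssid="corp-wlan"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP
    eap=PEAP
    anonymous_identity="anonymous@corp.example"   # outer identity, hides the username
    identity="jdoe"                               # AD account checked by the RADIUS server
    password="REPLACE-WITH-DEVICE-PASSWORD"       # placeholder, never commit real values
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
    # Without ca_cert and domain_match the password hash would be offered to any AP
    # presenting the right SSID; these two lines are what make PEAP trustworthy.
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_match="radius.corp.example"
    priority=5
}
```

The `domain_match` value must equal the subject name in the certificate the RADIUS server (Windows NPS, FreeRADIUS, or the access point's internal server) presents, so issue that certificate from the same CA you distribute in `ca_cert`.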
Pre-Shared Keys – also known as “Personal” authentication – are generally not appropriate for enterprise environments. WPA2-AES using pre-shared keys does not have any documented vulnerabilities, but any PSK solution relies on sharing the same authentication credential between multiple users and devices. This can affect the integrity of the network, and it provides no traceability of individual users' activity on the network. It should be avoided in a mission-critical environment.