WPA-Enterprise for Small Businesses (Part I)
July 18, 2008
An introduction to WPA-Enterprise security for small businesses and an overview of the best options for using it to secure an SMB WLAN.
It's no secret that the WEP (Wired Equivalent Privacy) encryption method for wireless networks can be easily cracked. Using WEP actually invites Wi-Fi eavesdroppers to take a stab at cracking your encryption key, so they can connect to your network in order to steal data and wreak havoc. This leaves you with using the more secure Wi-Fi Protected Access (WPA or WPA2) encryption method. However, you'll find that the easy-to-set-up WPA method (PSK or Pre-shared Key) is also vulnerable to cracking, which is explained in an earlier tutorial. Since each client or computer on the network has to be configured with the same passphrase, this method usually isn't practical for small businesses that have employees using the network.
How WPA-Enterprise encryption works
If you require a highly secure wireless network, it's best to use the WPA or WPA2 Enterprise encryption solution. After securely logging on to the network with a username and password, every client automatically receives a unique encryption key that's long and regularly updated, making it impossible for a Wi-Fi snooper to intercept enough packets per key (within hundreds of years) to decode that key. Even if a key were somehow decoded, the by-then extremely old hacker would find that a new key had already been put into place; the locks have already been changed. Technically, WPA-PSK also assigns each client a unique encryption key. However, the encryption keys for WPA-PSK are derived (between the client and access point/wireless router) in such a way that makes decoding much easier for eavesdroppers.
When using WPA-Enterprise, unlike WPA-PSK, employees won't know the passphrase. This way they can't share it with outsiders or use it when they are no longer employed with the company. WPA-Enterprise can also save you a great deal of time; the keys don't have to be manually changed on all of the clients. If you use WPA-PSK and you want to change the passphrase for your network (which is recommended on a regular basis to help prevent eavesdroppers from decoding it), you would have to go to each computer and input the new key.
Traditionally, the WPA-Enterprise implementation requires purchasing, installing, and configuring a RADIUS server and other technical components. This sizable investment of your money and time isn't likely to be practical for your small business, especially if you lack a dedicated IT person or staff. This doesn't have to be the case these days, however.
Your WPA-Enterprise options
In this series of tutorials you'll discover some options to get enterprise-level wireless security to protect the sensitive information on your small business network. You don't even have to drown yourself in the pool of network security acronyms. Here's a sneak peek at some of your options:
Buy an Access Point (AP) with a built-in RADIUS server: This is an easy way out; just purchase an AP with a built-in 802.1x RADIUS server that works with WPA/WPA2. You'll find these APs, such as the USRobotics USR5453 or ZyAIR G-2000 Plus v2, online anywhere from $100 to $200 apiece. This solution typically is best if you only need a few APs for your entire wireless network, and it is more cost-effective if your APs already have this feature or you haven't bought any yet.
To set up the server, all you have to do is select the wireless security type on the Web-based configuration screen and create accounts on the local databases of each of the APs. Then you can configure your client computers with the proper settings and you're secured.
Use hosted third-party services: This is another great way to ease the learning curve and simplify your wireless security journey. All you do is sign up for the service, configure your wireless router and/or APs, and set up your computers. The RADIUS server is hosted by the company. You'll receive Web-based access to a portal where you can add/remove user accounts and APs.
BoxedWireless offers this type of service for 1-10 users at $186 or 11-25 users at $257 per year (supports more users--see their Web site) with an unlimited number of APs.
Set up your own RADIUS server: If you want more control and flexibility over your encryption scheme, setting up a software-based server on your network that's user-friendly and targeted towards small businesses may be the way to go. That way you can have a bulletproof Wi-Fi network up and running in a matter of an hour or two, rather than spending thousands of dollars on a traditional enterprise-level server that would take an average user days to wrap his or her head around.
You'll need RADIUS/802.1x server software that supports protocols such as Extensible Authentication Protocol (EAP). (We'll discuss using Elektron in a later part.) The server handles the authentication of the clients trying to connect to your wireless network. It's basically a database where you can list usernames and passwords for the people that you want to connect to your network. You input the address of the server into your wireless router and/or APs. Then, when someone tries to connect, they're prompted to log in and the credentials are checked against those on the server. Additionally, the client computer must also have a certificate (a small file) installed, which is checked against the certificates listed on the server.
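To make the AP-to-server leg of this concrete, here is an added Python example (not code from the original article, nor from Elektron or any other product it names) of the simplest RADIUS exchange from RFC 2865: the AP hides the user's password with the shared secret, the server checks it against its account database, and the AP verifies the reply's Response Authenticator before trusting the verdict. In a real WPA-Enterprise deployment the credentials travel inside EAP rather than a plain User-Password attribute, and the secret, usernames and passwords below are constructed sample values.

```python
import hashlib, hmac, secrets, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RADIUS packet codes (RFC 2865)
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2               # RADIUS attribute types

# Constructed sample data: the secret is configured on both AP and server; USER_DB is the account database.
SHARED_SECRET = b"constructed-ap-radius-secret"
USER_DB = {"alice": "correct horse", "bob": "battery staple"}

def _xor_blocks(data, secret, req_auth, hiding):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous hidden block)."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        prev = out[-16:] if hiding else block   # always chain on the hidden block
    return out
def hide_password(password, secret, req_auth):
    return _xor_blocks(password + b"\x00" * (-len(password) % 16), secret, req_auth, True)
def reveal_password(hidden, secret, req_auth):
    return _xor_blocks(hidden, secret, req_auth, False).rstrip(b"\x00")

def build_access_request(username, password, secret, ident=1):
    """AP side: wrap the credentials in an Access-Request with a random Request Authenticator."""
    req_auth = secrets.token_bytes(16)
    hidden = hide_password(password.encode(), secret, req_auth)
    attrs = b""
    for t, v in ((ATTR_USER_NAME, username.encode()), (ATTR_USER_PASSWORD, hidden)):
        attrs += struct.pack("BB", t, len(v) + 2) + v
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def server_handle(packet, secret, db):
    """Server side: check the credentials against the database and sign the verdict."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs, i = packet[4:20], {}, 20
    while i + 2 <= length and packet[i + 1] >= 2:        # walk the TLV attribute list
        attrs[packet[i]] = packet[i + 2:i + packet[i + 1]]
        i += packet[i + 1]
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    given = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = user in db and hmac.compare_digest(db[user].encode(), given)
    hdr = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return hdr + hashlib.md5(hdr + req_auth + secret).digest()  # Response Authenticator

def ap_verify_response(request, response, secret):
    """AP side: trust the verdict only if it is bound to our request and the shared secret."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if ident != request[1] or not hmac.compare_digest(expected, response[4:20]):
        return None   # forged or mismatched reply: ignore it
    return code
```

The last check is why the shared secret matters even though it never leaves the AP or server: a reply that is not signed with it carries no verdict at all.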
Eric Geier is the Founder and President of Sky-Nets, Ltd., a Wi-Fi hotspot network. He is also the author of many networking and computing books, including Home Networking All-in-One Desk Reference For Dummies (Wiley 2008) and 100 Things You Need to Know about Microsoft® Windows Vista (Que 2007).