Upgrade to WPA2-Enterprise Wi-Fi Security - Page 2

By Eric Geier

Getting a RADIUS Server

As mentioned, to use the Enterprise mode of WPA or WPA2 you need a RADIUS server, which is required for 802.1X/EAP authentication. If your company has an IT staff, you could consider using a traditional RADIUS server. If you already have a Windows Server, you can use the included Internet Authentication Service (IAS) of Windows Server 2003 and earlier or the Network Policy Server (NPS) of Windows Server 2008 and later.

And if you don’t have a Windows Server, you could use the popular free and open source FreeRADIUS server, primarily designed for running on Linux, Mac, and Unix-based computers and servers. But if you're not a Linux/Mac/Unix fan, you could use the freeware TekRADIUS server in Windows, or purchase a commercial server like Elektron or ClearBox.

If you don’t have an IT staff, but you have a tech-savvy employee, you could consider purchasing an AP that has a built-in RADIUS server, like the NWA-3500, NWA3166 or NWA3160-N from ZyXEL. Though these require some understanding of configuring a RADIUS server for 802.1X, they don’t require as much as installing and configuring a traditional server. You can use these for all the APs around your building, or just purchase one to serve as a RADIUS server for any other APs you already have, even if they are from another vendor.

If you don’t have anyone familiar with Enterprise Wi-Fi security or RADIUS servers, you could still consider using a hosted or cloud-based service (like BoxedWireless) that runs the server for you and offers help on configuring your computers. If you're interested, you can read more about low-cost RADIUS servers.

Enterprise Wi-Fi Security Options

802.1X authentication uses the Extensible Authentication Protocol (EAP), and when searching for a RADIUS server or a hosted service you’ll have different types of EAP from which to choose. Here are the most popular types:

  • PEAP (Protected EAP): This method is the most popular, easiest to implement, and it lets you create usernames and passwords for each Wi-Fi user/computer.
  • TLS (Transport Layer Security): This is one of the most secure methods, but it takes more work to set up and maintain, and requires installing a file (digital certificate) on each Wi-Fi computer or device.
  • TTLS (Tunneled TLS): An improved version of TLS that doesn't require digital certificates, but isn’t widely supported by computers and devices, and it requires third-party 802.1X clients like SecureW2.

Upgrading to the Enterprise Mode

If you’d like to upgrade to the Enterprise mode, here are the next steps to take:

  • Choose a RADIUS server or hosted RADIUS service.
  • Set up the RADIUS server or service with the desired EAP type and enter your AP and user settings.
  • Configure your wireless router or APs with WPA2-Enterprise and enter the RADIUS server settings.

If you’re using the PEAP type of EAP, your users with Windows Vista or later will be able to simply enter their username and password when connecting. But Windows XP users may have to preconfigure the network settings before they can connect. If using the EAP types TLS or TTLS on any computer, they’ll first have to install a digital certificate and/or a third-party 802.1X client before connecting.
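The steps above, sketched for a FreeRADIUS 3.x server using PEAP. This is an added example, not configuration from the article; the file paths assume a Debian-style install, and the client name, addresses, user name and secrets are constructed placeholders.

```conf
# --- Step 2a: /etc/freeradius/3.0/clients.conf (the "AP settings") ---
# One entry per AP (or controller) allowed to send authentication requests.
client office-ap-1 {
    ipaddr = 192.0.2.10                       # constructed AP address
    secret = REPLACE_WITH_LONG_RANDOM_SECRET  # unique per AP, never reused as a user password
}

# --- Step 2b: /etc/freeradius/3.0/mods-enabled/eap (the "EAP type") ---
# Excerpt: only the lines that select PEAP. Leave the stock tls-config
# section (server certificate and key) in place; PEAP depends on it.
eap {
    default_eap_type = peap
    peap {
        tls = tls-common
        default_eap_type = mschapv2           # inner method carrying username/password
    }
}

# --- Step 2c: /etc/freeradius/3.0/users (the "user settings") ---
# One line per Wi-Fi user; the password is a constructed placeholder.
alice   Cleartext-Password := "REPLACE_WITH_USER_PASSWORD"

# --- Step 3: values to enter on the AP's wireless security page ---
#   Security mode         : WPA2-Enterprise (AES/CCMP)
#   RADIUS server address : 192.0.2.5   (constructed server address)
#   RADIUS server port    : 1812        (standard RADIUS authentication port, UDP)
#   Shared secret         : same value as "secret" in the client entry above
```

Running the server in debug mode (`freeradius -X`, or `radiusd -X` on some distributions) shows each request arriving from the AP and whether it was accepted or rejected.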

Eric Geier is a freelance tech writer. He’s also the founder of NoWiresSecurity, which helps businesses protect their Wi-Fi with enterprise (802.1X) security, and On Spot Techs, which provides on-site computer services.

This article was originally published on April 19, 2012