Cybersecurity is a top priority for every organization, and securing our organizations’ networked infrastructure plays a major role in the success of a meaningful security strategy. So why should Wi-Fi pros care about security? For starters, we live in a world where security is a major force driving commerce and enterprise business. Organizational risk tolerance and governance largely shape security requirements, which is why wireless professionals need to understand how wireless configurations affect an organization’s security posture. Encryption schemes, secure management, segmentation, traffic paths, and monitoring are just a few of the areas where a wireless engineer’s decisions directly strengthen or weaken that posture.
Jennifer Minella, our VP of Engineering and Security, recently led a session on Wi-Fi security at WLPC Phoenix 2020 to help wireless pros and network administrators understand what organizations are dealing with on the security front and the role they play in enhancing security posture. To help narrow the gap between the board-level view of organizational risk and those who architect and protect the network daily, we’re sharing the top three concepts WLAN professionals should understand as they relate to security.
RADIUS Authentication Troubleshooting (Stop Doing Weird $#!+ With Your Policies)
RADIUS is the protocol that carries authentication and authorization for secured networks, and it lets IT administrators use EAP methods to validate identity and assign access. But attackers have dozens of attacks available against a nominally “secure” network, and many of them succeed because of weak Wi-Fi defenses rather than weaknesses in the protocols themselves.
RADIUS policies set the conditions that let network administrators control how authentications are handled and how segmentation/micro-segmentation and role-based access are assigned, which makes them essential to wireless security. Be precise, accurate and specific with your policies: just because it’s working doesn’t mean it’s correct. A network policy conditioned on nothing more than “NAS Port Type = Wireless”, for example, will happily match the next SSID or use case that gets pointed at the same server. The RADIUS or authentication server will be used for something else down the line if it isn’t already, and precise rules prevent overlap and misdirected requests.
If something goes wrong, troubleshoot the RADIUS authentication methodically. The first step is enabling RADIUS accounting both on the wireless infrastructure and on the RADIUS server, so that there is a record of each request and session to work from. The next step is to investigate why the authentication failed. If you’re using Microsoft NPS, look at the native logs and evaluate the packet types (Access-Request, Access-Accept, Access-Reject, Accounting-Request) and reason codes. A reason code of zero means the request succeeded; any non-zero value is a failure, and the specific number tells you why (rejected credentials, no matching policy, an EAP type the policy doesn’t allow, a server certificate problem, and so on).
Pro tip: Google and bookmark the reason codes and packet types; there’s only so much information worth memorizing!
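As an added illustration of the triage step above, and not code from the presentation or from Microsoft: a small Python script that reads NPS events in the DTS-compliant XML log format, counts packet types, and pulls out every event with a non-zero reason code. The sample events are constructed for this example (real events carry many more attributes), the layout assumes an NPS server logging one <Event> element per line, and the reason-code table is a deliberately small subset; anything outside it is reported as a code to look up.

```python
"""Triage Microsoft NPS log events by packet type and reason code."""
import xml.etree.ElementTree as ET
from collections import Counter

# RADIUS packet codes (RFC 2865/2866) as NPS writes them into Packet-Type.
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 11: "Access-Challenge"}

# A small subset of NPS reason codes; 0 is the only value that means success.
# Anything not in this table is reported as "look it up".
REASON_CODES = {
    0: "success",
    16: "authentication failed (credentials rejected)",
    48: "no matching network policy",
    49: "no matching connection request policy",
    66: "authentication method not enabled on the matched network policy",
}

# Constructed sample events in the shape of the NPS DTS-compliant XML log
# (one <Event> per line; real events carry many more attributes).
SAMPLE_LOG = """\
<Event><Timestamp data_type="4">03/05/2020 10:15:32.123</Timestamp><User-Name data_type="1">CORP\\jdoe</User-Name><Client-Friendly-Name data_type="1">WLC-01</Client-Friendly-Name><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">03/05/2020 10:15:32.301</Timestamp><User-Name data_type="1">CORP\\jdoe</User-Name><Client-Friendly-Name data_type="1">WLC-01</Client-Friendly-Name><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">03/05/2020 10:16:04.007</Timestamp><User-Name data_type="1">CORP\\asmith</User-Name><Client-Friendly-Name data_type="1">WLC-01</Client-Friendly-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">03/05/2020 10:16:40.552</Timestamp><User-Name data_type="1">host/printer01.corp.example</User-Name><Client-Friendly-Name data_type="1">WLC-02</Client-Friendly-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">48</Reason-Code></Event>
<Event><Timestamp data_type="4">03/05/2020 10:17:10.900</Timestamp><User-Name data_type="1">CORP\\jdoe</User-Name><Client-Friendly-Name data_type="1">WLC-01</Client-Friendly-Name><Packet-Type data_type="0">4</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
"""


def parse_event(line):
    """Turn one <Event> line into a dict; fields that are absent come back as None."""
    root = ET.fromstring(line)

    def text(tag):
        node = root.find(tag)
        return node.text if node is not None else None

    packet = text("Packet-Type")
    reason = text("Reason-Code")
    return {
        "timestamp": text("Timestamp"),
        "user": text("User-Name"),
        "nas": text("Client-Friendly-Name"),
        "packet_type": int(packet) if packet is not None else None,
        "reason": int(reason) if reason is not None else None,
    }


def describe_reason(code):
    """Reason 0 is success; any other code is a failure and worth looking up."""
    if code in REASON_CODES:
        return REASON_CODES[code]
    return "unknown reason code %d: look it up in the NPS documentation" % code


def triage(log_text):
    """Count packet types and list every event with a non-zero reason code."""
    counts = Counter()
    failures = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        counts[PACKET_TYPES.get(ev["packet_type"], "other")] += 1
        if ev["reason"] not in (None, 0):
            ev["meaning"] = describe_reason(ev["reason"])
            failures.append(ev)
    return counts, failures


if __name__ == "__main__":
    counts, failures = triage(SAMPLE_LOG)
    print(dict(counts))
    for f in failures:
        print(f["timestamp"], f["nas"], f["user"], f["reason"], f["meaning"])
```

Running it against the sample prints one accept, two rejects and one accounting record, and lists the two rejects with the NAS they came from, the identity that failed and the reason; grouping rejects by NAS and reason code this way is usually what separates a bad password from a policy that silently stopped matching.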
Selecting EAP Methods
While EAP chaining standards have largely been overtaken by the policy engines in modern NAC products, the choice of EAP method is still vital to wireless security. EAP itself is an authentication framework rather than a single authentication method: it provides the transport and usage of the keying material and parameters that the individual EAP methods generate.
Authentication methods are not created equal, and some lack security outright. Carefully selecting the best EAP method is an important part of your organization’s Wi-Fi security strategy. Depending on the organization’s requirements, you will need to decide which matters most: flexibility, simplicity or security. We suggest picking the latter, or finding a balance between the use cases and a reasonable level of security.
For the strongest security, we recommend EAP-TLS, the certificate-based method, if the organization has a PKI. EAP-PEAP and similar tunneled options that pass the user’s operating system login credentials through to the RADIUS server are also considered secure, with one caveat that decides whether they are secure in practice: the supplicant must validate the RADIUS server’s certificate (a trusted CA and the expected server name). A client configured to skip that validation will complete the inner MSCHAPv2 exchange with any rogue access point broadcasting the same SSID and hand it a crackable credential hash. Layering both device and user authentication offers the most granular control of access rights.
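To make the EAP-method and server-validation points above concrete, here is an added Python example that is not from the presentation or from any vendor: it parses the network={...} blocks of a wpa_supplicant.conf and flags weak methods and missing RADIUS server certificate validation. The configuration text is constructed for the example, the SSIDs, identities, file paths and corp.example names are placeholders, and the settings themselves (key_mgmt, eap, phase2, ca_cert, domain_match, client_cert, private_key) are real wpa_supplicant options.

```python
import re

# Methods with known weaknesses: LEAP's challenge/response is crackable offline,
# and EAP-MD5 yields no keying material, so it cannot key a WPA session at all.
WEAK_METHODS = {"LEAP", "MD5"}
# Methods that run a TLS handshake, where the server certificate must be checked.
TLS_METHODS = {"TLS", "PEAP", "TTLS", "FAST", "TEAP"}
# Any of these makes wpa_supplicant check the server name, not just the issuing CA.
NAME_CHECKS = ("domain_match", "domain_suffix_match", "subject_match", "altsubject_match")

# Constructed sample configuration with placeholder names and paths.
SAMPLE_CONF = '''
# Weak: no ca_cert, so a rogue AP answering for the SSID harvests the MSCHAPv2 exchange.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
# Hardened PEAP: trust only the internal CA and only the RADIUS server's own name.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-internal-ca.pem"
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
# Strongest: EAP-TLS with a device certificate from the internal PKI.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="laptop042.corp.example"
    ca_cert="/etc/ssl/certs/corp-internal-ca.pem"
    domain_match="radius.corp.example"
    client_cert="/etc/wpa/laptop042.pem"
    private_key="/etc/wpa/laptop042.key"
}
# Legacy: LEAP should be retired, not hardened.
network={
    ssid="legacy-scanners"
    key_mgmt=WPA-EAP
    eap=LEAP
    identity="scanner"
    password="scanner"
}
'''


def parse_networks(conf_text):
    """Return one settings dict per network={...} block, quotes stripped."""
    networks = []
    for body in re.findall(r"network=\{(.*?)\}", conf_text, re.DOTALL):
        settings = {}
        for raw in body.splitlines():
            line = raw.split("#", 1)[0].strip()  # drop trailing comments
            if "=" in line:
                key, value = line.split("=", 1)
                settings[key.strip()] = value.strip().strip('"')
        networks.append(settings)
    return networks


def lint_network(net):
    """Findings for one block; an empty list means it passed."""
    findings = []
    if "WPA-EAP" not in net.get("key_mgmt", ""):
        return findings  # PSK and open networks are out of scope here
    eap = net.get("eap", "").upper()
    if eap in WEAK_METHODS:
        findings.append("weak EAP method %s" % eap)
    if eap in TLS_METHODS:
        if not (net.get("ca_cert") or net.get("ca_path")):
            findings.append("no ca_cert/ca_path: RADIUS server certificate is not validated")
        elif not any(k in net for k in NAME_CHECKS):
            findings.append("CA trusted but no server name check: any cert from that CA is accepted")
    return findings


def lint(conf_text):
    """(ssid, eap, findings) for every network block in the file."""
    return [(n.get("ssid"), n.get("eap"), lint_network(n)) for n in parse_networks(conf_text)]


if __name__ == "__main__":
    for ssid, eap, findings in lint(SAMPLE_CONF):
        print(ssid, eap, findings or "OK")
```

The first block and the LEAP block are flagged; the hardened PEAP and EAP-TLS blocks pass. The same three conditions map directly onto the Windows PEAP profile fields “Verify the server’s identity by validating the certificate”, the trusted root CA selection and “Connect to these servers”, which is where the equivalent check is done for a domain-joined fleet.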
Certificates for Wireless
We can all agree that while certificates are a pain, they’re painfully necessary. The two main certificates for wireless are 802.1X certificates and web portal certificates. For 802.1X authentication, a RADIUS server certificate is always required, no matter which EAP method you use to authenticate clients: every EAP method worth deploying performs a TLS handshake with the RADIUS server, and that handshake needs a server certificate. This should be issued by your internal (domain) CA when possible. One pro tip here is that a smaller or mid-size organization can usually deploy Microsoft’s Active Directory Certificate Services quickly and easily on existing infrastructure.
In all cases, we highly recommend that security-conscious organizations refrain from using self-signed certificates or wildcard certificates. A self-signed certificate cannot be validated against a trusted CA, so deployments end up disabling server validation on the supplicant; a wildcard certificate’s private key ends up on many hosts, and its name doesn’t identify a specific RADIUS server. Either choice introduces risk and can ultimately lead to failing certain audits and assessments.
When it comes to web portal certificates, the portal server’s certificate is always required to establish a secure connection. Unlike RADIUS server certificates, web portal certificates should be publicly signed, which increases the likelihood that the endpoint’s browser already trusts it and the user is not forced to click through a certificate warning. The certificate’s name must also match the FQDN the client is redirected to, or the browser will warn regardless of who signed it.
You can watch the entire presentation video with slides online at https://www.youtube.com/watch?v=X1Eu0fI9d24 .
Want to know more? We offer consulting and full turnkey wireless solutions including products and/or services for secured wireless. If you’re mid-market, enterprise, or public sector, contact us today to see how our team can help.