Part 1: Understanding Authentication in Enterprise Wi-Fi
Introduction
Enterprise Wi-Fi networks are critical infrastructure, necessitating robust security measures to protect sensitive data and ensure reliable connectivity. Central to enterprise Wi-Fi security is the Extensible Authentication Protocol (EAP), a versatile framework for securely authenticating users and devices. This post explores various EAP methods, authentication mechanisms, and EAP modes that form the foundation of enterprise Wi-Fi security.
What is EAP?
The Extensible Authentication Protocol (EAP) is a flexible framework designed for transporting authentication protocols, commonly employed in wireless networks and point-to-point connections. EAP supports multiple authentication methods, enabling enterprises to select the most appropriate option for their security needs.
Common EAP Methods
EAP-TLS (Transport Layer Security)
EAP-TLS is renowned for its security, utilising mutual authentication that requires both the client and server to present valid digital certificates. This method provides strong security through mutual authentication and encryption but is complex and costly due to the need for public key infrastructure (PKI).
EAP-TTLS (Tunnelled Transport Layer Security)
EAP-TTLS creates a secure tunnel for client authentication using various mechanisms, such as passwords. It offers flexibility in choosing inner authentication methods and is easier to implement than EAP-TLS, though it is slightly less secure due to the potential use of weaker inner methods.
PEAP (Protected EAP)
PEAP establishes a secure tunnel between the client and the authentication server, using MSCHAPv2 for client authentication within the tunnel. It is widely supported and easier to implement than EAP-TLS, but its security depends on the strength of the inner authentication protocol (e.g., MSCHAPv2).
EAP-MD5
EAP-MD5 employs a simple MD5 hash for client authentication. While it is easy to implement, its weak security and vulnerability to dictionary attacks make it unsuitable for enterprise use.
EAP-FAST (Flexible Authentication via Secure Tunnelling)
EAP-FAST uses a Protected Access Credential (PAC) to establish a secure tunnel for client authentication. This method offers strong security with PACs and a faster authentication process, though it is complex to manage and not as widely supported as other methods.
EAP Modes
EAP Standalone Mode
In standalone mode, the client communicates directly with the authentication server without intermediaries, suitable for small networks or environments where direct communication is feasible.
EAP Pass-Through Mode
In pass-through mode, the access point relays EAP messages between the client and the authentication server, commonly used in larger networks where access points do not perform authentication but pass EAP messages to a centralised server (e.g., RADIUS server).
EAP Termination Mode
In termination mode, the access point or a network device terminates the EAP session and handles the authentication process locally, useful in environments requiring local authentication processing, thereby reducing the load on central servers.
Choosing the Right EAP Method
Selecting an EAP method depends on the enterprise’s security requirements, infrastructure, and resources. Considerations include:
- Security Level: EAP-TLS offers the highest security but requires significant investment in PKI.
- Ease of Deployment: PEAP and EAP-TTLS are easier to deploy and manage, making them suitable for many enterprises.
- Compatibility: Ensure that the chosen EAP method is supported by all network devices and client systems.
- Scalability: Consider the scalability of the EAP method to accommodate future growth and network changes.
Authentication Mechanisms in Enterprise Wi-Fi
Digital Certificates
Digital certificates are used in EAP-TLS for mutual authentication, offering high security and non-repudiation but requiring PKI infrastructure and complex management.
Usernames and Passwords
Common in PEAP and EAP-TTLS, usernames and passwords are easy to implement but vulnerable to password attacks, offering less security compared to certificate-based methods.
Tokens and Smart Cards
Used for multi-factor authentication, tokens and smart cards enhance security but involve additional hardware and management complexity.
Biometrics
Emerging in modern authentication systems, biometrics offer high security and are difficult to replicate. However, they raise privacy concerns and require biometric hardware.
Conclusion
Understanding the various EAP methods, modes, and authentication mechanisms is crucial for securing enterprise Wi-Fi networks. By choosing the right EAP method and implementing robust authentication practices, enterprises can protect their networks from unauthorised access and ensure the integrity of their wireless communications. Stay tuned for Part 2, where we will explore common enterprise Wi-Fi attack techniques and how to defend against them.