Many businesses use WiFi to provide convenient, wireless access to the corporate network – but even with a network key, have you ever considered how secure the solution is? We look at the differences between WPA-Personal and WPA-Enterprise, and highlight why your business should really be using WPA-Enterprise.
The two most common methods of securing a WiFi network are WPA-Personal and WPA-Enterprise. Many people may not know the difference, and assume that connecting to a WiFi network simply means entering a ‘wireless password’.
The differences
WPA-Personal (PSK)
The most common is WPA-Personal, which is probably the type of security you use at home or are most familiar with. Networks secured with WPA-Personal ask for a network password when you connect (known as a pre-shared key or PSK). The password is the same for all users who connect to your network, and if you change the password, all users have to update the password on their devices. The password is also stored on all client devices, so whoever has access to the device can access the network.
WPA-Enterprise (802.1X or RADIUS)
WPA-Enterprise is more suited to business or enterprise environments as it offers higher levels of security. Unlike WPA-Personal, WPA-Enterprise requires users (or systems) to provide a unique set of credentials when accessing the network. The username/password mode of authentication can also be combined with certificate authentication for added security.
One benefit of WPA-Enterprise is that the user doesn’t know the network encryption key, and an encryption key is generated each time the user accesses the network.
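The difference in key handling can be shown in a few lines. The following is an added example, not part of the original article: it derives the WPA/WPA2-Personal master key the way the standard defines it (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID) and contrasts it with a per-session key as produced under WPA-Enterprise. The SSID, passphrase and user names are constructed, and `enterprise_pmk` uses random bytes as a stand-in for the key material a real EAP exchange would export.

```python
import hashlib
import secrets


def psk_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def enterprise_pmk() -> bytes:
    """Stand-in for 802.1X: each successful EAP authentication yields a fresh
    64-byte MSK, and the PMK is its first 32 bytes. Random bytes simulate the
    MSK here (assumption: no real EAP method is run)."""
    msk = secrets.token_bytes(64)
    return msk[:32]


def compare(ssid: str, passphrase: str, users: list[str]) -> dict[str, int]:
    """Count how many distinct master keys a set of users ends up with."""
    personal = {u: psk_pmk(passphrase, ssid) for u in users}
    enterprise = {u: enterprise_pmk() for u in users}
    return {
        "personal_distinct_keys": len(set(personal.values())),
        "enterprise_distinct_keys": len(set(enterprise.values())),
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from any real network.
    users = ["alice", "bob", "carol"]
    result = compare("ExampleCorp-WiFi", "correct horse battery", users)
    print(result)
    # Every PSK user holds the same master key until the passphrase changes,
    # which is why a leaver keeps access unless every device is re-keyed.
    print(psk_pmk("correct horse battery", "ExampleCorp-WiFi").hex())
```

With WPA-Personal the only inputs are the passphrase and the SSID, so anyone who has ever been given the passphrase can derive the same master key; with WPA-Enterprise there is no shared value to hand out or leak.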
What type of WiFi security do I have?
If you are required to enter a ‘Network Key’ to access your WiFi network, you are most likely using WPA-Personal security on the network.
What about guest networks?
As a general rule, WPA-Personal is fine for guest access provided:
- Your guest network is securely isolated from your production systems. The segmentation can be:
  - Physical (i.e. WiFi has its own dedicated network, cabling and internet connection); or
  - Logical, where the network is separated by VLANs, a firewall (or internal network firewall) and appropriate security.
- You change your guest network key periodically.
- The wireless power of the network is configured (i.e. reduced) to focus on the desired coverage area (e.g. the boardroom).
How do I configure WPA-Enterprise?
The configuration of WPA-Enterprise is a little more complicated than WPA-Personal. WPA-Enterprise requires more configuration on the wireless access points (or controller) and will require the use of a RADIUS server (which is a feature of Windows Server). The most common deployment we work with is one where users access the network using their Windows Active Directory credentials.
If your business wants to secure its wireless networks, your in-house IT resource can configure it, or you can ask your managed service provider (MSP) / IT company.
Benefits of WPA-Enterprise
Apart from the obvious enhancements to IT security, there are some immediate benefits:
- Leavers and starters. When an individual leaves the organisation, wireless network access can be terminated immediately. With a PSK, the key would need to be changed and then reconfigured on every user device – which is a significant administrative overhead in any organisation (so in most cases, this doesn’t happen!).
- Accountability and auditing. Individual logins mean you benefit from network access logs and traceability. Logging will tell you who accessed the WiFi network, when, and what network resources (i.e. endpoints) they accessed while on the network. While this is possible in a crude manner with WPA-Personal (i.e. MAC addresses), it is not as seamless.
- Authorisation. Authentication secures access to the network, while authorisation determines what users can do once they have accessed the network. Examples could include what they can access, time of day access, etc. There is some overlap between the two, but authorisation controls provide a greater level of control throughout the time people are connected.
- Convenience and SSO (Single sign-on). SSO makes network access seamless and familiar to users. Users can use the same Windows credentials to access the WiFi network with ease. Granted, you need to ensure your business has a robust password policy.
Does my equipment support WPA-Enterprise?
The majority of modern, business-class WiFi devices will support WPA-Enterprise. Check data-sheets for mentions of WPA-Enterprise or 802.1X.
For modern deployments, you should really be looking for your network to support WPA3-Enterprise.
Find out more
We work with WiFi equipment from Fortinet, Aruba and Cisco – but our team can assist with implementing a range of WiFi systems. If your organisation is looking for a new WiFi solution, we recommend using a Fortinet Firewall and FortiAPs. Feel free to e-mail sales@mtg.im, call +44 1624 777837 or select Request a Quote for more information. For more tips and tricks, take a look at our Small Business IT Security Guide.