With the KRACK WPA2 vulnerability making headlines in October 2017, many IT admins are asking if there is a WPA2 alternative that is safer. The short answer is not really. WPA2 is a critical component of WiFi authentication. However, the longer answer is that while WPA2 may be unavoidable, you can dramatically step up your WiFi security so that WPA2 security becomes less of an issue.
WiFi Security and WPA2
First, we should point out that the KRACK vulnerability is a particularly insidious one given how many different devices it affects. Despite that, it is relatively straightforward to remediate quickly. To address this issue, you need to ensure that every device gets patched with the latest code to close the KRACK security hole. Of course, the patching process is never easy and it is time-consuming, but at least it is a method to address this issue immediately.
The second point is much more significant, because it concerns how you can really take your WiFi infrastructure security up a notch. That issue is less about replacing WPA2, since that is a widely used standard, and more about how you can get away from the shared SSID and passphrase approach that is popular with WPA2.
Securing the Network through RADIUS
The most significant step that IT admins can take with their WiFi security is to uniquely authenticate users to the network. Similar to how wired networks have worked in the past, it is possible to have every user log in to the WiFi network uniquely rather than through a shared SSID and passphrase.
This approach is made possible by the authentication protocol RADIUS. By connecting your wireless access points to your directory service via RADIUS, you will be able to ensure that every user logs in with their core credentials. No more shared credentials, and no more risk of those credentials getting out to unauthorized users.
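To make the difference concrete, here is an added configuration example (not from the original article) showing the shared-passphrase setup next to the per-user RADIUS setup. It assumes the access point runs hostapd, which the article does not name; the interface name, SSID, addresses, passphrase, and secret are constructed placeholders.

```ini
# ---- BEFORE: shared SSID + passphrase (WPA2-Personal) ----
# Every user and device knows the same passphrase; removing one
# person's access means changing it for everyone.
interface=wlan0
ssid=ExampleCorp
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# placeholder value
wpa_passphrase=REPLACE_WITH_SHARED_PASSPHRASE

# ---- AFTER: per-user login via RADIUS (WPA2-Enterprise) ----
# Use this as a separate hostapd.conf; it replaces the block above.
# Still WPA2, but there is no passphrase on the access point. Each
# user authenticates with their own directory credentials, which the
# access point forwards to the RADIUS server over 802.1X/EAP.
interface=wlan0
ssid=ExampleCorp
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1

# How this access point identifies itself to the RADIUS server
# (placeholder address and name)
own_ip_addr=192.0.2.20
nas_identifier=ap-lobby-01

# RADIUS server fronting the directory service (placeholder address).
# The shared secret protects only the AP-to-RADIUS link; users never see it.
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=REPLACE_WITH_AP_TO_RADIUS_SECRET

# Optional accounting, giving a per-user record of WiFi sessions
acct_server_addr=192.0.2.10
acct_server_port=1813
acct_server_shared_secret=REPLACE_WITH_AP_TO_RADIUS_SECRET
```

With the second configuration, disabling a user's account in the directory ends that user's WiFi access without touching the access point or any other user.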
The benefit is that unless the user has an account in the core identity provider, they won’t have access to the network. Even the shared WPA2 credentials won’t give them access. This approach to the