It's become de rigueur to protect wireless networks with Wi-Fi Protected Access II (WPA2) security, but many small and even midsize businesses default to using the personal or pre-shared key (PSK) mode of WPA2, rather than its enterprise mode. Despite its name, however, the enterprise mode isn't only for large networks; it has a place in all businesses. Though you might think the simple personal mode is easier to use, the exact opposite can be true if you factor in the ongoing effort required to properly secure the business's network.
The enterprise mode of WPA2 uses 802.1X authentication, which provides an extra layer of security for a network, and is much better suited to business networks than the personal mode is. Though it does initially require more effort and resources to set up — for instance, you'll need a Remote Authentication Dial In User Service (RADIUS) server or service — it doesn't have to be complicated or costly, either for individual organizations or for IT/managed service providers who manage networks for multiple organizations.
Full disclosure: I own a business that provides cloud-based RADIUS service. However, it is my honest opinion as an experienced networking professional that enterprise-level Wi-Fi security is recommended for all business networks, for the reasons outlined below. And note that there's no need to use a hosted RADIUS service at all; this story presents many other RADIUS server options, several of which won't cost you anything. I'll walk you through the choices and the steps to a more secure Wi-Fi network.
How the enterprise mode is better
Each mode has its advantages, of course. The initial setup of the PSK mode is very simple. You just set a single password on the access points (APs), and then the users enter that global password when connecting to the Wi-Fi network. Seems effortless, but there are several problems with this method.
First, since everybody on the network uses the same Wi-Fi password, any users who leave the organization will continue to have wireless access until you change the password. A password change requires you to modify the AP settings and inform all the other users of the new password — and they have to enter it correctly the next time they connect, after which it's saved for future connections.
With enterprise mode, each user or device has individual login credentials that you can change or revoke when needed — no other users or devices are affected.
And here's another problem when using the PSK mode: The Wi-Fi password is typically stored on the client devices. Thus, if a device becomes lost or stolen, the password is compromised and should be changed to prevent unauthorized access by anyone who gets his or her hands on the device. Again, if the enterprise mode is used, you can change just that individual's password if the device is lost or stolen.
Additional benefits of the enterprise mode
There are many more advantages to using enterprise Wi-Fi security:
Better encryption: Since the encryption keys for the enterprise mode are unique for each user, it's more difficult for hackers to perform brute-force password cracking and other Wi-Fi attacks than with PSK mode.
Prevents user-to-user snooping: Since each user is assigned the same encryption keys in personal mode, anyone with the Wi-Fi password can decrypt the raw data packets from the airwaves, which could include passwords for unsecured sites and email services. With enterprise mode, users can't decrypt each other's wireless traffic.
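The two points above follow from how WPA2 derives its keys. The sketch below is an added example, not code from this article: it follows the IEEE 802.11i key derivation for personal mode and compares it with enterprise mode. The enterprise key material is modeled with random bytes (an assumption), and the SSID, passphrase, MAC addresses and nonces are constructed sample values.

```python
import hashlib
import hmac
import os

def psk_pmk(passphrase: str, ssid: str) -> bytes:
    # WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits).
    # Nothing user-specific goes in, so every client computes the same PMK.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def enterprise_pmk() -> bytes:
    # Model only (assumption): with 802.1X the PMK comes from key material the
    # EAP exchange produces per user and per session; random bytes stand in here.
    return os.urandom(32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # IEEE 802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated.
    out = b""
    for counter in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
    return out[:nbytes]

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # The session key mixes the PMK with values sent unencrypted during the
    # 4-way handshake (both MAC addresses and both nonces).
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)  # 384-bit PTK for CCMP

# Constructed sample values, not taken from any real network.
SSID, PASSPHRASE = "ExampleCorp", "correct horse battery"
AP_MAC = bytes.fromhex("02aabbccdd01")
ALICE_MAC = bytes.fromhex("02aabbccdd10")
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()

def compare_modes() -> dict:
    alice_pmk = psk_pmk(PASSPHRASE, SSID)
    bob_pmk = psk_pmk(PASSPHRASE, SSID)  # another employee, same Wi-Fi password
    ent_alice, ent_bob = enterprise_pmk(), enterprise_pmk()
    session = (AP_MAC, ALICE_MAC, ANONCE, SNONCE)  # Alice's handshake values
    return {
        "psk_shared_pmk": alice_pmk == bob_pmk,
        "psk_session_key_reproducible":
            derive_ptk(alice_pmk, *session) == derive_ptk(bob_pmk, *session),
        "enterprise_shared_pmk": ent_alice == ent_bob,
        "enterprise_session_key_reproducible":
            derive_ptk(ent_alice, *session) == derive_ptk(ent_bob, *session),
    }

if __name__ == "__main__":
    for name, value in compare_modes().items():
        print(f"{name}: {value}")
```

In personal mode both checks come out true, which is why revoking one person's access means changing the password for everyone; in enterprise mode both come out false.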