Friday, October 22, 2021

WPA2-Enterprise RADIUS Authentication Options

I am looking to deploy more secure wireless authentication for the company that I work at. Currently, we are using standard WPA2 encryption. This could cause an issue when someone leaves the company, as they would still have the wireless credentials, so they could access the network. We have enough devices that it would be impractical to change the key every time, so I am looking to deploy WPA2-Enterprise and give all users their own credentials.

I do have a trusted root certificate (I created a rootCA for internal use) installed on all workstations, which is used for SSL encryption to local web apps. I have set up a FreeRADIUS server with PEAP-MSCHAPv2 authentication with a certificate generated using the internal rootCA in a lab environment. User credentials in this test setup are stored in an OpenLDAP server hosted in the same VM, with LDAP Account Manager as a web GUI to manage credentials.

The main question that I would have is whether PEAP-MSCHAPv2 authentication is still considered secure, and if not, whether there is another alternative that would better meet my use case. I considered EAP-TLS, but I don't currently have anything as far as PKI infrastructure to distribute individual keys (I distributed the root cert by sending an email to a company-wide distribution list with instructions on how to install it and to contact me if you have any issues). Thanks in advance.


