Are you frustrated by constantly having to change your wireless pre-shared key when an employee leaves or when someone unwittingly leaks the password? Are you tired of seeing unauthorized users popping up on your internal wireless networks? Are you looking for per-user keys so that one leaked secret no longer exposes everyone's traffic? Good news – you can do all of this by running the Extensible Authentication Protocol (EAP) over the 802.1X framework and moving to a WPA2-Enterprise environment. This technology is supported by practically every networking manufacturer, but there are a lot of EAP methods to choose from. We've touched on this tech briefly in a post about role based access control (RBAC), but I wanted to take some time to review two of the more popular flavors of EAP so you can make an informed decision about which one is best for your organization.
We at Edge see two predominant versions of EAP being installed today – Protected EAP and EAP-TLS.
Protected Extensible Authentication Protocol (PEAP)
PEAP technically has multiple versions, but they all use the same basic "protected" structure. The issue with the early EAP methods was that the supplicant's identity was transmitted in cleartext and the credential exchange itself was exposed to anyone listening, so an eavesdropper could collect usernames and, with challenge/response methods, attack the captured exchange offline. PEAP corrects this by using two phases – first an outer exchange, then an inner authentication. The outer exchange is a TLS handshake: the RADIUS server presents its certificate, the client validates it, and the two build an encrypted TLS tunnel. Only a harmless outer identity needs to be sent in the clear, and that can be an anonymous placeholder rather than the real username. Once that encryption cover is in place, the inner authentication takes place inside the tunnel, out of sight of roaming sniffers. Can you see why it's called "Protected"?
The most common version of PEAP is PEAPv0 with EAP-MSCHAPv2 as the inner method, which uses a username and password as the credential. When using PEAP you will need to provide a server-side certificate for the RADIUS server and point it at a repository of usernames and passwords for the individual client authentications. When your users connect to the network, their device validates the server certificate and (if the trust relationship is there) sends their unique credentials through the tunnel. The check that makes this work is on the client side: each supplicant must be configured to trust only your CA and to expect your RADIUS server's name, and it should never be allowed to silently accept an unknown certificate. A client that skips that validation will happily build its tunnel to an impostor access point and hand over the MSCHAPv2 exchange, which an attacker can then attack offline. The tunnel only protects the password when the client actually checks who is on the other end of it.
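Here is what that client-side check looks like in practice, as an added example that is not part of the original post. It is a wpa_supplicant configuration (Linux and many embedded supplicants use this format) with a weak PEAP network block beside a hardened one. The SSID, username, CA path and RADIUS hostname are placeholders, not values from the post.

```conf
# Added example, not from the original post. Placeholder names throughout.

# WEAK: no ca_cert and no name check, so the supplicant builds its TLS tunnel
# to whatever presents a certificate, including an impostor AP.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="correct horse battery staple"
    phase2="auth=MSCHAPV2"
}

# HARDENED: pin the issuing CA, require the expected server name, and keep the
# real username out of the cleartext outer identity.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP
    eap=PEAP
    anonymous_identity="anonymous@example.com"   # outer (cleartext) identity
    identity="alice"                             # inner identity, inside TLS
    password="correct horse battery staple"
    ca_cert="/etc/ssl/certs/corp-ca.pem"         # only this CA is trusted
    domain_match="radius.example.com"            # exact server name check
    phase1="peapver=0"                           # PEAPv0, matching the server
    phase2="auth=MSCHAPV2"
}
```

The two blocks differ only in the trust settings, which is the point: the inner MSCHAPv2 exchange is identical in both, and the password is only as safe as the certificate validation around it. Whatever supplicant your platform uses (Windows, macOS, iOS, Android), the equivalent options are a trusted root CA and a server name constraint; a profile that leaves either blank should be treated as misconfigured.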
This option is popular because PEAP is widely supported by client devices and it allows you to easily utilize an existing database, like Active Directory. Your end users are already used to logging in to the domain using their AD credentials, so asking them to use those same credentials to log on to the network isn’t a big stretch!
PEAP is still susceptible to social engineering and misconfiguration, because you are relying on end users to keep their login information secure and on every client being set up to validate the server certificate. If you need even greater security, you may want to take a look at EAP-TLS.
Extensible Authentication Protocol Transport Layer Security (EAP-TLS)
EAP-TLS is one of the most secure authentication methods available today. Rather than using the standard username / password combination, EAP-TLS requires both a server-side and a client-side certificate: each side presents its certificate and proves possession of the matching private key during the TLS handshake, so authentication is mutual and no reusable secret ever crosses the air. This means that you can avoid some of the risks inherent to passwords, like a user entering their credentials to connect with an unapproved device or sharing their credentials with another employee. In order to connect to a network secured with EAP-TLS, the client must have been provisioned a unique certificate issued by your public key infrastructure (PKI), chaining to a CA that the RADIUS server trusts.
The advantage of this level of security is also its inherent disadvantage. It can be a challenge to implement a PKI if you don't already have one in place. Provisioning the certificates can be a straightforward process with Active Directory certificate auto-enrollment via Group Policy in an exclusively Windows environment – but it can be tricky with a diverse set of endpoints! Asking your users to manually install certificates onto their smartphones is a big ask that will almost inevitably result in an increased burden on your helpdesk. Thankfully there are solutions available that can help set up auto-enrollment procedures and certificate provisioning services, like Aruba's ClearPass platform.
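To make the PKI side of EAP-TLS concrete, here is an added example (not from the original post, and not any vendor's tooling) that builds a throwaway lab PKI with the openssl command line: a private root CA, a RADIUS server certificate, and a per-user client certificate, followed by the checks a RADIUS administrator would run before trusting them. The names (Corp Lab Root CA, radius.example.com, alice) and the wpa_supplicant block it writes out are placeholders. It is for a lab; a production CA key belongs on an offline machine or HSM and certificates should be auto-enrolled, not hand-issued like this.

```sh
#!/bin/sh
# Added example, not from the original post. Builds a lab PKI for EAP-TLS
# with the openssl CLI. All names are placeholders. Run in a scratch directory.
set -eu

WORK="${1:-eap-tls-lab}"
mkdir -p "$WORK" && cd "$WORK"

# 1. Private root CA (self-signed). Supplicants will trust only this CA.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Corp Lab Root CA" -keyout ca.key -out ca.crt 2>/dev/null
}

# 2. RADIUS server certificate. Supplicants check the chain, the server name
#    and the serverAuth EKU, so each is set explicitly.
issue_server() {
  host="$1"
  cat > server.ext <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$host
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$host" -keyout server.key -out server.csr 2>/dev/null
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 825 -sha256 -extfile server.ext -out server.crt 2>/dev/null
}

# 3. One client certificate per user or device, with clientAuth only. A client
#    cert that also carried serverAuth could be used to impersonate the RADIUS
#    server to other users, so the EKUs are kept deliberately narrow.
issue_client() {
  user="$1"
  cat > "$user.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature
extendedKeyUsage=clientAuth
subjectAltName=email:$user@example.com
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$user" -keyout "$user.key" -out "$user.csr" 2>/dev/null
  openssl x509 -req -in "$user.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -sha256 -extfile "$user.ext" -out "$user.crt" 2>/dev/null
}

# 4. Check: the certificate chains to our CA AND carries the expected EKU text
#    as printed by "openssl x509 -text" (e.g. "TLS Web Client Authentication").
check_cert() {
  cert="$1"; eku="$2"
  openssl verify -CAfile ca.crt "$cert" >/dev/null 2>&1 &&
    openssl x509 -in "$cert" -noout -text | grep -q "$eku"
}

# 5. Emit the matching supplicant block so the pieces line up end to end.
write_supplicant_conf() {
  user="$1"; host="$2"
  cat > "wpa_supplicant-$user.conf" <<EOF
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="$user@example.com"
    ca_cert="$PWD/ca.crt"
    client_cert="$PWD/$user.crt"
    private_key="$PWD/$user.key"
    domain_match="$host"
}
EOF
}

make_ca
issue_server radius.example.com
issue_client alice
write_supplicant_conf alice radius.example.com

check_cert server.crt "TLS Web Server Authentication" && echo "server cert OK"
check_cert alice.crt  "TLS Web Client Authentication" && echo "client cert OK"
```

Revoking a user is then a CRL or OCSP entry on the CA rather than a network-wide password change, which is the operational win the post is describing; the cost is that every endpoint needs its own key pair and a way to get it there.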
In summary, I don't mean to scare you away from EAP-TLS, as it is the strongest of the commonly deployed EAP methods, but you should be aware that this security comes at an administrative cost. It's really a classic trade-off between security and convenience.
EAP Options to Avoid:
There are many, many other EAP flavors available, too many to effectively cover in a single blog post without delving into whitepaper territory. PEAP and EAP-TLS are the ones that I see the most often, with the occasional EAP-TTLS popping up here and there. However, there are some legacy EAP options with noticeable security flaws that are worth covering here, less to help plan the future and more to help you avoid these legacy options!
EAP-MD5 – This was one of the first EAP methods available. It has three major weaknesses. First, it does not use a tunnel, so the username is transmitted in cleartext. Second, it is a simple challenge/response built on an MD5 hash of the password: an eavesdropper who captures one exchange can run an offline dictionary attack against it, and MD5 itself is not a hash anyone should be relying on today (note that it is a hash, not encryption; nothing in EAP-MD5 is encrypted). Third, it authenticates only the client, never the server, and it produces no keying material, so it cannot even be used to derive WPA2 session keys for a wireless link.
EAP-LEAP – Cisco's Lightweight EAP. The username is transmitted in cleartext, and the MS-CHAP-style challenge/response it uses can be captured over the air and cracked offline with a dictionary attack, a weakness that has been publicly demonstrated for well over a decade. A leaked password hash also makes the social engineering angle easier.
Avoid these two technologies. There are better options out there.
So Why Implement EAP?
EAP is a complex technology, but it can bring a lot of benefits to your organization – both in security and in network permissions management! WPA2-Enterprise uses the same AES-CCMP cipher as WPA2-Personal; what changes is where the keys come from. With a pre-shared key, everyone's session keys are derived from the one shared secret, so anyone who knows the PSK and captures a neighbor's four-way handshake can decrypt their traffic. With EAP, each user's session is keyed from material generated during their own authentication, so compromising one account does not expose anyone else's traffic. You also create a much smaller fallout radius if a credential is compromised, either through negligence or social engineering: you disable one account or revoke one certificate instead of re-keying every device on the SSID. And by moving to unique user authentication instead of a blanket pre-shared key, you can start enabling dynamic network permissions with a role based access control system (see our recent blog post for more details on RBAC). There are software solutions out there that can streamline the transition to WPA2-Enterprise, like Aruba's ClearPass software. ClearPass provides a central platform that neatly ties together your network infrastructure, authentication servers, and user-based security policies. To learn more, check out the ClearPass Solutions Overview.
If you’re interested in learning more, we’d be happy to help you make the decision on which EAP flavor is right for you and guide you on the path to a higher level of security. Give us a call or contact us online!