Support Multiple Authentication Protocols on One SSID
Going passwordless is one of the most secure ways to protect your wireless enterprise network. Especially in an environment where you have BYOD and remote logins, a certificate-based authentication protocol can help protect your network from hackers.
EAP-TLS is an increasingly common and secure authentication protocol used for wireless networks that uses digital certificates for authentication. However, transitioning from a password-based environment to certificate-based authentication might sound complicated. You might be worried about handling the transition because of factors such as training users and the back-end work involved with configuration. With the right solution, this is very easy and requires minimal work.
In this article, we will explain how SecureW2 can help transition your organization to a certificate-based environment as simply and efficiently as possible. We can integrate your existing infrastructure to help you move to a passwordless environment without users noticing much difference.
Common Authentication Protocols for SSIDs
Using the right authentication method to authenticate users and devices to a network goes a long way toward determining the strength of your network security as well as implementing zero trust network security. The authentication process is the most vulnerable stage for a network since this is where an attacker can find loopholes to infiltrate a network.
Some common wireless authentication protocols built on EAP are PEAP-MSCHAPv2, EAP-TTLS, and EAP-TLS. PEAP-MSCHAPv2 and EAP-TTLS/PAP are especially common and rely on passwords for network access. The key difference between them is their level of credential protection: PEAP-MSCHAPv2 uses the MD4 hashing algorithm to encrypt credentials, while EAP-TTLS/PAP uses no encryption at all.
EAP-TLS abandons password-based authentication for wireless access entirely. Instead of passwords, users gain access to the network through secure certificate-based authentication.
Unlike PEAP-MSCHAPv2, when using EAP-TLS as an authentication protocol, credentials are used once for certificate enrollment, after which users and devices are auto-authenticated without the need for any manual input from the user. This eliminates the need for passwords and makes EAP-TLS the most secure way to authenticate with your network.
Here are some key points that help us understand the strengths and weaknesses of each authentication method:
| Authentication Method | Security | User Experience | Identity Management |
| --- | --- | --- | --- |
| PEAP-MSCHAPv2: used in WPA2-Enterprise environments. This credential-based authentication method uses encryption and tunneling to transmit credentials at the time of authentication. | Uses credentials for authentication, so the strength of the network depends on the users. Dependency on human behavior is one of the biggest vulnerabilities of this protocol. | Remembering and resetting credentials does not create a good user experience. In the event of an account lockout due to a wrong password, the user has to wait for their account credentials to be reset, which leads to a loss of productive time. | Not great from an identity management viewpoint, as credentials fail to establish the identity of a user with absolute certainty. User IDs and passwords can be easily shared or stolen, and anyone with access to the password can log in to the network. |
| EAP-TTLS/PAP: a credential-based authentication method that uses Tunneled Transport Layer Security for communication between server and client and can carry several inner authentication methods such as PAP (Password Authentication Protocol), MS-CHAP, or EAP. | Uses an EAP tunnel to transmit credentials. Though considered a method where communication cannot be observed by an outsider, it may be susceptible to interception by an attacker in the case of a man-in-the-middle attack. | The need for manual input of credentials, just as with PEAP-MSCHAPv2, exposes it to the same vulnerabilities as any credential-based authentication method. | Just like PEAP-MSCHAPv2, credentials are not a good identity context and therefore fail to be a strong instrument for identity management. |
| EAP-TLS: this authentication method uses digital certificates to authenticate users to a network, making it the most secure authentication method by eliminating the need for any human input during the authentication process. | Uses certificate-based authentication, and the only information exchanged is the public key. The private key is never exchanged at the time of authentication, so even if there is an attack, the information cannot be exploited to gain access to the network. This makes it the most secure authentication method. | Once enrolled for a certificate, the authentication process is completely automatic. There is zero manual input needed from the user at the time of authenticating to a network, making it a seamless process with a great user experience. With the right onboarding solution, certificate renewal is also automatic, eliminating the need for any human intervention. | Certificates are great for identity management because they cannot be shared, stolen, or replicated. Also, certificate templates can carry much more information about the user, which helps identify them with a greater degree of accuracy. Once installed on a device, with the right solution, admins have greater control over them, as they can be revoked in real time when any malicious activity is suspected. |
Why Would I Want to Support Multiple Authentication Protocols on One SSID?
Setting up separate SSIDs for each access point for more efficient network segmentation is the best practice for network security. However, there are some scenarios where administrators need multiple authentication methods on a single SSID. The most common use cases for enabling multiple authentication protocols on one SSID are:
- When devices that do not support EAP-TLS are on the same SSID as devices with certificate-based authentication. For example, if you are adding new devices that support 802.1X configuration to your school library and want to enable certificate-based authentication for the new devices, you may want to continue using the same SSID for all library devices, including the old devices that do not support certificate-based authentication. In such a scenario, you can enable multiple authentication protocols on one SSID to ensure they are in the same network segment.
- When your organization is transitioning from password-based authentication to EAP-TLS. For example, if you are an educational institute transitioning from PEAP-MSCHAPv2 to EAP-TLS, you may want to opt out of changing the network settings for all the accounts of students graduating in a few months. The time and effort needed for that may not be justified for accounts that will be deactivated soon. In that case, setting up more than one authentication protocol on one SSID may be useful.
If you are facing either of these challenges, enabling support for multiple authentication protocols on one SSID can help you solve your problem to a great degree.
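Both use cases above raise a monitoring question: once an SSID accepts EAP-TLS alongside password methods, which clients are still taking the password path? The following Python script is an added example, not code from SecureW2 or the original article. It classifies the authentication method in RADIUS Access-Request packets from the attributes a NAS sends: EAP-Message (attribute 79) for EAP methods, User-Password for PAP, CHAP-Password for CHAP, and the Microsoft MS-CHAP2-Response vendor attribute for non-EAP MS-CHAPv2. The sample packets, user names and MAC addresses are constructed inline; in practice you would feed it Access-Requests captured on the RADIUS server.

```python
"""Classify the authentication method in RADIUS Access-Request packets.

Constructed example. While one SSID accepts both EAP-TLS and password
methods, the request stream tells you which clients still need migrating.
"""
import struct
from collections import Counter

# RADIUS attribute types (RFC 2865 / RFC 2869) and the Microsoft VSA (RFC 2548)
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_CHAP_PASSWORD = 1, 2, 3
ATTR_VENDOR_SPECIFIC, ATTR_CALLING_STATION_ID, ATTR_EAP_MESSAGE = 26, 31, 79
VENDOR_MICROSOFT, MS_CHAP2_RESPONSE = 311, 25

# EAP codes and method types (RFC 3748 and the IANA EAP method registry)
EAP_RESPONSE = 2
EAP_TYPE_NAMES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
PASSWORD_METHODS = {"PEAP", "EAP-TTLS", "PAP", "CHAP", "MS-CHAPv2"}


def parse_attributes(packet):
    """Yield (type, value) pairs from the attribute section of a RADIUS packet."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    pos = 20  # 4-byte header plus 16-byte Request Authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def eap_method(eap):
    """Name the EAP method in a reassembled EAP packet (None for Success/Failure)."""
    if len(eap) < 5:
        return None
    code, _ident, length, etype = struct.unpack("!BBHB", eap[:5])
    if code != EAP_RESPONSE:
        return None
    if etype == 3:  # Nak: the client lists the methods it would accept instead
        wanted = [EAP_TYPE_NAMES.get(t, f"EAP-{t}") for t in eap[5:length]]
        return "Nak->" + ",".join(wanted)
    return EAP_TYPE_NAMES.get(etype, f"EAP-{etype}")


def classify_access_request(packet):
    """Return {'user', 'mac', 'method'} for one Access-Request."""
    if packet[0] != 1:
        raise ValueError("not an Access-Request")
    user = mac = method = None
    eap_parts = []
    for atype, value in parse_attributes(packet):
        if atype == ATTR_USER_NAME:
            user = value.decode("utf-8", "replace")
        elif atype == ATTR_CALLING_STATION_ID:
            mac = value.decode("ascii", "replace")
        elif atype == ATTR_EAP_MESSAGE:
            eap_parts.append(value)  # RFC 3579: fragments concatenate in order
        elif atype == ATTR_USER_PASSWORD:
            method = "PAP"
        elif atype == ATTR_CHAP_PASSWORD:
            method = "CHAP"
        elif atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            if vendor == VENDOR_MICROSOFT and value[4] == MS_CHAP2_RESPONSE:
                method = "MS-CHAPv2"
    if eap_parts:
        method = eap_method(b"".join(eap_parts)) or method
    return {"user": user, "mac": mac, "method": method or "unknown"}


def transition_report(packets):
    """Count requests per method and list clients still on a password method."""
    counts, stragglers = Counter(), []
    for pkt in packets:
        info = classify_access_request(pkt)
        if info["method"] == "Identity":  # precedes method selection; not informative
            continue
        counts[info["method"]] += 1
        if info["method"] in PASSWORD_METHODS:
            stragglers.append((info["user"], info["mac"], info["method"]))
    return counts, stragglers


# --- constructed sample traffic (hypothetical users and MACs) --------------
def _attr(atype, value):
    return bytes([atype, len(value) + 2]) + value


def build_access_request(attrs, ident=1):
    body = b"".join(_attr(t, v) for t, v in attrs)
    authenticator = bytes(16)  # a real NAS sends 16 random bytes here
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body


def eap_response(etype, data=b"", ident=1):
    return struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(data), etype) + data


_TLS_EAP = eap_response(13, b"\x80\x00\x00\x00\x2b\x16\x03\x03" + bytes(40))
SAMPLE_PACKETS = [
    build_access_request([(1, b"lib-pc-07"), (31, b"AA-BB-CC-00-00-01"), (79, _TLS_EAP)]),
    build_access_request([(1, b"anonymous"), (31, b"AA-BB-CC-00-00-02"),
                          (79, eap_response(25, b"\x00\x16\x03\x01" + bytes(20)))]),
    build_access_request([(1, b"alice"), (31, b"AA-BB-CC-00-00-03"), (2, bytes(16))]),
    build_access_request([(1, b"bob"), (31, b"AA-BB-CC-00-00-04"),
                          (26, struct.pack("!I", 311) + bytes([25, 52]) + bytes(50))]),
    build_access_request([(1, b"lib-pc-08"), (31, b"AA-BB-CC-00-00-05"),
                          (79, _TLS_EAP[:30]), (79, _TLS_EAP[30:])]),
    build_access_request([(1, b"carol"), (31, b"AA-BB-CC-00-00-06"),
                          (79, eap_response(1, b"carol"))]),
]

if __name__ == "__main__":
    counts, stragglers = transition_report(SAMPLE_PACKETS)
    print(dict(counts))
    for user, mac, method in stragglers:
        print(f"still on {method}: {user} ({mac})")
```

Only the outer EAP method is visible to the RADIUS server, so PEAP and EAP-TTLS are reported as such rather than by their inner MS-CHAPv2 or PAP exchange; that is sufficient to tell certificate clients from password clients during a phased migration.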
What is the Most Secure Authentication Protocol to Use on an SSID?
To prevent credential theft, it’s simply more secure to use as few credentials as possible. This is why certificate-based EAP-TLS is the most secure authentication protocol you can use on enterprise wireless networks.
With certificates, you can take identity-based access control to the next level. Every certificate contains unique information about the user that can help identify a user with absolute certainty. And since certificates can neither be stolen nor replicated, you can rest assured that the user connecting to your network is indeed the one to whom you have granted access.
Certificates provide a greater user experience than passwords. For managed devices, there is no end-user interaction since certificate installation is completely automatic with a SCEP Gateway. In fact, the only difference they might experience is that their connection is getting faster.
For BYOD devices, installing certificates is easy with the right onboarding services, such as JoinNow MultiOS. Users are directed to the onboarding page, which is customizable as per your organization’s needs. BYODs can be easily enrolled for certificates as well as configured with 802.1X security settings.
For IT and admins, certificates for authentication can reduce the workload substantially, as using certificates can reduce support tickets and account lockout issues. This is because end-users no longer have to worry about failed password attempts, frustrating password resets, and disconnects related to those password resets.
SecureW2’s in-built PKI solutions will automate the entire lifecycle management of certificates, making it a seamless process of authentication. Once installed, all the devices in the network will be enrolled for certificates.
EAP-TLS Authentication Integration with Microsoft NPS
To explain the process steps, we will take the example of the Microsoft RADIUS server or Microsoft NPS since that is the most widely used server. Combining it with SecureW2’s EAP-TLS solutions will help secure your network from unauthorized access.
Integration Process Overview
- To start using 802.1X certificate authentication, first configure your network along with Active Directory.
- Once the WPA2-Enterprise network is set up, connect the Microsoft NPS RADIUS server to the network.
- Once set up, the RADIUS server will authenticate and authorize users by verifying their identity with the identity provider (AD in this case).
- Connect the PKI to download and install the Certificate Authorities (CAs).
- Connect the Root and Intermediate CAs to the RADIUS server and the network. Certificates will be distributed to users when they try to connect to the network for the first time.
The following needs to be configured to complete the setup for EAP-TLS authentication.
- A SecureW2 Network Profile
- A Microsoft NPS RADIUS Server
- An Identity Provider (for using NPS, you must have AD in place)
Configuring the Secure Network to Enable 802.1X Certificate Authentication
The snap-in steps aren’t required if you already have NPS available as a server role.
- Go to Windows > Run > MMC
- Navigate to File > Add/Remove Snap-in from the Console
- Select Network Policy Server from the Available Snap-ins, from the Add/Remove Snap-in window, and then click Add
- Select Local Computer from the Computer window, and click OK
- Click OK from the Add/Remove Snap-in window
- Navigate to NPS (Local) > Policies > Network Policies from the Console
- Click New under Policies > Network Policies from the Actions pane on the right, and the New Network Policy wizard will appear
- Enter the required Policy Name for the policy and click Next
- Now the Conditions page appears. Click Add and a set of conditions appears. Conditions could be applied depending on requirements. For this article, we are taking User Groups as the only condition
- Click Add. Choose the required AD group to which this Policy is to be applied
- The condition gets added to the Specify Conditions page
- The Configure Authentication Methods window appears when you click Next
- Click Add under EAP Types, and the Add EAP window appears. If you want to use PEAP-MSCHAPv2 in conjunction with EAP-TLS, select both EAP-TLS and PEAP-MSCHAPv2 in the Authentication Methods section under the Authentication tab. You can also select CHAP and PAP, which are less secure authentication methods
- Click Next from the Configure Constraints window
- Click Next from the Configure Settings window
- Click Finish from the Completing New Network Policy window
Linking the Microsoft NPS RADIUS Client to the Network
- Navigate to NPS (Local) > RADIUS Clients and Servers > RADIUS Clients from the Console.
- Click New RADIUS Client from the Actions pane on the right, and the New RADIUS Client window appears.
- Enter a Name and the IP address in the Friendly name and Address (IP or DNS) fields, respectively.
- Enter the shared secret in the Shared secret and Confirm shared secret fields, and click OK.
The below steps are required for EAP-TLS only:
Download the Root and Intermediate CA from SecureW2
- From the SecureW2 JoinNow MultiOS and Connector Management Portal
- Go to PKI Management > Certificate Authorities
- Download the Root and Intermediate CAs for your organization
Installing the Root and Intermediate Certificates
- Go to the NPS or Domain Controller server where you want to install the certificates.
- Go to Windows > Run > CMD. Go to the folder where your certificates are saved.
- Run the following command successively for both certificates to install and publish the certificates:
C:\<Certificates Folder>> certutil -dspublish -f <certificate name>
Simplify the Transition to EAP-TLS with SecureW2
Accessing an organization’s network is no longer confined to a specific physical location. Users can now access a company network from anywhere worldwide, especially with a remote work culture becoming more popular. Even your employees who work from the office often log in from their personal devices and BYOD. Passwords are no longer enough to mitigate network security risks.
EAP-TLS is the most secure means of authentication due to the use of digital certificates for client and server communication. It may, however, be a daunting task to configure, manage, and maintain because of the complexity of managing the PKI which is the very backbone of certificate-based authentication. SecureW2 can support you in enrolling your devices for certificates and also manage the entire certificate lifecycle in a seamless, automated manner, providing you with the strength of EAP-TLS with its Cloud PKI-as-a-Service solution.
Certificate-based authentication helps you mitigate the risk of identity theft and the overall network security risk. Going passwordless may seem like an exhausting task, especially when implementing it across your organization.
SecureW2 has a great support team that can help your organization go passwordless in phases without compromising your network security using your existing network infrastructure. Click here to learn more about our pricing.