BYOD and WPA2 – not made for each other

February 21st, 2012

As the BYOD (Bring Your Own Device) tide rises, network and security admins wonder whether their existing Wi-Fi infrastructure security will hold. In particular, will WPA2 with PEAP, which is pretty much the norm for enterprise Wi-Fi security today, continue to be adequate? WPA2 with PEAP is simple enough, still strong enough, and has served enterprise Wi-Fi security needs very well for the past several years. The forthcoming BYOD revolution, however, poses a new challenge for WPA2 and will require additional thinking on the part of network and security admins about how to complement PEAP to address some of the BYOD security issues. The new challenge comes from the ease with which people can bring personal mobile devices onto the enterprise premises and connect them to the WPA2 enterprise Wi-Fi network without administrator knowledge or help.

Quick rundown on how WPA2 with PEAP works

In WPA2 with PEAP, the client associates with the access point and sends its EAP identity; the authentication server (typically a RADIUS server) then starts a TLS handshake and presents its server certificate to the client. The client is “supposed” to check the validity of that certificate to ensure that it is connecting to the legitimate network. On a Windows laptop, this check is enabled in the PEAP configuration by selecting the “Validate server certificate” checkbox (ideally together with naming the trusted root CA and the expected server name). Once the certificate check passes, the client and the server establish an encrypted TLS tunnel between them. Inside that tunnel the client then proves its username and password to the server, usually with MSCHAPv2, to be admitted to the network.

PEAP certificate check is not required on personal mobile devices

With respect to the description above, if the “Validate server certificate” option is not checked in the Windows PEAP configuration, the server certificate check is skipped. It is then also unnecessary to install the server's CA certificate on the client. Smart mobile devices likewise ship with the certificate check off by default. In Android, the default value for the CA certificate is “unspecified” (and the device does not even warn about it), and in iOS the user simply has to accept a warning indicating that the certificate has not been verified (who reads warnings anyway, particularly ones they don't understand). The result? Users can simply enter their WPA2 usernames and passwords (which they know from their laptops) on any personal Android, iPhone, or other device, and connect that device to the enterprise Wi-Fi. No need to call the help desk! (A client that skips the certificate check also cannot tell a rogue access point backed by an attacker's authentication server from the real one, so it will run its username/password exchange with whichever server answers first; that is a separate risk from the one this post is about, but it is one more reason to enforce validation.) It is not a good idea to allow indiscriminate connections of personal mobile devices to corporate network assets; there can't be much disagreement about that.
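The two supplicant settings discussed above, the "validate server certificate" switch and the CA certificate it depends on, are easy to audit once you know what to look for. The following is an added example, not code from the original post or from AirTight: it parses wpa_supplicant-style `network={...}` blocks and flags PEAP/TTLS networks that either carry no `ca_cert`/`ca_path` (so any server certificate is accepted) or pin no server name (so any certificate from that CA is accepted). The configuration text, the SSID `CorpWiFi`, the account `alice` and the path `/etc/ssl/certs/corp-radius-ca.pem` are all constructed for the example.

```python
"""Audit wpa_supplicant-style PEAP network blocks for missing server-certificate validation.

Added example (not part of the original post). The sample configuration below is
constructed: the first block is the weak, laptop-defaults-copied-to-a-phone style
(no CA certificate, so the supplicant trusts whatever server answers); the second
block is the hardened form (trusted CA plus expected server name).
"""
import re

SAMPLE_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="s3cret"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="s3cret"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
"""

# wpa_supplicant options that tie the server certificate to a specific server.
SERVER_NAME_PINS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")


def parse_networks(text):
    """Return each network={...} block as a dict of key -> value (quotes stripped)."""
    blocks = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        entry = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition("=")  # split on the first '=' only
            entry[key.strip()] = value.strip().strip('"')
        blocks.append(entry)
    return blocks


def audit_network(entry):
    """Return a list of findings for one block; empty list means it validates the server."""
    findings = []
    if entry.get("key_mgmt", "").upper() not in ("WPA-EAP", "WPA-EAP-SHA256"):
        return findings  # PSK or open network: PEAP certificate checks do not apply
    if entry.get("eap", "").upper() not in ("PEAP", "TTLS"):
        return findings  # only tunnelled password methods are in scope here
    if "ca_cert" not in entry and "ca_path" not in entry:
        findings.append("no ca_cert/ca_path: the server certificate is not validated at all")
    if not any(k in entry for k in SERVER_NAME_PINS):
        findings.append("no server name match: any certificate issued by the CA is accepted")
    return findings


def audit(text):
    """Audit every block in a configuration; returns [(ssid, findings), ...]."""
    return [(e.get("ssid"), audit_network(e)) for e in parse_networks(text)]


if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE_CONF):
        status = "OK" if not findings else "WEAK"
        print(f"{ssid}: {status}")
        for f in findings:
            print(f"  - {f}")
```

The first block reports two findings and the second none. The same two questions (is a CA configured, and is the server name tied down) are what to look for in the Windows PEAP dialog and in the Android and iOS profiles mentioned above; the checker just makes the answer mechanical for a text configuration.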

WPA2 can be complemented with “device identification” to solve the above problem

WPA2 with PEAP gives good user authentication but no device identification. Hence, when users log in with their credentials from different devices (including personal mobile devices), WPA2 cannot stop them from connecting. Device identification is needed in addition to user authentication to solve this problem. With device identification in place, administrators can set policies on which devices users may connect from, and block personal mobile devices from the WPA2 network even if users copy credentials from their IT-assigned devices to personal ones.

Device identification in AirTight WIPS and AirTight Wi-Fi access points

AirTight Networks WIPS and Wi-Fi access points both provide the “device identification” capability. They fingerprint the behavior of a device attempting to connect to the enterprise Wi-Fi and identify its type. The administrator can then set up policy rules on which devices to allow and which to block. For any blocked device, the administrator can drill down, including location tracking, and decide whether to leave it blocked or add it to the allow list. This facilitates monitoring and controlling personal mobile devices attempting to connect to the enterprise Wi-Fi network and nicely complements WPA2.
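To make the "user authentication plus device identification" layering of the two sections above concrete, here is an added example. It is not AirTight's code and does not reproduce how its WIPS fingerprints devices; it is a generic policy check that takes a successful PEAP login together with a device class derived from the client's DHCP parameter request list (option 55), and allows or blocks based on a per-user list of permitted device classes. The signature table, the users `alice` and `bob`, the MAC addresses and the events are all constructed for illustration; the option 55 values are stand-ins, not an authoritative fingerprint database.

```python
"""Device-identification policy layered on WPA2/PEAP user authentication.

Added example, not part of the original post or of AirTight's products. Device
classification here is a lookup of the DHCP option 55 (parameter request list)
a client sends; the signature values below are constructed placeholders.
"""
from dataclasses import dataclass

# Constructed, illustrative signature table: option 55 parameter list -> device class.
DHCP_SIGNATURES = {
    (1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43): "windows-laptop",
    (1, 3, 6, 15, 119, 252): "ios-phone",
    (1, 3, 6, 15, 26, 28, 51, 58, 59, 43): "android-phone",
}

# Per-user policy: device classes each account may connect from (constructed).
USER_POLICY = {
    "alice": {"windows-laptop"},                 # laptop only
    "bob": {"windows-laptop", "ios-phone"},      # bob also has an IT-issued iPhone
}


@dataclass
class AuthEvent:
    username: str
    password_ok: bool        # outcome of the PEAP inner (MSCHAPv2) authentication
    client_mac: str
    dhcp_param_list: tuple   # DHCP option 55 observed from the client after association


def fingerprint(param_list):
    """Map an observed option 55 list to a device class, or 'unknown'."""
    return DHCP_SIGNATURES.get(tuple(param_list), "unknown")


def decide(event):
    """Return ('allow' | 'block', reason). Valid credentials alone are not sufficient."""
    if not event.password_ok:
        return "block", "user authentication failed"
    device = fingerprint(event.dhcp_param_list)
    allowed = USER_POLICY.get(event.username, set())
    if device == "unknown":
        # Unrecognised hardware: block and leave it for the admin to drill down.
        return "block", f"unrecognised device {event.client_mac}; flag for admin review"
    if device not in allowed:
        # Same valid username/password, but copied onto a device the user may not use.
        return "block", f"{device} not permitted for {event.username}"
    return "allow", f"{device} permitted for {event.username}"


def review_queue(events):
    """Return the blocked events, as an admin would see them for drill-down."""
    return [(e.username, e.client_mac, decide(e)[1]) for e in events if decide(e)[0] == "block"]


if __name__ == "__main__":
    # Constructed events: alice on her laptop, then alice's credentials on a personal Android.
    events = [
        AuthEvent("alice", True, "00:11:22:33:44:01", (1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43)),
        AuthEvent("alice", True, "00:11:22:33:44:02", (1, 3, 6, 15, 26, 28, 51, 58, 59, 43)),
        AuthEvent("bob", True, "00:11:22:33:44:03", (1, 3, 6, 15, 119, 252)),
        AuthEvent("bob", True, "00:11:22:33:44:04", (9, 9)),
    ]
    for e in events:
        print(e.username, e.client_mac, *decide(e))
    print("for review:", review_queue(events))
```

Two caveats worth keeping in mind when using anything like this in practice: the DHCP exchange happens only after 802.1X has succeeded, so a "block" here means disconnecting or quarantining an already-associated client rather than refusing the login, and both DHCP fingerprints and MAC addresses can be forged by a determined user, which is why a product that watches broader device behavior, as the post describes, is harder to fool than a single-field lookup.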

Hemant Chaskar

Hemant Chaskar is Vice President for Technology and Innovation at AirTight. He oversees R&D, product strategy, and intellectual property. Hemant has more than 15 years of experience in the networking, wireless, and security industry and holds several patents in these areas.

Wireless security

Comments

  1. Kyle
    April 24th, 2013 at 09:40 | #1

    Doesn’t EAP-TLS fix the device id issue? Doesn’t each authorized device get its own Certificate for identification?

  2. kalihto
    February 23rd, 2012 at 00:16 | #2

    Yup! It's really true.
