Configuring WPA2-Enterprise With Cambium Networks

By integrating SecureW2’s onboarding and PKI solutions with Cambium networks, your organization can effectively implement a robust, certificate-based 802.1xnetwork. Certificates negate the threat from over-the-air credential theft and ensure that only approved users can access the network. SecureW2 guarantees that a user cannot delete or transfer their certificate from their device. Your users will also be spared from password disconnect policies that require them to reconnect every network device. The costs in support tickets and wasted time is spared as certificates are configured once and set for life.

When enrolling users to the network, utilizing onboarding software is essentially a requirement if you want to maintain the security benefits you expect. Allowing manual configuration is a fast track towards misconfiguration, which can be detrimental to network security.

SecureW2’s onboarding software allows users to self-configure in minutes by completing a couple simple steps. Once complete, they are automatically authenticated to the secure network for the life of the certificate.

The below guide demonstrates the process of integrating SecureW2’s onboarding solution with Cambium networks. As a high-level overview, here are the basic steps to integrate:

  1. Configure SecureW2’s PKI Services
    • Configuring and managing a PKI is not a simple task, so SecureW2 provides a cloud PKI to streamline the process. Our turnkey PKI services includes all the necessary tools to secure and distribute certificates to network users.
  2. Configure a Secure SSID as a WPA2-Enterprise EAP-TLS network
    • Configuring and managing a WPA2-Enterprise EAP-TLS network is no easy task. SecureW2’s configuration guide simplifies the process so you can set up the network in hours instead of days.
  3. Add the SecureW2 RADIUS Server to the Secure SSID
    • SecureW2’s certificate solutions integrate with all major RADIUS vendors, but our Cloud RADIUS is perfect for those that do not want to manage additional infrastructure. In addition to RADIUS, SecureW2 can provide all necessary tools to implement certificate-based authentication (PKI, CRL, Certificate Authorities, Management Software, and more).
  4. Configure the Onboarding SSID and Landing Page
    • To navigate users to the onboarding software, a common solution is the use of an onboarding SSID. Once connected, users will be redirected to a customizable landing page that guides them through onboarding software.

To complete this setup, you need to have already configured:

  • A SecureW2 Network Profile
  • Cambium Networks Access Points and controller

Creating an EAP-TLS Network Profile

  1. Login to the SecureW2 Management Portal
  2. Click Getting Started under Device Onboarding
  3. For the Profile Type, select Wireless
  4. Enter a name in the SSID field
  5. For the Security Type, select WPA2-Enterprise
  6. For the EAP Method, select EAP-TLS
  7. For the Policy, select DEFAULT
  8. Click Create, and the EAP-TLS Network Profile is added to the Network Profiles list

Creating a SecureW2 Network Profile with EAP-TLS authentication

Creating an SSID

  1. Login to cnMaestro (Cambium Networks Wireless Network Manager)
  2. Click New WLAN
  3. Create a new WLAN using the same SSID Name as early created for the SecureW2 Network Profile
  4. The new SSID gets added to the WLANs list as shown in the screenshot below

Creating the SSID in Cambium Networks

Configuring the SSID to Authenticate with 802.1x

  1. Click the name of the newly created SSID under WLANs in the earlier section and the following screen will appear

< Displaying the screen that appears when editting the Cambium WLAN

  1. Navigate to Configurations > WLANs > Basic Settings
  2. Select WPA2-Enterprise (802.1x) from the Security drop-down list

Adding the SecureW2 Cloud RADIUS Server to Cambium

  1. Click Configurations > AAA Servers
  2. In the SecureW2 Management Portal, navigate to and click AAA Configuration under AAA Management
  3. Copy the Primary IP Address, Shared Secret, and Port and paste them in the 1. Host, Secret, and Port fields, respectively
  4. Navigate back to the SecureW2 Management Portal and copy the Secondary IP Address, Shared Secret, and Port and paste them in the 2. Host, Secret, and Port fields, respectively
  5. Click Save

Connecting SecureW2 RADIUS with the Cambium Network

Onboarding Devices for WPA2-Enterprise

  1. Click the name of the open SSID under WLANs in cnMaestro
  2. Navigate to Configurations > WLANs > Basic Settings
  3. Select Open from the Security drop-down list
  4. Navigate to Configurations > WLANs > Guest Access
  5. Under Whitelist, in the IP Address/Domain Name section, enter in the names that you want to permit in the walled garden and click Add
  6. Click Save

Configuring Redirect to SecureW2 Landing Page

  1. Navigate to Configurations > WLANs > Guest Access
  2. Click View on the Network Profile configured earlier and paste it in the External Page URL field
  3. Click Save

Configuring the redirect to the SecureW2 landing page

Concluding Thoughts

By clicking Save, the Cambium APs and controller have been successfully configured for a WPA2-Enterprise network with EAP-TLS authentication. Users can easily use the onboarding software to enroll for certificates and avoid disconnects from password-expiration policies. Also, without passwords, the network is protected from credential leaks, Evil Twin Attacks, and MITM attacks. So if you’d like to try out SecureW2, or have any questions about how we integrate with Cambium Networks, drop us a line! If you’re interested in talking to a Cambium expert for a free demo, click here. If you’d like more information about our pricing, click here.

CTA Background