Wifi Onboarding for Managed Devices
In 2022, a leading telecom company faced a data breach that cost almost $350MM in compensation to affected customers. Due to the constant threat of data and security breaches, there is an onus on companies to secure managed devices effectively to avoid violations. An effective form of authentication is necessary to ensure that there are no malicious access attempts on the network.
Secure managed devices with 802.1X RADIUS authentication
Most organizations hold a bevy of data about each user that could be highly confidential, ranging from financial records to social security numbers and other sensitive details. WPA2-Enterprise has been the gold standard for wireless security since 2004 and, through 802.1X with RADIUS, has been securing networks for many years now. An 802.1X RADIUS (Remote Authentication Dial-In User Service) server secures a wireless network by asking for unique credentials from each user, recording logs, and enforcing authorization policies.
You can think of the RADIUS server as a “security guard” at the gate of your network: it authenticates the user’s identity and authorizes them to use the network. A key security feature of RADIUS authentication is server certificate validation, which lets the client confirm that it is connecting to the genuine network (the server holding the expected certificate) before it sends anything sensitive.
Read on to find out how WPA2-Enterprise authentication through the RADIUS protocol secures managed devices over a network, and how to onboard your managed devices to secure certificate-based authentication using a Cloud RADIUS server.
WPA2-Enterprise with 802.1X authentication for managed devices
When you consider deploying WPA2-Enterprise, you have to choose an authentication protocol. PEAP-MSCHAPv2 and EAP-TTLS/PAP are some of the most common options. Both are credential-based methods: the RADIUS server authenticates the user with a credential such as a password.
However, neither of these protocols requires server certificate validation. Server certificate validation is a critical network security feature in which your authentication server (typically a RADIUS server) is equipped with a digital certificate that confirms its identity to the client. Without that validation, a hacker could execute a variety of over-the-air (OTA) attacks, such as Man-in-the-Middle or Evil Twin attacks: the attacker impersonates your access points, users’ devices blindly connect to the false AP and send their credentials, delivering them to the waiting hands of hackers.
This vulnerability is exacerbated by the fact that neither protocol communicates credentials securely. PEAP-MSCHAPv2 uses the MD5 hash that was cracked a decade ago, and EAP-TTLS/PAP doesn’t even try – it just sends the data in cleartext.
For those reasons, neither of the common credential-based authentication methods is sufficient protection. We need a protocol that uses server certificate validation to prevent OTA attacks and effectively secures the data that it communicates. The solution? EAP-TLS. EAP-TLS is considered a highly secure authentication protocol as it supports the use of X.509 certificates for authentication, as well as mandating server certificate validation.
Automatic Enrollment of devices for 802.1X configuration
Manually configuring devices is a cumbersome affair: the user needs to select the correct network, enter a name, set the security type, adjust the settings, and choose the correct certificate from a list. Although doable, the risk that misconfiguration introduces to your network is enormous, which is why SecureW2’s JoinNow onboarding software makes automatic enrollment for 802.1X configuration foolproof for end users.
SecureW2’s JoinNow onboarding software integrates with all major mobile device management (MDM) platforms, including Jamf, Workspace ONE, Intune, and Google Workspace. JoinNow is flexible enough to accommodate any MDM because it supports many certificate enrollment protocols, such as SCEP, EST, and WSTEP.
To configure your devices, you just have to follow these steps:
1. Configure the organization’s MDM platform with our Public Key Infrastructure (PKI) service.
2. Send configuration profiles directly to managed devices, instructing them to auto-enroll for a digital certificate for 802.1X.
Monitoring Managed Devices Using Digital Certificates
The distribution and management of certificates can be cumbersome, especially for larger organizations. The biggest problem an organization faces is the lack of infrastructure for proper certificate management of managed devices during and after the onboarding process.
Simple errors like misconfigured settings or compromised credentials can prove expensive down the road. Automating the certificate lifecycle minimizes the opportunity for accidents, so a managed PKI is a necessary complement to onboarding software. A PKI contains all the tools needed to manage certificates and their respective identities.
Our JoinNow Connector PKI is a managed PKI service that integrates existing on-premise infrastructure with cloud directories like Azure, Google, and Okta. Users enjoy the security benefits of identity-based authentication in the cloud no matter where their servers are located. With intuitive single-pane management that provides granular control of certificate lifecycles, it delivers both user and device context to every connection. You can obtain deeper insights and reports on the number of enrolled devices, active and revoked certificates, and all the onboarded users.
Onboarding devices for passwordless authentication via certificates may seem like a huge task, but it is definitely worth your while. The benefits provided by certificates far outweigh the time and effort taken to set them up. Once certificate-based authentication is in place, the greater security and accuracy with which it identifies users, compared with credential-based security, boost your confidence in your network security.
Onboard managed devices securely using SecureW2
Configuring your managed devices to connect to a network securely is a necessity and can’t be shirked. Relying on manual configuration is a disaster waiting to happen, inevitably leading to more support tickets and unnecessary headaches. At SecureW2, we have all the tools you need to successfully onboard a fleet of managed devices and upgrade your authentication from credentials to passwordless.
Ready to take the next step in improving your network security? Click here for pricing.