Wireless Security Best Practices

Jul 1, 2025

Overview

This lecture discusses the most secure options for protecting wireless networks, compares enterprise-grade solutions with more practical alternatives, and provides best practices for enhancing security.

Most Secure Wireless Security Option

  • 802.1X with EAP-TLS provides the highest level of wireless security when properly configured.
  • EAP-TLS requires both a RADIUS server and additional authentication backend systems.
  • Public Key Infrastructure (PKI) is mandatory for EAP-TLS, adding complexity for certificate management.
  • Each client device must have a signed certificate distributed and managed securely.

Security vs. Convenience Trade-Off

  • Implementing full PKI and certificate management is often considered too complex for many organizations.
  • The complexity and overhead of 802.1X with EAP-TLS lead some companies to opt for simpler methods.

Practical Alternative: WPA2 with AES

  • WPA2 with AES-CCMP is the next best alternative if 802.1X is too complex.
  • Use a long, complex, non-dictionary passphrase to resist brute-force and rainbow table attacks.
  • Changing the SSID to something unique reduces exposure to precomputed rainbow tables, because the WPA2 key is derived from the passphrase with the SSID as the salt, so a table built for a common default SSID does not apply.
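As an added illustration (not part of the lecture), the following Python models why the SSID matters: WPA2-PSK derives the Pairwise Master Key with PBKDF2-HMAC-SHA1 using the SSID as salt, so a table precomputed for one SSID misses a network with a different one; the wordlist, SSIDs and the 20-character policy threshold are constructed assumptions.

```python
import hashlib
import secrets
import string

# WPA2-PSK (IEEE 802.11) derives the 256-bit Pairwise Master Key as
# PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations). Because the SSID
# is the salt, precomputed tables are only valid for the SSID they were built for.
ITERATIONS = 4096
PMK_LEN = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK PMK for a passphrase/SSID pair (standard PBKDF2 parameters)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), ITERATIONS, PMK_LEN)


def precomputed_pmks(ssid: str, wordlist) -> dict:
    """PMKs of every candidate word under ONE SSID: the scope of a rainbow table."""
    return {derive_pmk(word, ssid): word for word in wordlist}


def table_covers_network(table: dict, passphrase: str, ssid: str) -> bool:
    """True if the network's real PMK appears in the precomputed table."""
    return derive_pmk(passphrase, ssid) in table


def passphrase_is_weak(passphrase: str, wordlist) -> bool:
    """Policy check from the lecture: short or dictionary-based passphrases are weak.
    The 20-character minimum is an assumed policy value, not from the lecture."""
    return len(passphrase) < 20 or passphrase.lower() in {w.lower() for w in wordlist}


def random_passphrase(length: int = 32) -> str:
    """Generate a non-dictionary passphrase from printable ASCII that WPA2 accepts."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    wordlist = ["password", "letmein1", "sunshine", "qwerty123"]  # constructed sample
    table = precomputed_pmks("linksys", wordlist)                   # constructed default SSID
    print("default SSID, dictionary passphrase covered:",
          table_covers_network(table, "password", "linksys"))       # True
    print("unique SSID, same passphrase covered:",
          table_covers_network(table, "password", "acme-eng-7f3a"))  # False
    print("random passphrase weak?",
          passphrase_is_weak(random_passphrase(), wordlist))         # False
```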

Avoiding Insecure Features

  • Wi-Fi Protected Setup (WPS) should not be used in enterprise environments due to weak security.
  • Always disable WPS in the access point (AP) management console.

Verification and Enforcement

  • Use a tool such as wash (the WPS scanner bundled with reaver) to independently verify that WPS is actually disabled on all APs.
  • Some routers leave WPS active even after it is disabled in the management console, so an independent check is recommended.

Key Terms & Definitions

  • 802.1X — A network access control protocol for authenticating devices using an external server.
  • EAP-TLS — An authentication method using certificates for secure network access.
  • RADIUS Server — A server that handles authentication, authorization, and accounting for network access.
  • PKI (Public Key Infrastructure) — System for managing digital certificates and public-key encryption.
  • WPA2 (Wi-Fi Protected Access 2) — A security protocol for wireless networks, improved over WPA.
  • AES (Advanced Encryption Standard) — The block cipher used for encryption in secure Wi-Fi communications.
  • CCMP (Counter Mode with CBC-MAC Protocol) — The AES-based mode providing data confidentiality and integrity in WPA2.
  • WPS (Wi-Fi Protected Setup) — A feature intended to simplify connecting to a secure wireless network.

Action Items / Next Steps

  • Ensure WPS is disabled on all APs and verify using a tool such as wash.
  • Choose complex, non-dictionary passphrases and unique SSIDs if not using 802.1X.
  • Review organizational needs to determine if the additional security of 802.1X with EAP-TLS is justified.