Wireless Security in the Enterprise: Deploying WPA3-Enterprise

The IEEE 802.11ax draft standard promises improved range, throughput, and resiliency.

Written by: Mark Fairlie, Senior Analyst. Updated Feb 06, 2025
Gretchen Grunburg, Senior Editor

At the start of the millennium, the Wired Equivalent Privacy (WEP) security protocol allowed encrypted data to be sent securely between two endpoints. In 2003, the protocol was replaced by Wi-Fi Protected Access (WPA) after serious vulnerabilities in WEP were found. An improved version, WPA2, followed in 2004, eventually replaced by WPA3 in 2018. 

We’ll outline the development of WPA and how you can deploy WPA3-Enterprise across your company to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA) and adherence to General Data Protection Regulation (GDPR) personal data protection requirements.

Tip
No network is 100 percent secure. Consider incorporating data minimization practices — keeping only the data you need, using it for its intended purpose, and restricting access to it — into your cybersecurity defense strategies.

What is Wi-Fi Protected Access?

Wi-Fi Protected Access (WPA) is a security protocol designed to protect wireless networks by encrypting data transmissions and restricting unauthorized access. Based on the draft IEEE 802.11i standard, WPA was introduced in 2003 as a replacement for the flawed Wired Equivalent Privacy (WEP) protocol, addressing its known vulnerabilities. 

Primarily intended for wireless enterprise networks, WPA introduced several significant security enhancements.

  • Extensible authentication protocol (EAP): This is a secure public-key encryption system that allows only authorized network users to access the network.
  • Temporal key integrity protocol (TKIP): TKIP improved data encryption by scrambling the keys using a hashing algorithm to stop tampering.
  • Message-integrity check (MIC): This security feature determines whether a hacker has captured or altered packets passing between the access point and the client.

Within a year, however, security researchers discovered a WPA flaw rooted in lingering WEP weaknesses and limitations of the MIC feature, prompting the need for further improvements to the wireless security standard.

The switch to WPA2

WPA2, introduced in 2004, significantly enhanced Wi-Fi security by implementing AES (advanced encryption standard) encryption and CCMP (counter mode cipher block chaining message authentication code protocol) to strengthen home and business network protection.

WPA2 had two operating modes:

  • WPA2-Personal was designed for home and small business networks and used a preshared key (PSK) for authentication.
  • WPA2-Enterprise was designed for organizations needing high-security wireless networking. It required IEEE 802.1X authentication with a remote authentication dial-in user service (RADIUS) server.

WPA2-Enterprise deployment required the following: 

  1. Installing a RADIUS server (or using an outsourced service) for authentication.
  2. Configuring wireless access points with encryption settings and RADIUS server details.
  3. Configuring operating system settings to support IEEE 802.1X authentication and encryption protocols.
  4. Connecting devices to the secure wireless enterprise network via unique user credentials.
Did you know?
The urgency of improving WPA2 became apparent in 2017 when security expert Mathy Vanhoef discovered the key reinstallation attack (KRACK) vulnerability, which meant all Wi-Fi networks were vulnerable to hacking.

What is the difference between WPA2 and WPA3?

WPA3, introduced in 2018, addressed critical vulnerabilities that persisted in WPA2 and strengthened overall network security. It also introduced additional privacy protections, stronger encryption, and enhanced device authentication mechanisms.

“WPA3-Enterprise builds on the security of WPA2-Enterprise,” said Matt MacPherson, wireless chief technical officer at Cisco. “[It brings] additional security capabilities, such as stronger encryption suites and protected management frames while allowing the use of multiple authentication mechanisms (EAP methods).” 

WPA3’s key enhancements include:

  • Simultaneous authentication of equals (SAE): SAE replaced WPA2’s PSK exchange protocol to prevent attackers from gaining access by attempting to guess the network password.
  • Enhanced open: This is a way of connecting to public Wi-Fi networks more securely. Traditionally, cybercriminals have used man-in-the-middle attacks to hack into data connections on public Wi-Fi.
  • Easy connect: Easy connect is a clever feature that allows connected items without screens or keypads to be logged in to a network via a QR code read on a smartphone.

Like WPA2, WPA3 has both home and enterprise modes. 

  • WPA3-Personal: WPA3-Personal uses SAE for stronger password-based authentication.
  • WPA3-Enterprise: Designed for organizations that transmit sensitive data, WPA3-Enterprise enforces a minimum 192-bit encryption strength for enhanced security. It also incorporates cryptographic tools that align with the Commercial National Security Algorithm (CNSA) Suite, which was created by the Committee on National Security Systems.

“Foundationally, WPA3-Enterprise provides additional protection over WPA2 from malicious deauthentication and disassociation through the use of protected management frames,” MacPherson said. “WPA3 also has additional modes of operation that enable stronger cryptographic security and prohibit the use of legacy encryption like WEP and TKIP.”

How do you deploy WPA3-Enterprise?

WPA3-Enterprise deployment relies on the IEEE 802.1X authentication framework, which enables secure user authentication over a network.

In this framework:

  • The supplicant (the user or device attempting to connect) requests authentication.
  • The authenticator (typically a wireless access point or network switch) acts as a middleman.
  • The authentication server (a RADIUS server) verifies credentials and grants or denies access.

Authentication process

Users are assigned login credentials (such as a username and password or a digital certificate) to enter when connecting to the network. Unlike WPA2-Personal, users do not see or manage encryption keys, which are never stored on the device.

This setup boosts security by preventing unauthorized access from lost or stolen devices or former employees. When a user attempts to connect to the network, login credentials are sent through a virtual port. If successful, the encryption keys are distributed, granting the user full access.
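The 802.1X exchange described above has the access point (the authenticator) relay the supplicant's EAP messages to the RADIUS server inside Access-Request packets, and the server checks each packet's integrity before acting on the EAP payload. The following is an added example, not code from the article or from any RADIUS implementation: it encodes such a request with the EAP-Message and Message-Authenticator attributes and performs the server-side verification. Packet layout follows RFC 2865 and RFC 3579; the shared secret, identity and Request Authenticator bytes are constructed sample values.

```python
"""Added example (not from the article): the RADIUS Access-Request an 802.1X
authenticator sends to the authentication server, carrying the supplicant's
EAP message, plus the Message-Authenticator check the server performs before
it trusts that payload.  Layout follows RFC 2865 and RFC 3579; the secret,
identity and authenticator bytes below are constructed sample values.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_PORT_TYPE = 61
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_WIRELESS_80211 = 19

EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one RADIUS attribute")
    return struct.pack("!BB", atype, len(value) + 2) + value


def eap_response_identity(eap_id: int, identity: bytes) -> bytes:
    """EAP-Response/Identity: Code, Identifier, Length, Type, Type-Data (RFC 3748)."""
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(identity), EAP_TYPE_IDENTITY) + identity


def build_access_request(identifier: int, request_authenticator: bytes,
                         username: bytes, eap_message: bytes, secret: bytes) -> bytes:
    """What the authenticator (AP) sends: the EAP message wrapped in RADIUS, with
    Message-Authenticator = HMAC-MD5(secret, packet with that attribute zeroed)."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    attrs = (
        _attr(ATTR_USER_NAME, username)
        + _attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
        + _attr(ATTR_EAP_MESSAGE, eap_message)
        + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed while the HMAC is computed
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_authenticator
    packet = header + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    # Message-Authenticator was appended last, so its value is the final 16 bytes.
    return packet[:-16] + mac


def parse_attributes(packet: bytes):
    """Yield (type, offset, value) for each attribute; reject inconsistent lengths."""
    length = struct.unpack("!H", packet[2:4])[0]
    off = 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("malformed attribute length")
        yield atype, off, packet[off + 2:off + alen]
        off += alen


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server-side check: recompute the HMAC over the packet with the attribute
    zeroed.  A request carrying EAP-Message without a valid Message-Authenticator
    must be discarded (RFC 3579 section 3.2)."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        for atype, off, value in parse_attributes(packet):
            if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
                zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:]
                expected = hmac.new(secret, zeroed, hashlib.md5).digest()
                return hmac.compare_digest(expected, value)
    except ValueError:
        return False
    return False  # attribute absent: the EAP payload cannot be trusted


# Constructed sample values (not real credentials or a captured packet).
SHARED_SECRET = b"example-radius-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))
SAMPLE_REQUEST = build_access_request(
    identifier=7,
    request_authenticator=REQUEST_AUTHENTICATOR,
    username=b"alice@example.com",
    eap_message=eap_response_identity(1, b"alice@example.com"),
    secret=SHARED_SECRET,
)

if __name__ == "__main__":
    print("genuine request verifies:", verify_message_authenticator(SAMPLE_REQUEST, SHARED_SECRET))
    tampered = bytearray(SAMPLE_REQUEST)
    tampered[22] ^= 0x01  # flip one bit of the User-Name value
    print("tampered request verifies:", verify_message_authenticator(bytes(tampered), SHARED_SECRET))
```

The point for the deployment described in the text is that the RADIUS shared secret configured on each AP is what binds the authenticator to the authentication server; a request whose HMAC does not verify, whether because the secret is wrong or a byte was altered in transit, is rejected before any credential inside the EAP message is evaluated.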

Tip
Network segmentation can be an ideal solution for organizations focused on security but still running a mixture of devices. A dual-network approach allows legacy devices to remain on WPA2 while newer devices take advantage of WPA3’s enhanced security features.

RADIUS server options

Once you decide which RADIUS server option best suits your organization’s needs, you will configure it within the corresponding EAP, access point (AP), and user authentication settings.

  • Windows Server: If you already run Windows Server, use its Network Policy Server (NPS) role.
  • FreeRADIUS: This server is a free, open-source project and the preferred choice of advanced IT personnel. It is available on the Linux, macOS, and Windows platforms.
  • Outsourced services: If you have multiple offices or lack IT expertise, a hosting service is a good option. Many services provide more than just RADIUS server hosting. They can also help with the setup process, conduct user onboarding, and provide real-time reporting functionality. In addition, many companies offer mobile applications that make configuring mobile devices quick and painless for Apple iOS, Android, and Kindle Fire users.

EAP options

Your EAP choice depends on the security level you need and your server and client specs. Although there are more than 10 EAP types, the three most widely used are:

  • Protected EAP (PEAP): This protocol authenticates users through the usernames and passwords they enter when connecting to the network. It is one of the easiest EAP types to implement.
  • EAP-TLS (transport layer security): To provide the highest level of security, this EAP type requires both server and client certificate validation. Instead of connecting to the network with usernames and passwords, end-user devices or computers must have a client certificate. You control the certificate authority and distribute the client certificates.
  • EAP-TTLS (tunneled TLS): This version of TLS doesn’t require security certificates and reduces network management time. Because TTLS doesn’t have built-in support in Microsoft Windows, however, it requires a third-party client.

Configuring the APs means enabling either WPA3-Enterprise-only mode or transition mode, with the AKM suite set to 00-0F-AC:5 (802.1X with SHA-256). Your APs will use AES-CCMP encryption, so turn off older encryption methods, such as TKIP and WEP. You also need to enable protected management frames (PMF) to help secure your network.
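The AP checklist in the paragraph above (the 00-0F-AC:5 AKM suite, CCMP only, no TKIP or WEP, PMF enabled) can be turned into an automated review of an access point's configuration before it goes live. The following is an added example, not code from the article or from the hostapd project: it audits a hostapd.conf against that checklist, using hostapd's real option names (hostapd spells AKM 00-0F-AC:5 as `WPA-EAP-SHA256`, and `ieee80211w=2` makes PMF required). The two sample configurations, the RADIUS address and the shared secret are constructed for the demonstration.

```python
"""Added example (not from the article or from hostapd): audit a hostapd.conf
against the WPA3-Enterprise AP checklist in the text.  Option names are
hostapd's own; the sample configurations below are constructed.
"""

# AKM suites acceptable for WPA3-Enterprise: 00-0F-AC:5 (WPA-EAP-SHA256) and
# the 192-bit Suite B mode.  Transition mode may additionally advertise the
# WPA2-Enterprise suite 00-0F-AC:1 (WPA-EAP) for clients that cannot do WPA3.
WPA3_ENTERPRISE_AKM = {"WPA-EAP-SHA256", "WPA-EAP-SUITE-B-192"}
TRANSITION_AKM = {"WPA-EAP"}
ACCEPTABLE_CIPHERS = {"CCMP", "CCMP-256", "GCMP-256"}


def parse_hostapd_conf(text: str) -> dict:
    """hostapd syntax: key=value per line, '#' comments and blank lines ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def audit_wpa3_enterprise(conf: dict, transition: bool = False) -> list:
    """Return a list of findings; an empty list means the config meets the checklist."""
    findings = []
    if conf.get("wpa") != "2":
        findings.append("wpa must be 2 (RSN only); 1 or 3 re-enables WPA1 and TKIP")
    if conf.get("ieee8021x") != "1":
        findings.append("ieee8021x=1 is required for 802.1X/EAP authentication")
    akm = set(conf.get("wpa_key_mgmt", "").split())
    if not akm & WPA3_ENTERPRISE_AKM:
        findings.append("wpa_key_mgmt must include WPA-EAP-SHA256 (AKM 00-0F-AC:5)")
    allowed = WPA3_ENTERPRISE_AKM | (TRANSITION_AKM if transition else set())
    for suite in sorted(akm - allowed):
        findings.append(f"wpa_key_mgmt contains {suite}, which this mode does not permit")
    # With wpa=2 only rsn_pairwise applies; hostapd falls back to wpa_pairwise if unset.
    ciphers = set(conf.get("rsn_pairwise", conf.get("wpa_pairwise", "")).split())
    if "TKIP" in ciphers:
        findings.append("TKIP pairwise cipher enabled; set rsn_pairwise=CCMP")
    if not ciphers & ACCEPTABLE_CIPHERS:
        findings.append("no CCMP/GCMP pairwise cipher configured (rsn_pairwise)")
    if any(key.startswith("wep_") for key in conf):
        findings.append("WEP keys present; remove all wep_* options")
    pmf = conf.get("ieee80211w", "0")  # 0 disabled, 1 optional, 2 required
    if transition and pmf not in ("1", "2"):
        findings.append(f"ieee80211w={pmf}: PMF must be at least optional (1) in transition mode")
    if not transition and pmf != "2":
        findings.append(f"ieee80211w={pmf}: PMF must be required (2) in WPA3-Enterprise-only mode")
    for key in ("auth_server_addr", "auth_server_shared_secret"):
        if not conf.get(key):
            findings.append(f"{key} missing; the AP cannot authenticate against RADIUS")
    return findings


# Constructed sample: a typical legacy WPA2-Enterprise AP (192.0.2.10 is a
# documentation address; the secret is a placeholder).
LEGACY_CONF = """
interface=wlan0
ssid=corp-legacy
wpa=3
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
ieee8021x=1
ieee80211w=0
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=placeholder-secret
"""

# Constructed sample: the same AP hardened to WPA3-Enterprise-only mode.
HARDENED_CONF = """
interface=wlan0
ssid=corp-wpa3
wpa=2
wpa_key_mgmt=WPA-EAP-SHA256
rsn_pairwise=CCMP
ieee8021x=1
ieee80211w=2
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=placeholder-secret
"""

# Constructed sample: transition mode for a mixed WPA2/WPA3 client base.
TRANSITION_CONF = HARDENED_CONF.replace(
    "wpa_key_mgmt=WPA-EAP-SHA256", "wpa_key_mgmt=WPA-EAP WPA-EAP-SHA256"
).replace("ieee80211w=2", "ieee80211w=1")

if __name__ == "__main__":
    for name, text in (("legacy", LEGACY_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_wpa3_enterprise(parse_hostapd_conf(text)) or ["OK"])
```

Running the legacy configuration through the audit reports the WPA1/TKIP fallback, the missing SHA-256 AKM, the legacy AKM, the TKIP cipher and the disabled PMF; the hardened configuration passes, and the transition configuration passes only when the audit is told that transition mode is intended, which keeps a temporary compromise from being mistaken for the final state.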

On the client side, set up your usernames and passwords or client certificates if you choose to use them. You’ll need to do it for every laptop, tablet, smartphone, or other device that connects to your server. Enabling fast roaming and server certificate validation, if available, will further boost connection speed and security.

Implementation may vary depending on the hardware and software you choose.

FYI
The cost of a cybersecurity breach can reach hundreds of thousands of dollars — and sometimes more, depending on the size of your business. You can mitigate some of these costs by taking out cyber insurance.

Standards and the Wi-Fi Alliance

Protecting your business from data breaches and ensuring compliance with industry regulations in the wireless enterprise is a continuous task. Key challenges in wireless security are constantly evolving because every enterprise is different. Some IT teams struggle with the impact of bring-your-own-device (BYOD) policies, while others seek ways to allow secure guest access without compromising mission-critical systems.

The IEEE 802.11 working group and Wi-Fi Alliance continue to address emerging wireless security needs, now offering innovations such as IEEE 802.11be, better known as Wi-Fi 7. This update brings major performance improvements:

  • Wider channels: Wi-Fi 7 expands channel bandwidth up to 320 MHz, breaking the three bands (2.4 GHz, 5 GHz, and 6 GHz) into multiple wider channels. This setup allows more efficient connections and data routing.
  • Multilink operation (MLO): Although Wi-Fi 7 will use three bands, this technology now allows routers and devices to combine several frequencies across bands. That means a single connection between a router and a device can use multiple frequency bands to maximize speed. 

Additionally, major platform vendors now offer AI-driven security solutions to help manage access controls, detect vulnerabilities, and automate network security policies, reducing the burden on IT teams.

Wi-Fi continues to evolve and adapt to business needs. Although 2.4 GHz was once the norm in wireless networking, Wi-Fi 7 has expanded operation into multiple frequency bands and brought significant advancements, such as increased capacity and better performance in dense environments.

WPA3: The next generation of Wi-Fi security

When it comes to security, WPA3, certified through the Wi-Fi Alliance’s Wi-Fi Certified program, has emerged as the latest and most secure protocol. It significantly strengthens encryption, protects against brute-force attacks through SAE and provides transition modes for mixed WPA2/WPA3 environments. Importantly, although WPA2 networks remain secure when properly maintained, WPA3 offers additional security enhancements for those who need them.

“WPA3 has been recommended since the start of certifications in 2018. With prior generations of Wi-Fi … WPA3 has been optional,” MacPherson said. “With new generations such as Wi-Fi 6E and Wi-Fi 7, WPA3 is required. This leads to stronger security with broader adoption. As Wi-Fi 6E and Wi-Fi 7 are deployed in the enterprise, WPA3-Enterprise will become the standard.”

The Wi-Fi Alliance and other entities are constantly developing new security methods and certifications to ensure optimal protection. As such, updating firmware and drivers regularly, adopting the latest standards, and keeping informed about advancements in security protocols are paramount to maintaining a secure network.

Ensure your organization has adopted the latest technologies, such as Wi-Fi 7 and WPA3. Enjoy the convenience and productivity of Wi-Fi, but do it safely.

Jeremy Bender contributed to this article. 

Written by: Mark Fairlie, Senior Analyst
Mark Fairlie brings decades of expertise in telecommunications and telemarketing to the forefront as the former business owner of a direct marketing company. Also well-versed in a variety of other B2B topics, such as taxation, investments and cybersecurity, he now advises fellow entrepreneurs on the best business practices. At business.com, Fairlie covers a range of technology solutions, including CRM software, email and text message marketing services, fleet management services, call center software and more. With a background in advertising and sales, Fairlie made his mark as the former co-owner of Meridian Delta, which saw a successful transition of ownership in 2015. Through this journey, Fairlie gained invaluable hands-on experience in everything from founding a business to expanding and selling it. Since then, Fairlie has embarked on new ventures, launching a second marketing company and establishing a thriving sole proprietorship.