As more and more devices join public WiFi networks, concerns about user authentication and security continue to dominate the conversation. This is especially true when discussing the proper security protocols for large-scale guest WiFi networks that serve hundreds, thousands, or even millions of users a day. Without the necessary security measures, users of the shared network are left vulnerable, and those who operate the network may find it unmanageable.
As a baseline security standard, high-traffic public WiFi should be configured with WPA-Enterprise, which uses 802.1X as its authentication mechanism. 802.1X Wi-Fi authentication works in conjunction with two network protocols: Extensible Authentication Protocol over LANs (EAPoL) between the client and the access point, and Remote Authentication Dial-In User Service (RADIUS) between the access point and the authentication server. This makes 802.1X inherently more secure than WPA-PSK or WPA2-PSK, which require every user to share a single password to access the network.
When to consider 802.1X Wi-Fi Authentication
When a user logs into a WPA-PSK or WPA2-PSK network (PSK stands for “Pre-Shared Key”), authentication consists of entering the correct network security key, i.e. the password. Once in, the user’s machine or device can join, operate on, and potentially control the network without ever presenting identifying credentials. This becomes especially problematic when businesses with connected computers, boxes, and IoT devices share their core network with their customers. As more and more users log into your guest WiFi, it is virtually impossible to know exactly who is using your network (or who knows the password). Changing the password frequently to remove unwanted users from the network is also time-consuming and inefficient.
If your business or establishment uses port security (admitting machines to the network based on the device’s MAC address), security issues still arise. Although unsolicited users will not be able to join the network with their own devices, nothing prevents them from impersonating an authorized user on an authorized device if given the opportunity (for example, if an authorized device is stolen, the network cannot determine whether the correct user is operating it).
802.1X authentication solves the problems of password-based and port-based network security by requiring that the user be authenticated, regardless of the device. For that reason, we recommend that business and professional environments adopt this AAA (authentication, authorization, and accounting) framework as a standard measure.
The 802.1X Authentication Process Explained
There are three parties to 802.1X Wi-Fi authentication that work together to allow a user to log in to a given network: the supplicant, the authenticator, and the authentication server.
The supplicant (the end user’s device) attempting to join an SSID is initially denied network access by the authenticator. The communication between the supplicant and the authenticator uses the EAPoL protocol: Ethernet frames that carry the supplicant’s unique login credentials for that particular network. Depending on the level of security required, the authenticator may request additional details or interactions from the supplicant (e.g. a PIN or CAPTCHA code).
Once the authenticator identifies the EAPoL data as a login attempt, it repackages the data for the authentication server, which ultimately allows or denies network access to the end user. This involves converting the EAPoL data into RADIUS packets so that the server can interpret the login credentials as a request for access.
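The three-party exchange described above, as an added example that is not part of the original article or any vendor's code: the supplicant sends an EAP-Response/Identity inside an EAPOL frame, the authenticator (access point) copies the EAP message into a RADIUS Access-Request sealed with a Message-Authenticator (RFC 3579), and the server replies with an Access-Accept or Access-Reject whose Response Authenticator (RFC 2865) the access point verifies before opening the port. The shared secret, the user list, and the acceptance rule are constructed for the example; a real server decides only after completing an EAP method such as EAP-TLS, which is omitted here so the packet handling stays visible.

```python
import hashlib
import hmac
import os
import struct

# 802.1X / EAP (RFC 3748) / RADIUS (RFC 2865, RFC 3579) constants
EAPOL_EAP_PACKET, EAPOL_START = 0, 1
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_PORT_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 61, 79, 80
WIRELESS_80211 = 19

SERVER_SECRET = b"constructed-shared-secret"   # constructed: shared by AP and RADIUS server
USER_DB = {b"alice@example.com"}                # constructed stand-in for a user directory


def eapol(eapol_type, body=b""):
    """EAPOL frame (protocol version 2) as sent by the supplicant over the LAN."""
    return struct.pack("!BBH", 2, eapol_type, len(body)) + body


def eap_identity_response(eap_id, identity):
    """EAP-Response/Identity: the supplicant's login name for this network."""
    data = bytes([EAP_TYPE_IDENTITY]) + identity
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(data)) + data


def attr(t, v):
    """RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return bytes([t, 2 + len(v)]) + v


def attrs_of(pkt):
    """Yield (type, value) pairs from the attribute section of a RADIUS packet."""
    data, off = pkt[20:struct.unpack("!H", pkt[2:4])[0]], 0
    while off < len(data):
        t, ln = data[off], data[off + 1]
        yield t, data[off + 2:off + ln]
        off += ln


def radius(code, ident, authenticator, attrs):
    """RADIUS header (Code, Identifier, Length, 16-byte Authenticator) plus attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def msg_auth(secret, code, ident, request_auth, attrs):
    # RFC 3579 3.2: HMAC-MD5 over the packet with the Message-Authenticator value zeroed;
    # replies use the Request Authenticator of the Access-Request they answer.
    return hmac.new(secret, radius(code, ident, request_auth, attrs), hashlib.md5).digest()


def seal(secret, code, ident, request_auth, attrs):
    """Append a Message-Authenticator attribute computed over the whole packet."""
    zeroed = attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    return attrs + attr(MESSAGE_AUTHENTICATOR, msg_auth(secret, code, ident, request_auth, zeroed))


def check_seal(secret, pkt, request_auth):
    """Verify the Message-Authenticator of pkt; False if absent or wrong."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, off = pkt[20:length], 0
    while off < len(attrs):
        t, ln = attrs[off], attrs[off + 1]
        if t == MESSAGE_AUTHENTICATOR:
            zeroed = attrs[:off + 2] + bytes(16) + attrs[off + ln:]
            expected = msg_auth(secret, code, ident, request_auth, zeroed)
            return hmac.compare_digest(attrs[off + 2:off + ln], expected)
        off += ln
    return False


def response_auth(secret, code, ident, request_auth, attrs):
    # RFC 2865 3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return hashlib.md5(radius(code, ident, request_auth, attrs) + secret).digest()


def authentication_server(request, secret=SERVER_SECRET):
    """RADIUS server: check the request's integrity, decide, and return a sealed reply."""
    code, ident, _ = struct.unpack("!BBH", request[:4])
    req_auth, decision = request[4:20], ACCESS_REJECT
    if code == ACCESS_REQUEST and check_seal(secret, request, req_auth):
        eap = b"".join(v for t, v in attrs_of(request) if t == EAP_MESSAGE)
        # Constructed acceptance rule standing in for a full EAP method exchange.
        if eap[:1] == bytes([EAP_RESPONSE]) and eap[4:5] == bytes([EAP_TYPE_IDENTITY]) and eap[5:] in USER_DB:
            decision = ACCESS_ACCEPT
    reply_attrs = seal(secret, decision, ident, req_auth, b"")
    return radius(decision, ident, response_auth(secret, decision, ident, req_auth, reply_attrs), reply_attrs)


def authenticator(frame, server=authentication_server, secret=SERVER_SECRET):
    """Access point: turn the supplicant's EAPOL frame into RADIUS, verify the reply,
    and return the resulting port state ('authorized' or 'unauthorized')."""
    eapol_type, body = frame[1], frame[4:4 + struct.unpack("!H", frame[2:4])[0]]
    if eapol_type != EAPOL_EAP_PACKET:
        return "unauthorized"            # EAPOL-Start/Logoff never open the port by themselves
    is_identity = body[:1] == bytes([EAP_RESPONSE]) and body[4:5] == bytes([EAP_TYPE_IDENTITY])
    identity = body[5:] if is_identity else b""
    ident, req_auth = 0x2A, os.urandom(16)   # fixed identifier for the example; a real NAS rotates it
    attrs = (attr(USER_NAME, identity) + attr(NAS_PORT_TYPE, struct.pack("!I", WIRELESS_80211))
             + attr(EAP_MESSAGE, body))
    reply = server(radius(ACCESS_REQUEST, ident, req_auth, seal(secret, ACCESS_REQUEST, ident, req_auth, attrs)))
    code, r_ident, length = struct.unpack("!BBH", reply[:4])
    genuine = (r_ident == ident
               and hmac.compare_digest(reply[4:20], response_auth(secret, code, ident, req_auth, reply[20:length]))
               and check_seal(secret, reply, req_auth))
    return "authorized" if genuine and code == ACCESS_ACCEPT else "unauthorized"


def forged_server(request):
    """Constructed rogue server that answers Access-Accept without knowing the secret."""
    return radius(ACCESS_ACCEPT, request[1], bytes(16), b"")


if __name__ == "__main__":
    print(authenticator(eapol(EAPOL_EAP_PACKET, eap_identity_response(1, b"alice@example.com"))))
```

The point to take from the two integrity checks is that the RADIUS shared secret binds the access point and the server to each other: a request from an access point configured with the wrong secret is rejected, and an Access-Accept from a server that does not hold the secret never opens the port. Per-user identity, rather than a password shared by everyone, is what lets the server track and revoke individual sessions.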
Make life easier
Because 802.1X Wi-Fi authentication runs through RADIUS servers, the user-management and scalability difficulties of PSK-protected networks do not arise. Users joining an 802.1X network go through two levels of data encryption, and their secure sessions on a particular network are tracked by the RADIUS server. Unlike on password-protected (PSK) networks, authenticated users can be individually tracked and removed from the network should they pose a threat. Scaling the number of users is also much easier in the absence of a shared password, as users can authenticate automatically in the background, which matters most for businesses that share their connection with others.
Ultimately, large-scale WiFi operations have a lot to gain by implementing an authenticated network. They also have a lot to lose by ignoring the security risks involved in operating WPA-PSK or WPA2-PSK networks with public access.