🛜Securing Business Wi-Fi | Why Authentication Beats Shared Passwords🧑‍💻

Ronald BartelsRonald Bartels
5 min read

Wi-Fi connectivity is essential for modern businesses, but how you secure that connectivity is even more critical. Many businesses still rely on shared passwords for their Wi-Fi networks, a practice that exposes them to significant security risks, operational inefficiencies, and a lack of accountability. Instead, businesses should implement user-based authentication on their Wi-Fi networks.

Solutions like RADIUS authentication (Remote Authentication Dial-In User Service) offer a more secure, scalable, and manageable alternative to shared passwords. This approach integrates seamlessly with tools like Microsoft Active Directory (AD), allowing businesses to leverage their existing infrastructure for better control and accountability.

Why Authentication is Better Than Shared Passwords

  1. Improved Security:
    Shared passwords are inherently insecure:

    • Employees can easily share them with unauthorized individuals.

    • Former employees might retain access if the password is not changed.

    • Shared passwords are more vulnerable to brute-force attacks.

Authentication assigns unique credentials to each user. When a user leaves the company, their access can be revoked without affecting others.

  1. User Accountability:
    Authentication enables per-user logging and auditing. If there’s unusual activity on the network, you can trace it back to the specific user. This accountability is impossible with shared passwords.

  2. Scalability:
    As your business grows, managing shared passwords becomes a logistical nightmare. Authentication scales seamlessly, as it integrates with existing user directories like Active Directory.

  3. Easier Network Segmentation:
    With user authentication, you can enforce policies that segment the network based on user roles. For example, employees can have full access while guests are limited to internet-only access.

RADIUS Authentication: A Modern Approach

RADIUS is a protocol for centralizing authentication, authorization, and accounting (AAA). Many enterprise-grade Wi-Fi devices, including Ubiquiti's UniFi line and OpenWrt-based devices, support RADIUS integration.

RADIUS works by verifying user credentials against a database. This database can either be a standalone setup or an existing directory service like Microsoft Active Directory.

Why Use Active Directory with RADIUS?

  1. Single Source of Truth:
    AD serves as the central repository for user accounts, eliminating the need to maintain a separate database for Wi-Fi authentication.

  2. Streamlined Management:
    User credentials and group policies are managed in one place. For example, a user removed from AD automatically loses Wi-Fi access.

  3. Granular Access Control:
    AD allows the creation of security groups that can be mapped to different network policies. For instance, IT staff might have unrestricted network access, while marketing staff are limited to specific resources.

  4. Simplified Onboarding:
    Adding a new employee to the network is as simple as creating an AD account. No need to manually share or reset passwords.

Setting Up Wi-Fi Authentication with NPS and Active Directory

To integrate Wi-Fi authentication with Active Directory, you’ll need a Windows Server running Network Policy Server (NPS), which acts as the RADIUS server. Here’s a step-by-step guide:

Prerequisites:

  • A Windows Server with Active Directory installed and configured.

  • The NPS role installed on the server.

  • Wi-Fi access points or controllers that support RADIUS (e.g., Ubiquiti, Aruba, or OpenWrt devices).

1. Install and Configure NPS

  1. Open Server Manager and add the Network Policy and Access Services role.

  2. Within this role, install Network Policy Server (NPS).

  3. Open the NPS console (nps.msc) and register the server in Active Directory:

    • Right-click NPS (Local) and select Register Server in Active Directory.

2. Configure RADIUS Clients

  1. In the NPS console, go to RADIUS Clients and Servers > RADIUS Clients.

  2. Add a new RADIUS client:

    • Friendly Name: A descriptive name for your Wi-Fi device.

    • IP Address/DNS Name: The IP address of your access point or controller.

    • Shared Secret: Create a strong shared secret (you’ll also configure this on your Wi-Fi device).

3. Create a Network Policy

  1. Under Policies, right-click Network Policies and select New.

  2. Define a policy for Wi-Fi access:

    • Conditions: Add a condition to match users or groups from Active Directory (e.g., “Domain Users” group).

    • Authentication Methods: Enable PEAP (Protected Extensible Authentication Protocol) and configure it to use a server certificate (issued by your CA).

    • Constraints: Configure session timeouts or connection settings as needed.

4. Set Up Your Wi-Fi Device

  1. Access your Wi-Fi controller’s management interface.

  2. Navigate to the RADIUS settings and add the NPS server:

    • Server IP: The IP address of your NPS server.

    • Port: 1812 for authentication and 1813 for accounting (default RADIUS ports).

    • Shared Secret: Enter the shared secret configured in NPS.

  3. Configure the Wi-Fi SSID to use WPA2-Enterprise or WPA3-Enterprise with RADIUS.

5. Test and Validate

  1. Connect a device to the Wi-Fi network.

  2. Use domain credentials to authenticate.

  3. Monitor NPS logs (Event Viewer > Custom Views > Server Roles > Network Policy and Access Services) to verify successful authentication.

Tools to Enhance Wi-Fi Authentication

  1. Certificate Authority (CA):
    Issue certificates to your NPS server to secure PEAP authentication.

  2. Log Management:
    Use tools like Splunk or SolarWinds to centralize and monitor NPS logs for suspicious activities.

  3. Backup and Redundancy:
    Deploy a secondary NPS server for failover in case the primary server becomes unavailable.

Wrap

Switching from shared passwords to RADIUS-based authentication is a game-changer for businesses. Integrating RADIUS with Microsoft AD using NPS allows for a secure, scalable, and easy-to-manage solution that enhances network security and simplifies administration. By leveraging your existing AD infrastructure, you can create a seamless and secure Wi-Fi experience for employees, guests, and contractors.

Don’t let shared passwords put your business at risk—invest in proper Wi-Fi authentication today.

1
Subscribe to my newsletter

Read articles from Ronald Bartels directly inside your inbox. Subscribe to the newsletter, and don't miss out.

wifiActive Directory#RADIUS

Written by

Ronald Bartels
Ronald Bartels

Driving SD-WAN Adoption in South Africa