JBickford.com

Choosing WPA2 over 802.1x (…For Now)

Part of managing a small business network involves picking your battles. There’s a constant balancing act between ‘Best Practice’ and ‘getting the job done’.

With our recent rollout of some beautiful Meraki Access Points, we had to decide how we were going to handle authentication and authorization on both our ‘Secure’ corporate network and on the ‘Guest’ network. We settled on WPA2 – and here’s why.

Benefits of 802.1x Wireless

Initially, I was impressed with the security benefits of using WPA2-Enterprise security:

  • Access is controlled through Active Directory
  • Access policies are easily pushed out and updated through Group Policy
  • No Pre-shared Key (PSK) to hand to every. single. employee. that needs access

So I went ahead and set it all up: Windows Server 2008 Network Access Policies, Group Policy settings, SQL Auditing, etc. After figuring out a few bumps in the road (including having separate NAP for Machines and Users), it worked flawlessly with the test equipment! I was just about ready to roll it out to the rest of the network devices…

and then I disabled it. All of it.  

Let’s Be Realistic

Our users are used to pre-shared keys. They expect it. There’s a password at their house, at the coffee shop down the street, at the hotel they’re staying at – all WPA2-PSK (hopefully!). So when I got the call that the “wireless won’t connect”, I realized that explaining or diagnosing every step in the process of granting access just wasn’t going to cut it.

So while my 802.1x setup was wonderfully secure and centrally managed, it quite honestly only increased the number of ways that things could go wrong.

Simplicity FTW

As I re-evaluated our wireless needs, something occurred to me – a lot of our wireless clients are junk. They’re either employee iPhones/iPads or guests, with no reason to need access to the corporate network – all connected because the pre-shared key has been passed around for years. The actual company-owned devices always pass through the IT Department’s hands during setup, thereby controlling PSK access to the secure network. (Meraki’s cloud-based management also has some fantastic tools that make auditing access much easier.)

So where is 802.1x right? Well, I think when you’re reaching upwards of 50-75 devices, it’s time to implement a better solution, if only for the ‘disgruntled employee’ situation: it keeps you from having to change the password on 50 devices after a single incident. Thankfully, we have happy employees and a very low turn-over rate.

Until then, we’re going to stick with WPA2 – “It Just Works”.