WPA2-Enterprise

Discussion in 'privacy technology' started by Palancar, Mar 18, 2015.

  1. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    OK guys so we are always discussing what some refer to as "security theater". With that in mind I thought I would throw out a question as to whether or not it's worth it to upgrade to wpa2-enterprise on a home network? I am currently in the market for and examining replacing my router. I am looking at a huge range of options and while I am at it I wanted to pause and consider the "enterprise" addition to my encryption. After reading it doesn't look to be beyond my capabilities, but in the end is it worth it for the potential gains in security?

    The other option is conventional wpa2 psk with an insanely long pass phrase using common settings like MAC locking, etc... in an attempt to raise the low hanging fruit at least a little bit. LOL!

    I could still have a small router on a separate LAN for when a visitor/family came over. I would simply turn it on and then off when they leave. That would be wpa2 psk so I don't have to deal with handing out certs to anyone like that.

    Is there anyone here that does this for their personal network?
     
  2. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,147
    Location:
    UK
    I use wpa2 psk with an insanely long pass phrase (randomly generated), plus a shorter guest one that's supported on my router. I don't think MAC filtering is worth the bother.
     
  3. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    That is why I termed (Mac locking) as raising low hanging fruit just a little bit!

    My real concern here in this thread is trying to gain some "intel" from anyone running wpa2 enterprise at home. Just asking while I am in the process of changing hardware out.

    If I go the home router direction some of the higher end ones offer enterprise but I don't know exactly what steps they require for the clients (normal radius, etc). e.g. - Asus rt-ac87u has some neat features.
     
  4. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,147
    Location:
    UK
    Will be interested in your experience, I was intending to do similar with freeRadius on pfSense, and naively hoping I have few problems!
     
  5. x942

    x942 Guest

    I have been using WPA2 Enterprise for some time now, although I have switched back to regular WPA2-PSK now instead as I believe my setup is now superior to what it was and more convenient.

    My old setup:

    • PFSense running as router and firewall. This guy does all of the "router" parts + intrusion detection with snort and various other things
    • FreeRadius server installed in a Proxmox VM
    • Router running Open-WRT setup to use WPA2 Enterprise with EAP-TLS. (Full breakdown of how this works)
    • Kismet WIDS sensors feeding back to OSSIM Server.
    This setup allowed me to specify usernames and passwords for me, my family, friends, and guests. Each with various limitations on the pfSense side and each being isolated so in the event of compromise an attacker couldn't decrypt everyone's sessions. This worked well but there were issues and it became annoying. Issues included:

    • A ton of overhead. Setting up freeRadius is a PITA.
    • A LOT of consumer devices don't support WPA2 Enterprise. Some only support PEAP and LEAP which aren't the most secure modes and rely on MSCHAP
    • No physical isolation - Guest and Private users are on the same router
    New Setup:

    • PFSense router/Firewall
    • 8-Port Switch with separate VLAN for each type of device: Admin (Ethernet only- access the Admin UI of the switch and PFSense), Media (Pretty much anything that is proprietary- Game Console/Phones/etc.), Private (My network - Only FOSS devices/software on this side), Guest VLAN, & Testing Lab.
    • Router running Open-WRT - This one is private and connected to the private VLAN. Only I can access this network. Uses a 63 Character random password (Max length that WPA2 supports). WPS disabled of course.
    • Router 2 - Open-WRT again with WPA2. - This one is connected to the "Media" VLAN
    • Router 3 - Open-WRT again with WPA2- This is the guest VLAN. Only ports 80 and 443 are allowed through. You also have to authenticate to a captive portal and all traffic is put through a transparent proxy that uses content filter to block out certain sites/content.
    • Kismet WIDS sensors again
    The new setup has a hell of a lot less overhead, consumer products work with it, and if one Access Point goes down, the rest still work. Cons: You need to buy new equipment and set it up, whereas WPA2 Enterprise is almost all software (provided you have a server for it).
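    The "63 character random password (max length that WPA2 supports)" point above follows from how WPA2-Personal turns a passphrase into the 256-bit PMK. The following is an added example, not code from the thread: it validates a passphrase against the 802.11i limits, derives the PMK with the standard PBKDF2 parameters, and generates a maximum-length random passphrase; the check vector is the published IEEE 802.11i Annex H one, and the entropy helper assumes a 94-symbol printable ASCII alphabet.

```python
import hashlib
import math
import secrets
import string

# WPA2-Personal parameters fixed by IEEE 802.11i: the passphrase is 8..63
# printable ASCII characters and the 256-bit PMK is
# PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
MIN_LEN, MAX_LEN = 8, 63
ITERATIONS = 4096
PMK_BYTES = 32
PRINTABLE_ASCII = 94  # assumption: letters + digits + punctuation alphabet


def is_valid_passphrase(passphrase: str) -> bool:
    """True if a WPA2-PSK access point would accept this passphrase."""
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        return False
    return all(0x20 <= ord(c) <= 0x7E for c in passphrase)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK -> PMK exactly as both the supplicant and the AP compute it.

    Note the salt is the SSID, so hiding the SSID does not change the
    derivation; the passphrase is the only secret in WPA2-PSK.
    """
    if not is_valid_passphrase(passphrase):
        raise ValueError(f"passphrase must be {MIN_LEN}..{MAX_LEN} printable ASCII chars")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), ITERATIONS, PMK_BYTES)


def random_passphrase(length: int = MAX_LEN) -> str:
    """The 'insanely long' random passphrase the thread recommends."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase_bits(passphrase: str, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Entropy in bits if every character was drawn uniformly from the alphabet.
    Anything above 256 bits is capped by the PMK size, so 63 chars is plenty."""
    return len(passphrase) * math.log2(alphabet_size)


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector, not a real network.
    print(derive_pmk("password", "IEEE").hex())
    pp = random_passphrase()
    print(len(pp), "chars,", round(passphrase_bits(pp)), "bits")
```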
     
  6. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,515
    Well, if you want to just raise the bar, there are other steps to take. Those can include: reduce range of WiFi access point, limit amount of connections to router, use a network monitor, and not broadcasting SSID.
     
  7. x942

    x942 Guest

    These are all more convenient than enterprise and most consumer routers will support it. As for network monitoring I use the open-source AlienVault OSSIM. You can have it use NMAP and scan the network every hour, if a new device is found alert with an e-mail. It does a ton more, but that would be a whole new thread. I personally hide my SSID too. Yes it's not foolproof, but it will slow down some attackers and others are probably going to go after the softer targets anyways.
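    The hourly "scan the network, alert on a new device" check described above is simple to reproduce outside OSSIM. This is an added example, not the poster's setup: it parses nmap's normal (-oN) output for a ping sweep, compares the MACs seen against an approved inventory, and builds the alert text; both the scan output and the inventory are constructed samples.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `nmap -sn` normal output for a /24. MAC lines appear
# only when nmap runs with raw-socket privileges on the local segment.
SAMPLE_SCAN = """\
Nmap scan report for 192.168.10.1
Host is up (0.0010s latency).
MAC Address: 02:00:00:AA:00:01 (Unknown)
Nmap scan report for 192.168.10.20
Host is up (0.0300s latency).
MAC Address: 02:00:00:AA:00:14 (Unknown)
Nmap scan report for 192.168.10.77
Host is up (0.0450s latency).
MAC Address: 02:00:00:BB:00:4D (Unknown)
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.51 seconds
"""

# Constructed inventory of approved devices, keyed by lowercase MAC.
KNOWN_DEVICES: Dict[str, str] = {
    "02:00:00:aa:00:01": "pfsense-gateway",
    "02:00:00:aa:00:14": "laptop",
}

REPORT_RE = re.compile(r"^Nmap scan report for (.+)$")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})")


def parse_hosts(scan_text: str) -> List[Tuple[str, str]]:
    """Return (host, mac) pairs; each MAC line follows its host's report line."""
    hosts, host = [], None
    for line in scan_text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            host = m.group(1).strip()
            continue
        m = MAC_RE.match(line)
        if m and host:
            hosts.append((host, m.group(1).lower()))
            host = None  # one MAC per report block
    return hosts


def find_unknown(hosts: List[Tuple[str, str]], known: Dict[str, str]) -> List[Tuple[str, str]]:
    """Devices whose MAC is not in the approved inventory."""
    return [(host, mac) for host, mac in hosts if mac not in known]


def alert_body(unknown: List[Tuple[str, str]]) -> str:
    """Text for the e-mail alert; empty string means nothing to send."""
    if not unknown:
        return ""
    return "\n".join(["New device(s) seen on the LAN:"] +
                     [f"  {mac} at {host}" for host, mac in unknown])
```

    Because the inventory is keyed on MAC addresses, it catches unexpected devices but not a device deliberately presenting an approved MAC, the same limitation the thread notes for MAC filtering.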
     
  8. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    WPA2 - AES. (makes your Wifi more efficient than defaults)
    Disable WPS. (stops hack tools)
    Good Password. (Obvious)

    99% of people hacking WiFi are using tools and all these tools abuse only WPS, disable WPS and no more abuse. I stopped posting here because everyone always overcomplicated everything. Case in point, this thread.
     
  9. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    Just trying to learn something new my friend! The routers I am looking at show wpa2 enterprise as an encryption option, and I thought it might be prudent to investigate how wpa2 enterprise could work for me. While maybe not the sharpest knife in the drawer, I can see that enterprise would not be worth the effort to maintain it. I have never had a breach of my wireless network that I know of. I will always strive to learn more about security and how new technology might impact my safety online.
    x942 -- thank you for your input. I have read through your links. There are other security forums where folks strongly agree with your decision to abandon enterprise, mostly due to high overhead issues for what I am wanting to investigate.
     
  10. daman1

    daman1 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    758
    Location:
    MICHIGAN,USA
    There are some routers on which you cannot disable WPS.
     
  11. x942

    x942 Guest

    I am sorry if I've complicated the thread. That was my fault. I thought I could use my setup to show why it may not be of any advantage to use WPA2 Enterprise. I got overboard I guess. Yes, this is really all you need from a WiFi perspective.

    No problem. Yes, that tends to be the case. That and AFAIK only EAP-TLS is secure. The others are broken, can be MITM, or have other issues. WPA2-CCMP (AES) is easier to set up and you don't have to worry about MITM because you misconfigured it.
     
  12. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    x942,

    Complicated or not, I enjoyed reading through your posts and links. Let's not beat anybody up here. I had a thought/idea and it proves to be overkill in every sense of the word. I have already moved on and hope others reading this thread will have also picked up some "intel" on wpa2 enterprise.

    daman1,

    I know I would never buy one of those routers, OR I would swap out the firmware for ddwrt or similar. Absent that it would be going back to the store for a refund!
     
  13. daman1

    daman1 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    758
    Location:
    MICHIGAN,USA
    I have a low end router that you cannot :(