As more and more devices join public WiFi networks, concerns around security and user authentication continue to dominate the conversation. This is especially true when debating the appropriate security protocols for large-scale guest WiFi networks that onboard hundreds, thousands or even millions of users a day. Without the necessary security measures in place, users across the shared network are left vulnerable, and those operating the network may find it unmanageable.

As a basic standard of security, high-traffic public WiFi should be set up with WPA-Enterprise, which uses the 802.1X authentication mechanism. 802.1X operates in conjunction with two protocols: Extensible Authentication Protocol over LAN (EAPOL) between the client and the access point, and Remote Authentication Dial-In User Service (RADIUS) between the access point and an authentication server. These make 802.1X inherently more secure than standard WPA-PSK or WPA2-PSK, which require a single shared password for all users to access the network.

When to Consider 802.1X Authentication

When a user logs onto a WPA-PSK or WPA2-PSK network (PSK standing for ‘pre-shared key’), authentication consists of entering the correct network password or security key. This lets the user’s machine or device join, operate on, and potentially control the network without presenting any identifying credentials. This becomes especially problematic when businesses (with connected computers, tills, and IoT devices) share their main network with their customers. As more and more users log onto your guest WiFi, knowing exactly who uses your network (or who knows the password) becomes virtually impossible. Frequently changing the password to remove unwanted users is also laborious and inefficient, and not practical for big networks with a high volume of users.

If your business or establishment uses port security (admitting machines to the network based on the MAC address of the device), security concerns still arise. Although unauthorised users will not be able to join the network on their own devices, nothing prevents them from impersonating an individual on an authorised device if given the opportunity (e.g. if an authorised device is stolen, the network cannot tell whether the correct user is operating the machine).

802.1X authentication addresses the shortcomings of password- and port-based network security by requiring that the user be authenticated, regardless of the device. For that reason, we recommend that commercial and professional environments use these AAA (authentication, authorization, and accounting) frameworks as a standard measure.

The 802.1X Authentication Process Explained

Three parties take part in 802.1X authentication and work together to allow a user onto a given network: the supplicant, the authenticator, and the authentication server.

The supplicant (the end user's device) attempting to join an SSID is first blocked by the authenticator (typically the access point or switch). The communication between the supplicant and the authenticator uses EAPOL: Ethernet frames that carry the supplicant’s login credentials for that particular network. Depending on the level of security needed, authenticators can prompt for further details or interactions from the supplicant (e.g. requiring a PIN or a captcha code).

Once the authenticator recognises the EAPOL data as a login attempt, it prepares the data for the authentication server, which ultimately allows or denies network access to the end user. This involves repackaging the EAPOL data into RADIUS packets so that the server can interpret the login credentials as an access request.

Servers that speak the RADIUS protocol implement an Authentication, Authorization, and Accounting (AAA or Triple-A) system, which is a far more intelligent and secure method of controlling access to networks, servers, computers and so on. Such servers cross-reference (authenticate) the data provided by the authenticator against backend infrastructure such as directories or databases holding the user's details and the credentials required for authentication. Once the information within the RADIUS packet is approved by the server, an approval response is sent back to the authenticator, granting the supplicant the appropriate access rights and permissions.
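The three-party exchange just described, modelled end to end as an added example (this is not code from the article or from any vendor). It assumes an invented in-memory user directory, an invented shared secret between access point and server, and a constructed packet identifier; the RADIUS packet layout follows RFC 2865, the Message-Authenticator attribute follows RFC 3579, and the EAP-Response/Identity framing follows RFC 3748. The authenticator keeps its controlled port closed until a reply that passes both integrity checks says Access-Accept, and the server silently discards requests built with the wrong secret or altered in transit.

```python
"""Constructed model of supplicant -> authenticator -> authentication server.
Added example; directory, secret, packet id and user names are all invented."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_PORT, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 5, 79, 80

# Constructed directory (stands in for LDAP/AD): user -> account enabled?
DIRECTORY = {"alice@example.test": True, "mallory@example.test": False}
SHARED_SECRET = b"constructed-shared-secret"  # assumed NAS <-> server secret


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS type-length-value attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(blob):
    """Parse RADIUS attributes; reject truncated or zero-length entries."""
    attrs = []
    while blob:
        if len(blob) < 2:
            raise ValueError("truncated attribute")
        t, ln = struct.unpack("!BB", blob[:2])
        if ln < 2 or ln > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((t, blob[2:ln]))
        blob = blob[ln:]
    return attrs


def build_packet(code, ident, authenticator, attrs, secret):
    """Assemble a packet; Message-Authenticator = HMAC-MD5 over the packet
    with its own 16 value bytes zeroed (RFC 3579 section 3.2)."""
    body = encode_attrs(list(attrs) + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac  # Message-Authenticator is the last attribute


def verify_message_authenticator(packet, request_auth, secret):
    """Recompute Message-Authenticator. For replies, request_auth is the
    Request Authenticator of the Access-Request being answered."""
    attrs = decode_attrs(packet[20:])
    received = dict(attrs).get(MESSAGE_AUTHENTICATOR)
    if received is None or len(received) != 16:
        return False
    zeroed = encode_attrs([(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v)
                           for t, v in attrs])
    expected = hmac.new(secret, packet[:4] + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def response_authenticator(reply, request_auth, secret):
    """Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    return hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()


def radius_server(request, secret=SHARED_SECRET):
    """Authentication server: verify the request, consult the directory, reply.
    Returns None where RFC 2865 says to silently discard the packet."""
    if len(request) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    try:
        if code != ACCESS_REQUEST or length != len(request):
            return None
        if not verify_message_authenticator(request, request_auth, secret):
            return None  # wrong shared secret, or tampered in transit
        attrs = dict(decode_attrs(request[20:]))
    except ValueError:
        return None
    user = attrs.get(USER_NAME, b"").decode("utf-8", "replace")
    verdict = ACCESS_ACCEPT if DIRECTORY.get(user) else ACCESS_REJECT
    reply = build_packet(verdict, ident, request_auth, [], secret)
    return reply[:4] + response_authenticator(reply, request_auth, secret) + reply[20:]


def build_access_request(identity, ident, request_auth, secret):
    """Authenticator side: wrap the supplicant's EAP-Response/Identity (received
    over EAPOL) in an Access-Request; EAP-Message requires Message-Authenticator."""
    name = identity.encode()
    eap = struct.pack("!BBHB", 2, 1, 5 + len(name), 1) + name  # EAP code 2 = Response
    return build_packet(ACCESS_REQUEST, ident, request_auth,
                        [(USER_NAME, name), (NAS_PORT, struct.pack("!I", 1)),
                         (EAP_MESSAGE, eap)], secret)


def authenticator_login(identity, secret=SHARED_SECRET, server=radius_server):
    """Access point logic: the controlled port opens only on a verified Access-Accept."""
    ident, request_auth = 7, os.urandom(16)  # 7 is a constructed packet identifier
    reply = server(build_access_request(identity, ident, request_auth, secret))
    if reply is None or len(reply) < 20:
        return (False, "no valid reply")
    code, reply_ident, _ = struct.unpack("!BBH", reply[:4])
    if reply_ident != ident or not hmac.compare_digest(
            reply[4:20], response_authenticator(reply, request_auth, secret)):
        return (False, "reply failed Response Authenticator check")
    if not verify_message_authenticator(reply, request_auth, secret):
        return (False, "reply failed Message-Authenticator check")
    return (code == ACCESS_ACCEPT, "Access-Accept" if code == ACCESS_ACCEPT else "Access-Reject")


if __name__ == "__main__":
    for who in ("alice@example.test", "mallory@example.test", "nobody@example.test"):
        print(who, authenticator_login(who))
    print("wrong secret:", authenticator_login("alice@example.test", secret=b"wrong"))
```

Two details matter for a defender reading this: the Message-Authenticator is what stops an Access-Request carrying EAP from being forged or altered by anyone who does not hold the shared secret, and the Response Authenticator is what lets the access point refuse a spoofed Access-Accept. A real deployment also checks the packet's source address against the list of known RADIUS clients.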

Making Life Easier

Because 802.1X authentication is backed by a RADIUS server, the difficulties surrounding user management and scalability on WPA-PSK protected networks largely disappear. Users who join 802.1X networks go through two levels of data encryption, and their sessions on particular networks are monitored by the RADIUS server. Unlike on password-protected (WPA-PSK) networks, authenticated users can be individually tracked and removed from the network should they pose any sort of threat. Scaling the number of users is also much easier in the absence of a shared password, as users can be authenticated automatically in the background. For businesses that share the connection with others, access can also be restricted to certain areas of the network via the RADIUS server, which is considerably more secure than an open-access network that can be easily infiltrated.
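The per-user tracking and removal described above, as an added example that is not code from the article. It models the accounting records an authenticator sends to the RADIUS server (Acct-Status-Type Start/Interim-Update/Stop from RFC 2866) and the Disconnect-Request of RFC 5176 that the server uses to drop one specific session without rotating any shared password. Session ids, user names and NAS addresses are constructed, and messages are returned as dicts rather than sent over a socket.

```python
"""Constructed session tracker for a RADIUS-backed network (added example)."""
from dataclasses import dataclass, field

ACCT_START, ACCT_STOP, ACCT_INTERIM = 1, 2, 3   # Acct-Status-Type values, RFC 2866


@dataclass
class Session:
    user: str
    session_id: str
    nas: str                   # NAS-IP-Address of the authenticator carrying it
    octets_in: int = 0
    octets_out: int = 0
    pending_disconnect: bool = False


@dataclass
class SessionTracker:
    active: dict = field(default_factory=dict)   # Acct-Session-Id -> Session

    def accounting(self, rec):
        """Apply one accounting record (a dict keyed by RADIUS attribute name)."""
        status, sid = rec["Acct-Status-Type"], rec["Acct-Session-Id"]
        if status == ACCT_START:
            self.active[sid] = Session(rec["User-Name"], sid, rec["NAS-IP-Address"])
        elif status == ACCT_INTERIM and sid in self.active:
            self.active[sid].octets_in = rec.get("Acct-Input-Octets", 0)
            self.active[sid].octets_out = rec.get("Acct-Output-Octets", 0)
        elif status == ACCT_STOP:
            self.active.pop(sid, None)   # the NAS reports the session has ended
        return len(self.active)

    def sessions_for(self, user):
        """Every live session belonging to one identity, across all access points."""
        return [s for s in self.active.values() if s.user == user]

    def revoke(self, user):
        """Build one RFC 5176 Disconnect-Request per live session of this user;
        other users are untouched."""
        requests = []
        for s in self.sessions_for(user):
            s.pending_disconnect = True
            requests.append({"Code": "Disconnect-Request", "NAS": s.nas,
                             "User-Name": s.user, "Acct-Session-Id": s.session_id})
        return requests

    def disconnect_ack(self, sid):
        """The NAS answered Disconnect-ACK: only now is the session really gone."""
        s = self.active.get(sid)
        if s is not None and s.pending_disconnect:
            del self.active[sid]
            return True
        return False


# Constructed accounting feed, in the order an authenticator would send it
SAMPLE_RECORDS = [
    {"Acct-Status-Type": ACCT_START, "Acct-Session-Id": "s1",
     "User-Name": "alice@example.test", "NAS-IP-Address": "10.0.0.2"},
    {"Acct-Status-Type": ACCT_START, "Acct-Session-Id": "s2",
     "User-Name": "bob@example.test", "NAS-IP-Address": "10.0.0.2"},
    {"Acct-Status-Type": ACCT_START, "Acct-Session-Id": "s3",
     "User-Name": "alice@example.test", "NAS-IP-Address": "10.0.0.3"},
    {"Acct-Status-Type": ACCT_INTERIM, "Acct-Session-Id": "s1",
     "Acct-Input-Octets": 1000, "Acct-Output-Octets": 5000},
    {"Acct-Status-Type": ACCT_STOP, "Acct-Session-Id": "s2"},
]


def run_demo():
    """Feed the constructed records and return the tracker for inspection."""
    tracker = SessionTracker()
    for rec in SAMPLE_RECORDS:
        tracker.accounting(rec)
    return tracker


if __name__ == "__main__":
    t = run_demo()
    print("live sessions:", sorted(t.active))
    print("revoking alice:", t.revoke("alice@example.test"))
```

The point of keeping a session in the table until the NAS acknowledges the disconnect is that revocation must be confirmed by the device that actually holds the port open; a server-side "removed" flag on its own proves nothing about the radio.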

Ultimately, large-scale WiFi operations have a lot to gain by implementing an authenticated network. They also have a lot to lose should they ignore the security risks involved in operating WPA-PSK or WPA2-PSK networks with public access.

Further Reading

There are many resources across the web explaining the inner workings of 802.1X authentication; however, INE instructor Keith Bogart offers a highly comprehensive explanation in his video overview.