Wi-Fi Certificate-Based Authentication (CBA) uses digital certificates to create an identity on any given Wi-Fi network. This form of CBA offers a much greater level of security than more traditional Wi-Fi authentication methods, as they’re largely password- or shared credential-based…and we all know that passwords are the least safe form of authentication out there. In this blog, we’re going to go over what EAP-TLS and Wi-Fi CBA are and why your organization should employ them.
EAP (Extensible Authentication Protocol) is a flexible network access authentication protocol developed by the Internet Engineering Task Force (IETF), as detailed in RFC3748. EAP is particularly useful in scenarios where Internet Protocol (IP) isn’t available, offering a secure means of transmitting identification data for network authentication.
Originally, EAP was created for use with the Point-to-Point Protocol (PPP), aimed at establishing a direct connection between two devices. PPP initially had two authentication methods: Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP). As the need for more diverse authentication methods grew, EAP was developed to enhance PPP’s capabilities. EAP functions within PPP’s authentication framework, supporting a broader range of authentication mechanisms beyond PAP and CHAP. These include methods such as Kerberos, certificate-based, and public key authentication, as well as hardware-based options such as dongles, smartcards, and USB tokens.
When developing the 802.1x standard, the IETF decided to utilize the existing EAP framework from PPP instead of crafting new authentication methods; thus, 802.1x adopted EAP for authentication, particularly in defining how EAP packets are transmitted over LANs, including both wired and wireless setups. 802.1x, which governs network access control based on authentication, employs EAP for the actual authentication process. Within this framework, 802.1x utilizes EAP to manage authentication methods. When a client requests network access – either through a wired connection or a wireless network – the respective switch or wireless access point prompts the client for credentials using an EAP request.
EAP delineates various authentication methods, known as EAP methods (clever name, we know), accommodating different types of credentials like usernames and passwords, digital certificates, or biometric data. In wireless networks, common EAP methods include PEAP-MSCHAPv2, EAP-TTLS/PAP, and EAP-TLS. For organizations using WPA2-Enterprise with password-based authentication, these methods are typically employed; however, this article is focused on EAP-TLS due to its aforementioned lack of reliance on passwords and credential sharing. EAP-TLS is recognized as the most robust authentication protocol for 802.1x networks, relying on certificates for Wi-Fi authentication.
To set up large-scale EAP-TLS certificate-based Wi-Fi authentication in your organization, several key components are necessary beyond just the client (supplicant) and the wireless access point (negotiator). These include:
An Internal PKI or Certificate Authority: Essential for EAP-TLS, which relies on CBA, a sophisticated certificate authority platform (such as EZCA by Keytos) is crucial for the automated issuance and management of properly configured certificates to verified devices.
MDM Server: Though optional, it’s highly beneficial. A device management platform like Intune or ManageEngine simplifies the deployment of certificates and correct Wi-Fi configuration, avoiding confusion for end users.
The workflow of certificate-based authentication with EAP-TLS for WPA2/WPA3-Enterprise Wi-Fi typically involves these steps:
1) Device enrollment with the MDM.
2) MDM installation of the root CA certificate on the device, along with a profile and a SCEP or ACME payload, directing the device to request a client device certificate for Wi-Fi from the certificate authority.
3) The CA’s verification and issuance of the client certificate back to the device.
4) The device’s authentication of the RADIUS server via the Access Point, confirming it is connecting to a trustworthy server.
5) The device’s verification of the RADIUS server certificate against a trusted root, preventing connection to unrecognized servers and protecting against attacks like Evil Twin attacks.
6) The device’s use of its client certificate to request network access through the Access Point, which is then forwarded to the RADIUS server.
7) The RADIUS server’s verification of the certificate’s authenticity and its issuance by a recognized CA, also checking for expiration or revocation.
8) The RADIUS server either granting Wi-Fi access through an accept message to the Access Point or denying it if verification fails.
This rigorous process ensures network access is only granted to authenticated and authorized users with secure, compliant devices holding valid certificates, significantly boosting network security. For users, this entire procedure is streamlined and seamless.
EAP-TLS CBA is widely recognized as the most secure method for network authentication in WPA2 and WPA3 Enterprise Wi-Fi environments, especially when compared to the traditional, password-based Wi-Fi authentication methods. This is due to several key advantages:
Unlike shared credentials, which are highly vulnerable to theft and often contribute to network breaches, certificate-based authentication offers a more secure alternative. Passwords can be difficult to remember and require regular updates, but certificates eliminate these issues. They are a form of digital possession, not reliant on memorization or frequent changes.
This approach not only streamlines user access but also offers phishing resistance, as private keys in certificates are never shared.
Traditional EAP methods can involve up to 22 steps from the initial connection to authorization – EAP-TLS simplifies this process to just 4 steps, significantly accelerating authorization and network access both for first-time connections and when devices roam within a Wi-Fi network. This reduction in steps not only enhances roaming capabilities and reduces latency but also provides a smoother and more efficient experience for networks managing a lot of devices.
EAP-TLS, focusing on certificates, sidesteps problems associated with password changes. Effective certificate management by a competent CA can automate and simplify the process, offering a trouble-free solution for organizations.
EAP-TLS authentication, by utilizing digital certificates, enhances network control and visibility. These certificates carry important contextual information like user types, device ownership, specifications, authorization records, user roles, and situational data. This wealth of information bolsters network security and facilitates more effective network administration.
