Extending the Wireless LAN (WLAN) to be a core technology will mean providing granular WLAN authorisation and access control. In this guide, learn about Wireless LAN access control, as well as managing users on guest wireless networks and controlling Wi-Fi embedded devices on the WLAN.
While WLANs were once used to offer network access to guests or employees in common areas, they are now often extended to reach every laptop and desktop in the enterprise. What's more, they also support both corporate and personal smart phones and tablets, as well as embedded Wi-Fi devices, such as copy machines and surveillance cameras. With all these users and clients, network managers must implement granular WLAN access control and network authorisation.
Wireless LAN access control: Managing users
WLAN security using access control and encryption is much more solid than it was in years past, but WPA2-Enterprise is still no slam dunk. Using 802.1X authentication requires integration of a number of components from multiple vendors.
A successful WLAN access control plan will include the creation of a user access policy that touches both corporate and personal devices. Once that policy is established, a number of third-party tools can help with device fingerprinting and automated client provisioning for enforcement.
In this expert tip on WLAN access control, learn about integrating wireless access control with other Network Access Control (NAC) tools, as well as information about device fingerprinting and automated provisioning.
Securing guest wireless networks
Old methods of securing guest wireless networks are no longer sufficient. Once upon a time, wireless guest networks were given their own service set identifiers (SSIDs) and mapped onto an isolated Ethernet VLAN. HTTP requests from newly connected clients were sometimes redirected to a captive portal, where guests had to accept "terms of service" before being released onto the Internet. This left the door open for infected devices to access the guest SSID and the VLAN. It also left that captive portal open for attack.
As a result, enterprises must consider other methods for securing these networks. A number of companies sell equipment that comes with built-in guest management. This equipment requires users to sign in and create accounts, and allows enterprises to create walled gardens of access depending on their own user policy. These tools also allow enterprises to control how guests sign in. Captive portals can require guests to run anti-virus programs, and they allow the IT team to configure permitted destinations, ports and URLs tied to bandwidth limits and priorities. Companies can also integrate a NAC or IDS product to do checks on wireless guest networks.
Learn more about managing and securing guest wireless networks in this expert tip.
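The guest policy described above (sign in first, then a walled garden of permitted destinations and ports, each tied to a bandwidth limit and priority) can be expressed as a default-deny decision function. This is an added example, not code from the original guide or from any vendor's product; the role names, addresses, limits and the block on internal address ranges are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    network: str        # permitted destination (CIDR)
    ports: frozenset    # permitted TCP ports
    kbps: int           # bandwidth limit tied to this rule
    priority: str       # queue priority tied to this rule

# Constructed policy: roles, addresses and limits are illustrative only.
POLICY = {
    "visitor": [
        Rule("0.0.0.0/0", frozenset({80, 443}), 2000, "low"),
    ],
    "contractor": [
        # First match wins, so the narrower rule is listed first.
        Rule("192.0.2.0/24", frozenset({443}), 10000, "normal"),
        Rule("0.0.0.0/0", frozenset({80, 443}), 5000, "low"),
    ],
}

# Assumption: internal ranges that no guest role may reach,
# checked before any permit rule so a broad rule cannot expose them.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def decide(role, signed_in, dst_ip, dst_port):
    """Return (action, kbps, priority) for one guest flow; default is deny."""
    if not signed_in:
        # Guests without an account session only ever see the portal.
        return ("redirect-to-portal", 0, None)
    dst = ipaddress.ip_address(dst_ip)
    if any(dst in net for net in INTERNAL):
        return ("deny", 0, None)
    for rule in POLICY.get(role, []):
        if dst in ipaddress.ip_network(rule.network) and dst_port in rule.ports:
            return ("permit", rule.kbps, rule.priority)
    # Unknown role, unlisted port or unlisted destination.
    return ("deny", 0, None)
```
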
Managing embedded Wi-Fi devices on the WLAN
As if managing guest devices weren't enough of a headache, network managers increasingly find themselves managing and securing Wi-Fi embedded devices on the WLAN. These devices range from wireless printers to barcode scanners and point-of-sale terminals.
One way of controlling these devices is through WPA2-Personal: Pre-Shared Key (PSK) authentication and AES encryption. "Personal" suggests that this is not a strategy designed for enterprise wireless LANs, and PSKs are not preferred for devices that can be controlled effectively with WPA2-Enterprise. However, for consumer electronics that do not support WPA2-Enterprise or device certificates, PSKs can be a viable alternative.
Enterprises could also opt to acquire devices that come ready with Wi-Fi Direct, a peer-to-peer Wi-Fi Alliance specification that enables devices to speak directly to each other. Wi-Fi Direct-capable devices discover each other and form Wi-Fi Direct "groups" composed of two or more devices that make management and visibility simpler.
Learn more about controlling Wi-Fi embedded devices in this expert tip.
This was first published in April 2011