Creating a WPA2 compliant network
Our expert, Lisa Phifer, goes through the basic principles of creating a WPA2 compliant network.
I have a large project where the customer wishes to use Netgear WAG102 access points with wireless Windows Mobile winCE.net devices. The customer has about 400 stores with about four to five mobile devices per store. Could you please explain the basic principles of creating a WPA2 compliant network in this environment?
WPA2 is available in two forms: WPA2-Personal for home and small office use, and WPA2-Enterprise for business use. Given your target application, you should use WPA2-Enterprise for strong, individual device authentication. You will need WPA2-Enterprise support on both your winCE.net devices and your Netgear APs, and at least one RADIUS authentication server for 802.1X/EAP authentication.
Start with your mobile devices. Determine whether their Wi-Fi interfaces support WPA2-Enterprise; this may require installing driver upgrades. If WPA2 is not supported, use WPA instead. The Windows Mobile operating system supports 802.1X and several EAP types, but you'll need to choose an EAP type that meets your security needs and is also supported by your devices. For example, Protected EAP (PEAP) would require configuring each mobile device with a username and password, while EAP-TLS would require installing a digital certificate on each device. If your mobile devices simply cannot support 802.1X, you may need to resort to WPA2-Personal in conjunction with MAC ACLs and a long, random Pre-Shared Key.
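To make the "long, random Pre-Shared Key" fallback concrete, here is an added example (not part of the original answer, and not Netgear or Microsoft code) that generates such a passphrase and derives the 256-bit PSK from it the way IEEE 802.11i specifies: PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32 bytes out. The SSID and the alphabet choice are assumptions made for the example. The derivation is the same one every WPA2 client and AP performs, which is why a short or dictionary passphrase is weak no matter how the rest of the network is built.

```python
import hashlib
import math
import secrets
import string

# Constructed placeholder SSID; not the customer's network name.
EXAMPLE_SSID = "store0001-example"

# Alphanumeric only (an assumption for this example): long enough to be
# strong, and safe to type into AP and handheld configuration dialogs that
# mishandle some punctuation characters.
PASSPHRASE_ALPHABET = string.ascii_letters + string.digits


def generate_passphrase(length: int = 63) -> str:
    """Return a random WPA2-Personal passphrase (WPA2 allows 8 to 63 ASCII characters)."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 characters long")
    return "".join(secrets.choice(PASSPHRASE_ALPHABET) for _ in range(length))


def passphrase_entropy_bits(length: int, alphabet_size: int = len(PASSPHRASE_ALPHABET)) -> float:
    """Entropy of a uniformly random passphrase of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK (the PMK) exactly as IEEE 802.11i does:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


if __name__ == "__main__":
    passphrase = generate_passphrase()
    psk = derive_psk(passphrase, EXAMPLE_SSID)
    print(f"passphrase ({passphrase_entropy_bits(len(passphrase)):.0f} bits): {passphrase}")
    print(f"64-hex PSK for AP/device configuration: {psk.hex()}")
    # Contrast: an 8-character lowercase word offers only ~38 bits.
    print(f"8 lowercase chars: {passphrase_entropy_bits(8, 26):.1f} bits")
```

Many APs and clients accept the 64-hex-digit PSK directly instead of the passphrase, which lets you provision each store's devices from a script without ever handing the passphrase to a person; whichever form you store, rotate it when a device is lost, since every device at that store shares it.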
Next, install and configure a RADIUS authentication server to match the EAP type used by your mobile devices. You will need to create an account for each mobile device, either on the RADIUS server itself or in a user database (e.g., Windows AD, an LDAP directory) that interfaces with your RADIUS server. The RADIUS server will be consulted each time a mobile device connects to the network, so give some consideration to where the RADIUS server should be placed, and whether you really need more than one server for redundancy or performance. Depending on the EAP type, you will probably need to configure each authentication server with its own digital certificate.
The easiest component to configure will be your Netgear APs. In a WPA2-Enterprise network, APs serve as the middleman, relaying access requests from wireless clients to a RADIUS authentication server. WAG102 APs support WPA2-Enterprise, so just configure them with your authentication server's IP address and RADIUS shared secret. Beware that the RADIUS protocol can expose sensitive information, so communication between APs and your authentication server(s) should be protected, for example by using a site-to-site VPN to connect stores to a centrally-located server.
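The following added example (not from the original answer, and not a Netgear or RADIUS-server implementation) builds a RADIUS Access-Request the way an AP would and then inspects it as it appears on the wire, to show what the protocol does and does not protect: User-Name and NAS-IP-Address travel in cleartext, User-Password is only XOR-masked with MD5 of the shared secret (RFC 2865 section 5.2), and the Message-Authenticator (RFC 2869) is an HMAC-MD5 keyed with that same secret. With PEAP or EAP-TLS the credentials ride inside EAP-Message attributes rather than User-Password, but the session keys the server returns in Access-Accept are hidden with the same shared-secret construction, so the shared secret and the path between store APs and the central server carry the whole burden. The secret, username, password, NAS address and fixed authenticator are constructed values for the example.

```python
import hashlib
import hmac
import os

# RADIUS codes and attribute types from RFC 2865 and RFC 2869.
ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2
NAS_IP_ADDRESS = 4
MESSAGE_AUTHENTICATOR = 80  # HMAC-MD5 over the packet, keyed with the shared secret

# Constructed example values, not from any real deployment.
EXAMPLE_SECRET = b"example-shared-secret"
EXAMPLE_AUTHENTICATOR = bytes(range(16))  # fixed only so the example is repeatable


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Obfuscate User-Password as in RFC 2865 section 5.2.

    Each 16-byte chunk is XORed with MD5(secret + previous chunk), seeded with
    the Request Authenticator. Nothing but the shared secret protects it.
    """
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden, prev = hidden + chunk, chunk
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse hide_password (what the RADIUS server does on receipt)."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        clear, prev = clear + bytes(c ^ m for c, m in zip(chunk, mask)), chunk
    return clear.rstrip(b"\x00")  # padding removal; a password ending in NUL bytes would lose them


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (Length covers the 2-byte header)."""
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(identifier, secret, username, password, nas_ip, authenticator=None):
    """Build an Access-Request as an AP (the NAS) would send it for a password check."""
    authenticator = authenticator or os.urandom(16)
    body = (attribute(USER_NAME, username)
            + attribute(USER_PASSWORD, hide_password(password, secret, authenticator))
            + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    length = 20 + len(body) + 18  # header + attributes + Message-Authenticator TLV
    header = bytes([ACCESS_REQUEST, identifier]) + length.to_bytes(2, "big") + authenticator
    # Message-Authenticator is computed over the packet with its own value zeroed.
    zeroed = header + body + attribute(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return header + body + attribute(MESSAGE_AUTHENTICATOR, mac)


def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} for the attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Check the HMAC-MD5 Message-Authenticator; fails for a wrong secret or a modified packet."""
    pos = 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if attr_type == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += length
    return False


def example_packet() -> bytes:
    """A repeatable Access-Request from a constructed store AP (NAS 10.0.1.2)."""
    return build_access_request(7, EXAMPLE_SECRET, b"store0001-device03", b"Pa55word!",
                                "10.0.1.2", EXAMPLE_AUTHENTICATOR)


if __name__ == "__main__":
    pkt = example_packet()
    attrs = parse_attributes(pkt)
    print("User-Name visible on the wire:", attrs[USER_NAME])
    print("User-Password on the wire (masked):", attrs[USER_PASSWORD].hex())
    print("Recovered with the shared secret:",
          reveal_password(attrs[USER_PASSWORD], EXAMPLE_SECRET, EXAMPLE_AUTHENTICATOR))
```

The practical reading for a 400-store rollout: use a long, random, per-store shared secret rather than one secret everywhere, and carry the AP-to-server traffic inside the site-to-site VPN so that the cleartext attributes and the MD5-based masking are never the only line of defence.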
To learn more, read our Wireless LAN Security Lunchtime Learning Series tip about WPA2.