Security best practices for Enterprises
We have seen a ton of attacks against WPA/WPA2, both Personal and Enterprise. Based on our experience, we would recommend the following:
For SOHOs and medium-sized businesses, use WPA2-PSK with a strong passphrase. You have up to 63 characters at your disposal. Make use of it.
For large enterprises, use WPA2-Enterprise with EAP-TLS. This uses both client and server-side certificates for authentication, and currently is unbreakable.
If you have to use PEAP or EAP-TTLS with WPA2-Enterprise, then ensure that certificate validation is turned on, the right certifying authorities are chosen, the Radius servers that are authorized are used and finally any setting that allows users to accept new Radius servers, certificates, or certifying authorities is turned off.
Pop quiz – attacking WPA-Enterprise and RADIUS
FreeRadius-WPE is a:
Radius server written from scratch
Patch to the FreeRadius server
Ships by default on all Linuxes
None of the above
PEAP can be attacked...
