    Feb Project - Radius? Network Security

      hobbit666

      OK chaps.
      Any advice, links, etc. on today's best practices on securing the company WiFi?

      At the moment we are rolling out Unifi APs everywhere. We have a "Corporate" SSID and a "Guest" SSID; guest is ticked with isolation so it can't see the Corp network.
      At Head office I have also separated the guest and corp WiFi onto separate VLANs as well.

      But we have an issue that because the WiFi key is known by everyone, they put their phones on the Corp SSID and use up all the IPs, so I want to move to RADIUS or whatever the latest and greatest standard is to authenticate and join company laptops onto the corp network, forcing all phones onto the guest.

        scottalanmiller

        Looking to deploy FreeRADIUS on Linux?

          hobbit666 @scottalanmiller

          @scottalanmiller said:

          Looking to deploy FreeRADIUS on Linux?

          Might do 😄
          I have looked at that in the past and did like it, but I'm not sure about best practices in regards to what type of certificates to use, etc. I don't really want to manage 100+ certificates for each laptop.

          So really after what options are available to secure the WiFi and what does everyone do?

            Deleted74295 Banned

            I just don't give out the private wifi key. 🙂 Works a lot here.

              mlnews @Deleted74295

              @Breffni-Potter said:

              I just don't give out the private wifi key. 🙂 Works a lot here.

              I find unplugging the wifi most effective.

                hobbit666

                @Breffni-Potter & @mlnews
                Both excellent options... BUT!!!! not the one I was hoping for lol.

                Is Radius still the "in thing" to handle authentication on wireless stuff, or is there a new and better thing we can look into? I don't mind spending company money!!

                  scottalanmiller

                  Radius is still quite standard. Don't know if it is the "in thing" anymore, but still very common, popular and accepted.

                    Dashrender

                    If you have Active Directory, you could look at their implementation of RADIUS so you only have one user account to worry about, though that probably wouldn't solve your phones on the wrong network problem.

                      hobbit666 @Dashrender

                      @Dashrender said:

                      If you have Active Directory, you could look at their implementation of RADIUS so you only have one user account to worry about, though that probably wouldn't solve your phones on the wrong network problem.

                      Yeah we have AD.
                      Is just using a username good enough or should we look at using certificates?

                        Dashrender @hobbit666

                        @hobbit666 said:

                        @Dashrender said:

                        If you have Active Directory, you could look at their implementation of RADIUS so you only have one user account to worry about, though that probably wouldn't solve your phones on the wrong network problem.

                        Yeah we have AD.
                        Is just using a username good enough or should we look at using certificates?

                        That would be up to you - do you want to have to deploy certs to end user devices? Is device level security that important?

                          Carnival Boy @Deleted74295

                          @Breffni-Potter said:

                          I just don't give out the private wifi key. 🙂 Works a lot here.

                          What's to stop people from simply getting it off their laptop (or their colleague's laptop)?

                          I will watch this thread with interest as I have a similar problem. At the moment I go into Unifi and manually block any devices that I don't recognise, which keeps things under control but isn't ideal.

                            hobbit666 @Carnival Boy

                            @Carnival-Boy said:

                            @Breffni-Potter said:

                            I just don't give out the private wifi key. 🙂 Works a lot here.

                            What's to stop people from simply getting it off their laptop (or their colleague's laptop)?

                            I will watch this thread with interest as I have a similar problem. At the moment I go into Unifi and manually block any devices that I don't recognise, which keeps things under control but isn't ideal.

                            Similar to us at the moment. What I want as an end goal is that once a machine has been imaged and logged on with a new user via a cable, it will get WiFi settings from GPO and just connect when the machine is out and about.

                            Then change the SSID to Corp, leaving the guest one for phones and other devices that's isolated already.

                              Deleted74295 Banned @Carnival Boy

                              @Carnival-Boy said:

                              @Breffni-Potter said:

                              I just don't give out the private wifi key. 🙂 Works a lot here.

                              What's to stop people from simply getting it off their laptop (or their colleague's laptop)?

                              What happens is the moment I see your personal device on my network, you hear about it.

                              If I see it again, your manager hears about it.

                              Or...

                              https://community.spiceworks.com/topic/269617-windows-7-and-hiding-the-wireless-password
                              http://www.thewindowsclub.com/disable-password-reveal-button-windows-8
