Residential vs. Enterprise Considerations: WPA-Enterprise vs. WPA-Personal


Most of my Wi-Fi career was thinking about the enterprise. No doubt that the enterprise is where you really have to put on your “Wi-Fi hat,” because you’re typically dealing with many (many!) access points. The smallest design and installation I ever did was 4 access points, and the largest was several thousand.

WPA-Personal

This is the basic “password-based” authentication mechanism used in most residential scenarios, and by various SSIDs in the enterprise as well. It’s usually chosen when:

  • the administrator or home user doesn’t want to, or doesn’t have the knowledge to, set up a proper infrastructure
  • an access point or station can’t support “proper” 802.1X (on either the client side or the infrastructure side)

When WEP was determined to have a hole large enough to drive a truck through, some very smart folks at the Wi-Fi Alliance came up with the notion of reusing the cipher already built into every WEP-capable device (RC4) and wrapping it in a temporal-key scheme (TKIP). The result was WPA-Personal. It runs the passphrase and the SSID, plus a couple of fixed parameters, through the PBKDF2 algorithm to derive the pre-shared key. When the IEEE created 802.11i, AES replaced RC4, and WPA2-Personal was born. WPA3-Personal uses a different, more secure technique called SAE (Simultaneous Authentication of Equals).

Sometimes people interchangeably use “password,” “passphrase,” and “pre-shared key.” I’m personally fine with that… the context tells you what they’re talking about. Some examples:

  • Alice asks Bob: “Hey, what’s the password for your Wi-Fi?”
  • GUI tooltip: “Click the eyeball to reveal the pre-shared key.”

In both of these cases they are talking about the passphrase, but it’s not worth losing friends over!

WPA-Enterprise

When you do enterprise configuration, you need to be familiar with 802.1X and EAP. I remember it felt like voodoo, because I wasn’t particularly familiar with RADIUS at the time (circa 2004). That meant I had to come up to speed on both RADIUS and EAP at the same time.

I had used RADIUS in a basic sense with Windows 2000/2003’s IAS (Internet Authentication Service). I used it because I was setting up Cisco IOS to use AAA, and we had to use RADIUS because we didn’t have Cisco ACS, which would have provided TACACS+. As a reminder, RADIUS (or any AAA) provides these checks:

  • Authentication: Am I who I say I am?
  • Authorization: What do I get to do?
  • Accounting: What am I doing and how much of it?

The three roles within a RADIUS communication are:

  • Supplicant – the device wanting access to a resource
  • Client (the authenticator) – the network device the supplicant needs access to or through, such as the access point or switch
  • Authentication server – the device that allows or prevents access (provides an authentication and authorization response)

Once you authenticate, the RADIUS server sends a list of attribute-value pairs (AVPs) to the client indicating what kind of access the user/device should get.

When logging into Cisco IOS, IOS expected the RADIUS server to respond with:

  • Authentication – this is easy: does my username match my password?
  • Authorization – this is where the RADIUS server passes the attribute-value pairs (AVPs) back to the RADIUS authenticator

When I got into 802.1X, the thing that blew my mind was that I could pass a VLAN back to the RADIUS client, and it would apply that VLAN tag to every Ethernet frame that was dropped onto the wired network. For a university, based on a Windows group (though it could have been any criteria), students go on the “student VLAN” and staff go on a “staff VLAN,” which probably have different firewall rules and content controls, all while using the same SSID.

Hybrid Approach

What do we do if the station only supports WPA-Personal and not WPA-Enterprise, or if it’s determined that WPA-Enterprise is too hard? Some IoT devices do not even support WPA-Enterprise. So we use one WPA-Personal SSID, but we want each device to have a unique passphrase. Some vendor terms for this custom approach are:

  • iPSK (Identity Pre-Shared Key) – Cisco
  • PPSK (Private [or Per-user] PSK) – Juniper, Extreme, Fortinet
  • MPSK (Multi PSK) – Aruba
  • DPSK (Dynamic PSK) – Ruckus

These are all similar riffs on the same concept. The reason I call this hybrid is that some of these implementations actually pass the query along to a RADIUS server or a proprietary cloud, then read the AVP authorization response to make decisions, just as WPA-Enterprise would.

Because of the way that WPA3-Personal works (SAE), this approach isn’t reasonable there. Since 6 GHz doesn’t allow WPA or WPA2, some of these approaches are limited to the 2.4 or 5 GHz bands.
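As an added example (my own code, not from this post or any of the vendors named), here is the WPA/WPA2-Personal PSK derivation from the WPA-Personal section, with the passphrase and SSID rules enforced, plus a small model of the hybrid section’s idea: one SSID, a separate PBKDF2 derivation per device passphrase. The device names and passphrases are constructed sample values; WPA3’s SAE is not modelled.

```python
import hashlib

PBKDF2_ITERATIONS = 4096   # fixed by 802.11i for WPA/WPA2-Personal
PSK_LEN = 32               # 256-bit pre-shared key (this is also the PMK)


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2-Personal PSK from passphrase and SSID.

    802.11i: PSK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096 iterations, 256 bits).
    The SSID acts as the salt, so the same passphrase on two SSIDs yields two
    different keys. A 64-hex-digit string is not a passphrase but the raw PSK.
    """
    hexdigits = "0123456789abcdefABCDEF"
    if len(passphrase) == 64 and all(c in hexdigits for c in passphrase):
        return bytes.fromhex(passphrase)          # raw PSK supplied directly
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8-63 characters (or a 64-hex PSK)")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, PSK_LEN)


def per_device_psks(ssid: str, device_passphrases: dict) -> dict:
    """Model the iPSK/PPSK/MPSK/DPSK idea on one SSID.

    Each device gets its own passphrase and therefore its own PMK, so a
    passphrase leaked from one device does not yield any other device's key.
    """
    return {dev: derive_psk(pp, ssid) for dev, pp in device_passphrases.items()}


if __name__ == "__main__":
    # Constructed sample values for illustration only.
    print(derive_psk("password", "IEEE").hex())
    for dev, key in per_device_psks("corp-iot", {"cam-01": "CameraPass-01",
                                                 "cam-02": "CameraPass-02"}).items():
        print(dev, key.hex())
```

The first printed value is the 802.11i Annex test vector for passphrase “password” on SSID “IEEE”, which lets you check any other implementation against this one.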