Most of my Wi-Fi career was thinking about the enterprise. No doubt that the enterprise is where you really have to put on your “Wi-Fi hat,” because you’re typically dealing with many (many!) access points. The smallest design and installation I ever did was 4 access points, and the largest was several thousand.
WPA-Personal
This is the basic “password-based” authentication mechanism that is used in most residential scenarios, and by various SSIDs in the enterprise as well. It’s usually used when:
- the administrator or home user doesn’t want to, or doesn’t have the knowledge to, set up a proper infrastructure
- an access point or station can’t support “proper” 802.1X (either on the client side or the infrastructure side)
When WEP was determined to have a hole large enough to drive a truck through, some very smart folks at the Wi-Fi Alliance came up with the notion of using the encryption method built into any device that supported WEP (RC4) and wrapping it into a temporal key format. The result was WPA-Personal. It runs the passphrase, SSID, and a few other parameters through the PBKDF2 algorithm to derive a pre-shared key. When the IEEE created 802.11i, AES replaced RC4, and WPA2-Personal was born. WPA3-Personal uses a different, more secure technique called SAE (Simultaneous Authentication of Equals).
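As an added example (not code from the original post), here is the passphrase-to-PSK derivation the paragraph describes, written in Python with the standard library. The inputs to PBKDF2 are the passphrase (8 to 63 printable ASCII characters) and the SSID as the salt, with 4096 iterations of HMAC-SHA1 producing a 256-bit key; the check against "password"/"IEEE" uses the test vector published in the 802.11 standard's annex. The `psk_from_config` helper is an assumption about how hostapd/wpa_supplicant-style configuration files accept either a passphrase or a raw 64-hex-digit PSK, not code from those projects.

```python
import hashlib
import re

# WPA/WPA2-Personal PSK derivation (IEEE 802.11, originally 802.11i):
#   PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, iterations=4096, dkLen=32 bytes)
PBKDF2_ITERATIONS = 4096
PSK_LEN = 32


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK from a passphrase and the SSID it is used with."""
    if not 8 <= len(passphrase) <= 63 or any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid_bytes,
                               PBKDF2_ITERATIONS, PSK_LEN)


def psk_hex(passphrase: str, ssid: str) -> str:
    """Same derivation, returned as the 64 hex digits many GUIs display as 'the pre-shared key'."""
    return wpa_psk(passphrase, ssid).hex()


def psk_from_config(value: str, ssid: str) -> bytes:
    """Accept either a passphrase or a raw 64-hex-digit PSK (assumed config convention).
    A raw PSK is used directly with no PBKDF2 step, so it is not bound to the SSID."""
    if re.fullmatch(r"[0-9a-fA-F]{64}", value):
        return bytes.fromhex(value)
    return wpa_psk(value, ssid)


if __name__ == "__main__":
    # Standard test vector: passphrase "password", SSID "IEEE"
    print(psk_hex("password", "IEEE"))
    # Because the SSID is the salt, the same passphrase on a different SSID gives a different PSK
    print(psk_hex("password", "IEEE") != psk_hex("password", "IEEE-guest"))
```

The second print is the practical point of the salt: a table of PSKs precomputed for one SSID says nothing about another, which is one reason a non-default SSID plus a long passphrase holds up better than the passphrase alone.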
Sometimes people interchangeably use “password,” “passphrase,” and “pre-shared key.” I’m personally fine with that… the context tells you what they’re talking about. Some examples:
- Alice asks Bob: “Hey, what’s the password for your Wi-Fi?”
- GUI tooltip: “Click the eyeball to reveal the pre-shared key.”
In both of these cases they are talking about the passphrase, but it’s not worth losing friends over!
WPA-Enterprise
When you do enterprise configuration, you need to be familiar with 802.1X and EAP. I remember it felt like voodoo, because I wasn’t particularly familiar with RADIUS at the time (circa 2004). That meant I had to come up to speed on both RADIUS and EAP at the same time.
I had used RADIUS in a basic sense with Windows 2000/2003’s IAS (Internet Authentication Service). I used it because I was setting up Cisco IOS to use AAA, and we had to use RADIUS because we didn’t have Cisco ACS, which would have provided TACACS+. As a reminder, RADIUS (or any AAA) provides these checks:
- Authentication: Am I who I say I am?
- Authorization: What do I get to do?
- Accounting: What am I doing and how much of it?
The three roles within a RADIUS communication are:
- Supplicant – the device wanting access to a resource
- Client – the device the supplicant needs access to or through. Sometimes referred to as the authenticator.
- Authentication server – the device that allows or prevents access (provides an authentication and authorization response)
Once you authenticate, the RADIUS server sends a list of attribute-value pairs (AVPs) to the client indicating what kind of access the user/device should get.
When logging into Cisco IOS, the switch or router expected the RADIUS server to respond with:
- Authentication – answers the question: does my username match my password?
- Authorization – this is where the RADIUS server passes the attribute-value pairs (AVPs) back to the RADIUS authenticator (a Cisco IOS-based switch or router, in this example), which can then decide what to let the user do.
When I got into 802.1X, the thing that blew my mind was that I could pass a VLAN back to the RADIUS client, and it would apply that VLAN tag to every Ethernet frame that was put onto the wired network. For a university, based on a Windows group (though it could have been any criteria), students go on the “student VLAN” and staff goes on a “staff VLAN,” which probably have different firewall rules and content controls, all while using the same SSID.
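To make the AVP mechanics concrete, here is an added example (not code from the original post or from any vendor) of the exchange just described: the authenticator builds an Access-Request carrying the user name and the station's MAC, the server answers with an Access-Accept carrying the three RFC 3580 tunnel attributes that name the VLAN, and the authenticator verifies the reply's Response Authenticator against the shared secret before acting on it. The shared secret, user name, MAC address, packet identifier and VLAN number are all constructed values; the attribute numbers and the Response Authenticator formula are from RFC 2865 and RFC 2868.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 2868, RFC 3580)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, CALLING_STATION_ID, NAS_PORT_TYPE = 1, 31, 61
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802, NAS_PORT_WIRELESS_80211 = 13, 6, 19


def avp(attr_type, value):
    """Encode one attribute-value pair as Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def tagged_int(tag, value):
    """Tunnel-Type and Tunnel-Medium-Type carry a 1-byte tag followed by a 3-byte integer."""
    return bytes([tag]) + value.to_bytes(3, "big")


def packet(code, ident, authenticator, body):
    """RADIUS header: Code(1) Identifier(1) Length(2) Authenticator(16), then the attributes."""
    return struct.pack("!BBH16s", code, ident, 20 + len(body), authenticator) + body


def build_access_request(ident, request_auth, username, mac):
    """Authenticator (switch/AP) side: who is asking, and from which station."""
    body = b"".join([
        avp(USER_NAME, username.encode()),
        avp(CALLING_STATION_ID, mac.encode()),
        avp(NAS_PORT_TYPE, NAS_PORT_WIRELESS_80211.to_bytes(4, "big")),
    ])
    return packet(ACCESS_REQUEST, ident, request_auth, body)


def build_access_accept(ident, request_auth, secret, vlan_id, tag=1):
    """Server side: the three tunnel AVPs that tell the authenticator which VLAN to apply."""
    body = b"".join([
        avp(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN)),
        avp(TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_IEEE_802)),
        # Tunnel-Private-Group-ID is a string; a leading byte <= 0x1F is a tag, not text
        avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()),
    ])
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH16s", ACCESS_ACCEPT, ident, 20 + len(body), request_auth)
    resp_auth = hashlib.md5(header + body + secret).digest()
    return packet(ACCESS_ACCEPT, ident, resp_auth, body)


def parse_attributes(data):
    """Walk the TLV list, rejecting malformed lengths instead of reading past the buffer."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def verify_response(resp, request_auth, secret):
    """Authenticator side: recompute the Response Authenticator before trusting any AVP."""
    if len(resp) < 20:
        return False
    code, ident, length, resp_auth = struct.unpack("!BBH16s", resp[:20])
    if length != len(resp):
        return False
    header = struct.pack("!BBH16s", code, ident, length, request_auth)
    expected = hashlib.md5(header + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def vlan_from_accept(resp, request_auth, secret):
    """Return the assigned VLAN id, or None if the reply is unverified, not an Accept, or has no VLAN."""
    if not verify_response(resp, request_auth, secret) or resp[0] != ACCESS_ACCEPT:
        return None
    groups = {}  # tag -> {attr_type: value}; the tag ties the three AVPs together
    for attr_type, value in parse_attributes(resp[20:]):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            groups.setdefault(value[0], {})[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            tag, text = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            groups.setdefault(tag, {})[attr_type] = text.decode("ascii", "replace")
    for group in groups.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and group.get(TUNNEL_PRIVATE_GROUP_ID, "").isdigit()):
            return int(group[TUNNEL_PRIVATE_GROUP_ID])
    return None


def demo(secret=b"constructed-shared-secret", vlan=20):
    """One round trip; returns what the authenticator would apply in three situations."""
    request_auth = os.urandom(16)  # a real NAS picks a fresh random Request Authenticator per request
    req = build_access_request(7, request_auth, "alice", "00-11-22-33-44-55")  # constructed user and MAC
    acc = build_access_accept(req[1], request_auth, secret, vlan)
    tampered = acc[:-1] + bytes([acc[-1] ^ 0x01])  # last digit of the VLAN string altered in transit
    return {
        "valid": vlan_from_accept(acc, request_auth, secret),
        "wrong_secret": vlan_from_accept(acc, request_auth, b"not-the-secret"),
        "tampered": vlan_from_accept(tampered, request_auth, secret),
    }


if __name__ == "__main__":
    print(demo())
```

The three cases in `demo` are the ones worth remembering: the VLAN is only applied when the Response Authenticator checks out, so a reply from a host that does not hold the shared secret, or an Accept whose attributes were modified on the wire, is ignored rather than putting a port on the wrong VLAN. MD5 here is what the RADIUS protocol specifies, which is why the shared secret should be long and random and the RADIUS traffic confined to a management network or carried over RadSec/TLS.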
Hybrid Approach
What do we do if the station only supports WPA-Personal and not WPA-Enterprise? Or if it’s determined that WPA-Enterprise is too hard? Some IoT devices do not even support WPA-Enterprise. So we use one WPA-Personal SSID, but we want each device to have a unique passphrase. Some vendor terms for this custom approach are:
- IPSK (Identity Pre-Shared Key) – Cisco
- PPSK (Private [or Per-user] PSK) – Juniper, Extreme, Fortinet
- MPSK (Multi PSK) – Aruba
- DPSK (Dynamic PSK) – Ruckus
These are all similar riffs on the same concept. The reason I say this is hybrid is because some of these will actually pass the query along to a RADIUS server or proprietary cloud, then read the AVP authorization response to make decisions, just as WPA-Enterprise would do.
Some clever enterprise vendors even support individual passphrases for WPA3-Personal (e.g., Ruckus DPSK3). The approach reminds me of Cisco’s MAB (MAC Authentication Bypass) capability. Essentially, it’s using WPA3-Enterprise on the backend, even though the client thinks it’s WPA3-Personal. The MAC address is stored in the RADIUS server, so when the infrastructure sees the authentication attempt, it queries RADIUS for the authenticating MAC address and uses the returned unique value as the seed data in its Diffie-Hellman key exchange.