Archive for December, 2013

Cert-based Enterprise Authentication backup plan

If you run any kind of business where credit or debit card information traverses your network, and you have a wireless network attached, you should only be using serious security for the WLANs. By that, I mean Enterprise Auth, preferably based on device certificates. You could use pre-shared key security, since it makes things so much easier to install and maintain, but it can be cracked, not to mention those keys are “the keys to the kingdom”. If a bad guy (hacker, disgruntled employee, etc.) gets hold of the keys, you’ll have to change them on every remote device to ensure that everything is secure again. Not a fun prospect.

Anyhow, when running certificate-based Enterprise Authentication, there are no known hacks, but an expired cert could cause a device to drop off the network until it could pull a new certificate.  Or, something could go very wrong, potentially causing all devices on your WLAN to be unable to authenticate.

So, when you have a hundred remote sites, and someone forgot to update a critical certificate, how do you get all the devices communicating again?

Road Trip!!

Unfortunately, if you are already in that nightmare situation, it will likely require boots on the ground at all of those sites to fix.

But, if you haven’t already gotten into that disaster scenario, you can do the following steps using the same settings at each location (these aren’t EASY steps, but they can save tons of time and money later):

1.  Create a secondary WLAN, protected with WPA2 and a strong pre-shared key.
2.  This new WLAN should be administratively disabled.
3.  We’ll call the SSID “backup” for the sake of this example.  It doesn’t matter too much what you call it, since most people will never see it.
4.  Configure all of your devices to communicate to both your normal Enterprise Authenticated WLAN and this “backup” WLAN.  Ideally, this would be automated and/or part of the initial load image.
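Step 4 above, as an added example that is not part of the original post: a PowerShell script that loads the “backup” WPA2-PSK profile onto a Windows client beside its existing EAP-TLS profile and orders the two so the production SSID is always tried first. The SSID names, the adapter name and the assumption that the production profile is already installed by your certificate enrollment process are mine, not the post's.

```powershell
# Added example (not from the original post). Assumes the EAP-TLS production
# profile already exists on the client; only the PSK fallback is created here.
# "corp-eaptls", "backup" and "Wi-Fi" are assumed names; adjust to your site.
param(
    [string]$ProductionSsid = 'corp-eaptls',
    [string]$BackupSsid     = 'backup',
    [string]$Interface      = 'Wi-Fi',
    # Assumed: the PSK is handed in at deployment time, never baked into the image.
    [Parameter(Mandatory)][string]$BackupPsk
)

# Windows WLAN profile XML for a WPA2-PSK (AES) network. connectionMode=auto
# lets the client join as soon as the backup SSID is enabled on the APs.
$backupXml = @"
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>$BackupSsid</name>
  <SSIDConfig><SSID><name>$BackupSsid</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2PSK</authentication>
      <encryption>AES</encryption>
      <useOneX>false</useOneX>
    </authEncryption>
    <sharedKey>
      <keyType>passPhrase</keyType>
      <protected>false</protected>
      <keyMaterial>$BackupPsk</keyMaterial>
    </sharedKey>
  </security></MSM>
</WLANProfile>
"@

# Import for all users, then delete the temp file so the cleartext PSK does
# not linger on disk (Windows keeps it encrypted in its own profile store).
$tmp = Join-Path $env:TEMP "$BackupSsid.xml"
Set-Content -Path $tmp -Value $backupXml -Encoding UTF8
netsh wlan add profile filename="$tmp" user=all
Remove-Item $tmp -Force

# Production first, backup second: the client only lands on the PSK network
# when the EAP-TLS SSID is unavailable (e.g. administratively disabled).
netsh wlan set profileorder name="$ProductionSsid" interface="$Interface" priority=1
netsh wlan set profileorder name="$BackupSsid"     interface="$Interface" priority=2

# Show the resulting order so the load image can be verified before rollout.
netsh wlan show profiles interface="$Interface"
```

Run it once per device during imaging (or via your management tool); the production profile itself still comes from your normal certificate enrollment.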

When an issue occurs with a device (or, heaven forbid, all your devices):

1.  Enable the “backup” WLAN and disable the production WLAN.  Devices will see this available WLAN and jump on it.
2.  Using a remote admin tool (like RDP), you should now be able to fix the certificate on the problematic device.
3.  Once the device has been updated to fix the cert issue, enable the Production SSID and disable the “backup” SSID.

The key to this system is that the PSK should only ever be active for a few hours at a time at specific sites, while a problem is being worked.  Once the issue requiring this special SSID is taken care of, it should be immediately turned off.  This limits the amount of time that a hacker could have to attempt to crack the pre-shared key.

I do not know how many thousands of dollars implementing this strategy has saved my company, but it’s at least in the tens, if not hundreds.

Using this method gives you the best of both worlds: you get the security of Enterprise Authentication, along with the ease of use of WPA PSK.


December 5, 2013 at 12:12 am
