We are deploying an 802.11n wireless network in a manufacturing floor environment to enable rearranging of benches and work cells, as well as to streamline new processes. What wireless access control methods would you suggest using to keep workers from accessing the company's network with their personal devices while still allowing some key personnel access?
WPA2-Personal requires every device to supply a Pre-Shared Key (PSK) derived from a passphrase. For example, devices on your manufacturing floor might be required to supply the same random string of 20 characters known only to your IT department and configured during deployment. This method is often combined with MAC address filtering, so that only known devices with the right PSK are granted access. However, MAC address filters are easily bypassed, as are PSKs that are too short or too easy to guess.
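To make the PSK caveat concrete, here is an added example (not code from the original column) that derives the WPA2-Personal key the way 802.11i specifies it, from the passphrase and the SSID with PBKDF2-HMAC-SHA1 over 4096 iterations, and pairs it with a simple deployment-time strength check. The 20-character and 100-bit thresholds in `meets_psk_policy` are assumptions for illustration; the column only says the passphrase should be long and random.

```python
import hashlib
import math
import string

# Added example, not from the original column. WPA2-Personal turns the
# passphrase into a 256-bit Pairwise Master Key ("the PSK") with
# PBKDF2-HMAC-SHA1, salted by the SSID, 4096 iterations (IEEE 802.11i,
# Annex H.4). Every device joining the SSID ends up holding this same key,
# which is why one weak or leaked passphrase exposes the whole network
# rather than a single device.


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte PMK for a WPA2-Personal passphrase/SSID pair."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("ascii"), 4096, dklen=32
    )


def passphrase_entropy_bits(passphrase: str) -> float:
    """Rough strength estimate: log2(alphabet size) per character, where the
    alphabet is the union of the character classes actually used.
    This is an upper bound; dictionary words and patterns are far weaker."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),
    ]
    alphabet = sum(size for chars, size in classes
                   if any(c in chars for c in passphrase))
    if alphabet == 0:
        return 0.0
    return len(passphrase) * math.log2(alphabet)


def meets_psk_policy(passphrase: str, min_len: int = 20,
                     min_bits: float = 100.0) -> bool:
    """Deployment check an IT department might run before configuring a PSK.
    The thresholds are assumptions for this example, not from the column."""
    return (len(passphrase) >= min_len
            and passphrase_entropy_bits(passphrase) >= min_bits)


if __name__ == "__main__":
    # Constructed inputs: the 802.11i Annex H.4 test vector and a random-style
    # 20-character string of the kind the column recommends.
    weak, strong = "password", "Xk7#pQ9mL2vB4nR8sT1w"
    print("PSK for 'password'/'IEEE':", wpa2_psk(weak, "IEEE").hex())
    for p in (weak, strong):
        print(f"{p!r}: {passphrase_entropy_bits(p):.1f} bits,",
              "policy ok" if meets_psk_policy(p) else "policy FAIL")
    # Same passphrase, different SSID: a different key, because the SSID is
    # the salt. That is also why renaming the SSID changes every device's key.
    print(wpa2_psk(strong, "MachineNet") != wpa2_psk(strong, "SpecialNet"))
```

The derived key for the test vector (`"password"` on SSID `"IEEE"`) matches the value published in 802.11i, so the function can be used to confirm that a controller or supplicant is computing the PSK correctly; the entropy estimate is only a coarse screen that rejects short or single-class passphrases before they reach production.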
WPA2-Enterprise requires every device to complete an 802.1X log-on process that can support various authentication methods. For example, each device on your manufacturing floor might be required to prove its identity with a unique digital certificate. Alternatively, each device might be required to supply a unique username and password configured during deployment and known only to your IT department. With this Wi-Fi access control method, you will be able to tell which individual machines are logged on. When used with certificates, WPA2-Enterprise is less vulnerable to password sharing and reuse, which are common problems when employees know a valid username/password or PSK and simply configure those into personal devices.
But you also wish to allow some key personnel to access your company network from personal devices. A common approach to achieve this is to create separately named networks (SSIDs) and corresponding VLANs inside your wired network. IT-managed devices might be configured to access “MachineNet” using certificates issued during installation, while personal devices might be allowed to access “SpecialNet” with other credentials. In this way, key personnel are not given the PSK used by “MachineNet,” nor must they submit devices to IT.
However, you still want network access protection and a secure and simple way for key personnel to register their own devices for secure access to “SpecialNet.” Ask your WLAN or NAC vendor if they sell a visitor-management feature or a registration portal capable of walking personal devices through authorization and Wi-Fi provisioning. Another method for network access protection and wireless access control could be using a Mobile Device Manager (MDM) to shepherd these tasks – to learn more, read this Information Security Magazine feature.
This was first published in June 2012