Problem solve Get help with specific problems with your technologies, process and projects.

Obtaining wireless access control for personal devices

Lisa Phifer explains methods for wireless access control to allow employees certain but not full access to a company’s network and maintaining network access protection.

We are deploying an 802.11n wireless network in a manufacturing floor environment to enable rearranging of benches and work cells, as well as to streamline new processes. What wireless access control methods would you suggest using to keep workers from accessing the company's network with their personal devices while still allowing some key personnel access?

For this type of wireless access control, I would suggest access controls built into all Wi-Fi certified 802.11n devices include Wi-Fi Protected Access version 2 (WPA2) Personal and Enterprise.

Do you have a question for our experts?

Submit your question directly to our editors at editor@searchnetworking.com

WPA2-Personal requires every device to supply a Pre-Shared Key (PSK) derived from a passphrase. For example, devices on your manufacturing floor might be required to supply the same random string of 20 characters known only to your IT department and configured during deployment. This method is often combined with MAC address filtering, so that only known devices with the right PSK are granted access. However, MAC address filters are easily bypassed, as are PSKs that are too short or too easy to guess.

WPA2-Enterprise requires every device to complete an 802.1X log-on process that can support various authentication methods. For example, each device on your manufacturing floor might be required to prove its identity with a unique digital certificate. Alternatively, each device might be required to supply a unique username and password configured during deployment and known only to your IT department. With this Wi-Fi access control method, you will be able to tell which individual machines are logged on. When used with certificates, WPA2-Enterprise is less vulnerable to password sharing and reuse, which are common problems when employees know a valid username/password or PSK and simply configure those into personal devices.

Read more of Lisa’s expert advice

Creating Wi-Fi policy: Elements to consider before implementation

Overcoming wireless network interference in public venues

Using wireless network bandwidth monitoring to stay within data caps

But you also wish to allow some key personnel to access your company network from personal devices. A common approach to achieve this is to create separately named networks (SSIDs) and corresponding VLANs inside your wired network. IT-managed devices might be configured to access “MachineNet” using certificates issued during installation, while personal devices might be allowed to access “SpecialNet” with other credentials. In this way, key personnel are not given the PSK used by “MachineNet,” nor must they submit devices to IT.

However, you still want network access protection and a secure and simple way for key personnel to register their own devices for secure access to “SpecialNet.” Ask your WLAN or NAC vendor if they sell a visitor-management feature or a registration portal capable of walking personal devices through authorization and Wi-Fi provisioning. Another method for network access protection and wireless access control could be using a Mobile Device Manager (MDM) to shepherd these tasks – to learn more, read this Information Security Magazine feature.

This was last published in June 2012

Dig Deeper on Wireless LAN (WLAN)

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.