Occasional Contributor II
Posts: 51
Registered: ‎03-15-2014

WPA2- Personal vs Enterprise

Are there performance differences associated with WPA2 Personal vs Enterprise?

 

Looking to auth devices via mac address to a secure (teacher) role across specific vlans.

Other devices would be placed in a generic (student) role across another set of vlans.

This would allow us to easily identify student traffic and apply content filter roles as needed.

 

Any suggestions greatly appreciated.

Thanks.

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: WPA2- Personal vs Enterprise

Enterprise is per-user and/or per-device authentication (unique credentials), whereas Personal uses a shared key.

If your users already have accounts, then enterprise is your best option (and most secure).


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I
Posts: 171
Registered: ‎04-13-2009

Re: WPA2- Personal vs Enterprise

"Are there performance differences associated with WPA2 Personal vs Enterprise?"

 

For actual traffic encryption I believe they use the same encryption algorithm based on AES, so there would be no difference. The main difference is during authentication. During roaming there may be more overhead to join the next AP when using Enterprise, but this should not really be noticeable to the end user unless you have high latency between your network and AAA servers.

 

Authing devices via MAC is not very secure, and if you have tech-savvy students it's only a matter of time before they figure out how to clone a MAC and get teacher access.

 

What are you using to authenticate your users? If you have AD in the back end you should be able to pass back role information and assign Teacher vs Students to different roles, even while keeping them on the same VLAN in the Aruba infrastructure. If you need to apply FW policies upstream, you might be forced to use VLAN, but I would still suggest role mapping over MAC filtering.

 

Let me know if you have questions about these options.


_ELiasz

-------------------
ACDX, ACCP, CISSP, CWNA
Occasional Contributor II
Posts: 51
Registered: ‎03-15-2014

Re: WPA2- Personal vs Enterprise

We currently are using Enterprise.

However, we are transitioning away from AD.

Currently our staff only need it to auth into Enterprise wireless network.

 

Is it possible to use Enterprise w/ MAC address only?

In my testing so far it's requiring a username and password to be applied.

This is with MAC auth and failover to 802.1x enabled.

 

Thanks,

 

Regular Contributor I
Posts: 171
Registered: ‎04-13-2009

Re: WPA2- Personal vs Enterprise

Enterprise, or 802.1x, requires a username and password.

 

"we are transitioning away from AD."

 

What are you moving to? I assume you will still have some sort of directory/radius services? Do you have Aruba Clearpass?

 

"Is it possible to use Enterprise w/ MAC address only?"

 

No, Enterprise requires a username and password. Unless the user manually enters their password as their MAC address, I am not aware of any mechanism to have a device submit their 802.1x auth with their MAC address.

 

I would really suggest you move away from MAC filtering at all on your secure network. It offers basically no security.

-------------------
ACDX, ACCP, CISSP, CWNA
Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: WPA2- Personal vs Enterprise

No, you need credentials. What are you moving to for an identity store?


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite
Posts: 21,272
Registered: ‎03-29-2007

Re: WPA2- Personal vs Enterprise

No meaningful difference in performance with the encryption types, no.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 51
Registered: ‎03-15-2014

Re: WPA2- Personal vs Enterprise

Transitioning over to Google Apps for Edu.

Cloudessa provides it as a directory but no budget for it.

 

No clearpass either.

 

Even with Enterprise setup to auth via AD teachers still give out creds / lose creds and we have had students on secure network.

 

My hope was that mac auth would limit this further.

Maybe MAC + Another Role ID to transition into roles rather than VLAN.

 

However, you bring up a great point - our students would be past the MAC address auth in no time.

Time to rethink this design.

 

Additionally, our OSX laptops occasionally are not happy with our 802.1x network but auth onto legacy PSK network no problem.

 

Thanks.  Awesome input.

Regular Contributor I
Posts: 171
Registered: ‎04-13-2009

Re: WPA2- Personal vs Enterprise

If you do not have the budget, but you do have the time and effort, you could set up FreeRadius.

 

http://freeradius.org/

 

I know it's another system to administer, but at least you could stop using AD and save that cost.

 

Another option is that if you have a certificate authority, you could distribute certs to Teachers, and students would auth with a username and password. Then you can assign roles based on auth type. But again, this might require another investment in hardware, so it's only feasible if you already have a certificate authority.

 

_ELiasz

-------------------
ACDX, ACCP, CISSP, CWNA
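
The "assign roles based on auth type" idea from the post above, sketched as an added example (not from the thread and not Aruba's or FreeRADIUS's own configuration): a FreeRADIUS 3.x `post-auth` fragment that returns an Aruba role according to the outer EAP method. It assumes the Aruba vendor dictionary is loaded, that the `eap` module is enabled with both TLS and PEAP, and that roles named `teacher` and `student` (hypothetical names) exist on the controller.

```conf
# sites-enabled/default (FreeRADIUS 3.x), added example.
# Role names below are assumptions and must match roles defined on the controller.
post-auth {
    # The eap module records the outer method the client negotiated in EAP-Type.
    if (&EAP-Type == TLS) {
        # Client proved possession of a certificate issued by your CA:
        # treat as a staff device.
        update reply {
            &Aruba-User-Role := "teacher"
        }
    }
    elsif (&EAP-Type == PEAP) {
        # Username/password inside the PEAP tunnel: student role.
        update reply {
            &Aruba-User-Role := "student"
        }
    }
    # Any other request gets no role attribute, so the controller's
    # default role for the SSID applies. Keep that default restrictive.
}
```

A shared or leaked password then only ever yields the student role, because the teacher role is tied to a certificate installed on the device rather than to something a user can read out.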
Occasional Contributor II
Posts: 51
Registered: ‎03-15-2014

Re: WPA2- Personal vs Enterprise

Any documentation on the CA authentication setup and config?