What's considered the most secure enterprise wireless?

[cpals]

We are in the process of implementing a new wireless vendor and are open to suggestions to change our current security, if it isn't the best. Unfortunately, he's more here to implement what we tell him and not giving much direction.

We currently are doing WPA w/TKIP and radius/certificate authentication. I'm not much of a wireless person and inherited this design.

We are also trying to implement a sort of byod wireless and also a guest network that has a portal so an employee can 'approve' the guest on our network first.

So is our current setup good or is there a more secure way of doing it?

Thanks!

 

[spidey07]

Holy mackeral this topic could go a million ways. WPA2-AES enterprise is more than secure enough.

The trend today is having a single SSID that also does self provisioning of BYOD devices through a registration portal, pushing down VLAN memberships and access control lists. That's kinda advanced and it's easier to just have a corporate secure SSID and a guest/provisioning SSID that is wide open but only allowed to communicat with provisioning and guest control systems.

Ditch TKIP as modern radios need AES for throughput in hardware.

 

[RadiclDreamer]

The more secure the more of a pain it becomes. I would say WPA2-AES ENT with cert and mac filtering would be pretty darned secure, but not really worth it IMO since WPA2-AES ENT is good enough for most.

 

[Ayah]

The more secure the more of a pain it becomes. I would say WPA2-AES ENT with cert and mac filtering would be pretty darned secure, but not really worth it IMO since WPA2-AES ENT is good enough for most.

agreed. the question becomes, exactly how secure do you need it to be? it becomes exponentially more of a PITA the more secure you make it.

 

[Emulex]

you need to use radius and 2-factor authentication.

but really that's all pointless if the client is not 1000% secure aka byod.

 

[dawks]

Ditch TKIP as modern radios need AES for throughput in hardware.

TKIP also has a few small vulnerabilities, nothing major (not completely broken), but just another reason to move to AES.

As far as I know, if the hardware is setup to use RADIUS with something liek Server 2008 R2, as long as its implemented properly with the correct settings, the hardware doesn't matter much. Our larger affiliate organization requires we use cisco exclusively for wireless if we want to communicate with their network which is frustrating because we could implement a much better network (for our purposes) for 1/10th the cost with commodity hardware, and the same Server 2008 R2 RADIUS backend.

agreed. the question becomes, exactly how secure do you need it to be? it becomes exponentially more of a PITA the more secure you make it.

There's always a trade-off between security and convenience
The question is, how far do you want to push it.