8 advantages of unique Pre Shared Keys

Most people use one fixed WiFi password in their home or corporate network. This WiFi password is a WPA-Personal or WPA-PSK (pre-shared key) password. At the moment most networks use the WPA2 protocol, but this will be replaced by the new WPA3 protocol. For home networks this is a good solution, but not for corporate networks.

An alternative that is used in corporate networks is 802.1X (RADIUS). This is a good solution but it has some disadvantages: it is more complex and more expensive to manage. More and more companies are also evolving to a network without a (RADIUS) server and use, for example, Google G Suite. In addition, some clients have difficulties with certificates or aren’t compatible with RADIUS networks (for example IoT devices, printers, …).

If you want a secure solution that is compatible with every device, you need unique PSK passwords. Luckily, more and more vendors understand this problem and offer this solution. Examples: Aerohive/Extreme (PPSK), Ruckus (DPSK), Mist/Juniper and Cambium (ePSK).

Below we explain the different advantages of this feature.

Security (sniffing)

Within an open network it is very easy to sniff all the internet traffic. All websites without HTTPS go through the air in clear text. When you fill in your login details on this kind of website, any hacker can capture these details. Many people think this problem is solved by using a WPA-PSK key, but it isn’t. If you only use one fixed WiFi password, the hacker will have this password as well. They just need to capture the 4-way handshake to generate the encryption keys, and then they can decrypt your wireless traffic.

Below you can see an example. On the left a unique PSK is used, so the hacker couldn’t decrypt the traffic because he did not know the unique PSK. On the right he was able to decrypt the traffic because a shared PSK was used:

Thanks to Lee Wright for the screenshot. The epsk from Cambium Networks is used.
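The key derivation behind this, as an added example that is not part of the original post: in WPA2-Personal the session key depends only on the passphrase, the SSID and values that are sent in clear during the 4-way handshake. The SSID, MAC addresses, nonces and passphrases below are constructed sample values.

```python
import hashlib
import hmac

LABEL = b"Pairwise key expansion"


def pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk(pmk_: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """IEEE 802.11 PRF-384 for CCMP: KCK (16) | KEK (16) | TK (16)."""
    # Everything mixed in here besides the PMK is visible on the air.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for counter in range(3):  # 3 x 20-byte SHA-1 blocks cover the 48 bytes needed
        msg = LABEL + b"\x00" + data + bytes([counter])
        out += hmac.new(pmk_, msg, hashlib.sha1).digest()
    return out[:48]


def temporal_key(passphrase: str, ssid: str, handshake: dict) -> bytes:
    """The 16-byte key that protects this client's unicast data frames."""
    return ptk(pmk(passphrase, ssid), **handshake)[32:48]


# Constructed sample handshake values (not from a real capture).
SSID = "corp-wifi"
HANDSHAKE = {
    "ap_mac": bytes.fromhex("02aabbccdd01"),
    "sta_mac": bytes.fromhex("02aabbccdd02"),
    "anonce": bytes(range(32)),
    "snonce": bytes(range(32, 64)),
}


def derives_same_key(user_passphrase: str, observer_passphrase: str) -> bool:
    """True if an observer holding observer_passphrase gets the user's temporal key."""
    user_tk = temporal_key(user_passphrase, SSID, HANDSHAKE)
    observer_tk = temporal_key(observer_passphrase, SSID, HANDSHAKE)
    return hmac.compare_digest(user_tk, observer_tk)


if __name__ == "__main__":
    # One fixed password for everyone: every holder derives the same key.
    print("shared PSK:", derives_same_key("OfficeWifi2020", "OfficeWifi2020"))
    # Unique PSKs: another user's own passphrase gives an unrelated key.
    print("unique PSK:", derives_same_key("alice-7Hq2vLx9", "bob-Zk41mPw8"))
```

With unique PSKs every user has a different PMK, so knowing your own passphrase tells you nothing about a colleague's session key.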

Segmentation

Because you are using different WiFi passwords, you can segment users/groups. You can define different VLANs, and with some vendors you can even use different schedules, QoS rules, firewall rules, …

Example 1: In a school a teacher, a student and the principal each need a different VLAN. You can also choose to only allow students on the internet between 1 and 2 pm, and not on YouTube.

Example 2: In the example below you can make a separate policy for a BYOD, guest or IoT device.

Example of the ppsk from Aerohive

People leave the organisation

When someone leaves the company, you want to deactivate his access to the internal network. If you have a fixed WiFi password, you need to change it, which will affect all the devices of your other employees, and the ICT department will receive a lot of calls 😉. With a unique WiFi password you only need to disable that password, and the rest of your company will not be affected.

Do you want to disable the WiFi password automatically? Have a look at our Wiflex BYOD solution. We have an integration with Office365/Azure AD/Google Gsuite.

Users don’t pass personal passwords

A fixed WiFi password is passed on very easily, even to visitors/speakers. When you give people a personal WiFi password, they will not pass it on so easily, because they are responsible for that password and for the internet behavior linked to it.

IoT

IoT is not just hype anymore; it is used a lot in the business world. One of the problems with IoT devices is connecting them securely to the WiFi. RADIUS/802.1X is not an option because of the lack of support, and MAC authentication is not secure. As discussed, a fixed WiFi password is not a good idea. So this is a very good use case for unique WiFi passwords.

Guest network

Many companies use open SSIDs for guest networks. But this is very insecure, even with a captive portal. NAC solutions are secure but very difficult to set up and complicated for the guests/visitors.

For easy onboarding of guests with unique WiFi passwords you can use a QR code. Guests can scan this QR code with their mobile phone and they are connected. You can also define how long this password is valid.
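A sketch of the guest onboarding described above, as an added example that is not part of the original post and not any vendor's API: it generates a random unique passphrase, builds the widely used `WIFI:` QR payload with the required escaping, and records an expiry time. The function names, the record layout and the SSID are hypothetical; on a real deployment the WiFi controller enforces the expiry.

```python
import secrets
import string
from datetime import datetime, timedelta, timezone

# Letters and digits only: easy to type by hand if the QR scan fails.
ALPHABET = string.ascii_letters + string.digits


def new_guest_psk(length: int = 20) -> str:
    """Random WPA2 passphrase (the protocol allows 8 to 63 ASCII characters)."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 characters long")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def escape(value: str) -> str:
    """Backslash-escape the characters that are special in a WIFI: payload."""
    return "".join("\\" + c if c in '\\;,":' else c for c in value)


def wifi_qr_payload(ssid: str, psk: str) -> str:
    """Text to encode in the QR code; phones parse it and join the network."""
    return f"WIFI:T:WPA;S:{escape(ssid)};P:{escape(psk)};;"


def issue_guest_key(ssid: str, guest: str, hours: int, now: datetime) -> dict:
    """Hypothetical record a visitor system would push to the WiFi controller."""
    psk = new_guest_psk()
    return {
        "guest": guest,
        "psk": psk,
        "expires": now + timedelta(hours=hours),
        "qr": wifi_qr_payload(ssid, psk),
    }


def is_valid(record: dict, now: datetime) -> bool:
    """A key is usable only until its expiry time."""
    return now < record["expires"]


if __name__ == "__main__":
    start = datetime.now(timezone.utc)
    rec = issue_guest_key("Guest;WiFi", "visitor-1", hours=8, now=start)  # constructed SSID
    print(rec["qr"])
    print("valid after 9 hours:", is_valid(rec, start + timedelta(hours=9)))
```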

Do you want to automatically create a unique password when a guest arrives and deactivate it when he leaves the company? Have a look at our visitor registration or One Click solution from Wiflex.

Fewer SSIDs

More WiFi networks (SSIDs) have an adverse effect on WiFi quality. You get more overhead and less airtime for real data. With unique passwords you can use segmentation within one WiFi network, so you need fewer SSIDs.

Have a look at:
http://www.revolutionwifi.net/revolutionwifi/p/ssid-overhead-calculator.html

Cheap solution

Unique PSKs are a lot cheaper and less complex than a RADIUS or NAC solution for the onboarding of your guests and BYOD devices. Of course a NAC solution has more functionality than just onboarding. But if you only need the onboarding functionality, unique PSKs can be a great solution.

Jonas Dekkers

Co-founder of Wiflex and WiFi addict :-D

2 Comments

  1. Cloudwrt on 11 August 2020 at 6:17 pm

    In terms of security, there is no additional security offered by ePSK compared to PSK. In both cases, the intruder has to depend on a brute-force algorithm to break it.

    The biggest advantage of ePSK, PPSK/DPSK/iPSK is that the insider attack is not possible. Secondly, if the key is shared/leaked then the entire network is not impacted. One can simply disable the leaked/compromised key and can have the same level of security maintained.

  2. Network and Security on 29 December 2021 at 12:39 pm

    Amazing! Most people use one fixed WiFi password in their home or corporate network. This WiFi password is a WPA-personal or WPA-psk (pre shared key). Thank you so much.
