Modernizing Authentication — What It Takes to Transform Secure Access
Deploying WPA2-Enterprise security with 802.1X authentication across your Wi-Fi network of PCs is already quite a task. Adding in support of all the mobile phones and tablets makes it even more daunting. However, there are several solutions out there to help end-users configure their own devices, which can help cut down calls to the IT staff.
Here we’ll discuss solutions for automating 802.1X configuration on iOS, Android, and BlackBerry devices:
iPhone Configuration Utility (iPCU) for iOS devices
Apple offers the free iPhone Configuration Utility (iPCU) that runs on Windows and Mac OS X to help configure and manage a variety of network settings for iOS products: the iPhone, iPod Touch, and iPad. Plus it’s how you setup 802.1X in Mac OS X 10.7 Lion since Apple now removed the settings in the OS.
In addition to wireless settings, iPCU can distribute security policies, VPN configuration, MS Exchange and email settings, and digital certificates.https://o1.qnsr.com/log/p.gif?;n=203;c=204634421;s=15939;x=7936;f=201702151714490;u=j;z=TIMESTAMP;a=20304455;e=i
Once you define the settings in iPCU it generates a XML configuration profile that you can create for specific users, groups, or a single profile for all users. Then you can distribute it to users by email or a website. There are a few security options to help prevent the altering of settings or to encrypt the profile to protect the settings and ties it to a specific iOS device. You can also connect devices to the computer running iPCU and install the configuration profiles directly. When a user opens or downloads the configuration profile, they are prompted to start the painless automated configuration.
XpressConnect for Android, iOS & more
To support 802.1X for both iOS and Android, you might consider the XpressConnect solution from Cloud Path Networks. In addition to mobile devices, it has full support for distributing wired and wireless configurations to Windows, Mac OS X, and Ubuntu machines. It supports the main EAP types: PEAP, TTLS, and EAP-TLS.
You define the network settings on the hosted web-based Cloudpath administrative console. In the end, you’ll get a Web interface you can upload to your Web server. This Web interface can serve as the single point to start the configuration process on all the supported devices: Android, iOS, and computers.
Users can visit the website and it will begin the configuration process for their particular device or OS. For Android devices, users will be prompted with a link to install the XpressConnect Android app, which is required for it to configure the settings. For iOS devices, it automatically downloads a .mobileconfig file to automatically configure, just like with the iPCU from Apple.
For PCs, it creates a wizard that you can also download and distribute via other mediums to users. Additionally, it can create MSI installers and supports group policy deployments for managed devices. End users then just have to simply run the wizard and it automatically configures the network and connects.
BlackBerry Enterprise Server for BlackBerry devices
If your organization uses the BlackBerry Enterprise Server or the free BlackBerry Enterprise Server Express, you can use it to distribute Wi-Fi profiles, VPN profiles, and IT policy rules to the BlackBerry devices you manage.
If you don’t have a BlackBerry Server yet, consider installing it on a Windows Server, Windows Small Business Server, or an IBM Lotus Domino server. It also gives employees access to their Exchange or Lotus Domino services from their BlackBerry phones via the cell and Wi-Fi networks. They can wirelessly access and synchronize their email, calendar, contacts, and remotely download, view and edit files stored on your network. Plus, you can distribute BlackBerry Java Applications to the users.
The BlackBerry Server supports distributing Wi-Fi profiles for all the main 802.1X/EAP types: PEAP, EAP-TLS, EAP-TTLS, LEAP, EAP-FAST, and EAP-SIM. Then you can also push any required server or client certificates to the BlackBerry devices over the cell network if you’re using the Enterprise Server. If using the free Express version, you’re limited to using the BlackBerry Desktop Manager installed on the user’s PC to install certificates.
When creating Wi-Fi profiles you can also set additional 802.1X options: Link Security, Hard Token Required, Server Subject, Server SAN, and Disable Server Certificate Validation. Once created, you can push the Wi-Fi profile to the BlackBerry devices by resending the IT policy.
When using the Enterprise Server you can enable the certificate enrollment process of devices through another security policy. Then you can automatically enroll certificates onto the devices from the following certification authorities (CA): RSA, Microsoft standalone, and Microsoft enterprise. When using the Express version of the Enterprise Server, you’d have to inform users on how to use the certificate synchronization tool of the BlackBerry Desktop Manager software installed on their PC or do this for them.
Eric Geier is the founder of NoWiresSecurity, which helps businesses easily protect their Wi-Fi networks with the Enterprise mode of WPA/WPA2 security. He is also a freelance tech writer. Become a Twitter follower or use the RSS feed to keep up with his writings.