An overview of WiFi security and how Smallstep provides a managed solution to implement WPA2/3 Enterprise
1. What is certificate-based Wi-Fi authentication, and why is it more secure than traditional methods like WPA2-PSK?
Certificate-based Wi-Fi authentication (EAP-TLS) uses digital certificates to verify the identity of users or devices on a Wi-Fi network. This is more secure than WPA2-PSK, and than password-based WPA2-Enterprise methods such as PEAP with MSCHAPv2 inside the tunnel, because those rely on a shared or per-user password that can be leaked, phished by a rogue access point, or cracked offline from a captured handshake. With EAP-TLS each user or device holds its own private key and certificate: there is no password to capture or reuse, and a single lost device can be cut off by revoking its certificate without touching anyone else.
2. What are the key components of an 802.1x network using EAP-TLS, and how do they interact?
The 802.1X standard defines three roles, and a real deployment adds a fourth component behind them:
- Supplicant: the client device attempting to connect to the network.
- Authenticator: the network device the client talks to, a switch or wireless access point. It only relays EAP messages between the other two; it never sees the credential itself.
- Authentication Server: almost always a RADIUS server, which may consult LDAP behind the scenes.
- User or device directory: a database such as Active Directory, or a device inventory, that the authentication server checks the presented identity against.
The supplicant and authenticator exchange EAP over the wireless link (EAPOL); the authenticator wraps those EAP messages in RADIUS and forwards them to the authentication server. With EAP-TLS the credential is a client certificate: a TLS handshake runs end to end between the supplicant and the RADIUS server, each side presenting a certificate, and the server validates the client's certificate chain against the CA it trusts, plus any revocation or directory check. It then returns Access-Accept together with the keying material the authenticator needs for the WPA 4-way handshake, or Access-Reject.
3. What is RADIUS, and how is it used in Wi-Fi authentication?
RADIUS (Remote Authentication Dial-In User Service) is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) for network access. In WPA2/WPA3-Enterprise Wi-Fi the access point acts as a RADIUS client: it forwards the client's EAP exchange to the RADIUS server (UDP port 1812 by default) inside Access-Request packets, the server answers with Access-Challenge while the EAP conversation is in progress, and finally with Access-Accept or Access-Reject. The server validates the credential, a certificate in the case of EAP-TLS, against its trusted CA and any user or device directory. The access point and the RADIUS server share a secret that authenticates their packets to each other; treat it like a password, use a different one per access point where you can, and prefer RADIUS over TLS (RadSec) or a VPN when the server is reached across the internet, as it is with a managed service.
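The exchange described in questions 2 and 3, shown as an added example that is not from the original page or from Smallstep: a Python model of the first RADIUS round trip of EAP-TLS, with the access point building an Access-Request around the client's EAP identity and the server answering with an Access-Challenge that starts TLS. The packet formats are those of RFC 2865, RFC 3579 and RFC 3748; the shared secret, device identity, NAS address and State value are constructed for the example. It shows what the shared secret actually protects: the Message-Authenticator (HMAC-MD5) on each packet and the Response Authenticator on the reply, so a packet from a party without the secret, or a tampered one, is discarded.

```python
"""RADIUS carrying EAP: the first round trip of EAP-TLS.
The access point (authenticator) wraps the client's EAP Response/Identity in
an Access-Request; the RADIUS server checks the Message-Authenticator with the
shared secret and replies with an Access-Challenge holding EAP-Request/TLS
"Start".  Formats per RFC 2865, RFC 3579 and RFC 3748.  Identities, the NAS
address, the State value and the shared secret are constructed for the example.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, NAS_IP_ADDRESS, STATE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 24, 79, 80
EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_IDENTITY, EAP_TYPE_TLS = 1, 2, 1, 13
EAP_TLS_FLAG_START = 0x20


def attr(kind, value):
    """RADIUS attribute: Type(1) Length(1, includes header) Value."""
    return bytes([kind, 2 + len(value)]) + value


def parse_attrs(raw):
    out = []
    while raw:
        length = raw[1]
        out.append((raw[0], raw[2:length]))
        raw = raw[length:]
    return out


def eap_packet(code, ident, eap_type, data=b""):
    """EAP packet: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    body = bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def build_packet(code, ident, authenticator, attrs, secret):
    """Code/ID/Length/Authenticator/Attributes plus a Message-Authenticator,
    mandatory whenever EAP-Message is present (RFC 3579 3.2): HMAC-MD5 keyed
    with the secret over the packet with the attribute's 16 value bytes zeroed."""
    body = b"".join(attrs) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac


def verify_message_authenticator(packet, request_authenticator, secret):
    """For a reply the HMAC is keyed with the Request Authenticator of the
    request it answers, not with the reply's own authenticator field."""
    length = struct.unpack("!BBH", packet[:4])[2]
    attrs = parse_attrs(packet[20:length])
    received = next((v for k, v in attrs if k == MESSAGE_AUTHENTICATOR), None)
    if received is None or len(received) != 16:
        return False
    zeroed = b"".join(attr(k, bytes(16) if k == MESSAGE_AUTHENTICATOR else v)
                      for k, v in attrs)
    expected = hmac.new(secret, packet[:4] + request_authenticator + zeroed,
                        hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def build_access_request(secret, identity, nas_ip=b"\xc0\xa8\x01\x01"):
    """Authenticator side.  Returns the packet and its Request Authenticator,
    which the authenticator must keep to check the reply."""
    req_auth = os.urandom(16)  # must be unpredictable and unique per request
    eap = eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, identity)
    attrs = [attr(USER_NAME, identity), attr(NAS_IP_ADDRESS, nas_ip),
             attr(EAP_MESSAGE, eap)]
    return build_packet(ACCESS_REQUEST, 1, req_auth, attrs, secret), req_auth


def server_reply(request, secret):
    """RADIUS server side: silently discard a request whose Message-Authenticator
    fails (wrong secret or tampering), otherwise open the EAP-TLS conversation."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    if code != ACCESS_REQUEST or not verify_message_authenticator(request, req_auth, secret):
        return None
    eap_in = dict(parse_attrs(request[20:length]))[EAP_MESSAGE]
    eap_out = eap_packet(EAP_REQUEST, (eap_in[1] + 1) & 0xFF, EAP_TYPE_TLS,
                         bytes([EAP_TLS_FLAG_START]))
    reply = build_packet(ACCESS_CHALLENGE, ident, req_auth,
                         [attr(EAP_MESSAGE, eap_out), attr(STATE, b"sess-1")], secret)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return reply[:4] + resp_auth + reply[20:]


def verify_response(response, request_authenticator, secret):
    """Authenticator side: accept a reply only if both authenticators check out."""
    expected = hashlib.md5(response[:4] + request_authenticator
                           + response[20:] + secret).digest()
    return (hmac.compare_digest(response[4:20], expected)
            and verify_message_authenticator(response, request_authenticator, secret))


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req, req_auth = build_access_request(secret, b"device-C02XYZ")
    resp = server_reply(req, secret)
    print("challenge verified:", verify_response(resp, req_auth, secret))
    print("wrong secret discarded:", server_reply(req, b"wrong") is None)
```

The TLS records that follow travel the same way, fragmented across EAP-Message attributes, and the final Access-Accept also carries the MS-MPPE-Recv-Key/Send-Key attributes (RFC 2548) from which the access point derives the key for the 4-way handshake. The MD5-based authenticators are also why RADIUS should not cross untrusted networks without an additional layer such as IPsec or RadSec.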
4. What is WPA3-Enterprise 192-bit mode, and what cryptographic parameters does it require?
WPA3-Enterprise 192-bit mode (the Wi-Fi Alliance's profile of the Suite B / CNSA 192-bit suite) is currently the most secure Wi-Fi security grade available. It pins the cryptographic parameters of both the EAP-TLS handshake and the link itself:
- Certificates must use ECC on the curve secp384r1 (NIST P-384). This applies to the device certificate, the RADIUS server certificate and every CA in the chain. (The WPA3 specification also permits RSA keys of at least 3072 bits, but ECC is the profile to build new deployments on.)
- Protocol must be TLS 1.2 or later, restricted to the AES-256-GCM / SHA-384 cipher suites.
- Cipher algorithm must be AES-256: GCMP-256 for data frames and BIP-GMAC-256 for protected management frames.
- Key exchange algorithm must be ECDHE on P-384.
- Digital signature algorithm must be ECDSA.
- Hashing algorithm must be SHA-384.
These parameters provide an effective security level of 192 bits. However, not all devices support this mode, because the radio hardware has to implement GCMP-256, and the profile is all or nothing: a P-384 device certificate signed by an existing P-256 or SHA-256 CA, or a RADIUS server certificate that does not meet the profile, is rejected by a supplicant or server enforcing 192-bit mode even though the rest of the chain complies.
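An added example, not from the page or from Smallstep, of checking certificates against the parameters above in Python with the `cryptography` package (assumed to be installed). It generates its own P-384 CA and device certificates with constructed names, then runs a checker over each certificate in a chain: the key must be on secp384r1 and the signature must be ecdsa-with-SHA384. Two deliberately non-compliant device certificates, one on P-256 and one signed with SHA-256, show the mixed-chain failure mode described above.

```python
"""Check X.509 certificates against the WPA3-Enterprise 192-bit profile:
P-384 (secp384r1) keys and ecdsa-with-SHA384 signatures on every certificate
in the chain.  Fixtures are generated in process with constructed names so
the example runs offline.  Requires the `cryptography` package."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID, SignatureAlgorithmOID


def make_cert(curve, hash_alg, common_name, issuer_key=None, issuer_name=None):
    """Self-signed CA when no issuer is given, otherwise signed by issuer_key."""
    key = ec.generate_private_key(curve)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    is_ca = issuer_key is None
    cert = (x509.CertificateBuilder()
            .subject_name(name)
            .issuer_name(name if is_ca else issuer_name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=30))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(key if is_ca else issuer_key, hash_alg))
    return key, cert


def check_192bit(cert):
    """Return the list of profile violations for one certificate (empty = OK).
    The signature fields describe how the *issuer* signed this certificate, so
    a P-384 device key signed by a SHA-256 CA still fails."""
    problems = []
    pub = cert.public_key()
    if not isinstance(pub, ec.EllipticCurvePublicKey):
        problems.append("public key is not an EC key")
    elif pub.curve.name != "secp384r1":
        problems.append(f"curve is {pub.curve.name}, need secp384r1")
    if cert.signature_algorithm_oid != SignatureAlgorithmOID.ECDSA_WITH_SHA384:
        h = cert.signature_hash_algorithm
        problems.append(f"signature algorithm {cert.signature_algorithm_oid.dotted_string} "
                        f"({h.name if h else 'no hash'}) is not ecdsa-with-SHA384")
    return problems


def check_chain(chain):
    """chain = [device cert, intermediates..., root]; subject CN -> problems."""
    return {c.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value: check_192bit(c)
            for c in chain}


def example_certs():
    """Constructed fixtures: a compliant CA, one compliant device certificate,
    and the two mistakes an existing P-256 or SHA-256 PKI typically produces."""
    ca_key, ca = make_cert(ec.SECP384R1(), hashes.SHA384(), "Example Wi-Fi CA")
    _, good = make_cert(ec.SECP384R1(), hashes.SHA384(), "device-good", ca_key, ca.subject)
    _, p256 = make_cert(ec.SECP256R1(), hashes.SHA384(), "device-p256", ca_key, ca.subject)
    _, sha256 = make_cert(ec.SECP384R1(), hashes.SHA256(), "device-sha256", ca_key, ca.subject)
    return {"ca": ca, "good": good, "p256": p256, "sha256": sha256}


if __name__ == "__main__":
    certs = example_certs()
    for label in ("good", "p256", "sha256"):
        print(label, check_chain([certs[label], certs["ca"]]))
```

To audit a real deployment, load the device certificate, the RADIUS server certificate and the CA chain with `x509.load_pem_x509_certificate` and pass each list to `check_chain`; any non-empty entry is a certificate that will break 192-bit mode.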
5. Why is MAC address filtering considered an unreliable security measure for Wi-Fi networks?
MAC address filtering involves creating an allowlist or denylist of MAC addresses to control network access. However, MAC addresses can be easily spoofed (on Linux a single `ip link set` command changes one), allowing unauthorized devices to bypass the filter by using an approved MAC address. Discovering an approved address is trivial, because 802.11 frame headers, including source and destination MAC addresses, are never encrypted, even on WPA2/WPA3 networks: a passive sniffer in monitor mode lists every allowed client within seconds, further compromising the security provided by MAC address filtering.
6. What is an SSID, and why is hiding it not an effective security measure?
SSID (Service Set Identifier) is the name of a Wi-Fi network. Hiding the SSID by disabling its broadcast may deter casual users, but it does not provide significant security. The access point still sends beacons, just with an empty SSID field, so sniffers such as Wireshark or Kismet show that a network exists. The name itself leaks as soon as a legitimate client connects: the client has to send a probe request naming the hidden SSID, the access point answers with a probe response containing it, and the association request repeats it, all in clear. Worse, a client configured for a hidden network keeps probing for it by name wherever it goes, which makes the device trackable.
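As an added example, not from the original page, here is a small Python decoder for 802.11 management frames that shows exactly where the name of a hidden network appears. The three frames (a hidden-SSID beacon, the client's probe request and the access point's probe response), their MAC addresses and the SSID "CorpWiFi" are constructed for the example; the layout is the standard 24-byte management header followed by tagged information elements. Running it over a real capture would take the raw frame bytes from a monitor-mode interface instead.

```python
"""Where a hidden SSID leaks, shown on 802.11 management frames.
parse_mgmt_frame() decodes the 24-byte management header and the body's tagged
information elements.  A beacon from an AP with SSID broadcast disabled carries
an empty SSID element; the client's probe request and the AP's probe response
carry the name in clear.  All frames, addresses and the SSID are constructed.
"""
import struct

MGMT_SUBTYPES = {4: "probe-request", 5: "probe-response", 8: "beacon"}
IE_SSID, IE_SUPPORTED_RATES = 0, 1


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ie(element_id, data):
    """Information element: Element ID(1) Length(1) Data."""
    return bytes([element_id, len(data)]) + data


def mgmt_frame(subtype, da, sa, bssid, body):
    """Frame Control (type 0 = management, subtype in bits 4-7), Duration,
    Addr1 = DA, Addr2 = SA, Addr3 = BSSID, Sequence Control, then the body.
    802.11 header fields are little-endian."""
    return struct.pack("<HH", subtype << 4, 0) + da + sa + bssid + struct.pack("<H", 0) + body


def parse_ies(body):
    ies = {}
    while len(body) >= 2:
        element_id, length = body[0], body[1]
        ies[element_id] = body[2:2 + length]
        body = body[2 + length:]
    return ies


def parse_mgmt_frame(frame):
    fc, = struct.unpack_from("<H", frame, 0)
    frame_type, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if frame_type != 0:
        raise ValueError("not a management frame")
    body = frame[24:]
    if subtype in (5, 8):   # beacon / probe response start with fixed fields:
        body = body[12:]    # timestamp(8) + beacon interval(2) + capability(2)
    ssid = parse_ies(body).get(IE_SSID)
    # A "hidden" network sends a zero-length SSID element (some vendors send
    # the real length filled with NULs instead); either way the name is absent.
    hidden = ssid is not None and ssid.strip(b"\x00") == b""
    return {
        "subtype": MGMT_SUBTYPES.get(subtype, subtype),
        "transmitter": mac(frame[10:16]),
        "bssid": mac(frame[16:22]),
        "ssid": None if ssid is None or hidden else ssid.decode("utf-8", "replace"),
        "ssid_hidden": hidden,
    }


def ssids_revealed(frames):
    """Network names a passive sniffer learns from a capture, whoever sent them."""
    return {p["ssid"] for p in map(parse_mgmt_frame, frames) if p["ssid"]}


# Constructed capture: a hidden-SSID beacon, then a client joining the network.
AP, CLIENT, BROADCAST = bytes.fromhex("0011223344aa"), bytes.fromhex("66778899bbcc"), b"\xff" * 6
RATES = ie(IE_SUPPORTED_RATES, bytes([0x82, 0x84, 0x8B, 0x96]))
BEACON_FIXED = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, interval, capabilities
HIDDEN_BEACON = mgmt_frame(8, BROADCAST, AP, AP, BEACON_FIXED + ie(IE_SSID, b"") + RATES)
PROBE_REQUEST = mgmt_frame(4, BROADCAST, CLIENT, BROADCAST, ie(IE_SSID, b"CorpWiFi") + RATES)
PROBE_RESPONSE = mgmt_frame(5, CLIENT, AP, AP, BEACON_FIXED + ie(IE_SSID, b"CorpWiFi") + RATES)
CAPTURE = [HIDDEN_BEACON, PROBE_REQUEST, PROBE_RESPONSE]

if __name__ == "__main__":
    for frame in CAPTURE:
        print(parse_mgmt_frame(frame))
    print("revealed:", ssids_revealed(CAPTURE))
```

The beacon alone yields only the BSSID and the fact that a network is present; the client's own probe request gives the name away, transmitted from the client's address, which is what makes devices configured for hidden networks easy to track.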
7. What is Smallstep, and what services does it offer related to Wi-Fi security?
Smallstep is a company that provides solutions for certificate management and secure Wi-Fi. It offers services such as a fully-managed Certificate Authority (CA), RADIUS server, and tools for deploying certificate-secured Wi-Fi using WPA2/WPA3 Enterprise standards. They also provide device identity solutions and integrations with platforms like Jamf and Intune for certificate deployment.
8. How can I implement EAP-TLS with Smallstep in my home or business network?
To implement EAP-TLS with Smallstep, you need to:
- Sign up for a Smallstep account.
- Create a Device Collection within Smallstep, specifying the device platform (e.g., macOS, iOS, Windows).
- Add your devices to the collection, using their serial numbers as Device Identifiers.
- Create a "Wi-Fi" account, providing your Wi-Fi SSID and public-facing IP address.
- Configure your access point or router for WPA2- or WPA3-Enterprise, entering the RADIUS server address, port and shared secret that Smallstep provides.
- Generate and install client certificates on your devices using Smallstep's tools, such as mobileconfig profiles for Apple devices or PKCS#12 (.p12) bundles for other operating systems. The profile should also tell the supplicant which CA and server name to expect from the RADIUS server, so that a client never completes the handshake with a rogue access point.