At VectorUSA, we get asked a lot about what goes into building a wireless network. Among the top wireless network concerns we hear about is network authentication.
We also address related concerns about network management, IoT, various device issues as well as overall network security.
When working with someone like VectorUSA for managed IT services, it’s important to fully understand:
- The types of authentication products and services the managed services provider (MSP) relies on to ensure a successful wireless network.
- The primary benefits you’ll receive from wireless network authentication.
- The types of questions your MSP will ask you about your wireless network plans.
- How the MSP has helped its customers overcome their network challenges.
Best-in-breed partners for network authentication
VectorUSA primarily relies on Aruba and Cisco as our best-in-breed partners for wireless network authentication. However, if a client wants the Aruba product but has other vendor networks in place, we're able to work with them. In fact, one of VectorUSA’s school district clients had four different wireless manufacturers and we were able to successfully integrate with all of them with no need to “rip and replace” to get the project done. There are cases, though, when replacing a network might make sense, especially if a product is nearing the end of its life-cycle.
"There are cases, though, when replacing a network might make sense, especially if a product is nearing the end of its life-cycle." Scott Jamison, Senior Wireless Network Engineer, VectorUSA
Even for wired networks that add network authentication, there is a financial incentive, because it lowers the cost of managing the network. Plus, when you plug in new devices that just work and end up on the right network, you won’t spend as much time troubleshooting and configuring ports manually.
Primary benefits of wireless network authentication
Once network authentication is up and running, you’re able to see who's connecting to your network. Beyond someone just connecting with a pre-shared key, you’ll know exactly who's connecting and when. You can then take that identity information, send it to your firewall and base policy on it. If you are in a financial group, you might have a policy that prohibits any traffic from going to China. Or, for educational institutions, students should never be allowed to visit a particular group of websites. VectorUSA can take authentication information and use it to better protect your network, or to provide only the access that’s appropriate to the role of the person who's connecting.
In the healthcare industry, secure networks are also vital for protecting patient information, especially with so many medical devices connected to networks via IoT (Internet of Things). You need a way for devices to connect to the network, but you also need to be able to control the traffic: where it's going and what it's doing. You need to determine if a device is misbehaving on the network, and if so, be able to limit its activity.
"You need to determine if the device is misbehaving on the network, and if so, be able to limit its activity." Scott Jamison, Senior Wireless Network Engineer, VectorUSA
If you have a camera that's talking back to a server in the cloud, and you don't want it doing that, you might want to shut that traffic down but still allow the camera to serve video on your network. You can then automatically profile the camera so that it is not permitted Internet traffic.
Be prepared to answer some essential questions
When considering wireless network authentication, there are several essential questions that you should be prepared to answer from your MSP, including questions about guest access and registration:
- When guests connect to your network, do you want them to be sponsored, meaning someone within the organization has to permit them on?
- Are you going to allow guests to self-register, and then through email or SMS, get a code so that they can log onto the network? Or, is someone going to be sitting at a desk?
For corporate-owned devices, it’s important to consider how those devices will connect to the network.
- Are you going to onboard them using certificates or are they going to be using a username and password?
- How are they going to be authenticated? Is it going to be against Active Directory or another authentication source?
- What's your security strategy for securing your infrastructure both at the edge (where you’re handing off to the Internet) and within the wired network, by placing probes to identify and track user behavior? It’s important to remember that keeping the inside of your network secure is just as important as securing the Internet edge.
While we always try to uncover answers to such questions, we also bring best practices to the table. However, it’s ultimately the customer’s decision concerning their planned outcome.
"While we always try to uncover answers to such questions, we also bring best practices to the table. However, it’s ultimately the customer’s decision concerning their planned outcome." Scott Jamison, Senior Wireless Network Engineer, VectorUSA
For example, we might set up wireless network access three different ways: via a pre-shared key, a username and password, or a secure certificate. The customer can then evaluate those options, including the positives and negatives of each, by experiencing each of them end to end in a development environment. We’ll then help the customer deploy their chosen solution while training their IT staff on using certificates, how to access the onboarding page and much more.
How we’ve helped our clients
In helping our clients fully understand what’s connected to their networks, we’ve alerted them to issues they weren’t even aware of.
Many clients, for example, have been unaware that their foreign-manufactured security cameras contain an embedded dial-home feature that reports back to China. Not wanting that to occur, they can still record video locally on their networks: their enforcement profiles now send that information to their firewalls, which keep the video inside their designated network boundary and do not let it out.
And for a municipality client, VectorUSA rebuilt their entire network, including network authentication at the wired level. They had no idea what was on their network.
When we started viewing and profiling different devices, we allowed connections to occur so we could find out what was on the network. The municipality quickly realized that they had many devices connected to their network that they didn’t even know existed.
They found several medical devices on the network and determined that they were connecting via the local fire department. That process provided the municipality visibility into what was occurring on their network that they wouldn't have known otherwise.
For the devices that needed to be on the network, we profiled them. Now that we knew they existed, instead of letting those devices go into a quarantine state, we created a profile for them so that when they’re plugged in at Station 1, they’ll get on the right network with the access they need. If one of the devices is moved to Station 3 and plugged in, it would still be permitted onto the network, because the profile for that device, or that type of device, is already set up.
That same approach works for new equipment as well. If a piece of equipment is new to Station 1 and profiled there, and the fire department wants to order that same device for Station 3, Station 3 simply plugs its new device in. The network will know what device it is, where it should go on the network, and what rights and access it has.
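As an added illustration, not VectorUSA's configuration or code from any Aruba or Cisco product, here is a small Python model of the enforcement profiles described in the camera and fire-station examples above: the profile follows the device to whichever station it is plugged into, the camera keeps serving video on the LAN but cannot dial home, and a device nobody has profiled lands in quarantine. All MAC addresses, VLAN numbers and subnets are constructed sample values.

```python
"""Toy enforcement-profile evaluator (constructed example, not vendor code)."""
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("10.0.0.0/8")   # constructed: the organisation's internal space
QUARANTINE_VLAN = 999                       # unprofiled devices land here, not on an open port


@dataclass(frozen=True)
class Profile:
    name: str
    vlan: int
    internet: bool                       # may the device reach addresses outside LAN?
    lan_ports: frozenset = frozenset()   # ports it may use inside LAN; empty means any


# Profiles are tied to the device type, not to the switch port it is plugged into.
PROFILES = {
    "security-camera": Profile("security-camera", vlan=30, internet=False,
                               lan_ports=frozenset({554})),   # RTSP video stays local
    "medical-device": Profile("medical-device", vlan=40, internet=False),
    "staff-laptop": Profile("staff-laptop", vlan=10, internet=True),
}

# Inventory produced by profiling, keyed by MAC address (constructed sample values).
INVENTORY = {
    "00:11:22:33:44:55": "security-camera",
    "00:11:22:33:44:66": "medical-device",
    "aa:bb:cc:dd:ee:01": "staff-laptop",
}


def assign_vlan(mac: str, station: str) -> tuple:
    """Return (vlan, profile name) for a device seen at any station.

    The station is recorded only for the audit trail: the same MAC gets the
    same VLAN at Station 1 and Station 3. Unknown devices are quarantined."""
    name = INVENTORY.get(mac.lower())
    if name is None:
        print(f"{mac} at {station}: unprofiled, quarantined")
        return QUARANTINE_VLAN, "quarantine"
    return PROFILES[name].vlan, name


def permit(profile_name: str, dst_ip: str, dst_port: int) -> bool:
    """Firewall decision derived from the authenticated profile, not the source IP."""
    if profile_name == "quarantine":
        return False
    prof = PROFILES[profile_name]
    if ipaddress.ip_address(dst_ip) not in LAN:
        return prof.internet             # the camera's dial-home attempt is dropped here
    return not prof.lan_ports or dst_port in prof.lan_ports
```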