Finish Lines

Finish lines in IT seldom have trophies or uproarious applause. Satisfaction in a job done well is a reward in itself. However, there is little praise for solving an unnoticed problem no matter the improvement to quality of life it brings. An obvious solution would be to announce, with much fanfare, any changes or updates to a system. But going back to a recent conversation I had about the quality of WiFi., there is a vast difference between up and good. As network engineers, we have to measure the improvements against the annoyance of system downtime when deciding if a new feature needs to be implemented or if the current state is good enough. In truth, it’s question of the value proposition any update brings. 

A Concrete Example

So, What am I talking about? As you are already aware from this post, I got a new toy for Christmas—upgraded WiFi! One of the defining features that this new gismo enabled was the use of WPA3-Enterprise authentication. For many (and if that’s you, feel free to skip to the section I Say All That to Say…), the end result of this method of authenticating to a WiFi network is the determinant of its value—if the WiFi isn’t noticeably any faster or more reliable, it’s a hard sell to leverage better encryption standards just to keep the WiFi password safe from prying eyes.

Others of you may be wondering what WPA3-Enterprise authentication is. Here is what Wikipedia has to say:

In January 2018, the Wi-Fi Alliance announced WPA3 as a replacement to WPA2. Certification began in June 2018, and WPA3 support has been mandatory for devices which bear the "Wi-Fi CERTIFIED™” logo since July 2020.

The new standard uses an equivalent 192-bit cryptographic strength in WPA3-Enterprise mode, and still mandates the use of CCMP-128 as the minimum encryption algorithm in WPA3-Personal mode.

The WPA3 standard also replaces the pre-shared key PSK (passwords) exchange with Simultaneous Authentication of Equals (SAE) exchange, a method…resulting in a more secure initial key exchange in personal mode and forward secrecy. The Wi-Fi Alliance also says that WPA3 will mitigate security issues posed by weak passwords and simplify the process of setting up devices with no display interface.

Basically, it means that you neither have the same password as other users on the WiFi, nor are your login credentials vulnerable to being sniffed over the air as you log in, thanks to the aforementioned SAE. A note on SAE and a point of contrast between having it (as with WPA3) and not (as with WPA2): SAE ensures that each time a user is authenticated, a new session key is created (thank you, Diffie-Hellman) and your credentials, even if captured and brute-forced, will be worthless at a later time when an attacker attempts to decrypt captured traffic. TL;DR—your WiFi is safer!

Add to the Fun

The use of Enterprise authentication assumes a centralized AAA (Authentication, Authorization, and Accounting) server to store and check login credentials. While there are a few flavors of AAA servers to choose from, I decided on a RADIUS (Remote Authentication Dial-In User Service) server called freeRADIUS. It is a server with a database that must be queried to verify users before they are granted network access, aka, it authenticates users. If you’re interested in setting one up yourself, here is a link to a great tutorial on getting freeRADIUS installed from Beam Networks. 

But That’s not All

AAA servers also authorize users. In my case, I have the server set up to drop administrators (me) into a different network (VLAN) than users (my wife) and guests. The segmentation allows for firewall rules to permit or deny access to various network resources such as file shares, virtualization servers, web servers, etc. In short, the second A of AAA aids in the authorization of the end user, saying whether or not that user is allowed to mess with a thing on the network.

One More Thing

Accounting—not the money type, but just as boring if you don’t know what to do with it. Accounting means, in a nutshell, that you will leave record of your login. It will allow admins visibility into who is on the network and when. It can also key admins in to the path users travel through the network—especially helpful when diagnosing connectivity issues. Sorry, my One More Thing isn’t nearly as exciting as Steve Jobs’, but I really want to give a surface-level summary on accounting here; much more could be said on this topic, if I wanted to expand this particular post into the realm of cybersecurity.

I Say All That to Say…

You could skip to this part, and it would be completely understandable. I just wanted to give a bit of background into the problems I was solving. At the end of the day, my wife wasn’t impressed. She used her shiny, new login and went straight to Instagram. “Nothing’s different,” she said. But I know that’s not quite true, and now so do you. And that’s enough for me. This is one lemon whose juice was worth every bit of its squeeze.