Looking for Tips on Implementing NAC and 802.1X in Our Office

Asked By TechWizard07 On

Hey everyone,

I recently took on a new role at a company that didn't have any IT support in-house before me. With multiple offices worldwide, most of our IT help was handled elsewhere, and the situation I inherited is quite chaotic. Essentially, employees were just given computers with little to no guidance on security practices.

I'm trying to enhance our office security, and I'm thinking about rolling out NAC (Network Access Control) and 802.1X as a starting point. Currently, our WiFi network uses a Pre-Shared Key (PSK) and lacks any NAC implementation. While I've managed to set up a proof of concept using FreeRADIUS, a MySQL database, and the TTLS with MSCHAPv2 protocol, I'm concerned about the operational overhead. Our IT team only has two members for over 350 users, so I'm wondering if this is feasible right now.

I realize the current setup is a step up from just using PSK and no NAC, but I'd love to hear your thoughts and advice on moving forward with these implementations. Thanks!

1 Answer

Answered By SecuritySage22 On

First off, do you have Active Directory (AD) in place? If you do, consider deploying a Public Key Infrastructure (PKI) – a two-tier setup with root and issuing certificates. You’ll want to integrate an NPS (Network Policy Server) with your AD since it will streamline the process. You can create a certificate template for NPS, and set up Group Policy for auto-enrollment. This way, you can utilize certificates for WiFi access, offering better security.

If PKI feels overwhelming, you can stick with just machine authentication, though it will mean using MSCHAPv2, which isn’t the most secure. The best approach is to really weigh your options based on your team's ability to manage these systems. If it seems too much, maybe consider sticking with the PSK for now until you can get more support.

TechWizard07 -

Thanks for clarifying! But why would sticking with PSK be more viable than setting up individual credentials with TTLS and MSCHAP? Seems like the latter would offer more security, right?
