Most access points (APs) have a reset button that someone can press to restore factory default settings, removing the Wi-Fi security and allowing anyone to connect. Thus, the APs distributed throughout your facility need to be physically secured as well to prevent tampering. Ensure they are always mounted out of reach and consider using any locking mechanisms offered by the AP vendor to physically limit access to the AP buttons and ports.
An example of a reset button on an access point. Credit: Cisco
Another physical security concern with Wi-Fi is when someone adds an unauthorized AP to the network, typically called a “rogue AP.” This could be done for legitimate reasons by an employee wanting to add more Wi-Fi coverage, or for ill-intended purposes by an employee or even an outsider who gains access to the facility. To help prevent these types of rogue APs, ensure any unused ethernet ports (like wall ports or loose ethernet runs) are disabled. You could physically remove the ports or cables, or disable the connectivity of that outlet or cable on the router or switch. Or if you really want to beef up security, enable 802.1X authentication on the wired side, if your router or switch supports it, so any device plugging into an ethernet port has to present log-in credentials before it gains network access.
Use Enterprise WPA2 with 802.1X authentication
One of the most beneficial Wi-Fi security mechanisms you can put into place is deploying the enterprise mode of Wi-Fi security, because it authenticates every user individually: Everyone can have their own Wi-Fi username and password. So if a laptop or mobile device is lost or stolen, or an employee leaves the company, all you have to do is change or revoke that particular user’s log-ins.
(In personal mode, by contrast, all users share the same Wi-Fi password, so when devices go missing or employees leave you have to change the password on every single device — a huge hassle.)
With enterprise Wi-Fi security, users enter their unique username and password when connecting. Credit: Microsoft
Another great advantage of enterprise mode is that every user is assigned his or her own encryption key. That means users can only decrypt data traffic for their own connection — no snooping on anyone else’s wireless traffic.
To put your APs into enterprise mode you'll first need to set up a RADIUS server. This enables user authentication and connects to or contains the database or directory (such as Active Directory) that holds everyone’s usernames and passwords.
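As an added illustration (not part of the original article), here is what the personal-mode and enterprise-mode settings look like side by side in a hostapd configuration, the open-source AP daemon used on Linux-based access points. The SSID, passphrase, RADIUS address and shared secret are placeholder values; on a real deployment the shared secret is a long random string known only to the AP and the RADIUS server.

```ini
# --- Personal mode (WPA2-PSK): one passphrase shared by every user ---
# Placeholder values; any device that knows the passphrase can join,
# and losing one device means changing the passphrase everywhere.
interface=wlan0
driver=nl80211
ssid=ExampleCorp-Personal
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=ChangeMe-Shared-Passphrase

# --- Enterprise mode (WPA2-Enterprise, 802.1X/EAP) ---
# Each user authenticates with their own credentials against a RADIUS
# server (which can be backed by Active Directory), and each session
# gets its own pairwise encryption key. Revoking one user's account
# disconnects only that user; no other device needs reconfiguring.
interface=wlan0
driver=nl80211
ssid=ExampleCorp-Enterprise
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
# RADIUS authentication server (placeholder address and secret)
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=REPLACE-WITH-LONG-RANDOM-SECRET
# Optional: send accounting records so you can see who connected when
acct_server_addr=192.0.2.10
acct_server_port=1813
acct_server_shared_secret=REPLACE-WITH-LONG-RANDOM-SECRET
```

Only one of the two sections would be active on a given AP; the point of the comparison is that the enterprise block has no shared passphrase at all, because user credentials and per-session keys come from the 802.1X exchange instead.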