The most common method of providing authentication is a security overlay on top of the wireless access points. Organizations adopting this strategy usually install their WLANs outside the enterprise firewall, often using VLANs if the wireless infrastructure spans multiple buildings, and treat the WLAN as a dirty network. Even if an attacker penetrates the WLAN, he or she gains only the access rights given to users on the public Internet. Because WLAN users look like Internet users, it's not surprising that IPsec VPNs often are used to secure WLANs--after all, they provide authentication, authorization and privacy (encryption). But VPNs are costly, require VPN clients on all endpoints, don't interoperate well with non-Windows clients, don't scale well in high-traffic environments and provide no protection at Layer 2. Layer 2 protection is more important with WLANs than with other LANs: A variety of management frames, which contain information about your network, are transmitted over the air.
Organizations that don't want to incur the high overhead of VPNs may opt for captive-portal Web authentication used with a dynamically configured firewall. Users associate with APs without providing authentication credentials but are redirected to a captive-portal Web page, where they must log in to gain access rights. Captive-portal authentication is popular in universities and hotspots where service providers cannot make assumptions about the availability of client-authentication software. All you need is a browser-capable device--even a PDA or smartphone--and you can gain secure access.
To facilitate guest use, those without appropriate credentials may be given access to the public Internet but restricted from internal hosts. Web authentication is a reasonable approach to providing authentication and authorization, but it does not provide encryption, beyond the SSL that usually protects the login exchange itself.
The IEEE's approach to WLAN authentication is based on 802.1x, which provides port-level authentication (the "port" is defined as the 802.11 association between client and AP) and EAP, which creates a flexible tunnel through which authentication can be passed. This Layer 2 approach, central to both WPA and 802.11i, involves back-end RADIUS servers, usually tied into an existing user database. Mobile devices must be configured with 802.1x clients (supplicants in 802.1x parlance) that support specific EAP authentication types. And there's the rub: Even assuming that 802.1x is supported on your wireless clients--not always the case for PDAs and VoIP phones--there are multiple EAP authentication types to choose from. Unfortunately, there's little reason to expect the industry to standardize on a single EAP type, for both political and technical reasons. We had hoped that PEAP (Protected EAP) would emerge as the de facto standard, but for now, the industry is stuck with incompatible implementations from Cisco and Microsoft. Over the next several years, it's likely that broad support for a range of EAP types will be included in most popular OSs, but today, you'll need to stick with what is there (TLS and MS-PEAP on Win2K and XP) or turn to Funk Software, Meetinghouse Data Communications and other vendors for more flexible 802.1x clients.
In addition to authentication, 802.1x also handles key management, providing a mechanism for unique encryption keys to be distributed to clients when they authenticate. When used in conjunction with 802.11i's AES encryption (which is supported in most new WLAN silicon), this provides strong data privacy.
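As an added example (not from the original article), here is a wpa_supplicant configuration that puts the pieces above together: 802.1X with the two EAP types the article names as available today (EAP-TLS and PEAP with MS-CHAPv2), server-certificate checking so the supplicant only talks to the organization's RADIUS server, and 802.11i AES-CCMP keys derived from the authentication. The SSID, identities, certificate paths and RADIUS server name are assumed values.

```conf
# wpa_supplicant.conf: hypothetical 802.1X supplicant configuration for an
# enterprise WLAN. SSID, paths, identities and server names are assumed values.
ctrl_interface=/var/run/wpa_supplicant

# Network 1: PEAP with MS-CHAPv2 inside the TLS tunnel (the "MS-PEAP" type the
# article mentions). The inner password is only as safe as the tunnel, so the
# client must verify the RADIUS server's certificate: without ca_cert and
# subject_match the supplicant would hand its credentials to any AP/RADIUS pair
# that advertises the right SSID.
network={
    ssid="corp-wlan"                  # assumed SSID
    key_mgmt=WPA-EAP                  # 802.1X/EAP authentication
    proto=RSN                         # 802.11i (RSN) rather than interim WPA
    pairwise=CCMP                     # AES-CCMP data privacy (article's 802.11i AES)
    group=CCMP
    eap=PEAP
    anonymous_identity="anonymous@example.com"   # outer identity sent in clear
    identity="jdoe"                   # assumed user name in the back-end directory
    password="assumed-password"       # stored in clear here; restrict file permissions
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"  # assumed CA that signed the RADIUS cert
    subject_match="CN=radius.example.com"        # assumed RADIUS server name
    phase2="auth=MSCHAPV2"            # inner (tunnelled) method
    priority=10
}

# Network 2: EAP-TLS, the certificate-based type the article lists for
# Win2K/XP. Mutual authentication: the server certificate is checked as
# above, and the client proves its identity with its own certificate and key.
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    group=CCMP
    eap=TLS
    identity="jdoe@example.com"       # assumed; must match the client certificate
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    client_cert="/etc/ssl/certs/jdoe.pem"        # assumed client certificate
    private_key="/etc/ssl/private/jdoe.key"      # assumed client private key
    private_key_passwd="assumed-passphrase"
    subject_match="CN=radius.example.com"
    priority=5
}
```

With both blocks present the supplicant tries the higher-priority PEAP profile first and falls back to EAP-TLS; either way the unique pairwise key for CCMP is derived from the EAP exchange rather than configured by hand.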