Can we give Bob a Certificate yet?

A quick intro to securing wireless networks

If you’ve spent any time in a corporate office, you’ve likely seen a “Corporate” Wi-Fi network that asks for your actual username and password, rather than the passphrase we all use at home.

As an engineer, you need to understand how this works.

In this post, I’m looking at the underlying mechanisms and choices of Enterprise WLAN Security and why what you choose matters.

The 802.11 Fundamentals

Wireless security essentially boils down to three buckets. If you’re designing a network, you’re picking one of these:

• Open: No authentication, no encryption. Traditionally, this was pretty insecure. However, modern OWE (Opportunistic Wireless Encryption) now provides AES encryption for open networks. It’s a massive step up for guest Wi-Fi, because things are now encrypted, but still nowhere near the level of security you want on an internal network.

• WPA-Personal: Uses a Pre-Shared Key (PSK). This is probably the most common I’ve seen around; everyone uses the same password. It’s a nightmare for security. If one person leaves the company, you technically need to change the password for everyone.

• WPA-Enterprise (802.1X): The gold standard. Users log in with their own credentials (or certificates). This allows us to treat “Bob from Finance” differently from “The HR Printer.” And this is the one we’re going to talk a bit about.

The 802.1X conversation

When we talk about Enterprise security, we’re really talking about a three-way conversation between:

1. The Supplicant: The device (laptop, phone) trying to join.

2. The Authenticator: The Access Point or Switch. Note: The AP doesn’t actually decide if you’re allowed in…it’s just the bouncer at the door.

3. The Authentication Server: Usually a RADIUS server (like ClearPass or Cisco ISE). This is the one that checks the database and says “Yes” or “No.”

How It Actually Connects (The Handshake)

There’s a sequence that happens before a single bit of user data hits the air. If you’re troubleshooting a connection failure, you need to know where it’s falling over:

• Beacons & Probes: APs broadcast beacons, and clients send probe requests to the Broadcast MAC address (basically shouting “Is anyone out there?”). They’re looking for things like, “Do you support my security settings?”

• Response: If the AP matches what the client is looking for, it sends a probe response.

• 802.11 Open System Authentication: This is a bit of a legacy step. The client tries to “auth” with the AP, but don’t let the name fool you, it’s not real security. It’s essentially just a formal “hello” 👋 before the actual association happens. In an Enterprise setup, the real security (the EAP bit) doesn’t start until after this and the association are done.

• Association: The two devices agree to talk to each other. At this point, the path is still “blocked” to actual traffic, but the door is open for the security conversation to begin.

• The 802.1X Bit: Once the association is sorted, this is where EAP (Extensible Authentication Protocol) kicks in. The AP (the authenticator) encapsulates the client’s EAP packets into RADIUS packets and sends them off to the Authentication Server. The server then checks certificates or credentials. If the server is happy, it sends an Access-Accept back to the AP.

• The 4-Way Handshake: Once cleared, the final step is adding the encryption via a 4-way handshake.

Here’s what it might look like if you were trying to get into a bar 😄

Some design considerations

This is where we move from “knowing the protocol” to “designing for the business.” Here are some of the levers we can pull to ensure the network isn’t just secure, but actually functional.

1. EAP-TLS vs. PEAP

Most places start with PEAP (Username/Password) because it’s ‘easy’, it just works with AD. But PEAP is old and relies on protocols that are relatively easy to crack. If you’ve got a way to push certificates to your devices (like Intune or Jamf) and all the underlying infrastructure, EAP-TLS is what you should be aiming for. It’s more secure, and it stops those ‘my password changed and now my phone is locked out’ tickets that plague every helpdesk.”

• The Technical: EAP-TLS uses mutual certificate-based authentication. No passwords are exchanged.

• The Business Outcome: Reduced Helpdesk tickets due to password changes. More importantly, this hardens the perimeter against credential theft.

2. Role-Based Access

In a flat network, if a guest’s laptop gets infected, it can potentially see your entire network, including those critical servers. We solve this with VLAN segmentation, but how do you ensure the devices connect to the right VLANs? Dynamic Role Assignment is perfect for this.

• The Technical: Instead of 10 different SSIDs, use one SSID and let the RADIUS server push a “User Role” or VSA (Vendor Specific Attribute) based on the login.

• The Business Outcome: Blast Radius Reduction. If a “Contractor” device is compromised, the network is already restricting it to just the tools they need. RBAC is critical to any zero-trust architecture ( you’ll hear that term a lot )

3. Fast Roaming

The 802.1X conversation is pretty chatty. If a user walks from one end of the office to the other on a Teams call, they shouldn’t have to do the full dance every time they hit a new AP.

• The Technical: Use 802.11r (Fast BSS Transition) or OKC (Opportunistic Key Caching). This “pre-shares” key material with neighbouring APs.

• The Business Outcome: Productivity. In a modern “roaming” office or a fast-paced warehouse, five seconds of “re-authenticating” lag is a massive hit to and individuals operations.

4. Revocation: CRL vs. OCSP

If a laptop is stolen on a Friday night, how quickly can you make sure it can’t connect to the network?

• CRL (Certificate Revocation List): CRL (Certificate Revocation List): Think of this as astatic “deny list” that the RADIUS server downloads periodically. The problem? It’s heavy, it can be out of date the minute it’s downloaded, and if the server hasn’t updated the list yet, that stolen laptop is still getting in.

• OCSP (Online Certificate Status Protocol): This is the modern way. Instead of checking a static list, the RADIUS server asks the CA’s responder in real-time: “Is this specific cert still valid right now?” It’s faster, more efficient, and much more “Zero Trust” than waiting for a list to update.

• The Business Outcome: Compliance. For regulated industries (Finance/Healthcare), “we’ll catch the thief eventually” isn’t an answer. OCSP provides the real-time enforcement that keeps security teams happy and the network safe.

Always lead with the why.

These technical posts are based on study notes from my certification archive, but I wanted to add a little sprinkle of “why” into them to show you how you can start to shift the narrative from deep technical ones and zeros to business outcomes.

An engineer can tell you how 802.1x works. A high-value IC tells you how it protects the company’s bottom line.

• Reducing OpEx: Moving from PEAP (passwords) to EAP-TLS (certs) means fewer “I’ve locked myself out” tickets for the helpdesk.

• Blast Radius Reduction: Using Dynamic Role Assignment (RBAC) means if a contractor’s laptop gets compromised, they can’t see the entire server farm. You’ve contained the fire before it starts.

• Operational Reliability: Implementing Fast Roaming is about ensuring the warehouse team doesn’t lose five seconds of productivity every time they take the scanner past a new AP.

By tying your design choices to things like reduced helpdesk OpEx, lower cyber-insurance premiums, and guaranteed uptime, you’re not just a “technical resource”.

You’re becoming strategic, and every time you do this, you build up trust that will pay off come performance review.

Cheers

Danny