This blog post is for the paranoids among us
Many companies use BYOD (Bring Your Own Device) processes to securely connect personal devices to the enterprise network. Typically, Enterprise Authentication with EAP-TLS ensures a good user experience without any struggles when Domain credentials are changed.
But how do we connect company devices to our home office?
The internal WLAN
The typical approach is to connect the company device to the internal Wireless network. This is my least favorite approach. First, I don’t want to have devices with unknown security postures in my network (yes, the device likely has good security, but who knows). Second, the admins of other companies could access my network.
More importantly, the internal WLAN Passphrase would be readable by the company admins or by any malware on that device.
No, this is not an option.
The Guest WLAN
The second approach is to connect the device to the Guest SSID. This would achieve separation, and I wouldn’t have to care about the Passphrase as I would change it regularly. But this is far from user-friendly (at least for everyone who has to care about the WAF).
The assumption here is that the guest WLAN is not open and the passphrase is not kept over a longer time. With an open SSID the WAF would be fine!
Enterprise Authentication
Enterprise Authentication could be an option for home office admins who run their own RADIUS server. But we would have to add a root certificate to the company PC, which is likely not allowed. And how would the client be authenticated? Using the PC domain credentials is not an option. We would either have to install an identity certificate with the private key on the PC or configure it with static credentials to log in. Both options are difficult to do securely without connecting a USB stick to the PC. (Don’t even think about the USB stick on a foreign PC).
Open Roaming
What about OpenRoaming? Yes, I like that. However, the company PC needs to be configured for this.
Multiple PSKs
So, we are left with MPSKs.
MPSKs with RADIUS would be very nice, as we can typically use WPA3 on the SSID. But having a dependency on the MAC address of a PC that is managed by someone else is again a bad idea. More importantly, my RADIUS server is also a LAB device, which changes frequently in its configuration. This is, again, not compatible with a WAF.
My preferred solution is MPSK without RADIUS. This means that we typically can’t use WPA3 and we are forced to stay with WPA2. But now, the company PC can get its own Passphrase, and when the PC gets lost or replaced, the PSK can easily be changed to something new.
In my setup, I use my IoT SSID, which will likely have to stay on WPA2-Personal for many years to come because of IoT device restrictions. With WPN (Wireless Private Network), all devices that share the same Passphrase form their own separate network neighborhood, isolated from devices using a different Passphrase.
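To make the MPSK/WPN idea concrete, here is an added example (my own illustration, not code from the blog or from any vendor's AP firmware). It derives the WPA2-Personal PMK from each device's passphrase the way IEEE 802.11 specifies (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations), groups devices by PMK to model the "same passphrase, same neighborhood" behaviour described above, and rotates one device's passphrase without touching the others. The SSID, device names and passphrases are constructed for the example; the grouping model is a simplification of what a WPN-capable AP does, not its actual implementation.

```python
import hashlib
import secrets
from collections import defaultdict

# Constructed sample: one SSID, one passphrase per device or device group.
# Names and passphrases are made up for this illustration.
SSID = "home-iot"
DEVICES = {
    "company-laptop": "Cmp4ny-L4pt0p-Only!",
    "smart-bulb-1": "iot-bulbs-shared-2024",
    "smart-bulb-2": "iot-bulbs-shared-2024",
}


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA2-Personal PMK as IEEE 802.11 specifies:
    PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte output."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8..63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32
    )


def build_mpsk_table(ssid: str, devices: dict[str, str]) -> dict[str, bytes]:
    """Model of what an MPSK-capable AP keeps: one PMK per device, so no
    device ever needs to know another device's passphrase."""
    return {name: wpa2_pmk(pw, ssid) for name, pw in devices.items()}


def neighborhoods(table: dict[str, bytes]) -> list[set[str]]:
    """Group devices by PMK (simplified WPN model): devices that share a
    passphrase land in one group, everyone else is isolated from them."""
    groups: dict[bytes, set[str]] = defaultdict(set)
    for name, pmk in table.items():
        groups[pmk].add(name)
    return list(groups.values())


def rotate_passphrase(devices: dict[str, str], name: str) -> str:
    """Give one device a fresh random passphrase (e.g. the company PC was
    lost or replaced). The other devices' passphrases stay as they are."""
    new_pw = secrets.token_urlsafe(24)  # 32 printable ASCII chars, within 8..63
    devices[name] = new_pw
    return new_pw


if __name__ == "__main__":
    table = build_mpsk_table(SSID, DEVICES)
    for group in neighborhoods(table):
        print("neighborhood:", sorted(group))
    rotate_passphrase(DEVICES, "company-laptop")
    new_table = build_mpsk_table(SSID, DEVICES)
    print("rotated company-laptop PMK:", new_table["company-laptop"].hex())
```

Two things worth noticing when running it: the company laptop always ends up in a neighborhood of its own because no other device shares its passphrase, and rotating its passphrase changes only its PMK, which is exactly why a lost or replaced company PC is cheap to handle in this setup.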
Problem solved!
And how do you connect company PCs to your home network?
That is a very interesting article, Karsten!
I use the internal WLAN when connecting the company PC to my network.
I also use a separate Internet connection for my lab.