WPA2 personal VS WPA2 enterprise

[RL600]

Dear all,

I know the differrence between the two so that is not the question.

If you compare the two most internet sites says enterprise is better, why?
Is the combination username and password harder to crack than PSK?

If so, is WPA2 enterprise with a short username and a easy password harder to crack then WPA2 personal with a much longer and harder to guess password?

 

[Someone Somewhere]

Cracking isn't really the issue. Neither are particularly feasible.

The issue is that if someone leaks a WPA2 Enterprise password or certificate, you can disable that account and keep on operating. If a WPA2 Personal password gets leaked, then you have to go and change the password on every single AP and device, plus you can't tell who leaked it.

 

[RL600]

Good point, but is WPA2 enterprise harder to crack?

 

[Someone Somewhere]

I think so, but neither is feasible.

This is assuming that WPS is disabled - it has a ridiculous number of security flaws.

 

[RL600]

WPS is indeed turned off 😉


Is WPA2 enterprise with a short username and a easy password harder to crack then WPA2 personal with a much longer and harder to guess password?

 

[Someone Somewhere]

I don't really know. Possibly, but neither is feasible.

 

[bill001g]

WPA2 enterprise is harder to crack for a number of reasons but remember the actual passwords are never sent for you to even attempt to crack them. What is send are hashes that are generated with the passwords.

The main reason enterprise is hard to crack is you must first beat the radius and then use that to crack the keys so you have multiple level of stuff to crack. The radius is only used to authenticate the user. The session keys are sent in a encrypted form from the radius server to the user. In the most secure form it is done with certificates so it is done with a private/public key pair. In any case it is not a simple machine sends userid/password to radius server. It is a series of messages that are encrypted with the radius servers key or as part of the 802.1x eapol messages.

...as a added note you can't run WPS on enterprise mode since they AP itself does not really know the keys before the session is opened. The radius server tells the AP what they first key is for that ones users session.

 

[RL600]

Thanks bill001g that really helped.

The hashed sending of the password is only WPA2 enterprise doing that or does WPA2 personal do the same hashing?

 

[Someone Somewhere]

WPA2 Personal hashes the password, I'm not entirely sure how enterprise does it - would depend on it it's a certificate or just username/password.

You don't actually need to reverse the hash to connect to the network; many devices will let you connect with just the hash.

 

[bill001g]

Yes and no. There are 2 level of password exchanges. You would think of the radius one just as a function to get the pre shared key the personal one already has. After that point once it has the session keys it functions the same. Both generate random number and then encrypt the random numbers with the key to get what is called a mic. It is the mic that is sent back and forth not the keys. The 2 end points can then verify that the mic is correct.

This is the easiest diagram of this I have seen but it is still somewhat over simplified.

http://en.wikipedia.org/wiki/IEEE_802.11i-2004

 

[RL600]

Really thanks!

Just out of curiosity what did you study bill001g to get this high level of understanding of networking?

 

[bill001g]

I have had my ccie in both routing and security for 10+ yrs and worked in the field for much longer