WPA2 Enterprise
WPA2 Enterprise is a mode of Wi-Fi Protected Access. It provides better security and key management than WPA2 Personal, and supports other enterprise-type functionality, such as VLANs and NAP (Network Access Protection). However, it requires an external authentication server, called a RADIUS server, to handle the authentication of users. This is in contrast to Personal mode, which requires nothing beyond the wireless router or access points (APs) and uses a single pre-shared passphrase for all users.
In Enterprise mode users log onto the Wi-Fi network with a username and password and/or a digital certificate. Because each client's session key is derived from its own authentication (the RADIUS server and the client derive a fresh pairwise master key per session, instead of every client deriving its keys from one shared passphrase), one user cannot decrypt another user's traffic on the same network, and the key material is not tied to a guessable passphrase.
Configuration
This section describes the configuration of network clients to connect to a wireless access point with WPA2 Enterprise mode. See Software access point#RADIUS for information on setting up an access point itself.
Enterprise mode requires a more complex client configuration, whereas Personal mode only requires entering a passphrase when prompted. Clients usually need to install the CA certificate that issued the RADIUS server's certificate (plus a per-user certificate and private key if using EAP-TLS), and then manually configure the wireless security and 802.1X authentication settings. Installing the CA certificate is not merely a convenience step: a client that skips server-certificate validation will authenticate to any access point broadcasting the same SSID, which is how credentials are harvested from PEAP and EAP-TTLS clients.
For a comparison of protocols see the following table.
eduroam
eduroam (education roaming) is an international roaming service for users in research, higher education and further education, based on WPA2 Enterprise.
wpa_supplicant
wpa_supplicant can be configured directly and used in combination with a DHCP client or with systemd. See the examples in /etc/wpa_supplicant/wpa_supplicant.conf for configuring the connection details.
Once the connection configuration is complete, you can use the DHCP client to test it. For example (replace interface with the name of the wireless interface, e.g. wlan0):
# dhcpcd interface
This will automatically invoke wpa_supplicant to establish the connection before proceeding to acquire an IP address.
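The following is an added example of the network blocks this section refers to; it is written for this article and is not a file shipped by wpa_supplicant or by Arch. The SSID "CorpWiFi", the realm "example.com", the server name "radius.example.com", the user "alice" and all certificate paths are placeholders to be replaced with your site's values. The first block is PEAP with MS-CHAPv2 as the inner method, the second is EAP-TLS; the two lines that do the server-certificate validation are the ones whose absence lets a rogue access point harvest credentials. The same network={ ... } block can be pasted into a netctl profile's WPAConfigSection= (see #netctl below).

```ini
# Added example for /etc/wpa_supplicant/wpa_supplicant.conf (not the project's
# own sample file). All names and paths below are assumptions for illustration.

ctrl_interface=/run/wpa_supplicant
update_config=0

# PEAP with MS-CHAPv2 as the inner (phase 2) method: username + password.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    eap=PEAP
    phase2="auth=MSCHAPV2"

    # The outer identity is sent in cleartext before the TLS tunnel exists;
    # use an anonymous one so the real username is not exposed on the air.
    anonymous_identity="anonymous@example.com"
    identity="alice@example.com"
    # Either the password itself, or only its NT hash (all MS-CHAPv2 needs).
    password="correct horse battery staple"
    #password=hash:<32 hex characters of the NT hash>

    # Server-certificate validation. Without BOTH of these lines
    # wpa_supplicant will build the TLS tunnel to any RADIUS server and hand
    # it the MS-CHAPv2 challenge/response, which can then be cracked offline.
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.example.com"   # full match on the server cert's dNSName/CN
}

# EAP-TLS: a client certificate instead of a password.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    eap=TLS
    identity="alice@example.com"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.example.com"
    client_cert="/etc/wpa_supplicant/certs/alice.crt"
    private_key="/etc/wpa_supplicant/certs/alice.key"
    private_key_passwd="key passphrase"
    priority=10   # prefer this block over the PEAP one for the same SSID
}
```

domain_match requires an exact match of the name in the server certificate; if the RADIUS servers use several hostnames under one domain, domain_suffix_match="example.com" is the looser alternative. Whichever you use, ca_cert must point at the CA that actually issued the RADIUS certificate, not at the system bundle, unless the server certificate really is issued by a public CA.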
NetworkManager
NetworkManager can generate WPA2 Enterprise profiles with graphical front ends. nmtui does not expose the 802.1X settings but can activate existing profiles; nmcli can set them directly through the 802-1x.* connection properties (see nm-settings(5)).
connman
connman needs a separate service configuration file in /var/lib/connman/ before it can connect to the network. For examples and explanations of the different settings, see connman-service.config(5). Restart wpa_supplicant.service and connman.service to connect to the new network.
netctl
netctl supports #wpa_supplicant configuration through blocks included with WPAConfigSection=. See netctl.profile(5) for details.
Troubleshooting
MS-CHAPv2
WPA2-Enterprise wireless networks that use PEAP with MS-CHAPv2 as the inner (phase 2) method sometimes require pptpclient in addition to the stock ppp package. netctl seems to work out of the box without ppp-mppe, however. In either case, the use of MS-CHAPv2 is discouraged because it is highly vulnerable: the protocol pads the 16-byte NT hash of the password to 21 bytes and uses it as three DES keys over the same 8-byte challenge, and the third key has only two unknown bytes, so a captured challenge/response is broken with a single 2^56 DES key search that recovers the NT hash, which by itself is sufficient to authenticate. Using another method (such as EAP-TLS) is usually not an option, since the network operator chooses it. What keeps a PEAP/MS-CHAPv2 deployment defensible is therefore the outer TLS tunnel: the client must validate the RADIUS server's certificate (CA certificate plus a domain match in the supplicant configuration), otherwise a rogue access point running its own RADIUS server obtains the challenge/response and, after cracking it, the credentials. See also [2] and [3].