2.3 Given a scenario, select and configure wireless devices and technologies
Authentication
📘CompTIA Network+ (N10-009)
What Is Enterprise Authentication?
Enterprise authentication uses per-user credentials (a username and password, or a certificate) instead of a shared password.
It is commonly implemented using:
- WPA2-Enterprise or WPA3-Enterprise
- 802.1X authentication
- RADIUS server (commonly Microsoft NPS, FreeRADIUS, Aruba ClearPass, or Cisco ISE)
With this setup, every user has individual login credentials, just like logging into a company computer or email.
Why Enterprise Authentication Is Used
Enterprise mode provides several key benefits:
✔ Individual User Credentials
Each employee has their own login. No shared Wi-Fi password.
✔ Strong Security
Uses EAP (Extensible Authentication Protocol) and TLS-based encryption, which are much stronger than PSK passwords.
✔ Centralized Authentication
If the organization uses a directory service (e.g., Active Directory), Wi-Fi access can use the same credentials.
✔ Easy User Management
- Remove access instantly by disabling a user account
- Add users without changing any shared password
- Apply group-based security policies
✔ Logging and Monitoring
The RADIUS server records:
- Who connected
- When they connected
- Which device they used
This is important for compliance and security audits.
How Enterprise Authentication Works (The Architecture)
Enterprise mode requires three main components:
1. Supplicant (Client Device)
This is the device trying to connect:
- Laptop
- Smartphone
- Tablet
- Wi-Fi-enabled workstation
It must support 802.1X and EAP.
2. Authenticator (Wireless Access Point or Wireless Controller)
The access point acts as a “middleman.”
It:
- Accepts the connection request from the client
- Forwards authentication traffic to the RADIUS server
- Does not store passwords
- Does not make authentication decisions
3. Authentication Server (RADIUS)
This is the central system that validates user credentials.
It:
- Checks the username/password or certificate
- Sends “Access-Accept” or “Access-Reject” back to the AP
- Often integrates with Active Directory for user accounts
Enterprise Authentication Process (Step by Step)
Below is a simplified 802.1X flow:
1. User connects to the SSID that is configured for Enterprise mode.
The AP sees this connection attempt.
2. The AP requests user authentication.
The supplicant responds with EAP credentials (username/password or certificate).
3. The AP forwards the EAP request to the RADIUS server.
This is done using:
- RADIUS protocol (UDP 1812/1813)
- Shared secret between AP and RADIUS server
4. RADIUS validates the credentials.
If correct → sends Access-Accept
If incorrect → sends Access-Reject
5. Once approved, the AP allows the client onto the wireless network.
The client is now assigned:
- VLAN
- IP address
- Security policies
…based on RADIUS rules or AD group membership.
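Steps 3 and 4 as code: this added example (not part of the original guide) shows how the AP wraps the supplicant's EAP message in a RADIUS Access-Request, and how the server uses the shared secret to check the packet's Message-Authenticator attribute before it trusts any credentials. The secret, user name, MAC address and function names are constructed for illustration.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST = 1
USER_NAME, CALLING_STATION_ID, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 31, 79, 80

def attr(a_type, value):
    """Encode one RADIUS attribute as type, length (header included), value."""
    return bytes([a_type, len(value) + 2]) + value

def build_access_request(secret, ident, user, client_mac, eap):
    """Authenticator (AP) side: wrap the supplicant's EAP message in RADIUS."""
    attrs = (attr(USER_NAME, user) + attr(CALLING_STATION_ID, client_mac)
             + attr(EAP_MESSAGE, eap) + attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + os.urandom(16)
    # HMAC-MD5 over the whole packet, keyed with the shared secret, computed
    # while the Message-Authenticator value is still 16 zero bytes.
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def parse_attrs(packet):
    """Return ([(type, value_offset, value)], packet_length); reject bad lengths."""
    end = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= end <= len(packet):
        raise ValueError("bad packet length")
    out, i = [], 20
    while i < end:
        if i + 2 > end or packet[i + 1] < 2 or i + packet[i + 1] > end:
            raise ValueError("malformed attribute")
        out.append((packet[i], i + 2, packet[i + 2:i + packet[i + 1]]))
        i += packet[i + 1]
    return out, end

def verify_access_request(secret, packet):
    """Server side: accept only requests the shared secret authenticates."""
    attrs, end = parse_attrs(packet)
    for a_type, off, value in attrs:
        if a_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:off] + bytes(16) + packet[off + 16:end]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # EAP requests without the attribute are dropped

def who_and_which_device(packet):
    """The identity and client MAC the server can log for this attempt."""
    found = {t: v for t, _, v in parse_attrs(packet)[0]}
    return found.get(USER_NAME), found.get(CALLING_STATION_ID)

# Constructed sample: EAP-Response/Identity for "alice" (code 2, id 1, type 1).
SAMPLE_EAP = struct.pack("!BBHB", 2, 1, 10, 1) + b"alice"
```

A request built with a different secret, or altered in transit, fails the check, which is why the same shared secret must be entered on both the AP and the RADIUS server.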
Key Technologies Used in Enterprise Authentication
Enterprise mode uses several technologies that you must know for the exam:
1. 802.1X
A port-based authentication standard for both wired and wireless networks.
Controls access before the device is allowed on the network.
2. RADIUS
Remote Authentication Dial-In User Service
Used to:
- Authenticate
- Authorize
- Account for user connections
This is often called AAA.
3. EAP (Extensible Authentication Protocol)
Framework used to perform the authentication.
Common EAP types you must know:
• EAP-TLS
- Digital certificate required on the client
- Most secure
- Used in high-security environments
• PEAP (Protected EAP)
- Server certificate required; client uses username/password
- Most common in business environments
• EAP-TTLS
- Tunnel-based
- Similar to PEAP but more flexible
• EAP-FAST
- Used in Cisco environments
- Protected authentication without certificates
You may see these on the exam.
Enterprise vs. Personal Mode (Exam Comparison)
| Feature | Personal (PSK) | Enterprise (802.1X) |
|---|---|---|
| Authentication | Shared Wi-Fi password | Individual usernames/passwords or certificates |
| RADIUS Server | Not used | Required |
| Security Level | Moderate | Very High |
| Scalability | Not scalable | Highly scalable |
| User Management | Changing password affects all users | Disable one user without affecting others |
| Logging | Limited | Full AAA logging |
| Used in | Homes, small offices | Medium and large organizations |
Security Advantages of Enterprise Authentication
Enterprise mode provides:
✔ Per-User Encryption Keys
Every user receives a unique encryption key rather than sharing one key across the network.
✔ Protection Against Unauthorized Access
If one person leaves the organization:
- Disable their account
- No need to change the Wi-Fi password for everyone
✔ Better Compliance
Required for:
- PCI-DSS
- HIPAA
- Government networks
✔ Stronger Encryption
WPA3-Enterprise uses:
- 192-bit encryption option
- Suite B cryptography
This is extremely secure.
Configuration Overview (High-Level Steps)
While exact commands vary by vendor, these are the general required steps:
On the RADIUS Server:
- Add the access points as RADIUS clients
- Set a shared secret
- Configure authentication policies (EAP type, user groups, etc.)
On the Wireless Controller/AP:
- Create the SSID for Enterprise mode
- Select WPA2-Enterprise or WPA3-Enterprise
- Enter the RADIUS server IP and shared secret
- Select the EAP type
On the Client Devices:
- Connect using organization credentials
- Accept or install root certificates (if required)
When Do You Use Enterprise Authentication?
Enterprise mode is used when:
- Employees need individual, trackable access
- The organization uses Active Directory or other directory services
- You need stronger encryption than PSK
- Security compliance is required
- Hundreds or thousands of devices connect to Wi-Fi
Important Exam Tips
Expect these topics to appear on the exam:
✔ WPA2-Enterprise and WPA3-Enterprise require a RADIUS server.
WPA2-Personal and WPA3-Personal do not.
✔ Enterprise uses 802.1X + EAP.
✔ Know the common EAP types (EAP-TLS, PEAP, EAP-FAST, EAP-TTLS).
✔ Enterprise provides per-user authentication, logging, and centralized control.
✔ Understand the role of each component:
- Supplicant = Client
- Authenticator = AP
- Authentication server = RADIUS
✔ WPA3-Enterprise supports 192-bit encryption.
These points are often directly tested.
Conclusion
Enterprise authentication is the most secure and scalable method for controlling access to a wireless network.
It uses 802.1X, RADIUS, and EAP to provide individual user credentials, strong encryption, centralized management, and detailed logging.
Understanding how Enterprise mode works and how it differs from Personal mode is essential for passing the CompTIA Network+ N10-009 exam.
