- WPA3-Enterprise with 802.1X authentication is the standard for corporate Wi-Fi. WPA2-Personal (pre-shared key) is unsuitable for enterprises because a single shared key, once compromised, gives everyone who holds it access.
- 802.1X authenticates each user individually via a RADIUS server, typically against Active Directory. Only authenticated users receive network access.
- The guest Wi-Fi must be fully isolated from the internal network: dedicated VLAN, dedicated firewall rules, no access to internal resources, internet access only.
- Rogue access points (unauthorised access points) are a serious security risk. Wi-Fi controllers and specialised monitoring tools detect them automatically.
- The physical range of Wi-Fi does not end at the building boundary. Transmit power and access point placement must be configured to minimise coverage outside the building.
Why Wi-Fi security is an ISMS concern
Wireless networks are convenient, but they have one property that fundamentally distinguishes them from wired networks: the signal does not end at the building boundary. Anyone within radio range can see the Wi-Fi and, if the security configuration is poor, access it as well.
ISO 27001 addresses Wi-Fi security in several controls: A.8.20 (Network security), A.8.22 (Segregation of networks) and A.8.1 (User endpoint devices). NIS2 requires appropriate technical measures to secure network infrastructure.
In practice, we regularly find three conditions at SMEs: a Wi-Fi with a shared password for all employees (unchanged for three years, in violation of every password policy), a guest Wi-Fi that is not isolated at all, and access points with default configuration and outdated firmware.
Wi-Fi encryption: WPA2 vs. WPA3
WPA2: the previous standard
WPA2 (Wi-Fi Protected Access 2) is based on AES-CCMP encryption and has been the standard since 2004. WPA2 comes in two variants:
WPA2-Personal (PSK). All users share the same pre-shared key (password). Easy to set up but problematic: if an employee leaves the company, the password should be changed because the former employee knows it. In practice, this rarely happens, and the old password remains active.
WPA2-Enterprise (802.1X). Each user authenticates individually via a RADIUS server, typically with a username and password or with a certificate. When an employee leaves the company, their account is deactivated, and Wi-Fi access is immediately revoked.
WPA2 has known vulnerabilities: the KRACK attack (Key Reinstallation Attack, 2017) and the Dragonblood vulnerabilities affect WPA2-Personal. WPA2-Enterprise is less susceptible but not immune.
WPA3: the new standard
WPA3, specified since 2018, fixes WPA2's weaknesses and brings several improvements:
SAE (Simultaneous Authentication of Equals). WPA3-Personal replaces the PSK handshake with the SAE protocol, which is resistant to offline dictionary attacks. Even if an attacker records the handshake, they cannot crack the password offline.
Protected Management Frames (PMF). WPA3 makes PMF mandatory. This encrypts and authenticates management frames (deauthentication, disassociation). Deauthentication attacks, where attackers deliberately disconnect clients from the Wi-Fi, are thereby prevented.
192-bit security in enterprise mode. WPA3-Enterprise offers an optional 192-bit security mode with stronger cryptographic algorithms (AES-256-GCM, SHA-384), recommended for particularly sensitive environments.
Opportunistic Wireless Encryption (OWE). Even open Wi-Fi networks (without a password) are encrypted with WPA3. This protects guest networks and public hotspots from passive eavesdropping.
Recommendation for enterprises
Internal Wi-Fi: WPA3-Enterprise with 802.1X authentication. If not all clients support WPA3, a transition mode WPA2/WPA3-Enterprise is possible, supporting both standards simultaneously.
Guest Wi-Fi: WPA3-Personal (SAE) with a regularly rotating password, or WPA3-OWE for an open but encrypted connection. Alternatively: captive portal with individual access registration.
802.1X authentication: how it works
802.1X is an IEEE standard for network-based access control. In the Wi-Fi context, it works as follows:
The three roles
Supplicant (client). The user's device (laptop, smartphone, tablet) that wants to connect to the Wi-Fi.
Authenticator (access point). The access point that controls network access. It forwards the authentication request to the RADIUS server.
Authentication server (RADIUS). The server that verifies the user's identity and tells the access point whether access is granted. Typical RADIUS servers: Microsoft NPS (Network Policy Server, part of Windows Server, integrated with Active Directory), FreeRADIUS (open source), Cisco ISE, Aruba ClearPass.
The authentication flow
- The client connects to the Wi-Fi (SSID)
- The access point blocks all network traffic except EAP authentication messages
- The client sends its credentials (username/password or certificate) to the access point in encrypted form
- The access point forwards the data to the RADIUS server
- The RADIUS server verifies the credentials (e.g. against Active Directory)
- On successful authentication, the RADIUS server tells the access point that access is granted
- The RADIUS server can additionally send a VLAN assignment (dynamic VLAN assignment)
- The access point enables network access
EAP methods: which to choose?
EAP (Extensible Authentication Protocol) defines how authentication works in detail. The key methods:
EAP-TLS (certificate-based). Both the server and the client authenticate with a digital certificate. The most secure method because no passwords are transmitted and stolen passwords are useless. Requires a PKI (Public Key Infrastructure) for distributing client certificates.
PEAP (Protected EAP). The server authenticates with a certificate, the client authenticates with a username and password within an encrypted TLS tunnel. The most widely used method because it requires no client certificates and works with Active Directory credentials.
EAP-TTLS (Tunneled TLS). Similar to PEAP but more flexible in inner authentication methods. Frequently used in combination with PAP (Password Authentication Protocol) within the TLS tunnel.
Recommendation: PEAP (MSCHAPv2) as a starting point because it works with existing Active Directory credentials and requires no PKI. Medium-term: migration to EAP-TLS with client certificates for maximum security.
Dynamic VLAN assignment
A particularly powerful feature of 802.1X: the RADIUS server can tell the access point not only whether access is granted but also which VLAN the client should be placed in.
Example: an IT department employee connects to the Wi-Fi. The RADIUS server recognises their group membership in Active Directory (group "IT Department") and assigns them to VLAN 10 (server access). An accounting employee connects and is assigned to VLAN 20 (standard client network). A guest logs into the guest portal and is assigned to VLAN 100 (guest network, internet only).
This way, different user groups automatically receive the appropriate network access without needing to operate separate SSIDs.
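As an added illustration (not code from this article or from any RADIUS product), the following Python shows what the RADIUS server actually returns for dynamic VLAN assignment: the three RFC 2868 tunnel attributes in the Access-Accept, with the VLAN ID carried as a string in Tunnel-Private-Group-ID. The group names and VLAN numbers follow the scenario above; the first-match ordering and the reject-when-no-group-matches policy are assumptions.

```python
"""Dynamic VLAN assignment: encode the RFC 2868 tunnel attributes a RADIUS
server returns in an Access-Accept so the access point places the 802.1X
client in a VLAN. Added example; group/VLAN values follow the article's
scenario, the policy (first match wins, no match = reject) is an assumption."""
import struct

TUNNEL_TYPE = 64               # RADIUS attribute codes (RFC 2868)
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value "VLAN" (RFC 3580)
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type value "IEEE-802"

# Ordered: the first matching directory group wins, so the most privileged
# role comes first. Constructed mapping following the article's example.
GROUP_VLANS = [("IT Department", 10), ("Accounting", 20), ("Guests", 100)]


def vlan_for_groups(groups):
    """VLAN for a user's group memberships, or None to reject: a user with
    no mapped group must not silently land in a privileged VLAN."""
    member = set(groups)
    for group, vlan in GROUP_VLANS:
        if group in member:
            return vlan
    return None


def _tagged_int(attr_type, tag, value):
    # Type, Length (always 6), Tag, 3-byte big-endian integer value
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def _tagged_string(attr_type, tag, text):
    data = text.encode("ascii")
    # Type, Length (2 header bytes + tag + string), Tag, string
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def vlan_reply_attributes(vlan_id, tag=1):
    """Bytes of the three attributes the access point needs for the VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    return (_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + _tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def authorize(groups):
    """Reply attributes for an Access-Accept, or None meaning Access-Reject."""
    vlan = vlan_for_groups(groups)
    return None if vlan is None else vlan_reply_attributes(vlan)
```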
Guest Wi-Fi: proper isolation
A guest Wi-Fi belongs in every company. Visitors, customers, tradespeople and external contractors expect internet access and should have it. But under no circumstances should they be able to access the internal network.
Guest Wi-Fi architecture
Dedicated SSID. The guest Wi-Fi gets its own SSID (e.g. "CompanyName-Guest"). It runs on the same access points as the internal Wi-Fi but in a separate VLAN.
Dedicated VLAN. The guest VLAN is fully separated from the internal network at Layer 2. No routing between the guest VLAN and internal VLANs.
Firewall rules. The firewall allows the guest VLAN only internet access (HTTP, HTTPS, DNS). All access to internal IP ranges is blocked. Access to the management interfaces of network devices (firewall, switches, access points) is also blocked.
Client isolation. Within the guest Wi-Fi, clients cannot communicate with each other. A guest cannot access another guest's laptop. This feature is called "client isolation", "AP isolation" or "station isolation" depending on the vendor.
Bandwidth limiting. Limit the bandwidth per guest client so that a single guest does not consume all the internet bandwidth.
Access control for guests
Option 1: Simple password. A shared password that is changed regularly (weekly or monthly). Simple but no individual tracking.
Option 2: Captive portal. On first access, the guest is redirected to a login page. There they accept the terms of use and optionally enter their name and email address. Provides individual tracking and legal protection.
Option 3: Voucher system. Individual access codes are issued at reception, valid for a limited time (e.g. 8 hours). Good balance between security and user-friendliness.
Option 4: Sponsored access. An employee "sponsors" the guest access via a portal. The guest receives an email or SMS with the credentials. Full traceability and time limitation.
Detecting rogue access points
A rogue access point is an unauthorised access point connected to the corporate network. This could be an attacker who places their own access point in the building, but more commonly it is an employee who brings a personal access point because the Wi-Fi coverage in their office is poor.
Both scenarios are dangerous: a rogue access point bypasses the Wi-Fi security measures (802.1X, VLAN isolation) and provides uncontrolled network access.
Detection
Wi-Fi controller with rogue detection. Most enterprise Wi-Fi controllers (Cisco, Aruba, Ubiquiti, Ruckus) have integrated rogue detection. The authorised access points continuously scan the environment and report unknown access points to the controller.
Wireless Intrusion Detection System (WIDS). Specialised systems that monitor the radio spectrum and detect suspicious activity: rogue access points, evil twin attacks (an access point that imitates the company's SSID), deauthentication attacks.
NAC (Network Access Control). As part of network segmentation, a NAC system checks every device that connects to the network (wired or wireless). Unauthorised devices, including rogue access points, are blocked or redirected to a quarantine VLAN.
Prevention
- Policy prohibiting the bringing and connecting of personal access points
- Port security on switches: only authorised MAC addresses may send traffic
- 802.1X on wired ports as well: only authenticated devices receive network access
- Regular physical inspections of office spaces
Wi-Fi monitoring and troubleshooting
What you should monitor
- Number of connected clients per access point: Overloaded access points deliver poor performance and can cause disconnections
- Failed authentication attempts: Frequent failures may indicate brute-force attacks
- Rogue access points: Continuous monitoring for unauthorised access points
- Channel utilisation and interference: Neighbouring Wi-Fi networks, Bluetooth devices and microwaves can impair signal quality
- Firmware status: Are all access points on the current firmware version?
Logging and auditing
Log all Wi-Fi-related events:
- Successful and failed authentications (with username, MAC address, timestamp)
- VLAN assignments
- Rogue detection alarms
- Configuration changes
These logs feed into your central log management and form the basis for evaluation within your ISMS. In ISMS Lite, you document the Wi-Fi security measures as technical controls and link them to the relevant risks from your risk assessment.
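An added example, not the article's own code: a small Python detector that turns the "failed authentication attempts" item from the monitoring list and the authentication log entries above into an alert, flagging bursts of failed authentications keyed by username and by client MAC. The log lines and their format are constructed for the demonstration and are not the native format of NPS or FreeRADIUS.

```python
"""Flag bursts of failed 802.1X authentications (possible password guessing)
in a Wi-Fi authentication log. Added example; the log format and the sample
lines below are constructed and are not the native NPS or FreeRADIUS format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>ok|fail) user=(?P<user>\S+) mac=(?P<mac>\S+)")

# Constructed sample: j.doe fails five times in 35 seconds from one MAC;
# a.schmidt has two isolated failures 25 minutes apart, then succeeds.
SAMPLE_LOG = """\
2024-05-02T08:00:10Z auth=fail user=j.doe mac=aa:bb:cc:00:00:02 ap=AP-03
2024-05-02T08:00:15Z auth=fail user=j.doe mac=aa:bb:cc:00:00:02 ap=AP-03
2024-05-02T08:00:21Z auth=fail user=j.doe mac=aa:bb:cc:00:00:02 ap=AP-03
2024-05-02T08:00:30Z auth=fail user=j.doe mac=aa:bb:cc:00:00:02 ap=AP-03
2024-05-02T08:00:44Z auth=fail user=j.doe mac=aa:bb:cc:00:00:02 ap=AP-03
2024-05-02T08:05:00Z auth=fail user=a.schmidt mac=aa:bb:cc:00:00:03 ap=AP-02
2024-05-02T08:30:00Z auth=fail user=a.schmidt mac=aa:bb:cc:00:00:03 ap=AP-02
2024-05-02T09:00:00Z auth=ok user=a.schmidt mac=aa:bb:cc:00:00:03 ap=AP-02
"""


def parse_events(text):
    """Parse log lines into dicts; lines in an unexpected format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append({"ts": ts, "result": m["result"],
                           "user": m["user"], "mac": m["mac"]})
    return events


def failure_bursts(events, by, threshold=5, window_minutes=10):
    """{key: peak_failures} for every key ('user' or 'mac') that has at least
    `threshold` failed attempts inside any sliding window of window_minutes."""
    window = timedelta(minutes=window_minutes)
    fails = defaultdict(list)
    for ev in events:
        if ev["result"] == "fail":
            fails[ev[by]].append(ev["ts"])
    alerts = {}
    for key, times in fails.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[key] = max(alerts.get(key, 0), count)
    return alerts
```

Keying by MAC as well as by username catches an attempt that cycles through many usernames from one device, which a per-user count alone would miss.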
Evil twin attacks: the underestimated threat
An evil twin is a malicious access point that broadcasts the same SSID as your corporate Wi-Fi. The attacker places a powerful access point near your building (car park, neighbouring building, even inside the building itself). Clients that connect send their data through the attacker's access point, which can intercept and manipulate all traffic.
With WPA2-Personal, protection against evil twins is limited: if the attacker knows the pre-shared key (or none is configured), clients automatically connect to the stronger signal. With WPA3-Enterprise and 802.1X, protection is significantly better because the client verifies the RADIUS server certificate. If the evil twin cannot present a valid certificate, the client refuses the connection.
The prerequisite is that clients are correctly configured and validate the RADIUS server certificate. In practice, certificate validation is disabled or incorrectly configured on many clients. Check the supplicant configuration on all managed devices and ensure the RADIUS server certificate (or the issuing CA) is stored as trusted.
Wi-Fi policy: what you should document
A Wi-Fi policy belongs in every ISMS. It defines the binding requirements for operating and using wireless networks in the company. Typical contents:
- Which Wi-Fi standards and encryption methods are used (WPA3-Enterprise, 802.1X)
- Which authentication methods are employed (PEAP, EAP-TLS)
- How the guest Wi-Fi is configured and isolated
- Who may install and configure access points (IT department only)
- That bringing and connecting personal access points is prohibited
- How frequently firmware updates and configuration reviews are performed
- Which monitoring and logging measures are active
- Who must be informed in case of Wi-Fi security incidents
Best practices at a glance
Encryption: WPA3-Enterprise with 802.1X. No WPA2-Personal on the corporate network.
Authentication: PEAP (MSCHAPv2) as a starting point, EAP-TLS with client certificates as the goal.
Guest Wi-Fi: Dedicated SSID, dedicated VLAN, full isolation, client isolation enabled, bandwidth limiting.
SSID naming: Use descriptive but not overly detailed SSID names. "CompanyName" is better than "CompanyName-Internal-VLAN10". Do not hide the SSID (hidden SSID): it provides no security benefit and only complicates troubleshooting.
Transmit power: Reduce transmit power so that coverage within the building is sufficient but as little signal as possible leaks outside.
Firmware updates: Keep the firmware of all access points up to date. Automatic updates are possible and recommended in many controller-based solutions.
Management access: Access to the management interface of access points and the Wi-Fi controller is restricted to the management VLAN and secured with MFA.
Regular review: At least annually: review Wi-Fi configuration, evaluate rogue detection results, check firmware status, update access policies.
Further reading
- Firewall configuration for SMEs: rules, zones and best practices
- Network segmentation for SMEs: why and how to segment your network
- Choosing a VPN solution: WireGuard, OpenVPN or IPsec?
- Zero trust for mid-market companies: principles and practical implementation
- Implementing MFA: multi-factor authentication in the enterprise
A secure corporate Wi-Fi is not rocket science, but it requires more than an access point from the electronics store and a sticky note with the Wi-Fi password at reception. WPA3-Enterprise, 802.1X, VLAN isolation and continuous monitoring are the building blocks that turn a convenience feature into a secure network segment.
