You’ve heard us talk a lot about digital certificates as a way to deliver secure onboarding and network authentication in support of Bring Your Own Device (BYOD) initiatives. Digital certificates provide a much higher level of security than conventional pre-shared keys, which are typically the default method of providing Wi-Fi network access for internal BYOD users. You may remember Ruckus’ previous blog about the security problems associated with conventional PSKs and MAC authentication.
Certificates ensure that every session is secure because data in transit is encrypted using WPA2-Enterprise, as well as providing a variety of other security measures. Certificate-based authentication also improves end-user and IT experience because as long as the certificate remains valid, users don’t have to enter login credentials again after initial onboarding.
Digital certs are often not appropriate for guest users though—in which case a technology called a dynamic pre-shared key (DPSK) can help optimise both security and usability.
Why Not Just Use Digital Certificates for Guest Wi-Fi Access?
Certificates work great for internal BYOD users, who need network access on an ongoing basis. However, they require the user to download and install the certificate on their device as part of the onboarding process. You could take this approach for guest users too—the up-front investment of time for the user is not onerous. But it probably does not make sense from a usability perspective for someone who will only be in your environment for an hour or a day. And yet you don’t want to revert to default measures such as conventional PSKs and MAC authentication due to the security issues mentioned previously. Ideally, you want to employ an alternative method that provides similar security benefits while not asking the guest user to download a certificate.
Why Dynamic Pre-Shared Keys Are the Answer for Guest Wi-Fi Access
Dynamic pre-shared keys are a Ruckus-patented technology found in Cloudpath Enrollment System, our software/SaaS platform for delivering secure network access for BYOD, guest users, and IT-owned devices (including IoT devices). DPSKs fit the guest access use case perfectly. With DPSKs, each user gets a unique access code for Wi-Fi access, which the Cloudpath system provides by SMS, email, or even printed voucher.
Organisations usually let guest users access only the internet—not internal network servers—over the wired/wireless connection. You still want to associate every device with a user, perform an up-front posture check during onboarding, and apply relevant policies. It’s also important to be able to revoke access at any time for specific users and devices. (Imagine if you became aware that a visitor was using that network connection to do something malicious such as sending spam emails linking to a phishing site. You’d want to revoke their access in a hurry. Now, we’re sure your guests would not do that, but better safe than sorry.) Encryption for data in transit may not be as critical for guest users, but it’s not a bad idea either.
The DPSK method for network authentication, in the context of Cloudpath Enrollment System, lets you do all of these things. Since it does not require the user to install a certificate, you increase security while also optimising usability for your visitors.
The “D” in DPSK Makes All the Difference for Secure Wi-Fi
DPSK and PSK can’t be that different right, since only a “D” separates them? Quite the opposite! Most of the security measures referenced above simply don’t exist with a conventional PSK. That’s why we are so careful to use the term “conventional” or “traditional” when we refer to the garden-variety PSK. Sure, it encrypts data between the device and the access point. But that’s where the similarity ends. Using conventional PSKs, you could potentially direct guests to a separate SSID with only internet access, supplying them with the relevant PSK. But they could share that PSK with anyone or use it past the time of their visit.
Remember, with traditional PSKs everyone accessing a given SSID uses the same key. With DPSKs, each guest user gets his or her own access key. That “D” in front of PSK makes all the difference because it provides much greater security for users, devices, and the network. Think of the DPSK as a precision surgical scalpel in comparison to the blunt instrument that is the PSK. Organisations often also use MAC authentication via captive portal for providing guest access—which also fails to provide adequate levels of protection. (Once more, refer to our previous blog to understand the shortcomings of the default methods, which the patented DPSK technology in Cloudpath software addresses.)
Digital Certificates and DPSKs—Secure Network Access for BYOD, Guest and Even IoT Devices
In summary, digital certificates and DPSKs are a great tandem. Cloudpath Enrollment System uses both technologies for streamlined secure onboarding and network authentication. It supports both internal users (with digital certificates) and guest users (typically with DPSKs). Cloudpath software also supports IT-owned devices. As IoT devices become more common in enterprise environments, schools, and institutions of higher education, certificates and DPSKs are also a great way to securely support those devices. DPSKs will be especially important for consumer IoT devices that make their way into enterprise environments because many of those devices are not equipped to accept certificates. But that’s a topic for another blog.