After more development, WPA2 and the TKIP encryption algorithm were created. WPA2 is equivalent with the 802.11i standard. WPA2 provides AES encryption, 802.1X authentication, dynamic key management. For enterprises, WPA2 includes a connection to a Remote Authentication Dial In User Server (RADIUS).
In wireless networks, user authentication is managed by Extensible Authentication Protocol (EAP). In an enterprise WLAN the authentication process is the following:
- The authentication process creates a virtual port for each WLAN client at the access point.
- The AP blocks all data frames except for 802.1x-based traffic.
- 802.1x frames carry EAP authentication packets via the AP to an Authentication, Authorization and Account (AAA) server running a RADIUS protocol.
- If the EAP authentication is successful, the server sends an EAP success message to the AP, which then allows the client to send data through the virtual port.
- Before opening the virtual port, data link encryption between the WLAN client and the AP is established to ensure that no other WLAN client can access the port that has been established for a given authenticated client.
Additional security measures you can take is to filter the clients based on their MAC address and don’t broadcast the SSID of your WLAN, but don’t use these measures without WPA2, because they are not enough to consider your wireless network secured.