Network Authentication Overview


This guide covers the different types of network you can configure in Kandji. For instructions on configuring network access Library Items, please see our Configure the WiFi Library Item and Configure the Ethernet Library Item support articles.

When you're setting up a Wi-Fi network in Kandji, you'll need to choose an authentication type. If your environment doesn't require enterprise-level authentication (like 802.1X), you have a few solid options, each with its own strengths and considerations.

  • Open networks don't require a password. Anyone within range can connect. While that makes them easy to join, it also means that there is no encryption, so data sent over the network is not protected. Open networks are best reserved for situations where security is not a concern, such as public guest Wi-Fi or simple testing environments. For most business use cases, you'll want something more secure.

  • WEP (Wired Equivalent Privacy) is an older security protocol. It was designed to offer basic protection, but it's now widely considered insecure. WEP can be cracked quickly with widely available tools, so it's not recommended unless you have legacy devices that can't use anything else. If you need to use WEP, keep that network isolated from any sensitive information.

  • WPA Personal uses a shared password (pre-shared key) for network access. It was introduced as an upgrade from WEP, but it has now been largely replaced by WPA2 and WPA3. WPA Personal is only recommended for older devices that can't use newer protocols. If you do use it, choose a strong, unique password and plan to upgrade as soon as you can.

  • WPA2 Personal is the current standard for most Wi-Fi networks that don't use enterprise authentication. It uses stronger encryption (AES) and is widely supported. For most small and medium-sized organizations, WPA2 Personal strikes a good balance between security and ease of use. Just make sure your password is strong: long, random, and not something you'd find in a dictionary.

  • WPA3 Personal is the latest evolution in Wi-Fi security. It's designed to be even harder to crack, even if someone tries to guess your password offline. It also provides better protection for data, even if someone manages to get your password later. WPA3 is a great choice if your devices and network equipment support it. If you're rolling out new hardware, it's worth enabling.

  • Mixed-mode networks allow you to enable both WPA2 and WPA3 at the same time. It's helpful if you have a mix of older and newer devices. Just keep in mind: devices that only support WPA2 will still connect using that protocol, so your network's overall security is only as strong as its weakest link.

| Protocol | Authentication | Security Level | Compatibility | Use Cases | Notes |
|---|---|---|---|---|---|
| Open Networks | None | Very Low | Universal | Public Wi-Fi, testing | No encryption, easy to join but insecure. |
| WEP | Shared Key | Low | Legacy Devices | Legacy systems | Easily cracked, not recommended for sensitive data. |
| WPA Personal (WPA-PSK) | Pre-Shared Key (PSK) | Moderate | Older Devices | Small networks, temporary setups | Superseded by WPA2, use only if necessary. |
| WPA2 Personal | Pre-Shared Key (PSK) | High | Most Modern Devices | Home, small to medium businesses | Current standard, strong encryption. |
| WPA3 Personal | Simultaneous Authentication of Equals (SAE) | Very High | Newer Devices | New deployments, high-security environments | Latest standard, improved security features. |
| Mixed Mode (WPA2/WPA3) | PSK, SAE | Variable (depends on device) | Mixed Device Environments | Transitioning networks | Allows both WPA2 and WPA3 devices to connect, security depends on the weakest link. |

Enterprise Wi-Fi uses 802.1X authentication to control who can join your network. Instead of a shared password, each user or device is authenticated individually, usually through a combination of credentials and digital certificates. This approach provides better security and makes it easier to manage access at scale.

802.1X authentication involves three main components:

  • Supplicant - This is the device (like a Mac or iPhone) that wants to connect.

  • Authenticator - Usually a network device, such as a wireless access point, which acts as the gatekeeper.

  • Authentication Server - Typically a RADIUS server, which checks the credentials and decides whether to allow access.

When a device tries to join the network, it provides credentials to the authenticator, which passes them to the authentication server. If the credentials check out, the device is granted access.

  • WPA2 Enterprise

    • WPA2 Enterprise pairs 802.1X with strong encryption (AES). Each user gets a unique login, and you can use passwords, digital certificates, or even multi-factor authentication. This setup is widely supported and remains the most common choice for organizations that need robust Wi-Fi security.

  • WPA3 Enterprise

    • WPA3 Enterprise builds on WPA2 Enterprise by adding stronger encryption and additional protections. It requires server certificate validation, which helps ensure users are connecting to the right network. WPA3 also introduces Management Frame Protection (MFP), which helps prevent certain types of attacks that can disrupt connections or trick users into joining rogue networks. There's also an optional 192-bit mode for environments with especially sensitive data.

The actual method used to authenticate users is called the Extensible Authentication Protocol (EAP). Common EAP types include:

  • EAP-TLS - Uses client and server certificates for mutual authentication. This method is very secure, but requires certificate management.

  • PEAP and EAP-TTLS - Use server certificates and user credentials (like usernames and passwords). Easier to manage than EAP-TLS, but still secure.

  • Other types, such as EAP-FAST or LEAP, exist but are less common and not recommended for new deployments.

Enterprise authentication offers several benefits:

  • Each user or device has their own credentials, so you don't have to worry about a shared password leaking.

  • Access can be managed centrally: disable a user's account, and they lose Wi-Fi access instantly.

  • Supports advanced security features like certificate-based authentication and multi-factor authentication.

  • Provides detailed logging and auditing for compliance and troubleshooting.

Enterprise authentication requires additional infrastructure, namely a RADIUS server and, for certificate-based setups, a certificate authority. Most organizations already have these in place, or can use cloud-based solutions. Once set up, the benefits in security and manageability are significant.
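
As an added example (not Kandji's own code), the recommendations in this guide can be checked against an exported Wi-Fi configuration profile before it is deployed. The script assumes an unsigned profile that uses Apple's `com.apple.wifi.managed` payload keys; the SSIDs and the server name in the sample are constructed.

```python
import plistlib

# EAP method numbers used in AcceptEAPTypes (IANA EAP registry values).
EAP_NAMES = {13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP", 43: "EAP-FAST"}
DISCOURAGED_EAP = {17, 43}  # LEAP, EAP-FAST: not recommended for new deployments
WEAK_ENCRYPTION = {
    "None": "open network, no encryption",
    "WEP": "WEP is easily cracked",
    "WPA": "original WPA allowed, superseded by WPA2/WPA3",
}

def audit_wifi_profile(profile_bytes):
    """Return (ssid, finding) tuples for every Wi-Fi payload in a profile."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        ssid = payload.get("SSID_STR", "<no SSID>")
        enc = payload.get("EncryptionType")
        if enc in WEAK_ENCRYPTION:
            findings.append((ssid, WEAK_ENCRYPTION[enc]))
        eap = payload.get("EAPClientConfiguration")
        if eap is None:
            continue  # open or personal network: no 802.1X settings to check
        for eap_type in eap.get("AcceptEAPTypes", []):
            if eap_type in DISCOURAGED_EAP:
                findings.append((ssid, f"{EAP_NAMES[eap_type]} accepted"))
        # With neither a trusted server name nor an anchor certificate, the
        # supplicant cannot confirm it is talking to the intended RADIUS server.
        if not (eap.get("TLSTrustedServerNames") or eap.get("PayloadCertificateAnchorUUID")):
            findings.append((ssid, "no server certificate trust configured"))
    return findings

def wifi(ssid, enc, eap=None):
    """Build one constructed Wi-Fi payload for the sample profile."""
    payload = {"PayloadType": "com.apple.wifi.managed", "SSID_STR": ssid, "EncryptionType": enc}
    if eap is not None:
        payload["EAPClientConfiguration"] = eap
    return payload

# Constructed sample profile (SSIDs and server name are made up).
SAMPLE_PROFILE = plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
    wifi("Lab-Legacy", "WEP"),
    wifi("Corp-PEAP", "WPA2", {"AcceptEAPTypes": [25, 17]}),
    wifi("Corp-TLS", "WPA3", {"AcceptEAPTypes": [13],
                              "TLSTrustedServerNames": ["radius.example.com"]}),
]})

if __name__ == "__main__":
    for ssid, finding in audit_wifi_profile(SAMPLE_PROFILE):
        print(f"{ssid}: {finding}")
```
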