1. Is WPA2 Enterprise overkill for a home wireless network?
  2. Why EAP-TLS?
  3. Can I send feedback?

Is WPA2 Enterprise overkill for a home wireless network?

Yes, it is. You're perfectly fine with WPA2 or WPA3 Personal - as long as you choose a strong password. Here are some reasons why you might want to implement this:

  • Security - Even though it's overkill, why not use the best? - especially if you work from home
  • Privacy - You don't want to share your WiFi password with Google / Apple / etc...
  • Education - You'll have a much better idea of how to configure a wireless network in a professional setting

Why EAP-TLS?

Because it is Simple and Secure.

On a WPA Enterprise network there are several forms of the Extensible Authentication Protocol (EAP) available for authenticating clients. Unfortunately, they are not all equal from a security standpoint and some do not have widespread client support. A comprehensive (or even basic) technical comparison of all the available protocols is beyond the scope of this site, though I encourage you to do some research on this topic.

Of the protocols, EAP-TLS has universal client support and is considered to be among the most secure. That is why I chose to higlight this protocol here.

In terms of simplicity it is hard to find a better authentication method without comprimising security. The protocol only consists of a TLS handshake, which quickly verifies the identity of both the client and the server. There is no inner tunnel to configure on the RADIUS server, unlike some of the other protocols.

The main drawback of EAP-TLS is that it requires a certificate to be generated and placed on each client. Due to this characteristic, compromising client credentials is considerably more difficult than just stealing a username/password combination - which is what some of the other forms of EAP use. While the process is clearly outlined here, it can be a bit cumbersome if you have a lot of clients to connect to the network.


Can I send feedback?

Absolutely!

I can be contacted at: radius@cifelli.xyz