About this guide
This guide explains the different types of network authentication you can configure in Iru Endpoint. It compares non-enterprise and enterprise Wi-Fi options so you can choose the right approach for your environment. For step-by-step configuration of network access, see the related articles at the end of this guide.
Non-Enterprise Wi-Fi Authentication
When you’re setting up a Wi-Fi network in Iru Endpoint, you need to choose an authentication type. If your environment doesn’t require enterprise-level authentication (like 802.1X), you have several options, each with different strengths and tradeoffs.
Types of non-enterprise authentication
- WPA3 Personal: Newer standard with stronger protection, including against offline password guessing. Prefer for new hardware when devices and access points support it.
- Mixed-mode (WPA2/WPA3): Allows both WPA2 and WPA3. Useful during transition; note that overall security is limited by the weakest client.
- WPA2 Personal: Current standard for most Wi-Fi without enterprise auth. Strong encryption (AES), widely supported. Good balance of security and ease of use for small and medium organizations; use a strong, unique password.
- WPA Personal (WPA-PSK): Shared password (pre-shared key). Largely replaced by WPA2 and WPA3. Use only for older devices; choose a strong password and plan to upgrade.
- WEP (Wired Equivalent Privacy): Older protocol, now considered insecure and easily cracked. Use only for legacy devices that cannot support anything else; keep it isolated from sensitive data.
- Open networks: No password required. Anyone in range can connect. There is no encryption, so data is not protected. Best for public guest Wi-Fi or testing only; avoid for business use.
Comparison: non-enterprise Wi-Fi types
| Protocol | Authentication | Security level | Compatibility | Use cases | Notes |
|---|---|---|---|---|---|
| WPA3 Personal | SAE | Very high | Newer devices | New deployments, high-security environments | Latest standard; improved security features. |
| Mixed-mode (WPA2/WPA3) | PSK, SAE | Variable | Mixed device environments | Transitioning networks | Security depends on the weakest link. |
| WPA2 Personal | Pre-shared key (PSK) | High | Most modern devices | Home, small to medium businesses | Current standard; strong encryption. |
| WPA Personal | Pre-shared key (PSK) | Moderate | Older devices | Small networks, temporary setups | Superseded by WPA2; use only if necessary. |
| WEP | Shared key | Low | Legacy devices | Legacy systems | Easily cracked; not recommended for sensitive data. |
| Open networks | None | Very low | Universal | Public Wi-Fi, testing | No encryption; easy to join but insecure. |
Enterprise Wi-Fi Authentication
Enterprise Wi-Fi uses 802.1X to control who can join the network. Instead of a shared password, each user or device is authenticated individually, usually with credentials and often digital certificates. This improves security and makes it easier to manage access at scale.
How 802.1X works
Four components are involved:
- MDM (Iru Endpoint): Configures devices with credentials for 802.1X and deploys identity certificates (e.g., via SCEP or PKCS #12) so that methods like EAP-TLS work when the device connects.
- Supplicant: The device (e.g. Mac, Windows laptop, or phone) that wants to connect, using credentials and certificates that MDM has deployed.
- Authenticator: The network device (e.g. access point or switch) that acts as the gatekeeper.
- Authentication server: Usually a RADIUS server; it checks credentials and tells the authenticator whether to allow access.
Enterprise authentication types
- WPA3 Enterprise: Builds on WPA2 Enterprise with stronger encryption and extra protections. Requires server certificate validation so users connect to the right network. Adds Management Frame Protection (MFP) to help prevent certain attacks. Optional 192-bit mode is available for highly sensitive environments.
- WPA2 Enterprise: Pairs 802.1X with strong encryption (AES). Each user has a unique login; you can use passwords, certificates, or multi-factor authentication. Widely supported and the most common choice for organizations that need strong Wi-Fi security.
Comparison: enterprise Wi-Fi types
| Protocol | Authentication | Security level | Key features | Use cases | Notes |
|---|---|---|---|---|---|
| WPA3 Enterprise | 802.1X, per-user | Very high | Server cert validation; MFP; optional 192-bit mode | New deployments, high-security environments | Builds on WPA2 with stronger protections |
| WPA2 Enterprise | 802.1X, per-user | High | AES encryption; passwords, certificates, or MFA; widely supported | Most organizations needing strong Wi-Fi security | Most common choice for enterprise Wi-Fi |
EAP types
The method used to authenticate users is the Extensible Authentication Protocol (EAP). Common types (from highest to lowest security):
- EAP-TLS: Uses client and server certificates for mutual authentication. Very secure but requires certificate management.
- PEAP and EAP-TTLS: Use server certificates and user credentials (e.g. username and password). Easier to manage than EAP-TLS and still secure.
- Other types (e.g. EAP-FAST, LEAP) exist but are less common and not recommended for new deployments.
Comparison: EAP types
| EAP type | Authentication | Security | Notes |
|---|---|---|---|
| EAP-TLS | Client and server certificates (mutual auth) | Very high | Very secure; requires certificate management |
| PEAP / EAP-TTLS | Server certificates + user credentials (e.g. username and password) | High | Easier to manage than EAP-TLS; still secure |
| EAP-FAST, LEAP | Various | Lower / legacy | Less common; not recommended for new deployments |
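To check deployed Wi-Fi settings against the rankings in the tables above, the following added example (not Iru's own code) parses a configuration profile and flags the options this guide rates low or legacy, plus missing server certificate validation. It assumes the settings are delivered as an Apple `com.apple.wifi.managed` payload; the function names and the sample profile are constructed for illustration.

```python
import plistlib

# Ratings follow the comparison tables in this guide. Key names are assumed to be
# Apple's com.apple.wifi.managed payload keys; EAP numbers are IANA EAP method types.
WEAK_ENCRYPTION = {
    "None": "open network: no encryption",
    "WEP": "WEP: easily cracked",
    "WPA": "WPA: superseded by WPA2",
    "Any": "Any: encryption type is not pinned",
}
LEGACY_EAP = {17: "LEAP", 43: "EAP-FAST"}
EAP_TLS, WIFI = 13, "com.apple.wifi.managed"

def audit_wifi_payload(payload):
    findings = []
    enc = payload.get("EncryptionType", "Any")
    if enc in WEAK_ENCRYPTION:
        findings.append(WEAK_ENCRYPTION[enc])
    eap = payload.get("EAPClientConfiguration")
    if eap is None:
        return findings  # personal or open network: no 802.1X settings to check
    accepted = eap.get("AcceptEAPTypes", [])
    findings += [f"{LEGACY_EAP[t]} accepted: not recommended for new deployments"
                 for t in accepted if t in LEGACY_EAP]
    # With no trusted server name or anchor, the client cannot verify the RADIUS server.
    if not (eap.get("TLSTrustedServerNames") or eap.get("PayloadCertificateAnchorUUID")):
        findings.append("no server certificate validation configured")
    if EAP_TLS in accepted and not payload.get("PayloadCertificateUUID"):
        findings.append("EAP-TLS accepted but no identity certificate referenced")
    return findings

def audit_profile(profile_bytes):
    # Map each SSID in a configuration profile (plist bytes) to its findings.
    profile = plistlib.loads(profile_bytes)
    return {p.get("SSID_STR", "?"): audit_wifi_payload(p)
            for p in profile.get("PayloadContent", []) if p.get("PayloadType") == WIFI}

# Constructed sample profile (not from the guide): three SSIDs with different settings.
SAMPLE = plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
    {"PayloadType": WIFI, "SSID_STR": "Corp", "EncryptionType": "WPA2",
     "PayloadCertificateUUID": "00000000-0000-0000-0000-000000000001",
     "EAPClientConfiguration": {"AcceptEAPTypes": [13],
                                "TLSTrustedServerNames": ["radius.example.com"]}},
    {"PayloadType": WIFI, "SSID_STR": "Corp-Old", "EncryptionType": "WPA2",
     "EAPClientConfiguration": {"AcceptEAPTypes": [25, 17]}},
    {"PayloadType": WIFI, "SSID_STR": "Lab", "EncryptionType": "WEP"},
]})

if __name__ == "__main__":
    print(audit_profile(SAMPLE))
```

An empty findings list means the payload uses only options the guide rates high or very high and pins the authentication server.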
Why choose enterprise authentication?
- Per-user or per-device credentials; no shared password to leak.
- Centralized access control; disabling an account revokes Wi-Fi access immediately.
- Support for certificate-based auth and multi-factor authentication.
- Detailed logging and auditing for compliance and troubleshooting.
Infrastructure requirements
Enterprise authentication requires extra infrastructure: a RADIUS server and, for certificate-based setups, a certificate authority. Many organizations already have these or use cloud-based options. For more on certificates and 802.1X, see Using Identity Certificates for 802.1X Authentication.
Related articles
- Configure the Wi-Fi Library Item: Configure the Wi-Fi Library Item for network deployment
- Configure the Ethernet Library Item: Configure 802.1X authentication for wired networks
- Using Identity Certificates for 802.1X Authentication: Use identity certificates for 802.1X authentication
- Configure EAP Extensible Authentication Protocol Types: Configure EAP types for 802.1X authentication