I have found myself in a situation where I need to setup a somewhat secure Wifi network. I am primarily concerned about these attacks, however I welcome any advice about other attacks that I should be concerned with as well:
- An unauthorized party gaining access to the network without any prior knowledge (eg. by a neighbor brute-forcing the PSK)
- A user that is authorized to use the network as a user (eg. no access to the router's admin panel or the RADIUS server) decrypting another user's data to violate their privacy
- A 3rd party attacker (or an authorized user) that sets up an evil twin attack and is able to get the PSK (or RADIUS credentials) and/or the data itself, thus violating all users' privacy and/or accessing the network without authorization
My research tells me that the normal standard that I have used for years, WPA2 PSK with AES, is vulnerable to all but the first attack. Upon further reading, I have discovered WPA2 enterprise and that it is supposed to be more secure against these types of attacks. It appears to have many different modes, however (eg. What is the difference between EAP, PEAP, and MSCHAP?), and I am finding conflicting and incomplete information about whether or not it is vulnerable to the middle (conflicting information) and last attack (no information).
As such, I ask, what is the best way to setup Wifi to be secure against all three of these attacks? I suspect that some sort of SSH-style key will need to be given to each client, along with an AP/server key that the client can use to defend itself against evil twin attacks, but I can't find anything that precisely describes how to set this up. I am looking for instructions as precise as something like this, for high quality TLS.