Hello guys!
I have a WiFi network dedicated to company smartphones. It uses WPA2-PSK and I would like to make it more secure than just typing a password.
My idea at this point is to generate a “global” certificate, install it on smartphones and use RADIUS to check it. But…
- Is it possible to use both methods simultaneously? Not like checking WPA2-PSK and WPA2-EAP on MikroTik APs, which means “one OR another”, but “one AND another”? The WPA2 password is configured on the APs, so at this point for this wireless profile access is granted on AP site.
- If the answer to the above is “yes”, does it mean that I don’t need to forget the WiFi SSID on all mobile devices and add/remember it again?
Maybe someone did something similar for smartphones and could share another solution (I mean “secure WiFi connection for company smartphones”)? All devices are added to an MDM system so I can globally “do some things”.
Hello!
Maybe someone will look for something like that in the future.
I have decided to install a certificate and a NEW network profile through the MDM system on the mobiles.
I have changed the SSID name and authorization method on the Access Points (without changing the VLAN ID, because it’s easier and I won’t use that old SSID).
I have added an AD user to an AD group and use RADIUS to check the certificate and user group membership for that SSID.
This way I don’t need to forget the old profile on all mobiles (new SSID) and a new one, which is better secured, is added automatically.
At the beginning I asked about “double” authorization because of the old profile.
PS: It’s not so colorful for me because I don’t have LDAP running between the AD Controller and the MDM system, which is a pain in the ass for future functionalities like “more network access for some privileged users”, but life goes on…
Case closed.