Most home networks use personal Wi-Fi, which means every device uses the same shared password. It's simple, but all devices get the same level of access, and if you change the password, everyone needs to update their Wi-Fi.
Firewalla AP7 adds more flexibility. It lets you create multiple SSIDs for different devices, or use Personal Keys (PPSK) so each device or group can have its own password (while sharing the same SSID). However, PPSK only works with WPA2, so it cannot use WPA3 or 6 GHz.
That's why Firewalla AP7 supports WPA Enterprise Wi-Fi, which provides per-user credentials, stronger security, and all Wi-Fi bands.
- What is Enterprise Wi-Fi?
- How to use Enterprise Wi-Fi with Firewalla and AP7
- (Advanced) Using RADIUS for 3rd-Party APs
What is Enterprise Wi-Fi?
Enterprise Wi-Fi replaces the single shared password with individual usernames and passwords. As a core principle of Zero Trust Network Architecture, each device proves who it is before joining the network.
Firewalla acts as the local authentication server (RADIUS) automatically, so you can deploy WPA2-Enterprise or WPA3-Enterprise without extra hardware.
Benefits of enterprise Wi-Fi:
- Identity-based access: each device belongs to a user
- Stronger security: each user gets unique encryption keys, so compromised devices don't affect others
- WPA3 + 6 GHz: full support under one SSID
- Automatic grouping: Firewalla automatically assigns devices to the correct user when they connect
Note:
- Firewalla enterprise Wi-Fi can only use its own local RADIUS Server (Firewalla). It cannot work with other 3rd-party servers.
- Role-based (e.g., guest, admin, employee) authentication is not yet supported. Once an enterprise Wi-Fi is created, any user can join using their credentials.
Choosing Between Multiple SSIDs, Personal Keys, and Enterprise Wi-Fi
Different devices have different capabilities and security needs. Here's a simple guide to when to use each option:
- Multiple SSIDs: When you need separate Wi-Fi networks with different security levels. This is especially useful for older IoT devices that only support WPA/WPA2 and can't join newer WPA3 networks.
- Single SSID with Personal Keys (PPSK): When you want one Wi-Fi name but separate passwords for different devices or groups, so that they're automatically assigned. (Note: PPSK requires WPA2, which means it is incompatible with WPA3 and 6 GHz.)
- Enterprise Wi-Fi: When you need user identity, the strongest security, and all Wi-Fi bands, while still automatically assigning devices to users under a single Wi-Fi name.
| Method | Best For | How It Works | Pros | Cons |
|---|---|---|---|---|
| Single SSID | Traditional Wi-Fi | A single SSID + password | Very simple to set up | Shared password for all devices, no device identity before connecting |
| Multiple SSIDs | Old/Legacy IoT devices | Multiple SSIDs + passwords | Works with older devices, different security modes per SSID, easy basic segmentation | Each SSID still shares the same password |
| Single SSID + PPSK | Personal devices, modern IoT, guests | A single SSID + multiple unique keys | Simple to manage, easy access control, automatically sends devices to a group/user | PPSK requires WPA2, so no WPA3 or 6 GHz |
| Enterprise Wi-Fi | Work devices, devices with sensitive data | A single SSID + usernames and passwords for each user | User-based authentication, WPA3 and 6 GHz support, strongest security | Incompatible with many IoT devices |
Layered Design
In a typical consumer network, if you want better security, the best way is to take a layered approach.
- High-value devices + WPA3-Enterprise: Devices such as your phone or laptop often store very sensitive data. These devices will almost always support WPA3-Enterprise. Integrating zero trust with WPA3-Enterprise will help you better identify and secure them.
- IoT devices: Many IoT devices do not support WPA3-Enterprise; the best way to secure them is either to use multiple SSIDs or a single SSID + PPSK.
How to use Enterprise Wi-Fi with Firewalla and AP7
Enterprise Wi-Fi Requirements
- Firewalla Gold or Purple series box in Router or Bridge mode.
- Firewalla Access Point 7 unit.
- App version 1.67 and Box version 1.981 or later.
Create Enterprise Wi-Fi on Firewalla AP7
With AP7, creating an enterprise Wi-Fi is just as easy as any other SSID:
- From your box's main screen, tap Wi-Fi > Create Wi-Fi > set an SSID + password > Create (Note: the password at this point does not matter, as we will be updating it later.)
- Tap into the SSID you just created > Edit (top right corner) > Security > choose an enterprise security
- Tap Save.
(We currently support WPA2-Enterprise and WPA3-Enterprise. A mixed WPA2/WPA3-Enterprise mode is coming soon.)
Note that changing the security to Enterprise will remove all Microsegments (Primary and Additional) for the current SSID, as it uses the local RADIUS server (Firewalla) for authentication. Other SSIDs are not affected.
To connect to enterprise Wi-Fi, you must set up a username and password for each Firewalla User.
Setting Up Usernames and Passwords for RADIUS
Once you've set up your enterprise Wi-Fi, you'll need to set up your User credentials to connect to it.
- From your box's main screen > tap Users > select a User > tap Username & Password.
- Tap Generate Password, and adjust the username and password to your liking.
- Tap Save.
Once saved, you can use the credentials to connect to the enterprise Wi-Fi. Firewalla will automatically assign the device to the configured user.
Note:
- When connecting to any new Firewalla enterprise Wi-Fi SSID, your device may prompt you to trust the Firewalla RADIUS certificate. Please confirm the prompt to complete the connection.
- Migrating box data from one box to another box will migrate over RADIUS configuration without the original certificate. Your devices will need to trust a new certificate when connecting to the new box.
- Some Android devices may require you to select the authentication method. If prompted, please select:
  - EAP Method: PEAP
  - Phase 2 Authentication: MSCHAPV2
  - CA Certificate: Trust on First Use
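For a Linux client, the same PEAP/MSCHAPv2 settings expressed as a wpa_supplicant network block (an added example, not Firewalla's own configuration). The SSID, username, password and certificate path are assumed placeholders, and the certificate file is assumed to hold the Firewalla RADIUS certificate you accepted on first use (how to export it is not covered on this page):

```ini
# /etc/wpa_supplicant/wpa_supplicant.conf (constructed example)
ctrl_interface=/run/wpa_supplicant
update_config=0

network={
    # ASSUMED SSID: the enterprise Wi-Fi created on the AP7
    ssid="Home-Enterprise"

    # WPA2-Enterprise with Protected Management Frames allowed.
    # For WPA3-Enterprise use key_mgmt=WPA-EAP-SHA256 and ieee80211w=2.
    key_mgmt=WPA-EAP
    ieee80211w=1

    # Same choices as the Android settings above:
    # EAP Method: PEAP, Phase 2 Authentication: MSCHAPV2
    eap=PEAP
    phase2="auth=MSCHAPV2"

    # ASSUMED credentials: the username and password set under
    # Users > Username & Password in the Firewalla app
    identity="alice"
    password="PASTE_PASSWORD_FROM_APP"

    # Pin the box's RADIUS certificate after the trust-on-first-use step (ASSUMED path).
    # With ca_cert unset, wpa_supplicant does not verify the server, so pinning
    # ensures the password is only ever sent to your Firewalla box.
    # After migrating to a new box, replace this file with the new certificate.
    ca_cert="/etc/wpa_supplicant/firewalla-radius.pem"
}
```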
(Advanced) Using RADIUS for 3rd-Party APs
NOTE: This advanced feature is only available to Firewalla Boxes in Router Mode using Early Access or Beta Box Release.
If you don't have the AP7 but you have other APs that support enterprise Wi-Fi, you can use your Firewalla as the local RADIUS Server.
- From your box's main screen, tap Services > RADIUS Server > toggle it on.
- If your box is in Early Access or Beta, you'll see Allow 3rd-party APs. Toggle it on, and the app will generate a shared secret to use.
Devices connecting to enterprise Wi-Fi will be prompted for a username and password. Use the usernames and passwords you set up under Firewalla Users.
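For a third-party AP that runs hostapd, pointing it at the Firewalla RADIUS server looks like the following (an added example, not Firewalla's own configuration). The interface, channel, SSID, the box's LAN address, the port (1812 is the RADIUS default; this page does not state which port Firewalla listens on) and the shared secret are assumed placeholders; the secret is the one the app generated when you enabled Allow 3rd-party APs:

```ini
# hostapd.conf on the third-party AP (constructed example)
interface=wlan0
driver=nl80211
# ASSUMED SSID, band and channel
ssid=Home-Enterprise
hw_mode=a
channel=36
ieee80211n=1
ieee80211ac=1
wmm_enabled=1

# 802.1X: the AP relays EAP between the client and the RADIUS server,
# so it never needs to know the users' passwords itself.
ieee8021x=1
eapol_version=2

# WPA2-Enterprise: EAP key management with CCMP, PMF allowed.
# For WPA3-Enterprise use wpa_key_mgmt=WPA-EAP-SHA256 and ieee80211w=2.
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee80211w=1

# Firewalla box as the RADIUS authentication server.
# ASSUMED: the box's LAN address and the default RADIUS port 1812.
auth_server_addr=192.168.1.1
auth_server_port=1812
# ASSUMED placeholder: paste the secret shown under Services > RADIUS Server
auth_server_shared_secret=PASTE_SECRET_FROM_FIREWALLA_APP

# Optional: name this AP so you can tell which AP a login came from
nas_identifier=ap-upstairs
```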
Comments
Dear Firewalla Team
Just wanted to note here that I really like the addition of the RADIUS server for 3rd-party APs. As you can guess, replacing an existing setup of APs is not something that comes cheap, and any integration like the RADIUS server is a welcome addition.
Ideally, one could also set a VLAN per user; maybe this is something you could consider adding eventually?!
Once setting the VLAN per user is running, this would be a great option and I'll probably move over to it.
Also, any chance of generating certificates on the Firewalla and putting them on the device for certificate-based authentication (way down the road and a lot lower priority than connecting a user to a VLAN)?