Wi-Fi using Radius authentication will require credentials for each user where the credentials could also be tied into existing systems such as Active Directory for ease of use. Radius allows for authentication, authorization, and accounting (AAA) for organizations who use it. Deploying enterprise requires a Radius server, which some access points (Meraki, Ubiquiti) have running by default. WPA2-Enterprise was introduced to add additional security to WPA2 to allow for user auditing and eliminates the risk of shared passwords while using enhanced security methods.
However, there are other free solutions that some wireless access points have preinstalled and only require some configuring to enable.
Having a long password or passphrase and using WPA2-AES can be sufficient for smaller to medium sized organizations. If the password length is short, the bruteforce attack could be successful in a short amount of time. The attacker would attempt to recover the preshared key value (also known as the password used to connect to the wireless network) through a bruteforce attack which would attempt to guess what the password is at an extremely fast speed. Within the captured data, the encrypted preshared key would be obtained. Once deauthenticated, the attacker would capture the reconnection.
The primary issue with WPA2-AES apart from the encryption mode is that an attacker, if suitably positioned, can cause a client to deauthenticate from the wireless network. The reason TKIP is even offered is due to older legacy devices that may not be able to support the more secure encryption mode. By default, most configurations out of the box come with the more secure mode (AES). Within WPA2 there are two encryption modes (AES and TKIP) where one is more secure than the other. Today’s default algorithm is Wi-Fi Protected Access 2 (WPA2) which is also known as WPA2-Personal, and is the successor to two weaker standards (WPA and WEP). Out of the box configurations are common at organizations, and with today’s standards they’re mostly secure. Wireless Security: Default Configurations
While the weakest of configurations are seldom seen (e.g., Wired Equivalent Privacy (WEP) from 1999 to 2004), default configurations leave much to be desired, and can be improved without much overhead, especially if the software to support the more secure configuration has already been deployed. Wireless Security varies across organizations when it comes to secure deployments due to the size of the organization, budget constraints, or lack of subject matter experts.