Wi-Fi Security – WPA2, WPA3 & EAP

1. Why Wi-Fi Security Matters

Wireless networks transmit data through open air using radio frequencies — any device within range can receive those frames. Unlike wired networks where an attacker needs physical access to a cable, a wireless attacker needs only proximity. Without strong encryption and authentication, every packet you send over Wi-Fi is readable by anyone nearby with the right tools.

Wi-Fi security standards have evolved significantly since the late 1990s — from the completely broken WEP, through the interim WPA, to the widely deployed WPA2, and now to the modern WPA3. Each generation addressed weaknesses in its predecessor. Understanding what each standard does, why it was introduced, and what it protects against is a core CCNA wireless topic.

Standard | Year | Encryption | Key Exchange | Status
-------- | ---- | ---------- | ------------ | ------
WEP | 1999 | RC4 (stream cipher) | Static shared key | Broken — never use
WPA | 2003 | TKIP (RC4 with improvements) | PSK or 802.1X/EAP | Deprecated — avoid
WPA2 | 2004 | CCMP / AES-128 | PSK (4-way handshake) or 802.1X/EAP | Current standard
WPA3 | 2018 | CCMP / AES-128 or GCMP-256 | SAE (replaces PSK) or 802.1X/EAP-Suite-B | Recommended / modern


2. WEP — Wired Equivalent Privacy (Broken)

WEP (Wired Equivalent Privacy) was the original IEEE 802.11 security standard, introduced in 1999 with the goal of providing privacy equivalent to a wired network. It uses the RC4 stream cipher with a 40-bit or 104-bit static shared key. Despite its name, WEP was fundamentally broken and is now completely insecure.

Why WEP Is Broken

  WEP encryption weakness — IV reuse:

  WEP uses a 24-bit Initialization Vector (IV) prepended to the key:
  Effective key = IV (24 bits) + Static key (40 or 104 bits)

  Problem 1 — Short IV space:
  24 bits = only 16,777,216 possible IV values.
  On a busy network, IVs repeat within minutes to hours.
  RC4 is mathematically vulnerable when the same IV + key is reused.

  Problem 2 — Static key:
  The same shared key is used by ALL clients on the network.
  If one client is compromised, all traffic is exposed.
  No per-user keys, no per-session keys.

  Problem 3 — Weak integrity (CRC-32):
  WEP uses CRC-32 for integrity — a checksum, not a cryptographic MAC.
  An attacker can flip bits in the ciphertext and update the CRC
  without knowing the key → bit-flipping attacks succeed.

  Result: WEP can be cracked in under 60 seconds using tools like aircrack-ng,
  regardless of key length (40-bit or 104-bit). Key length is irrelevant.

WEP is never acceptable. No matter the configuration — 64-bit, 128-bit, or "dynamic" WEP — WEP must never be used on any network. The IEEE deprecated WEP in 2004. Any device or network still using WEP is critically vulnerable. The only correct action is to replace it with WPA2 or WPA3.
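
Added example (not from the original page): Problem 3 above, the difference between a checksum and a cryptographic MIC, reproduced with the Python standard library. A WEP-style receiver, with a constructed byte string standing in for the RC4 keystream, still accepts a frame whose encrypted payload and ICV were both edited using nothing but CRC-32's public linearity; a receiver using a keyed MIC (HMAC-SHA256 here, standing in for CCMP's AES CBC-MAC) rejects the same edit. KEYSTREAM and MAC_KEY are constructed values.

```python
import hashlib
import hmac
import zlib

# Constructed values: a fixed byte string stands in for the RC4 keystream a WEP key would
# generate, and MAC_KEY is the stand-in integrity key of the keyed-MIC variant.
KEYSTREAM = bytes((i * 73 + 19) & 0xFF for i in range(64))
MAC_KEY = b"constructed-integrity-key"
ICV_LEN = 4   # WEP ICV is a CRC-32
TAG_LEN = 8   # CCMP's MIC is 8 bytes; here produced by truncated HMAC-SHA256


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_is_affine(a: bytes, b: bytes) -> bool:
    """CRC-32 satisfies crc(a XOR b) == crc(a) XOR crc(b) XOR crc(zeros of the same length),
    so the checksum of an edited message is predictable from the edit alone."""
    zeros = bytes(len(a))
    return zlib.crc32(xor(a, b)) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(zeros)


def wep_style_send(plaintext: bytes) -> bytes:
    """WEP: append the CRC-32 ICV, then XOR (plaintext || ICV) with the keystream."""
    icv = zlib.crc32(plaintext).to_bytes(ICV_LEN, "little")
    return xor(plaintext + icv, KEYSTREAM)


def wep_style_receive(frame: bytes) -> bool:
    """Receiver decrypts and recomputes the ICV; True means the frame is accepted."""
    body = xor(frame, KEYSTREAM)
    plaintext, icv = body[:-ICV_LEN], body[-ICV_LEN:]
    return zlib.crc32(plaintext).to_bytes(ICV_LEN, "little") == icv


def mac_style_send(plaintext: bytes) -> bytes:
    """Keyed MIC over the plaintext, then encrypt. The tag depends on a secret key, so it
    cannot be adjusted by anyone who does not hold that key."""
    tag = hmac.new(MAC_KEY, plaintext, hashlib.sha256).digest()[:TAG_LEN]
    return xor(plaintext + tag, KEYSTREAM)


def mac_style_receive(frame: bytes) -> bool:
    body = xor(frame, KEYSTREAM)
    plaintext, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, plaintext, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(tag, expected)


def edit_in_transit(frame: bytes, delta: bytes, trailer_len: int) -> bytes:
    """Models a modification made to the ciphertext without the key or the plaintext:
    XOR `delta` into the encrypted payload and the CRC-derived correction
    crc(delta) XOR crc(zeros) into the encrypted trailer. Against a CRC trailer this
    keeps the ICV valid; against a keyed MIC the correction is meaningless."""
    n = len(frame) - trailer_len
    if len(delta) != n:
        raise ValueError("delta must cover the whole payload")
    fix = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))).to_bytes(ICV_LEN, "little")
    fix += bytes(trailer_len - ICV_LEN)   # pad when the trailer is longer than a CRC
    return xor(frame[:n], delta) + xor(frame[n:], fix)
```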

3. WPA — Wi-Fi Protected Access (Transitional)

WPA (Wi-Fi Protected Access) was introduced in 2003 as an emergency interim fix for WEP's fatal flaws, while IEEE 802.11i (which became WPA2) was still being finalised. WPA was designed to run on existing WEP hardware via a firmware update — a significant constraint that limited how much it could improve security.

WPA Improvements Over WEP

Feature | WEP | WPA
------- | --- | ---
Encryption cipher | RC4 (static IV) | TKIP — RC4 with per-packet key mixing and extended IV (48 bits)
IV length | 24 bits (reuse within minutes) | 48 bits (2⁴⁸ ≈ 281 trillion — IV reuse effectively eliminated)
Integrity check | CRC-32 (not cryptographic) | MIC — Message Integrity Check (Michael) — cryptographic
Key management | Static shared key for all clients | Per-session keys derived from PSK or 802.1X via 4-way handshake
Authentication | Shared key only | PSK (Pre-Shared Key) or 802.1X/EAP

WPA Limitations

WPA's TKIP is still based on RC4, which is a weak cipher by modern standards. TKIP was later found to have vulnerabilities (including the TKIP MIC failure attack). WPA is deprecated and should not be used in new deployments. WPA2 replaced it in 2004.

4. WPA2 — The Current Mainstream Standard

WPA2, ratified in 2004 and based on IEEE 802.11i, is the first Wi-Fi security standard to use AES (Advanced Encryption Standard) — a fundamentally stronger cipher than RC4. WPA2 replaces TKIP with CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol), which provides both strong encryption and cryptographic integrity.

WPA2 comes in two modes depending on the deployment context: WPA2-Personal (for homes and small offices) and WPA2-Enterprise (for corporate environments requiring per-user authentication). See WPA / WPA2 / WPA3 Comparison for a full feature breakdown.

  WPA2 encryption core:

  CCMP (Counter Mode CBC-MAC Protocol):
  ┌─────────────────────────────────────────────────────────────┐
  │  Cipher:      AES (Advanced Encryption Standard)            │
  │  Key length:  128 bits                                      │
  │  Mode:        CTR (Counter Mode) for encryption             │
  │               CBC-MAC for integrity / authentication        │
  │  Block size:  128 bits                                      │
  └─────────────────────────────────────────────────────────────┘
  AES-CCMP is a FIPS 140-2 approved cipher — used by US government
  and military. Considered computationally secure against brute force.

4.1 WPA2-Personal (PSK Mode)

WPA2-Personal uses a Pre-Shared Key (PSK) — a passphrase configured on the access point and on every client device. The PSK is never transmitted over the air. Instead, both the AP and the client use the PSK, the SSID, and random nonces to derive a Pairwise Master Key (PMK), which feeds into the 4-Way Handshake to generate per-session Pairwise Transient Keys (PTKs).

  WPA2-Personal 4-Way Handshake (simplified):

  Client                                   Access Point (AP)
  ──────                                   ────────────────
                        ◄── Message 1: ANonce (AP random nonce)

  Client derives PTK using:
  PTK = PRF(PMK + ANonce + SNonce + AP MAC + Client MAC)

  SNonce (client nonce) ──────────────────────────►  Message 2 + MIC

                   AP verifies MIC, derives same PTK
                   ◄── Message 3: GTK (Group Temporal Key) + MIC

  Client installs PTK and GTK ──────────────────────►  Message 4: ACK

  Session keys installed on both sides — encrypted data transfer begins.

  PTK: Pairwise Transient Key — unique per client per session (unicast)
  GTK: Group Temporal Key — shared for broadcast/multicast frames

WPA2-Personal Vulnerability — KRACK and Dictionary Attacks

WPA2-Personal weaknesses:
1. Dictionary / brute-force attacks: If the PSK is weak (a common word or short passphrase), an attacker can capture the 4-Way Handshake and perform an offline brute-force attack using tools like hashcat. A strong, random passphrase (20+ characters) significantly reduces this risk.
2. KRACK (Key Reinstallation Attack, 2017): A vulnerability in the 4-Way Handshake that allowed nonce reuse under certain conditions. Patched on most modern devices — but unpatched legacy devices remain vulnerable.
3. No forward secrecy: If the PSK is ever compromised, all past sessions that were recorded can potentially be decrypted.
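
Added example (not from the original page): the WPA2-Personal key derivation of section 4.1 in Python, standard library only. It shows that the PMK depends only on the passphrase and SSID and is therefore identical for every session, that the PTK changes with each handshake's nonces, and that a passphrase learned later, combined with the nonces and MAC addresses recorded from an old handshake, reproduces that session's TK, which is the "no forward secrecy" point in item 3 above (SAE avoids this by producing a fresh PMK per authentication). The passphrase/SSID pair "password"/"IEEE" is the PBKDF2 test vector published in IEEE 802.11; the MAC addresses are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample values. "password"/"IEEE" is the PBKDF2 test vector published in
# IEEE 802.11 (Annex H); the MAC addresses are arbitrary.
SSID = "IEEE"
PASSPHRASE = "password"
AP_MAC = bytes.fromhex("a0a1a1a3a4a5")    # Authenticator Address (AA)
STA_MAC = bytes.fromhex("b0b1b2b3b4b5")   # Supplicant Address (SPA)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    It depends only on the passphrase and SSID, so every session of every client that
    knows the passphrase starts from the same PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_80211(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || counter)
    for counter = 0, 1, ... until nbytes have been produced."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    For CCMP the 48 bytes split into KCK (MIC key for handshake messages),
    KEK (wraps the GTK in Message 3) and TK (the AES-CCMP data key)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_80211(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def run_handshake(pmk: bytes) -> tuple:
    """One session: AP sends ANonce (Message 1), client sends SNonce (Message 2), both
    derive the PTK. Returns the two nonces, which travel in cleartext, and the resulting TK."""
    anonce = os.urandom(32)
    snonce = os.urandom(32)
    tk = derive_ptk(pmk, AP_MAC, STA_MAC, anonce, snonce)["tk"]
    return anonce, snonce, tk


def recorded_session_exposed(passphrase: str, ssid: str,
                             anonce: bytes, snonce: bytes, tk: bytes) -> bool:
    """The 'no forward secrecy' property: a passphrase learned after the fact, combined with
    the nonces and MAC addresses recorded from an old handshake, reproduces that session's TK."""
    pmk = derive_pmk(passphrase, ssid)
    return derive_ptk(pmk, AP_MAC, STA_MAC, anonce, snonce)["tk"] == tk
```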

4.2 WPA2-Enterprise (802.1X/EAP Mode)

WPA2-Enterprise replaces the shared PSK with 802.1X/EAP authentication — each user authenticates individually with unique credentials (username/password, certificate, or smart card) via a RADIUS server. This eliminates the single shared secret that makes WPA2-Personal less suitable for corporate environments. See AAA Authentication Methods for the full AAA framework.

  WPA2-Enterprise authentication architecture:

  [Wireless Client]  ←─── 802.1X / EAP ──→  [AP (Authenticator)]
                                                      │
                                                 RADIUS (UDP 1812)
                                                      │
                                             [RADIUS Server (AS)]
                                         (Active Directory, Cisco ISE,
                                          FreeRADIUS, etc.)

  Roles:
  Supplicant:    The wireless client requesting access
  Authenticator: The AP (or WLC) — forwards EAP messages between
                 client and RADIUS server; enforces access decision
  Authentication Server (AS): RADIUS server — validates credentials
                               and returns Accept or Reject

  Benefit: Each user has unique credentials — no shared secret.
  A compromised user account can be revoked without changing the
  password for every device on the network.

Feature | WPA2-Personal (PSK) | WPA2-Enterprise (802.1X)
------- | ------------------- | ------------------------
Authentication credentials | Single shared passphrase for all users | Per-user credentials (username/password or certificate)
Infrastructure required | AP only — no additional servers | RADIUS server + (optionally) PKI/CA for certificates. See AAA Local vs RADIUS.
Scalability | Poor — changing the key requires reconfiguring every device | Excellent — add/remove users on RADIUS without touching APs
Rogue client risk | High — anyone who knows the PSK can join | Low — each user authenticates individually
Typical deployment | Home networks, small offices, guest Wi-Fi | Enterprise, universities, government
Complexity | Simple | Complex — requires RADIUS infrastructure. See AAA Overview.

5. WPA3 — Modern Security Improvements

WPA3, announced by the Wi-Fi Alliance in 2018, addresses the remaining weaknesses in WPA2. It comes in two modes — WPA3-Personal and WPA3-Enterprise — and introduces significant improvements in both authentication and encryption. See WPA / WPA2 / WPA3 Comparison for the full side-by-side breakdown.

5.1 WPA3-Personal — SAE Replaces PSK

WPA3-Personal replaces the WPA2 4-Way Handshake PSK exchange with SAE (Simultaneous Authentication of Equals), also known as Dragonfly (defined in IEEE 802.11s and RFC 7664). SAE is a password-authenticated key exchange protocol that provides several critical improvements over WPA2-PSK.

  SAE vs WPA2-PSK key differences:

  WPA2-PSK:
  ├─ PSK is used directly in PMK derivation
  ├─ 4-Way Handshake can be captured and attacked offline
  ├─ Weak passphrase → crackable with GPU brute force
  └─ No forward secrecy: captured handshakes decryptable if PSK found

  WPA3-SAE (Simultaneous Authentication of Equals):
  ├─ Uses a Diffie-Hellman-style key exchange with the password as input
  ├─ Each authentication generates a FRESH PMK — even with the SAME password
  ├─ No handshake material is transmitted that enables offline cracking
  ├─ Forward secrecy: past sessions cannot be decrypted even if password
  │  is later revealed
  └─ Provides equal standing: neither client nor AP has more power in
     the exchange — mutual authentication

5.2 WPA3-Enterprise

WPA3-Enterprise retains 802.1X/EAP for authentication but strengthens the cryptographic suite:

Feature | WPA2-Enterprise | WPA3-Enterprise
------- | --------------- | ---------------
Encryption | CCMP-128 (AES-128) | CCMP-128 (standard) or GCMP-256 (192-bit security mode)
Authentication | 802.1X / EAP | 802.1X / EAP (same) with stricter cipher requirements
Management Frame Protection | Optional (PMF) | Mandatory — protects deauth/disassoc frames from spoofing
192-bit mode | Not available | Available — uses GCMP-256, HMAC-SHA-384, ECDH/ECDSA P-384

5.3 WPA3 Key Features Summary

Feature | WPA3 Improvement
------- | ----------------
SAE (Dragonfly) | Replaces PSK 4-Way Handshake; eliminates offline dictionary attacks; provides forward secrecy
Forward Secrecy | Each session generates unique keys — past sessions cannot be decrypted even if the password is later compromised
PMF — Protected Management Frames | Mandatory in WPA3 — encrypts and authenticates management frames (deauthentication, disassociation) to prevent spoofed deauth attacks used to kick clients off the network
Enhanced Open (OWE) | Opportunistic Wireless Encryption for open (no-password) networks — provides per-session encryption even without authentication, replacing completely open WPA2 hotspots
192-bit Security Mode | Available in WPA3-Enterprise for high-security environments (government, financial) — uses GCMP-256 and Suite-B cryptographic algorithms

CCNA exam tip: WPA3's most important improvements are SAE (replaces PSK — prevents offline cracking), Forward Secrecy (past sessions protected even if password is compromised), and mandatory PMF (prevents spoofed deauthentication attacks). These three are the most commonly tested WPA3 distinctions. See WPA / WPA2 / WPA3 Comparison.

6. EAP — Extensible Authentication Protocol

EAP (Extensible Authentication Protocol), defined in RFC 3748, is the authentication framework used in WPA2/WPA3-Enterprise and 802.1X. EAP itself is not an authentication method — it is a flexible framework that supports many different authentication methods (called EAP types or EAP methods), each with different credential requirements and security characteristics.

EAP messages between the wireless client (supplicant) and the RADIUS server are transported by the AP (authenticator), which encapsulates them in RADIUS packets. The AP does not see or process the EAP credentials — it is purely a passthrough. See AAA Authentication Methods for the broader authentication context.

  EAP message flow overview:

  Supplicant             Authenticator (AP/WLC)         RADIUS Server
  (client)               ──────────────────             ─────────────
       │                         │                             │
       │ EAP-Request (Identity)  │                             │
       │◄────────────────────────│                             │
       │                         │                             │
       │ EAP-Response (Identity) │                             │
       │─────────────────────────►                             │
       │                         │ RADIUS Access-Request       │
       │                         │────────────────────────────►│
       │                         │                             │
       │                         │ RADIUS Access-Challenge     │
       │                         │◄────────────────────────────│
       │ EAP-Request (method)    │                             │
       │◄────────────────────────│                             │
       │ EAP-Response (creds)    │                             │
       │─────────────────────────►                             │
       │                         │ RADIUS Access-Request       │
       │                         │────────────────────────────►│
       │                         │                             │
       │                         │ RADIUS Access-Accept + keys │
       │                         │◄────────────────────────────│
       │ EAP-Success             │                             │
       │◄────────────────────────│                             │
       │                         │                             │
  Client derives session keys — WPA2/3 4-Way Handshake proceeds
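
Added example (not from the original page or any vendor's code): the first RADIUS Access-Request in the flow above, built the way the authenticator (AP/WLC) builds it and checked the way the RADIUS server checks it. The EAP-Response/Identity frame is copied into EAP-Message attributes (RFC 2869), and the packet is integrity-protected by a Message-Authenticator attribute, an HMAC-MD5 keyed with the RADIUS shared secret that RFC 3579 requires on any Access-Request carrying EAP. The shared secret, identity and Request Authenticator are constructed values.

```python
import hashlib
import hmac
import struct

# RADIUS (RFC 2865), EAP-Message / Message-Authenticator (RFC 2869), RADIUS-EAP (RFC 3579)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
RADIUS_HEADER_LEN = 20

SHARED_SECRET = b"constructed-radius-secret"   # constructed; configured on both AP and server


def eap_response_identity(eap_id: int, identity: str) -> bytes:
    """EAP packet: Code(1) Identifier(1) Length(2) Type(1) Type-Data (RFC 3748)."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def attr(atype: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type(1) Length(1, counting the 2 header bytes) Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value is limited to 253 bytes")
    return bytes([atype, 2 + len(value)]) + value


def build_access_request(identifier: int, request_auth: bytes, username: str,
                         eap: bytes, secret: bytes) -> bytes:
    """What the authenticator sends: the EAP frame is copied into EAP-Message attribute(s)
    and the whole packet is covered by Message-Authenticator, an HMAC-MD5 keyed with the
    shared secret and computed with the Message-Authenticator value set to 16 zero bytes."""
    attrs = attr(ATTR_USER_NAME, username.encode())
    for i in range(0, len(eap), 253):                     # long EAP frames span several attributes
        attrs += attr(ATTR_EAP_MESSAGE, eap[i:i + 253])
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))   # zero placeholder, last attribute
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, RADIUS_HEADER_LEN + len(attrs))
    packet = header + request_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def iter_attrs(packet: bytes):
    """Yield (type, offset_of_value, value) per attribute, rejecting malformed lengths."""
    pos = RADIUS_HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("bad attribute length")
        yield atype, pos + 2, packet[pos + 2:pos + alen]
        pos += alen


def verify_access_request(packet: bytes, secret: bytes) -> bool:
    """Server side: recompute the HMAC-MD5 with the Message-Authenticator value zeroed.
    An Access-Request carrying EAP-Message without it must be rejected (RFC 3579 3.2)."""
    if len(packet) < RADIUS_HEADER_LEN:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    try:
        for atype, off, value in iter_attrs(packet):
            if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
                zeroed = packet[:off] + bytes(16) + packet[off + 16:]
                expected = hmac.new(secret, zeroed, hashlib.md5).digest()
                return hmac.compare_digest(value, expected)
    except ValueError:
        return False
    return False


def extract_eap_identity(packet: bytes) -> str:
    """Reassemble EAP-Message fragments and return the identity of an EAP-Response/Identity."""
    eap = b"".join(v for t, _, v in iter_attrs(packet) if t == ATTR_EAP_MESSAGE)
    if len(eap) < 5:
        raise ValueError("no EAP-Message payload")
    code, _eid, length = struct.unpack("!BBH", eap[:4])
    if code != EAP_RESPONSE or eap[4] != EAP_TYPE_IDENTITY or length != len(eap):
        raise ValueError("not an EAP-Response/Identity")
    return eap[5:].decode()
```

The outer identity travels in cleartext both in the 802.1X frame and in this RADIUS attribute, which is why PEAP and EAP-TTLS deployments commonly configure an anonymous outer identity and send the real username only inside the TLS tunnel.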

7. EAP Types — PEAP, EAP-TLS, EAP-TTLS, LEAP, EAP-FAST

Different EAP methods vary in what credentials they use, whether they require a server-side certificate, a client-side certificate, or both, and how strongly they protect credentials in transit. The following are the most important EAP types for the CCNA exam and enterprise deployments.

7.1 PEAP — Protected EAP

PEAP (Protected EAP) is the most widely deployed EAP method in enterprise Wi-Fi. It creates an encrypted TLS tunnel between the client and the RADIUS server using only a server-side certificate (the client does not need a certificate). Inside the tunnel, credentials are exchanged using a simpler inner authentication method — most commonly MSCHAPv2 (username and password).

  PEAP authentication flow:

  Phase 1 — TLS tunnel establishment:
  Client validates server certificate (from RADIUS/CA)
  → Encrypted TLS tunnel is established

  Phase 2 — Inner authentication (inside the tunnel):
  Client sends username + password (via MSCHAPv2)
  RADIUS server validates against Active Directory / user database
  → Access-Accept returned if valid

  Credentials: Username + password (client), Certificate (server only)
  Infrastructure: RADIUS server certificate from a trusted CA
  Common use: Windows domain environments with Active Directory

7.2 EAP-TLS — Mutual Certificate Authentication

EAP-TLS is the most secure EAP method. Both the RADIUS server and the client must present valid digital certificates. There is no password involved — authentication is purely certificate-based. This requires a full PKI (Public Key Infrastructure) to issue and manage client certificates for every device.

  EAP-TLS mutual authentication:

  Client ──────── presents client certificate ────────► RADIUS Server
  Client ◄─────── presents server certificate ─────────  RADIUS Server

  Both sides validate each other's certificates.
  No username/password is used.

  Pros: Strongest available — certificate-based, no password to steal
  Cons: Requires PKI; client certificates must be issued and managed
        for every device — high operational overhead
  Use:  High-security environments (government, financial, healthcare)

7.3 EAP-TTLS — Tunnelled TLS

EAP-TTLS (Tunnelled TLS) is similar to PEAP — it creates a TLS tunnel using a server certificate and performs inner authentication inside. The difference is that EAP-TTLS supports a wider range of inner authentication methods (PAP, CHAP, MSCHAPv2, EAP, etc.) and is more flexible across different operating systems. It is popular in Linux/non-Windows environments.

7.4 LEAP — Lightweight EAP (Cisco Proprietary — Deprecated)

LEAP was Cisco's proprietary EAP method, introduced before PEAP/EAP-TLS were standardised. It uses MS-CHAPv1 for mutual authentication but has serious vulnerabilities — it is susceptible to offline dictionary attacks (ASLEAP attack). LEAP is deprecated and should never be used in new deployments.

7.5 EAP-FAST — Flexible Authentication via Secure Tunnelling

EAP-FAST was developed by Cisco as a replacement for LEAP. It uses a PAC (Protected Access Credential) — a shared secret provisioned to the client — to establish a TLS tunnel without requiring a certificate. It was designed for environments where deploying certificates is not practical. EAP-FAST is secure but less commonly encountered than PEAP today.

EAP Method | Server Cert? | Client Cert? | Client Credentials | Security Level | Status
---------- | ------------ | ------------ | ------------------ | -------------- | ------
PEAP | Yes | No | Username + password (MSCHAPv2) | High | Current — widely used
EAP-TLS | Yes | Yes | Client certificate (no password) | Highest | Current — highest security
EAP-TTLS | Yes | No | Username + password (flexible inner method) | High | Current — common on Linux
EAP-FAST | No (PAC used) | No | Username + password (inside PAC tunnel) | High | Current — Cisco environments
LEAP | No | No | Username + password (MS-CHAPv1) | Low — vulnerable | Deprecated — never use

CCNA exam tip: For the CCNA, focus on these three: PEAP (server cert + username/password — most common), EAP-TLS (mutual certs — most secure, requires PKI), EAP-FAST (Cisco — uses PAC instead of certificate). Remember: LEAP = Cisco legacy = deprecated and insecure. See AAA Authentication Methods for the full context.

8. 802.1X Wireless Authentication — How It Works End to End

IEEE 802.1X is the port-based network access control standard that underpins WPA2/WPA3-Enterprise authentication. It defines the roles of supplicant, authenticator, and authentication server, and controls network access at the port level until authentication succeeds. See 802.1X Port Authentication Lab for hands-on configuration.

  802.1X wireless — full flow with WPA2-Enterprise:

  Step 1 — Client associates with the SSID (open association, not yet authed)
  Client ──────── 802.11 Association Request ────────────► AP

  Step 2 — AP opens a controlled port (only EAP traffic allowed)
  AP ──────── EAP-Request/Identity ───────────────────────► Client

  Step 3 — Client identifies itself
  Client ──── EAP-Response/Identity (username) ─────────► AP → RADIUS

  Step 4 — EAP method negotiation and credential exchange
  (PEAP: TLS tunnel built, MSCHAPv2 inside)
  (EAP-TLS: mutual certificates exchanged)
  Client ↔ AP (relay) ↔ RADIUS server

  Step 5 — RADIUS returns Access-Accept with PMK (key material)
  RADIUS ──── Access-Accept + MSK (Master Session Key) ──► AP

  Step 6 — AP sends EAP-Success to client
  AP ──────── EAP-Success ───────────────────────────────► Client

  Step 7 — WPA2/WPA3 4-Way Handshake
  Client ↔ AP derive PTK and GTK from MSK → encrypted data begins

  Step 8 — AP opens controlled port for all traffic
  Client can now send/receive normal network traffic.

802.1X Port States

Port State | Traffic Allowed | When
---------- | --------------- | ----
Unauthorised | EAP/802.1X only — no data traffic | Before authentication completes
Authorised | All traffic permitted (based on RADIUS policy) | After successful authentication

RADIUS server options: Common RADIUS server implementations for 802.1X wireless include: Cisco ISE (Identity Services Engine), Microsoft NPS (Network Policy Server — integrates with Active Directory), and FreeRADIUS (open source). The RADIUS server typically validates credentials against a directory service (Active Directory, LDAP) and can return additional authorisation attributes such as VLAN assignment. See AAA Local vs RADIUS for configuration details.

9. Additional Wireless Security Mechanisms

9.1 SSID Hiding (Not a Security Control)

Some administrators disable SSID broadcasting so the network name does not appear in client scan results. This is not a security control — SSIDs are visible in probe requests and can be discovered in seconds with wireless sniffing tools like Wireshark. SSID hiding creates management overhead without providing meaningful protection.

9.2 MAC Address Filtering (Weak)

MAC address filtering allows only devices with pre-approved MAC addresses to associate with the AP. This provides a very low level of security — MAC addresses are transmitted unencrypted in 802.11 frames and can be trivially spoofed by any attacker with a wireless adapter. It is useful only as an additional layer alongside strong WPA2/WPA3 — never as a primary security mechanism.

9.3 PMF — Protected Management Frames (802.11w)

PMF (Protected Management Frames), defined in IEEE 802.11w, encrypts and authenticates wireless management frames — specifically deauthentication and disassociation frames. Without PMF, an attacker can send spoofed deauthentication frames to disconnect clients from the network (a deauth attack, commonly used as part of WPA2 handshake capture). PMF makes these attacks ineffective.

Standard | PMF Status
-------- | ----------
WPA2 | Optional — can be set to Disabled, Optional, or Required
WPA3 | Mandatory — always enabled, cannot be disabled

9.4 Wireless Intrusion Prevention System (WIPS)

A WIPS monitors the RF environment for rogue access points, ad-hoc networks, and wireless attacks. It can automatically contain rogue APs by sending deauthentication frames (in coordination with a WLC) to disconnect clients from unauthorised networks. Cisco's WLC supports WIPS functionality through its CleanAir and Rogue Management features.

9.5 Guest WLAN Isolation

Guest Wi-Fi networks should be isolated from the corporate LAN using a separate VLAN, firewall policy, or client isolation feature on the AP/WLC. This prevents guest devices from accessing internal resources. See: Guest WLAN & WebAuth Lab

10. Comparing All Wi-Fi Security Standards

Standard | Encryption | Auth (Personal) | Auth (Enterprise) | Forward Secrecy | PMF | Use Today?
-------- | ---------- | --------------- | ----------------- | --------------- | --- | ----------
WEP | RC4 (broken) | Static key | None | No | No | Never
WPA | TKIP/RC4 | PSK (4-way handshake) | 802.1X/EAP | No | No | No — deprecated
WPA2-Personal | CCMP/AES-128 | PSK (4-way handshake) | n/a | No | Optional | Yes — home/SMB
WPA2-Enterprise | CCMP/AES-128 | n/a | 802.1X/EAP | No | Optional | Yes — corporate
WPA3-Personal | CCMP/AES-128 | SAE (Dragonfly) | n/a | Yes | Mandatory | Recommended
WPA3-Enterprise | CCMP-128 or GCMP-256 | n/a | 802.1X/EAP (Suite-B) | Yes | Mandatory | Recommended

  Quick selection guide — which security mode to use:

  Home network / small office with no RADIUS server?
  → WPA3-Personal (SAE) if all devices support it
  → WPA2-Personal (PSK + AES) if legacy devices require it
  → Use a strong random passphrase (20+ characters)
  → Never use WEP or WPA/TKIP

  Corporate network with Active Directory / user management?
  → WPA3-Enterprise or WPA2-Enterprise (802.1X)
  → Use PEAP-MSCHAPv2 for username/password (simpler deployment)
  → Use EAP-TLS for certificate-based (highest security)
  → Deploy RADIUS server (Cisco ISE, Microsoft NPS, FreeRADIUS)

  Guest / public hotspot?
  → WPA3-Personal with separate VLAN
  → Or WPA3 Enhanced Open (OWE) if supported
  → Enable client isolation to prevent guest-to-guest attacks
  → Captive portal / WebAuth for acceptable-use policy


Test Your Knowledge — Wi-Fi Security Quiz

1. Why is WEP considered completely broken and unsuitable for use, regardless of key length?

Correct answer is B. WEP's fatal flaw is its 24-bit Initialization Vector (IV). With only ~16.7 million possible IVs, on a busy network IVs repeat within minutes. When two packets share the same IV and key, the RC4 keystream is identical — and mathematical analysis of the ciphertext reveals the key. Tools like aircrack-ng can crack WEP in under 60 seconds using this weakness. Key length (64-bit vs 128-bit) does not protect against this attack. See WPA / WPA2 / WPA3 Comparison for how later standards addressed these flaws.

2. What encryption cipher does WPA2 use, and why is it considered significantly stronger than WEP/WPA?

Correct answer is C. WPA2 uses CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) based on AES-128. AES is a block cipher (not a stream cipher like RC4) that is FIPS 140-2 approved and considered computationally secure. TKIP (used by WPA) is still RC4-based. SAE is WPA3's key exchange mechanism, not an encryption cipher. See WPA / WPA2 / WPA3 Comparison.

3. What is the main difference between WPA2-Personal and WPA2-Enterprise authentication?

Correct answer is A. WPA2-Personal uses a Pre-Shared Key (PSK) — the same password for all users. WPA2-Enterprise uses 802.1X with EAP — each user authenticates with individual credentials (username/password or certificate) validated by a RADIUS server. This means in Enterprise mode, revoking a single user's access is as simple as disabling their account — no need to change the wireless password on every device. See AAA Authentication Methods and 802.1X Authentication.

4. What is SAE in WPA3, and what specific WPA2 vulnerability does it address?

Correct answer is D. SAE (Simultaneous Authentication of Equals), also called Dragonfly, is WPA3-Personal's replacement for the WPA2 PSK 4-Way Handshake. In WPA2-PSK, the handshake can be captured and subjected to offline brute-force attacks. SAE uses a Diffie-Hellman-based exchange where even capturing the authentication exchange yields nothing useful for offline cracking. Each session gets a unique PMK, providing forward secrecy. See WPA / WPA2 / WPA3 Comparison.

5. Which EAP method requires digital certificates on BOTH the client and the RADIUS server?

Correct answer is B. EAP-TLS is the only common EAP method that requires certificates on both the RADIUS server and every client device. This makes it the most secure EAP method — no passwords that can be guessed or stolen — but also the most operationally complex, requiring a full PKI to issue and manage client certificates. PEAP only requires a server certificate; EAP-FAST uses a PAC (not a certificate) on the client side. See AAA Authentication Methods.

6. What is PMF (Protected Management Frames), and why is it mandatory in WPA3 but only optional in WPA2?

Correct answer is C. Without PMF (defined in IEEE 802.11w), an attacker can inject spoofed deauthentication or disassociation frames into the wireless channel — the AP or client has no way to verify they are legitimate. This forces clients off the network (deauth attack) and is commonly used to capture WPA2 4-Way Handshakes for offline cracking. PMF cryptographically signs management frames so spoofed frames are rejected. WPA2 made PMF optional; WPA3 made it mandatory — closing this attack vector entirely. See WPA / WPA2 / WPA3 Comparison.

7. Which wireless authentication architecture involves a Supplicant, Authenticator, and Authentication Server?

Correct answer is D. IEEE 802.1X defines the three-party architecture: the Supplicant (wireless client requesting access), the Authenticator (the AP or WLC — controls port access, relays EAP messages to the RADIUS server), and the Authentication Server (RADIUS server — validates credentials and returns Accept/Reject). The Authenticator never processes credentials directly — it is a transparent relay between client and RADIUS. See AAA Overview.

8. Which certificate(s) are required for PEAP authentication?

Correct answer is D. PEAP requires only a server-side certificate (on the RADIUS server) to establish the TLS tunnel. The client does not need a certificate — it authenticates inside the encrypted tunnel using a username and password (via MSCHAPv2). This makes PEAP much simpler to deploy than EAP-TLS (which requires client certificates on every device) while still protecting credentials from eavesdropping. See AAA Local vs RADIUS for deployment context.

9. Why is SSID hiding (disabling SSID broadcast) NOT considered an effective wireless security control?

Correct answer is B. Even with SSID broadcast disabled, the SSID appears in plaintext in 802.11 probe request frames (sent by clients looking for the network) and probe response frames. Any passive wireless capture tool (Wireshark, Kismet, airodump-ng) will display hidden SSIDs within seconds of a client connecting. SSID hiding adds configuration complexity without any meaningful security benefit — it is considered security through obscurity.

10. An enterprise deploys WPA2-Enterprise with PEAP. A user's account is compromised. What action removes that user's wireless access without affecting other users?

Correct answer is C. This illustrates the key operational advantage of WPA2/WPA3-Enterprise over Personal mode. Because each user has individual credentials validated by the RADIUS server against a directory (Active Directory, LDAP), disabling a single user account immediately prevents that user from re-authenticating — with zero impact on other users. In WPA2-Personal, you would have to change the PSK on every AP and every client device. See: AAA Local vs RADIUS
