⚡ Wireless Security in One Paragraph
Wireless security protocols protect Wi-Fi traffic from eavesdropping and unauthorised access. They have evolved from the completely broken WEP (1997) through the transitional WPA (2003) and widely deployed WPA2 (2004) to the current standard WPA3 (2018). Each protocol comes in two modes: Personal (pre-shared key — for homes and small offices) and Enterprise (802.1X with a RADIUS server — for corporate environments, providing per-user authentication). The exam tests which protocol to recommend, which is insecure, and how 802.1X/EAP authentication works.
WEP → WPA → WPA2 → WPA3 — The Evolution
WEP
Introduced 1997
Completely Broken
Encryption: RC4 stream cipher · 64-bit or 128-bit key · Static key
Wired Equivalent Privacy — the original 802.11 security protocol. Uses RC4 with a static pre-shared key and a flawed IV (Initialization Vector) implementation. IVs repeat after ~16 million packets, allowing attackers to collect enough traffic to crack the key in minutes using freely available tools. Never use WEP under any circumstances — it provides no meaningful security.
Exam note: WEP is always the wrong answer when asked which protocol to use. It's the correct answer when asked which protocol is completely broken and should never be used. The IV flaw is the specific weakness to remember.
WPA
Introduced 2003
Deprecated
Encryption: TKIP (Temporal Key Integrity Protocol) · Still RC4 underneath
Wi-Fi Protected Access — a transitional fix designed to work on existing WEP hardware via firmware updates. Replaced WEP's static key with TKIP, which generates a new key for each packet, fixing the IV reuse problem. Still uses RC4 underneath, and TKIP itself has been broken. WPA is better than WEP but is no longer considered secure and was officially deprecated in 2012.
Exam note: WPA = TKIP. WPA is transitional and deprecated. Still better than WEP but not acceptable for any new deployment.
WPA2
Introduced 2004
Current Standard
Encryption: AES-CCMP (Counter Mode CBC-MAC Protocol) · 128-bit key
The current widely deployed standard. Replaced RC4/TKIP with AES encryption using CCMP — a fundamentally stronger cipher. WPA2 has been the mandatory minimum for Wi-Fi certification since 2006. Known vulnerability: the KRACK attack (Key Reinstallation Attack, 2017) affects WPA2 in certain implementations — mitigated by patches. WPA2 remains acceptable if WPA3 is unavailable, especially in Enterprise mode.
Exam note: WPA2 = AES/CCMP. This is the key fact — AES is what makes WPA2 significantly more secure than WPA (TKIP/RC4). CCMP is the specific mode of AES used.
WPA3
Introduced 2018
Recommended
Encryption: AES-GCMP-256 (192-bit in WPA3-Enterprise) · SAE replaces PSK
The current recommended standard. Key improvements over WPA2: SAE (Simultaneous Authentication of Equals) replaces the PSK handshake — eliminates offline dictionary attacks against captured handshakes. Forward secrecy — each session uses unique keys, so past traffic can't be decrypted if the password is later compromised. Stronger encryption — 192-bit security in Enterprise mode. Enhanced Open — encrypts open (no-password) networks using OWE (Opportunistic Wireless Encryption).
Exam note: WPA3 key features: SAE (replaces PSK, prevents offline cracking), forward secrecy, 192-bit enterprise mode, OWE for open networks. SAE is also called "Dragonfly handshake."
⚡ The encryption association the exam tests
WEP = RC4 (static key, broken IVs) — completely insecure, never use.
WPA = TKIP — transitional, deprecated, still RC4 underneath.
WPA2 = AES/CCMP — current standard, strong encryption, acceptable.
WPA3 = AES-GCMP + SAE — recommended, forward secrecy, no offline dictionary attacks.
The exam will often list all four and ask which provides the highest security or which should be used for a new enterprise deployment. The answer is always WPA3. If WPA3 isn't available, WPA2 Enterprise.
Personal vs Enterprise Mode
Both WPA2 and WPA3 come in two authentication modes with fundamentally different authentication mechanisms:
| Feature | Personal (PSK) | Enterprise (802.1X) |
|---|---|---|
| Authentication | Pre-Shared Key (PSK) — everyone uses the same password to connect to the network | 802.1X with a RADIUS server — each user authenticates with their own credentials |
| Who it's for | Homes, small offices — simple, no infrastructure required | Corporate environments — provides per-user accountability and access control |
| Key weakness | Single shared password — if compromised, all users must update their devices. No per-user audit trail. | Complex to deploy — requires RADIUS server, certificates (for EAP-TLS) |
| WPA2 name | WPA2-Personal | WPA2-Enterprise |
| WPA3 upgrade | WPA3-Personal uses SAE instead of PSK — prevents offline dictionary attacks against captured handshakes | WPA3-Enterprise uses 192-bit AES-GCMP instead of 128-bit AES-CCMP |
| Exam recommendation | Home / SOHO networks only | Always recommended for corporate/enterprise deployments |
802.1X — Port-Based Network Access Control
802.1X is an IEEE standard for port-based Network Access Control (NAC) — it requires devices to authenticate before being granted access to the network. Used in both wired (switch port authentication) and wireless (WPA2/WPA3 Enterprise) deployments. Three components make up the 802.1X framework:
| Role | What It Does | Real-World Example |
|---|---|---|
| Supplicant | The client device requesting access — must provide credentials | Laptop, smartphone, workstation connecting to Wi-Fi |
| Authenticator | The network device that enforces access — blocks unauthenticated traffic, forwards authentication traffic to the RADIUS server | Wireless Access Point (WAP) or managed switch |
| Authentication Server | Validates credentials and tells the authenticator whether to grant or deny access | RADIUS server (e.g. Microsoft NPS, Cisco ISE, FreeRADIUS) |
The authentication flow: Supplicant → Authenticator (AP) → RADIUS Server. The AP acts as a pass-through — it doesn't validate credentials itself, it forwards the authentication exchange to the RADIUS server and grants/denies access based on the response.
EAP Types — How Credentials Are Carried
EAP (Extensible Authentication Protocol) is the framework that carries authentication credentials inside 802.1X. Different EAP types provide different levels of security:
| EAP Type | How It Works | Security Level | Exam Note |
|---|---|---|---|
| EAP-TLS | Mutual certificate authentication — both the client AND the server present digital certificates. Most secure EAP type. | Highest — mutual authentication with certificates prevents MITM | Requires PKI infrastructure — certificates on every client device. Most complex to deploy but most secure. Ask the Security+ exam what the most secure EAP type is → EAP-TLS. |
| PEAP | Protected EAP — creates an encrypted TLS tunnel using a server certificate only, then sends username/password inside the tunnel. Client doesn't need a certificate. | Good — server authenticated by certificate, credentials protected by tunnel | Most common enterprise EAP type. Only server needs a certificate (cheaper to deploy than EAP-TLS). Client authenticates with username/password or MS-CHAPv2 inside the TLS tunnel. |
| EAP-TTLS | EAP Tunneled TLS — similar to PEAP. Creates a TLS tunnel using a server certificate, then sends credentials inside. Supports a wider range of inner authentication methods than PEAP. | Good — similar security to PEAP | More flexible than PEAP for inner authentication methods. Less common on Windows networks (PEAP is the Microsoft default). |
| EAP-FAST | EAP Flexible Authentication via Secure Tunneling — Cisco's replacement for LEAP. Uses a PAC (Protected Access Credential) instead of a server certificate to create the tunnel. | Good — no certificate required, but PAC management adds complexity | Cisco proprietary. Designed for environments where certificate infrastructure isn't available. PAC = the Cisco alternative to a server certificate for tunnel establishment. |
| LEAP | Lightweight EAP — Cisco proprietary, older. Uses MS-CHAP v1 for authentication — cryptographically weak. | Weak — deprecated, vulnerable to dictionary attacks | LEAP is the wrong answer. Cisco replaced it with EAP-FAST. Never recommended for new deployments. |
EAP-TLS vs PEAP — the key distinction
EAP-TLS: Both client and server have certificates. Mutual authentication. Most secure but most complex — requires PKI with certificates deployed to every client device.
PEAP: Only the server has a certificate. The server proves its identity to the client via certificate; the client proves its identity with username/password inside the encrypted TLS tunnel. Easier to deploy (no client certificates), nearly as secure if the server certificate is properly validated.
The exam asks: "Which EAP type requires certificates on both the client and the server?" → EAP-TLS. "Which EAP type requires only a server certificate?" → PEAP or EAP-TTLS.
Wireless Attacks
| Attack | How It Works | Defence |
|---|---|---|
| Evil Twin / Rogue AP | Attacker sets up a Wi-Fi access point with the same SSID as a legitimate network — users connect to the fake AP, allowing MITM interception of all traffic | 802.1X Enterprise (users authenticate to a RADIUS server, not just an SSID), wireless intrusion detection, certificate validation |
| Deauth Attack | Attacker sends forged 802.11 deauthentication frames (management frames are unauthenticated in WPA2) — disconnects clients from the AP, forcing them to reconnect. Captures the 4-way handshake for offline cracking. | WPA3 (Management Frame Protection — MFP/PMF required in WPA3, makes management frames authenticated) |
| WPA2 Handshake Capture + Offline Cracking | Attacker captures the 4-way WPA2 handshake (often by forcing deauth), then runs an offline dictionary or brute-force attack against the captured hash | Strong, random WPA2-PSK passphrase (20+ chars). Better: WPA3-Personal (SAE prevents offline cracking of captured handshakes) |
| WPS Brute Force (Pixie Dust) | Wi-Fi Protected Setup PIN is an 8-digit number with a design flaw — effectively only 11,000 combinations. Pixie Dust attack can crack it in seconds on vulnerable implementations. | Disable WPS entirely on all access points |
| Wardriving | Scanning for open or weakly secured wireless networks while driving — using tools like Kismet or inSSIDer to map available networks | Strong encryption (WPA2/WPA3), avoid broadcasting default SSIDs that identify equipment type |
| Jamming | RF interference that disrupts wireless communications — either deliberate (attacker) or unintentional (microwave ovens, baby monitors on 2.4 GHz) | Use 5 GHz or 6 GHz bands (less interference), frequency hopping, identify and eliminate interference sources |
Additional Wireless Security Controls
| Control | What It Does | Effectiveness |
|---|---|---|
| SSID Hiding | Disable SSID broadcast so the network doesn't appear in Wi-Fi scans | Security through obscurity — low. The SSID is still visible in probe requests and captured frames. Provides minor inconvenience, not real security. |
| MAC Filtering | Configure AP to only allow connections from specific MAC addresses | Low. MAC addresses are transmitted in plaintext and easily spoofed. Provides minor inconvenience to unsophisticated attackers. |
| Guest Network Isolation | Separate VLAN/SSID for guest/untrusted devices — isolated from internal network resources | High value — prevents guest devices from accessing internal systems even if connected to Wi-Fi |
| Management Frame Protection (MFP) | Authenticates 802.11 management frames (required in WPA3) — prevents deauthentication attacks | High — eliminates deauth-based attack vectors. Mandatory in WPA3. |
| Wireless IDS/IPS | Monitors wireless spectrum for rogue APs, unusual frame patterns, deauth floods, and other attacks | High — detects evil twin, deauth attacks, and rogue APs in real time |
Exam Scenarios
💬 "A company is setting up Wi-Fi for 200 employees and needs per-user authentication with an audit trail. Which wireless security configuration should they use?" → WPA2-Enterprise or WPA3-Enterprise with 802.1X — each user authenticates individually through a RADIUS server, providing per-user access control and logging.
💬 "Which wireless protocol is completely broken and should never be used under any circumstances?" → WEP — flawed IV implementation allows the encryption key to be cracked in minutes with freely available tools regardless of key length.
💬 "A wireless network uses WPA2-Personal. A security consultant captures the 4-way handshake and is running an offline dictionary attack. Which protocol upgrade would prevent this attack?" → WPA3-Personal — SAE (Simultaneous Authentication of Equals) is specifically designed to prevent offline dictionary attacks against captured handshakes.
💬 "Which EAP type provides the highest security by requiring certificates on both the client and the authentication server?" → EAP-TLS — mutual certificate authentication. Both supplicant and RADIUS server present certificates, providing the strongest authentication of any EAP type.
💬 "A large enterprise wants to deploy 802.1X but doesn't have the infrastructure to deploy certificates to every client device. Which EAP type requires only a server certificate?" → PEAP — creates a TLS tunnel using only a server certificate, then carries username/password authentication inside the encrypted tunnel.
💬 "Users are reporting intermittent Wi-Fi disconnections. The wireless IDS shows a flood of deauthentication frames. What attack is occurring and how is it prevented?" → Deauthentication (deauth) attack — forged management frames force clients to disconnect. Prevention: WPA3 with Management Frame Protection (MFP/PMF), which authenticates management frames.
💬 "An administrator hides the SSID and enables MAC filtering on the access point. How effective are these controls?" → Both are low-effectiveness security controls. SSID hiding is defeated by passive capture of probe requests. MAC filtering is defeated by spoofing a whitelisted MAC address. Neither replaces strong encryption.
💬 "In an 802.1X deployment, what is the role of the access point?" → The authenticator — it passes authentication traffic between the supplicant (client) and the authentication server (RADIUS), but does not validate credentials itself. It enforces access based on the RADIUS server's response.
Studying for Security+?
See the study guides and practice exams that cover the full SY0-701 exam.