Chapter 79 Β· Concepts

Wireless Security Settings β€” Concept Maps

Side-by-side comparisons, structured breakdowns, and visual relationships for wireless security protocols, modes, and frameworks.

WPA2 vs WPA3 β€” Side-by-Side Comparison
PropertyWPA2 PSKWPA3 (Personal)
Encryption algorithmCCMP (AES-based)GCMP (AES + GMAC)
Integrity check (MIC)CCMP MICGMAC (part of GCMP)
Handshake mechanismFour-way handshakeSAE (Simultaneous Authentication of Equals)
Hash transmitted over air?Yes β€” attacker can capture and crack offlineNo β€” session key derived independently via Diffie-Hellman; never transmitted
Offline brute-force attack possible?Yes β€” GPU/cloud cracking with no lockoutNo β€” nothing to capture; no hash available for offline attack
Mutual authentication?No β€” only client authenticates to APYes β€” both sides prove knowledge of passphrase
Forward secrecy?No β€” PSK compromise exposes all past sessionsYes β€” unique session key per connection; past sessions safe
Management frame protectionOptional (802.11w)Mandatory (802.11w required)
Key size256-bit (derived from passphrase)256-bit (derived via SAE/Diffie-Hellman)
Three Wireless Security Modes β€” When to Use Each
ModeAuthenticationKey ManagementUse CaseKey Risk / Limitation
Open System None β€” any device connects No encryption Public hotspots where access is intentionally unrestricted Zero confidentiality; all traffic visible; must rely on application-layer encryption (HTTPS, VPN)
WPA3-Personal (PSK) Shared passphrase (all users share one key); SAE protects the handshake Single pre-shared key; unique session keys per SAE exchange Home networks; small offices; environments without RADIUS infrastructure Shared secret β€” if passphrase is compromised, all users are exposed; no per-user audit trail or individual access revocation
WPA3-Enterprise (802.1X) Individual credentials via RADIUS β€” username/password, certificates, or MFA token Unique key per user session; derived from RADIUS-based auth exchange Corporate networks requiring individual accountability, per-user access control, audit logs, and VLAN assignment Requires RADIUS infrastructure; more complex to deploy; certificate management overhead for EAP-TLS
AAA Framework β€” Four Sequential Steps
StepQuestion AnsweredMechanismExample in Wireless Context
Identification Who are you? (claim) User presents a username or identity Employee types their corporate username to connect to the WPA3-Enterprise network
Authentication Prove it Password, certificate, biometric, MFA token β€” validated by RADIUS against directory RADIUS verifies the password (or certificate) against Active Directory; returns Access-Accept or Access-Reject
Authorization What are you allowed to access? RADIUS returns authorization attributes: VLAN, bandwidth limits, session time, permitted resources After authentication, RADIUS assigns the user to VLAN 20 (engineering) rather than VLAN 30 (guest)
Accounting What did you do? (record) RADIUS logs session start time, end time, duration, data volume, assigned resources RADIUS accounting records show the user connected at 08:45, disconnected at 17:20, transferred 2.1 GB β€” useful for audit, billing, and anomaly detection
802.1X β€” Three Component Roles
RoleTypical DeviceFunctionWhat It Does NOT Do
Supplicant Client laptop, smartphone, or workstation Initiates authentication by presenting credentials; responds to authenticator challenges; completes EAP exchange Does not validate its own credentials; does not make access decisions
Authenticator Wireless access point (for Wi-Fi) or network switch (for wired 802.1X) Enforces port-level access control β€” blocks all traffic until authentication succeeds; passes EAP messages between supplicant and authentication server; opens the port on Access-Accept Does NOT validate credentials itself; acts as a relay/policy enforcement point, not a credential validator
Authentication Server RADIUS server (FreeRADIUS, Microsoft NPS, Cisco ISE) Receives forwarded authentication requests from the authenticator; validates credentials against directory (AD, LDAP); returns Access-Accept (with optional authorization attributes) or Access-Reject; performs accounting logging Does not enforce access directly β€” sends the decision back to the authenticator, which acts on it
WPA2 PSK Attack Flow vs. SAE Defense
StageWPA2 PSK (Vulnerable)WPA3 SAE (Protected)
Client associates with AP Four-way handshake occurs β€” hash of PSK + nonce transmitted in frame 2 SAE commit phase: both sides derive a shared value using Diffie-Hellman; no PSK hash transmitted
Attacker captures exchange Attacker captures the four-way handshake passively; leaves network; begins offline cracking Nothing useful to capture β€” no hash, no crackable value is transmitted
Offline cracking attempt Attacker runs dictionary + brute-force attack on captured hash; no lockout; GPU acceleration possible; cloud cracking services available No offline attack possible β€” the session key was derived independently, never transmitted; attacker has no starting material
Passphrase later compromised Attacker decrypts all previously recorded sessions β€” no forward secrecy Previously recorded sessions remain protected β€” each session used a unique derived key; forward secrecy maintained
EAP Methods Comparison
EAP MethodClient Certificate Required?Server Certificate Required?Security LevelCommon Use Case
EAP-TLS Yes β€” mutual TLS Yes Highest β€” both sides authenticated with certificates; no password involved High-security enterprise environments with PKI infrastructure; eliminates password-based auth entirely
PEAP (Protected EAP) No Yes β€” server cert creates TLS tunnel High β€” inner auth (usually MSCHAPv2) is protected inside TLS tunnel Most common enterprise deployment; uses password-based inner auth protected by server-cert TLS tunnel
EAP-TTLS No Yes β€” server cert creates TLS tunnel High β€” more flexible inner auth methods than PEAP Similar to PEAP but supports legacy or non-Microsoft inner auth methods