Wireless Security β Three Objectives
The three security goals that wireless configuration must address: confidentiality (encrypt data so intercepted traffic cannot be read), authentication (verify identity before granting network access), and integrity (detect modification or tampering with frames in transit, implemented via MIC).
WPA2 PSK (Pre-Shared Key)
Wi-Fi Protected Access 2 using a pre-shared key. All users share the same passphrase. The WPA2 four-way handshake transmits a hash derived from the PSK and a nonce during the authentication exchange. An attacker who captures this handshake can attempt to crack the PSK offline using brute-force or dictionary attacks β with no limit on attempt rate, no lockout, and no network interaction required. WPA2 PSK also lacks forward secrecy: if the PSK is compromised, all previously recorded sessions can be decrypted.
Four-Way Handshake
The WPA2 authentication exchange between a client and access point that establishes the session encryption key. The four frames exchanged include nonces from both parties and a MIC value derived from the PSK. An attacker passively capturing the four-way handshake can attempt offline brute-force against the hash to recover the PSK without interacting with the network. WPA3 replaces this mechanism with SAE.
WPA3 (Wi-Fi Protected Access 3)
The current Wi-Fi security standard, addressing the fundamental cryptographic weaknesses in WPA2. WPA3 uses GCMP for encryption and integrity, and SAE for the authentication handshake in Personal mode. Key improvements over WPA2: no hash is transmitted during handshake (eliminating offline brute-force), forward secrecy (unique per-session keys mean past sessions cannot be decrypted even if the passphrase is later compromised), and mandatory management frame protection (802.11w) to prevent deauthentication attacks.
GCMP (Galois/Counter Mode Protocol)
The encryption and integrity algorithm used in WPA3. GCMP combines AES-based encryption for data confidentiality with GMAC (Galois Message Authentication Code) for frame integrity in a single algorithm. The GMAC component is WPA3's implementation of the Message Integrity Check (MIC). GCMP is more efficient and cryptographically stronger than the CCMP algorithm used in WPA2.
SAE (Simultaneous Authentication of Equals)
The handshake mechanism used in WPA3-Personal, replacing the WPA2 four-way handshake. SAE is based on the Diffie-Hellman key exchange: both the client and access point independently derive the session key from the passphrase β the key is never transmitted across the network. This eliminates the hash capture attack that makes WPA2 PSK vulnerable to offline brute-force. SAE also provides mutual authentication (both sides prove knowledge of the passphrase) and generates a unique session key for every connection, enabling forward secrecy. Also called the dragonfly handshake in IEEE 802.11 standards.
Forward Secrecy
A cryptographic property where compromise of a long-term key (such as a Wi-Fi passphrase) does not expose previously recorded encrypted sessions. Forward secrecy is achieved when each session uses a unique, independently derived encryption key. WPA3 provides forward secrecy through SAE: every connection derives its own session key, so capturing and later cracking the passphrase does not retroactively decrypt past traffic. WPA2 PSK lacks forward secrecy β all sessions used keys derivable from the same static PSK.
Open System Authentication
A wireless security mode with no authentication and no encryption. Any device can connect without credentials. Used in public Wi-Fi hotspots (airports, cafes, hotels). Provides zero confidentiality or authentication β all traffic is visible to any device within range. When using open networks, users must rely on application-layer encryption (HTTPS/TLS, VPN) to protect their traffic.
WPA3-Personal (PSK Mode)
A wireless security mode where all users share a single 256-bit pre-shared key (passphrase). Authentication uses SAE rather than the WPA2 four-way handshake, eliminating hash capture and offline brute-force attacks and providing forward secrecy. Appropriate for home networks and small organizations where individual user authentication and per-user audit trails are not required. Simpler to deploy than WPA3-Enterprise β no RADIUS server needed.
WPA3-Enterprise (802.1X Mode)
A wireless security mode that provides individual user authentication through a RADIUS authentication server rather than a shared passphrase. Each user authenticates with unique credentials (username/password, certificate, or token). The access point acts as an authenticator, forwarding credentials to the RADIUS server for validation. Appropriate for corporate environments requiring individual accountability, per-user access control, audit trails, and the ability to revoke individual user access without changing the shared password. Also called WPA3-Enterprise with 802.1X.
AAA Framework
A security framework for controlling network access through three sequential functions: Authentication (verify identity β who are you?), Authorization (determine permissions β what are you allowed to do?), and Accounting (record activity β what did you do, when, and for how long?). In wireless contexts: Authentication validates user credentials via RADIUS; Authorization determines VLAN, bandwidth, or resource access; Accounting logs session start/end times, duration, and data volume for audit and billing purposes. Identification (presenting a username) precedes the three As.
RADIUS (Remote Authentication Dial-In User Service)
The most widely deployed AAA protocol. A centralized server that receives authentication requests from network access devices (wireless APs, VPN concentrators, switches), validates credentials against a directory or database, and returns Access-Accept or Access-Reject responses β optionally including authorization attributes (VLAN assignment, session time limits). Used in WPA3-Enterprise for wireless authentication, VPN gateway authentication, and router/switch console authentication. Centralizes credential management: a user's credentials are stored once; changing or revoking access takes effect across all RADIUS-integrated systems immediately.
802.1X β Port-Based Network Access Control
An IEEE standard for port-based network access control. 802.1X blocks all network access at a physical or logical port until the connecting device/user successfully authenticates. Used on both wired switches (physical port control) and wireless access points (logical association). The standard defines three roles: Supplicant (client seeking access), Authenticator (switch or AP enforcing access control), and Authentication Server (RADIUS server validating credentials). Integrates with RADIUS, LDAP, and TACACS+.
EAP (Extensible Authentication Protocol)
A flexible authentication framework used within 802.1X. Rather than defining one fixed authentication method, EAP defines a transport for authentication messages and allows many different authentication methods to be implemented as EAP types. Common EAP methods: EAP-TLS (mutual TLS with client and server certificates β strongest), PEAP (Protected EAP β server cert only; inner auth protected by TLS tunnel), EAP-TTLS (TLS tunnel; more flexible inner methods than PEAP). Manufacturers can implement custom EAP types, making EAP adaptable to future authentication mechanisms.
Supplicant / Authenticator / Authentication Server
The three roles in an 802.1X authentication exchange. The Supplicant is the client device seeking network access; it sends credentials. The Authenticator is the network device (AP or switch) that enforces access control β it blocks traffic until authentication succeeds and passes EAP messages between supplicant and authentication server (it does not validate credentials itself). The Authentication Server (typically RADIUS) is the component that actually validates credentials and issues Access-Accept or Access-Reject. Understanding which role does what is a common exam question.