The most important thing to understand about the WPA2 PSK attack is its nature: it is passive and offline. The attacker captures the four-way handshake exchange (which takes seconds), then leaves the premises. The cracking happens later, at the attacker's own pace, on their own hardware, with no connection to your network. There is no rate limiting. No lockout after failed attempts. No detection possible. A GPU can test millions of passphrases per second. Cloud cracking services are available for a few dollars per hour.
This is why passphrase complexity helps but does not solve the problem β a sufficiently random passphrase resists dictionary attacks, but the offline nature of the attack means the attacker has unlimited time and compute. The only real fix is WPA3 SAE, which removes the crackable hash from the wireless medium entirely.
The exam tests whether you understand WHY WPA3 SAE is more secure β not just that it is. The entire WPA2 PSK attack depends on one thing: a hash derived from the passphrase crosses the wireless medium during the four-way handshake. SAE eliminates this at the source. Using Diffie-Hellman key derivation, both the client and access point independently derive the session key from the passphrase β neither side ever transmits the key or a crackable hash of it. The attacker captures nothing useful.
SAE also provides mutual authentication (both sides prove knowledge of the passphrase without revealing it) and per-session unique keys (forward secrecy). These are not separate features β they are consequences of the Diffie-Hellman derivation approach.
The exam presents scenarios and asks which wireless security mode is appropriate. The pattern is predictable: if the scenario requires individual user identity, audit trails, per-user revocation, or VLAN assignment β the answer is WPA3-Enterprise (802.1X). If it just needs basic encryption without a RADIUS server β WPA3-Personal/PSK. If it explicitly describes a public hotspot with intentional open access β Open. The discriminator is almost always whether the organization needs to know WHO is on the network at the individual level.
The most common exam trap in 802.1X questions is attributing credential validation to the wrong component. The access point (Authenticator) does not validate credentials β it receives them from the client (Supplicant) and forwards them to the RADIUS server (Authentication Server), which does the actual validation. The AP's role is pure policy enforcement: block access until you hear "Access-Accept" from RADIUS, then open the port. Nothing more.
Remember the three roles by their function, not their name: Supplicant asks, Authenticator enforces, Authentication Server decides. The names are slightly confusing β the component called "Authenticator" does not actually perform authentication. It enforces the outcome of authentication performed by someone else.