Wi-Fi Security – WPA2, WPA3 & EAP

1. Why Wi-Fi Security Matters

Wireless networks transmit data through open air using radio frequencies — any device within range can receive those frames. Unlike wired networks where an attacker needs physical access to a cable, a wireless attacker needs only proximity. Without strong encryption and authentication, every packet you send over Wi-Fi is readable by anyone nearby with the right tools.

Wi-Fi security standards have evolved significantly since the late 1990s — from the completely broken WEP, through the interim WPA, to the widely deployed WPA2, and now to the modern WPA3. Each generation addressed weaknesses in its predecessor. Understanding what each standard does, why it was introduced, and what it protects against is a core CCNA wireless topic.

Standard Year Encryption Key Exchange Status
WEP 1999 RC4 (stream cipher) Static shared key Broken — never use
WPA 2003 TKIP (RC4 with improvements) PSK or 802.1X/EAP Deprecated — avoid
WPA2 2004 CCMP / AES-128 PSK (4-way handshake) or 802.1X/EAP Current standard
WPA3 2018 CCMP / AES-128 or GCMP-256 SAE (replaces PSK) or 802.1X/EAP-Suite-B Recommended / modern

Related pages: Wi-Fi Overview | 802.11 Standards | WPA / WPA2 / WPA3 Comparison | Wireless LAN Overview | Frequency & Channels | 802.1X Authentication | AAA Overview | AAA Local vs RADIUS | AAA Authentication Methods | Access Points & WLC | WLC SSID & VLAN Mapping Lab | Guest WLAN & WebAuth Lab | 802.1X Port Authentication Lab

2. WEP — Wired Equivalent Privacy (Broken)

WEP (Wired Equivalent Privacy) was the original IEEE 802.11 security standard, introduced in 1999 with the goal of providing privacy equivalent to a wired network. It uses the RC4 stream cipher with a 40-bit or 104-bit static shared key. Despite its name, WEP was fundamentally broken and is now completely insecure.

Why WEP Is Broken

WEP encryption weakness — IV reuse:WEP uses a 24-bit Initialization Vector (IV) prepended to the key:Effective key = IV (24 bits) + Static key (40 or 104 bits)Problem 1 — Short IV space:24 bits = only 16,777,216 possible IV values.On a busy network, IVs repeat within minutes to hours.RC4 is mathematically vulnerable when the same IV + key is reused.Problem 2 — Static key:The same shared key is used by ALL clients on the network.If one client is compromised, all traffic is exposed.No per-user keys, no per-session keys.Problem 3 — Weak integrity (CRC-32):WEP uses CRC-32 for integrity — a checksum, not a cryptographic MAC.An attacker can flip bits in the ciphertext and update the CRCwithout knowing the key → bit-flipping attacks succeed.Result: WEP can be cracked in under 60 seconds using tools like aircrack-ng,regardless of key length (40-bit or 104-bit). Key length is irrelevant.
WEP is never acceptable. No matter the configuration — 64-bit, 128-bit, or "dynamic" WEP — WEP must never be used on any network. The IEEE deprecated WEP in 2004. Any device or network still using WEP is critically vulnerable. The only correct action is to replace it with WPA2 or WPA3.

3. WPA — Wi-Fi Protected Access (Transitional)

WPA (Wi-Fi Protected Access) was introduced in 2003 as an emergency interim fix for WEP's fatal flaws, while IEEE 802.11i (which became WPA2) was still being finalised. WPA was designed to run on existing WEP hardware via a firmware update — a significant constraint that limited how much it could improve security.

WPA Improvements Over WEP

Feature WEP WPA
Encryption cipher RC4 (static IV) TKIP — RC4 with per-packet key mixing and extended IV (48 bits)
IV length 24 bits (reuse within minutes) 48 bits (2⁴⁸ ≈ 281 trillion — IV reuse effectively eliminated)
Integrity check CRC-32 (not cryptographic) MIC — Message Integrity Check (Michael) — cryptographic
Key management Static shared key for all clients Per-session keys derived from PSK or 802.1X via 4-way handshake
Authentication Shared key only PSK (Pre-Shared Key) or 802.1X/EAP

WPA Limitations

WPA's TKIP is still based on RC4, which is a weak cipher by modern standards. TKIP was later found to have vulnerabilities (including the TKIP MIC failure attack). WPA is deprecated and should not be used in new deployments. WPA2 replaced it in 2004.

4. WPA2 — The Current Mainstream Standard

WPA2, ratified in 2004 and based on IEEE 802.11i, is the first Wi-Fi security standard to use AES (Advanced Encryption Standard) — a fundamentally stronger cipher than RC4. WPA2 replaces TKIP with CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol), which provides both strong encryption and cryptographic integrity.

WPA2 comes in two modes depending on the deployment context: WPA2-Personal (for homes and small offices) and WPA2-Enterprise (for corporate environments requiring per-user authentication). See WPA / WPA2 / WPA3 Comparison for a full feature breakdown.

WPA2 encryption core:
CCMP (Counter Mode CBC-MAC Protocol):
┌─────────────────────────────────────────────────────────────┐
│  Cipher:      AES (Advanced Encryption Standard)            │
│  Key length:  128 bits                                      │
│  Mode:        CTR (Counter Mode) for encryption             │
│               CBC-MAC for integrity / authentication        │
│  Block size:  128 bits                                      │
└─────────────────────────────────────────────────────────────┘
AES-CCMP is a FIPS 140-2 approved cipher — used by US government
and military. Considered computationally secure against brute force.

4.1 WPA2-Personal (PSK Mode)

WPA2-Personal uses a Pre-Shared Key (PSK) — a passphrase configured on the access point and on every client device. The PSK is never transmitted over the air. Instead, both the AP and the client use the PSK, the SSID, and random nonces to derive a Pairwise Master Key (PMK), which feeds into the 4-Way Handshake to generate per-session Pairwise Transient Keys (PTKs).

WPA2-Personal 4-Way Handshake (simplified):
Client                                   Access Point (AP)
◄── Message 1: ANonce (AP random nonce)
Client derives PTK using:
PTK = PRF(PMK + ANonce + SNonce + AP MAC + Client MAC)
SNonce (client nonce) ──────────────────────────►  Message 2 + MIC
AP verifies MIC, derives same PTK
◄── Message 3: GTK (Group Temporal Key) + MIC
Client installs PTK and GTK ──────────────────────►  Message 4: ACK
Session keys installed on both sides — encrypted data transfer begins.
PTK: Pairwise Transient Key — unique per client per session (unicast)
GTK: Group Temporal Key — shared for broadcast/multicast frames

WPA2-Personal Vulnerability — KRACK and Dictionary Attacks

WPA2-Personal weaknesses:
1. Dictionary / brute-force attacks: If the PSK is weak (a common word or short passphrase), an attacker can capture the 4-Way Handshake and perform an offline brute-force attack using tools like hashcat. A strong, random passphrase (20+ characters) significantly reduces this risk.
2. KRACK (Key Reinstallation Attack, 2017): A vulnerability in the 4-Way Handshake that allowed nonce reuse under certain conditions. Patched on most modern devices — but unpatched legacy devices remain vulnerable.
3. No forward secrecy: If the PSK is ever compromised, all past sessions that were recorded can potentially be decrypted.

4.2 WPA2-Enterprise (802.1X/EAP Mode)

WPA2-Enterprise replaces the shared PSK with 802.1X/EAP authentication — each user authenticates individually with unique credentials (username/password, certificate, or smart card) via a RADIUS server. This eliminates the single shared secret that makes WPA2-Personal less suitable for corporate environments. See AAA Authentication Methods for the full AAA framework.

WPA2-Enterprise authentication architecture:[Wireless Client] ← 802.1X / EAP → [AP (Authenticator)]RADIUS (UDP 1812)[RADIUS Server (AS)](Active Directory, Cisco ISE,FreeRADIUS, etc.)Roles:Supplicant: The wireless client requesting accessAuthenticator: The AP (or WLC) — forwards EAP messages betweenclient and RADIUS server; enforces access decisionAuthentication Server (AS): RADIUS server — validates credentialsand returns Accept or RejectBenefit: Each user has unique credentials — no shared secret.A compromised user account can be revoked without changing thepassword for every device on the network.
Feature WPA2-Personal (PSK) WPA2-Enterprise (802.1X)
Authentication credentials Single shared passphrase for all users Per-user credentials (username/password or certificate)
Infrastructure required AP only — no additional servers RADIUS server + (optionally) PKI/CA for certificates. See AAA Local vs RADIUS.
Scalability Poor — changing the key requires reconfiguring every device Excellent — add/remove users on RADIUS without touching APs
Rogue client risk High — anyone who knows the PSK can join Low — each user authenticates individually
Typical deployment Home networks, small offices, guest Wi-Fi Enterprise, universities, government
Complexity Simple Complex — requires RADIUS infrastructure. See AAA Overview.

5. WPA3 — Modern Security Improvements

WPA3, announced by the Wi-Fi Alliance in 2018, addresses the remaining weaknesses in WPA2. It comes in two modes — WPA3-Personal and WPA3-Enterprise — and introduces significant improvements in both authentication and encryption. See WPA / WPA2 / WPA3 Comparison for the full side-by-side breakdown.

5.1 WPA3-Personal — SAE Replaces PSK

WPA3-Personal replaces the WPA2 4-Way Handshake PSK exchange with SAE (Simultaneous Authentication of Equals), also known as Dragonfly (defined in IEEE 802.11s and RFC 7664). SAE is a password-authenticated key exchange protocol that provides several critical improvements over WPA2-PSK.

SAE vs WPA2-PSK key differences:
WPA2-PSK:
├─ PSK is used directly in PMK derivation
├─ 4-Way Handshake can be captured and attacked offline
├─ Weak passphrase → crackable with GPU brute force
└─ No forward secrecy: captured handshakes decryptable if PSK found
WPA3-SAE (Simultaneous Authentication of Equals):
├─ Uses a Diffie-Hellman-style key exchange with the password as input
├─ Each authentication generates a FRESH PMK — even with the SAME password
├─ No handshake material is transmitted that enables offline cracking
├─ Forward secrecy: past sessions cannot be decrypted even if password
│  is later revealed
└─ Provides equal standing: neither client nor AP has more power in
the exchange — mutual authentication

5.2 WPA3-Enterprise

WPA3-Enterprise retains 802.1X/EAP for authentication but strengthens the cryptographic suite:

Feature WPA2-Enterprise WPA3-Enterprise
Encryption CCMP-128 (AES-128) CCMP-128 (standard) or GCMP-256 (192-bit security mode)
Authentication 802.1X / EAP 802.1X / EAP (same) with stricter cipher requirements
Management Frame Protection Optional (PMF) Mandatory — protects deauth/disassoc frames from spoofing
192-bit mode Not available Available — uses GCMP-256, HMAC-SHA-384, ECDH/ECDSA P-384

5.3 WPA3 Key Features Summary

Feature WPA3 Improvement
SAE (Dragonfly) Replaces PSK 4-Way Handshake; eliminates offline dictionary attacks; provides forward secrecy
Forward Secrecy Each session generates unique keys — past sessions cannot be decrypted even if the password is later compromised
PMF — Protected Management Frames Mandatory in WPA3 — encrypts and authenticates management frames (deauthentication, disassociation) to prevent spoofed deauth attacks used to kick clients off the network
Enhanced Open (OWE) Opportunistic Wireless Encryption for open (no-password) networks — provides per-session encryption even without authentication, replacing completely open WPA2 hotspots
192-bit Security Mode Available in WPA3-Enterprise for high-security environments (government, financial) — uses GCMP-256 and Suite-B cryptographic algorithms
CCNA exam tip: WPA3's most important improvements are SAE (replaces PSK — prevents offline cracking), Forward Secrecy (past sessions protected even if password is compromised), and mandatory PMF (prevents spoofed deauthentication attacks). These three are the most commonly tested WPA3 distinctions. See WPA / WPA2 / WPA3 Comparison.

6. EAP — Extensible Authentication Protocol

EAP (Extensible Authentication Protocol), defined in RFC 3748, is the authentication framework used in WPA2/WPA3-Enterprise and 802.1X. EAP itself is not an authentication method — it is a flexible framework that supports many different authentication methods (called EAP types or EAP methods), each with different credential requirements and security characteristics.

EAP messages between the wireless client (supplicant) and the RADIUS server are transported by the AP (authenticator), which encapsulates them in RADIUS packets. The AP does not see or process the EAP credentials — it is purely a passthrough. See AAA Authentication Methods for the broader authentication context.

SupplicantAuthenticator (AP/WLC)RADIUS Server(client)EAP-Request (Identity)EAP-Response (Identity)RADIUS Access-RequestRADIUS Access-ChallengeEAP-Request (method)EAP-Response (creds)

7. EAP Types — PEAP, EAP-TLS, EAP-TTLS, LEAP, EAP-FAST

Different EAP methods vary in what credentials they use, whether they require a server-side certificate, a client-side certificate, or both, and how strongly they protect credentials in transit. The following are the most important EAP types for the CCNA exam and enterprise deployments.

7.1 PEAP — Protected EAP

PEAP (Protected EAP) is the most widely deployed EAP method in enterprise Wi-Fi. It creates an encrypted TLS tunnel between the client and the RADIUS server using only a server-side certificate (the client does not need a certificate). Inside the tunnel, credentials are exchanged using a simpler inner authentication method — most commonly MSCHAPv2 (username and password).

PEAP authentication flow:Phase 1 — TLS tunnel establishment:Client validates server certificate (from RADIUS/CA)→ Encrypted TLS tunnel is establishedPhase 2 — Inner authentication (inside the tunnel):Client sends username + password (via MSCHAPv2)RADIUS server validates against Active Directory / user database→ Access-Accept returned if validCredentials: Username + password (client), Certificate (server only)Infrastructure: RADIUS server certificate from a trusted CACommon use: Windows domain environments with Active Directory

7.2 EAP-TLS — Mutual Certificate Authentication

EAP-TLS is the most secure EAP method. Both the RADIUS server and the client must present valid digital certificates. There is no password involved — authentication is purely certificate-based. This requires a full PKI (Public Key Infrastructure) to issue and manage client certificates for every device.

EAP-TLS mutual authentication:
Client ──────── presents client certificate ────────► RADIUS Server
Client ◄─────── presents server certificate ─────────  RADIUS Server
Both sides validate each other's certificates.
No username/password is used.
Pros: Strongest available — certificate-based, no password to steal
Cons: Requires PKI; client certificates must be issued and managed
for every device — high operational overhead
Use:  High-security environments (government, financial, healthcare)

7.3 EAP-TTLS — Tunnelled TLS

EAP-TTLS (Tunnelled TLS) is similar to PEAP — it creates a TLS tunnel using a server certificate and performs inner authentication inside. The difference is that EAP-TTLS supports a wider range of inner authentication methods (PAP, CHAP, MSCHAPv2, EAP, etc.) and is more flexible across different operating systems. It is popular in Linux/non-Windows environments.

7.4 LEAP — Lightweight EAP (Cisco Proprietary — Deprecated)

LEAP was Cisco's proprietary EAP method, introduced before PEAP/EAP-TLS were standardised. It uses MS-CHAPv1 for mutual authentication but has serious vulnerabilities — it is susceptible to offline dictionary attacks (ASLEAP attack). LEAP is deprecated and should never be used in new deployments.

7.5 EAP-FAST — Flexible Authentication via Secure Tunnelling

EAP-FAST was developed by Cisco as a replacement for LEAP. It uses a PAC (Protected Access Credential) — a shared secret provisioned to the client — to establish a TLS tunnel without requiring a certificate. It was designed for environments where deploying certificates is not practical. EAP-FAST is secure but less commonly encountered than PEAP today.

EAP Method Server Cert? Client Cert? Client Credentials Security Level Status
PEAP Yes No Username + password (MSCHAPv2) High Current — widely used
EAP-TLS Yes Yes Client certificate (no password) Highest Current — highest security
EAP-TTLS Yes No Username + password (flexible inner method) High Current — common on Linux
EAP-FAST No (PAC used) No Username + password (inside PAC tunnel) High Current — Cisco environments
LEAP No No Username + password (MS-CHAPv1) Low — vulnerable Deprecated — never use
CCNA exam tip: For the CCNA, focus on these three: PEAP (server cert + username/password — most common), EAP-TLS (mutual certs — most secure, requires PKI), EAP-FAST (Cisco — uses PAC instead of certificate). Remember: LEAP = Cisco legacy = deprecated and insecure. See AAA Authentication Methods for the full context.

8. 802.1X Wireless Authentication — How It Works End to End

IEEE 802.1X is the port-based network access control standard that underpins WPA2/WPA3-Enterprise authentication. It defines the roles of supplicant, authenticator, and authentication server, and controls network access at the port level until authentication succeeds. See 802.1X Port Authentication Lab for hands-on configuration.

802.1X wireless — full flow with WPA2-Enterprise:
Step 1 — Client associates with the SSID (open association, not yet authed)
Client ──────── 802.11 Association Request ────────────► AP
Step 2 — AP opens a controlled port (only EAP traffic allowed)
AP ◄──────── EAP-Request/Identity ──────────────────── AP sends to client
Step 3 — Client identifies itself
Client ──── EAP-Response/Identity (username) ─────────► AP → RADIUS
Step 4 — EAP method negotiation and credential exchange
(PEAP: TLS tunnel built, MSCHAPv2 inside)
(EAP-TLS: mutual certificates exchanged)
Client ↔ AP (relay) ↔ RADIUS server
Step 5 — RADIUS returns Access-Accept with PMK (key material)
RADIUS ──── Access-Accept + MSK (Master Session Key) ──► AP
Step 6 — AP sends EAP-Success to client
AP ──────── EAP-Success ───────────────────────────────► Client
Step 7 — WPA2/WPA3 4-Way Handshake
Client ↔ AP derive PTK and GTK from MSK → encrypted data begins
Step 8 — AP opens controlled port for all traffic
Client can now send/receive normal network traffic.

802.1X Port States

Port State Traffic Allowed When
Unauthorised EAP/802.1X only — no data traffic Before authentication completes
Authorised All traffic permitted (based on RADIUS policy) After successful authentication
RADIUS server options: Common RADIUS server implementations for 802.1X wireless include: Cisco ISE (Identity Services Engine), Microsoft NPS (Network Policy Server — integrates with Active Directory), and FreeRADIUS (open source). The RADIUS server typically validates credentials against a directory service (Active Directory, LDAP) and can return additional authorisation attributes such as VLAN assignment. See AAA Local vs RADIUS for configuration details.

9. Additional Wireless Security Mechanisms

9.1 SSID Hiding (Not a Security Control)

Some administrators disable SSID broadcasting so the network name does not appear in client scan results. This is not a security control — SSIDs are visible in probe requests and can be discovered in seconds with wireless sniffing tools like Wireshark. SSID hiding creates management overhead without providing meaningful protection.

9.2 MAC Address Filtering (Weak)

MAC address filtering allows only devices with pre-approved MAC addresses to associate with the AP. This provides a very low level of security — MAC addresses are transmitted unencrypted in 802.11 frames and can be trivially spoofed by any attacker with a wireless adapter. It is useful only as an additional layer alongside strong WPA2/WPA3 — never as a primary security mechanism.

9.3 PMF — Protected Management Frames (802.11w)

PMF (Protected Management Frames), defined in IEEE 802.11w, encrypts and authenticates wireless management frames — specifically deauthentication and disassociation frames. Without PMF, an attacker can send spoofed deauthentication frames to disconnect clients from the network (a deauth attack, commonly used as part of WPA2 handshake capture). PMF makes these attacks ineffective.

Standard PMF Status
WPA2 Optional — can be set to Disabled, Optional, or Required
WPA3 Mandatory — always enabled, cannot be disabled

9.4 Wireless Intrusion Prevention System (WIPS)

A WIPS monitors the RF environment for rogue access points, ad-hoc networks, and wireless attacks. It can automatically contain rogue APs by sending deauthentication frames (in coordination with a WLC) to disconnect clients from unauthorised networks. Cisco's WLC supports WIPS functionality through its CleanAir and Rogue Management features.

9.5 Guest WLAN Isolation

Guest Wi-Fi networks should be isolated from the corporate LAN using a separate VLAN, firewall policy, or client isolation feature on the AP/WLC. This prevents guest devices from accessing internal resources. See: Guest WLAN & WebAuth Lab

10. Comparing All Wi-Fi Security Standards

Standard Encryption Auth (Personal) Auth (Enterprise) Forward Secrecy PMF Use Today?
WEP RC4 (broken) Static key None No No Never
WPA TKIP/RC4 PSK (4-way handshake) 802.1X/EAP No No No — deprecated
WPA2-Personal CCMP/AES-128 PSK (4-way handshake) No Optional Yes — home/SMB
WPA2-Enterprise CCMP/AES-128 802.1X/EAP No Optional Yes — corporate
WPA3-Personal CCMP/AES-128 SAE (Dragonfly) Yes Mandatory Recommended
WPA3-Enterprise CCMP-128 or GCMP-256 802.1X/EAP (Suite-B) Yes Mandatory Recommended
Quick selection guide — which security mode to use:Home network / small office with no RADIUS server?→ WPA3-Personal (SAE) if all devices support it→ WPA2-Personal (PSK + AES) if legacy devices require it→ Use a strong random passphrase (20+ characters)→ Never use WEP or WPA/TKIPCorporate network with Active Directory / user management?→ WPA3-Enterprise or WPA2-Enterprise (802.1X)→ Use PEAP-MSCHAPv2 for username/password (simpler deployment)→ Use EAP-TLS for certificate-based (highest security)→ Deploy RADIUS server (Cisco ISE, Microsoft NPS, FreeRADIUS)Guest / public hotspot?→ WPA3-Personal with separate VLAN→ Or WPA3 Enhanced Open (OWE) if supported→ Enable client isolation to prevent guest-to-guest attacks→ Captive portal / WebAuth for acceptable-use policy

See also: 802.1X Authentication | AAA Overview | AAA Local vs RADIUS | AAA Authentication Methods | WPA / WPA2 / WPA3 Comparison | Wi-Fi Overview | Access Points & WLC | Wireshark | Firewalls | VLANs | AAA RADIUS Configuration Lab | WLC SSID & VLAN Mapping Lab | 802.1X Port Authentication Lab

Test Your Knowledge — Wi-Fi Security Quiz

Why is WEP considered completely broken and unsuitable for use, regardless of key length?

Correct answer is B. WEP's fatal flaw is its 24-bit Initialization Vector (IV). With only ~16.7 million possible IVs, on a busy network IVs repeat within minutes. When two packets share the same IV and key, the RC4 keystream is identical — and mathematical analysis of the ciphertext reveals the key. Tools like aircrack-ng can crack WEP in under 60 seconds using this weakness. Key length (64-bit vs 128-bit) does not protect against this attack. See WPA / WPA2 / WPA3 Comparison for how later standards addressed these flaws.

What encryption cipher does WPA2 use, and why is it considered significantly stronger than WEP/WPA?

Correct answer is C. WPA2 uses CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) based on AES-128. AES is a block cipher (not a stream cipher like RC4) that is FIPS 140-2 approved and considered computationally secure. TKIP (used by WPA) is still RC4-based. SAE is WPA3's key exchange mechanism, not an encryption cipher. See WPA / WPA2 / WPA3 Comparison.

What is the main difference between WPA2-Personal and WPA2-Enterprise authentication?

Correct answer is A. WPA2-Personal uses a Pre-Shared Key (PSK) — the same password for all users. WPA2-Enterprise uses 802.1X with EAP — each user authenticates with individual credentials (username/password or certificate) validated by a RADIUS server. This means in Enterprise mode, revoking a single user's access is as simple as disabling their account — no need to change the wireless password on every device. See AAA Authentication Methods and 802.1X Authentication.

What is SAE in WPA3, and what specific WPA2 vulnerability does it address?

Correct answer is D. SAE (Simultaneous Authentication of Equals), also called Dragonfly, is WPA3-Personal's replacement for the WPA2 PSK 4-Way Handshake. In WPA2-PSK, the handshake can be captured and subjected to offline brute-force attacks. SAE uses a Diffie-Hellman-based exchange where even capturing the authentication exchange yields nothing useful for offline cracking. Each session gets a unique PMK, providing forward secrecy. See WPA / WPA2 / WPA3 Comparison.

Which EAP method requires digital certificates on BOTH the client and the RADIUS server?

Correct answer is B. EAP-TLS is the only common EAP method that requires certificates on both the RADIUS server and every client device. This makes it the most secure EAP method — no passwords that can be guessed or stolen — but also the most operationally complex, requiring a full PKI to issue and manage client certificates. PEAP only requires a server certificate; EAP-FAST uses a PAC (not a certificate) on the client side. See AAA Authentication Methods.

What is PMF (Protected Management Frames), and why is it mandatory in WPA3 but only optional in WPA2?

Correct answer is C. Without PMF (defined in IEEE 802.11w), an attacker can inject spoofed deauthentication or disassociation frames into the wireless channel — the AP or client has no way to verify they are legitimate. This forces clients off the network (deauth attack) and is commonly used to capture WPA2 4-Way Handshakes for offline cracking. PMF cryptographically signs management frames so spoofed frames are rejected. WPA2 made PMF optional; WPA3 made it mandatory — closing this attack vector entirely. See WPA / WPA2 / WPA3 Comparison.

Which wireless authentication architecture involves a Supplicant, Authenticator, and Authentication Server?

Correct answer is D. IEEE 802.1X defines the three-party architecture: the Supplicant (wireless client requesting access), the Authenticator (the AP or WLC — controls port access, relays EAP messages to the RADIUS server), and the Authentication Server (RADIUS server — validates credentials and returns Accept/Reject). The Authenticator never processes credentials directly — it is a transparent relay between client and RADIUS. See AAA Overview.

Which certificate(s) are required for PEAP authentication?

Correct answer is D. PEAP requires only a server-side certificate (on the RADIUS server) to establish the TLS tunnel. The client does not need a certificate — it authenticates inside the encrypted tunnel using a username and password (via MSCHAPv2). This makes PEAP much simpler to deploy than EAP-TLS (which requires client certificates on every device) while still protecting credentials from eavesdropping. See AAA Local vs RADIUS for deployment context.

Why is SSID hiding (disabling SSID broadcast) NOT considered an effective wireless security control?

Correct answer is B. Even with SSID broadcast disabled, the SSID appears in plaintext in 802.11 probe request frames (sent by clients looking for the network) and probe response frames. Any passive wireless capture tool (Wireshark, Kismet, airodump-ng) will display hidden SSIDs within seconds of a client connecting. SSID hiding adds configuration complexity without any meaningful security benefit — it is considered security through obscurity.

An enterprise deploys WPA2-Enterprise with PEAP. A user's account is compromised. What action removes that user's wireless access without affecting other users?

Correct answer is C. This illustrates the key operational advantage of WPA2/WPA3-Enterprise over Personal mode. Because each user has individual credentials validated by the RADIUS server against a directory (Active Directory, LDAP), disabling a single user account immediately prevents that user from re-authenticating — with zero impact on other users. In WPA2-Personal, you would have to change the PSK on every AP and every client device. See: AAA Local vs RADIUS

Related Topics & Step-by-Step Tutorials

Continue your wireless networking studies:

Back to Home