Overview
Wireless signals extend beyond walls, so authentication, encryption, and integrity are mandatory. CCNA covers WEP→WPA evolution, 802.1X/EAP, and WPA2/WPA3 personal vs enterprise modes.
Wireless Security (Day 57)
Video credit: Jeremy's IT Lab
Watch on YouTubeThree security pillars
| Pillar | Goal |
|---|---|
| Authentication | Only trusted users/devices join |
| Encryption | Over-the-air traffic unreadable to eavesdroppers |
| Integrity | Frames not altered in transit (MIC) |
Corporate design: staff SSID with strong auth; separate guest SSID isolated from internal resources. Clients should authenticate the AP too — rogue APs mimic legitimate SSIDs.
Legacy methods (know why they fail)
| Method | Status |
|---|---|
| Open authentication | No security — used before captive portal or 802.1X overlay |
| WEP | Broken — RC4, short IV — never deploy |
802.1X and EAP
802.1X provides port-based network access control on LAN and WLAN.
| Role | Device |
|---|---|
| Supplicant | Client requesting access |
| Authenticator | AP or WLC |
| Authentication server | RADIUS (typically) |
EAP is the framework; methods include:
| Method | CCNA note |
|---|---|
| LEAP | Cisco legacy — vulnerable, deprecated |
| EAP-FAST | PAC + TLS tunnel — Cisco enterprise |
| PEAP | Server cert + TLS tunnel; client auth inside (e.g. MS-CHAP) |
| EAP-TLS | Mutual certificates — strongest, hardest to scale |
Encryption and integrity evolution
| Protocol | Used in | Notes |
|---|---|---|
| TKIP | WPA | MIC, per-frame keys, longer IV — WEP hardware workaround |
| CCMP (AES) | WPA2 | AES counter mode + CBC-MAC MIC — current baseline |
| GCMP (AES) | WPA3 | More efficient; GMAC for integrity |
WPA certifications
Both Personal and Enterprise modes exist for WPA, WPA2, and WPA3:
| Mode | Authentication | Typical use |
|---|---|---|
| Personal (PSK) | Pre-shared passphrase | Home, lab, small office — GUI topic 5.10 |
| Enterprise | 802.1X + RADIUS | Corporate — per-user credentials |
Four-way handshake (awareness)
PSK is not sent over the air. Personal mode uses a four-way handshake to derive session keys.
WPA3 improvements (awareness)
- SAE — stronger personal-mode handshake vs WPA2 PSK
- PMF — protected management frames
- Forward secrecy — past captures harder to decrypt later
| Standard | Encryption | Auth |
|---|---|---|
| WPA | TKIP | PSK or 802.1X |
| WPA2 | CCMP (AES) | PSK or 802.1X |
| WPA3 | GCMP | PSK (SAE) or 802.1X |
Hidden SSID and MAC filtering are not substitutes for WPA2/WPA3 encryption. They appear in GUI advanced options as weak distractions.
Guest access options (GUI awareness)
| Method | Behavior |
|---|---|
| Web authentication | Captive portal — username/password after DHCP |
| Web passthrough | Accept policy page — no credentials |
| 802.1X + redirect | Layer 2 auth plus conditional redirect variants |
AAA on wireless
Authentication (who), Authorization (what VLAN/QoS), Accounting (logging) — RADIUS is the usual authentication server for enterprise WLANs. TACACS+ is for device admin AAA, not wireless client auth.
Exam checklist
- Explain why WEP is unacceptable
- Name 802.1X roles: supplicant, authenticator, authentication server
- Compare WPA2-Personal (PSK) vs WPA2-Enterprise (802.1X)
- Match TKIP → WPA, CCMP → WPA2, GCMP → WPA3
- Know PEAP vs EAP-TLS at high level
- Configure WPA2-PSK in WLC GUI (Wireless Configuration)