All topic guides
Wireless & WANAmalgamated guide

Wireless Security

WEP through WPA3, 802.1X/EAP, PSK vs enterprise, and integrity protocols.

How the sources were combined

jdepew88 and Panagiss security sections merged with p-saumur Wireless Security (TKIP, CCMP, GCMP, PEAP/EAP-TLS, WPA personal vs enterprise).

Overview

Wireless signals extend beyond walls, so authentication, encryption, and integrity are mandatory. CCNA covers WEP→WPA evolution, 802.1X/EAP, and WPA2/WPA3 personal vs enterprise modes.

Recommended video

Wireless Security (Day 57)

Video credit: Jeremy's IT Lab

Watch on YouTube

Three security pillars

PillarGoal
AuthenticationOnly trusted users/devices join
EncryptionOver-the-air traffic unreadable to eavesdroppers
IntegrityFrames not altered in transit (MIC)

Corporate design: staff SSID with strong auth; separate guest SSID isolated from internal resources. Clients should authenticate the AP too — rogue APs mimic legitimate SSIDs.

Legacy methods (know why they fail)

MethodStatus
Open authenticationNo security — used before captive portal or 802.1X overlay
WEPBroken — RC4, short IV — never deploy

802.1X and EAP

802.1X provides port-based network access control on LAN and WLAN.

RoleDevice
SupplicantClient requesting access
AuthenticatorAP or WLC
Authentication serverRADIUS (typically)

EAP is the framework; methods include:

MethodCCNA note
LEAPCisco legacy — vulnerable, deprecated
EAP-FASTPAC + TLS tunnel — Cisco enterprise
PEAPServer cert + TLS tunnel; client auth inside (e.g. MS-CHAP)
EAP-TLSMutual certificates — strongest, hardest to scale

Encryption and integrity evolution

ProtocolUsed inNotes
TKIPWPAMIC, per-frame keys, longer IV — WEP hardware workaround
CCMP (AES)WPA2AES counter mode + CBC-MAC MIC — current baseline
GCMP (AES)WPA3More efficient; GMAC for integrity

WPA certifications

Both Personal and Enterprise modes exist for WPA, WPA2, and WPA3:

ModeAuthenticationTypical use
Personal (PSK)Pre-shared passphraseHome, lab, small office — GUI topic 5.10
Enterprise802.1X + RADIUSCorporate — per-user credentials

Four-way handshake (awareness)

PSK is not sent over the air. Personal mode uses a four-way handshake to derive session keys.

WPA3 improvements (awareness)

  • SAE — stronger personal-mode handshake vs WPA2 PSK
  • PMF — protected management frames
  • Forward secrecy — past captures harder to decrypt later
StandardEncryptionAuth
WPATKIPPSK or 802.1X
WPA2CCMP (AES)PSK or 802.1X
WPA3GCMPPSK (SAE) or 802.1X
Exam trap

Hidden SSID and MAC filtering are not substitutes for WPA2/WPA3 encryption. They appear in GUI advanced options as weak distractions.

Guest access options (GUI awareness)

MethodBehavior
Web authenticationCaptive portal — username/password after DHCP
Web passthroughAccept policy page — no credentials
802.1X + redirectLayer 2 auth plus conditional redirect variants

AAA on wireless

Authentication (who), Authorization (what VLAN/QoS), Accounting (logging) — RADIUS is the usual authentication server for enterprise WLANs. TACACS+ is for device admin AAA, not wireless client auth.

Exam checklist

  • Explain why WEP is unacceptable
  • Name 802.1X roles: supplicant, authenticator, authentication server
  • Compare WPA2-Personal (PSK) vs WPA2-Enterprise (802.1X)
  • Match TKIP → WPA, CCMP → WPA2, GCMP → WPA3
  • Know PEAP vs EAP-TLS at high level
  • Configure WPA2-PSK in WLC GUI (Wireless Configuration)

Related lessons on this site

Continue in this domain

Wireless & WAN · guide 4 of 5

Sources & further reading

Panagiss CCNAmd

jdepew88 CCNA Notes (markdown)

psaumur CCNA Course Notes

This page is an amalgamated study guide synthesized from the markdown sources above, cross-checked against Cisco's official CCNA exam topics. Verify scope before your exam date.