Wireless network security
Protects Wi-Fi data confidentiality by controlling access and encrypting traffic; uses standards like WEP, WPA, WPA2, WPA3, with WPA3 being the most secure; best practices include strong passwords, disabling WPS, and changing defaults.
Wireless Eavesdropping
Unauthorized interception of Wi-Fi traffic; easy on open networks, harder on encrypted ones; prevented by using WPA2/WPA3 security and VPNs. Encrypt communications so only users with the correct key can send/receive data.
WEP (Wired Equivalent Privacy)
Early Wi-Fi security using RC4; weak, easily cracked, not secure.
It aims to provide a level of security comparable to wired networks but has significant vulnerabilities. It is largely outdated and has been replaced by stronger protocols.
WPA (Wi-Fi Protected Access)
A security protocol designed to improve upon WEP by providing stronger data protection and network access control. WPA uses TKIP for encryption and enhances security measures compared to its predecessor. It is now outdated and vulnerable.
WPA2
An enhanced version of WPA that uses AES encryption with CCMP for stronger security, providing better data protection and network integrity. It is widely used and considered secure compared to earlier protocols.
WPA3
The latest Wi-Fi security protocol that builds on the previous one, offering improved encryption methods via the SAE handshake and enhanced security features such as stronger protections against brute-force attacks. It is the strongest Wi-Fi protection.
PSK vulnerability
Weakness in WPA/WPA2-Personal where attackers can capture the 4-way handshake between a client and access point, then brute-force the shared Wi-Fi password via GPUs or cloud cracking.
Mitigated with strong passphrases, WPA3 SAE, or enterprise authentication.
SAE (Simultaneous Authentication of Equals)
WPA3 key exchange method replacing PSK; prevents offline brute-force attacks and provides forward secrecy using the Dragonfly handshake.
Wireless security modes
Options include Open (no security), WEP (outdated), WPA/WPA2-Personal with shared PSK, WPA/WPA2/WPA3-Enterprise with RADIUS authentication, and WPA3-Personal with SAE for the strongest protection.
RADIUS
Authentication protocol providing centralized AAA services for devices like routers, switches, VPNs, and 802.1X networks.
Used in WPA2/WPA3-Enterprise to give each user unique login credentials instead of a shared PSK.
An open standard that uses UDP and encrypts only passwords.
TACACS protocols
Cisco-proprietary AAA protocol using TCP; encrypts all authentication data and separates authentication, authorization, and accounting for granular control of network device access.
Kerberos
Network authentication protocol using encrypted tickets from a Key Distribution Center (KDC) to provide secure, mutual authentication, replay/on-path attack protection, and single sign-on in Microsoft Windows domains.
Kerberos SSO
Single Sign-On system where a user logs in once, receives a ticket-granting ticket (TGT), and uses it to access multiple network services securely without re-entering credentials.
Authentication method selection
VPN → RADIUS; Cisco devices → TACACS+; Microsoft networks → Kerberos.