Wireless network security
Protect data confidentiality, restrict access to authorized users, encrypt transmissions, and verify data integrity.
Preventing wireless eavesdropping
Encrypt communications so only users with the correct key can send/receive data.
WPA2
Wireless security standard (2004) using CCMP with AES encryption and CBC-MAC for integrity.
WPA3
Wireless security standard (2018) using GCMP with AES encryption and GMAC for integrity.
WPA2 PSK vulnerability
Attackers can capture the 4-way handshake or derive the PSK hash without it, then brute-force weak PSKs more easily using GPUs or cloud cracking; once the PSK is cracked, they hold the wireless key that every user shares.
SAE in WPA3
Uses mutual authentication and Diffie-Hellman–derived keys to eliminate handshake-based brute-force attacks.
Wireless security modes
Open system (no password/authentication), WPA/2/3-Personal (PSK — same 256-bit key for all users), WPA/2/3-Enterprise (802.1X — individual authentication via a server such as RADIUS).
RADIUS
Centralized AAA protocol for devices like routers, switches, VPNs, and 802.1X networks; supported on most OSs.
TACACS protocols
Authentication protocol family; TACACS+ is an open standard with enhanced features, common on Cisco devices.
Kerberos
Network authentication protocol with SSO, mutual authentication, and replay/on-path attack protection; used in Microsoft networks since Windows 2000.
Kerberos SSO
Single authentication grants tickets for multiple resources without re-entering credentials.
Authentication method selection
VPN → RADIUS; Cisco devices → TACACS+; Microsoft networks → Kerberos.