Mental model
Wireless is fundamentally an open broadcast — anyone within radio range hears your packets. Wi-Fi security is the cryptography that makes those broadcasts unreadable to anyone without the key.
The history is a story of breakage and patches:
- WEP (1997): the original attempt. Broken by 2001 because of weak RC4 IV usage. Cracking tools became laptop-installable. Never use.
- WPA (2003): emergency patch on WEP-era hardware while WPA2 was being finalized. Vulnerable to dictionary attacks. Deprecated.
- WPA2 (2004): proper rewrite with AES-CCMP. Solid for ~15 years. Still acceptable in 2026 (though deprecated for new deployments).
- WPA3 (2018): replaces PSK with SAE (Simultaneous Authentication of Equals) — adds forward secrecy, kills offline dictionary attacks, beefs up enterprise crypto.
Personal vs Enterprise
Every WPA variant has two modes:
| Mode | How it authenticates | Best for |
|---|---|---|
| Personal (PSK / SAE) | Pre-shared key (a password everyone knows) | Home, small office, guest networks |
| Enterprise (802.1X) | Each user authenticates against a RADIUS server | Corporate, university, anywhere with managed users |
Both encrypt the data link the same way. They differ only in how the keys are derived.
- PSK = everyone with the password is welcome. If the password leaks, change it on every device.
- 802.1X = each user has their own credentials. Disable one user without affecting others.
For CCNA, know both flavors and the key differences.
What each standard actually does
WEP (1997, BROKEN)
- RC4 stream cipher with 24-bit IV (initialization vector)
- IVs reused too often → key recovered from ~10 minutes of traffic
- 64-bit “WEP” key is really 40-bit + 24-bit IV — laughably weak
- Cracking tools: aircrack-ng, 5 lines of bash. Do not use WEP for anything.
WPA (2003, DEPRECATED)
- Same RC4 cipher but with TKIP (Temporal Key Integrity Protocol)
- Per-packet key mixing — fixed the IV reuse problem
- Designed to run on old WEP hardware via firmware update — that constraint limited its strength
- Vulnerable to chopchop and Beck-Tews attacks (2008)
WPA2 (2004, ACCEPTABLE)
- New cipher: AES-CCMP (AES in counter mode with CBC-MAC). Strong, modern, hardware-accelerated on most chipsets.
- Personal: PSK with 8–63 character password. Vulnerable to offline dictionary attack if the 4-way handshake is captured.
- Enterprise: 802.1X with PEAP / EAP-TLS / EAP-FAST.
- KRACK vulnerability (2017) — patched in all major OSes.
WPA3 (2018, CURRENT)
- Personal: replaces PSK with SAE (Simultaneous Authentication of Equals) — also known as the Dragonfly handshake. Forward secrecy (capturing the handshake doesn’t help an attacker), no offline dictionary attack.
- Enterprise: optional 192-bit suite with GCMP-256 + SHA-384 — for high-security environments.
- Protected Management Frames (PMF) mandatory — prevents deauth/disassoc spoofing attacks.
- Easy Connect for IoT / headless devices via QR code.
The 4-way handshake (in 90 seconds)
When a WPA2 / WPA3 client associates with an AP, both sides go through a 4-message exchange to derive session keys:
1. AP → Client: ANonce (AP's random nonce)
2. Client → AP: SNonce + MIC (proves client has the PSK / SAE result)
3. AP → Client: GTK (group key for multicast) + MIC
4. Client → AP: ACK
After this, both sides have:
- A PTK (Pairwise Transient Key) — unique per client, encrypts unicast
- A GTK (Group Temporal Key) — shared, encrypts multicast/broadcast
The handshake is recorded if someone captures the exchange. In WPA2 PSK, a captured handshake plus a dictionary can brute-force the password offline (no need to be near the AP anymore). WPA3’s SAE makes this infeasible.
Configuration — Cisco 9800 WLC
WPA3-Personal
WLC(config)# wlan WIFI-HOME 1 WIFI-HOME
WLC(config-wlan)# security wpa
WLC(config-wlan)# security wpa wpa3
WLC(config-wlan)# security wpa wpa3 ciphers gcmp256
WLC(config-wlan)# security wpa wpa3 dot11w required
WLC(config-wlan)# security wpa psk
WLC(config-wlan)# security wpa psk set-key ascii 0 my-passphrase
WLC(config-wlan)# no shutdown
WPA2/WPA3 mixed (transition mode)
For environments with both new and legacy clients:
WLC(config-wlan)# security wpa
WLC(config-wlan)# security wpa wpa2
WLC(config-wlan)# security wpa wpa3
WLC(config-wlan)# security wpa wpa2 ciphers aes
WLC(config-wlan)# security wpa wpa3 ciphers gcmp256
Modern clients use WPA3; legacy clients fall back to WPA2.
WPA3-Enterprise
WLC(config-wlan)# security wpa wpa3 dot11w required
WLC(config-wlan)# security dot1x authentication-list AUTH-RADIUS
WLC(config-wlan)# no security wpa psk
The RADIUS server (AUTH-RADIUS) handles 802.1X authentication.
Common mistakes
-
Still running WEP somewhere. Audit. There’s always one legacy IoT device that someone enabled WEP for in 2012 and forgot.
-
WPA2 with a weak PSK. “Cisco123” is in every dictionary. WPA2 PSK strength entirely depends on password complexity. Use a 16+ character random string.
-
Mixed-mode WPA2/WPA3 with weak ciphers. Mixed mode falls back to the lowest common denominator. Pin your minimum:
security wpa wpa2 ciphers aes(don’t allow TKIP). -
WPA-Enterprise without certificate validation. Clients that don’t validate the RADIUS server’s certificate can be MITM’d by an evil twin AP. Always deploy proper CA certs and enable cert validation on supplicants.
-
PMF (Protected Management Frames) optional or disabled. Without PMF, an attacker can deauth clients. WPA3 requires PMF; WPA2 should enable it where supported.
-
Treating PSK like it’s secure forever. PSK is shared. Someone leaves the company, they still have the Wi-Fi key. Either rotate it regularly, or use Enterprise so you can disable just their account.
-
Disabling SSID broadcast as “security.” It’s not. Tools list hidden SSIDs in seconds. Hidden SSID just makes legitimate users’ lives harder.
Lab to try tonight
If you have a home AP or a Cisco WLC sandbox:
- Configure two WLANs: one WPA2-Personal, one WPA3-Personal.
- Connect a modern phone (WPA3-capable) to each. Check which standard it actually negotiates.
- Try to crack the WPA2 handshake with aircrack-ng using a tiny dictionary that includes your test password. Should work.
- Try the same against WPA3 — fails by design (SAE doesn’t expose a handshake usable for offline cracking).
- Configure mixed-mode WPA2/WPA3. Connect both modern and legacy devices. Verify each negotiates its best protocol.
- Bonus: set up WPA3-Enterprise with FreeRADIUS and one test user. Configure your laptop’s supplicant. Watch the EAP exchange in Wireshark.
Cheat strip
| Standard | Year | Status | Use? |
|---|---|---|---|
| WEP | 1997 | BROKEN since 2001 | Never |
| WPA | 2003 | Deprecated | No |
| WPA2-Personal | 2004 | Acceptable | Legacy ok |
| WPA2-Enterprise | 2004 | Acceptable | Legacy ok |
| WPA3-Personal | 2018 | Current | Yes |
| WPA3-Enterprise | 2018 | Current | Yes |
| Personal mode | PSK / SAE — one password | Home, guest | |
| Enterprise mode | 802.1X + RADIUS — per-user | Corporate | |
| PMF | Protected Management Frames | Always enable | |
| AES-CCMP | WPA2’s cipher | Solid | |
| GCMP-256 | WPA3’s strong cipher | Modern |