4.1.5 Wireless Security Settings
WPA3, RADIUS.
Wireless security settings encompass the cryptographic protocols and authentication frameworks used to protect data transmission and control access to 802.11 networks.
WPA3: Modern Wireless Protection Wi-Fi Protected Access 3 (WPA3) is the current industry standard, replacing WPA2 to address long-standing vulnerabilities like offline brute-force attacks and packet sniffing. - Simultaneous Authentication of Equals (SAE): Replaces the vulnerable PSK "four-way handshake." It uses a Diffie-Hellman key exchange to ensure Forward Secrecy, meaning even if a session key is compromised, past traffic remains encrypted. - GCMP-256: Uses the Galois/Counter Mode Protocol for stronger encryption and authenticated integrity, providing a performance boost over the older CCMP. - Brute-Force Protection: WPA3 mandates a "dragonfly" handshake that prevents attackers from capturing traffic and trying millions of passwords offline. - WPA3-Enterprise: Increases the minimum encryption strength to 192-bit for highly sensitive environments like government or military networks.
RADIUS and Wireless Authentication Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) for users connecting to a network. - RADIUS Server: Acts as the central database of user credentials (e.g., FreeRADIUS, Microsoft NPS). Instead of the Access Point (AP) knowing the password, it forwards credentials to this server. - IEEE 802.1X: The standard for Port-Based Network Access Control (PNAC). It forces the user (Supplicant) to authenticate via the RADIUS server (Authentication Server) through the AP (Authenticator) before being granted an IP address. - EAP (Extensible Authentication Protocol): The framework used within RADIUS to transport credentials. - PEAP: Encapsulates EAP within an encrypted TLS tunnel; common in corporate environments. - EAP-TLS: Requires certificates on both the server and the client device, providing the highest level of security.
Captive Portals and Open Networks When strong encryption like WPA3 is not feasible, organizations use alternative controls to manage guest access. - Captive Portal: A web page that intercept's a user's initial traffic, requiring them to agree to an AUP (Acceptable Use Policy), provide an email, or enter a one-time code before gaining internet access. - WPA3-SAE (Transition Mode): Allows a single SSID to support both WPA2 and WPA3 clients simultaneously, though this may lower the overall security posture to maintain availability.
Quick Recall - SAE (Simultaneous Authentication of Equals): The "Dragonfly" handshake that stops offline password cracking. - Forward Secrecy: A feature of WPA3 ensures that a leaked key cannot decrypt old recorded traffic. - 802.1X: The "gold standard" for enterprise wireless security using RADIUS. - RADIUS Port 1812: Common UDP port for authentication. - EAP-TLS: Remember "Certificates on both ends" for exam questions.