
Wi-Fi Complete Series · Part 4 of 6

Wi-Fi Security: WPA3, WPA2 & 802.1X

Encryption, authentication and enterprise-grade WLAN protection

WPA3-SAE · 802.1X/RADIUS · EAP-TLS · PMF · Guest WLAN Segmentation · BSI Guidelines

Contents

» Overview: WEP to WPA3
» WEP — Broken, Never Use
» WPA & WPA2
» WPA3: Current Standard
» 802.1X & RADIUS for Enterprise
» Best Practices & BSI Guidelines
» Guest WLAN Segmentation
» FAQ · Contact

Overview: WEP to WPA3

WLAN security rests on two pillars: authentication (who may access the network?) and encryption (how is data protected?). The history of WLAN security standards is a history of successively discovered vulnerabilities and improved successors.

Standard | Year | Encryption | Key Length | Security | Status
WEP | 1997 | RC4 | 40 / 104 bit | Broken (minutes) | ✗ Forbidden
WPA | 2003 | TKIP (RC4) | 128 bit | Known weaknesses | ⚠ Outdated
WPA2 | 2004 | AES-CCMP | 128 / 256 bit | Good (weak PWs vulnerable) | ⚠ Acceptable
WPA3 | 2018 | AES-GCMP-256 | 192 / 256 bit | Very good (SAE, PFS) | ✓ Recommended

WEP — Broken, Never Use Again

WEP (Wired Equivalent Privacy, 1997) was the first WLAN security standard. It is based on RC4 stream encryption with static keys and short initialisation vectors. Fundamental cryptographic weaknesses were published as early as 2001; tools like Aircrack-ng crack WEP in minutes.

✗ WEP is prohibited. Both the BSI and the Wi-Fi Alliance recommend replacing WEP-capable devices. WEP provides no meaningful security and must not be used in any enterprise network.

WPA & WPA2: Known Weaknesses

WPA (2003) was a stopgap: a software update for existing WEP hardware. It uses TKIP (Temporal Key Integrity Protocol) with dynamic keys — better than WEP, but TKIP is also considered weak today.

WPA2 (IEEE 802.11i, 2004) brought the switch to AES-CCMP (Advanced Encryption Standard in Counter Mode with CBC-MAC Protocol), a genuinely solid cipher. It is still the most widely deployed standard today. Key known vulnerabilities:

KRACK (2017)
Key Reinstallation Attack on the 4-way handshake. Fixed by patches on clients and APs. Patched devices are not vulnerable.
Weak Passwords
WPA2-PSK is susceptible to dictionary and brute-force attacks with short or common passphrases.
PMKID Attack (2018)
Allows offline attacks on WPA2-PSK without an associated client — a key argument for migrating to WPA3 or using long passwords.

WPA3: The Current Security Standard

WPA3 was introduced in 2018 by the Wi-Fi Alliance and has been mandatory for all new Wi-Fi certifications since 2020. Key improvements over WPA2:

SAE (Simultaneous Authentication of Equals)
Replaces WPA2-PSK. Based on the Dragonfly handshake (Diffie-Hellman). Offline dictionary attacks are no longer possible. Each session uses individual keys.
Perfect Forward Secrecy (PFS)
Each session is secured with a temporary session key. Even if an attacker later breaks the main key, past sessions cannot be decrypted.
WPA3-Enterprise (192-bit mode)
For highly sensitive environments: 192-bit security mode with GCMP-256, HMAC-SHA-384, ECDH/ECDSA-384. Meets the highest requirements (government, finance, critical infrastructure).
PMF (Protected Management Frames)
IEEE 802.11w is mandatory in WPA3. Management frames are cryptographically protected — prevents deauthentication attacks and evil-twin attacks.

802.1X & RADIUS: Enterprise Authentication

A shared WLAN password (PSK) is not sufficient for enterprise use — all employees know the password and former employees could still access the network. The solution: IEEE 802.1X with a central RADIUS server. Each client authenticates individually against the RADIUS server; the AP merely relays the authentication request.

EAP-TLS
Certificate-based (client + server). Most secure method; requires a PKI. Recommended for the highest security level (RFC 5216).
PEAP / EAP-TTLS
Username+password inside a TLS tunnel. Simpler rollout; widely used with Active Directory integration.
EAP-SIM / EAP-AKA
SIM card-based authentication. Relevant for carrier Wi-Fi and Hotspot 2.0 (Passpoint) environments.
802.1X Flow (simplified):

1. Client (supplicant) connects to the AP
2. AP (authenticator) forwards the authentication request to the RADIUS server
3. RADIUS server (authentication server) verifies the credentials against LDAP / Active Directory
4. On success: RADIUS sends Access-Accept + VLAN assignment to the AP
5. AP grants network access; the user lands in the correct VLAN
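As an added example (not code from the original page or from Industry-Electronics), the following Python simulates steps 2 to 5 of the flow above as one RADIUS exchange in the wire format of RFC 2865 and RFC 2868: the AP builds an Access-Request, the RADIUS server checks the credentials against a directory and answers with Access-Accept plus the VLAN attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = VLAN number), and the AP verifies the Response Authenticator before it trusts the VLAN assignment. Simplification: a real 802.1X exchange carries the user's credentials inside EAP-Message attributes rather than the PAP User-Password attribute used here. The shared secret, the user directory standing in for LDAP / Active Directory, the NAS identifier and all function names are constructed for this example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

SHARED_SECRET = b"constructed-example-secret"   # AP <-> RADIUS secret (constructed)

# Constructed user directory standing in for LDAP / Active Directory:
# username -> (password, VLAN the user belongs in)
USER_DB = {
    "alice": ("correct horse battery staple", 10),   # staff VLAN
    "visitor": ("guest-2024", 99),                    # guest VLAN
}

def _avp(atype, value):
    """One attribute-value pair: Type(1) Length(1) Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def _tagged_int(atype, tag, n):
    """RFC 2868 tagged integer: Tag(1) + 3-byte big-endian value."""
    return _avp(atype, struct.pack("!B", tag) + struct.pack("!I", n)[1:])

def _parse_attrs(data):
    attrs = []
    while data:
        atype, alen = data[0], data[1]
        attrs.append((atype, data[2:alen]))
        data = data[alen:]
    return attrs

def _hide_password(password, request_auth, secret):
    """RFC 2865 section 5.2 User-Password hiding (MD5-chained XOR over 16-byte blocks)."""
    p = password.encode()
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(p), 16):
        b = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(p[i:i + 16], b))
        out += prev
    return out

def _reveal_password(hidden, request_auth, secret):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()

# --- Step 2: the AP (authenticator) builds the Access-Request ---
def build_access_request(ident, username, password, secret=SHARED_SECRET):
    request_auth = os.urandom(16)                       # fresh Request Authenticator
    attrs = _avp(USER_NAME, username.encode())
    attrs += _avp(USER_PASSWORD, _hide_password(password, request_auth, secret))
    attrs += _avp(NAS_IDENTIFIER, b"ap-floor-2")        # constructed NAS name
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

# --- Steps 3 and 4: the RADIUS server verifies and answers with a VLAN ---
def handle_access_request(packet, secret=SHARED_SECRET):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    request_auth = packet[4:20]
    attrs = dict(_parse_attrs(packet[20:length]))
    username = attrs[USER_NAME].decode()
    password = _reveal_password(attrs[USER_PASSWORD], request_auth, secret)
    entry = USER_DB.get(username)
    if entry is None or not hmac.compare_digest(entry[0].encode(), password.encode()):
        code, resp_attrs = ACCESS_REJECT, b""
    else:
        code = ACCESS_ACCEPT
        resp_attrs = _tagged_int(TUNNEL_TYPE, 1, TUNNEL_TYPE_VLAN)
        resp_attrs += _tagged_int(TUNNEL_MEDIUM_TYPE, 1, TUNNEL_MEDIUM_IEEE802)
        resp_attrs += _avp(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + str(entry[1]).encode())
    header = struct.pack("!BBH", code, ident, 20 + len(resp_attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + resp_attrs + secret).digest()
    return header + resp_auth + resp_attrs

# --- Step 5: the AP verifies the reply and reads the VLAN assignment ---
def process_response(request, response, secret=SHARED_SECRET):
    request_auth = request[4:20]
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    if ident != request[1] or not hmac.compare_digest(expected, response[4:20]):
        return ("invalid", None)          # forged or mismatched reply: grant nothing
    if code != ACCESS_ACCEPT:
        return ("reject", None)
    attrs = dict(_parse_attrs(response[20:length]))
    tunnel_type = int.from_bytes(attrs[TUNNEL_TYPE][1:], "big")
    medium = int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE][1:], "big")
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE802:
        return ("accept", None)           # accepted without a usable VLAN: AP default applies
    return ("accept", int(attrs[TUNNEL_PRIVATE_GROUP_ID][1:]))

def authenticate(username, password):
    """Run the whole exchange locally; returns (decision, vlan)."""
    req = build_access_request(7, username, password)
    return process_response(req, handle_access_request(req))

if __name__ == "__main__":
    print(authenticate("alice", "correct horse battery staple"))   # ('accept', 10)
    print(authenticate("visitor", "wrong"))                         # ('reject', None)
```

The Response Authenticator check in `process_response` is the part that matters operationally: the AP must not act on a VLAN number from a reply whose authenticator does not verify under the shared secret, otherwise a spoofed Access-Accept could drop a client into the wrong VLAN.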

Best Practices & BSI Guidelines

The German Federal Office for Information Security (BSI) provides concrete recommendations for secure WLAN. Summary:

Measure | Reason
WPA3 or WPA2 (never WEP/WPA) | WEP and WPA are broken. Prefer WPA3; WPA2-AES as minimum.
Strong WLAN password (20+ characters) | At least 20 random characters. No dictionary words.
Change default router password | Default admin credentials are publicly known. Change immediately on first setup.
Regular firmware updates | Security vulnerabilities in router and AP firmware are regularly discovered and patched.
Separate guest WLAN (VLAN) | Guests must never see the internal network. Separate SSID + VLAN is mandatory.
Disable WPS | WPS has known vulnerabilities (PIN brute-force). Disable on all devices.
Do not hide SSID | A hidden SSID offers no real security (trivially discoverable) and causes connection problems.
802.1X in enterprise (RADIUS) | Individual authentication instead of shared passwords; immediately revocable when employees leave.
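The following is an added example (not code from the original page or from Industry-Electronics) that ties the weak-password and PMKID points of the WPA2 section to the 20-character rule in the table above. WPA/WPA2-Personal derives the Pairwise Master Key from the passphrase with PBKDF2-HMAC-SHA1, salted only with the SSID and run for 4096 iterations, which is the reason a captured handshake or PMKID can be attacked offline and the passphrase is the only thing standing in the way. The `check_passphrase` policy, the character-class rule and the small common-word list are assumptions of this example; the 20-character minimum is the BSI figure from the table.

```python
import hashlib
import math
import string

# Constructed stand-in for a real blocklist of leaked / common passphrases.
COMMON_WORDS = {"password", "12345678", "qwertyuiop", "wlan-passwort", "letmein1"}

CHAR_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bit).
    The SSID is the only salt and 4096 iterations are cheap, so every guess an attacker
    makes against a captured handshake or PMKID costs only this one derivation."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)

def classes_used(passphrase: str) -> set:
    return {name for name, chars in CHAR_CLASSES.items() if any(c in chars for c in passphrase)}

def estimate_bits(passphrase: str) -> float:
    """Upper-bound entropy estimate: length * log2(size of the character pool actually used)."""
    pool = sum(len(CHAR_CLASSES[name]) for name in classes_used(passphrase))
    return len(passphrase) * math.log2(pool) if pool else 0.0

def check_passphrase(passphrase: str, min_length: int = 20) -> list:
    """Return the policy violations for a WPA-Personal passphrase; an empty list means accepted.
    min_length defaults to the BSI recommendation of 20 characters; the other rules are assumed."""
    problems = []
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        problems.append("only printable ASCII characters are allowed in a WPA passphrase")
    if not 8 <= len(passphrase) <= 63:
        problems.append("length must be 8-63 characters")
    if len(passphrase) < min_length:
        problems.append(f"shorter than the {min_length}-character minimum")
    if len(classes_used(passphrase)) < 3:
        problems.append("use at least three of: lower case, upper case, digits, special characters")
    if passphrase.lower() in COMMON_WORDS:
        problems.append("appears in the common-password list")
    return problems

if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE"
    print(derive_pmk("password", "IEEE").hex())
    for candidate in ("password", "Tr0ub4dor&3", "kX7$vq2!Lm9#pR4&wZ8@"):
        print(candidate, round(estimate_bits(candidate), 1), "bits", check_passphrase(candidate))
```

Two things to take from running it: the derivation is deterministic per SSID, so a common default SSID combined with a common passphrase can be attacked with precomputed tables, and `estimate_bits` is only an upper bound, since a dictionary word padded with a digit has far less real entropy than the character-pool arithmetic suggests, which is why the blocklist check stays in the policy.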

Guest WLAN Segmentation

Recommended Architecture:

✓ Separate SSID for guests
✓ Own VLAN (e.g. VLAN 99)
✓ Firewall rule: guest VLAN → Internet only
✓ Client isolation enabled
✓ Bandwidth limiting
✓ Captive portal (optional)

Common Mistakes:

✗ Guest SSID without VLAN (same Layer 2)
✗ Guests can see internal servers
✗ No client isolation
✗ Guest WLAN always on, even at night
✗ Same admin password for guest AP

FAQ

WPA2 or WPA3 — do I need to upgrade?
WPA2-AES is still sufficiently secure with strong passwords. For new hardware and installations, WPA3 is recommended. Many modern APs support WPA2/WPA3 transition mode for backwards compatibility.
How long should a WLAN password be?
The BSI recommends at least 20 random characters using upper and lower case letters, digits and special characters. WPA2/WPA3-PSK accepts 8–63 characters. Shorter passwords are at risk of dictionary attacks.
What is the difference between WPA2-Personal and WPA2-Enterprise?
WPA2-Personal (PSK) uses a shared password for all users. WPA2-Enterprise uses 802.1X with individual user accounts and a RADIUS server. Enterprise mode is strongly recommended in business environments.
Can I trust a public Wi-Fi hotspot?
No, not by default. Never transmit sensitive data over unknown WLANs. Enforce VPN usage for all mobile employees. An attacker can easily set up an evil-twin hotspot with the same name.

Consulting & Supply

Wi-Fi Security Solutions for Enterprise

RADIUS servers, WPA3-capable access points, firewall appliances and managed security solutions for your WLAN infrastructure.

► Phone: +49 (0)7666 / 88499-0    ► sales@industry-electronics.com

Matching Product Categories
» Firewalls – Network Security
» Access Points (WPA3-capable)
» WLAN Controllers
» VPN Routers
Further Reading
» KnowHow: Stopping Ransomware

More parts of this series

Part 1: WLAN Basics
Part 2: Wi-Fi Standards & Speeds
Part 3: Wi-Fi Channels & Frequencies
Part 4: Wi-Fi Security (this page)
Part 5: Mesh, Repeaters & Coverage
Part 6: Wi-Fi Optimization & Troubleshooting