Wireless security is a major component of the Network+ N10-009 Security domain. Wi-Fi's broadcast nature makes it inherently more vulnerable than wired networks — anyone within radio range can potentially intercept traffic or attempt to connect. You must understand wireless security protocols (WEP, WPA, WPA2, WPA3), authentication modes (Personal vs Enterprise), and wireless-specific attack mitigations.
WEP (Wired Equivalent Privacy): original 802.11 security. RC4 cipher with static keys. Completely broken — cracked in minutes with freely available tools (IV attacks expose the key). Never use WEP. If you see WEP on the exam, it is always the wrong security choice.
WPA (Wi-Fi Protected Access): transitional replacement for WEP. Uses TKIP (Temporal Key Integrity Protocol) — dynamically changes keys per packet. Still has vulnerabilities (TKIP weaknesses, KRACK attacks). Deprecated. Do not use.
WPA2 (802.11i): strong security. Uses AES-CCMP encryption — Counter mode with CBC-MAC Protocol. The minimum acceptable standard. Personal mode uses PSK (Pre-Shared Key) — a passphrase shared by all clients. Enterprise mode uses 802.1X with RADIUS — each user authenticates individually.
WPA3: current best. Personal mode uses SAE (Simultaneous Authentication of Equals) — replaces the PSK handshake, resists offline dictionary attacks, and provides forward secrecy (past sessions can't be decrypted if the password is later compromised). Enterprise mode adds a 192-bit security suite (CNSA — Commercial National Security Algorithm suite). Management Frame Protection (802.11w) is mandatory.
802.1X with EAP for wireless: the AP acts as the authenticator (passes EAP messages between client and RADIUS server). Client (supplicant) must authenticate with credentials, certificate, or both before getting network access. Each user has individual authentication — when an employee leaves, disable their account without changing the network passphrase.
Common EAP methods for wireless: EAP-TLS (mutual certificate authentication — most secure, requires client certificates), PEAP-MSCHAPv2 (server certificate only, client uses Windows credentials — common in corporate environments), EAP-TTLS (similar to PEAP, cross-platform), and EAP-FAST (Cisco, no certificates required).
Certificate validation: in PEAP/TTLS, clients must validate the server's certificate to prevent evil twin attacks. Clients that accept any certificate are vulnerable to credential theft — configure clients to verify the CA and server certificate name.
Rogue AP detection: a WIPS (Wireless Intrusion Prevention System) scans for unauthorized APs broadcasting SSIDs. Wireless LAN Controllers (WLCs) in enterprise deployments can detect rogue APs using neighboring APs as sensors. If a rogue AP is wired into the network, the WLC can locate and report it.
Wireless hardening: disable WPS (vulnerable to PIN brute force). Change default SSID (hides AP manufacturer). Use WPA2 Enterprise or WPA3. Enable 802.11w (Management Frame Protection — prevents deauth attacks). Separate guest SSID on isolated VLAN. Disable SSID broadcast for sensitive networks (limited effectiveness). Segment IoT devices onto a dedicated SSID/VLAN.
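The certificate-validation point above (clients must pin the CA and server name in PEAP/TTLS) and the hardening checklist are easy to check mechanically on a Linux client. The audit below is an added example, not code from the page or from any vendor: it parses wpa_supplicant-style network blocks from a constructed config and flags WEP keys and EAP profiles that would accept any RADIUS certificate. The option names (ca_cert, domain_match, domain_suffix_match, altsubject_match) are real wpa_supplicant keys; the SSIDs, paths and server name are made up.

```python
import re

# Constructed sample wpa_supplicant.conf (not a real deployment): a PEAP block
# that skips server validation, a hardened PEAP block, and a WEP block.
SAMPLE_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
}
network={
    ssid="CorpWiFi-Secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_match="radius.corp.example"
}
network={
    ssid="LegacyNet"
    key_mgmt=NONE
    wep_key0=abcdef0123
}
"""
# wpa_supplicant options that pin the expected RADIUS server identity.
NAME_CHECKS = ("domain_match", "domain_suffix_match", "altsubject_match")

def parse_networks(conf: str) -> list[dict[str, str]]:
    """Return one key/value dict per network={...} block, quotes stripped."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        kv = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                k, v = line.split("=", 1)
                kv[k.strip()] = v.strip().strip('"')
        nets.append(kv)
    return nets

def audit_network(net: dict[str, str]) -> list[str]:
    ssid, findings = net.get("ssid", "?"), []
    if any(k.startswith("wep_key") for k in net):  # static RC4 key: broken
        findings.append(f"{ssid}: WEP key present; RC4 with static keys is broken")
    if net.get("key_mgmt") == "WPA-EAP" and net.get("eap") in ("PEAP", "TTLS"):
        if "ca_cert" not in net:  # no trust anchor: any RADIUS cert is accepted
            findings.append(f"{ssid}: no ca_cert, any RADIUS certificate is accepted (evil twin)")
        if not any(k in net for k in NAME_CHECKS):  # CA pinned but not the server
            findings.append(f"{ssid}: no server name match; any certificate from that CA passes")
    return findings

def audit_conf(conf: str) -> list[str]:
    return [f for net in parse_networks(conf) for f in audit_network(net)]
```

Run audit_conf on a real config file's contents to list every profile that the hardening checklist would reject.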
Misconception: WPA2 Personal is secure for corporate networks.
WPA2 Personal uses a shared passphrase — all users share the same credential. If one employee leaves or the password is compromised, all devices are at risk and the password must be changed on every device. Enterprise mode requires individual credentials.
Misconception: Hiding the SSID provides strong security.
Hidden SSIDs are visible in probe requests (broadcast by clients looking for their networks) and are trivially discovered by passive scanners. SSID hiding is minimal security — always combine it with strong encryption and authentication.
These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.
A company requires that each employee authenticate with their individual Active Directory credentials to access the corporate Wi-Fi. Which wireless security configuration achieves this?
Explanation: WPA2 Enterprise with 802.1X uses RADIUS to authenticate each user individually — the RADIUS server validates credentials against Active Directory. Each employee uses their AD username and password. WPA2 Personal uses a shared passphrase (not individual credentials). WPA3 Personal uses SAE but is still a shared key. WEP is insecure.
WPA2 Personal PSK uses a 4-way handshake that can be captured and subjected to offline dictionary/brute-force attacks. An attacker who captures the handshake can repeatedly guess the password offline at high speed. WPA3 Personal SAE (Dragonfly handshake) does not allow offline attacks — each authentication attempt requires an online interaction with the AP, making brute-force impractical. WPA3 also provides forward secrecy, meaning past session traffic cannot be decrypted even if the password is later discovered.