
Wireless Security for CompTIA Network+ N10-009

Wireless security is a major component of the Network+ N10-009 Security domain. Wi-Fi's broadcast nature makes it inherently more vulnerable than wired networks — anyone within radio range can potentially intercept traffic or attempt to connect. You must understand wireless security protocols (WEP, WPA, WPA2, WPA3), authentication modes (Personal vs Enterprise), and wireless-specific attack mitigations.


Wireless Security Protocols

WEP (Wired Equivalent Privacy): original 802.11 security. RC4 cipher with static keys. Completely broken — cracked in minutes with freely available tools (IV attacks expose the key). Never use WEP. If you see WEP on the exam, it is always the wrong security choice.

WPA (Wi-Fi Protected Access): transitional replacement for WEP. Uses TKIP (Temporal Key Integrity Protocol) — dynamically changes keys per packet. Still has vulnerabilities (TKIP weaknesses, KRACK attacks). Deprecated. Do not use.

WPA2 (802.11i): strong security. Uses AES-CCMP encryption — Counter mode with CBC-MAC Protocol. The minimum acceptable standard. Personal mode uses PSK (Pre-Shared Key) — a passphrase shared by all clients. Enterprise mode uses 802.1X with RADIUS — each user authenticates individually.

WPA3: current best. Personal mode uses SAE (Simultaneous Authentication of Equals) — replaces PSK handshake, resistant to offline dictionary attacks, provides forward secrecy (past sessions can't be decrypted if the password is later compromised). Enterprise mode adds 192-bit encryption suite (CNSA — Commercial National Security Algorithm suite). Mandatory Management Frame Protection (802.11w).

Enterprise Wireless Authentication (802.1X)

802.1X with EAP for wireless: the AP acts as the authenticator (passes EAP messages between client and RADIUS server). Client (supplicant) must authenticate with credentials, certificate, or both before getting network access. Each user has individual authentication — when an employee leaves, disable their account without changing the network passphrase.

Common EAP methods for wireless: EAP-TLS (mutual certificate authentication; most secure, requires client certificates), PEAP-MSCHAPv2 (server certificate only, client uses Windows credentials; common in corporate environments), EAP-TTLS (similar to PEAP, cross-platform), and EAP-FAST (Cisco, no certificates required).

Certificate validation: in PEAP/TTLS, clients must validate the server's certificate to prevent evil twin attacks. Clients that accept any certificate are vulnerable to credential theft — configure clients to verify the CA and server certificate name.
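The certificate-validation point above can be checked on Linux clients by auditing their wpa_supplicant configuration. The following is an added example, not part of the original guide: the function name `audit_supplicant` is hypothetical, and the sample configuration (SSIDs, paths, RADIUS host name) is constructed for illustration.

```python
import re

# Constructed wpa_supplicant.conf sample; SSIDs, paths and host name are made up.
SAMPLE_CONF = '''
network={
    ssid="Corp-NoValidation"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="Corp-CAOnly"
    key_mgmt=WPA-EAP
    eap=TTLS
    ca_cert="/etc/ssl/certs/example-corp-ca.pem"
}
network={
    ssid="Corp-Pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/example-corp-ca.pem"
    domain_suffix_match="radius.example.com"
}
'''

SERVER_NAME_OPTIONS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

def audit_supplicant(text):
    """Return {ssid: [findings]} for every 802.1X (WPA-EAP) network block."""
    report = {}
    for body in re.findall(r"network=\{(.*?)\n\}", text, re.S):
        net = {}
        for line in body.splitlines():
            key, sep, value = line.strip().partition("=")
            if sep and not key.startswith("#"):
                net[key] = value.strip('"')
        if "WPA-EAP" not in net.get("key_mgmt", ""):
            continue  # PSK/SAE blocks have no server certificate to check
        findings = []
        if not (net.get("ca_cert") or net.get("ca_path")):
            findings.append("server certificate is not verified (no ca_cert/ca_path)")
        if not any(net.get(k) for k in SERVER_NAME_OPTIONS):
            findings.append("server name is not checked (no domain/subject match option)")
        report[net.get("ssid", "<no ssid>")] = findings
    return report

if __name__ == "__main__":
    for ssid, findings in audit_supplicant(SAMPLE_CONF).items():
        print(ssid, "->", findings or "OK")
```

Only the third block verifies both the CA and the server certificate name, which is the client configuration the paragraph above calls for.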

Wireless Threat Mitigations

Rogue AP detection: WIPS (Wireless Intrusion Prevention System) scans for unauthorized APs broadcasting SSIDs. WLCs in enterprise deployments can detect rogue APs using neighboring APs as sensors. If a rogue AP is wired into the network, the WLC can locate and report it.

Wireless hardening: disable WPS (vulnerable to PIN brute force). Change default SSID (hides AP manufacturer). Use WPA2 Enterprise or WPA3. Enable 802.11w (Management Frame Protection — prevents deauth attacks). Separate guest SSID on isolated VLAN. Disable SSID broadcast for sensitive networks (limited effectiveness). Segment IoT devices onto a dedicated SSID/VLAN.
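The hardening list above can be applied as an automated check against an access point configuration. The following is an added example, not part of the original guide: it assumes a hostapd-based AP, the function name `audit_hostapd` and the finding codes are hypothetical, and the sample configuration is constructed.

```python
# Constructed hostapd.conf sample for illustration (the SSID is made up).
SAMPLE_HOSTAPD = """
ssid=ExampleCorp
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP
wps_state=2
ieee80211w=0
"""

def audit_hostapd(text):
    """Return (code, advice) pairs for settings the hardening list rejects.

    Only options written in the file are inspected; hostapd defaults for
    omitted cipher options are not modelled.
    """
    cfg = dict(
        (k.strip(), v.strip())
        for k, _, v in (l.partition("=") for l in text.splitlines())
        if v and not k.lstrip().startswith("#")
    )
    wpa = int(cfg.get("wpa", "0"))  # bit 0 = WPA, bit 1 = WPA2/WPA3 (RSN)
    akm = cfg.get("wpa_key_mgmt", "").split()
    ciphers = (cfg.get("wpa_pairwise", "") + " " + cfg.get("rsn_pairwise", "")).split()
    out = []
    if any(k.startswith("wep_key") for k in cfg):
        out.append(("WEP", "remove WEP keys; WEP is broken"))
    if not wpa & 2:
        out.append(("NO_RSN", "enable WPA2 or WPA3 (wpa=2)"))
    if wpa & 1 or "TKIP" in ciphers:
        out.append(("WPA_TKIP", "drop WPA/TKIP; use wpa=2 with CCMP only"))
    if wpa & 2 and not any(a.startswith("WPA-EAP") or a == "SAE" for a in akm):
        out.append(("PSK_ONLY", "use WPA2 Enterprise (WPA-EAP) or WPA3 (SAE)"))
    if cfg.get("wps_state", "0") != "0":
        out.append(("WPS", "set wps_state=0 to disable WPS"))
    if cfg.get("ieee80211w", "0") == "0":
        out.append(("NO_MFP", "enable 802.11w (ieee80211w=1 or 2)"))
    return out

if __name__ == "__main__":
    for code, advice in audit_hostapd(SAMPLE_HOSTAPD):
        print(f"{code}: {advice}")
```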

Key exam facts — Network+

  • WEP: broken, never use; WPA: deprecated; WPA2-AES: minimum acceptable; WPA3: best
  • WPA2 Personal = PSK (passphrase); WPA2 Enterprise = 802.1X + RADIUS
  • WPA3 SAE: resistant to offline dictionary attacks; provides forward secrecy
  • EAP-TLS: mutual certificate (most secure); PEAP: server cert + credential tunnel
  • Disable WPS — PIN brute force vulnerability (~4-11 hours)
  • 802.11w (Management Frame Protection) prevents deauthentication attacks
  • Enterprise 802.1X: per-user authentication — individual account management

Common exam traps

WPA2 Personal is secure for corporate networks

WPA2 Personal uses a shared passphrase, so all users share the same credential. If one employee leaves or the password is compromised, all devices are at risk and the password must be changed. Enterprise requires individual credentials.

Hiding the SSID provides strong security

Hidden SSIDs are visible in probe requests (broadcast by clients looking for their networks) and are trivially discovered by passive scanners. SSID hiding is minimal security; always combine it with strong encryption and authentication.

Practice questions — Wireless Security

These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.

Q1. A company requires that each employee authenticate with their individual Active Directory credentials to access the corporate Wi-Fi. Which wireless security configuration achieves this?

A. WPA2 Personal with a complex passphrase
B. WPA2 Enterprise with 802.1X and RADIUS authenticating against Active Directory
C. WPA3 Personal with SAE
D. WEP with 128-bit key and MAC filtering

Explanation: WPA2 Enterprise with 802.1X uses RADIUS to authenticate each user individually — the RADIUS server validates credentials against Active Directory. Each employee uses their AD username and password. WPA2 Personal uses a shared passphrase (not individual credentials). WPA3 Personal uses SAE but is still a shared key. WEP is insecure.

Frequently asked questions — Wireless Security

What is the difference between WPA3 Personal SAE and WPA2 Personal PSK?

WPA2 Personal PSK uses a 4-way handshake that can be captured and subjected to offline dictionary/brute-force attacks. An attacker who captures the handshake can repeatedly guess the password offline at high speed. WPA3 Personal SAE (Dragonfly handshake) does not allow offline attacks — each authentication attempt requires an online interaction with the AP, making brute-force impractical. WPA3 also provides forward secrecy, meaning past session traffic cannot be decrypted even if the password is later discovered.
