Back to 2.0 Network Access

2.7 WLAN Security

Securing the airwaves. Master the evolution of WPA encryption, 802.1X Enterprise authentication, and WLC graphical interface configurations.

Authentication & Access Control

Personal Mode (PSK)

Uses a Pre-Shared Key (a standard Wi-Fi password). Every device connects using the exact same password. While easy to configure for small offices, it is terrible for enterprise security. If an employee leaves, you must change the password on every device in the building.

Enterprise Mode (802.1X / EAP)

Uses an external AAA/RADIUS server (like Cisco ISE or Windows NPS). Users log in to the Wi-Fi using their individual Active Directory usernames and passwords. The WLC acts as the 'Authenticator', passing credentials securely to the server.

MAC Filtering (The Illusion of Security)

You can configure the WLC to only allow specific MAC addresses to connect. The CCNA considers this a weak security mechanism. Threat actors can sniff legitimate MAC addresses out of the air using Wireshark and spoof their own adapters to bypass the filter in seconds.

Encryption Standards & Ciphers

LEGACY / BROKEN

WEP & WPA (TKIP)

WEP uses a static key and can be cracked in minutes. WPA was a band-aid fix that used TKIP (Temporal Key Integrity Protocol). Cisco and the IEEE consider both entirely compromised. Never select TKIP on the exam.

ENTERPRISE STD

WPA2 (AES / CCMP)

The current enterprise standard everywhere. It uses the AES (Advanced Encryption Standard) cipher combined with the CCMP protocol. It requires dedicated hardware on the Access Point to process the complex encryption without lagging the network.

MODERN / FUTURE

WPA3 (SAE)

The newest standard. It replaces the vulnerable 4-way handshake of WPA2 with SAE (Simultaneous Authentication of Equals). This completely prevents hackers from capturing the handshake and running offline brute-force or dictionary attacks against the password.

WLC GUI Configuration & Gotchas

Where to Configure SSIDs

Cisco loves GUI simulation questions. To secure an SSID, you must navigate to: WLANs Tab ➔ Click the WLAN ID ➔ Security Tab ➔ Layer 2 Sub-tab. From here, you select WPA+WPA2 and check the boxes for 802.1X or PSK.

The RADIUS Server Definition

If you choose 802.1X/Enterprise, the WLC needs to know where your RADIUS server is. Configure this under the Security Tab (Main Menu) ➔ AAA ➔ RADIUS ➔ Authentication. You must input the server IP and the Shared Secret.

Pairing the Protocols

The absolute most critical thing to memorize: WPA2 maps to AES / CCMP. WPA3 maps to SAE. If a multiple-choice question tries to pair WPA2 with TKIP, immediately eliminate it as a wrong answer!