Lab sec-10 - Wireless Security WPA2 vs WPA3 (Concept Lab)

The CCNA exam covers wireless security at a concept level. WPA2 has been the dominant Wi-Fi security standard since 2004; WPA3 (announced 2018) addresses several known weaknesses and is now mandatory for new Wi-Fi 6 certification. This lab is concept-only - a comparison of the two standards. Hands-on wireless labs need a WLC, an AP, and a wireless client - out of scope for CML Free.

What you will learn

• The five Wi-Fi security generations (WEP, WPA, WPA2, WPA3, OWE)
• Why WPA2 was broken (KRACK attack) and how WPA3 fixed it
• Personal (PSK) vs Enterprise (802.1X) modes
• Forward secrecy and why it matters
• OWE (Opportunistic Wireless Encryption) for open networks

What this lab does NOT cover

• Hands-on WLC configuration (out of CML Free scope)
• Specific cryptographic primitives in depth
• Wireless attack tooling (aircrack-ng, etc.)

Wi-Fi security history

WPA2 vs WPA3 comparison

The big WPA3 improvement: SAE

WPA2-Personal's 4-way handshake can be captured passively. The attacker then runs offline brute-force against the captured handshake. If the PSK is weak, the attacker recovers it - and gets retroactive access to past traffic.

WPA3-Personal replaces the 4-way handshake with SAE (Simultaneous Authentication of Equals). SAE is a dragonfly key exchange variant that:

• Prevents offline dictionary attacks - attacker must engage the AP per attempt
• Provides forward secrecy - even if PSK is later cracked, past traffic stays encrypted
• Survives KRACK-class attacks

Personal mode keeps PSK-style usability (one password for the whole network) while fixing the cryptographic weaknesses.