The CCNA exam covers wireless security at a concept level. WPA2 has been the dominant Wi-Fi security standard since 2004; WPA3 (announced 2018) addresses several known weaknesses and is now mandatory for new Wi-Fi 6 certification. This lab is concept-only - a comparison of the two standards. Hands-on wireless labs need a WLC, an AP, and a wireless client - out of scope for CML Free.
What you will learn
- The five Wi-Fi security generations (WEP, WPA, WPA2, WPA3, OWE)
- Why WPA2 was broken (KRACK attack) and how WPA3 fixed it
- Personal (PSK) vs Enterprise (802.1X) modes
- Forward secrecy and why it matters
- OWE (Opportunistic Wireless Encryption) for open networks
What this lab does NOT cover
- Hands-on WLC configuration (out of CML Free scope)
- Specific cryptographic primitives in depth
- Wireless attack tooling (aircrack-ng, etc.)
Wi-Fi security history
WPA2 vs WPA3 comparison
The big WPA3 improvement: SAE
An attacker can passively capture WPA2-Personal's 4-way handshake and then run an offline brute-force attack against the capture. If the PSK is weak, the attacker recovers it and gains retroactive access to past traffic.
WPA3-Personal replaces the 4-way handshake with SAE (Simultaneous Authentication of Equals). SAE is a variant of the Dragonfly key exchange that:
- Prevents offline dictionary attacks - the attacker must engage the AP for each attempt
- Provides forward secrecy - even if the PSK is later cracked, past traffic stays encrypted
- Survives KRACK-class attacks
Personal mode keeps PSK-style usability (one password for the whole network) while fixing the cryptographic weaknesses.
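The forward-secrecy difference described above, as an added Python example (not part of the original lab): in WPA2-Personal the session key is a deterministic function of the passphrase and values visible in a recorded handshake, while an exchange with ephemeral secrets also needs a per-session value that never crosses the air. Assumptions: the MAC addresses and nonces are constructed samples, and the toy Diffie-Hellman group and `ephemeral_session_key` are a simplified stand-in for SAE, not the Dragonfly exchange itself.

```python
import hashlib, hmac, secrets

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    # WPA2-Personal PMK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256 bits
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def wpa2_ptk(pmk, ap_mac, sta_mac, anonce, snonce, length=48):
    # 802.11 PRF (HMAC-SHA1). Besides the PMK, every input is sent in the clear
    # during the 4-way handshake, so a recorded handshake contains all of them.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range((length + 19) // 20):
        msg = b"Pairwise key expansion\x00" + data + bytes([i])
        out += hmac.new(pmk, msg, hashlib.sha1).digest()
    return out[:length]

# Toy Diffie-Hellman group standing in for SAE's exchange (assumption: chosen
# for brevity; real SAE is the Dragonfly exchange, not plain DH).
P, G = 2**255 - 19, 2

def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1   # ephemeral secret, never transmitted
    return priv, pow(G, priv, P)

def ephemeral_session_key(pmk, own_priv, peer_pub):
    # Session key depends on a per-session secret that is discarded afterwards
    shared = pow(peer_pub, own_priv, P)
    return hashlib.sha256(pmk + shared.to_bytes(32, "big")).digest()

def demo():
    pmk = wpa2_pmk("password", "IEEE")    # IEEE 802.11 test-vector inputs
    capture = {                            # constructed sample values
        "ap_mac": bytes.fromhex("020000000001"),
        "sta_mac": bytes.fromhex("020000000002"),
        "anonce": secrets.token_bytes(32),
        "snonce": secrets.token_bytes(32),
    }
    live_ptk = wpa2_ptk(pmk, **capture)
    # Later the passphrase becomes known: the old recording alone is enough.
    replayed_ptk = wpa2_ptk(wpa2_pmk("password", "IEEE"), **capture)
    c_priv, c_pub = dh_keypair()
    a_priv, a_pub = dh_keypair()
    return {
        "pmk": pmk.hex(),
        "wpa2_recomputable": live_ptk == replayed_ptk,
        "dh_agree": ephemeral_session_key(pmk, c_priv, a_pub)
                    == ephemeral_session_key(pmk, a_priv, c_pub),
    }
```

The practical takeaway for WPA2-Personal deployments is that rotating a leaked passphrase protects future sessions only; anything recorded under the old passphrase remains decryptable.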