CCNA Module 3

WPA requires TKIP, WPA2 requires AES and CCMP, WPA3 in 128-bit mode requires AES and CCMP, but WPA3 in 192-bit mode requires AES-GCMP.

The Wi-Fi Alliance defines all versions of the Wi-Fi Protected Access (WPA) security suite. The IEEE is not a correct answer because it defines and maintains many networking standards, including 802.11 and 802.1x, which are used in wireless networking. The FCC is not a correct answer because it is the governing body in the United States that regulates RF frequencies, channels, and transmission power. Cisco is not a correct answer because it designs and manufactures wireless networking products that must adhere to the WPA standards, but not define them.

Encryption is the only way to protect message privacy so that it can be unencrypted and understood by only the intended recipient. Authentication protects network access but does not protect privacy. The MIC function protects data integrity so that it cannot be altered without detection, but it does not affect data privacy. DPP does not affect data privacy because it is a fictitious mechanism.

WPA2-Enterprise mode uses 802.1x to control access until an EAP method successfully authenticates wireless users and devices. AES is used in WPA2-Enterprise, along with CCMP, but that is not unique to the WPA2 version. WPA and WPA3 also use AES, though with differing encryption protocols of CCMP and GCMP, respectively.

The enterprise mode of any WPA version will utilize external authentication through the EAP framework. Therefore, WPA2-Enterprise and WPA3-Enterprise are correct answers. Personal mode does not use EAP.

WPA, WPA2, and WPA3 Page number:1190

WPA2-Personal mode uses a pre-shared key to authenticate wireless devices. Therefore, the pre-shared keys must be configured on every wireless device. If the key ever needs to be changed, network administrators must touch every device to enter a new key. As well, the 4-way handshake can be captured, allowing malicious users to launch an offline dictionary attack to recover the actual pre-shared key. WPA2-Personal does not involve the use of authentication servers or digital certificates.

WPA, WPA2, and WPA3 Page number:1190

The Wi-Fi alliance defines three versions of Wi-Fi Protected Access (WPA):

- WPA: First generation of WPA certification; based on TKIP
- WPA2: Second generation based on CCMP
- WPA3: Third generation based on GCMP

Each version is meant to replace the previous version because of better security mechanisms. The Wi-Fi Alliance defined WPA before the IEEE created their 802.11i security standard. After the IEEE ratified 802.11i, the Wi-Fi Alliance defined WPA2, to replace WPA, matching the details in the 802.11i standard.  

WPA, WPA2, and WPA3 Page number:1190

The figure shows the use of EAP between the laptop (the supplicant) and the WLC (the authenticator). Those flows indicate the use of the 802.1x/EAP authentication method.

1- The device authenticates with the AP, and the actual client authentication process is done with an external authentication server through the WLC.
2- The WLC controls the user access with 802.1x and communicates with the authentication server .

The incorrect answers do not happen to use the processes shown in the figure. For instance, open authentication does not authenticate the client. In the past, WEP provided encryption and authentication, but was deprecated long ago. CCMP works as a useful current encryption method, but it does not use the protocols shown in the figure.

Wireless Client Authentication Methods Page number:1185

The most robust wireless security methods use CCMP and GCMP, which are both based on the AES algorithm. WEP does encrypt but is not robust and has been deprecated. DES is also a legacy encryption method usually used in IPsec virtual private networks (VPNs), but has been deprecated. IPsec can involve encryption algorithms but is not one itself. Instead, IPsec is a framework for VPNs.

Wireless Privacy and Integrity Methods Page number:1189

WPA3 is the only version to date that uses AES with GCMP for the strongest encryption. WPA, also known as WPA1, can use TKIP. WPA2 uses AES with CCMP.