Overview

Home & Travel Security is the personal guide. This page is for the people who run wireless for an organization: the network and security teams who have to make a corporate WLAN stand up to the attacks catalogued throughout this manual. The attack chapters tell you how each technique works; this page is the other side of the table, the controls that take the most common wins off the board. Everything here tracks the published guidance of NIST, the NSA, CISA, the Wi-Fi Alliance, and the PCI Security Standards Council, cited at the end.

The order below is deliberate. The first three controls (real enterprise authentication, killing the weak protocols, and protected management frames) stop the attacks you will actually see on an engagement. The rest hardens what remains.

Use real enterprise authentication, and validate the server certificate

A shared passphrase does not belong on a corporate network. A WPA2/WPA3-Personal PSK is one captured handshake away from an offline crack (see WPA2-Personal), it cannot be revoked per user, and it walks out the door with every employee who leaves. Move to 802.1X (WPA2-Enterprise or, where the fleet supports it, WPA3-Enterprise), which authenticates every user or device individually against a RADIUS server backed by your identity store.

Prefer EAP-TLS, where each client presents its own certificate and no password ever crosses the air. It is the strongest option and it is immune to the credential-phishing attack below. If you must use a password-based method (PEAP or EAP-TTLS), one configuration detail decides whether the whole scheme is sound or worthless:

The client must validate the RADIUS server's certificate. This is the single most-missed control in enterprise Wi-Fi. If clients are not configured to verify the authentication server's certificate (the issuing CA and the expected server name), an attacker stands up an evil-twin AP with their own RADIUS server, your devices connect to it, and they hand over the inner credentials. With PEAP-MSCHAPv2 those captured credentials are then cracked offline. Validation is what stops it: a rogue server cannot present a certificate your clients trust.

[Figure: 802.1X components. CLIENT (supplicant) -- EAP over 802.11 --> ACCESS POINT (authenticator) -- RADIUS --> RADIUS SERVER (authentication server) --> IDENTITY STORE (directory + CA). Callouts: the client validates the server certificate, checking the issuing CA and the expected server name, so a rogue RADIUS cannot present a cert the client trusts; with validation off, an evil-twin RADIUS harvests the inner identity and PEAP-MSCHAPv2 is then cracked offline; EAP-TLS (per-client certificates, no password) removes the credential entirely.]
802.1X moves authentication off a shared key and onto a RADIUS server. The control that makes it safe is on the client: it must verify the server's certificate, or an evil-twin RADIUS simply collects the credentials. EAP-TLS avoids passwords altogether.

Lock the server-certificate settings down through device management (MDM/group policy) rather than trusting users to configure them, since a single "connect anyway" tap defeats the control. Issue client and server certificates from a private CA you control, and pin the exact server name. For the highest-assurance environments, WPA3-Enterprise 192-bit mode mandates a consistent suite of strong algorithms end to end.
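The "validation off" mistake is easy to find mechanically, because on Linux it shows up as two missing keys in a supplicant network block. The script below is an added example, not part of this page or of any vendor's tooling: it parses wpa_supplicant-style `network={...}` blocks from a constructed config (the three blocks, paths, SSID and identities are made up) and flags any EAP profile that lacks `ca_cert` (any server certificate accepted) or a server-name pin (`domain_match`, `domain_suffix_match` or `subject_match` are real wpa_supplicant options), plus any block that falls back to a shared passphrase. The same three settings are what an MDM profile should lock on Windows and macOS; those profile formats are not shown here.

```python
"""Audit supplicant network blocks for the server-certificate settings that
decide whether a password-based EAP method is safe. Added example; the
config below is constructed, not taken from any real deployment."""
from __future__ import annotations

import re

# Constructed wpa_supplicant-style config. Block 0 is the classic mistake:
# PEAP/MSCHAPv2 with no CA and no server-name pin, so any RADIUS that offers
# a certificate is accepted. Block 1 is the same SSID done right. Block 2 is
# EAP-TLS with a per-client certificate.
SAMPLE_CONF = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@corp.example"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    client_cert="/etc/ssl/certs/alice.pem"
    private_key="/etc/ssl/private/alice.key"
    domain_match="radius.corp.example"
}
"""

# EAP methods that carry a password inside the TLS tunnel.
PASSWORD_EAP = {"PEAP", "TTLS"}
# wpa_supplicant options that pin the expected RADIUS server name.
NAME_PIN_KEYS = ("domain_match", "domain_suffix_match", "subject_match")


def parse_networks(conf: str) -> list[dict[str, str]]:
    """Split a wpa_supplicant-style config into one dict per network block."""
    networks = []
    for body in re.findall(r"network=\{(.*?)\}", conf, flags=re.DOTALL):
        block: dict[str, str] = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            block[key.strip()] = value.strip().strip('"')
        networks.append(block)
    return networks


def audit_network(net: dict[str, str]) -> list[str]:
    """Return findings for one block; an empty list means it passes."""
    findings: list[str] = []
    key_mgmt = net.get("key_mgmt", "")
    if "PSK" in key_mgmt or "SAE" in key_mgmt:
        # A shared passphrase on a corporate SSID is a finding on its own;
        # the certificate checks below only apply to EAP.
        return ["shared passphrase (PSK/SAE) instead of 802.1X"]
    if not net.get("ca_cert"):
        findings.append("no ca_cert: any server certificate is accepted")
    if not any(net.get(k) for k in NAME_PIN_KEYS):
        findings.append("no domain_match/domain_suffix_match: "
                        "any certificate from the trusted CA is accepted")
    eap = net.get("eap", "").upper()
    if eap in PASSWORD_EAP and findings:
        findings.append(f"{eap} inner credential would be handed to an evil-twin RADIUS")
    return findings


def audit(conf: str) -> list[list[str]]:
    """Audit every block in a config; list index matches block order."""
    return [audit_network(n) for n in parse_networks(conf)]


if __name__ == "__main__":
    for i, findings in enumerate(audit(SAMPLE_CONF)):
        print(f"network {i}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

Run against block 0 the audit reports three findings (no CA, no name pin, and the consequence for PEAP); blocks 1 and 2 pass. Note that `ca_cert` alone is not enough: without a name pin, any certificate issued by the trusted CA, including one a public CA hands to an attacker for a domain they own, satisfies the client.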

Disable the weak protocols outright

Every legacy option left enabled is an attack path a defender chose not to close:

  • WEP and WPA/TKIP: disable completely. WEP is broken in minutes (see WEP) and TKIP is deprecated; run CCMP/AES only. Leaving TKIP on can also cap the network at legacy data rates.
  • WPS: turn it off on every access point. The PIN is brute-forceable regardless of passphrase strength (see WPS), and it has no place on a managed network.
  • WPA2/WPA3 transition (mixed) mode: understand that it preserves the weaker path for downlevel clients. Where the fleet allows, move to WPA3-only; see WPA3-Transition for the trade-off.

Inventory what your APs actually advertise rather than what you think they do. A single forgotten controller template re-enabling TKIP or WPS undoes the policy everywhere it deploys.

Turn on Protected Management Frames

Protected Management Frames (PMF, IEEE 802.11w) authenticate the management frames that 802.11 historically sent in the clear. Without it, an attacker forges deauthentication and disassociation frames to knock clients off at will, which is both a denial-of-service primitive and the lever that forces the reconnect needed to capture a WPA2 handshake. PMF is mandatory in WPA3 and optional in WPA2; enable it (required where every client supports it, optional/transitional otherwise) so deauth floods stop working. It does not fix every availability attack (an attacker can still jam the spectrum), but it closes the cheap, targeted ones.
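Both the "inventory what your APs actually advertise" point and the PMF setting can be checked from the air, because the answers are in the beacon's RSN information element (cipher suites, AKM suites, and the MFPC/MFPR capability bits) and in the WPS vendor IE. The decoder below is an added example, not code from this page or any WIPS product; the three beacons it audits are constructed byte strings, not captures, and the policy it applies (no TKIP/WEP, no PSK AKM, PMF required, no WPS) is the one this section states. The suite-type numbers and capability bits are the IEEE 802.11 values (OUI 00-0F-AC; MFPR is bit 6 and MFPC bit 7 of RSN Capabilities).

```python
"""Decode what an access point actually advertises: the RSN information
element (ciphers, AKMs, PMF bits) and the WPS vendor IE. Added example;
the beacons below are constructed, not captured."""
from __future__ import annotations

import struct

SSID_IE_ID, RSN_IE_ID, VENDOR_IE_ID = 0, 48, 221
RSN_OUI = b"\x00\x0f\xac"
WPS_OUI_TYPE = b"\x00\x50\xf2\x04"    # Microsoft OUI + type 4 = WPS
WPA1_OUI_TYPE = b"\x00\x50\xf2\x01"   # Microsoft OUI + type 1 = WPA (v1) IE
MFPR, MFPC = 0x0040, 0x0080           # RSN Capabilities bits 6 and 7

# Suite selectors under OUI 00-0F-AC.
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
           8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
        5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE",
        12: "802.1X-SuiteB-192", 18: "OWE"}
WEAK_CIPHERS = {"WEP-40", "WEP-104", "TKIP"}
PSK_AKMS = {"PSK", "FT-PSK", "PSK-SHA256"}


def ie(eid: int, payload: bytes) -> bytes:
    """Encode one information element as ID, length, payload."""
    return bytes([eid, len(payload)]) + payload


def rsn(group: int, pairwise: list[int], akms: list[int], caps: int) -> bytes:
    """Build an RSN IE payload (version 1) from suite-type numbers and capability bits."""
    body = struct.pack("<H", 1) + RSN_OUI + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(RSN_OUI + bytes([c]) for c in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(RSN_OUI + bytes([a]) for a in akms)
    return body + struct.pack("<H", caps)


# Constructed beacons (tagged parameters only, i.e. the bytes after the
# 12-byte fixed fields of a beacon body).
LEGACY_AP = (ie(SSID_IE_ID, b"corp-legacy")
             + ie(RSN_IE_ID, rsn(2, [2, 4], [2], 0))                          # TKIP+CCMP, PSK, no PMF
             + ie(VENDOR_IE_ID, WPS_OUI_TYPE + b"\x10\x4a\x00\x01\x10"))      # WPS, Version attribute
CORP_AP = (ie(SSID_IE_ID, b"corp-wifi")
           + ie(RSN_IE_ID, rsn(4, [4], [1], MFPC | MFPR)))                    # CCMP, 802.1X, PMF required
GUEST_AP = (ie(SSID_IE_ID, b"corp-guest")
            + ie(RSN_IE_ID, rsn(4, [4], [18], MFPC | MFPR)))                  # CCMP, OWE, PMF required


def iter_ies(tagged: bytes):
    """Yield (element_id, payload) for each IE in a tagged-parameter blob."""
    i = 0
    while i + 2 <= len(tagged):
        eid, length = tagged[i], tagged[i + 1]
        yield eid, tagged[i + 2:i + 2 + length]
        i += 2 + length


def suite_name(sel: bytes, table: dict[int, str]) -> str:
    if sel[:3] != RSN_OUI:
        return "vendor-" + sel.hex()
    return table.get(sel[3], f"unknown-{sel[3]}")


def parse_rsn(payload: bytes) -> dict:
    """Decode version, group/pairwise ciphers, AKMs and the PMF capability bits."""
    version, = struct.unpack_from("<H", payload, 0)
    group = suite_name(payload[2:6], CIPHERS)
    count, = struct.unpack_from("<H", payload, 6)
    off = 8
    pairwise = [suite_name(payload[off + 4 * k:off + 4 * k + 4], CIPHERS) for k in range(count)]
    off += 4 * count
    count, = struct.unpack_from("<H", payload, off)
    off += 2
    akms = [suite_name(payload[off + 4 * k:off + 4 * k + 4], AKMS) for k in range(count)]
    off += 4 * count
    # RSN Capabilities is optional; when absent the AP offers no PMF at all.
    caps = struct.unpack_from("<H", payload, off)[0] if off + 2 <= len(payload) else 0
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akms,
            "mfpc": bool(caps & MFPC), "mfpr": bool(caps & MFPR)}


def audit_beacon(tagged: bytes) -> dict:
    """Compare what the AP advertises with the policy on this page."""
    ssid, rsn_info, wps, wpa1 = "", None, False, False
    for eid, payload in iter_ies(tagged):
        if eid == SSID_IE_ID:
            ssid = payload.decode("utf-8", "replace")
        elif eid == RSN_IE_ID:
            rsn_info = parse_rsn(payload)
        elif eid == VENDOR_IE_ID and payload[:4] == WPS_OUI_TYPE:
            wps = True
        elif eid == VENDOR_IE_ID and payload[:4] == WPA1_OUI_TYPE:
            wpa1 = True
    findings = []
    if rsn_info is None:
        findings.append("no RSN IE: open, WEP or WPA1-only network")
    else:
        if (set(rsn_info["pairwise"]) | {rsn_info["group"]}) & WEAK_CIPHERS:
            findings.append("TKIP/WEP cipher advertised")
        if set(rsn_info["akm"]) & PSK_AKMS:
            findings.append("PSK authentication on the SSID")
        if not rsn_info["mfpc"]:
            findings.append("PMF not supported (802.11w off)")
        elif not rsn_info["mfpr"]:
            findings.append("PMF optional, not required")
    if wps:
        findings.append("WPS enabled")
    if wpa1:
        findings.append("WPA (v1) IE present")
    return {"ssid": ssid, "rsn": rsn_info, "findings": findings}


if __name__ == "__main__":
    for beacon in (LEGACY_AP, CORP_AP, GUEST_AP):
        r = audit_beacon(beacon)
        print(r["ssid"], r["rsn"] and r["rsn"]["akm"], r["findings"] or "OK")
```

Feed it the tagged parameters of real beacons (from a pcap, or the IE bytes a scan tool prints) and it tells you, per SSID, whether a controller template has quietly re-enabled TKIP, WPS or PSK, and whether PMF is required, merely capable, or absent. The OWE guest beacon passes because OWE is only defined with PMF, which is why an OWE guest network also resists the deauth trick.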

Give guests encrypted, isolated access

Do not run an open guest SSID. Use OWE (Enhanced Open) so guest traffic is encrypted over the air even without a password (see OWE), and isolate the guest network completely: its own VLAN, client isolation on, internet-only, no route to anything internal. A guest or contractor device is untrusted by definition, and OWE plus isolation means a compromised one cannot see another guest's traffic or reach the corporate side.

Segment by trust, not by convenience

Wireless is just an access layer onto your network; the blast radius of any wireless compromise is decided by what that access layer can reach. Separate VLANs per trust tier, enforce the boundaries at a firewall, and use client isolation so devices on the same untrusted segment cannot talk to each other. Network Access Control (NAC) can posture-check devices before admitting them.

[Figure: segmentation by trust tier. A FIREWALL / CORE enforces policy between every segment: CORPORATE (802.1X EAP-TLS, staff devices, posture-checked, reaches internal resources); GUEST (OWE, client isolation, internet only, no route to internal); IoT (cameras, sensors, badges: least-patched, least-trusted, tightly scoped egress); OT / SCADA (control systems, no internet, isolated, monitored). A WIPS SENSOR watches the air across all segments for rogue APs, evil twins and deauth floods.]
Wireless is an access layer. Splitting it into trust tiers behind a firewall means a compromise on any one segment, a hacked camera, a phished guest, stays boxed in. A wireless intrusion sensor watches the spectrum itself, which no wired control can see.

Monitor the spectrum, but do not transmit countermeasures

Your wired controls cannot see the air. A Wireless Intrusion Detection/Prevention System (WIDS/WIPS) uses sensors to spot rogue access points plugged into your network, evil twins broadcasting your SSID, and deauthentication floods in progress. Rogue-AP detection in particular is a hard requirement under PCI DSS, which expects organizations to identify unauthorized wireless on a defined schedule.
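Two of the three detections above (evil twin and deauth flood) reduce to simple logic over the management frames a sensor sees. The following is an added example of that detect-only logic, not code from this page or any WIPS vendor: it runs over a constructed frame log (timestamps, BSSIDs and SSIDs are made up) against a constructed AP inventory, raises an evil-twin alert when one of our SSIDs is beaconed by a BSSID we do not own, and raises a flood alert when deauthentication frames attributed to one BSSID exceed a threshold inside a sliding window. Locating the device from per-sensor signal strength, and correlating a suspect BSSID with a switch's MAC table to prove it is plugged into the wire, are the sensor platform's job and are not modelled here.

```python
"""Detect-only wireless IDS logic over a constructed frame log: evil twins
(our SSID from a BSSID we do not own) and deauthentication floods.
Added example, not part of the page; frames and inventory are made up."""
from __future__ import annotations

from collections import defaultdict, deque

# Constructed AP inventory: BSSID -> SSID it is authorised to broadcast.
KNOWN_APS = {
    "02:00:00:00:01:01": "corp-wifi",
    "02:00:00:00:01:02": "corp-wifi",
    "02:00:00:00:02:01": "corp-guest",
}

DEAUTH_THRESHOLD = 20   # deauth frames per BSSID ...
DEAUTH_WINDOW = 2.0     # ... within this many seconds = flood

# Constructed frame log: (time_s, subtype, transmitter/BSSID, ssid).
FRAMES = [
    (0.00, "beacon", "02:00:00:00:01:01", "corp-wifi"),
    (0.10, "beacon", "02:00:00:00:02:01", "corp-guest"),
    (0.20, "beacon", "06:11:22:33:44:55", "cafe-free"),     # neighbour, not our SSID
    (0.30, "beacon", "02:00:00:00:ff:ff", "corp-wifi"),     # evil twin of our SSID
    (0.40, "deauth", "02:00:00:00:01:02", ""),              # a lone deauth is normal
] + [(1.0 + 0.05 * i, "deauth", "02:00:00:00:01:01", "") for i in range(30)]  # 30 in 1.5 s


def detect(frames, known_aps=KNOWN_APS, threshold=DEAUTH_THRESHOLD, window=DEAUTH_WINDOW):
    """Return a list of alert dicts in detection order. Nothing here transmits."""
    our_ssids = set(known_aps.values())
    alerts = []
    twins_seen: set[str] = set()
    recent: dict[str, deque] = defaultdict(deque)   # bssid -> recent deauth timestamps
    in_flood: set[str] = set()                      # suppress repeat alerts per flood
    for t, subtype, bssid, ssid in frames:
        if subtype in ("beacon", "probe_resp"):
            if ssid in our_ssids and bssid not in known_aps and bssid not in twins_seen:
                twins_seen.add(bssid)
                alerts.append({"t": t, "type": "evil_twin", "bssid": bssid, "ssid": ssid})
        elif subtype == "deauth":
            q = recent[bssid]
            q.append(t)
            while q and t - q[0] > window:      # drop timestamps outside the window
                q.popleft()
            if len(q) >= threshold and bssid not in in_flood:
                in_flood.add(bssid)
                alerts.append({"t": t, "type": "deauth_flood", "bssid": bssid,
                               "count": len(q),
                               # With PMF on, a real AP never sends these unprotected,
                               # so a flood "from" a known BSSID is almost certainly spoofed.
                               "spoofed_known_ap": bssid in known_aps})
            elif len(q) < threshold:
                in_flood.discard(bssid)
    return alerts


if __name__ == "__main__":
    for a in detect(FRAMES):
        print(a)
```

On the constructed log this yields exactly two alerts: the evil twin at 0.3 s and a deauth flood attributed to a known corporate BSSID when the 20th frame lands inside the window. What happens next is the part this section insists on: a person goes and finds the radio; the sensor does not answer it with deauth frames of its own.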

There is a legal line here that defenders cross more often than they realize. Do not configure automated "containment" that transmits deauthentication frames to knock out APs you do not own. In the United States the FCC treats this as unlawful interference and has issued substantial fines (the Marriott case is the well-known example) against operators who blocked guests' personal hotspots. Detect, locate, and physically remediate rogue devices; never answer a rogue radio by jamming it.

Patch, retire, and tune

  • Keep firmware current on both access points and clients. The headline wireless vulnerabilities, KRACK (the WPA2 four-way-handshake key reinstallation flaws), FragAttacks (frame aggregation and fragmentation), Dragonblood (WPA3 SAE), and kr00k, are all fixed in patches. An unpatched fleet re-opens attacks the protocol design already closed.
  • Retire end-of-life equipment. An access point the vendor no longer updates is a standing liability no configuration can fix.
  • Tune power and placement. Do not broadcast the corporate SSID across the parking lot. Right-sizing transmit power and channel plans both improves performance and shrinks how far an attacker can work from; see RF, Density & Tuning.

Standards and compliance

You do not have to invent this program. The recognized references map closely to the controls above:

  • NIST SP 800-97, Establishing Wireless Robust Security Networks, is the foundational guide to 802.11i/RSN deployment.
  • NIST SP 800-153, Guidelines for Securing Wireless Local Area Networks, covers WLAN security configuration and monitoring.
  • PCI DSS requires strong wireless encryption and periodic detection of unauthorized (rogue) wireless for any environment touching cardholder data.
  • The NSA and CISA publish current wireless and network hardening guidance that consolidates the same practices.

When something gets through

Have a wireless incident-response path ready before you need it. If a rogue AP or evil twin is detected: locate it using sensor signal strength, physically remove or disconnect it, and preserve what you can for analysis. If a password-based EAP method may have leaked credentials (the validation-off scenario above), force a credential reset for affected users and treat it as an account-compromise event, not just a Wi-Fi one. Then close the gap that allowed it, which is almost always one of the first three controls on this page.

Sources

(c) 2026 VTEM Labs, Inc. All rights reserved. | vtemlabs.com