# SEC-3: Wireless Security and Authentication Methods

Status: not started

Domain:
- 2.0 Security

Objective alignment:
- 2.3 Wireless security

## What You Need To Know

Wireless security questions usually ask which encryption/authentication method is safest or most appropriate.

Core ideas:
- WEP is obsolete and should not be used.
- WPA was a temporary improvement over WEP.
- WPA2 with AES is still common and acceptable.
- WPA3 is newer and stronger.
- Personal/PSK uses one shared password.
- Enterprise/802.1X authenticates users individually, usually with RADIUS.

## Memory Trick

Use **3 beats 2, AES beats TKIP, Enterprise beats shared password**.

Order to remember:
- **WEP = Weak**
- **WPA = temporary**
- **WPA2-AES = solid**
- **WPA3 = strongest common choice**

Mode shortcut:
- **Personal = shared pre-shared key**
- **Enterprise = individual user authentication**

## Wireless Encryption

WEP:
- Wired Equivalent Privacy.
- Broken/obsolete.
- Do not choose it unless the question asks what should be replaced.

WPA:
- Wi-Fi Protected Access.
- Temporary replacement for WEP.
- Uses TKIP.

TKIP:
- Older encryption method used with WPA.
- Avoid when better options exist.

WPA2:
- Stronger replacement for WPA.
- Uses AES.

AES:
- Advanced Encryption Standard.
- Stronger than TKIP.

WPA3:
- Newer than WPA2.
- Improves encryption and key exchange.
- Best default answer when supported.

## Wireless Modes

Open:
- No password.
- Avoid for private/business networks.

WPA2/WPA3-Personal:
- Uses a pre-shared key.
- Good for home/SOHO networks.
- Everyone uses the same Wi-Fi password.

WPA2/WPA3-Enterprise:
- Uses 802.1X.
- Authenticates users individually.
- Usually uses RADIUS.
- Best for business networks when supported.

## Authentication Methods

RADIUS:
- Remote Authentication Dial-in User Service.
- Centralized AAA service.
- Common for VPN, wireless 802.1X, network devices, and server authentication.

TACACS+:
- Authentication protocol common with Cisco/network device administration.
- Exam clue: network device admin authentication, especially Cisco.

Kerberos:
- Ticket-based network authentication.
- Common in Microsoft/Active Directory environments.
- Supports SSO-style access in Windows domains.

MFA:
- Multi-factor authentication.
- Uses more than one factor type:
  - Something you know
  - Something you have
  - Something you are
  - Somewhere you are
  - Something you do

## Scenario Shortcuts

Home Wi-Fi:
- WPA3-Personal if supported.
- WPA2-AES if WPA3 is not available.

Business Wi-Fi:
- WPA3-Enterprise or WPA2-Enterprise with 802.1X/RADIUS.

Legacy weak network:
- Replace WEP/WPA/TKIP.

VPN authentication server:
- RADIUS is a common answer.

Cisco/network device admin authentication:
- TACACS+ is a common answer.

Microsoft domain authentication:
- Kerberos is a common answer.

## Commands To Enter

Windows:

```powershell
netsh wlan show interfaces
```

What it does:
- Shows current Wi-Fi interface, SSID, authentication, and cipher details.
- Works only if Wi-Fi is present and connected.

```powershell
netsh wlan show profiles
```

What it does:
- Lists saved Wi-Fi profiles.

```powershell
ipconfig /all
```

What it does:
- Shows network adapter details, including DHCP and DNS information.

```powershell
ncpa.cpl
```

What it does:
- Opens Network Connections.

Linux:

```bash
nmcli device status
```

What it does:
- Shows network devices and connection state when NetworkManager is installed.

```bash
nmcli connection show
```

What it does:
- Shows configured network connections when NetworkManager is installed.

```bash
iw dev
```

What it does:
- Shows wireless interface information if wireless tools are installed.

```bash
ip addr
```

What it does:
- Shows network interfaces and IP addresses.

macOS, if available:

```bash
networksetup -listallhardwareports
```

What it does:
- Lists network hardware ports, including Wi-Fi.

```bash
airport -I
```

What it does:
- Shows current Wi-Fi details on many macOS systems.
- On some macOS versions, the `airport` command path may require lookup or may be deprecated.

## Mini Lab

Goal:
- Identify current wireless mode/security without changing router settings.

Windows:
1. Connect to a known Wi-Fi network.
2. Run `netsh wlan show interfaces`.
3. Run `netsh wlan show profiles`.
4. Run `ipconfig /all`.
5. Record:
   - SSID:
   - Authentication:
   - Cipher:
   - DHCP enabled:
   - DNS server:

Linux:
1. Run `nmcli device status`.
2. Run `nmcli connection show`.
3. Run `ip addr`.
4. Optional: run `iw dev`.
5. Record:
   - Wireless interface name:
   - Active connection:
   - IP address:

Router review, if you own/admin the network:
1. Look at Wi-Fi security mode.
2. Confirm WEP/TKIP are not used.
3. Prefer WPA3 or WPA2-AES.
4. Do not change settings unless you understand the impact.

## Quick Check Before Quiz

You are ready for the SEC-3 quiz when you can answer these without looking:
- Which wireless security should be avoided?
- Which is stronger: TKIP or AES?
- Which mode uses one shared password?
- Which mode uses 802.1X/RADIUS?
- Which authentication protocol is common in Microsoft domains?
- Which authentication protocol is common for VPN/wireless AAA?
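
## Added Example: Grading `netsh` Output

The Mini Lab's "Record" step for Windows, automated as an added example (not part of the original notes): a Python parser for `netsh wlan show interfaces` output that grades each interface against the WEP / WPA-TKIP / WPA2-AES / WPA3 ordering in these notes. It assumes English-language netsh field names and that netsh reports AES as `CCMP` or `GCMP`; the sample output is constructed and abbreviated, and the verdict strings are illustrative.

```python
# Constructed, abbreviated sample of `netsh wlan show interfaces` output.
SAMPLE = """\
There are 2 interfaces on the system:
    Name                   : Wi-Fi
    SSID                   : HomeNet
    BSSID                  : 02:00:00:00:00:01
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
    Name                   : Wi-Fi 2
    SSID                   : OldPrinterNet
    Authentication         : Open
    Cipher                 : WEP
"""

def parse_interfaces(text):
    """Return one dict per interface; a 'Name' field starts a new interface."""
    interfaces = []
    for line in text.splitlines():
        # Split on the first " : " only, so MAC addresses in values stay intact.
        key, sep, value = line.partition(" : ")
        if not sep:
            continue  # banner and blank lines carry no field
        key, value = key.strip(), value.strip()
        if key == "Name":
            interfaces.append({})
        if interfaces:
            interfaces[-1][key] = value
    return interfaces

def assess(iface):
    """Map the Authentication/Cipher fields to the guidance in these notes."""
    auth = iface.get("Authentication", "").upper()
    cipher = iface.get("Cipher", "").upper()
    if cipher == "WEP" or "WEP" in auth:  # WEP can show Authentication "Open"
        return "replace: WEP"
    if cipher == "TKIP" or auth.startswith("WPA-"):
        return "replace: WPA/TKIP"
    if auth == "OPEN":
        return "avoid: open network"
    mode = "Enterprise (802.1X)" if "ENTERPRISE" in auth else "Personal (PSK)"
    if auth.startswith("WPA3"):
        return "best: WPA3-" + mode
    # netsh names the AES-based ciphers CCMP or GCMP rather than "AES".
    if auth.startswith("WPA2") and cipher in ("CCMP", "GCMP"):
        return "acceptable: WPA2-AES " + mode
    return "unknown: review manually"

if __name__ == "__main__":
    for iface in parse_interfaces(SAMPLE):
        print(iface.get("SSID"), "->", assess(iface))
```

To grade a real machine, save the command's output to a text file and pass its contents to `parse_interfaces` in place of `SAMPLE`.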