kenpat/comptia-a-plus-core2
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
comptia-a-plus-core2/notes/SEC-3-wireless-security.md

5.1 KiB
Raw Blame History

SEC-3: Wireless Security and Authentication Methods

Status: not started

Domain:

  • 2.0 Security

Objective alignment:

  • 2.3 Wireless security

What You Need To Know

Wireless security questions usually ask which encryption/authentication method is safest or most appropriate.

Core ideas:

  • WEP is obsolete and should not be used.
  • WPA was a temporary improvement over WEP.
  • WPA2 with AES is still common and acceptable.
  • WPA3 is newer and stronger.
  • Personal/PSK uses one shared password.
  • Enterprise/802.1X authenticates users individually, usually with RADIUS.

Memory Trick

Use 3 beats 2, AES beats TKIP, Enterprise beats shared password.

Order to remember:

  • WEP = Weak
  • WPA = temporary
  • WPA2-AES = solid
  • WPA3 = strongest common choice

Mode shortcut:

  • Personal = shared pre-shared key
  • Enterprise = individual user authentication

Wireless Encryption

WEP:

  • Wired Equivalent Privacy.
  • Broken/obsolete.
  • Do not choose it unless the question asks what should be replaced.

WPA:

  • Wi-Fi Protected Access.
  • Temporary replacement for WEP.
  • Uses TKIP.

TKIP:

  • Older encryption method used with WPA.
  • Avoid when better options exist.

WPA2:

  • Stronger replacement for WPA.
  • Uses AES.

AES:

  • Advanced Encryption Standard.
  • Stronger than TKIP.

WPA3:

  • Newer than WPA2.
  • Improves encryption and key exchange.
  • Best default answer when supported.

Wireless Modes

Open:

  • No password.
  • Avoid for private/business networks.

WPA2/WPA3-Personal:

  • Uses a pre-shared key.
  • Good for home/SOHO networks.
  • Everyone uses the same Wi-Fi password.

WPA2/WPA3-Enterprise:

  • Uses 802.1X.
  • Authenticates users individually.
  • Usually uses RADIUS.
  • Best for business networks when supported.

Authentication Methods

RADIUS:

  • Remote Authentication Dial-in User Service.
  • Centralized AAA service.
  • Common for VPN, wireless 802.1X, network devices, and server authentication.

TACACS+:

  • Authentication protocol common with Cisco/network device administration.
  • Exam clue: network device admin authentication, especially Cisco.

Kerberos:

  • Ticket-based network authentication.
  • Common in Microsoft/Active Directory environments.
  • Supports SSO-style access in Windows domains.

MFA:

  • Multi-factor authentication.
  • Uses more than one factor type:
    • Something you know
    • Something you have
    • Something you are
    • Somewhere you are
    • Something you do

Scenario Shortcuts

Home Wi-Fi:

  • WPA3-Personal if supported.
  • WPA2-AES if WPA3 is not available.

Business Wi-Fi:

  • WPA3-Enterprise or WPA2-Enterprise with 802.1X/RADIUS.

Legacy weak network:

  • Replace WEP/WPA/TKIP.

VPN authentication server:

  • RADIUS is a common answer.

Cisco/network device admin authentication:

  • TACACS+ is a common answer.

Microsoft domain authentication:

  • Kerberos is a common answer.

Commands To Enter

Windows:

netsh wlan show interfaces

What it does:

  • Shows current Wi-Fi interface, SSID, authentication, and cipher details.
  • Works only if Wi-Fi is present and connected.
netsh wlan show profiles

What it does:

  • Lists saved Wi-Fi profiles.
ipconfig /all

What it does:

  • Shows network adapter details, including DHCP and DNS information.
ncpa.cpl

What it does:

  • Opens Network Connections.

Linux:

nmcli device status

What it does:

  • Shows network devices and connection state when NetworkManager is installed.
nmcli connection show

What it does:

  • Shows configured network connections when NetworkManager is installed.
iw dev

What it does:

  • Shows wireless interface information if wireless tools are installed.
ip addr

What it does:

  • Shows network interfaces and IP addresses.

macOS, if available:

networksetup -listallhardwareports

What it does:

  • Lists network hardware ports, including Wi-Fi.
airport -I

What it does:

  • Shows current Wi-Fi details on many macOS systems.
  • On some macOS versions, the airport command path may require lookup or may be deprecated.

Mini Lab

Goal:

  • Identify current wireless mode/security without changing router settings.

Windows:

  1. Connect to a known Wi-Fi network.
  2. Run netsh wlan show interfaces.
  3. Run netsh wlan show profiles.
  4. Run ipconfig /all.
  5. Record:
    • SSID:
    • Authentication:
    • Cipher:
    • DHCP enabled:
    • DNS server:

Linux:

  1. Run nmcli device status.
  2. Run nmcli connection show.
  3. Run ip addr.
  4. Optional: run iw dev.
  5. Record:
    • Wireless interface name:
    • Active connection:
    • IP address:

Router review, if you own/admin the network:

  1. Look at Wi-Fi security mode.
  2. Confirm WEP/TKIP are not used.
  3. Prefer WPA3 or WPA2-AES.
  4. Do not change settings unless you understand the impact.

Quick Check Before Quiz

You are ready for the SEC-3 quiz when you can answer these without looking:

  • Which wireless security should be avoided?
  • Which is stronger: TKIP or AES?
  • Which mode uses one shared password?
  • Which mode uses 802.1X/RADIUS?
  • Which authentication protocol is common in Microsoft domains?
  • Which authentication protocol is common for VPN/wireless AAA?