TL;DR
Your corporate WLAN must not be an open barn door. A shared WPA2-PSK password provides no individual identification, allows retroactive decryption of recorded traffic, and makes GDPR accountability difficult. Instead, use WPA2/WPA3-Enterprise with 802.1X authentication and a RADIUS server. A guest Wi-Fi must be strictly separated from the production network, for example in a dedicated VLAN 99. WPS must be disabled - the four-digit PIN has only 10,000 combinations and can be brute-forced quickly. To learn how attackers actually attack your WLAN, read the companion guide on WLAN penetration testing.
"The Wi-Fi password? It's on the sticker under the router." An alarming number of Wi-Fi security policies in companies begin with this sentence. WPA2-PSK with a single shared password is acceptable for home use—but for businesses with a constant flow of employees, suppliers, and guests, it poses a security risk.
WPA2-PSK vs. WPA2/WPA3-Enterprise
Why WPA2-PSK Is Inadequate in a Corporate Setting
Problem 1: No Individual Identification
- All employees, suppliers, and guests use the same password
- Log shows only: Device XY was on the Wi-Fi—no username!
- GDPR: Attribution is virtually impossible
- Forensics after an incident: Who was on the Wi-Fi and when?
Problem 2: Password Management
- Former employees know the Wi-Fi password
- Password rotation: Must be communicated to ALL employees (time-consuming!)
- Employees send the password to visitors, family, etc.
Problem 3: Retrospective Decryption
- Wi-Fi traffic can be recorded
- With PSK: Third parties who know the PSK can decrypt recorded traffic!
- Competitors, former employees: potential attackers
WPA2/WPA3-Enterprise: The Enterprise Solution
Instead of a shared password: individual login credentials per device/user.
Standard: IEEE 802.1X with a RADIUS server
EAP method: EAP-TLS (certificates) or PEAP-MSCHAPv2 (username/password)
Process:
- Device connects to Wi-Fi
- Access point requests identification (802.1X)
- Device sends credentials (certificate or username/password)
- Access point forwards to RADIUS server
- RADIUS server verifies against Active Directory / Entra ID
- Either: Access granted (with VLAN assignment!) or denied
Advantages:
- Individual access: Employee resignation → immediate revocation (deactivate in AD)
- Logging by user/device
- Certificate-based EAP-TLS: no passwords required
- Forward secrecy: recorded traffic cannot be decrypted retroactively
- VLAN assignment: Marketing employees are automatically placed in the marketing VLAN
WPA3 improvements:
- Individual data protection: Devices cannot see each other’s traffic (SAE instead of PSK)
- WPA3-SAE (Simultaneous Authentication of Equals): better protection against PMKID attacks
- 192-bit security for Enterprise (GCMP-256 instead of AES-128-CCM)
Configuring RADIUS and 802.1X
Microsoft NPS as a RADIUS server (included in Windows Server)
```powershell
Install-WindowsFeature NPAS -IncludeManagementTools
```
Configuration for Wi-Fi:
```text
1. NPS → RADIUS Clients: register the access points
   (AP IP address + shared secret between AP and NPS)
2. Connection Request Policy:
   Type of network access server: Wireless - IEEE 802.11
3. Network Policy:
   Conditions:
     User Groups: "Domain Users" or a specific Wi-Fi group
   Authentication Method: EAP-MSCHAPv2 (PEAP) or EAP-TLS (certificate)
   VLAN assignment (RADIUS Attributes):
     Tunnel-Type: VLAN
     Tunnel-Medium-Type: 802
     Tunnel-Pvt-Group-ID: 20 (VLAN ID for employees)
```
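The VLAN assignment above travels in three RFC 2868 tunnel attributes, and the shared secret is what lets the AP check that an Access-Accept really came from the RADIUS server. The following added example (not from the article, NPS or FreeRADIUS) encodes such an Access-Accept for VLAN 20, computes the Response Authenticator, parses the VLAN back out, and shows that a reply whose VLAN string was changed in transit no longer verifies; the secret, packet identifier and attribute tag are constructed sample values.

```python
import hashlib
import os
import struct

# RFC 2868 attribute numbers and the values behind NPS's "VLAN" / "802" choices
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type: VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type: 802
ACCESS_ACCEPT = 2            # RADIUS packet code (RFC 2865)

def tagged_int(attr, tag, value):
    # Tagged integer attribute: type, length (6), tag byte, 3-byte big-endian value
    return struct.pack(">BBB", attr, 6, tag) + value.to_bytes(3, "big")

def tagged_str(attr, tag, text):
    # Tagged string attribute: type, length, tag byte, then the string itself
    data = text.encode()
    return struct.pack(">BBB", attr, 3 + len(data), tag) + data

def vlan_attributes(vlan_id, tag=1):
    """The three attributes the AP needs to place the client into vlan_id."""
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + tagged_str(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))

def build_access_accept(identifier, request_auth, secret, attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    header = struct.pack(">BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_access_accept(packet, request_auth, secret):
    """The AP-side check: a reply built or altered without the shared secret fails."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + request_auth + attrs + secret).digest() == resp_auth

def parse_vlan(packet):
    """Return the VLAN ID from the tunnel attributes, or None if they are absent."""
    attrs, pos, found = packet[20:], 0, {}
    while pos + 2 <= len(attrs):
        attr, length = attrs[pos], attrs[pos + 1]
        if length < 2:
            break                                   # malformed attribute, stop parsing
        body = attrs[pos + 3:pos + length]          # skip type, length and tag byte
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[attr] = int.from_bytes(body, "big")
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            found[attr] = body.decode()
        pos += length
    ok = found.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN and found.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
    return int(found[TUNNEL_PRIVATE_GROUP_ID]) if ok and TUNNEL_PRIVATE_GROUP_ID in found else None

if __name__ == "__main__":
    secret = b"supersecret123"            # constructed sample shared secret
    request_auth = os.urandom(16)         # in reality taken from the AP's Access-Request
    reply = build_access_accept(7, request_auth, secret, vlan_attributes(20))
    print(verify_access_accept(reply, request_auth, secret), parse_vlan(reply))  # True 20
    altered = reply[:-2] + b"10"          # same packet with the VLAN string changed in transit
    print(verify_access_accept(altered, request_auth, secret))                   # False
```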
EAP-TLS (Certificate-based - recommended)
No password required: Device authenticates with certificate. Entra ID / AD PKI issues certificates; Intune automatically distributes certificates to managed devices.
```text
Intune → Configuration → Certificate Profiles → SCEP Certificate:
  Key storage provider: TPM (private key stored in the hardware security module)
  Subject name format: CN={{UserName}},DC=company,DC=de
  Extended key usage: Client Authentication
  Validity period: 1 year
  SCEP server: https://ndes.firma.de/certsrv/mscep/mscep.dll
```
Then create the Wi-Fi profile in Intune:
```text
  Security type: WPA2-Enterprise / WPA3-Enterprise
  EAP type: EAP-TLS
  Client certificate: {{Cert from SCEP profile}}
  Trusted server certificate: Company CA certificate
```
FreeRADIUS (Alternative, free)
```shell
apt install freeradius freeradius-utils
```
Configuration in /etc/freeradius/3.0/clients.conf (one entry per access point):
```text
client access_point_1 {
    ipaddr    = 192.168.1.10     # IP address of the AP
    secret    = supersecret123   # shared secret, must match the AP's RADIUS configuration
    shortname = ap-1
    nastype   = cisco
}
```
LDAP connection in /etc/freeradius/3.0/mods-enabled/ldap:
```text
ldap {
    server   = 'ldap.company.com'
    identity = 'CN=freeradius,OU=Service,DC=company,DC=com'
    password = ${ldap_password}   # bind password; keep it in a separate file with restricted permissions
    base_dn  = 'DC=company,DC=com'
    user {
        base_dn = "${..base_dn}"
        filter  = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
}
```
Setting Up Guest Wi-Fi Correctly
Design Principles
Strict separation from the production Wi-Fi:
- Dedicated SSID for guests
- Dedicated VLAN (e.g., VLAN 99)
- Firewall between guest VLAN and corporate network:
  - DENY: VLAN 99 → VLAN 10 (employees), VLAN 20 (servers)
  - ALLOW: VLAN 99 → Internet (ports 80/443)
Authentication options for guests:
Option 1: Captive Portal (Landing Page with Registration)
- Guest enters name + email
- Accepts terms of use
- Receives access code
- Access for a limited time (e.g., 8 hours)
Option 2: Voucher System
- Front desk/reception issues time-limited vouchers
- Code valid for 1 day, 1 week, etc.
- No guest account required
Option 3: WPA2-PSK with regular rotation
- Less secure, but simple
- Change code weekly; post on whiteboard in conference room
- ONLY if guests cannot have sensitive data
Captive Portal Solutions:
| Solution | Description |
|---|---|
| pfSense + Captive Portal | Open Source |
| Cisco Identity Service Engine (ISE) | Enterprise |
| Aruba ClearPass | Enterprise |
| Unifi Network Application | For Ubiquiti networks, very simple! |
GDPR in Guest Wi-Fi
- Guest registration data: GDPR obligations!
- Privacy notice required in the captive portal
- Define retention period (access logs: typically 7–30 days)
- Purpose limitation: for network administration only
Guest Wi-Fi Configuration (Unifi Example)
```text
Settings → WiFi → Add New WiFi Network:
  Name: Company Guests
  Password: (blank; the captive portal handles authentication)
  Network: Guest VLAN (create beforehand)
  Guest Policy: Enable (activates client isolation)

Hotspot Manager:
  Authentication: Voucher
  Voucher Expiry: 8 hours
  Voucher Usage: Single Use

Automatic firewall rule (Guest Policy):
  Block: Guests → internal networks (automatic)
  Allow: Guests → Internet
```
Detecting and Preventing Wi-Fi Attacks
Common Wi-Fi Attacks
1. Evil Twin / Rogue Access Point
- Attacker sets up an AP with the same SSID as the company’s Wi-Fi
- Stronger signal → Devices connect automatically
- Man-in-the-Middle: All traffic can be intercepted
- Protection: 802.1X + Certificates (Devices verify server certificate!)
2. PMKID Attack (WPA2-PSK)
- Attacker intercepts PMKID hash during connection setup
- Offline brute force against PMKID → password cracked
- Tool: hcxdumptool + hcxtools + hashcat
- Protection: WPA3-SAE (PMKID attack no longer possible!) or long, random WPA2-PSK (>25 characters)
3. Deauthentication attacks
- Attacker sends fake deauthentication packets → all clients disconnected
- DoS or forcing a new connection (for Evil Twin)
- Protection: 802.11w (Management Frame Protection) - WPA3 enforces it!
4. KRACK (Key Reinstallation Attack, WPA2)
- Vulnerability in WPA2 handshake implementation
- Already patched in current operating systems
- Protection: Patch all clients and APs immediately
Wi-Fi Monitoring (Rogue AP Detection)
- Cisco Wireless Controller: automatic rogue AP detection
- Unifi: Wireless Intrusion Detection/Prevention
- Kismet (Open Source): Passive Wi-Fi scanner + rogue detection
```shell
apt install kismet
kismet -c wlan0mon      # wlan0mon: a Wi-Fi interface in monitor mode
# Web GUI at http://localhost:2501
# Displays all Wi-Fi networks within range and flags unknown APs
```
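As an added example (not part of the article or of Kismet), the following script shows the allowlist logic behind rogue AP detection: every scan record is compared against an inventory of the company's own BSSIDs and the security each corporate SSID must advertise, so an unknown AP using the corporate SSID, an own AP with downgraded security, and an AP without 802.11w all raise findings. The BSSIDs, SSIDs and scan records are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class ScanRecord:
    ssid: str
    bssid: str
    security: str   # e.g. "OPEN", "WPA2-PSK", "WPA2-EAP", "WPA3-EAP"
    pmf: bool       # 802.11w Management Frame Protection advertised
    channel: int
    rssi: int       # dBm

# Inventory of the company's own APs, keyed by BSSID (constructed sample values)
AUTHORIZED = {
    "aa:bb:cc:00:00:01": "Corp-Staff",
    "aa:bb:cc:00:00:02": "Corp-Staff",
    "aa:bb:cc:00:00:03": "Corp-Guest",
}
# Security each corporate SSID must advertise; the guest SSID is open behind a captive portal
EXPECTED_SECURITY = {"Corp-Staff": "WPA3-EAP", "Corp-Guest": "OPEN"}

def find_rogues(records):
    """Return (bssid, reason) for every scan record that contradicts the inventory."""
    findings = []
    for r in records:
        if r.ssid not in EXPECTED_SECURITY:
            continue                         # neighbouring networks are out of scope
        if r.bssid not in AUTHORIZED:        # our SSID from an AP we do not own: evil twin
            findings.append((r.bssid, f"unknown BSSID advertising {r.ssid} as {r.security} on channel {r.channel}"))
            continue
        if AUTHORIZED[r.bssid] != r.ssid:    # a known AP broadcasting the wrong SSID
            findings.append((r.bssid, f"own AP broadcasting unexpected SSID {r.ssid}"))
        if r.security != EXPECTED_SECURITY[r.ssid]:   # misconfigured AP or cloned BSSID
            findings.append((r.bssid, f"{r.ssid} seen as {r.security}, expected {EXPECTED_SECURITY[r.ssid]}"))
        if r.ssid == "Corp-Staff" and not r.pmf:
            findings.append((r.bssid, "Corp-Staff without 802.11w, deauthentication frames unprotected"))
    return findings

# Constructed scan results, the kind of list a Kismet or controller export would provide
SAMPLE_SCAN = [
    ScanRecord("Corp-Staff", "aa:bb:cc:00:00:01", "WPA3-EAP", True, 36, -50),
    ScanRecord("Corp-Guest", "aa:bb:cc:00:00:03", "OPEN", False, 1, -55),
    ScanRecord("Corp-Staff", "02:11:22:33:44:55", "WPA2-PSK", False, 6, -40),   # evil twin
    ScanRecord("Corp-Staff", "aa:bb:cc:00:00:02", "WPA2-EAP", False, 44, -60),  # downgraded own AP
    ScanRecord("Neighbor-WLAN", "11:22:33:44:55:66", "WPA2-PSK", False, 11, -70),
]

if __name__ == "__main__":
    for bssid, reason in find_rogues(SAMPLE_SCAN):
        print(f"ALERT {bssid}: {reason}")
```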
Wi-Fi Hardening Checklist
- WPA3-Enterprise or WPA2-Enterprise (802.1X) for employee Wi-Fi
- No WPA2-PSK on the corporate network
- Guest Wi-Fi: separate VLAN, captive portal
- Management Frame Protection (802.11w) enabled
- Rogue Access Point Detection enabled
- Wi-Fi password (if PSK): min. 25 characters, random
- SSID should not be the company name (prevents targeting): choose an anonymous SSID
- No WPS function (PIN-based, vulnerable)
- RADIUS/NPS server secured with a certificate (no self-signed ones!)
- Regular Wi-Fi security audit (annually)
- Keep AP firmware up to date
WPA3: An Overview of the Current Encryption Standard
WPA3 has been available in modern routers for several years and offers significant security improvements over WPA2—but also presents challenges during migration.
What Makes WPA3 Better
Protected Management Frames (PMF): WPA3 enforces PMF (802.11w), which significantly complicates deauthentication attacks. With WPA2 without PMF, an attacker can send fake deauth packets and disconnect all clients—a precursor to Evil Twin attacks.
Simultaneous Authentication of Equals (SAE): The new handshake protocol makes dictionary attacks against the connection key virtually impossible. With WPA2-PSK, an attacker can record the 4-way handshake and try passwords offline—with WPA3-SAE, this is no longer possible.
192-Bit Security Mode (WPA3-Enterprise): For particularly sensitive environments, WPA3-Enterprise offers significantly stronger encryption using GCMP-256 instead of AES-128-CCM.
Compatibility and Migration
WPA3 requires firmware updates on both the router and the end devices:
- Windows 10 version 1903 or later with the appropriate network adapter driver
- macOS version 10.15 (Catalina) or later
- iOS version 13 or later
- Android: supported by software starting with Android 10; older devices depend on the manufacturer
Recommendation: Set the router to "WPA2+WPA3" (transition mode). This way, modern devices will automatically connect via WPA3, while older devices—such as printers or IoT devices—will remain accessible via WPA2. Note: In transition mode, the router automatically enables PMF for WPA2 connections as well. Not all older devices support PMF, which can lead to connection issues.
Problem with Android in transition mode: Some Android devices continue to use WPA2 even though the router offers WPA3. Solution: Remove the known Wi-Fi network and reconnect by entering the password (do not use a QR code or WPS—these often force WPA2).
Nearest Neighbor Attack: When Your Neighbor Attacks Your Wi-Fi
Attacks from the immediate vicinity are an often underestimated threat. In apartment buildings or densely populated commercial areas, potential attackers are within Wi-Fi range—without ever having to enter the building.
How a Neighbor Becomes a Security Problem
Cybercriminals use the following methods for neighborhood attacks:
Network scans: Tools like Aircrack-ng or Wireshark allow for the systematic detection of all Wi-Fi networks in the vicinity, including SSID, encryption standard, and signal strength. WEP networks and those using WPS are immediately identifiable as easy targets.
Brute-force attacks on weak passwords: For WPA2-PSK with a short or simple password, capturing a single handshake is sufficient. The subsequent offline analysis with Hashcat can crack a password like “Company2024” in seconds.
WPS exploitation: WPS (Wi-Fi Protected Setup) allows devices to connect via an eight-digit PIN—split into two four-digit blocks, reducing the number of possible combinations to 11,000. With the Reaver tool, WPS can be compromised in just a few hours.
Social Engineering: Attackers can pose as technicians or service providers to directly request Wi-Fi access credentials.
Real-World Consequences of Insecure Wi-Fi Networks
The legal consequences of a compromised Wi-Fi network often fall on the account holder first: If illegal activities take place via your connection, you will initially be treated as a suspect. The burden of proof for your own innocence lies with the connection owner—investigations, legal fees, and reputational damage are the result, even if it later turns out that a stranger misused your connection.
Another risk: If an attacker gains access to your Wi-Fi, they can read all unencrypted network traffic. If WPS was active and compromised, the attacker has permanent network access—until you change the password. Data from cloud services, email accounts, and internal documents can thus be accessed unnoticed for weeks.
Guest Wi-Fi: Convenience Without Security Risks
A guest Wi-Fi network is virtually indispensable in modern businesses. Auditors, external consultants, suppliers, and business partners expect hassle-free internet access—without it opening a path to the internal network.
Typical guest groups and their requirements
Auditors and accountants need access to cloud tools and online documents. A guest Wi-Fi network enables this without opening the internal network.
External lawyers and consultants regularly work with sensitive data. Isolated internet access prevents the unintentional disclosure of internal resources.
External IT service providers often need internet access for maintenance work. An isolated guest Wi-Fi network allows them to perform tasks while keeping the production network protected.
Customers and business partners expect Wi-Fi to work during meetings and presentations. A professionally set up guest Wi-Fi network leaves a good impression while minimizing risks.
Risks of a poorly configured guest Wi-Fi network
Lateral Movement: Without strict network segmentation, attackers can gradually penetrate the internal network via a compromised guest device. A device infected with malware on the guest Wi-Fi then becomes the starting point for attacks on servers and workstations.
GDPR Risks: Guest registration data is subject to the GDPR. A lack of privacy notices in the captive portal or retaining access logs for too long can result in fines.
Bandwidth Abuse: Without bandwidth limits, a single guest can slow down the entire corporate network.
Protective Measures for the Guest Wi-Fi
- Network Segmentation: The guest Wi-Fi must run on its own VLAN (e.g., VLAN 99). Firewall rules must block access from the guest VLAN to all internal VLANs.
- Time-Limited Access: Voucher codes with automatic expiration (e.g., 8 hours or 24 hours) prevent continued access by guests who are no longer present.
- Captive Portal with Privacy Notice: Guests must confirm the terms of use before gaining access. The captive portal must include a GDPR-compliant privacy notice.
- Network Access Control (NAC): For sensitive environments, only devices with an up-to-date operating system and active antivirus protection are granted access.
- Monitoring: Monitor network traffic on the guest Wi-Fi for anomalies. Retain access logs (standard retention period: 7–30 days), but store only the data that is actually needed.
- Employee Training: Reception staff and IT support must know how to set up, monitor, and immediately block guest access in an emergency.
Guest Wi-Fi — A Real-World Example
A company set up an open Wi-Fi network for guests without a password. An attacker exploited the unsecured access to inject malware. Since there was no segmentation between the guest and corporate networks, internal systems were compromised. The incident led to technical outages and lasting reputational damage with business partners.
A law firm solved the problem differently: guests receive individual access codes via a captive portal, valid for a maximum of 24 hours. The guest Wi-Fi is strictly separated from the internal network via VLANs. Access is automatically deactivated upon expiration. This simultaneously meets visitor convenience and compliance requirements.
Seven Basic Rules for Secure Wi-Fi Networks
These rules apply to both home and corporate networks and form the basis of every security concept:
1. Modern encryption method: WPA3 or at least WPA2 with AES. WEP and WPA (without a number) have known vulnerabilities and must be replaced. WPA2-PSK with AES remains the minimum requirement for environments that do not yet fully support WPA3.
2. Strong, random password: For home networks, at least 16 characters including numbers, letters, and special characters. For enterprise PSK, at least 25 random characters. Passwords that are easy for humans to remember, such as “Company2024Secure!”, are easier to crack in brute-force attacks than random character strings.
3. Disable WPS: The WPS PIN effectively has only 11,000 combinations (the eighth digit is a checksum; the standard checks the first four and last three digits separately). The Reaver tool can automatically brute-force WPS PINs. WPS should be disabled on every network.
4. Keep router firmware up to date: Manufacturers regularly release updates that patch security vulnerabilities. Enable automatic firmware updates whenever possible. Outdated router firmware with known CVEs is a common attack vector.
5. Disable Unnecessary Services: Only enable FTP, SSH, Telnet, and similar services on the router if they are actually needed. Every open service is a potential attack surface.
6. Separate password management: Use different passwords for the Wi-Fi, the guest Wi-Fi, and the router admin access. An attacker who knows the guest password should not be able to deduce the admin password.
7. Regularly check connected devices: Regularly check the router interface to see which devices are connected. Unknown devices on the network are a warning sign—if you suspect anything, change the Wi-Fi password immediately.
Wi-Fi Basics: How Wireless Connections Work Technically
Understanding the technical basics helps you better understand security measures.
Radio Frequencies and Range
Wi-Fi transmits data as radio waves on two frequency bands:
2.4 GHz: Greater range, penetrates walls better, but more congested (microwave ovens and Bluetooth use the same band). More susceptible to interference from other devices.
5 GHz: Higher data rate, fewer sources of interference, but shorter range and poorer wall penetration. Devices with high bandwidth requirements should preferably operate on the 5 GHz band.
Both bands are divided into multiple channels to avoid interference from overlapping networks. Many routers are dual-band and support both frequency bands simultaneously.
IEEE 802.11 Standards
The Wi-Fi standard is based on IEEE 802.11. Relevant versions:
- 802.11n (Wi-Fi 4): Up to 600 Mbps, 2.4 and 5 GHz
- 802.11ac (Wi-Fi 5): Up to several Gbps, 5 GHz
- 802.11ax (Wi-Fi 6/6E): More efficient with many simultaneous devices, 2.4, 5, and 6 GHz
- 802.11w: Management Frame Protection (MFP) — important for security against deauthentication attacks
Why Wi-Fi Signals Know No Physical Boundaries
A Wi-Fi signal does not stop at the office wall. It radiates in all directions, including into neighboring rooms, adjacent buildings, and public spaces. This is precisely where the fundamental security problem lies: Anyone with a Wi-Fi adapter within range can receive your signal. Whether they can exploit it depends on the quality of your encryption and your password.
Further Resources
If you want to understand how attackers specifically target Wi-Fi networks—and which tools, methods, and attack scenarios professional penetration testers use to assess Wi-Fi infrastructures—you’ll find all the details in the accompanying article:
Wi-Fi Penetration Testing: Tools, Methods, and Attack Vectors
A professionally configured Wi-Fi network differs little from consumer Wi-Fi in terms of operation, but significantly in terms of security. WPA3-Enterprise with 802.1X takes a little more time to set up, but saves hours of forensic work after an incident. AWARE7 checks Wi-Fi configurations as part of network penetration tests.
