WLAN security in the company: From WPA3 to 802.1X
Enterprise Wi-Fi Security: WPA3-Enterprise vs. WPA3-SAE, 802.1X Authentication (RADIUS + EAP-TLS/PEAP), SSID Segmentation (Corporate vs. BYOD vs. Guests), Rogue Access Point Detection, Wi-Fi IDS/IPS, PMF (Protected Management Frames), Evil Twin Attack Detection, Secure Wi-Fi Configuration for Cisco, Aruba, and Ubiquiti, and Wi-Fi Penetration Testing Methodology.
Wi-Fi is one of the most commonly overlooked attack vectors. Weak pre-shared keys, public SSIDs without guest isolation, and a lack of rogue AP detection make corporate networks easy prey.
Comparing Wi-Fi Security Standards
WEP / WPA / WPA2 / WPA3:
WEP (Wired Equivalent Privacy):
→ Introduced in 1999, cracked as early as 2001
→ airodump-ng + aircrack-ng: cracked in minutes
→ NEVER use! (Museum artifact)
WPA2-Personal (PSK):
→ Pre-Shared Key: everyone shares the SAME key
→ Risk: Key compromised = everyone affected!
→ PMKID attack: Key can be cracked offline (Hashcat)
→ 4-way handshake: can be cracked offline once captured
→ Use: only at home/small office with a strong key
# Cracking a weak WPA2-PSK (pen test):
airmon-ng start wlan0
airodump-ng wlan0mon --bssid BSSID -c CHANNEL -w capture
aircrack-ng capture.cap -w /usr/share/wordlists/rockyou.txt
WPA3-SAE (Simultaneous Authentication of Equals):
→ Dragonfly Key Exchange: offline cracking impossible!
→ Forward secrecy: a compromised key does not expose past sessions
→ Downgrade protection: no fallback to WPA2
→ Use: BYOD network, small business
WPA3-Enterprise (802.1X + EAP):
→ Individual credentials per user (no shared key!)
→ RADIUS backend: AD authentication
→ EAP-TLS: Certificate-based (no password risk)
→ PMF (Protected Management Frames): Mandatory
→ 192-bit mode: CNSA suite for highly sensitive environments
→ Recommended: for all enterprise networks!
Multi-SSID Strategy
SSID Segmentation in the Enterprise:
Recommended SSID Structure:
CORP-INTERNAL:
→ Authentication: 802.1X (EAP-TLS/PEAP)
→ VLAN: 30 (Corporate Users)
→ Access: Full internal access
→ Devices: Company laptops, smartphones (with MDM)
BYOD-WIFI:
→ Authentication: 802.1X (PEAP-MSCHAPv2, AD credentials)
→ VLAN: 35 (BYOD - restricted)
→ Access: Internet + specific internal resources
→ Conditional Access: MFA + device compliance check
GUEST-WIFI:
→ Authentication: Captive Portal (click or code)
→ VLAN: 60 (Guests – completely isolated)
→ Access: Internet only (no access to internal resources!)
→ Bandwidth Limit: 10 Mbit/s (to ensure quality)
→ Client Isolation: Guests cannot see each other
MANAGEMENT-WIFI:
→ Authentication: 802.1X + EAP-TLS (Certificates)
→ VLAN: 90 (Management)
→ Access: Network Infrastructure Management
→ For IT Admins Only (few devices!)
Hidden SSID? No security benefit!
→ SSID "hidden": Beacons are missing, but probe requests are visible
→ airodump-ng reveals hidden SSIDs immediately
→ "Security through obscurity" does not work!
→ Instead: Use real authentication
802.1X Wi-Fi Configuration
Enterprise Wi-Fi with RADIUS:
Cisco Meraki (Cloud-managed):
# Dashboard → Wireless → SSIDs → CORP-INTERNAL
Security: WPA2/3 Enterprise
RADIUS:
Primary: 192.168.90.10:1812 (FreeRADIUS/NPS)
Secret: "StrongRADIUSSecret123!"
VLAN: 30
PMF: Required (!)
WPA3 Transition Mode: active (during migration)
Ubiquiti UniFi:
# UniFi Network Controller → WiFi → New WiFi Network
SSID: CORP-INTERNAL
Security: WPA Enterprise
RADIUS Profile:
IP: 192.168.90.10
Port: 1812
Secret: "RADIUS-Secret"
VLAN: 30
Fast Roaming: 802.11r (for VoIP/Mobile)
PMF: Required
Aruba (HPE):
# Aruba Central or ArubaOS:
aaa server-group "CORP-RADIUS"
auth-server "dc01-nps" host 192.168.90.10
key "StrongRadiusSecret"
wlan ssid-profile "CORP-INTERNAL"
essid "CORP-INTERNAL"
opmode wpa3-enterprise-ccmp-256
auth-req 802.1x
server-group "CORP-RADIUS"
Certificate Deployment (EAP-TLS) via Intune:
# SCEP Profile: Automatically Assign Client Certificate
# Device Configuration → Profiles → SCEP Certificate
# Then: WLAN profile with this certificate
# Result: Company laptop connects automatically → no password!
Rogue Access Point Detection
Detecting unauthorized APs on the network:
What is a rogue AP?
→ Employee brings in a personal router ("because the Wi-Fi is bad")
→ Attacker places an AP on the network (Evil Twin)
→ Both: bypass security controls!
Detection methods:
Integrated into the Wi-Fi controller (best method):
→ Cisco/Aruba/Ubiquiti: RF scanning of APs
→ APs continuously scan all channels
→ Unknown BSSIDs → Alert!
→ Wired-side detection: Can rogue APs also be detected at the switch?
Automatic classification:
→ BSSID on the network: internal rogue (someone plugged in an AP)
→ External BSSID: Neighbor AP (not necessarily a threat)
→ BSSID has the same SSID as ours: Evil Twin! (P1 alert!)
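The classification rules above as an added Python example (not part of the original article and not any vendor's implementation): scan observations are compared with an AP inventory and with the MAC addresses seen on the switches. The inventory, the BSSIDs and the adjacent-MAC heuristic used for wired-side matching are assumptions of this example.

```python
from dataclasses import dataclass

# Constructed sample data: SSIDs come from the article, BSSIDs/MACs are made up.
OUR_SSIDS = {"CORP-INTERNAL", "BYOD-WIFI", "GUEST-WIFI", "MANAGEMENT-WIFI"}
MANAGED_BSSIDS = {"02:00:00:aa:00:01", "02:00:00:aa:00:02"}   # controller inventory
WIRED_MACS = {"02:00:00:aa:00:01", "02:00:00:aa:00:02",       # MACs learned on
              "02:00:00:bb:00:10"}                             # our switch ports
PRIORITY = {"evil-twin": 1, "internal-rogue": 2, "neighbor": 4, "known": 5}

@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str
    rssi_dbm: int

def mac_int(mac: str) -> int:
    """Normalise aa:bb.. or AA-BB.. notation to an integer for comparison."""
    return int(mac.strip().replace("-", "").replace(":", ""), 16)

def on_wire(bssid: str, window: int = 1) -> bool:
    """Assumed heuristic: an AP's radio MAC often sits next to its Ethernet MAC."""
    b = mac_int(bssid)
    return any(abs(b - mac_int(m)) <= window for m in WIRED_MACS)

def classify(obs: Observation) -> str:
    if mac_int(obs.bssid) in {mac_int(m) for m in MANAGED_BSSIDS}:
        return "known"
    if obs.ssid in OUR_SSIDS:          # our name, not our AP: P1 alert
        return "evil-twin"
    if on_wire(obs.bssid):             # unknown AP plugged into our LAN
        return "internal-rogue"
    return "neighbor"                  # external, not necessarily a threat

def triage(observations):
    """Label every observation, most urgent first, then strongest signal first."""
    rows = [(classify(o), o) for o in observations]
    return sorted(rows, key=lambda r: (PRIORITY[r[0]], -r[1].rssi_dbm))

SCAN = [  # constructed scan results
    Observation("02:00:00:AA:00:01", "CORP-INTERNAL", -48),
    Observation("02:00:00:dd:00:05", "CafeNextDoor", -80),
    Observation("02:00:00:bb:00:11", "HomeRouter", -50),
    Observation("02:00:00:cc:00:99", "CORP-INTERNAL", -35),
]

if __name__ == "__main__":
    for label, o in triage(SCAN):
        print(f"{label:15} {o.bssid} {o.ssid!r} {o.rssi_dbm} dBm")
```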
Aruba RAPIDS (Rogue AP Detection):
→ Classified: Known, Rogue, Suspected Rogue, Neighbor
→ Automatic Containment: sends deauthentication frames to rogue clients
WARNING: Deauthentication flooding could violate telecommunications laws
→ only within your own network!
Evil Twin Attack Detection:
→ Attacker sets up an AP broadcasting our SSID
→ Positions themselves closer than our AP → stronger signal
→ Clients connect to the attacker’s AP!
Protection:
→ PMF (Protected Management Frames): Mandatory!
→ 802.1X: Attacker can clone the SSID, but not the RADIUS certificate
→ With EAP-TLS: Client validates server certificate → fake AP detected!
→ Without server certificate validation: Attacker wins!
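An added example, not from the original article: a Python check that audits 802.1X client profiles for the server certificate validation and PMF settings the protection list depends on. It assumes Linux clients using wpa_supplicant (not named in the article); the profile contents, file paths and the server name radius.corp.example are constructed.

```python
import re
# Constructed sample: a weak PEAP profile beside a hardened EAP-TLS profile.
SAMPLE_CONF = '''
network={
    ssid="CORP-INTERNAL"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="CORP-INTERNAL"
    key_mgmt=WPA-EAP
    eap=TLS
    ca_cert="/etc/ssl/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    client_cert="/etc/ssl/laptop01.pem"
    private_key="/etc/ssl/laptop01.key"
    ieee80211w=2
}
'''
NAME_CHECKS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

def parse_networks(text):  # one dict of key -> unquoted value per network block
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", text, re.S):
        pairs = (ln.strip().split("=", 1) for ln in body.splitlines()
                 if "=" in ln and not ln.strip().startswith("#"))
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def audit(net):  # findings for one profile; an empty list means the checks pass
    if "WPA-EAP" not in net.get("key_mgmt", ""):
        return []                      # not an 802.1X network, out of scope
    findings = []
    if not (net.get("ca_cert") or net.get("ca_path")):
        findings.append("no trusted CA: RADIUS server certificate is not validated")
    if not any(net.get(k) for k in NAME_CHECKS):
        findings.append("no server name match: any certificate from the CA is accepted")
    if net.get("ieee80211w") != "2":
        findings.append("PMF not required (expected ieee80211w=2)")
    return findings

def audit_conf(text):
    return [(n.get("ssid", "?"), n.get("eap", "?"), audit(n)) for n in parse_networks(text)]

if __name__ == "__main__":
    for ssid, eap, findings in audit_conf(SAMPLE_CONF):
        print(ssid, eap, findings or "OK")
```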
Wi-Fi Penetration Testing Methodology
What AWARE7 checks during Wi-Fi pen tests:
Reconnaissance:
Kismet or Wireshark:
→ Which SSIDs are visible?
→ What encryption is used?
→ Which clients are connecting?
→ Probe requests: Which SSIDs are clients searching for?
WPA2-PSK cracking (if available):
→ Capture 4-way handshake
→ PMKID attack (no client required!)
→ Offline crack: Dictionary attack + rules
→ Result: Key found or not (report: time required)
Evil Twin Attack Test:
→ Clone own SSID
→ Hostapd-WPE (PEAP credential harvesting)
→ Will employees connect? Credentials intercepted?
→ Detectable: RADIUS certificate validation configured?
Isolation Test (Guest Wi-Fi):
→ Connect to guest Wi-Fi
→ Can I reach internal IPs? (Should be: NO)
→ Can I access other guests (client isolation)?
→ Can I reach the AP’s management interface?
AP Security:
→ Default credentials on management interface?
→ Telnet/HTTP disabled? (SSH/HTTPS only!)
→ Management accessible only from MGMT VLAN?
→ Firmware up to date?
Typical Findings:
→ WPA2-PSK with weak key (cracked in <1h)
→ No guest isolation (guests can see company servers)
→ Management interface accessible from all VLANs
→ Default credentials on AP (admin/admin)
→ PEAP without server certificate validation → Evil Twin attack possible
About the Author
Managing partner of AWARE7 GmbH with many years of expertise in information security, penetration testing and IT risk management. Graduate of the Internet Security master's programme at the Westfälische Hochschule (if(is), Prof. Norbert Pohlmann). Bestselling author with Wiley-VCH and lecturer at the ASW-Akademie. His assessments of cybersecurity and digital sovereignty have appeared in, among others, Welt am Sonntag, WDR, Deutschlandfunk and Handelsblatt.