Objective 2.3: Compare and contrast wireless security protocols and authentication methods
- Cert: CompTIA A+ Core 2 (220-1202) V15
- Domain: 2.0 Security
- Weight: Part of the 28% Security domain
- Depth: Compare and contrast. The candidate must distinguish wireless encryption protocols, encryption algorithms, and enterprise authentication methods.
What this objective tests
You should know the strength ranking of wireless security protocols, the encryption algorithms behind them, and the enterprise authentication systems used with WPA2/WPA3 Enterprise (RADIUS, TACACS+, Kerberos, MFA).
This objective pairs with Core 1 obj 2.2 (wireless networking standards) and Core 2 obj 1.7 (Windows network connections).
Key facts
Wi-Fi Protected Access 2 (WPA2):
- Wireless security protocol introduced in 2004. Replaced WPA (which replaced WEP).
- Two modes: WPA2-Personal (PSK, pre-shared key) for home/SMB; WPA2-Enterprise (802.1X with RADIUS) for businesses.
- Still acceptable in 2025 but being phased toward WPA3.
Wi-Fi Protected Access 3 (WPA3):
- Successor to WPA2, introduced 2018. Required for Wi-Fi 6 certification.
- Adds Simultaneous Authentication of Equals (SAE) replacing PSK, making offline dictionary attacks much harder.
- WPA3-Personal and WPA3-Enterprise modes.
- Current recommended baseline. Many APs support WPA2/WPA3 transition mode for legacy device compatibility.
Temporal Key Integrity Protocol (TKIP):
- Older encryption used with original WPA. Designed as a stopgap to replace WEP without requiring new hardware.
- Now considered insecure. WPA2 introduced AES; TKIP should not be used.
- Some legacy devices may still negotiate TKIP if the AP allows it. Disable TKIP on the AP.
Advanced Encryption Standard (AES):
- Strong symmetric encryption algorithm used by WPA2 and WPA3.
- AES-CCMP (AES in Counter Mode with CBC-MAC Protocol) is the Wi-Fi implementation: AES in counter mode for confidentiality, CBC-MAC for integrity.
- This is the algorithm you want; configure the AP to use WPA2-AES or WPA3 (which mandates AES).
Remote Authentication Dial-In User Service (RADIUS):
- Authentication, authorization, and accounting (AAA) protocol.
- Used with WPA2/WPA3 Enterprise: AP forwards 802.1X auth to a RADIUS server; RADIUS validates against a directory (AD, LDAP) and replies.
- Each user has their own credentials; revoking one user doesn't require rotating the network password.
- Default ports: UDP 1812 (auth), UDP 1813 (accounting).
Terminal Access Controller Access-Control System (TACACS+):
- Cisco-developed AAA protocol. Separates authentication, authorization, and accounting (vs RADIUS which combines auth and authz).
- Encrypts the entire packet body (RADIUS only encrypts the password).
- Common for network device admin authentication (router/switch login). Less common for end-user Wi-Fi.
- TCP port 49.
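The RADIUS facts above (UDP 1812, "RADIUS only encrypts the password") are easy to see on the wire. The following is an added example, not part of these notes and not code from any RADIUS product: it builds an RFC 2865 Access-Request, hides the User-Password attribute exactly as section 5.2 of the RFC specifies, and computes the Response Authenticator an AP uses to check that an Access-Accept really came from a server holding the shared secret. The shared secret, authenticator bytes, user name and NAS address are constructed values for illustration.

```python
"""RFC 2865 Access-Request / Access-Accept walkthrough (added example, stdlib only).

Shows why "RADIUS only encrypts the password": User-Name and NAS-IP-Address are
plain TLVs, only User-Password is XOR-masked with MD5(secret || previous block),
and the reply is authenticated (not encrypted) with an MD5 over the shared secret.
"""
import hashlib
import hmac
import socket
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
RADIUS_AUTH_PORT = 1812  # UDP; accounting uses 1813 (from the notes above)


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-octet blocks; block_i = p_i XOR MD5(secret + c_{i-1}),
    where c_0 is the 16-byte Request Authenticator. Masking, not strong encryption."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], digest))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password: what the server does with the shared secret."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        digest = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(block, digest))
        prev = block
    return bytes(out).rstrip(b"\x00")  # strip the zero padding added by hide_password


def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS TLV: Type (1 octet), Length (1 octet, includes these 2), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, nas_ip: str, request_auth: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes... (RFC 2865 s3)."""
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def parse_attributes(packet: bytes):
    """Walk the TLV list after the 20-byte header. No secret is needed for this:
    everything except the masked User-Password is readable by any observer."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, attrs


def build_access_accept(request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """AP-side check: reply is bound to our request and to the shared secret."""
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed, not a real deployment value
    req_auth = bytes(range(16))             # normally 16 random octets per request
    req = build_access_request(7, b"alice", b"pw-1234", secret, "192.0.2.10", req_auth)
    print("User-Name visible in cleartext:", b"alice" in req)
    print("Password visible in cleartext:", b"pw-1234" in req)
    accept = build_access_accept(req, secret)
    print("Access-Accept verifies with correct secret:", verify_response(accept, req_auth, secret))
    print("Access-Accept verifies with wrong secret:", verify_response(accept, req_auth, b"wrong"))
```

The design point for the AP configuration step later on this page: the shared secret is all that authenticates the server's reply, so it should be long and random and unique per AP, and the RADIUS traffic should stay on a management VLAN.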
Kerberos:
- Network authentication protocol using time-limited tickets and a Key Distribution Center (KDC).
- Foundation of Active Directory authentication.
- Used with WPA2/WPA3 Enterprise on AD-joined networks (clients present Kerberos tickets via 802.1X).
- TCP/UDP port 88.
Multifactor (Wi-Fi):
- Adding a second factor to wireless authentication. Less common than MFA on apps because Wi-Fi auth happens at connect time, not per-action.
- Enterprise wireless with certificate-based 802.1X (EAP-TLS) provides strong device authentication; combine with MDM and conditional access for effective multifactor.
Common gotchas
- WPA2 with TKIP enabled. Old config that mixes WPA + WPA2 may negotiate TKIP. Disable WPA + TKIP; use WPA2-AES only or WPA3.
- WPS still enabled. Wi-Fi Protected Setup PIN is brute-forceable in hours. Disable on any business AP (covered in Core 1 obj 2.6).
- PSK shared across the office. Anyone who's seen the password can connect from the parking lot. Enterprise auth (RADIUS) allows per-user revocation.
- WPA3 transition mode confusion. Allowing WPA2 fallback means legacy clients connect with WPA2 (weaker). Plan to retire WPA2-only devices.
- RADIUS server unavailable. WPA2/WPA3 Enterprise clients can't authenticate until it is back. Deploy redundant RADIUS servers; AP-side fallback options rarely provide anything useful.
- Time skew breaks Kerberos. Kerberos tickets are time-limited; if client and server clocks differ by more than 5 minutes, authentication fails.
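The TKIP and AES facts above and the first gotcha ("WPA2 with TKIP enabled") are things a technician checks from the client side on Windows with `netsh wlan show interfaces`. The following is an added example, not part of these notes: it parses that command's output and rates the connection using the ranking the notes give (WPA3 > WPA2 with AES/CCMP > WPA/TKIP > WEP > Open). The sample output is constructed to look like the real command's layout and is not captured from any host.

```python
"""Rate a Windows Wi-Fi connection from `netsh wlan show interfaces` output (added example)."""

# Constructed sample in the layout `netsh wlan show interfaces` prints; not from a real host.
SAMPLE_NETSH_OUTPUT = """\
There is 1 interface on the system:

    Name                   : Wi-Fi
    Description            : Example Wireless Adapter
    GUID                   : 00000000-0000-0000-0000-000000000000
    Physical address       : 00:00:5e:00:53:01
    State                  : connected
    SSID                   : ExampleCorp
    BSSID                  : 00:00:5e:00:53:02
    Network type           : Infrastructure
    Radio type             : 802.11ac
    Authentication         : WPA2-Personal
    Cipher                 : TKIP
    Connection mode        : Profile
    Channel                : 44
    Signal                 : 88%
    Profile                : ExampleCorp
"""


def parse_netsh_interfaces(text: str) -> dict:
    """Return the indented 'Key : Value' lines of the first interface as a dict.
    Values may themselves contain colons (MAC addresses), so split only once."""
    fields = {}
    for line in text.splitlines():
        if not line.startswith("    ") or ":" not in line:
            continue  # skip the summary line and blanks
        key, value = line.split(":", 1)
        if value.strip():
            fields.setdefault(key.strip(), value.strip())
    return fields


def assess_wifi_security(auth: str, cipher: str):
    """Map the netsh Authentication/Cipher pair to a rating and a list of findings.
    Ratings: 'recommended' (WPA3), 'acceptable' (WPA2 with CCMP), 'insecure', 'unknown'."""
    a, c = auth.upper(), cipher.upper()
    findings = []
    if a == "OPEN" or c in ("WEP", "NONE"):
        return "insecure", [f"{auth}/{cipher}: no usable encryption; not acceptable for business traffic"]
    if a.startswith("WPA-") or c == "TKIP":
        # Original WPA or a mixed WPA/WPA2 AP that negotiated TKIP
        return "insecure", ["TKIP or original WPA negotiated; disable WPA+TKIP on the AP and use WPA2-AES only or WPA3"]
    if a.startswith("WPA3"):
        rating = "recommended"
    elif a.startswith("WPA2"):
        rating = "acceptable"
        findings.append("WPA2-AES is still acceptable; plan migration to WPA3 (transition mode for legacy clients)")
    else:
        return "unknown", [f"unrecognised Authentication value {auth!r}"]
    if a.endswith("PERSONAL"):
        findings.append("shared passphrase: anyone who has seen it can connect; "
                        "Enterprise (802.1X/RADIUS) gives per-user credentials and revocation")
    return rating, findings


def assess_netsh_output(text: str):
    """Convenience wrapper: (SSID, rating, findings) for the first interface in the output."""
    fields = parse_netsh_interfaces(text)
    rating, findings = assess_wifi_security(fields.get("Authentication", ""), fields.get("Cipher", ""))
    return fields.get("SSID", ""), rating, findings


if __name__ == "__main__":
    ssid, rating, findings = assess_netsh_output(SAMPLE_NETSH_OUTPUT)
    print(f"{ssid}: {rating}")
    for f in findings:
        print("  -", f)
```

On a live Windows host the output would be fed in with `subprocess.run(["netsh", "wlan", "show", "interfaces"], capture_output=True, text=True).stdout`; the constructed sample stands in for that here so the example runs anywhere.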
Real-world context
Wireless security choice by environment:
- Home / very small office: WPA3-Personal (or WPA2/WPA3 transition for older devices). Strong passphrase.
- SMB office (20-50 people): WPA3-Personal with a strong shared passphrase, separate isolated guest network. Some offices move to WPA2/3-Enterprise once they have a domain.
- Mid-size business (50-500): WPA2/3-Enterprise with RADIUS backed by AD. Per-user credentials, easy revocation, audit logging.
- Large enterprise / regulated industry: WPA3-Enterprise with EAP-TLS certificate authentication, MDM-enrolled devices, conditional access.
RADIUS deployment for SMB:
- Windows Server with Network Policy Server (NPS) role. Free with the Server license.
- Cloud-hosted RADIUS (Cisco Meraki, Aruba Central, JumpCloud) for orgs without on-prem servers.
- Configure AP with the RADIUS server IP + shared secret. Configure NPS to validate against AD users/groups.
Sources
- [CompTIA A+ 220-1202 Exam Objectives Version 4.0, Section 2.3](../../../../../../30-RevyTechJourney/CompTIA%20A%2B%20220-1202%20Exam%20Objectives%20%284.0%29.pdf)
- [Wi-Fi Alliance: WPA3](https://www.wi-fi.org/discover-wi-fi/security)
- [RFC 2865: RADIUS](https://www.rfc-editor.org/rfc/rfc2865)
- [RFC 4120: Kerberos V5](https://www.rfc-editor.org/rfc/rfc4120)
- [Wikipedia: TACACS+](https://en.wikipedia.org/wiki/TACACS)
- [Wikipedia: TKIP](https://en.wikipedia.org/wiki/Temporal_Key_Integrity_Protocol)
