SSID Security, Guest Networks, and Authentication
Key Takeaways
- An SSID is just a network name; SSID hiding is not a real security control because management frames leak it.
- WPA3-Personal replaces WPA2's pre-shared key handshake with SAE, defeating offline dictionary attacks.
- WPA2/WPA3-Enterprise use 802.1X with RADIUS for per-user identity, so one account can be revoked without changing a shared password.
- In 802.1X the client is the supplicant, the AP/controller is the authenticator, and RADIUS is the authentication server.
- Guest WLANs belong on an isolated VLAN with internet-only access; a captive portal handles onboarding, not encryption.
Framing Wireless Security Questions
N10-009 security items describe who is connecting and what they should reach. A good answer separates five concerns: identity (authentication), permission (authorization), encryption, segmentation, and onboarding. Mixing these up is how wrong answers are written.
SSID Design
An SSID (Service Set Identifier) is the network name a client selects. APs can broadcast several SSIDs, but each one adds management overhead and consumes airtime through extra beacon frames, so do not create more than the design needs.
| SSID | Users | Typical access |
|---|---|---|
| Corp | Managed employee devices | Internal apps per user/device policy |
| Guest | Visitors, BYOD | Internet only, blocked from RFC 1918 internal ranges |
| IoT | Printers, cameras, sensors | Narrow device-specific access |
| Voice | Wi-Fi phones | Voice VLAN with QoS |
SSID hiding (disabling broadcast) is not security. Suppressing the beacon only removes the network name from the periodic broadcast; the name still appears in association requests, probe requests, and probe responses, so any wireless analyzer reveals it within seconds. Worse, hidden SSIDs force clients to actively probe for the network everywhere they go, which leaks the name and can break roaming and battery life. The exam consistently treats SSID hiding as a weak or non-existent control - if a question lists it as a security measure, it is almost always the wrong answer.
Rely on encryption, authentication, and VLAN segmentation instead.
Also watch for MAC filtering as a distractor. Allow-listing client MAC addresses sounds protective, but MAC addresses are sent in the clear in every frame and are trivially spoofed, so MAC filtering is administrative convenience, not a security boundary.
Personal vs Enterprise Security
| Mode | Authentication | Encryption | Best fit |
|---|---|---|---|
| WPA2-Personal | Pre-shared key (PSK) | AES-CCMP | Home/small office |
| WPA3-Personal | SAE (replaces PSK 4-way) | AES-CCMP | Modern small deployments |
| WPA2-Enterprise | 802.1X + RADIUS | AES-CCMP | Business WLAN |
| WPA3-Enterprise | 802.1X (192-bit optional) | GCMP-256 | High-security WLAN |
WPA3-Personal uses SAE (Simultaneous Authentication of Equals), a handshake that resists the offline dictionary cracking that plagued WPA2's captured 4-way handshake. Avoid the deprecated WEP and WPA entirely - WEP's RC4 keys are trivially broken, and any answer suggesting WEP or WEP+MAC filtering is wrong on a modern exam.
802.1X and RADIUS Flow
Enterprise mode lets you give every user a unique identity and revoke one account without re-keying everyone. The three 802.1X roles:
- Supplicant - the client device
- Authenticator - the AP or wireless controller (blocks data until auth succeeds)
- Authentication server - the RADIUS server
Typical sequence:
- Client associates to the SSID.
- Authenticator passes only EAPOL (authentication) frames and blocks all other client traffic.
- Supplicant and RADIUS run an EAP method (e.g., EAP-TLS with certificates, or PEAP with credentials).
- RADIUS returns Access-Accept or Access-Reject plus policy attributes.
- The authenticator assigns the correct VLAN and access policy.
Exam clue: if a company needs per-user accountability and centralized control, choose WPA2/WPA3-Enterprise with RADIUS - never a shared passphrase. The reason is operational: with a PSK, the only way to revoke a departed employee is to change the key on every device, which is exactly the help-desk pain the scenario describes. With RADIUS you simply disable that one account in the directory. RADIUS also returns authorization attributes (such as a VLAN ID or a session timeout) alongside the accept message, so identity and network placement are decided in one transaction.
A related distractor is TACACS+: it is also an AAA protocol with a RADIUS-like role, but Network+ associates TACACS+ primarily with administrative device login (command authorization on switches and routers), while RADIUS is the protocol behind 802.1X network access. If the scenario is Wi-Fi user authentication, the answer is RADIUS.
Guest Networks and Captive Portals
| Requirement | Implementation |
|---|---|
| Visitors need internet | Permit outbound DNS, HTTP, HTTPS |
| No internal reachability | Deny guest VLAN to internal subnets at the firewall |
| Accept terms / register | Captive portal |
| Protect business apps | Per-client bandwidth or QoS limits |
| Temporary access | Expiring vouchers or time-limited accounts |
A captive portal intercepts the first web request to force acknowledgement, registration, or payment. It is not encryption - an open SSID with only a portal leaves the air unencrypted. WPA3 added Opportunistic Wireless Encryption (OWE) to encrypt open guest networks without a password, which the exam may reference.
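The guest-VLAN rules in the table above, expressed as a small policy evaluator. This is an added example, not part of the original page; the RFC 1918 ranges are real, while the portal address and the flows it is run against are constructed placeholders. The guest must still reach the captive portal itself, so that host is carved out before the internal-range deny.

```python
# Added example: evaluate outbound guest-VLAN flows against the guest rules.
import ipaddress

# RFC 1918 private ranges that the guest VLAN must never reach.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed placeholder: the captive portal usually lives on the
# controller, so guests need to reach it even though it is internal.
PORTAL_HOST = ipaddress.ip_address("10.10.50.2")

# Constructed rule set, first match wins, implicit default deny.
# (scope, protocol, dst_port, action)
GUEST_RULES = [
    ("portal",   "tcp", 443,  "allow"),   # captive portal page
    ("internal", "any", None, "deny"),    # block RFC 1918 before anything else
    ("any",      "udp", 53,   "allow"),   # DNS
    ("any",      "tcp", 53,   "allow"),
    ("any",      "tcp", 80,   "allow"),   # HTTP (also the portal redirect)
    ("any",      "tcp", 443,  "allow"),   # HTTPS
]


def is_internal(dst: str) -> bool:
    """True when the destination falls inside any RFC 1918 range."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in RFC1918)


def guest_policy(dst: str, proto: str, port: int) -> str:
    """Return 'allow' or 'deny' for one outbound flow from the guest VLAN."""
    addr = ipaddress.ip_address(dst)
    internal = is_internal(dst)
    for scope, rproto, rport, action in GUEST_RULES:
        if scope == "portal" and addr != PORTAL_HOST:
            continue
        if scope == "internal" and not internal:
            continue
        if rproto != "any" and rproto != proto:
            continue
        if rport is not None and rport != port:
            continue
        return action
    return "deny"  # nothing matched: default deny


def evaluate(flows):
    """Apply the policy to a list of constructed (dst, proto, port) flows."""
    return [(dst, proto, port, guest_policy(dst, proto, port))
            for dst, proto, port in flows]
```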
PBQ-Style Security Scenario
Facts: employees need internal apps; contractors need internet plus one portal; visitors need internet only; the help desk is overwhelmed every time the shared Wi-Fi password rotates.
- Enterprise SSID with 802.1X/RADIUS for employees.
- Use RADIUS group attributes to assign VLANs dynamically.
- Contractors on a restricted VLAN reaching only the project portal and internet.
- Visitors on an isolated guest VLAN with a captive portal, no internal access.
- Eliminate the single shared business passphrase.
The core principle: authentication proves identity; authorization (VLAN/firewall) decides reach. Separating them solves the password-rotation pain.
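The 802.1X sequence from the "Typical sequence" list and the PBQ scenario above, as an added example that is not part of the original page. The supplicant, authenticator and RADIUS server are in-memory stand-ins; the directory, VLAN IDs and passwords are constructed, and the attribute names mirror the real RADIUS VLAN attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID). It shows the controlled port staying closed until Access-Accept, the VLAN coming from the group attribute, and one account being disabled without touching any key.

```python
# Added example: minimal model of the three 802.1X roles.
from dataclasses import dataclass, field

# Constructed directory: user -> secret, group, enabled flag. A real site
# keeps this in AD/LDAP and authenticates with EAP-TLS or PEAP, not plaintext.
DIRECTORY = {
    "alice": {"secret": "correct horse", "group": "employees", "enabled": True},
    "bob":   {"secret": "staple battery", "group": "contractors", "enabled": True},
}
GROUP_VLAN = {"employees": "10", "contractors": "30"}  # constructed VLAN IDs


def radius_authenticate(user: str, secret: str) -> dict:
    """Authentication server: Access-Accept with VLAN attributes, or Reject."""
    entry = DIRECTORY.get(user)
    if not entry or not entry["enabled"] or entry["secret"] != secret:
        return {"code": "Access-Reject"}
    return {
        "code": "Access-Accept",
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": GROUP_VLAN[entry["group"]],
    }


@dataclass
class Authenticator:
    """AP/controller: keeps the controlled port closed until RADIUS accepts."""
    ports: dict = field(default_factory=dict)  # client -> {"open", "vlan"}

    def associate(self, client: str) -> None:
        # After association only EAPOL passes; data traffic is blocked.
        self.ports[client] = {"open": False, "vlan": None}

    def handle_eap(self, client: str, user: str, secret: str) -> dict:
        # The authenticator only relays EAP; the decision is the server's.
        reply = radius_authenticate(user, secret)
        if reply["code"] == "Access-Accept":
            self.ports[client] = {"open": True,
                                  "vlan": reply["Tunnel-Private-Group-ID"]}
        else:
            self.ports[client] = {"open": False, "vlan": None}
        return self.ports[client]


def revoke_user(user: str) -> None:
    """Offboarding: one directory change, no shared key to rotate."""
    DIRECTORY[user]["enabled"] = False
```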
A company wants each employee to use individual credentials for Wi-Fi and to disable one user without changing a shared password. Which option best fits?
Which controls are appropriate for a guest wireless network? Choose two.
Which WPA3-Personal feature specifically defends against offline dictionary attacks that affected WPA2-Personal?