Wireless Security and Enterprise Network Design

Key Takeaways

  • WPA3 replaces the WPA2 pre-shared-key handshake with Simultaneous Authentication of Equals (SAE), resisting offline dictionary attacks.
  • WPA2/WPA3-Enterprise uses 802.1X with RADIUS and EAP for unique per-user or per-device authentication and role-based VLAN assignment.
  • Guest wireless must map to an isolated VLAN with internet-only access; a captive portal handles onboarding, not encryption.
  • Rogue access points and evil twins are countered with a Wireless Intrusion Prevention System (WIPS), 802.1X, switch port security, and certificate validation.
  • Enterprise design layers wireless controls with segmentation, NAC, SNMPv3, SSH/HTTPS management, centralized logging, and time synchronization.
Last updated: June 2026

Securing the Air

Wireless extends the enterprise boundary into open space, so SY0-701 expects authentication, encryption, segmentation, management, and monitoring all to be addressed. The single biggest concept shift is from WPA2 to WPA3.

Wireless Security Options

Option | Use case | Security note
--- | --- | ---
WPA3-Enterprise | Modern 802.1X enterprise auth | Optional 192-bit mode; strongest where supported
WPA2-Enterprise | 802.1X enterprise auth | Common business baseline
WPA3-Personal | Home/small office | Uses SAE (Dragonfly); a captured handshake cannot be cracked offline
WPA2-Personal | Shared passphrase | A captured 4-way handshake allows offline passphrase guessing; unpatched clients were exposed to KRACK key reinstallation
Captive portal | Guest onboarding / terms | Not encryption, not segmentation
Open network | Public convenience | Assume traffic is observable unless upper-layer encryption (TLS, VPN) protects it

WPA3 specifics: Personal mode replaces WPA2's pre-shared-key 4-way handshake with Simultaneous Authentication of Equals (SAE), a password-authenticated key exchange, so a captured handshake no longer supports offline dictionary attacks, and each session gets forward secrecy. Passphrase strength still matters: an attacker can guess online against the AP, one attempt per exchange, and a transition-mode SSID that also accepts WPA2 clients can be downgraded to the PSK handshake by a rogue WPA2-only AP with the same name. WPA3-Enterprise adds an optional 192-bit security suite. WPS (push-button/PIN setup) should be disabled: the PIN is validated in two halves, which shrinks the search space to roughly eleven thousand guesses.

802.1X and EAP

802.1X uses three roles: the supplicant (client), the authenticator (switch, AP, or wireless controller), and the authentication server (RADIUS). The authenticator only relays EAP between the other two and never sees the credentials. Common EAP methods: EAP-TLS (mutual authentication with client and server certificates, strongest), PEAP and EAP-TTLS (the server certificate establishes a TLS tunnel and a password method such as MSCHAPv2 runs inside it), and EAP-FAST (Cisco, using Protected Access Credentials). The tunneled methods are only as strong as the supplicant's certificate validation: a client configured to trust any server certificate, or any certificate from a public CA without checking the server name, will run its MSCHAPv2 exchange with an evil twin, and the captured challenge/response can be cracked offline. EAP-TLS removes passwords from the exchange entirely, which is why it underpins evil-twin resistance.
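The checks above can be applied mechanically to supplicant profiles. The following is an added example, not code from the original page: it parses wpa_supplicant-style network blocks and reports the settings that leave a PEAP/TTLS client open to credential harvesting, a WPA2-PSK profile that should move to SAE, and profiles without required management frame protection. The option names (ssid, key_mgmt, eap, ca_cert, domain_suffix_match, ieee80211w, and so on) are real wpa_supplicant settings; the three network blocks in SAMPLE_CONF are constructed for the demo.

```python
"""Audit wpa_supplicant network blocks for the 802.1X/EAP mistakes that
make tunneled-EAP clients easy evil-twin targets (added example)."""
import re

# Constructed sample configuration: a weak PEAP profile, a hardened
# EAP-TLS profile, and a WPA2-PSK profile.
SAMPLE_CONF = """
network={
    ssid="Corp"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="Corp"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="laptop-4471"
    ca_cert="/etc/ssl/certs/corp-root.pem"
    client_cert="/etc/ssl/certs/laptop.pem"
    private_key="/etc/ssl/private/laptop.key"
    domain_suffix_match="radius.corp.example"
    ieee80211w=2
}
network={
    ssid="Warehouse"
    key_mgmt=WPA-PSK
    psk="correct horse battery staple"
}
"""


def parse_networks(text):
    """Return one dict per network={...} block, with quotes stripped."""
    blocks = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        opts = {}
        for line in body.strip().splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            opts[key.strip()] = value.strip().strip('"')
        blocks.append(opts)
    return blocks


def audit(net):
    """Return a list of finding strings for a single network block."""
    findings = []
    ssid = net.get("ssid", "?")
    kmgmt = net.get("key_mgmt", "")
    if "WPA-EAP" in kmgmt:
        # A tunneled method needs a pinned CA *and* an expected server name;
        # the CA alone lets any certificate from that CA impersonate RADIUS.
        if not (net.get("ca_cert") or net.get("ca_path")):
            findings.append(f"{ssid}: no ca_cert/ca_path, server certificate is not validated")
        if not any(k in net for k in ("domain_suffix_match", "domain_match", "altsubject_match")):
            findings.append(f"{ssid}: no domain_suffix_match/domain_match, any cert from the CA is accepted")
        if net.get("eap") == "TLS" and not (net.get("client_cert") and net.get("private_key")):
            findings.append(f"{ssid}: EAP-TLS without client_cert/private_key")
        if net.get("eap") in ("PEAP", "TTLS") and "password" in net:
            findings.append(f"{ssid}: password-based inner method; prefer EAP-TLS")
    elif "WPA-PSK" in kmgmt and "SAE" not in kmgmt:
        findings.append(f"{ssid}: WPA2-PSK; a captured handshake allows offline guessing, use SAE")
    elif kmgmt == "NONE":
        findings.append(f"{ssid}: open network, traffic is observable")
    if net.get("ieee80211w") != "2":
        findings.append(f"{ssid}: ieee80211w=2 not set, deauth/disassoc frames are unprotected")
    return findings


def audit_conf(text):
    """Audit every network block; returns a list of finding lists in file order."""
    return [audit(n) for n in parse_networks(text)]


if __name__ == "__main__":
    for findings in audit_conf(SAMPLE_CONF):
        for f in findings:
            print(f)
```

Point `audit_conf` at the contents of a real `/etc/wpa_supplicant/wpa_supplicant.conf` to check a fleet image; the hardened EAP-TLS block is the profile the rest of the page argues for and produces no findings.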

Wireless Controls

Risk | Control
--- | ---
Shared password reuse | WPA2/WPA3-Enterprise with 802.1X
Rogue access point | WIPS, controller detection, switch port security
Guest reaching internal systems | Guest SSID mapped to isolated VLAN
Weak management access | Admin MFA, management VLAN, SSH/HTTPS
Coverage gaps causing workarounds | Site survey, AP placement, capacity planning
Evil twin / rogue captive portal | Certificate validation, trusted-SSID config, user training

SSID-to-VLAN Mapping

SSID | Authentication | VLAN | Access
--- | --- | --- | ---
Corp | WPA2/WPA3-Enterprise, 802.1X | Role-based employee VLAN | Internal apps by role
Corp-IoT | Device certificates or MAB (MAC Authentication Bypass) | IoT VLAN | Required services only
Guest | Captive portal / sponsored | Guest VLAN | Internet only
Admin | Strong auth, few users | Management VLAN | Network management only

The SSID name is not the boundary. The mapped VLAN, firewall rules, identity policy, and monitoring enforce it.
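Two pieces of that enforcement can be shown concretely: the RADIUS attributes that tell the controller which VLAN to place an authenticated client in, and the inter-VLAN policy that decides what the client can then reach. The following is an added example, not code from the original page. The attribute numbers and values follow RFC 3580 (Tunnel-Type 64 = 13 VLAN, Tunnel-Medium-Type 65 = 6 IEEE-802, Tunnel-Private-Group-ID 81 = the VLAN ID); the role names, VLAN IDs, subnets and rule set are assumptions made up for the demo.

```python
"""Role-to-VLAN assignment via RFC 3580 attributes and a default-deny
inter-VLAN policy evaluator (added example)."""
import ipaddress

# Assumed mapping from the role/group RADIUS resolves to the VLAN to tag.
ROLE_VLAN = {
    "employee-finance": 110,
    "employee-eng": 120,
    "iot-printer": 300,
    "guest": 400,
    "netadmin": 900,
}


def vlan_attributes(role):
    """Attributes to return in an Access-Accept for this role.
    Unknown roles raise KeyError so the caller rejects rather than
    falling through to whatever the AP's default VLAN happens to be."""
    vlan = ROLE_VLAN[role]
    return {
        "Tunnel-Type": 13,             # VLAN
        "Tunnel-Medium-Type": 6,       # IEEE-802
        "Tunnel-Private-Group-ID": str(vlan),
    }


def net(s):
    return ipaddress.ip_network(s)


# Assumed private address space the guest VLAN must never reach.
RFC1918 = [net("10.0.0.0/8"), net("172.16.0.0/12"), net("192.168.0.0/16")]

# Policy rows: (source VLANs, destination networks, destination port or
# None for any, action). First match wins; no match means deny.
POLICY = [
    ({400}, RFC1918, None, "deny"),                 # guest -> internal: blocked
    ({400}, [net("0.0.0.0/0")], None, "allow"),     # guest -> internet only
    ({110, 120}, [net("10.10.30.0/24")], 9100, "allow"),  # employees -> printers
    ({110, 120}, [net("10.10.50.0/24")], 443, "allow"),   # employees -> internal apps
    ({900}, [net("10.10.0.0/16")], None, "allow"),  # management VLAN -> infrastructure
]


def evaluate(src_vlan, dst_ip, dst_port):
    """Return 'allow' or 'deny' for a flow leaving src_vlan."""
    dst = ipaddress.ip_address(dst_ip)
    for vlans, nets, port, action in POLICY:
        if src_vlan in vlans and any(dst in n for n in nets) and port in (None, dst_port):
            return action
    return "deny"   # default deny: the IoT VLAN, for example, has no row at all


if __name__ == "__main__":
    print(vlan_attributes("guest"))
    for flow in ((400, "10.10.50.10", 443), (400, "93.184.216.34", 443),
                 (120, "10.10.30.7", 9100), (300, "10.10.50.10", 443)):
        print(flow, evaluate(*flow))
```

The guest case shows why a separate passphrase or SSID name is not isolation: a guest client whose packets reach 10.10.50.10 is stopped by the first row, not by the name of the network it joined.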

Enterprise Network Design Checklist

  • Redundant edge firewalls/routers where availability demands it
  • Segmentation across user, server, management, guest, and IoT zones
  • Centralized authentication (RADIUS/TACACS+) for access and administration
  • Secure management protocols: SSH and HTTPS, never Telnet or HTTP
  • SNMPv3 (authentication and encryption) instead of SNMPv1/v2c
  • Centralized logging plus NTP time synchronization for correlation
  • Documented IP addressing, routing, and change control
  • Monitoring for rogue devices, anomalous traffic, and failed authentications

PBQ Wireless Scenario

One shared Wi-Fi password serves employees, contractors, printers, and guests; guests can reach file shares; a rogue AP was found under a desk. Best redesign: (1) employee SSID on WPA2/WPA3-Enterprise with 802.1X; (2) guest SSID on an internet-only VLAN; (3) printers/IoT in a restricted device VLAN; (4) NAC or controller policy for role-based access; (5) enable rogue-AP detection, trace the rogue AP to its switch port, and shut that port; (6) restrict controller administration to the management network with MFA. Merely rotating the shared password creates no accountability or segmentation.

Wireless Exam Traps

  • Captive portal equals encryption - false; it only handles onboarding/terms.
  • Hidden SSID is strong security - false; the name is still sent in clients' probe requests and in association frames, so anyone listening recovers it.
  • MAC filtering is authentication - weak; MAC addresses are trivially spoofed.
  • Different password means guests can share the employee VLAN - false; isolation requires segmentation, not a separate passphrase.
  • Wireless security ends at the AP - false; it includes the controller, switch ports, RADIUS, certificates, logs, and firewall rules.

Wireless Attacks SY0-701 Names

  • Evil twin: a rogue AP broadcasting a legitimate SSID, usually open or fronted by a lookalike captive portal, to harvest credentials. Defense: supplicants that validate the RADIUS server certificate (trusted CA plus expected server name) refuse the impostor, and EAP-TLS leaves no password to harvest.
  • Disassociation/deauthentication attack: spoofed management frames knock clients offline, often as a prelude to capturing the reconnection handshake or forcing users onto an evil twin. 802.11w (Protected Management Frames) authenticates those frames; it only helps when set to required rather than optional, and WPA3 mandates it.
  • Rogue AP: any unauthorized AP plugged into the wired network, found via WIPS and switch port security.
  • Jamming: radio interference denying service; located with spectrum analysis and a site survey.
  • RFID/NFC and Bluetooth attacks: proximity cards and tags can be read and cloned at short range; bluejacking sends unsolicited messages, bluesnarfing pulls data off a device. Keep devices non-discoverable and patched, and pair only in trusted settings.
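Evil twins and deauthentication floods are both visible to a sensor that watches management frames, and the detection logic is short. The following is an added example, not code from the original page, run over a constructed capture: the frame records mimic the fields a WIPS sensor or a tshark export would provide, and the authorized BSSID inventory, the rogue BSSIDs, the timestamps and the flood threshold are all made up for the demo. It goes slightly beyond the text by also flagging lookalike SSIDs (same name up to case and punctuation).

```python
"""Flag evil twins, lookalike SSIDs and deauth floods in a constructed
802.11 management frame capture (added example)."""
from collections import defaultdict

# Assumed inventory from the controller: authorized BSSIDs per managed SSID.
AUTHORIZED = {
    "Corp": {"00:11:22:aa:00:01", "00:11:22:aa:00:02"},
    "Guest": {"00:11:22:aa:00:03"},
}

# Constructed capture: (timestamp_s, subtype, bssid, ssid, rsn_present).
# A deauth flood spoofs the legitimate AP's BSSID as its source, so the
# address alone cannot separate it from real deauths; the rate can.
FRAMES = [
    (0.0, "beacon", "00:11:22:aa:00:01", "Corp", True),
    (0.1, "beacon", "00:11:22:aa:00:03", "Guest", False),
    (0.2, "beacon", "de:ad:be:ef:00:01", "Corp", False),      # open clone of Corp
    (0.3, "beacon", "de:ad:be:ef:00:02", "Corp", True),       # protected clone, unknown BSSID
    (0.4, "beacon", "de:ad:be:ef:00:03", "corp", True),       # lookalike name
    (0.5, "beacon", "66:77:88:99:00:01", "Cafe-Free", False),  # unrelated neighbour
    (5.0, "deauth", "00:11:22:aa:00:01", "", None),            # one ordinary deauth
] + [(20.0 + i * 0.01, "deauth", "00:11:22:aa:00:01", "", None) for i in range(60)]


def _norm(ssid):
    """Collapse case and punctuation so 'Corp', 'corp' and 'C-o-r-p' compare equal."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def detect_evil_twins(frames, authorized):
    """Return sorted (ssid, bssid, kind) for beacons that impersonate a managed SSID.
    kind: 'high' for an open clone (credential-harvesting setup), 'medium' for a
    protected clone from an unknown BSSID, 'lookalike' for a near-identical name."""
    managed = {_norm(s) for s in authorized}
    found = {}
    for _, subtype, bssid, ssid, rsn in frames:
        if subtype != "beacon":
            continue
        if ssid in authorized:
            if bssid not in authorized[ssid]:
                found[(ssid, bssid)] = "high" if not rsn else "medium"
        elif _norm(ssid) in managed:
            found[(ssid, bssid)] = "lookalike"
    return sorted((s, b, k) for (s, b), k in found.items())


def detect_deauth_floods(frames, window=10.0, threshold=20):
    """Sliding-window count of deauth/disassoc frames per BSSID.
    Returns (bssid, timestamp, subtype) once per crossing of the threshold.
    With 802.11w required, clients drop the spoofed frames, but a sensor
    still sees them on the air and should still alert."""
    alerts = []
    recent = defaultdict(list)
    for ts, subtype, bssid, _, _ in sorted(frames, key=lambda f: f[0]):
        if subtype not in ("deauth", "disassoc"):
            continue
        q = recent[bssid]
        q.append(ts)
        while q and ts - q[0] > window:
            q.pop(0)
        if len(q) == threshold:
            alerts.append((bssid, ts, subtype))
    return alerts


if __name__ == "__main__":
    for hit in detect_evil_twins(FRAMES, AUTHORIZED):
        print("evil twin:", hit)
    for hit in detect_deauth_floods(FRAMES):
        print("deauth flood:", hit)
```

The single deauth at 5 s never trips the detector; the burst starting at 20 s does, at the twentieth frame. Tune `window` and `threshold` to the roaming behaviour of the site, since a busy AP legitimately sends a few deauths per minute.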

Site Survey and RF Planning

A proper deployment starts with a site survey that measures coverage, signal-to-noise ratio, and interference. Plan non-overlapping channels (1, 6, 11 in 2.4 GHz) to avoid co-channel and adjacent-channel interference, tune transmit power so coverage does not bleed into a parking lot, and design for capacity, not just coverage, in dense areas. A heat map documents expected signal strength so weak spots that tempt users into insecure workarounds are eliminated. Controllers should support fast, secure roaming (802.11r, Fast BSS Transition) so 802.1X clients move between APs without re-authenticating from scratch.
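Why 1, 6 and 11 and not, say, 1, 4 and 8 follows from the channel centre frequencies, and the same arithmetic finds conflicts in an existing plan. The following is an added example, not code from the original page. The centre frequencies are the IEEE 802.11 values (2407 + 5n MHz for channels 1 to 13, 2484 MHz for channel 14); the 20 MHz width is the 802.11g/n OFDM nominal width and 22 MHz the older 802.11b DSSS width; the AP list and its neighbour relationships are made up for the demo.

```python
"""2.4 GHz channel planning: overlap arithmetic and conflict finding
for a small AP layout (added example)."""
from itertools import combinations


def center_mhz(ch):
    """IEEE 802.11 2.4 GHz channel centre frequency."""
    if ch == 14:
        return 2484
    if 1 <= ch <= 13:
        return 2407 + 5 * ch
    raise ValueError(f"not a 2.4 GHz channel: {ch}")


def overlaps(ch_a, ch_b, width_mhz=20):
    """Two channels share spectrum when their centres are closer than one channel width."""
    return abs(center_mhz(ch_a) - center_mhz(ch_b)) < width_mhz


def nonoverlapping_triples(channels=range(1, 12), width_mhz=20):
    """All three-channel sets within the FCC channels 1-11 with no mutual overlap."""
    return [t for t in combinations(channels, 3)
            if all(not overlaps(a, b, width_mhz) for a, b in combinations(t, 2))]


# Assumed layout: channel per AP and which APs can hear each other.
APS = {
    "ap-lobby": {"channel": 1, "neighbors": {"ap-east"}},
    "ap-east": {"channel": 2, "neighbors": {"ap-lobby", "ap-west"}},
    "ap-west": {"channel": 2, "neighbors": {"ap-east"}},
    "ap-warehouse": {"channel": 6, "neighbors": set()},
}


def plan_conflicts(aps, width_mhz=20):
    """Return (ap1, ap2, kind) for each pair of APs in range of each other that
    share spectrum. 'co-channel' pairs contend for airtime through CSMA and
    degrade gracefully; 'adjacent' pairs partially overlap and each sees the
    other as noise, which is worse."""
    conflicts = []
    names = sorted(aps)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            in_range = b in aps[a]["neighbors"] or a in aps[b]["neighbors"]
            if not in_range:
                continue
            ca, cb = aps[a]["channel"], aps[b]["channel"]
            if ca == cb:
                conflicts.append((a, b, "co-channel"))
            elif overlaps(ca, cb, width_mhz):
                conflicts.append((a, b, "adjacent"))
    return conflicts


if __name__ == "__main__":
    print("20 MHz:", nonoverlapping_triples())
    print("22 MHz:", nonoverlapping_triples(width_mhz=22))
    print(plan_conflicts(APS))
```

At the 22 MHz 802.11b width, 1/6/11 is the only non-overlapping triple among channels 1 to 11; at a nominal 20 MHz, sets such as 1/5/9 also qualify on paper, but the OFDM transmit mask extends beyond the nominal width, so 1/6/11 remains the safe recommendation. In the sample layout, ap-east on channel 2 is the problem: adjacent to ap-lobby on 1 and co-channel with ap-west.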

Putting Enterprise Design Together

The strongest SY0-701 answers combine these layers rather than relying on one. Authentication via 802.1X and certificates, encryption via WPA3, segmentation via SSID-to-VLAN mapping and NAC, secure management via SNMPv3 and SSH on a dedicated management VLAN, and visibility via WIPS, centralized logging, and NTP-synchronized timestamps together form a defensible wireless and network architecture. Any single control, such as a strong passphrase or a hidden SSID, is never the complete answer.

Test Your Knowledge

An enterprise wants unique per-user authentication for employee Wi-Fi plus role-based network access. Which design best fits?

Test Your Knowledge (Multi-Select)

Which controls improve guest wireless security? Choose two.

Select all that apply

Map guest Wi-Fi to an isolated VLAN with internet-only access
Allow guest clients to reach internal file servers for convenience
Use firewall rules to block guests from internal RFC 1918 ranges
Reuse the same SSID and policy as the administrator network
Test Your Knowledge

A rogue access point is found connected to an office switch port. Which control set best prevents recurrence?
