802.11 - 802.1X WPA2 & WPA3

802.1X in WPA2 & WPA3 – not just more acronyms, it’s the damn spine

Look, if you’re dealing with enterprise Wi-Fi and not using 802.1X, then sorry buddy – your network's basically a nightclub with no bouncer. Anyone walks in, grabs a beer, maybe steals your encryption keys on the way out. Good luck with that.

In WPA2 and especially in WPA3-Enterprise, 802.1X is no longer a “nice to have” – it’s the core piece of the puzzle. The whole EAP dance, RADIUS negotiation, mutual auth and all that jazz? That’s 802.1X doing the heavy lifting in the background, while your users complain that "Wi-Fi is down" just because their password changed three months ago.

This ain’t PSK, baby. We’re talking real identity-based access control. Certificates, credentials, roles, VLAN assignment, the works. It’s complicated, picky, and will absolutely ruin your day if not configured right. But it’s also what makes enterprise Wi-Fi... well, actually secure.

So yeah – we’re diving deep into how 802.1X fits into WPA2 and WPA3 setups, what it does, why it matters, and why the RADIUS server should get a holiday bonus. Let’s get into the weeds. You’re gonna love it. Maybe.

What the heck is 802.1X, and why should you care?

So, 802.1X ain’t some magical Wi-Fi sauce – it’s actually a port-based access control thingy straight from the IEEE lab rats. Sounds wired, yeah? But even on wireless, it works like a charm. Instead of trusting everyone with the same dusty old password, it says: “Yo, who are you and do you even belong here?”

The 3 dudes in the 802.1X soap opera:

Supplicant: That’s your laptop, phone, fridge – whatever tries to connect.
Authenticator: That’s your AP or controller. It’s the traffic cop that says: “Show me some ID.”
Authentication Server: Usually a RADIUS box yelling at a user database like Active Directory, asking: “Is this guy legit?”

So how does this whole dance go down?

Open Authentication: Client connects to Wi-Fi – but hey, it’s just saying hello. No secrets yet. Everything’s still wide open.
Controlled vs. Uncontrolled Port: The real stuff is still locked down. Only EAP messages are allowed until you prove yourself.
EAP Authentication: Time to bring out the Extensible Authentication Protocol – fancy talk for “you can use whatever auth you like,” like EAP-TLS, PEAP, or EAP-FAST. All of it tunneled through EAPoL to the AP, then wrapped up and sent to RADIUS.
Deriving the PMK: Once you’re greenlit, the server hands out a PMK (not the Pre-shared kind – this one’s fresh and private). Each device gets their own. Sharing is for amateurs.
4-Way Handshake: Now it gets fun. This handshake’s like a digital secret handshake with Nonces, MACs, PTKs, GTKs – the whole cryptographic kitchen sink.
Port unlocked: Keys installed, handshake done – now you can finally do normal stuff like ping the printer or open cat memes.

Why it actually rocks (and makes PSK look like a toy):

Real user-based control: You log in as YOU, not “whoever got the Wi-Fi password from IT 3 years ago.”
Scales like a boss: 5 users or 5000 – it handles it all. Central user management for the win.
Unique keys for everyone: No shared secrets, no gossip, no copying passwords on sticky notes.
Mutual auth: Not only do you prove who you are – the server proves it too. That’s called "no evil twins allowed."
Mandatory PMF (Protected Management Frames): Especially in WPA3-Enterprise – you can’t skip this. It blocks all those nasty deauth tricks from Wi-Fi trolls.
Forward Secrecy: Even if someone cracks your session key later, your past traffic’s still safe. Time travel hacks denied.

WPA2 vs WPA3 with 802.1X – what’s the deal?

WPA2-Enterprise: Good ol’ reliable, with EAP and AES-CCMP. Still decent. TKIP optional – but come on, don’t.
WPA3-Enterprise: Stricter, smarter, and more paranoid – no legacy junk allowed. 192-bit crypto strength, elliptic curves everywhere, and RADIUS servers throwing shade at non-compliant clients.

Final thoughts from the Wi-Fi trenches:

802.1X is like the bouncer at the front door of your wireless network. It doesn’t care if your device looks fancy – it wants proof. And in the age of WPA3, zero-trust, and quantum-doomsday-prepping, having 802.1X as your frontline makes your WLAN less of a wild west and more of a high-security vault – with decent throughput.

Alright, so who's doing what in this 802.1X drama?

Look, 802.1X ain’t some magic firewall. It's all about three amigos – the Supplicant, the Authenticator, and the big boss in the back – the Authentication Server. Together they decide who gets in and who stays out of your sweet, sweet Wi-Fi.

1. Supplicant (the beggar, a.k.a. the device tryna get in)

Connection attempt: The Supplicant starts the whole party by saying "Hey AP, lemme in!"
Open Auth: First comes a boring handshake (802.11 open system auth + association). Zero security, just waving hello.
EAP chatter: The Supplicant then sends EAP messages to the Authenticator – "Here’s my creds, check with the boss."
PMK magic: After the server says "You good", both Supplicant and Auth server cook up a PMK (key material – not the kind you cook with... sadly).
Handshake hustle: Supplicant joins the 4-way handshake dance to bake final session keys – PTK for 1-on-1 talk and GTK for broadcast shoutouts.
Data at last: Once the handshake’s done, traffic’s finally encrypted and it’s Netflix & Wi-Fi time.
Device zoo: Supplicants come in all shapes – Windows, Mac, Linux, maybe even your toaster. But a lotta stuff (like old printers) just can’t do 802.1X. Sad but true.

2. Authenticator (the gatekeeper a.k.a. AP or Controller)

Middleman job: It passes EAP messages between the Supplicant and the Auth Server like a digital postman.
Port biz: Got two ports – Controlled (locked till you're in) and Uncontrolled (used just for the EAP stuff).
Locks stay locked: Controlled port stays shut tight until keys are set and trust is earned.
Key party: Authenticator runs the 4-way handshake, takes the PMK from the server, and whips up session keys with the client.
GMK/GTK cookin’: Also makes Group Master Key (GMK) to later get the GTK – so group messages stay private.
WPA3-Enterprise 192 snobbery: In that mode, the Authenticator gotta send extra security info to RADIUS – making sure the client isn’t some Wi-Fi poser.

3. Authentication Server (a.k.a. The RADIUS Overlord)

AAA boss: This server runs the whole AAA game: Auth, Authorize, Account. It’s the final judge of who’s worthy.
Cred checker: Sees your username/password, certs, or magic token and says "Yeah, or nah."
LDAP homie: Can use its own local list or hook into LDAP or Active Directory, for that enterprise vibe.
MSK → PMK: After auth, it derives a Master Session Key (MSK), turns it into a PMK, and shoots it over to the Authenticator.
Mutual auth, baby: In secure setups (RSNA), the server also proves it’s not an impostor – so both sides trust each other. No evil twins allowed!
Access control: Can say stuff like “Put this guy in VLAN 42” or “No printer for you!”
Accounting logs: Keeps track of who did what and when. You know, for audits, billing, or just nerd bragging rights.

It's like a Wi-Fi bouncer team

802.1X brings together these three bad boys to keep your wireless airspace clean, controlled and secure. Supplicants ask, Authenticators forward the ask, and the RADIUS server lays down the law. No shared passwords, no guessing games, just identity-driven, per-session encryption like the grown-up networks do. Get with it, or get sniffed!

How the 802.1X Show Unfolds

1. Finding the Party (BSS Discovery + 802.11 State Machine)

Client sniffs out Access Points – either by listening to beacons (lazy) or sending probes (needy).
AP says “Here’s what I support” via beacon, probe responses, etc.
Client goes through Open System Authentication and association. Zero security here, just paperwork.
Controlled Port on AP stays locked down. Only EAP traffic allowed through the Uncontrolled Port. Client's still in the lobby.

2. EAP Dance Begins

After association, EAPoL starts the engine. Either the AP says "Hello EAP!" or client yells "Start me!".
Client sends EAP-Response with ID.
Authenticator passes that stuff to RADIUS via RADIUS Access Request. Yep, more protocols.
RADIUS talks to LDAP or Active Directory – someone’s gotta verify the client’s story.
There’s a whole bag of EAP methods: EAP-TLS, PEAP, TTLS, GTC, you name it.
Once the RADIUS Server is happy, it says “EAP-Success”, and the 4-way-handshake gets summoned.

3. The Mighty 4-Way Handshake

This is where real keys get made. PMK turns into PTK and GTK. Like cooking with fire now.
Authenticator throws out an ANonce (its own random bit).
Supplicant replies with SNonce, RSNE and a MIC (message integrity check, not a microphone).
Authenticator hashes it all together, sends GTK and confirms MIC back.
Supplicant says “got it”, confirms key install – handshake complete.

4. Let the (Encrypted) Party Begin

Now that both sides trust each other and have the right keys, real data finally flows.
Encryption? CCMP with AES, please. No WEP, no TKIP – those are fossils. Let 'em rot.

Pro Tips for the Curious and the Doomed

Wanna capture traffic? Sniff the 4-way-handshake. Miss it, and you’re in the dark, buddy.
Layer 3 info? Encrypted. No key = no IP address visibility.
Got auth issues? Check for fat fingers, mismatched EAP methods, or just plain bad passwords.

802.1X ain’t for the faint-hearted, but once it’s up, it’s solid. Each session gets its own keys. RADIUS does the hard thinking. Clients don’t share keys like in those sloppy PSK setups. It's secure, scalable, and snarky – just like a good admin should be.

Alright, so here comes the EAP Stuff (a.k.a. Extensible Authentication Protocol)

So yeah, once your device did that boring 802.11 association part – and the controlled port is still sittin’ there all blocked – we move into the real spicy part: EAP time.

First move? Either the AP drops an EAP-Request, or the client (we call it the Supplicant – fancy, right?) throws an EAPoL-Start frame into the void.
The Supplicant shouts back with an EAP-Response containing their ID – something like “Hey, it's me!”
All that chat goes over EAP over LAN (EAPoL) – yeah, even on Wi-Fi, we LAN around. It just works.
The AP (Authenticator) doesn’t really care what’s inside. It’s just the messenger – forwards the whole thing as a RADIUS Access Request to the real boss: the Auth Server.
RADIUS does the heavy lifting, checking stuff against LDAP or good old Active Directory. Old-school meets enterprise vibes.
Lots of EAP types out there – EAP-MD5, EAP-TLS, EAP-TTLS, EAP-PEAP, EAP-GTC, EAP-SIM, PEAP – pick your flavor of authentication pain.
If the RADIUS server’s happy with what it sees, it sends back a shiny EAP-Success.
And boom – that’s your cue to head straight into the 4-Way Handshake. Bring your Nonces!

Heads up, folks! EAP-MD5 is like using a wet paper lock – no mutual auth, no key gen, easy to crack. Not cool for Wi-Fi, just don’t.

Note: If all this feels like way too much talking before actual data flows – yeah, that’s enterprise security for ya.

RADIUS – The Big Boss Behind the Wi-Fi Gate

Alright folks, meet RADIUS – your network's bouncer, accountant, and access cop, all rolled into one. It's the go-to guy for AAA: Authentication, Authorization, and Accounting – and it’s always watching. If you’re rockin’ 802.1X with EAP in an enterprise WLAN, this is the heartbeat behind your secure connections.

What does it actually do?

Authentication: Checks if you’re legit – username, cert, password, whatever – against Active Directory or some internal list from IT hell.
Authorization: Tells you what you’re allowed to do: VLAN? Bandwidth? VIP Lounge? Yup, RADIUS decides.
Accounting: Keeps tabs on your moves – forensics, billing, and all the juicy logs. No hiding here.

How does it play in the 802.1X club?

It sits in the backroom, chatting with your AP (aka Authenticator) over a wired link while you try to get in.
The AP forwards your EAP drama to RADIUS, who checks your story and gives a green light – or not.
Once approved, it hands out a PMK (Pairwise Master Key) like candy, which powers up your encryption handshake magic.
WPA3-Enterprise 192? Yup, RADIUS checks if you brought strong enough crypto muscle before letting you party.

Under the hood

Runs mostly over UDP (1812 auth / 1813 accounting), but can do TCP too. Old-school ports 1645/1646 still hang around for nostalgia.
Uses digital certs to prove it's not some sketchy impostor.
Shares a “secret handshake” (aka shared secret) with your APs to block rogue boxes from sneaking in.

A little history & why it matters

Back in the day, RADIUS managed dial-up dinosaurs – now it rules enterprise Wi-Fi kingdoms. Without it, there’s no solid 802.1X/EAP dance, no mutual trust, and your network's as good as wide open.

RADIUS is the brain and backbone of real wireless security. Skip it, and you're basically handing out backstage passes to hackers.

The Authenticator – Your Network’s Gatekeeper with Attitude

Say hi to the Authenticator – that misunderstood dude in Wi-Fi security who decides who gets in and who stays outside looking sad. In 802.1X land, it's the bouncer between your client (Supplicant) and the big brain in the back (RADIUS server).

Who is this guy?

Usually a Wi-Fi Access Point (AP) or some sleek WLAN controller running the show.
It’s not doing the actual brainwork – it just knows how to forward your drama to the RADIUS overlord.

Middleman Vibes

Catches EAP messages from the client and tosses them to the RADIUS server like a relay champ.
Receives the verdict, gives or denies entry, then lets the real handshake magic begin.

Controlled vs. Uncontrolled Ports

Uncontrolled Port: Only does one thing – lets your device beg for access (aka sends EAP).
Controlled Port: Closed till you're officially cool. No DHCP, no data, no nothing.
Once you’re in, it's handshake time and the doors open.

Keys, Handshakes & More Nerdy Goodness

Gets the PMK from RADIUS like a backstage pass.
Does the 4-Way Handshake with the client – four messages to make sure both sides are in sync, encrypted, and ready to rock.
Also cooks up the Group Temporal Key (GTK) using its own master recipe (the GMK).

WPA3-Enterprise 192 – No Slackers Allowed

This ain't basic security anymore. APs have to tell RADIUS what kind of crypto the client brought to the table.
If it’s weak sauce, access gets denied. Straight up.

Setup 101 & Street Smarts

Needs the RADIUS IP, port, and a Shared Secret – like a secret handshake between friends. Clients don’t know it. Hackers shouldn’t either.
Also helps sniff out rogue devices, weird traffic, and stuff your grandma wouldn’t approve of. WIPS style.

The Authenticator is the front door muscle with just enough brains to say “hold up, lemme ask my boss.” Configure it right, or your Wi-Fi becomes a welcome mat for the bad guys.

The Supplicant – your device tryna get in

In Wi-Fi land, especially when we talkin’ 802.1X, the Supplicant is just your regular client device trying to say: "Hey, lemme in!" – but with some ID. It’s the one that kicks off the whole dance to prove it’s legit before accessing the network vibes.

Who dis?

It’s your laptop, phone, IoT toaster – anything tryna jump on Wi-Fi securely.
It talks to the Authenticator (like the AP) who checks in with the RADIUS server (the actual gatekeeper).
The Supplicant’s job? Talk nice, show ID, prove it belongs.

Step-by-step drama

Open System Auth: Says "hello world" to the AP. No real security here, just networking foreplay.
802.1X kicks in: Sends ID via EAP to the Authenticator. Stuff only flows through the Uncontrolled Port.
Credentials time: It hands over its secrets – username, certs, or whatever’s needed – gets passed to the RADIUS brain.
Match your EAP type: If it speaks a different EAP language than the server, that’s a no-go. Certificates may be needed too.

Key things about keys

Once verified, the Supplicant and server cook up a PMK (big ol' master key).
Then comes the 4-way handshake party with the AP – they exchange Nonces, check MICs, and whip up PTK & GTK to encrypt your vibes.

In WPA3 world

WPA3-Personal: Supplicant still types in a passphrase, but SAE makes it strong and secret-friendly. Bye-bye dictionary attacks.
WPA3-Enterprise 192: Supplicant has to show it’s using strong crypto (TLS suites) or the server’s like "Nope."
OWE: You just connect – it secretly does a Diffie-Hellman key party without askin’ you for passwords.

Roaming game

When you move to another AP, Supplicant tries to skip the re-auth queue using PMKID.
It might use OKC or the cool-kid method 802.11r (FT), to pre-calculate PTKs and keep streaming smooth.

Watch your back

KRACK attacks: If the handshake gets replayed, Supplicant might reinstall keys and boom – encrypted stuff goes plaintext.
Bad configs: Wrong certs? Typo in password? You're not getting in.
Rogue APs: If the Supplicant ain’t picky, it’ll connect to the first thing that asks nicely – even if it’s an evil twin.
MAC & info leak: Even before handshake, it’s shouting its MAC and SSID interests – perfect bait for creepers.

The Supplicant's that hopeful guest at the club door. But whether it gets in, stays safe, or spills secrets depends on how smart, picky, and paranoid it is. Set it up right or you’re toast – Wi-Fi toast.

WPA2-Enterprise vs. WPA3-Enterprise – Same game, stricter rules

So here’s the thing: both WPA2 and WPA3 Enterprise use 802.1X to keep the Wi-Fi party private. But WPA3 ain't playin’ nice with old tricks. It steps the game up with better locks, tougher rules, and no more free rides for lazy configs.

PMF – Now it’s serious business

WPA2-Enterprise: PMF? Optional. You could use it, or not. And yeah, that left the door open for sneaky deauth attacks.
WPA3-Enterprise: No mercy. PMF is mandatory. If your client doesn’t support it? No entry, pal.

Cipher stuff – No more ancient magic

WPA2: AES is the way, but oldschool TKIP/RC4 still hangin’ in there… like that one dude with Windows XP.
WPA3: Hard cutoff. No TKIP, no WEP. Just fresh, clean crypto – 128-bit AES minimum or don’t bother showing up.

192-bit mode – Hardcore WPA3-Enterprise

We’re talking Suite B / CNSA level here. If your client isn’t cryptographically jacked, it’s not gettin’ in:

AES-GCM-256 – strong enough to keep spies out.
HMAC-SHA384 – because hashing ain’t just for breakfast.
ECDH & ECDSA P-384 – fancy math for key exchange and signatures.
No legacy devices allowed – even if they smile and handshake real nice.

RADIUS now wants receipts

WPA2: Authenticator passed just the basics to the RADIUS server.
WPA3 (192-bit): Nah. It’s sending the whole crypto resume. TLS cipher suite? Curve used? Signature scheme? RADIUS wants it all. If it don’t match the golden checklist – access denied.

User feels?

None. Nada. Zip. Users don’t notice a thing. Same Wi-Fi connect screen. But under the hood? It's full armored mode. Hackers cry. Admins smile.

WPA3-Enterprise takes the 802.1X model from "kinda secure" to "you-shall-not-pass" levels. No legacy junk, no weak crypto, and no shortcuts. It’s the grown-up version of Wi-Fi security – ready for real threats, without freaking out the users.

If you got the feeling now like “Yeah, I totally get Wi-Fi!” – then uh... nope. That was just a bit 802.1X, my friend. There’s a whole bookshelf waitin’ for you if you wanna be a real Wi-Fi geek. CWNA, CWDP, CWSP, CWAP... yeah, it’s a ride. Buckle up.

Just a quick FYI:
This article’s got no tables or fancy graphics – on purpose. It’s built that way so screen readers and text-to-speech tools don’t freak out. Keepin’ it clean for the accessibility crew.

Heads up, Wi-Fi nerds:
This whole guide was put together using the CWNP books CWAP-404, CWAP-402 and CWSP-207. All the dive-in stuff about 802.1X, 802.11 weirdness, and packet wrangling comes straight outta those.

Details: Written by: Enrico Aderhold; Created: 15 June 2023; Hits: 11186