Wireless is one of those Security+ topics where the study guides just throw a wall of acronyms at you. WPA2, WPA3, PSK, SAE, 802.1X, EAP, PEAP, EAP-TLS, RADIUS. People try to memorize the list, then freeze when a scenario question asks which one actually fits.
Here is the good news. You do not need that whole pile in your head. Almost every wireless question on SY0-701 is really asking one of two things:
- Which generation is running, WPA2 or WPA3, and what changed between them.
- How people prove who they are: one shared password for the whole network, or a separate identity per user.
Get those two forks straight and the acronyms fall into place.
Fork one: WPA2 versus WPA3, and why the handshake matters
WPA2 has been the default for years. Its weak spot is the handshake. When a device joins a WPA2 network with a pre-shared key, the two sides run a four-way handshake to prove they both know the password and to set up a session key. Here is the problem. An attacker sitting nearby can capture that handshake and walk away with it. Offline, disconnected from the network, they throw billions of password guesses at the capture until one lands. No lockout. No rate limit. Nothing to stop them but the strength of your passphrase. In some cases they do not even need a client to connect, because the PMKID from the access point is enough.
WPA3 changes the exact part that made all of that possible. It swaps the old key exchange for SAE, Simultaneous Authentication of Equals, sometimes called the Dragonfly handshake. The idea that matters for the exam: the password never crosses the air in a form an attacker can crack offline. Both sides prove they know it without handing over anything a captured recording could be brute-forced against. That kills the offline dictionary attack that haunted WPA2.
Two more WPA3 properties show up in questions:
- Forward secrecy. Each session gets its own key. Record my traffic today, crack the password a year from now, and the old traffic still does not open. In WPA2 that same crack would decrypt everything the attacker had saved.
- Management frame protection. WPA3 requires it, which makes the classic deauthentication attack (spamming frames to kick clients off the network) much harder to pull off.
One honest caveat, so a tricky question does not catch you. WPA3 transition mode runs WPA3 and WPA2 at the same time for compatibility, and it can be downgraded back to WPA2 and attacked the old way. Mixed mode is a convenience. It is not full protection.
Fork two: Personal versus Enterprise
This is the fork people skip, and it hides a lot of points.
Personal mode (also called PSK) uses one shared passphrase for the entire network. Everyone who connects types the same secret. Simple, and fine for a home or a small shop, but you cannot tell one user from another, and if the passphrase leaks you are changing it for everybody at once.
Enterprise mode drops the shared password entirely. It uses 802.1X, which pulls in a separate authentication server, almost always RADIUS. Now every user logs in with their own credentials. Someone leaves the company? You disable their one account, and nobody else has to reset anything. That per-user identity is the whole reason Enterprise exists, and it is usually the answer when a scenario mentions many users, central management, or the need to cut off one person's access.
802.1X has three roles, and CompTIA likes to test them by name:
- Supplicant: the device trying to join.
- Authenticator: the access point or switch that gates the connection.
- Authentication server: the RADIUS box that actually makes the decision.
Where EAP fits
EAP is a framework rather than a single protocol. It is the language 802.1X uses to carry the real authentication, and the variants are what get tested:
- EAP-TLS: both the server and the client present certificates. Strongest of the bunch, and the hardest to phish, but you have to run a certificate infrastructure and put a cert on every device.
- PEAP: only the server needs a certificate. It builds an encrypted tunnel first, then the user authenticates inside it, often with a username and password. Less setup than EAP-TLS.
- EAP-TTLS: same tunnel idea, a little more flexible about what runs inside.
- EAP-FAST: Cisco's take, using a protected credential in place of a server certificate.
The shortcut: if a question stresses certificates on both ends, think EAP-TLS. If it stresses a server certificate plus a tunnel for username-and-password logins, think PEAP.
The two questions, again
When a wireless scenario shows up, do not go hunting for the acronym you memorized. Ask:
- WPA2 or WPA3, and is the weak spot the offline-crackable handshake? If the fix kills offline attacks and adds forward secrecy, that is SAE, which means WPA3.
- One shared password, or an identity per user with a RADIUS server behind it? Shared is Personal/PSK. Per-user is Enterprise with 802.1X and EAP.
Answer those two and you have handled most of what the exam throws at you here.
Want to drill this instead of just reading about it? The free diagnostic at secplusmastery.com/diagnostic shows you fast whether the wireless objectives are solid or still fuzzy, and the full course at secplusmastery.com has the labs and question bank to close the gap.
Top comments (0)