Wireless Security: WPA3, 802.1X, RADIUS, EAP, WIDS/WIPS, Rogue AP Detection และ Enterprise WiFi
Wireless security protects WiFi networks against unauthorized access and attacks. WPA3 is the latest encryption standard and closes weaknesses of WPA2; 802.1X provides port-based authentication; RADIUS is the AAA server used for centralized authentication; EAP is the authentication framework that supports several methods; WIDS/WIPS detect and prevent wireless attacks; Rogue AP Detection finds unauthorized access points; and Enterprise WiFi brings all of these together into a secure wireless deployment.
WiFi is the largest attack surface in the enterprise: radio waves do not stop at the building walls, so an attacker sitting outside the building can still sniff traffic. Evil twin APs (fake APs using the same SSID), deauthentication attacks, the WPA2 KRACK vulnerability, and rogue APs that employees plug in themselves: every one of these problems calls for a comprehensive wireless security strategy.
WPA Evolution
| Standard | Encryption | Key Exchange | Status |
|---|---|---|---|
| WEP | RC4 (40/104-bit) | Static shared key | Broken (cracked in minutes) — NEVER use |
| WPA (TKIP) | RC4 + TKIP (per-packet key) | 4-way handshake (PSK or 802.1X) | Deprecated — weak, avoid |
| WPA2 (CCMP) | AES-CCMP (128-bit) | 4-way handshake (PSK or 802.1X) | Current standard — vulnerable to KRACK, PMKID |
| WPA3 (SAE) | AES-CCMP/GCMP (128/192-bit) | SAE (Dragonfly handshake) | Latest — forward secrecy, stronger security |
WPA3 Features
| Feature | WPA2 | WPA3 |
|---|---|---|
| Key Exchange | 4-way handshake (PSK) | SAE (Simultaneous Authentication of Equals) |
| Offline Dictionary Attack | Vulnerable (capture handshake → brute force offline) | Protected (SAE prevents offline attacks) |
| Forward Secrecy | No (compromised PSK → decrypt all past traffic) | Yes (each session has a unique key) |
| Open Networks | No encryption (public WiFi) | OWE (Opportunistic Wireless Encryption) — encrypted without a password |
| Enterprise | No 192-bit mode | WPA3-Enterprise 192-bit mode (CNSA suite for government) |
| PMF | Optional | Mandatory (Protected Management Frames — prevent deauth attacks) |
802.1X Authentication
| Component | Role |
|---|---|
| Supplicant | Client device requesting access (laptop, phone) — runs the 802.1X client |
| Authenticator | AP or switch that enforces authentication — relays messages between the supplicant and the server |
| Authentication Server | RADIUS server that verifies credentials — grants/denies access and pushes policies |
| Flow | Supplicant → EAPoL → Authenticator → RADIUS → Auth Server → Accept/Reject → VLAN assignment |
EAP Methods
| Method | How | Security | Complexity |
|---|---|---|---|
| EAP-TLS | Mutual certificate authentication (client + server certs) | Strongest (no passwords) | High (PKI infrastructure needed) |
| PEAP (EAP-MSCHAPv2) | Server cert + username/password in TLS tunnel | Good (most common enterprise) | Medium (server cert + AD credentials) |
| EAP-TTLS | Server cert + inner auth (PAP, CHAP, MSCHAPv2) | Good (similar to PEAP) | Medium |
| EAP-FAST | Cisco proprietary — PAC (Protected Access Credential) | Good (no cert needed) | Low (Cisco-only) |
| EAP-SIM/AKA | SIM card authentication (mobile devices) | Good (carrier-grade) | Low (requires carrier) |
RADIUS
| Feature | Detail |
|---|---|
| What it is | Remote Authentication Dial-In User Service — AAA protocol for network access |
| Authentication | Verify user identity (username/password, certificate, token) |
| Authorization | Assign policies: VLAN, ACL, bandwidth limit, session timeout |
| Accounting | Log session: start/stop time, bytes transferred, duration |
| Products | Cisco ISE, Aruba ClearPass, FreeRADIUS, Microsoft NPS, FortiAuthenticator |
| Protocol | UDP 1812 (auth) + 1813 (accounting) — encrypts only the password (not the whole packet) |
| RadSec | RADIUS over TLS — encrypts the entire packet (more secure for cloud/WAN) |
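The two protocol rows above (only User-Password is hidden, and the Authorization row's VLAN assignment rides in cleartext attributes) can be seen directly on the wire. The Python below is an added example written for this article, not code from FreeRADIUS, Cisco ISE or any product named here; the shared secret, NAS address, username, password and VLAN id are constructed values, and the packet and attribute layouts follow RFC 2865 (User-Password hiding, Response Authenticator) and RFC 2868 (Tunnel-* attributes for dynamic VLAN).

```python
"""Minimal RADIUS (RFC 2865/2868) encoder and response verifier.

Added example for this article; not code from any RADIUS product.
Secret, username, password, NAS address and VLAN id are constructed values."""
import hashlib
import hmac
import secrets
import struct

# RADIUS packet codes (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
# Attribute types used here (RFC 2865 / RFC 2868)
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6


def _hide_blocks(data, secret, request_auth, hiding):
    """RFC 2865 section 5.2: each 16-byte block is XORed with
    MD5(secret + previous hidden block), seeded with the Request Authenticator."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        xored = bytes(x ^ y for x, y in zip(block, mask))
        out += xored
        prev = xored if hiding else block   # chaining always uses the hidden block
    return out


def hide_password(password, secret, request_auth):
    """Pad with NULs to a multiple of 16 bytes (at least 16), then hide."""
    padded_len = max(16, -(-len(password) // 16) * 16)
    return _hide_blocks(password.ljust(padded_len, b"\x00"), secret, request_auth, hiding=True)


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password: what the RADIUS server does with the shared secret."""
    return _hide_blocks(hidden, secret, request_auth, hiding=False).rstrip(b"\x00")


def attr(attr_type, value):
    """Type-Length-Value attribute; Length counts the two header bytes."""
    assert len(value) <= 253
    return bytes([attr_type, len(value) + 2]) + value


def tunnel_attr(attr_type, value, tag=0):
    """Tunnel attributes (RFC 2868) carry a one-byte Tag before the value; 0 = unused."""
    return attr(attr_type, bytes([tag]) + value)


def parse_attrs(data):
    attrs, i = [], 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident, username, password, secret, nas_ip, request_auth=None):
    """Access-Request as the NAS (AP or wireless controller) sends it.
    Only User-Password is hidden; every other attribute travels in cleartext."""
    request_auth = request_auth or secrets.token_bytes(16)   # must be unpredictable
    attrs = attr(USER_NAME, username.encode())
    attrs += attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    attrs += attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def build_access_accept(request, secret, vlan_id):
    """Access-Accept carrying a dynamic VLAN assignment (Tunnel-* attributes).
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    ident, request_auth = request[1], request[4:20]
    attrs = tunnel_attr(TUNNEL_TYPE, struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])
    attrs += tunnel_attr(TUNNEL_MEDIUM_TYPE, struct.pack("!I", TUNNEL_MEDIUM_IEEE802)[1:])
    attrs += tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, vlan_id.encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(response, request, secret):
    """The NAS must check this before honouring Accept/Reject: a reply forged
    without the shared secret, or with altered attributes, fails here."""
    header, response_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth) and response[1] == request[1]


def assigned_vlan(response):
    """Extract Tunnel-Private-Group-ID; the tag byte is only present when <= 0x1F."""
    for attr_type, value in parse_attrs(response[20:]):
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            return (value[1:] if value[0] <= 0x1F else value).decode()
    return None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req = build_access_request(42, "alice", "Winter2024!", secret, "192.0.2.10")
    print("username in cleartext:", b"alice" in req)        # True
    print("password in cleartext:", b"Winter2024!" in req)  # False
    acc = build_access_accept(req, secret, "20")
    print("authentic:", verify_response(acc, req, secret), "VLAN:", assigned_vlan(acc))
```

Run as a script to see the username in cleartext beside a hidden password. The hiding depends entirely on the shared secret and an unpredictable Request Authenticator, which is why a weak shared secret, or RADIUS carried over an untrusted WAN, is exactly the case where RadSec (TLS around the whole packet) matters.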
WIDS/WIPS
| Feature | WIDS | WIPS |
|---|---|---|
| Full Name | Wireless Intrusion Detection System | Wireless Intrusion Prevention System |
| Function | Detect wireless attacks/anomalies → alert | Detect + actively prevent (containment) |
| Rogue AP | Detect unauthorized APs on network | Detect + contain (send deauth to clients of rogue AP) |
| Evil Twin | Detect AP spoofing legitimate SSID | Detect + contain |
| Deauth Attack | Detect mass deauthentication frames | Alert + WPA3 PMF prevents |
| Implementation | Dedicated sensors or AP scanning mode | Same + active countermeasures |
| Products | Cisco WLC/DNA, Aruba/HPE, Mist (Juniper), Meraki | Same vendors (integrated in wireless controllers) |
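The Rogue AP, Evil Twin and Deauth Attack rows above come down to two checks a sensor can run over what it hears: compare every advertising BSSID/SSID against the authorized AP inventory, and count deauthentication frames per source in a sliding window. The Python below is an added example written for this article, not code from Cisco, Aruba, Mist, Meraki or any other WIDS product; the AP inventory, the beacon observations and the deauth timestamps are constructed sample data, and the thresholds are assumptions.

```python
"""Toy WIDS logic: rogue / evil-twin classification and deauth-flood detection.

Added example for this article, not code from any WIDS/WIPS product.
The AP inventory and the observed frames below are constructed sample data."""
from collections import defaultdict, deque

# Authorized AP inventory as a WIDS holds it: BSSID -> SSID it is allowed to advertise (constructed)
AUTHORIZED_APS = {
    "aa:bb:cc:00:00:01": "CorpWiFi",
    "aa:bb:cc:00:00:02": "CorpWiFi",
    "aa:bb:cc:00:00:03": "CorpGuest",
}

# Beacons heard by a sensor: (bssid, ssid, channel); constructed
SAMPLE_BEACONS = [
    ("aa:bb:cc:00:00:01", "CorpWiFi", 6),
    ("aa:bb:cc:00:00:02", "CorpWiFi", 11),
    ("aa:bb:cc:00:00:03", "CorpGuest", 6),
    ("de:ad:be:ef:00:01", "CorpWiFi", 6),    # unknown BSSID advertising the corporate SSID
    ("11:22:33:44:55:66", "TP-LINK_5G", 1),  # unknown BSSID, unknown SSID
]

# Deauthentication frames heard by the sensor: (timestamp_seconds, bssid); constructed
SAMPLE_DEAUTHS = (
    [(100.0 + i * 0.05, "de:ad:be:ef:00:01") for i in range(40)]   # 40 frames in ~2 s
    + [(100.0, "aa:bb:cc:00:00:01"), (130.0, "aa:bb:cc:00:00:01")]  # normal, sporadic
)


def classify_aps(beacons, authorized):
    """Return {bssid: finding} for every AP that needs attention.
    evil-twin:     unknown BSSID advertising one of our SSIDs
    unknown-ap:    unknown BSSID and SSID (a neighbour, or a rogue plugged into our LAN;
                   needs a wired-side check before any containment decision)
    ssid-mismatch: an inventory BSSID advertising a different SSID (config drift or spoofing)"""
    our_ssids = set(authorized.values())
    findings = {}
    for bssid, ssid, _channel in beacons:
        if bssid in authorized:
            if authorized[bssid] != ssid:
                findings[bssid] = "ssid-mismatch"
        elif ssid in our_ssids:
            findings[bssid] = "evil-twin"
        else:
            findings[bssid] = "unknown-ap"
    return findings


def detect_deauth_flood(frames, window=5.0, threshold=20):
    """Sliding-window count of deauth frames per BSSID (window and threshold are assumptions).
    Returns {bssid: peak_count_in_window} for sources that reach the threshold."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, bssid in sorted(frames):
        q = recent[bssid]
        q.append(ts)
        while ts - q[0] > window:          # drop frames older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[bssid] = max(alerts.get(bssid, 0), len(q))
    return alerts


def wids_report(beacons, deauths, authorized):
    """Combine both detectors into alert records a SOC pipeline could forward."""
    alerts = []
    for bssid, finding in classify_aps(beacons, authorized).items():
        alerts.append({"type": finding, "bssid": bssid})
    for bssid, count in detect_deauth_flood(deauths).items():
        alerts.append({"type": "deauth-flood", "bssid": bssid, "frames_in_window": count})
    return alerts


if __name__ == "__main__":
    for alert in wids_report(SAMPLE_BEACONS, SAMPLE_DEAUTHS, AUTHORIZED_APS):
        print(alert)
```

The same unknown BSSID shows up in both detectors here, which is the typical evil-twin picture: a fake AP advertising the corporate SSID while deauthenticating clients off the real one. Note the design choice that an unknown SSID is reported as "unknown-ap" rather than "rogue": a WIDS cannot tell a neighbour's AP from a rogue on the corporate LAN by radio alone, and containing a neighbour's network is both wrong and, in many jurisdictions, illegal.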
Enterprise WiFi Best Practices
| Practice | Detail |
|---|---|
| WPA3-Enterprise | Use WPA3 with 802.1X (PEAP or EAP-TLS) — not PSK for enterprise |
| Separate SSIDs | Corporate (802.1X), Guest (captive portal), IoT (isolated VLAN) |
| RADIUS + AD | Integrate RADIUS with Active Directory — user credentials for WiFi auth |
| Dynamic VLAN | RADIUS assigns VLAN based on user role (employee, contractor, guest) |
| PMF Enabled | Protected Management Frames — mandatory for WPA3, prevents deauth attacks |
| Rogue Detection | Enable WIDS/WIPS on all APs — detect and contain unauthorized APs |
| RF Design | Proper AP placement, channel planning, power adjustment — minimize signal outside the building |
| Client Isolation | Enable on guest network — prevent guest-to-guest communication |
In closing: Wireless Security = Encryption + Authentication + Monitoring
- WPA3: SAE (no offline attack), forward secrecy, OWE (encrypted open), mandatory PMF
- 802.1X: supplicant → authenticator (AP) → RADIUS server → dynamic VLAN/policy assignment
- EAP: EAP-TLS (strongest, certs), PEAP (most common, password + cert), EAP-TTLS, EAP-FAST
- RADIUS: AAA server (Cisco ISE, ClearPass, FreeRADIUS), integrate with AD, dynamic VLAN assignment
- WIDS/WIPS: detect rogue APs, evil twins, deauth attacks → contain (send deauth to rogue clients)
- Best Practices: WPA3-Enterprise, separate SSIDs, RADIUS + AD, dynamic VLAN, PMF, rogue detection, RF design
- Key: WPA3 + 802.1X + RADIUS = strong auth + encryption | WIDS/WIPS = continuous monitoring | both are needed for enterprise
Read more about WiFi 7 (802.11be, MLO, 320 MHz, 4096-QAM) and Network Access Control (802.1X NAC, Zero Trust) at siamlancard.com, or from icafeforex.com and siam2r.com.