Wi-Fi is a Passion


Security - WPA2-Enterprise

In a previous blog, I mentioned the differences between personal and enterprise security. Personal uses a Pre-Shared Key and enterprise uses the 802.1X framework for authentication. It doesn’t matter that we are using Open System Authentication, since WPA2-personal and WPA2-enterprise is secure enough. After the Open System Authentication, you will see the EAP frames. In the below screenshot, you will see the whole process. Starting with the authentication and association frames (without the Ack-frames), then you will see all the EAP frames with EAP-PEAP and at the end the 4-way handshake.


In 802.1X are three components. You have the Supplicant (client), the Authenticator (access point or the controller) and the last one is the Authenticator Server (RADIUS/TACAS). The EAP frames are between the supplicant and the authenticator. The RADIUS protocol is between the authenticator and the authenticator server. For the last part, you need to capture on the wired site of the authenticator.


As you can see in the above screenshots, the 802.1X authentication is between the Open System Authentication and the 4-way handshake. The 4-way handshake is discussed in the WPA2-Personal blog.

There are multiple EAP types (in this example it is EAP-PEAP). All the different kind of EAPs belongs to the CWSP study material and will not be discussed here. For troubleshooting it is important that you know what kind of frames you can expect between the Open System Authentication and the 4-way handshake.


As you can see in the trace and in the EAP-PEAP process, the authenticator starts with an EAP Request, the supplicant replies with an EAP Response. This is to let the authenticator know who wants to authenticate to the network. After this, the authenticator sends an access request to the authenticator server. From this point, depending on the EAP type, there will be multiple frames for the secure authentication. EAP-PEAP uses a TLS-based encryption tunnel. All the frames after the established tunnel will be encrypted. After all the EAP frames the authentication server reply with an Access Accept or Failure and the authenticator transmit this Access Accept or Failure to the supplicant. When the access is accepted the 4-way handshake starts.