Why is WPA Enterprise more secure than WPA2?

  • In personal mode WPA2 is more secure than WPA. However, I have read that WPA Enterprise provides stronger security than WPA2 and I am unsure exactly how this is achieved.

    Where exactly did you read this? There is no doubt `WPA2` is more secure than `WPA`. I would argue that `WPA Enterprise` is an entirely different authentication model than `WPA`.

    You don't have to argue, it is. WPA2 Personal uses Preshared Keys. That means you have to know the key and it can be shared amongst users. With enterprise, you have to have an account on a back end RADIUS server. This means that you have to have a username and password to gain access to the Wireless network.

    The PSK variants of WPA and WPA2 use a 256-bit key derived from a password for authentication.

    The Enterprise variants of WPA and WPA2, also known as 802.1X, use a RADIUS server for authentication purposes. Authentication is achieved using variants of the EAP protocol. This is a more complex but more secure setup.

    The key difference between WPA and WPA2 is the encryption protocol used. WPA uses the TKIP protocol whilst WPA2 introduces support for the CCMP protocol.

    So when using a RADIUS server, an EAP protocol will be used instead of TKIP or CCMP?

    @Unw0und No, EAP is an *authentication* protocol while TKIP and CCMP are *encryption* protocols.

    This answer isn't very informative. How is EAP “more secure”? Does it protect against more threats, or provide greater strength against brute force? What difference does TKIP vs CCMP make?

    EAP is more secure because the keying material is unique and created between client and AP rather than generated based on a known value (PSK). In personal mode, the keying material is generated based off a known value (the PSK) and anyone with that known value is able to capture the key negotiation and therefore decrypt all the resulting traffic. Additionally, with EAP, the keying material can be changed during the session, making it more secure.

    I think I could make this clarification simpler again. Put simply every user has their own "password" (key) instead of using a shared one that everyone is using.

    WPA2 Personal uses one key. Everyone with the key knows how to decrypt your computer's traffic. The WiFi segment is one big broadcast network. Wired networks will generally keep your computer's traffic private as long as the switches are secured. Your traffic goes along the wire and is handed to its destination only. Even someone plugged in to another jack can't see the traffic unless the switch is not set up correctly. WPA Enterprise gives every user their own private session key. This removes the broadcast effect. Now the WiFi network behaves like everyone has their own wire.
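The point made in the two answers above (a shared PSK means every station's session key is derived from the same secret plus values visible in the handshake) can be shown with the standard WPA2-PSK key schedule. This is an added illustration, not code from anyone in this thread; the SSID, passphrase, MAC addresses and nonces are constructed sample values.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    Every station on the network computes exactly this value, so the PMK
    is a network-wide secret, not a per-user one (contrast 802.1X/EAP,
    where the PMK comes out of each user's own EAP exchange)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, n_bytes: int) -> bytes:
    """IEEE 802.11 PRF-n built from HMAC-SHA1 (PRF-384 when n_bytes == 48)."""
    out = b""
    counter = 0
    while len(out) < n_bytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:n_bytes]


def derive_ptk(pmk: bytes, addr1: bytes, addr2: bytes, nonce1: bytes, nonce2: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(ANonce,SNonce)||max(ANonce,SNonce)).
    MACs and nonces travel in the clear in the 4-way handshake; the PMK is the only secret input.
    Layout for CCMP: KCK = bytes 0-15, KEK = 16-31, TK (the traffic key) = 32-47."""
    data = min(addr1, addr2) + max(addr1, addr2) + min(nonce1, nonce2) + max(nonce1, nonce2)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def psk_session_demo() -> dict:
    # Constructed sample network: one SSID, one shared passphrase, two parties.
    ssid, passphrase = "corp-guest", "Winter2024!"
    ap_addr = bytes.fromhex("00112233aabb")     # constructed AP MAC
    sta_addr = bytes.fromhex("66778899ccdd")    # constructed station MAC
    anonce = bytes(range(32))                   # constructed nonces (normally random)
    snonce = bytes(range(32, 64))

    pmk_station = derive_pmk(passphrase, ssid)  # what the joining station computes
    pmk_other = derive_pmk(passphrase, ssid)    # what any other PSK holder computes
    # Because the schedule uses min()/max(), argument order does not matter:
    # anyone holding the PMK and the four public handshake values gets the same PTK.
    ptk_station = derive_ptk(pmk_station, ap_addr, sta_addr, anonce, snonce)
    ptk_other = derive_ptk(pmk_other, sta_addr, ap_addr, snonce, anonce)
    return {
        "same_pmk": pmk_station == pmk_other,
        "same_ptk": ptk_station == ptk_other,
        "tk": ptk_station[32:48],
    }
```

The practical consequence for defenders is the one the answers give: rotating a leaked PSK re-keys the whole network, whereas 802.1X ties the PMK to an individual user's credential.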

