Wireless - WPA3

Wireless - Wi-Fi Protected Access (WPA)


The [Wireless - Wi-Fi Protected Access (WPA)](/wireless-wi-fi-protected-access-wpa) 4-way handshake is a security process used in wireless networks to validate a client device's access to a secure [Wi-Fi](/wireless-wi-fi-ieee-80211) network and to negotiate a session key for encrypting the data. This handshake is part of the WPA, WPA2, and [WPA3](/wireless-wpa3) protocols, which are designed to provide secure wireless communication. Here's how the 4-way handshake works:

1. **Authentication**: The process begins with the client device (like a smartphone or laptop) requesting access to a wireless network.
2. **ANonce (Authenticator [Nonce](/security-ipsec-nonce))**: The access point (router) responds to the client's request by sending a unique value called the ANonce (Authenticator Nonce), which is used in the encryption key generation process.
3. **SNonce (Supplicant Nonce)**: The client device then sends back another unique value known as the SNonce (Supplicant Nonce), along with information that verifies the client's credentials (like a password or passphrase). This is also used in the key generation process.
4. **Confirmation**: The access point finalizes the process by sending a message to the client confirming that both parties have the correct encryption keys. This step ensures that both the access point and the client have authenticated each other and agree on the encryption key, which will be used to secure all subsequent communication.

The 4-way handshake uses [802.11 EAPOL-Key Frames](/80211-eapol-key-frames) and is important because it provides mutual authentication (both the client and the access point authenticate each other), and it establishes a fresh, unique encryption key for each session. This makes it much harder for attackers to intercept or tamper with the data transmitted over the network.

Links:

https://networklessons.com/cisco/ccnp-encor-350-401/introduction-to-wpa-key-hierarchy

https://networklessons.com/cisco/ccnp-encor-350-401/wpa-and-wpa2-4-way-handshake

https://forum.networklessons.com/t/eapol-extensible-authentication-protocol-over-lan/40778/3?u=lagapidis

https://networklessons.com/cisco/ccnp-encor-350-401/eapol-extensible-authentication-protocol-over-lan

Security - WPA 4-way handshake

STP - what is a topology change

STP BPDU Filter

STP BPDU Guard

STP BPDU Types

STP BPDU destination MAC address

STP Cost Calculation Methods

STP Loop Guard

STP Max Age

STP Message Age

STP PortFast

STP Portfast Options

STP Root Bridge selection

STP Root Guard

STP Topology Change (TC) flag

STP Topology Change Timer

STP UDLD and Autonegotiation

STP UDLD

STP bridge priority values

STP changing link cost

STP configuring on EtherChannel

STP configuring portfast

STP contents of a BPDU

STP cost long mode

STP cost short mode

STP determining blocked port using cost

STP direct vs indirect link failure

STP fine tuning the spanning tree protocol

STP how a switch identifies a BPDU

STP how to find the root bridge

STP interface type

STP prio nbr value

STP topology change process

Security - 802.1x with WLC and AAA server

Security - Cisco AnyConnect Secure Mobility Client

Security - Cisco Secure Client

Security - Cisco VPN Client

Security - Cisco VPN client software

Security - Diffie-Hellman groups

Security - Extensible Authentication Protocol over LAN (EAPOL)

Security - GETVPN

Security - IEEE 802.1X

Security - IOS Usernames and Passwords

Security - IPsec nonce

Security - Kerberos

Security - MAC Authentication Bypass

Security - Network Access Control (NAC)

Security - Next Generation Firewall

Security - Secure Unique Device Identifier (SUDI)

Security - WebVPN

Security - accessing VTY from another VRF

Security - assigning privilege levels, syntax and behavior

Security - bogons

Security - broadcast-multicast storm

Security - configuring TACACS from another VRF

Security - privilege levels and command output

Security - privilege levels and enable keyword

Security - public key exchange

Security - root CAs and private keys

Security - spoofing

Security - storm control algorithm

Security IKE policy hash command

Security Trusted Platform Module (TPM)

Security aaa new-model

Security authentication on VTY lines

Security keyrings

Segment Routing

Serial Interface default broadcast address

Session Border Controller

Session Initiation Protocol

Show open TCP-UDP ports on Cisco router

Spanning Tree Protocol (STP)

Spine and leaf architecture - connections to leaf switches

Spine and leaf architecture - connections to spine switches

Spine and leaf architecture - reducing latency

Split-horizon

StackWise Virtual

Stackwise election process

Stackwise user priority

Subscriber templating

Summarization

Supernetting

Switch configuring a routed port

Switch high availability options

Switch protected port limitations

Switch protected port

Switching - CEF

Switching - Media Access Control (MAC) addresses

Switching - Process switching

Switching - backplane

Switching - cut through

Switching - fast switching

Switching - show cable-diagnostics

Switching - store and forward

Switching - switch fabric

Switching - switched virtual interface (SVI)

Switching - switchport autostate command

Switching

Switchport - IEEE 802.1q

Security - WPA 4-way handshake

Links to this page: