Wireless Notes
Learn wireless authentication with PSK, 802.1X RADIUS EAP framework, EAP-TLS PEAP methods, SIM-based authentication, 5G-AKA SUCI protection, and authentication selection guide for engineering students.
A comprehensive guide to authentication methods used in wireless networks — from simple Pre-Shared Keys to enterprise 802.1X frameworks and modern 5G-AKA protocols that secure billions of connections daily.
Authentication Fundamentals
What Authentication Proves
Authentication is distinct from encryption and authorization. Let us clarify these three pillars of security:
- Authentication — Verifies identity ("You are really Alice")
- Encryption — Protects data confidentiality ("Only Alice can read this message")
- Authorization — Controls access ("Alice can access the engineering VLAN but not the finance VLAN")
Authentication typically comes first — you must prove who you are before the system decides what you are allowed to do.
Authentication Factors
Authentication can rely on one or more factors:
| Factor Type | What It Means | Wireless Example |
|---|---|---|
| Something you know | Password, PIN | WiFi PSK, SIM PIN |
| Something you have | Physical token | SIM card, smart card, certificate |
| Something you are | Biometric | Fingerprint to unlock phone (indirect) |
Single-factor (password only) is common for home WiFi. Enterprise and cellular networks typically use two factors (certificate + password, or SIM card + secret key).
Pre-Shared Key (PSK) Authentication
How PSK Works
PSK is the simplest wireless authentication method — both the client and the access point share the same secret password configured in advance. When you type a WiFi password at home, you are using PSK authentication.
The process for WPA2-PSK (also called WPA2-Personal):
- Both parties derive PMK — The Pre-Shared Key and network SSID are fed into PBKDF2 (a key derivation function) with 4096 iterations of SHA-1 to produce a 256-bit Pairwise Master Key (PMK)
- Four-way handshake — Client and AP exchange nonces and derive the Pairwise Transient Key (PTK) used for actual encryption
- Key confirmation — Both sides prove they derived the same PTK without ever transmitting the PSK itself
PSK Strengths and Weaknesses
| Aspect | Assessment |
|---|---|
| Simplicity | Excellent — just one password to configure |
| Scalability | Poor — all users share the same key |
| Revocation | Difficult — changing password affects everyone |
| Offline attacks | Vulnerable — captured handshake can be brute-forced |
| Suitable for | Home networks, small offices (< 10 users) |
The critical weakness of PSK is that anyone who knows the password can decrypt any other user's traffic (since all users share the same PMK). This is unacceptable for enterprises with hundreds of employees.
802.1X / EAP Framework
Why Enterprises Need 802.1X
802.1X (also called WPA2-Enterprise or WPA3-Enterprise) solves PSK's scalability problem by giving each user unique credentials and authenticating them through a central server. Think of it as the difference between everyone sharing one house key versus each person having their own keycard that can be individually activated or deactivated.
802.1X Architecture
The 802.1X framework involves three parties:
- Supplicant — The client device requesting network access
- Authenticator — The access point that acts as a gatekeeper (passes messages between supplicant and server)
- Authentication Server — A RADIUS server (like FreeRADIUS or Microsoft NPS) that validates credentials
The access point does NOT make the authentication decision — it merely relays messages between client and RADIUS server. This centralized model means you can manage thousands of users from one server.
EAP Methods
EAP (Extensible Authentication Protocol) is a framework that supports multiple authentication methods. The most common for wireless:
| EAP Method | Authentication Type | Security Level | Deployment Complexity |
|---|---|---|---|
| EAP-TLS | Mutual certificate-based | Highest | High (PKI required) |
| PEAP (MSCHAPv2) | Server cert + user password | High | Medium |
| EAP-TTLS | Server cert + inner method | High | Medium |
| EAP-SIM | SIM card authentication | High | Carrier integration |
| EAP-FAST | Cisco proprietary, PAC-based | Medium-High | Cisco environment |
EAP-TLS — The Gold Standard
EAP-TLS requires both the server and client to present X.509 certificates. This provides mutual authentication — the client verifies the server is legitimate (preventing evil twin attacks), and the server verifies the client's identity. No passwords are transmitted. The downside is managing certificates for every device (requiring a Public Key Infrastructure).
PEAP — The Practical Choice
PEAP (Protected EAP) is the most widely deployed enterprise method. It creates a TLS tunnel using only the server's certificate, then runs MSCHAPv2 (a password-based protocol) inside this encrypted tunnel. Users log in with their Active Directory username and password. The server certificate prevents man-in-the-middle attacks, while the tunnel protects the password exchange.
Cellular Authentication — SIM-Based
3G/4G: AKA Protocol
Cellular networks use the Authentication and Key Agreement (AKA) protocol based on the SIM card. Unlike WiFi where you type a password, cellular authentication is automatic and invisible to the user. The SIM card contains a secret key (Ki) that never leaves the card.
The AKA process:
- Phone sends its IMSI (identity) to the network
- Network's HSS (Home Subscriber Server) generates a random challenge (RAND)
- HSS uses Ki and RAND to compute expected response (XRES) and session keys
- Network sends RAND + authentication token to phone
- SIM card computes response (RES) using its Ki + RAND
- Phone sends RES back; network verifies RES = XRES
- Session keys are established for encryption
The beauty of AKA is that the secret key Ki never travels over the air — only derived values do.
5G-AKA — Enhanced for 5G
5G-AKA improves on 4G with:
- SUPI concealment — The permanent identity (SUPI) is encrypted before transmission, preventing IMSI catchers from tracking users
- Home network verification — Even when roaming, the home network confirms authentication (preventing certain roaming attacks)
- Unified authentication — Same framework works across 5G, WiFi, and non-3GPP access networks
- 256-bit keys — Upgraded from 128-bit for future-proof security
Comparison of Authentication Methods
| Feature | PSK | 802.1X/EAP | SIM/AKA | WPA3-SAE |
|---|---|---|---|---|
| Credential type | Shared password | Per-user (cert/password) | SIM secret key | Password (enhanced) |
| Scalability | Low (< 20 users) | High (thousands) | Very high (billions) | Medium |
| Offline attack resistance | Low | High | Very high | High (SAE) |
| Mutual authentication | No | Yes (EAP-TLS) | Yes | Yes |
| Infrastructure needed | None | RADIUS server + certs | HSS + SIM | None (built into AP) |
| Typical use | Home WiFi | Enterprise WiFi | Cellular networks | Home/SMB WiFi |
Modern Developments
WPA3-SAE (Simultaneous Authentication of Equals)
WPA3 replaces PSK's vulnerable four-way handshake with SAE, based on the Dragonfly key exchange. Even if an attacker captures the handshake, they cannot perform offline dictionary attacks. Each session generates unique keys, providing forward secrecy.
Passpoint (Hotspot 2.0)
Passpoint automates secure authentication to public WiFi hotspots using 802.1X with credentials stored on the device — eliminating the need to manually connect and log into captive portals.
Key Takeaways
- PSK authentication is simple but does not scale — all users share one secret, making it suitable only for home networks
- 802.1X with EAP provides per-user authentication through a centralized RADIUS server, essential for enterprise security
- EAP-TLS (mutual certificates) is the most secure WiFi authentication method but requires PKI infrastructure
- Cellular AKA authentication is invisible to users and relies on the SIM card's secret key that never leaves the physical chip
- 5G-AKA adds identity privacy (SUPI encryption) and home network verification to prevent IMSI catching and roaming attacks
- WPA3-SAE eliminates offline dictionary attacks against WiFi passwords through the Dragonfly key exchange
- The trend in wireless authentication moves toward zero-trust models where every connection is individually verified regardless of network location
Exam Focus
Revise definitions, diagrams, examples, and short-answer points for Wireless Authentication Techniques PSK 802.1X EAP 5G-AKA.
Interview Use
Prepare one clear explanation, one practical example, and one common mistake for this Wireless Communications topic.
Search Terms
wireless-communications, wireless communications, wireless, communications, security, authentication, techniques, wireless authentication techniques psk 802.1x eap 5g-aka
Related Wireless Communications Topics