WPA3 (or WPA2-Enterprise) only
Demonstrate that all production wireless access points and controllers enforce WPA3 or WPA2-Enterprise encryption exclusively, with no legacy protocols enabled or accessible.
Description
What this control does
This control mandates the exclusive use of WPA3 or WPA2-Enterprise for all wireless networks. WPA3 replaces the pre-shared-key handshake with Simultaneous Authentication of Equals (SAE), a password-authenticated key exchange that resists offline dictionary attacks and provides forward secrecy, and it requires Protected Management Frames. WPA2-Enterprise authenticates each user or device individually over 802.1X/EAP against a RADIUS server, so there is no shared passphrase to leak or crack; its strength depends on the EAP method (EAP-TLS is preferred) and on clients validating the RADIUS server certificate, because a PEAP/MSCHAPv2 deployment without certificate validation can have its credentials harvested by an evil-twin access point. Key reinstallation (KRACK) is a flaw in the four-way handshake that WPA2 and WPA3 both still use; it is fixed by patched access points and clients rather than by the choice of protocol, so this control complements patching and does not replace it. Personal/PSK variants of WPA2, WPA3 transition mode (which keeps WPA2-PSK enabled alongside SAE), and all legacy protocols (WPA, WEP) are prohibited.
Control objective
What auditing this proves
Demonstrate that all production wireless access points and controllers enforce WPA3 or WPA2-Enterprise encryption exclusively, with no legacy protocols enabled or accessible.
Associated risks
Risks this control addresses
- Unauthorized network access through offline brute-force or dictionary attacks on weak WPA2-PSK passphrases, using four-way handshakes or PMKIDs captured by passive monitoring
- Credential compromise affecting all users when a single WPA2-PSK key is shared among multiple individuals and subsequently leaked
- Man-in-the-middle and traffic-decryption attacks against unpatched four-way handshake implementations (KRACK) and against legacy TKIP ciphers that remain negotiable on mixed-mode WPA/WPA2 networks
- Offline dictionary attacks against captured WPA2-PSK handshakes without detection or alerting
- Initial access and lateral movement by attackers within radio range who use evil-twin or downgrade attacks (for example, WPA3 transition mode falling back to WPA2-PSK) against SSIDs that still advertise legacy or open modes
- Lack of individual accountability when investigating security incidents due to shared authentication credentials in PSK environments
- Data exfiltration through passive eavesdropping on open SSIDs, on WEP- or TKIP-encrypted traffic, or on otherwise misconfigured wireless networks
Testing procedure
How an auditor verifies this control
- Obtain a complete inventory of all wireless access points, controllers, and SSIDs from network infrastructure documentation and configuration management databases.
- Export current wireless security configuration from all wireless LAN controllers and standalone access points, including enabled encryption protocols and authentication methods.
- Review configuration exports to identify the encryption standard (WPA3, WPA2-Enterprise, WPA2-PSK, WPA, WEP, or Open) configured for each SSID.
- Perform a wireless site survey with an 802.11 scanner or packet capture tool (passive capture of beacons and probe responses, which also reveals hidden SSIDs once a client associates) to discover all broadcasting SSIDs and validate they match the authorized inventory. Spectrum analyzers show RF energy rather than SSIDs, so they supplement this step but do not replace it.
- Capture beacon and probe-response frames for each production SSID and decode the RSN information element: the AKM suite selector (00-0F-AC:8 for SAE, 00-0F-AC:1 or :5 for 802.1X, 00-0F-AC:2 for PSK) and the pairwise and group ciphers (CCMP or GCMP, never TKIP or WEP) show what the access point actually offers, independent of what the configuration export claims. A legacy WPA vendor element (OUI 00-50-F2, type 1) advertised alongside the RSN element means WPA1/TKIP is still enabled. Then associate a test device and confirm the negotiated suites match the documented configuration.
- Examine RADIUS server integration for WPA2-Enterprise networks, confirming that 802.1X authentication is enforced, that individual user or device credentials are required, and that the EAP method is an approved one (EAP-TLS, or PEAP/EAP-TTLS only where client profiles validate the RADIUS server certificate).
- Query wireless controller logs for the past 90 days to identify any instances of legacy protocol usage, downgrade attempts, or configuration changes to encryption settings.
- Test access control by attempting association with a test client configured only for deprecated modes (WPA-PSK/TKIP, WEP, or WPA2-PSK against an SSID that should be SAE-only) and verify the access point rejects the association rather than negotiating down.
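The frame-decoding step above can be scripted. The following Python example is added here to illustrate it; it is not from the original page or from any vendor tool. It decodes the RSN and legacy WPA information elements of a beacon or probe response and classifies each SSID as the control requires. The sample frames in SAMPLES are hand-constructed byte strings built to the element layouts (not real captures), and the element ID, OUI and suite-type constants are the ones defined for the RSN element and the pre-standard WPA vendor element.

```python
"""Added example (not from the original page or any vendor tool): decode the RSN
and legacy WPA information elements of a captured 802.11 beacon or probe response
and classify the SSID against 'WPA3 or WPA2-Enterprise only'. SAMPLES are
hand-constructed to follow the element layouts (RSNE, ID 48; WPA vendor element,
ID 221 with OUI 00:50:F2 type 1); they are not captures from a real network."""
import struct

RSN_OUI, WPA_OUI = b"\x00\x0f\xac", b"\x00\x50\xf2"
# Suite selector types (same numbering in RSN and WPA elements)
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
           8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
        6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 12: "802.1X-SuiteB-192", 18: "OWE"}
SAE_AKMS, PSK_AKMS = {"SAE", "FT-SAE"}, {"PSK", "FT-PSK", "PSK-SHA256"}
DOT1X_AKMS = {"802.1X", "FT-802.1X", "802.1X-SHA256", "802.1X-SuiteB-192"}
ALLOWED = {"WPA3-Personal (SAE)", "WPA3-Enterprise 192-bit", "Enterprise (802.1X)"}


def parse_ies(ies):  # walk the TLV information-element list, yield (id, body)
    i = 0
    while i + 2 <= len(ies):
        eid, length = ies[i], ies[i + 1]
        body = ies[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("truncated information element")
        yield eid, body
        i += 2 + length


def _suites(body, off, oui, table):  # count-prefixed list of 4-byte OUI+type selectors
    count, names = struct.unpack_from("<H", body, off)[0], []
    off += 2
    for _ in range(count):
        name = table.get(body[off + 3], f"type-{body[off + 3]}")
        names.append(name if body[off:off + 3] == oui else "vendor")
        off += 4
    return names, off


def parse_rsn_like(body, oui):
    """Layout shared by RSN and WPA elements: version, group cipher, pairwise
    list, AKM list, then (RSN only) a capabilities field with MFPR in bit 6."""
    group = CIPHERS.get(body[5], f"type-{body[5]}") if body[2:5] == oui else "vendor"
    pairwise, off = _suites(body, 6, oui, CIPHERS)
    akms, off = _suites(body, off, oui, AKMS)
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    return {"group": group, "pairwise": pairwise, "akm": akms,
            "pmf_required": bool(caps & 0x40)}


def classify(ies, privacy_bit):
    """Name the advertised mode and list the findings that fail the control.
    privacy_bit is the beacon's capability Privacy bit (WEP if no RSN/WPA)."""
    ssid, rsn, wpa = "", None, None
    for eid, body in parse_ies(ies):
        if eid == 0:
            ssid = body.decode("utf-8", "replace")
        elif eid == 48:
            rsn = parse_rsn_like(body, RSN_OUI)
        elif eid == 221 and body[:4] == WPA_OUI + b"\x01":
            wpa = parse_rsn_like(body[4:], WPA_OUI)
    if rsn is None:
        mode = "WPA (legacy)" if wpa else ("WEP" if privacy_bit else "Open")
        return {"ssid": ssid, "mode": mode, "compliant": False,
                "findings": ["no RSN element: legacy or no encryption"]}
    akm, ciphers = set(rsn["akm"]), set(rsn["pairwise"]) | {rsn["group"]}
    mode, findings = "unrecognised AKM", []
    if akm & SAE_AKMS and akm & PSK_AKMS:
        mode = "WPA3 transition (WPA2-PSK fallback)"
        findings.append("SAE and PSK both advertised: clients can fall back to WPA2-PSK")
    elif akm & SAE_AKMS:
        mode = "WPA3-Personal (SAE)"
    elif akm & PSK_AKMS:
        mode = "WPA2-PSK"
        findings.append("shared passphrase: captured handshake is crackable offline")
    elif "802.1X-SuiteB-192" in akm:
        mode = "WPA3-Enterprise 192-bit"
    elif akm & DOT1X_AKMS:
        mode = "Enterprise (802.1X)"  # WPA2- or WPA3-Enterprise; both allowed
    if akm & SAE_AKMS and not rsn["pmf_required"]:
        findings.append("SAE without PMF required (WPA3 mandates PMF)")
    if "TKIP" in ciphers or wpa is not None:
        findings.append("TKIP/WPA1 still negotiable")
    return {"ssid": ssid, "mode": mode, "akm": sorted(akm), "ciphers": sorted(ciphers),
            "findings": findings, "compliant": mode in ALLOWED and not findings}


# Constructed sample beacons: (information elements, Privacy capability bit)
SSID = b"\x00\x0bcorp-secure"  # SSID element (ID 0) shared by all samples
RSN = "3014 0100 000fac04 0100 000fac04 0100 000fac"  # RSNE: CCMP group/pairwise, one AKM
SAMPLES = {
    "wpa3_sae": (SSID + bytes.fromhex(RSN + "08 c000"), True),  # AKM 8 = SAE, MFPC|MFPR
    "enterprise": (SSID + bytes.fromhex(RSN + "01 8000"), True),  # AKM 1 = 802.1X, MFPC
    "wpa2_psk": (SSID + bytes.fromhex(RSN + "02 0000"), True),  # AKM 2 = PSK
    "wpa3_transition": (SSID + bytes.fromhex(
        "3018 0100 000fac04 0100 000fac04 0200 000fac02 000fac08 8000"), True),
    "wpa1_tkip": (SSID + bytes.fromhex(
        "dd16 0050f201 0100 0050f202 0100 0050f202 0100 0050f202"), True),
    "wep": (SSID, True),
    "open": (SSID, False),
}

if __name__ == "__main__":
    for name, (ies, priv) in SAMPLES.items():
        r = classify(ies, priv)
        print(f"{name:16} {r['mode']:40} {'PASS' if r['compliant'] else 'FAIL'}")
```

Feed classify() the information-element bytes that follow the fixed fields (timestamp, beacon interval, capability) of a captured beacon, plus the capability field's Privacy bit. Note that WPA3 transition mode fails the check even though SAE is advertised, because WPA2-PSK remains negotiable on the same SSID; that is exactly the fallback the control is meant to eliminate.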
Where this control is tested