How Wi-Fi Authorization Works: From Passwords to Corporate Access

When you pick up a smartphone or laptop and try to connect to a wireless network, a complex data exchange process takes place that is usually hidden from the user's view. In a home scenario, everything seems simple: you select the network name from a list, enter the password, and within a few seconds, the device gains internet access. However, behind those seconds lies a multi-layered authentication system known as authorization, which ensures that only a trusted device connects to the network.

In the corporate sector, this process becomes significantly more complex and transparent for the user, often requiring the employee's login and password or the use of digital certificates. Understanding how your device "presents" itself to the router helps not only with equipment setup but also with making an informed choice of security level for your office or home.

There is a fundamental difference between home networks, where a shared key is used, and corporate networks, where access is individual for each user. It is the mechanism authentication Determines how difficult it is for an attacker to intercept your data or penetrate your local network. In this article, we'll take a detailed look at the handshake stages, protocol differences, and modern traffic security methods.

Basic principles of authentication in wireless networks

The process of connecting to an access point begins long before you enter a password. First, your device (the client) scans the air for available networks, analyzing SSID — the name displayed in the list. After selecting a network, the association phase begins, followed by the critical access rights verification phase. If this phase is skipped on open networks, then on secure networks, the exchange of service packets begins.

The main goal of authorization is to prove to the access point that the client has the correct key without transmitting the key in cleartext. This is achieved using cryptographic algorithms that create unique sessions. In modern standards, such as WPA2 And WPA3, a four-way handshake is used to generate temporary encryption keys for a specific session.

It's important to understand that authorization isn't just a password check, but the process of generating a shared secret for traffic encryption. If this step fails, the device may display an "Incorrect Password" error or remain stuck indefinitely in the "Obtaining IP Address" status. This indicates that the handshake was unsuccessful due to a mismatch in the cryptographic hashes.

⚠️ Attention: When setting up corporate networks, it's critical to synchronize the time on all infrastructure devices (controllers, access points, RADIUS servers). Even a few minutes' misalignment can result in authorization failure due to expired certificates.

📊 What type of Wi-Fi security do you have at home?
WPA2-Personal
WPA3-Personal
WEP (old)
Open network
Don't know

Personal Area Networks and the PSK Method

In the home segment and small business, the most common method is Pre-Shared Key (PSK), known to the user as the "Wi-Fi password." In this scenario, the same secret key is known to all devices and the network administrator. When connecting, the device uses this key to generate a hash, which is compared with the hash on the router.

The main advantage of PSK is its ease of deployment: you don't need to set up complex servers; knowing the password is enough. However, this method has a significant drawback: if the key is compromised (for example, by a guest or former employee), the security of the entire network is compromised. You'll have to change the password on all connected devices, which becomes a logistical nightmare in a large home or office.

Modern routers support the standard WPA3-SAE (Simultaneous Authentication of Equals), which replaced the outdated WPA2-PSK. The new protocol protects against brute-force attacks and handshake interception, making the authentication process robust even when using relatively simple passwords. This is achieved through the use of elliptic curve cryptography.

Technically, the process works like this: the client and access point exchange random numbers (nonces), which, along with a shared password, are used to calculate a temporary encryption key. The password itself is never transmitted over the air, making interception useless for gaining access unless the password is trivially simple.

Corporate authentication via 802.1X and RADIUS

For organizations where personal accountability and the ability to quickly revoke access are important, the standard is used IEEE 802.1XThis technology divides the process into three components: a supplicant (client), an authenticator (access point), and an authorization server (usually RADIUS). The access point in this scheme acts merely as an intermediary, forwarding credentials to the central server.

Usage RADIUSServers allow for flexible access policies. For example, the accounting department may have access only to financial servers, while the marketing department may have access to the internet and printers, all while connected to the same physical Wi-Fi network. Authorization can be achieved using a domain account login and password or digital certificates.

Connecting to a corporate network is more complex for the end user, but it provides the highest level of security. Each device or user is assigned unique encryption keys that are updated periodically. This means that even if an employee loses a laptop, an attacker won't be able to use it to access the network once the account is locked in Active Directory.

How does EAP-TLS work?

The EAP-TLS protocol is considered the "gold standard" of security. It requires a digital certificate on both the server and the client device. This eliminates the possibility of phishing, as the client device also verifies the server's authenticity before sending its credentials.

Implementing such a system requires a public key infrastructure (PKI) and qualified personnel to maintain it. However, for banks, medical institutions, and large enterprises, this is the only reliable way to meet the strict data protection requirements of regulators.

Comparison of security methods and protocols

The choice of authentication method directly impacts network performance and user experience. Below is a table comparing the key characteristics of popular security protocols used today.

Protocol Key type Encryption Difficulty of implementation
WPA2-Personal General (PSK) AES-CCMP Low
WPA3-Personal General (SAE) GCMP-256 Low
WPA2-Enterprise Individual AES-CCMP High
WPA3-Enterprise Individual GCMP-256 Very high

Transition to WPA3 is a mandatory step for new devices, as it eliminates vulnerabilities associated with KRACK-type attacks that were relevant for WPA2. In the corporate sector, the transition to WPA3-Enterprise With 192-bit security, it provides a level of protection comparable to government encryption standards.

It's worth noting that older devices may not support new protocols. In such cases, administrators are forced to create guest networks with less restrictive settings or segment the network, leaving legacy devices on an isolated VLAN. This is a tradeoff between compatibility and security, requiring careful network topology planning.

The 4-Way Handshake Process

The heart of the authentication process in WPA networks is the 4-Way Handshake mechanism. It is necessary to confirm that both parties (the client and the access point) know the correct PSK and to generate temporary encryption keys. This process occurs every time a connection is established and is repeated periodically to refresh the keys.

In the first step, the access point sends a random number (ANonce) to the client. The client uses this number, its own random number generator (SNonce), and the shared password to calculate keys. The client then sends its own number and the hash code (MIC) to the access point. This confirms that the client knows the password without revealing it.

The access point verifies the received MIC. If it is correct, it generates a group key (for broadcast traffic) and sends it to the client, protected by a new temporary key. A final acknowledgement from the client completes the process, and user data transmission begins. Any packet corruption at this stage will result in the connection being terminated.

⚠️ Attention: Specialized sniffers can record handshake packets. Although they don't contain the password itself, the captured handshake can be used for offline password cracking. This is why password length and complexity remain critical even when using AES encryption.

Guest Access and Captive Portal

Hotels, cafes and airports often use a different authorization method - Captive PortalIn this case, the device connects to an open network, but all traffic is redirected to a dedicated web page. The user must accept the terms of use or enter a code received via SMS before accessing the internet.

Technically, this is accomplished by intercepting DNS requests or HTTP traffic. The router or controller blocks all requests except those leading to the authorization page. After successful verification (for example, with a one-time code), the device's MAC address is whitelisted, and access is granted.

This method is convenient for temporary access, but it doesn't encrypt traffic between the client and the access point, as the connection remains technically open. To protect data on such networks, using a VPN is highly recommended, as an attacker on the same network could attempt to intercept your unencrypted data.

☑️ Guest network security

Completed: 0 / 4

It's important to distinguish between an open network with a portal and a secure network. In a corporate environment, guest access via a captive portal should be strictly isolated from the company's internal infrastructure to prevent potential attacks from visitors.

Common problems and connection diagnostics

Authorization issues often manifest as cyclical connection attempts. The device constantly requests a password or hangs for a long time at the "Obtaining IP address" stage. This may indicate incompatible encryption methods, for example, when the client only supports TKIP, and the network is configured to AES.

Another common cause is overflowing the DHCP table or RADIUS server limits. If the authorization server fails to respond in a timely manner, the access point terminates the connection. This is often reflected in the equipment logs as a timeout or radius error. Troubleshooting requires analyzing logs on both the client and the infrastructure.

To resolve these issues, we recommend updating your wireless adapter drivers and router firmware. Sometimes, resetting the network settings on the client device helps, as this removes old network profiles with incorrect security settings. In complex corporate cases, it may be necessary to analyze traffic with Wireshark to view EAP error codes.

Why does the phone say "Saved" but won't connect?

This often means that the device has successfully authenticated but is unable to obtain an IP address. Check your DHCP server settings, ensure there are free addresses in the pool, and ensure the VLAN is configured correctly on the port to which the access point is connected.

The Future of Wireless Security

The industry is moving towards a complete elimination of passwords in the corporate segment. Standard WPA3-Enterprise 192-bit sets a new bar, requiring the use of more robust encryption algorithms. The widespread adoption of AI-based technologies that will analyze device behavior and block anomalies in real time is expected.

The concept of Zero Trust Network Access (ZTNA) is also developing, where authorization occurs not only upon network login but also continuously, every time a resource is accessed. Wi-Fi becomes merely a transport channel, and the level of trust is determined by the context: who the user is, where they are located, and the state of their device.

For users, this means the connection process will become even more seamless, but device security requirements will increase. Antivirus protection and an up-to-date operating system will become mandatory for accessing corporate Wi-Fi, and will be automatically checked before network access.

What is the difference between authentication and authorization in Wi-Fi?

Authentication is the process of verifying identity (for example, entering a password or certificate), answering the question "Who are you?" Authorization is the process of verifying access rights, answering the question "What are you allowed to do?" In Wi-Fi, these processes often occur simultaneously, but are technically distinct stages.

Is it possible to hack WPA3?

Currently, the WPA3 protocol is considered cryptographically secure. The main vulnerabilities are not related to the protocol itself, but to improper implementation in devices or the use of weak passwords in Transition Mode. Directly cracking WPA3-SAE encryption using brute-force attacks in real time is virtually impossible.

Why do you need a separate RADIUS server for a small office?

For a small office (up to 10-15 people), deploying a full-fledged RADIUS system may be overkill. However, if you have remote employees or require strict access auditing, using cloud RADIUS services or built-in features in modern business routers (Cloud RADIUS) allows you to achieve the benefits of corporate security without the need for a complex infrastructure.