Does WPA Personal still use EAP to perform authentication?

Mitrixsen
Level 1

Hello, everyone.

When I was first studying for the CCNA, I thought we had two main methods of how users can be authenticated:

1. Via PSKs in WPA Personal
2. By using EAP, a RADIUS server, 802.1x, and so on in WPA Enterprise

However, after labbing up the 4-way handshake today, I noticed that even if I am using PSKs as my form of authentication, EAP is still used?

[Attached screenshot: Wireshark capture of the 4-way handshake]

It’s just a little confusing considering that it says 802.1x at the bottom even though I am not using that.

Thank you.
David

2 Accepted Solutions

M02@rt37
VIP

Hello David

Even though WPA2 Personal does not use EAP for authentication (since it relies solely on a shared password...), it still uses the 4-way handshake, which is transported over EAPOL frames.

When you're analyzing the traffic and see “EAPOL” or even “802.1X,” what you're actually seeing are the mechanics of the 4-way handshake — not an EAP-based authentication process. Many tools and diagrams will still label these frames as "EAP" or "802.1X" simply because EAPOL was originally developed for 802.1X-based Enterprise authentication, and the same frame type is reused in WPA-Personal...

What causes confusion is that these handshake messages are EAPOL frames, even though no actual EAP exchange (like identity request, challenge...) takes place — because EAPoL is just the "transport protocol" originally designed for 802.1X/EAP, but reused here!

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.


WPA Personal vs WPA Enterprise

Both use a shared key.

But in Personal the WLC/AP and client use a simple exchange (not EAP) for authc.

In Enterprise the client needs to send its shared key to the AAA server (via 802.1X); here it needs to use EAP.

MHM


11 Replies


Hi M02@rt37 

So if I understand this correctly, when we say that PSK authentication doesn't use EAP, we mean that no EAP messages (challenges, requests, responses) are used for authentication.

But this doesn't mean that EAPOL isn't being used, right? So is it right to say that it's a transport protocol that carries PSK-related information and in the case of WPA Enterprise, EAP messages?

Thank you, again!
David

Yes sir!

EAPoL is a transport protocol used in both WPA-Personal and WPA-Enterprise.

In WPA Enterprise, it carries EAP messages during the authentication phase, and in WPA Personal, it carries key management frames (4-Way Handshake), not EAP messages!

 

Best regards
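To make the distinction in this answer concrete, here is an added example in Python (not code from the thread or from Cisco) that parses the 802.1X header of an EAPOL frame and reports whether it carries an EAP message (what WPA-Enterprise authentication looks like) or an EAPOL-Key message of the 4-way handshake (the only 802.1X traffic a WPA-Personal capture contains). The sample frames are constructed inline; the Key Information bit positions are those defined in 802.11i.

```python
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def handshake_message(pairwise, install, ack, mic, secure):
    """Map EAPOL-Key flag bits to the 4-way handshake message number."""
    if not pairwise:
        return "group key handshake"
    if ack and not mic:
        return "M1"                      # AP -> STA, carries ANonce, no MIC yet
    if ack and mic and install:
        return "M3"                      # AP -> STA, Install bit set
    if not ack and mic and not secure:
        return "M2"                      # STA -> AP, carries SNonce
    if not ack and mic and secure:
        return "M4"                      # STA -> AP, confirms keys installed
    return "unknown"


def classify_eapol(frame: bytes) -> dict:
    """Classify one EAPOL frame (bytes after the 802.1X ethertype / LLC header)."""
    version, eapol_type, body_len = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + body_len]
    result = {"eapol_type": EAPOL_TYPES.get(eapol_type, f"unknown({eapol_type})")}
    if eapol_type == 0:                  # EAP inside EAPOL: Enterprise authentication
        code, _ident, _eap_len = struct.unpack("!BBH", body[:4])
        result["eap_code"] = EAP_CODES.get(code, "unknown")
        if code in (1, 2):               # Request/Response carry an EAP type byte
            result["eap_type"] = "Identity" if body[4] == 1 else f"type {body[4]}"
    elif eapol_type == 3:                # EAPOL-Key: 4-way handshake, no EAP inside
        descriptor, key_info = struct.unpack("!BH", body[:3])
        result["descriptor"] = {2: "RSN", 254: "WPA"}.get(descriptor, "unknown")
        result["handshake_msg"] = handshake_message(
            pairwise=bool(key_info & 0x0008), install=bool(key_info & 0x0040),
            ack=bool(key_info & 0x0080), mic=bool(key_info & 0x0100),
            secure=bool(key_info & 0x0200))
    return result


def build_eapol_key(key_info: int) -> bytes:
    """Constructed sample EAPOL-Key frame: RSN descriptor, all other fields zeroed."""
    body = struct.pack("!BHH", 2, key_info, 16) + bytes(8 + 32 + 16 + 8 + 8 + 16)
    body += struct.pack("!H", 0)         # Key Data Length = 0
    return struct.pack("!BBH", 2, 3, len(body)) + body


# Constructed sample: EAP Identity Request (code 1, id 1, length 5, type 1) over EAPOL
EAP_IDENTITY_REQUEST = struct.pack("!BBH", 2, 0, 5) + struct.pack("!BBHB", 1, 1, 5, 1)
```

Key Information 0x008A, 0x010A, 0x13CA and 0x030A are the flag combinations of messages 1 to 4 with key descriptor version 2, so feeding them to `build_eapol_key` reproduces what Wireshark labels as the four handshake messages.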


Hi @MHM Cisco World 

What is typically meant when people say that EAP is not used for auth in Personal mode? In my Wireshark capture, EAPOL is still being used. Is there any major difference there?

David

You must be aware of the difference between authc and key exchange.

As I mentioned, for authc the client does not use EAP; it uses a simple authc handshake. For the key exchange (PMK), the AP/WLC and client use EAP to derive the PMK.

https://mrncciew.com/2019/11/29/wpa3-sae-mode/

In WPA Enterprise both authc and key exchange are done via EAP.

MHM

marce1000
Hall of Fame

 

- @Mitrixsen You have been posting a lot of knowledge topics only recently; consider:
https://community.cisco.com/t5/security-knowledge-base/how-to-ask-the-community-for-help/ta-p/3704356#toc-hId-530438092

  M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Hello @marce1000 

What do you generally mean by "knowledge topics only"?

David

 

- @Mitrixsen By that I mean not a current technical problem that someone is confronted with.

  M.




Hello @marce1000 

I am studying for a certification exam, which is why I am asking for help here on the forums. I've read the link that you've provided and it doesn't specifically dismiss this kind of question. They're setting expectations on how the question should look, what information should be provided, and what the formatting should be, but they don't discourage knowledge or study-related questions. I've seen many other people ask questions in a similar context before.

David

Hi David

I think Marce's point is that this type of question is usually better suited to the appropriate Learning Network community which is dedicated to these topics like
https://learningnetwork.cisco.com/s/topic/0TO3i0000008jYHGAY/ccna-certification-community while these communities are more focussed on technical support and troubleshooting.  You're right that such questions are not specifically excluded here but they are probably better suited to the Learning Network, especially if you have a lot of them.  The answers would also be useful to other people in those communities with the same learning goals as you too.
