Cisco Blogs

Understanding the Difference Between Wireless Encryption Protocols

March 28, 2012 - 2 Comments

The WPA data encryption protocol you choose depends on your wireless network’s needs

It’s critically important to secure your wireless networks, but security can be complex, particularly when it comes to configuring each network component appropriately. A smart place to start is with the wireless router, which connects your local area network (LAN) to the Internet. Routers allow you to encrypt data as it travels in and out of your network, making it much more difficult for hackers trying to steal confidential information to read or alter it. Most small business routers let you choose which data encryption protocol you want to use, but in order to make the best choice for your network, you need to understand the differences between encryption protocols.

For wireless networks, the data encryption protocol is WPA, or Wi-Fi Protected Access. WPA was introduced in 1999 after significant flaws were discovered in the original wireless encryption protocol, WEP (Wired Equivalent Privacy); even though many routers still include WEP, it’s too insecure to rely on to protect your business. Instead, opt for one of the protocols in the WPA family.

Since the introduction of WPA, one more encryption protocol has been added to the family, WPA2, which runs in one of two modes: WPA2-PSK (Pre-Shared Key) and WPA2-ENT (Enterprise). Using WPA2 has become the general default, but the mode you choose depends on your business needs and IT environment.

Launched in 2004, WPA2 is even more secure than WPA. It is the full implementation of the 802.11i standard for securing wireless networks, while WPA was a subset of the standard and intended only as a stop-gap solution until WPA2 was completed. WPA2 uses AES (Advanced Encryption Standard), which provides government-grade encryption capabilities that are stronger than the TKIP (Temporal Key Integrity Protocol) used by WPA. In fact, AES is thought to be uncrackable by even the most skilled hacker.

The two WPA2 modes are designed for different types of networks. WPA2-PSK is intended for home and very small office networks. Each wireless device is authenticated by the same 256-bit key. With this mode, you set an encryption passphrase that must be entered by each user when connecting to the network. This passphrase can be stored on each computer, but it must be entered, or changed, individually on each device. All users share a locally stored passphrase, which can be found and copied from a computer by anyone. This makes WPA2-PSK less secure than the WPA2-ENT mode.
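To make the "same 256-bit key on every device" point concrete, here is an added example (not code from the original post or from Cisco) that derives the WPA2-PSK key the way 802.11i specifies: PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, 32 bytes out. It also enforces the standard's 8-to-63-character printable-ASCII passphrase rule and shows that every device configured with the same passphrase and SSID ends up holding an identical key, which is why a passphrase copied from one machine works on all of them and why rotating it means re-entering it everywhere. The function names and the constructed passphrase values are this example's own; the "password"/"IEEE" vector is the published 802.11i test vector.

```python
import hashlib

PBKDF2_ITERATIONS = 4096   # fixed by 802.11i for passphrase-to-PSK mapping
PSK_LENGTH_BYTES = 32      # the 256-bit key the access point and clients share


def validate_passphrase(passphrase: str) -> None:
    """802.11i passphrases are 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2-PSK passphrase must be 8-63 characters long")
    if not all(32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("WPA2-PSK passphrase must be printable ASCII")


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Map a passphrase and SSID to the 256-bit pre-shared key (PMK)."""
    validate_passphrase(passphrase)
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        dklen=PSK_LENGTH_BYTES,
    )


def devices_share_one_key(passphrase: str, ssid: str, device_count: int = 3) -> bool:
    """Every device given the same passphrase and SSID derives the same key."""
    keys = {derive_psk(passphrase, ssid) for _ in range(device_count)}
    return len(keys) == 1


def rotation_changes_every_key(old_passphrase: str, new_passphrase: str, ssid: str) -> bool:
    """Changing the passphrase invalidates the key on all devices at once."""
    return derive_psk(old_passphrase, ssid) != derive_psk(new_passphrase, ssid)


def matches_ieee_test_vector() -> bool:
    """Self-check against the 802.11i Annex test vector ("password", "IEEE")."""
    expected = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    return derive_psk("password", "IEEE").hex() == expected


if __name__ == "__main__":
    # Constructed sample values for a small office network.
    ssid = "SmallOfficeNet"
    passphrase = "correct horse battery staple"
    print("PSK:", derive_psk(passphrase, ssid).hex())
    print("all devices share one key:", devices_share_one_key(passphrase, ssid))
    print("matches 802.11i vector:", matches_ieee_test_vector())
```

The key is only as strong as the passphrase it was derived from, and the SSID acts merely as a salt, so two networks with the same passphrase but different SSIDs hold different keys while every device on one network holds the same one.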

WPA2-ENT is made for the enterprise network, but it’s a smart choice for any business network. It provides security against more attacks than WPA2-PSK and separates users from the router’s passphrase to the network. WPA2-ENT creates new encryption keys each time users log on to the network with their unique passwords, and the passphrase to the network is not stored locally. It also allows for centralized control over users’ access to the wireless network, which makes management easier than with the WPA2-PSK mode.

However, WPA2-ENT also requires the use of a RADIUS (Remote Authentication Dial In User Service) authentication server; with the PSK mode, you don’t need any additional security applications, so it’s simpler to set up. RADIUS is often an enterprise-grade server, but there are options available to the smaller company. For instance, small businesses can use either the Internet Authentication Service (IAS) in Windows 2003 or the Network Proxy Server (NPS) in Windows 2008, if you already have Windows Server installed. Or, you could outsource the RADIUS server to a hosted service, such as AuthenticateMyWiFi, to get the benefits of WPA2-ENT without the installation complexity of a RADIUS server.

No matter which mode you choose, you must set all of your wireless networking devices to the same one for them to communicate properly.

Finally, keep in mind that a router’s security doesn’t end with the encryption protocol. A business-grade router for small companies should also support VPNs (virtual private networks), firewalls, and even IPSes (intrusion prevention systems).

Which WPA2 mode does your small business use?



  1. Oh, it's a cool and awesome post... I like it... Thank you.
    But, ma'am, I have one doubt about WPA2: I know its encryption is really strong compared to previous stuff, but it is not really uncrackable; it's simply breakable, not only through aircrack. Then how can I trust WPA2? Do you have any plan to announce WPA3 or something like that?

  2. Be sending more notes about networks.