What are the differences between WPA2-PSK and WPA2 EAP-PSK? What are the pros and cons of using one configuration or the other?
2 Answers
WPA2 EAP-PSK uses WPA2-Enterprise to do an 802.1X authentication to a server. It uses the PSK method of EAP and allows a client to authenticate with just the use of a PSK.
The pros of WPA2-PSK are that it is supported in every 802.11 device of relatively recent manufacture (2nd gen 802.11g or so), and that it is simple to set up and simple to use.
WPA2 EAP-PSK should be somewhat more secure in that it would be harder to calculate the PSK from captured traffic. However, many of the same vulnerabilities exist if an attacker were able to get a hold of the PSK (social engineering, written down, etc).
There are a number of drawbacks:
- Like other WPA2-Enterprise methods, you need to have an authentication server set up to authenticate against, which adds complexity.
- Both the server and the client supplicant need to support the EAP method. AFAIK, only wpa_supplicant has support for EAP-PSK and you will not find this native on most devices.
- EAP-PSK has never passed the "experimental" stage of development.
- There doesn't seem to be a lot of interest in it; either people don't want the complexity of WPA2-Enterprise at all (even with a simple authentication method) or they are content to use other more widely supported EAP methods.
- Does EAP-PSK have one password for all clients or one password per client? – boos Sep 29 '14 at 10:11
- Generally speaking, just like WPA2-PSK, there is only one PSK for all client devices. I would imagine it is at least possible (in theory) to configure your RADIUS server to provide a different PSK depending on MAC. However, this would make the configuration of the server much more complicated and remove the one real advantage EAP-PSK has over other EAP methods, simplicity. – YLearn Sep 29 '14 at 12:15
- @YLearn, if it's all one password for all clients, what's really the point of having a whole RADIUS server to authenticate with just a single password?! – cnst Feb 16 '16 at 00:17
- @cnst, a PSK isn't a password, it is used as the PMK (pairwise master key) for both sides to generate the encryption key or PTK (pairwise transient key). With PSK, all devices use the same PMK, so if someone has the PSK and the four-way handshake (when the PTK is generated/exchanged) is also captured, that someone can decrypt the traffic. With EAP-PSK an 802.1X authentication takes place with a RADIUS server and the RADIUS server returns unique PMK material for each successful authentication. WPA2-Enterprise is always more secure than WPA2-PSK. – YLearn Feb 16 '16 at 00:32
- @YLearn, that's quite some more useful details than what you have in your answer! – cnst Feb 16 '16 at 00:37
- @cnst, in a sense it is already in my answer. `WPA2 EAP-PSK uses WPA2-Enterprise to do an 802.1X authentication to server.` The OP's question wasn't about the differences between WPA2-PSK and WPA2-Enterprise, it was asking about the differences/pros/cons of using PSK vs. EAP-PSK. I stuck to the question that was asked; there are plenty of questions here about the differences between WPA2-PSK and WPA2-Enterprise already. – YLearn Feb 16 '16 at 00:44
The major distinction between the two should not be about cryptography. WPA2-PSK, provided the shared password is of sufficient complexity, is unbreakable given current resources. The use of WPA-EAP-PSK or any WPA Enterprise (i.e. EAP) implementation should not be in an effort to increase the cryptographic strength of a wireless network but to provide other benefits such as granular control over who or what connects to the network.
With the EAP options under WPA-Enterprise, each user and device can have its own credentials and this increases control and auditing. However, some of those options are very cryptographically weak. To use an analogy, WPA-PSK is like having a dead bolt on your company door and providing every employee the same key. WPA-Enterprise/EAP is like having a key card system that electronically unlocks the door. To carry the analogy further, while those key cards give great control and auditing for each employee, the underlying lock often is weaker than the good old-fashioned deadbolt.
Back to the crypto, with a 256-bit key, the only feasible attack is to capture the wireless handshake and then run a dictionary attack. As long as you choose a password of such complexity that it wouldn't appear in a dictionary list, WPA-PSK will be unbreakable. Now, if you have a need or concern about all users or devices sharing one key because of social engineering, trust, etc., then you do need to look at EAP/Enterprise options, but cryptographically, you're probably not going to beat WPA-PSK.