Threat model: how an attacker breaks the protection of an enterprise wireless network
A wireless network is the only segment of corporate infrastructure where an attacker does not need physical access to a switch port. A parking lot, the floor above, or a cafe on the other side of the wall is enough. In the MITRE ATT&CK classification, interception through a fake access point is Adversary-in-the-Middle (T1557), one of the main credential access vectors.
The attack chain on a corporate wireless network looks like this:
1. Reconnaissance: airodump-ng or Kismet collect SSIDs, BSSIDs, channels, encryption types and client counts. The attacker learns whether the network is PSK or 802.1X and picks the vector.
2. Initial Access: an evil twin with the same SSID is brought up. With WPA2-PSK, clients reconnect automatically. With 802.1X, hostapd-wpe captures the EAP hash.
3. Credential Access: capture of NTLM hashes through PEAP/MSCHAPv2 on a fake RADIUS server, capture of cookies through an HTTP downgrade, theft of Kerberos tickets.
4. Lateral Movement: from the guest VLAN into the corporate segment, if inter-VLAN routing is not blocked on the firewall.
The business impact is direct: leakage of personal data means turnover-based fines under FZ-152 (up to 3% of annual revenue for a repeat violation), reputational damage, and downtime of business processes.
A separate vector is the insider threat. An employee plugs a $30 home router into an Ethernet socket to get a better signal. That router creates an uncontrolled bridge between Wi-Fi and the internal LAN, bypassing the perimeter entirely. In a retail case (Purple.ai), the WIPS found 23 unauthorized APs across a network of 500 locations after deployment; 18 of them turned out to be home routers brought in by staff. Twenty-three. In one network.
WIDS/WIPS (Wi-Fi Intrusion Detection System): Architecture and Verification
WIDS records anomalies on the radio and generates alerts. WIPS does the same but adds automatic suppression: deauthentication frames to the clients of a rogue AP, or disabling the switch port via SNMP. The difference is between an alarm and an alarm with an automatic security response.
Sensors operate in two modes:
Dedicated sensor mode: the AP does nothing but monitor all 2.4/5/6 GHz channels continuously. Maximum detection accuracy, reaction time 30-90 seconds. Requires separate hardware. For environments under PCI DSS or processing personal data it is effectively mandatory.
Background scanning (time-slicing): the AP serves clients and periodically switches to scanning. Cheaper, but it creates blind windows: a rogue AP that is active between cycles stays invisible. The channel switches also add latency to client traffic. In practice it is a saving you later pay for with missed incidents.
Risk-level classification is the setting without which WIDS turns into a noise generator. An enterprise-appropriate matrix (Purple.ai, Cisco aWIPS):

Vendor implementations and their limitations for corporate Wi-Fi security:
Cisco aWIPS (Catalyst 9800 + DNA Center): the CleanAir ASIC in the 9120/9130 APs analyzes Layer 1 without affecting the data radio. Correlating RF data with the wired topology is a powerful thing. Limitation: requires a DNA Advantage license and a full Cisco stack. Vendor lock-in in its purest form.
Aruba WIDS (AirWave/Central): good integration with ClearPass NAC, but the default classification rules are too lenient. Without tuning the RSSI thresholds you get a false positive for every smartphone within range. On one project I spent half a day calibrating the thresholds.
Meraki Air Marshal: the simplicity of cloud management is appealing, but customization is scarce and the API for SOC integration is poorly documented. Fine for a small business; for an enterprise with a serious SOC it lacks flexibility.
WIDS Efficiency Test: Rogue AP Simulation
Enterprise wireless security has to be checked on the air, not in the vendor documentation. On paper everything works. In practice it depends on the configuration.
Environment requirements: Kali Linux (or any distribution with hostapd and aircrack-ng), a Wi-Fi adapter with AP-mode support (Alfa AWUS036ACH, TP-Link TL-WN722N v1), and written permission from the owner of the infrastructure (without it, Art. 272 of the Criminal Code of the Russian Federation).
Code:
# hostapd.conf - evil twin for testing WIDS
interface=wlan0
ssid=Corp-WiFi
channel=6
hw_mode=g
wpa=2
wpa_passphrase=TestOnly12345
wpa_key_mgmt=WPA-PSK
Launch: sudo hostapd hostapd.conf. The AP appears on the air. We time how long the alert takes. Target KPIs: detection of 100% of rogue APs within 10 minutes, MTTD for wireless anomalies under 15 minutes. If no alert has arrived within 10 minutes, the WIDS configuration is inoperable and the baseline (DE.AE-01 in NIST CSF v2.0) is not set up.
Limitation: in background scanning mode, detection can take 20-30 minutes or more, depending on the interval between cycles. In dedicated sensor mode it is 30-90 seconds. The difference is an order of magnitude.
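Scoring that test from the controller's log export, as an added example that is not part of the original article: the log lines and their field format are constructed, and the pass/fail thresholds are the KPIs stated above.

```python
from datetime import datetime, timedelta

# Constructed controller log export (the format is an assumption):
# timestamp event key=value...
WIDS_LOG = """\
2025-03-04T10:00:12 ap_detected ssid=Guest-WiFi bssid=00:11:22:33:44:55 class=friendly
2025-03-04T10:07:40 ap_detected ssid=Corp-WiFi bssid=02:AB:CD:EF:01:02 class=rogue
2025-03-04T10:08:05 deauth_flood bssid=02:AB:CD:EF:01:02
"""

DETECT_KPI = timedelta(minutes=10)  # page KPI: 100% of rogue APs within 10 min
MTTD_KPI = timedelta(minutes=15)    # page KPI: MTTD for wireless anomalies < 15 min

def parse_log(text):
    """Split each line into a dict: ts, event, plus the key=value fields."""
    events = []
    for line in text.splitlines():
        ts, kind, *fields = line.split()
        ev = {"ts": datetime.fromisoformat(ts), "event": kind}
        ev.update(f.split("=", 1) for f in fields if "=" in f)
        events.append(ev)
    return events

def time_to_detect(log_text, launch_ts, test_bssid):
    """Delay between starting hostapd and the first rogue alert for its BSSID."""
    launch = datetime.fromisoformat(launch_ts)
    for ev in parse_log(log_text):
        if (ev["event"] == "ap_detected" and ev.get("class") == "rogue"
                and ev.get("bssid", "").upper() == test_bssid.upper()
                and ev["ts"] >= launch):
            return ev["ts"] - launch
    return None  # no alert: the test window expired without detection

def grade(delay):
    """Map the measured delay onto the page's pass/fail criteria."""
    if delay is None:
        return "FAIL: no alert, WIDS baseline (DE.AE-01) is not set up"
    secs = int(delay.total_seconds())
    if delay <= DETECT_KPI:
        return "PASS: detected in %d s" % secs
    if delay <= MTTD_KPI:
        return "MARGINAL: %d s, within MTTD but over the 10 min detection KPI" % secs
    return "FAIL: %d s, both KPIs missed (background scanning?)" % secs

if __name__ == "__main__":
    # Launch time is noted when 'sudo hostapd hostapd.conf' is started.
    delay = time_to_detect(WIDS_LOG, "2025-03-04T10:05:30", "02:ab:cd:ef:01:02")
    print(grade(delay))
```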
802.1X authentication and EAP-TLS hardening: setup without the typical errors
WPA2/WPA3-Enterprise with 802.1X is the minimum bar for a corporate Wi-Fi network. PSK in an enterprise environment is a ready-made vulnerability: one disgruntled ex-employee who knows the password is enough. I've seen a company where the corporate Wi-Fi PSK had not changed for three years. Three years and four waves of layoffs.

A critical error I find in 4 of 5 audits: the RADIUS server certificate is not pinned on client devices. Without certificate pinning, the attacker brings up hostapd-wpe, a fake RADIUS server, and clients obediently hand over the MSCHAPv2 hash. GPU cracking takes hours, not days. And then, hello, Active Directory.
Hardening 802.1X, concrete actions:
1. Move to EAP-TLS with client certificates, distributed via MDM (Intune, Kaspersky Security Center, Jamf).
2. If EAP-TLS is not possible, enable strict certificate validation: specify the CA and the RADIUS server name in the client's Wi-Fi profile. Without it, PEAP is a paper lock.
3. Enable 802.11w (Protected Management Frames): mandatory in WPA3, optional in WPA2. It protects against the deauth attacks that push clients onto the evil twin.
4. On FreeRADIUS/NPS, enable logging of failed authentications and configure forwarding to the SIEM. Without it you are blind to brute force.
5. Rotate the RADIUS shared secret quarterly. Rotate client certificates annually or on dismissal.
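Items 1-3 of that list, checked against two client profiles, as an added example that is not from the original article: the two wpa_supplicant network blocks are constructed (the option names eap, ca_cert, domain_match, domain_suffix_match and ieee80211w are standard wpa_supplicant keys), and the audit function is an assumption of how such a profile check could be written.

```python
import re

# Two constructed wpa_supplicant network blocks: the profile found in most
# audits (PEAP with no server validation) and the hardened EAP-TLS profile.
WEAK_PROFILE = """
network={
    ssid="Corp-WiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

HARDENED_PROFILE = """
network={
    ssid="Corp-WiFi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="jdoe@corp.example"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    client_cert="/etc/wpa/jdoe.pem"
    private_key="/etc/wpa/jdoe.key"
    domain_match="radius.corp.example"
    ieee80211w=2
}
"""

def parse_network_block(text):
    """Return the key=value options of the first network={...} block."""
    body = re.search(r"network=\{(.*?)\}", text, re.S).group(1)
    opts = {}
    for line in body.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip().strip('"')
    return opts

def audit_profile(text):
    """Findings against items 1-3 of the hardening list; empty means pass."""
    o = parse_network_block(text)
    findings = []
    if o.get("key_mgmt") != "WPA-EAP":
        findings.append("key_mgmt is not WPA-EAP: no 802.1X on a corporate SSID")
    if o.get("eap") != "TLS":
        findings.append("eap=%s: password-based EAP instead of EAP-TLS" % o.get("eap"))
    if "ca_cert" not in o:
        findings.append("no ca_cert: any RADIUS server certificate is accepted")
    if "domain_match" not in o and "domain_suffix_match" not in o:
        findings.append("no domain_match: any certificate from that CA is accepted")
    if o.get("ieee80211w") != "2":
        findings.append("ieee80211w is not 2: 802.11w/PMF not required")
    return findings
```

The weak profile yields four findings, the hardened one none; on a PEAP-only deployment the ca_cert and domain_match findings are the ones that turn hostapd-wpe from a working attack into a failed TLS handshake.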
Wireless Network Segmentation and Rogue Access Point Detection
The minimum model is three VLANs and three SSIDs:
• Corporate (VLAN 10): 802.1X/EAP-TLS, full access to internal resources.
• Guest (VLAN 20): captive portal, only Internet. Inter-VLAN routing is blocked.
• IoT (VLAN 30): cameras, printers, sensors. Access only to specific cloud endpoints over HTTPS.
A segmentation check is a mandatory part of a wireless security audit. From a device in the Guest VLAN run nmap -sn 10.10.10.0/24 (corporate addressing). If a single host responds, the firewall between the VLANs is misconfigured. I've seen this more often than I'd like.
802.1X on wired switch ports is the main measure against wired rogue APs. A home router plugged into an Ethernet socket will not authenticate, and the port stays in the unauthorized state. The rogue AP never gets an IP address and never becomes a bridge into the LAN. This directly implements PR.AA-01 (identity and authentication management) and ID.AM-01 (hardware asset inventory) from NIST CSF v2.0.
Wi-Fi infrastructure monitoring: detection rules for SIEM
The security of a corporate Wi-Fi network does not end with the setup; it starts with continuous monitoring. WIDS generates events, but without correlation in the SIEM they stay in the controller interface where nobody is looking. A familiar picture?
Logs to collect:
• WIDS/WIPS controller: rogue AP detection, deauth flood, new SSID in proximity
• RADIUS: auth success/failure, EAP type, client MAC, username
• Switches: 802.1X port authentications, MAC address table changes
• DNS/DHCP: queries from IoT/Guest VLAN to internal resources
Detection Rule 1 - EAP Downgrade (pseudo-Sigma):
YAML:
title: EAP Downgrade on Corporate SSID
logsource:
  product: radius
  service: authentication
detection:
  selection:
    eap_type|contains: ['EAP-MD5','EAP-GTC','LEAP']
    ssid: 'Corp-*'
  condition: selection
level: high
tags: [attack.credential_access, attack.t1557]
An authentication attempt with an outdated EAP method on the enterprise SSID is a sign of a downgrade attack: the attacker forces the client onto a weak protocol to intercept credentials. EAP-MD5 or LEAP on a corporate SSID in 2025 is not "legacy", it is a hole.
Detection rule 2 - Rogue AP by BSSID whitelist (pseudo-Sigma):
YAML:
title: Rogue AP - BSSID Not in Whitelist
logsource:
  product: wids
  service: rogue_detection
detection:
  selection:
    event_type: 'ap_detected'
    ssid|contains: 'Corp'
  filter:
    bssid|startswith: 'AA:BB:CC'
  condition: selection and not filter
level: critical
tags: [attack.initial_access, attack.t1557]
An AP with the corporate SSID but a BSSID outside the range of authorized APs is most likely an evil twin. Severity: critical. This is the rule that would have saved the company from the beginning of the article.
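Both pseudo-Sigma rules above as executable detection logic, an added example that is not part of the original article: the field names (eap_type, ssid, event_type, bssid) follow the rules, while the sample events and the authorized BSSID prefix list are constructed for this example.

```python
import fnmatch

# Field names follow the two rules above; events and the authorized
# BSSID prefix list are constructed samples for this example.
WEAK_EAP = ("EAP-MD5", "EAP-GTC", "LEAP")
AUTHORIZED_BSSID_PREFIXES = ("AA:BB:CC",)  # rule 2 filter: bssid|startswith

def eap_downgrade(event):
    """Rule 1: legacy EAP method negotiated on a corporate SSID."""
    if event.get("product") != "radius":
        return None
    if not fnmatch.fnmatch(event.get("ssid", ""), "Corp-*"):
        return None
    eap = event.get("eap_type", "").upper()
    if any(weak in eap for weak in WEAK_EAP):
        return {"rule": "EAP Downgrade on Corporate SSID", "level": "high",
                "tags": ["attack.credential_access", "attack.t1557"],
                "client_mac": event.get("client_mac"), "eap_type": eap}
    return None

def rogue_ap(event):
    """Rule 2: corporate SSID advertised from a BSSID outside the whitelist."""
    if event.get("product") != "wids" or event.get("event_type") != "ap_detected":
        return None
    if "Corp" not in event.get("ssid", ""):
        return None
    bssid = event.get("bssid", "").upper()
    if bssid.startswith(AUTHORIZED_BSSID_PREFIXES):
        return None  # 'selection and not filter': authorized AP, no alert
    return {"rule": "Rogue AP - BSSID Not in Whitelist", "level": "critical",
            "tags": ["attack.initial_access", "attack.t1557"],
            "bssid": bssid, "ssid": event["ssid"]}

def run_rules(events):
    """Apply both rules to every event; return the alerts in event order."""
    alerts = []
    for ev in events:
        for rule in (eap_downgrade, rogue_ap):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts

# Constructed sample events: RADIUS auth records and WIDS controller events
SAMPLE_EVENTS = [
    {"product": "radius", "ssid": "Corp-WiFi", "eap_type": "EAP-PEAP/MSCHAPv2",
     "client_mac": "10:20:30:40:50:60"},
    {"product": "radius", "ssid": "Corp-WiFi", "eap_type": "LEAP",
     "client_mac": "10:20:30:40:50:61"},
    {"product": "radius", "ssid": "Guest", "eap_type": "EAP-MD5",
     "client_mac": "10:20:30:40:50:62"},  # not a corporate SSID: ignored
    {"product": "wids", "event_type": "ap_detected", "ssid": "Corp-WiFi",
     "bssid": "aa:bb:cc:10:20:30"},       # authorized prefix: ignored
    {"product": "wids", "event_type": "ap_detected", "ssid": "Corp-WiFi",
     "bssid": "02:ab:cd:ef:01:02"},       # unknown BSSID: evil twin
]
```

In a real deployment the prefix tuple would hold the full OUI or BSSID list of the controllers, and case-insensitive MAC matching matters because RADIUS and WIDS exports rarely agree on letter case.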