PSK

5.4 Configure and verify wireless security features

📘CCNP Encore (350-401-ENCORE-v1.1)

PSK (Pre-Shared Key) is one of the simplest methods to secure a Wi-Fi network. It’s commonly used in small offices, branch offices, or home networks, but it can also appear in enterprise environments for guest Wi-Fi networks or temporary setups.

1. What is PSK?

  • PSK is a shared password used to authenticate users or devices to a Wi-Fi network.
  • All devices connecting to the network must know the same key.
  • PSK works with WPA (Wi-Fi Protected Access) and WPA2/WPA3 standards.
  • It is symmetric, meaning the same key is used to both authenticate and encrypt traffic.

Key points for the exam:

  • PSK is easier to configure than 802.1X.
  • It does not require a RADIUS server.
  • Ideal for small deployments, but less secure in large environments.

2. PSK Authentication Types

When you configure PSK, you typically choose:

  1. WPA-Personal / WPA2-Personal / WPA3-Personal
    • Uses a pre-shared key (password).
    • Password must be at least 8 characters.
    • Encrypts wireless traffic using TKIP (WPA) or AES/CCMP (WPA2/WPA3).
  2. Passphrase / Hex Key
    • PSK can be a human-readable passphrase (like “MySecureWiFi123”) or a hexadecimal key.
    • Hexadecimal key is often used in enterprise setups for stronger security.

3. How PSK Works (Step-by-Step)

Here’s the simplified process of PSK authentication:

  1. A device tries to join the Wi-Fi network.
  2. The device enters the pre-shared key.
  3. The access point (AP) verifies the key.
  4. If the key matches:
    • The AP grants access.
    • Data is encrypted using the key.
  5. If the key is wrong:
    • The AP blocks the device from connecting.

Exam Tip: Know the difference between PSK and 802.1X:

  • PSK = shared password, simple, no server needed.
  • 802.1X = uses RADIUS, unique credentials, more secure for enterprise.

4. PSK Configuration on Cisco Devices

Here’s a typical configuration flow for a Cisco Access Point (AP) using PSK:

! Define the WLAN SSID and enable it
dot11 ssid OFFICE_WIFI
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii 0 MySecurePassword123

! Apply WLAN to the interface
interface Dot11Radio0
   ssid OFFICE_WIFI
   no shutdown

Explanation:

  • dot11 ssid OFFICE_WIFI → creates the SSID.
  • authentication key-management wpa version 2 → sets WPA2.
  • wpa-psk ascii 0 MySecurePassword123 → sets the PSK password.
  • The SSID is then applied to the radio interface.

Exam Tip: Remember:

  • ascii 0 → password is readable.
  • ascii 7 → password is encrypted in the configuration file.

5. Security Considerations

  • PSK is less secure than 802.1X in large networks because:
    • Everyone shares the same password.
    • If one user leaves, you may need to change the key for all users.
  • Use WPA2 or WPA3 over WPA for strong encryption.
  • PSK is still fine for:
    • Guest networks
    • Small branch offices
    • Temporary deployments

6. Verification Commands (Cisco CLI)

To verify PSK configuration and client connections:

  1. Check WLAN status:
show wlan summary
  1. Check connected clients:
show dot11 associations
  1. Check encryption method:
show wlan <SSID> | include WPA
  1. Verify PSK in use:
show running-config | include wpa-psk

Exam Tip: You may be asked how to verify clients are using PSK or which encryption method is applied.

7. Key Exam Takeaways for PSK

  • PSK is shared password-based authentication.
  • Works with WPA/WPA2/WPA3-Personal.
  • Simple setup, no RADIUS server needed.
  • All users share the same key.
  • Better for small networks; less secure for large environments.
  • Must use strong passwords to prevent brute-force attacks.
  • Commands for configuration and verification are important for the exam.

Summary Table:

FeaturePSK (Pre-Shared Key)
Authentication MethodShared password (no RADIUS)
Best ForSmall offices, guest Wi-Fi
Security LevelMedium (depends on password strength)
EncryptionWPA/WPA2/WPA3 (AES/TKIP)
Server RequiredNo
Verification Commandsshow wlan summary, show dot11 associations

This explanation covers everything you need to know for the PSK section on the CCNP Encore exam: definition, authentication process, configuration, verification, and security considerations.

Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by