Wireless Security Audit: Meridian Corp

NE-08 -- Wireless Networking Scenario Lab

8 Steps 25-35 min Scenario Lab

Incident Brief

Meridian Corp's IT department has received multiple complaints about the wireless network. Users on Floor 2 report complete dead zones, employees across all floors experience slow WiFi during peak hours, and a routine scan detected an unauthorized access point on the corporate VLAN. You have been brought in to audit the entire wireless deployment, identify every issue, and remediate them before the upcoming PCI-DSS compliance audit.

TICKET-4401: Dead zones Floor 2 TICKET-4402: Slow WiFi all floors TICKET-4403: Rogue AP detected TICKET-4404: PCI audit in 48 hours

0 / 8 findings resolved

AP Channel Assignment Analysis

PENDING

Wireless Controller -- Channel Map Report +------------------+--------+----------+--------+-----------+ | Access Point | Floor | Band | Channel| Clients | +------------------+--------+----------+--------+-----------+ | AP-FL1-LOBBY | 1 | 2.4 GHz | 1 | 34 | | AP-FL1-EAST | 1 | 2.4 GHz | 6 | 28 | | AP-FL2-CENTER | 2 | 2.4 GHz | 6 | 41 | | AP-FL2-WEST | 2 | 2.4 GHz | 11 | 22 | | AP-FL3-NORTH | 3 | 2.4 GHz | 1 | 38 | | AP-FL3-SOUTH | 3 | 2.4 GHz | 6 | 31 | +------------------+--------+----------+--------+-----------+ Note: AP-FL1-LOBBY and AP-FL3-NORTH are vertically adjacent (directly above/below). Signal bleed between floors measured at -45 dBm (strong overlap).

AP-FL1-LOBBY (Floor 1) and AP-FL3-NORTH (Floor 3) are both on channel 1 with strong signal overlap. What is the problem, and what should Floor 3 be changed to?

The three non-overlapping channels on 2.4 GHz are 1, 6, and 11. When two APs on the same channel have overlapping coverage areas, they must share airtime via CSMA/CA, causing co-channel interference (CCI). Moving to a different non-overlapping channel eliminates the overlap.

Floor 2 Dead Zone Investigation

PENDING

AP-FL2-CENTER -- Radio Configuration Radio 0 (2.4 GHz): Status: Enabled Channel: 6 Channel Width: 20 MHz Tx Power: 5 dBm (min: 5, max: 23) EIRP: 7 dBm Connected: 41 clients Radio 1 (5 GHz): Status: DISABLED Channel: -- Channel Width: -- Tx Power: -- Connected: 0 clients Site Survey Note: Floor 2 open plan, 4200 sq ft. Signal drops to -82 dBm at 15m from AP (unusable). Recommended minimum: -67 dBm for VoIP, -70 dBm for data.

Users on Floor 2 report dead zones. Given the AP configuration above, what two changes are needed?

The 5 GHz radio is completely disabled -- that means zero 5 GHz coverage on Floor 2. The 2.4 GHz radio is at minimum transmit power (5 dBm), far too low for a 4,200 sq ft open floor plan. Typical enterprise deployments use 14-20 dBm depending on density.

Spectrum Congestion Analysis

PENDING

Spectrum Analyzer -- 2.4 GHz Band Survey Channel 1: [||||||||||||||||||||] 92% utilization (4 Meridian + 5 neighbor APs) Channel 2: [|||||||||||||||||| ] 85% utilization (3 neighbor APs) Channel 3: [||||||||||||||||| ] 80% utilization (2 neighbor APs) Channel 4: [|||||||||||||||| ] 78% utilization (2 neighbor APs) Channel 5: [||||||||||||||| ] 74% utilization (1 neighbor AP) Channel 6: [|||||||||||||||||||| ] 95% utilization (3 Meridian + 4 neighbor APs) Channel 7: [||||||||||||||||| ] 82% utilization (3 neighbor APs) Channel 8: [|||||||||||||||| ] 76% utilization (2 neighbor APs) Channel 9: [|||||||||||||| ] 68% utilization (1 neighbor AP) Channel 10: [||||||||||||||||| ] 80% utilization (3 neighbor APs) Channel 11: [||||||||||||||||||||] 90% utilization (2 Meridian + 5 neighbor APs) Total neighboring SSIDs detected: 12 5 GHz Band Survey: Channel 36: [||||| ] 22% utilization (1 neighbor AP) Channel 40: [||| ] 14% utilization Channel 44: [|||| ] 18% utilization (1 neighbor AP) Channel 149: [|| ] 8% utilization Channel 153: [||| ] 12% utilization 24 non-overlapping channels available (UNII-1/2/2e/3)

The 2.4 GHz band is heavily congested with 12 neighboring networks. What is the best mitigation strategy?

The 2.4 GHz band has only 3 non-overlapping channels (1, 6, 11) and is saturated by neighboring networks. The 5 GHz band offers 24+ non-overlapping channels with much lower utilization. Band steering and preferring 5 GHz is the standard enterprise approach in congested environments.

Guest SSID Security Assessment

PENDING

SSID Configuration -- MeridianGuest SSID Name: MeridianGuest VLAN: 100 (Guest) Security Mode: WEP WEP Key Type: 64-bit WEP Key: A1B2C (ASCII) Authentication: Open System MAC Filtering: Disabled Broadcast SSID: Yes Client Isolation: Disabled Rate Limiting: None Captive Portal: Disabled Wireless Controller Alert: WARNING: WEP encryption is deprecated and cryptographically broken. Aircrack-ng can recover a WEP key in under 5 minutes with sufficient IVs.

The guest network MeridianGuest is using WEP encryption. What is the security risk?

WEP (Wired Equivalent Privacy) was broken in 2001. The RC4 stream cipher implementation has a fatal IV (initialization vector) weakness. Tools like aircrack-ng can recover the key in minutes by capturing enough packets. WPA3 with SAE (Simultaneous Authentication of Equals) is the current standard.

Corporate SSID Authentication Review

PENDING

SSID Configuration -- MeridianCorp SSID Name: MeridianCorp VLAN: 10 (Corporate) Security Mode: WPA2-Personal (PSK) Encryption: AES-CCMP Pre-Shared Key: meridian123 Key Rotation: Never changed (set 14 months ago) Connected Clients: 187 Authentication: PSK (all users share same key) 802.1X: Not configured RADIUS Server: Not configured PCI-DSS Requirement 4.1: "Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks." Risk Assessment: - PSK is a dictionary word + numbers (crackable) - 187 users share the same password - No per-user authentication or accountability - Former employees still have the key

MeridianCorp uses WPA2-PSK with "meridian123" shared among 187 users. What authentication method is needed for PCI compliance?

Enterprise environments need per-user authentication for accountability and access control. 802.1X with RADIUS provides individual credentials (username/password or certificates), automatic key rotation per session, and the ability to revoke access for individual users. WPA3-Enterprise adds 192-bit security suite for sensitive networks.

Rogue Access Point Response

PENDING

Wireless IDS -- Rogue AP Detection Log [2026-03-27 02:14:33] ALERT: Rogue AP Detected BSSID: DE:AD:BE:EF:CA:FE SSID: MeridianCorp Channel: 6 (2.4 GHz) Signal: -38 dBm (very strong -- likely on-site) Security: WPA2-PSK (matching corporate SSID) First Seen: 2026-03-25 19:22:01 Clients: 14 connected [2026-03-27 02:14:33] CLASSIFICATION: EVIL TWIN - SSID matches corporate network name - Not registered in wireless controller - MAC OUI: Unknown vendor (possibly spoofed) - Connected to VLAN 10 (Corporate) - Located: Floor 2, East Wing (triangulated) WIDS Policy: Auto-containment = DISABLED Switch Port Trace: Port Gi1/0/24, no 802.1X on port

A rogue AP with MAC DE:AD:BE:EF:CA:FE is spoofing MeridianCorp on the corporate VLAN with 14 clients connected. What is the correct immediate action?

A rogue AP on the corporate VLAN is a critical security incident. The wireless controller can send deauthentication frames to clients connected to the rogue, preventing data exfiltration. Simultaneously, the switch port (Gi1/0/24) should be shut down. This is containment -- the standard WIDS response to an evil twin attack.

Guest Network Isolation Audit

PENDING

MeridianGuest SSID -- Advanced Settings SSID: MeridianGuest VLAN: 100 (Guest) Layer 2 Settings: Client Isolation: DISABLED Peer-to-Peer: ALLOWED Proxy ARP: Disabled Multicast: Allowed Layer 3 Settings: DHCP Pool: 10.100.0.0/24 Gateway: 10.100.0.1 DNS: 8.8.8.8, 8.8.4.4 Firewall to Corp: BLOCKED (ACL applied) Internet Access: Allowed Penetration Test Finding (excerpt): "With client isolation disabled, an attacker on MeridianGuest can ARP spoof other guests and perform man-in-the-middle attacks. ARP requests and responses flow freely between all clients on VLAN 100. Wireshark capture confirmed cleartext credentials intercepted from 3 guests during a 10-minute test window."

The guest SSID has no client isolation enabled. What is the security risk?

Client isolation (also called peer-to-peer blocking or AP isolation) prevents wireless clients on the same SSID from communicating directly with each other. Without it, any guest can ARP spoof, run Wireshark, or launch MITM attacks against other guests on the same network segment.

RADIUS Authentication Failure

PENDING

RADIUS Server Configuration (FreeRADIUS -- 10.1.1.50) # /etc/freeradius/clients.conf client meridian-wlc { ipaddr = 10.1.1.10 secret = M3ridian$ecure! shortname = wireless-controller nastype = other } --- Wireless Controller RADIUS Settings RADIUS Server: 10.1.1.50 RADIUS Port: 1812 Shared Secret: M3ridianSecure! Auth Protocol: EAP-PEAP Timeout: 5 seconds Retries: 3 --- Authentication Log (last 24 hours) [03-27 08:01:12] EAP: user jsmith@meridian.com -> REJECT (shared secret mismatch) [03-27 08:01:44] EAP: user agarcia@meridian.com -> REJECT (shared secret mismatch) [03-27 08:02:09] EAP: user kwilson@meridian.com -> REJECT (shared secret mismatch) [03-27 08:02:15] EAP: user tpatel@meridian.com -> REJECT (shared secret mismatch) Total rejections: 143 in 24 hours -- 100% failure rate

All 802.1X authentications are failing with "shared secret mismatch." Compare the RADIUS server and wireless controller configs above. Why is authentication failing?

Look carefully at the shared secret on each side. The RADIUS server has "M3ridian$ecure!" while the wireless controller has "M3ridianSecure!" -- a single character difference. RADIUS shared secrets must match exactly (case-sensitive, special characters included) between the NAS (network access server) and the RADIUS server.

Audit Complete -- All Issues Resolved

You have successfully identified and remediated all wireless security and performance issues at Meridian Corp. The network is now ready for the PCI-DSS compliance audit.

Key fixes applied: channel reassignment, radio enablement, band migration, WEP removal, enterprise authentication, rogue AP containment, client isolation, and RADIUS remediation.