The distinction between WPA2-Personal and WPA2-Enterprise is one of the most consequential — and most misunderstood — decisions in enterprise wireless security. Many organizations run WPA2-Personal on networks that handle sensitive business data, assuming that a strong password provides adequate protection. It often does not. Understanding why requires looking at what each mode actually does.

How Each Mode Works

WPA2-Personal (PSK)

WPA2-Personal uses a Pre-Shared Key (PSK) — a single password that all devices use to authenticate to the network. The PSK is used in the 4-way handshake to derive the Pairwise Transient Key (PTK), which encrypts traffic between each client and the access point.

The critical security implication: every device on the network uses the same secret. When a device connects, an attacker who captures the 4-way handshake can attempt to recover the PSK offline. If the PSK is in a dictionary, it can be recovered in seconds. Even with a strong password, the shared-secret model creates systemic risk.

WPA2-Enterprise (802.1X/RADIUS)

WPA2-Enterprise eliminates the shared secret. Instead, each user or device authenticates using individual credentials — typically a certificate (EAP-TLS), username/password (PEAP-MSCHAPv2), or a hardware token. Authentication is handled by a RADIUS server (Remote Authentication Dial-In User Service) that validates credentials before allowing network access.

Each session generates unique encryption keys. Compromising one user's credentials does not expose other users' traffic. Revoking access for a departing employee means deleting their account on the RADIUS server — not changing the WiFi password across every device in the organization.
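To make the shared-secret point concrete, here is an added example (not from the original article) that implements the WPA2 PMK and PTK derivations from IEEE 802.11: the PMK depends only on the passphrase and SSID, and the PTK only on the PMK plus values sent in the clear in the 4-way handshake, so anyone holding the PSK who observes a handshake derives that client's session keys. The MAC addresses, nonces and passphrase in the demo are constructed; the "password"/"IEEE" pair in the test is the published IEEE 802.11 PBKDF2 test vector.

```python
import hashlib
import hmac

# Parameters from IEEE 802.11 (RSN / WPA2): passphrase-to-PMK stretching
# uses PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256-bit output.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32
PTK_LEN = 48                     # CCMP PTK = KCK(16) | KEK(16) | TK(16)
PTK_LABEL = b"Pairwise key expansion"


def pmk_from_psk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK. Depends only on passphrase and SSID, so every
    device on the network (and anyone who learns the passphrase) holds it."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, PMK_LEN)


def prf_sha1(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1(key, label||0x00||data||i)."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]),
                        hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes,
                 anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, label, min/max of the two MACs and the two nonces).
    All four inputs besides the PMK travel unencrypted in the 4-way handshake."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_sha1(pmk, PTK_LABEL, data, PTK_LEN)


def shared_secret_demo(passphrase: str = "correct horse", ssid: str = "CorpWiFi") -> dict:
    """Constructed scenario: two clients on one PSK network. Their PTKs differ,
    but a third party who knows the passphrase and saw client 1's handshake
    recomputes client 1's PTK exactly: the PSK gives no traffic isolation."""
    ap = bytes.fromhex("020000000001")                    # constructed AP MAC
    c1, c2 = bytes.fromhex("020000000011"), bytes.fromhex("020000000022")
    a1, s1 = bytes([0x11]) * 32, bytes([0x22]) * 32      # constructed nonces
    a2, s2 = bytes([0x33]) * 32, bytes([0x44]) * 32
    pmk = pmk_from_psk(passphrase, ssid)
    ptk1 = ptk_from_pmk(pmk, ap, c1, a1, s1)
    ptk2 = ptk_from_pmk(pmk, ap, c2, a2, s2)
    observer_ptk1 = ptk_from_pmk(pmk_from_psk(passphrase, ssid), ap, c1, a1, s1)
    return {"distinct_ptk": ptk1 != ptk2, "observer_recovers_ptk": observer_ptk1 == ptk1}
```

Under 802.1X the PMK is instead delivered per session from the EAP exchange (via the RADIUS server), so an eavesdropper has nothing equivalent to the passphrase to start from.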

Side-by-Side Comparison

| Property | WPA2-Personal (PSK) | WPA2-Enterprise (802.1X) |
|---|---|---|
| Authentication | Shared password | Individual credentials (cert/user/token) |
| Credential management | Single secret for all devices | Per-user/device, centrally managed |
| Revoking access | Change password on all devices | Disable account on RADIUS server |
| Offline attack surface | PSK recoverable from captured handshake | No shared secret to recover |
| Traffic isolation | All clients share same key material | Per-session unique keys |
| BYOD support | Simple (one password) | Complex (requires certificate or MDM) |
| Infrastructure needed | None beyond AP | RADIUS server, PKI (for EAP-TLS) |
| Setup complexity | Low | High |
| NIS2 / ISO 27001 fit | Acceptable only for low-risk networks | Preferred for regulated environments |

BYOD Implications

Bring-Your-Own-Device (BYOD) programs create a specific challenge for enterprise WiFi. With WPA2-Personal, onboarding a personal device is trivial — hand the employee the WiFi password. The problem is that personal devices are statistically more likely to be lost, stolen, or compromised. If the device stores the PSK (which WiFi devices do by default), a stolen personal laptop is also a stolen WiFi credential.

WPA2-Enterprise solves this cleanly: each user has individual credentials, and a lost device means revoking that user's certificate or password — not rotating the WiFi password across your entire organization. The tradeoff is that personal devices need to be enrolled in your certificate management or MDM (Mobile Device Management) system, which adds IT overhead.

Practical advice: Many organizations run a hybrid model — WPA2-Enterprise for corporate devices and a separate guest SSID with WPA2-Personal (and strong password rotation) for BYOD or visitor access. This provides enterprise-grade security for sensitive data while maintaining operational flexibility.

Compliance Requirements: NIS2 and ISO 27001

Both NIS2 and ISO 27001 include requirements that have direct implications for wireless authentication mode.

NIS2 (Directive 2022/2555, implemented in CZ as Zákon 264/2025)

NIS2 Article 21 requires regulated entities to implement "policies and procedures regarding the use of cryptography and encryption" and "access control policies." The specific text does not mandate WPA2-Enterprise, but the requirements for individual accountability, access control auditability, and the ability to revoke access promptly are difficult to satisfy with WPA2-Personal on networks handling regulated data.

When NÚKIB (Czech NIS2 regulator) or any EU NIS2 supervisory body reviews your wireless security controls, they will look for evidence that network access is tied to identifiable, managed credentials. A shared PSK provides none of this — there is no audit trail of who connected when, and revocation requires operational disruption.

ISO 27001:2022

Control A.8.20 (Network security) and A.5.17 (Authentication information) together create a strong preference for individual authentication on networks carrying confidential data. The ISO 27001 auditor will ask: "If an employee leaves, how do you ensure they can no longer access the WiFi?" With WPA2-Personal, the only satisfactory answer is "we changed the password" — which implies you informed all remaining users and updated all devices, a process that is rarely done consistently.

When WPA2-Personal Is Acceptable

WPA2-Personal is not inherently insecure. It is appropriate in specific contexts:

Not acceptable with WPA2-Personal: Networks carrying payment card data (PCI DSS Requirement 1.3.2), patient health records, classified or regulated information, or networks connecting to critical infrastructure. For these environments, WPA2-Enterprise is a baseline expectation, not an enhancement.

Migration Considerations

Migrating from WPA2-Personal to WPA2-Enterprise requires planning but is achievable for most organizations. The key components:

  1. RADIUS server: FreeRADIUS (open source), Windows NPS, or a cloud RADIUS service (e.g., Cisco ISE, Okta RADIUS, JumpCloud)
  2. EAP method selection: EAP-TLS (certificate-based, most secure), PEAP-MSCHAPv2 (username/password, simpler to deploy), EAP-TTLS
  3. Certificate infrastructure: Required for EAP-TLS; your CA can be an internal Windows CA, Let's Encrypt, or a commercial PKI
  4. Device enrollment: MDM or manual certificate distribution for all devices in scope
  5. Staged rollout: Deploy Enterprise SSID in parallel with existing PSK SSID, migrate device groups progressively

For organizations already using Microsoft Active Directory or Azure AD, the migration is significantly simpler — NPS integrates directly with AD, and device certificates can be distributed via Group Policy or Microsoft Intune.
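The hybrid model described under BYOD Implications and the parallel-SSID rollout in step 5 can be expressed on the access point side in one configuration. The following is an added example, not from the original article, written for a Linux AP running hostapd (an assumption; the page names no AP software): one WPA2-Enterprise BSS pointed at an external RADIUS server beside a WPA2-Personal guest BSS. The RADIUS address is from the RFC 5737 documentation range and the secrets and BSSID are placeholders to replace.

```ini
# hostapd.conf: staged rollout with both SSIDs on one radio
interface=wlan0
driver=nl80211
hw_mode=g
channel=6

# BSS 1: corporate SSID, WPA2-Enterprise (802.1X). Keys are derived per session
# from the EAP exchange, so no shared passphrase exists on this SSID.
ssid=Corp-Secure
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
# Protected Management Frames required: deauth/disassoc frames are authenticated
ieee80211w=2
ieee8021x=1
# Do not use hostapd's built-in EAP server; forward to the external RADIUS server
eap_server=0
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=REPLACE_WITH_LONG_RANDOM_SECRET

# BSS 2: guest/BYOD SSID, WPA2-Personal, kept only until migration completes.
# The passphrase must be rotated on a schedule because every device shares it.
bss=wlan0_1
bssid=02:00:00:00:00:02
ssid=Guest-BYOD
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
ieee80211w=1
wpa_passphrase=REPLACE_WITH_ROTATED_GUEST_PASSPHRASE
# Block client-to-client traffic at layer 2 on the guest SSID
ap_isolate=1
```

Once the corporate device groups have moved over, the second BSS block is removed rather than left running with a stale passphrase.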

Auditing Your Current WiFi Security Mode

Regardless of which mode you use, your wireless security posture requires regular documentation. For WPA2-Personal networks, password strength testing is the most critical control — you need to demonstrate that the PSK is not recoverable from a captured handshake.

The wifiaudit.io API provides exactly this: upload a WPA2 handshake capture and receive a compliance-ready PDF documenting whether the password was found in a 14M+ dictionary. This evidence satisfies NIS2, ISO 27001, and SOC 2 auditors who need to see that wireless password strength is actively monitored.

For WPA2-Enterprise networks, audit focus shifts to RADIUS server configuration, certificate validity, EAP method security, and access revocation procedures. The wifiaudit.io report documents the authentication mode observed in the capture as part of the compliance record.