Answer by Westley Julio:
There are a few reasons. Largely, it’s because security comes in layers. The purpose of the layers is to not make the network impossible to compromise (which is a fool’s goal) but to make it so difficult that an attacker will go after easier targets.
- Physical access – Notwithstanding internet-facing vulnerabilities, in order to compromise a wired network you need to be able to plug in to it. If the building access is well controlled, a would-be attacker has a significant obstacle. Wireless should be assumed to remove this layer.
- Broadcasted information – There’s a tremendous amount of information that can be extracted from wireless networks, without cracking passwords or otherwise compromising the network. For example, one can see the MAC address(es) of the Access Point(s) and client(s), SSIDs contained in client probes, number of frames sent/received, etc. If I can associate a MAC with a specific person, I can know when they’re in a building as well as when and how much they send/receive data.
- Denial of service – It’s very easy to carry out a deauthentication attack on a wireless network. Essentially, this attack forces clients to disconnect and can be done infinitely, scheduled or on demand. You don’t even need to have compromised the network. This hole is built right into the 802.11 standards. This can cost companies in lost productivity and utilization of human resources to troubleshoot.
- Exposure – An attacker can capture (record) wireless transmissions and attempt to break into it later. There’s virtually no time limit on this. If a WPA-PSK password is brute forced or otherwise discovered, the attacker can decrypt wireless communications for all clients virtually live. RADIUS is a much more secure way to go since you can only compromise one client at a time. However, it’s still possible to compromise the client and/or network.
- Revocation of access – A user’s access to a network may need to be revoked. With wired-only access, removal from the premises is an effective means of doing so. With wireless access there are additional steps and a delay in time between the desire to remove access and when that revocation occurs. With WPA-PSK, to revoke one user’s access to the network you have to revoke access to ALL, if temporarily, by changing the password. With RADIUS you can revoke per user.
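
A defender-side illustration of the denial-of-service point in the answer above, added here and not part of the original answer: a sliding-window check that flags bursts of deauthentication/disassociation frames per access point. The frame records, their field layout, the addresses, the window and the threshold are all constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample records: (time_ms, subtype, bssid, destination).
# Field layout and addresses are assumptions for this example.
AP1, AP2 = "02:00:00:00:00:01", "02:00:00:00:00:02"
BROADCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE_FRAMES = (
    [(0, "beacon", AP1, BROADCAST),
     (1000, "deauth", AP1, "02:00:00:00:00:aa"),   # ordinary client disconnect
     (40000, "deauth", AP1, "02:00:00:00:00:ab")]
    # 30 broadcast deauths, 100 ms apart: the flood pattern
    + [(10000 + 100 * i, "deauth", AP2, BROADCAST) for i in range(30)]
)


def detect_deauth_floods(frames, window_ms=5000, threshold=10):
    """Return {bssid: (time_ms_of_first_alert, frames_in_window)}.

    An alert fires the first time a BSSID accumulates `threshold`
    deauth/disassoc frames within `window_ms`.
    """
    recent = defaultdict(deque)   # bssid -> timestamps inside the window
    alerts = {}
    for ts, subtype, bssid, _dst in sorted(frames):
        if subtype not in ("deauth", "disassoc"):
            continue
        q = recent[bssid]
        q.append(ts)
        # Drop timestamps that have aged out of the sliding window.
        while ts - q[0] > window_ms:
            q.popleft()
        if len(q) >= threshold and bssid not in alerts:
            alerts[bssid] = (ts, len(q))
    return alerts


if __name__ == "__main__":
    for bssid, (ts, n) in detect_deauth_floods(SAMPLE_FRAMES).items():
        print(f"possible deauth flood on {bssid}: {n} frames by t={ts} ms")
```

The two isolated deauth frames on the first access point stay below the threshold, so only the burst on the second one is reported.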