CWSP-208 Questions and Answers

Without proper staging, change management, and installation procedures, significant vulnerabilities may arise:

(B) WIPS relies on a known database of authorized APs and clients. If devices are deployed without proper registration and staging, WIPS cannot accurately classify devices as authorized, rogue, or neighbor.

(D) If APs are installed without changing default credentials, attackers can exploit them through common web or SNMP-based management interfaces.

This undermines both operational visibility and network security posture.

A. WPA2-Enterprise authentication: The multiple EAP Request/Response exchanges followed by an EAP Success and a 4-Way Handshake (EAPOL-Key frames) indicate 802.1X authentication, characteristic of WPA2-Enterprise.

C. 802.11 Open System authentication: Two Auth frames (request and response) without encryption negotiation signify Open System Authentication — a default in RSN setups.

F. Active Scanning: Begins with Probe Request and Probe Response — part of an active scan process.

G. 4-Way Handshake: Identified by four sequential EAPOL-Key frames, completing the authentication process in WPA2.

WIPS (Wireless Intrusion Prevention Systems) monitor the RF environment and detect unauthorized activities. However, eavesdropping involves passive listening to wireless communications without transmitting any signals. Because the attacker is not transmitting or generating any detectable activity, a WIPS has no RF signal to detect and is thus unable to identify or prevent this attack.

The RSN (Robust Security Network) Information Element (IE) is used to advertise the security capabilities of a wireless network, particularly for WPA2 and WPA3 networks. This RSN IE is contained in Beacon and Probe Response management frames, not in Probe Request, RTS, CTS, or Data frames. The Beacon frame is sent periodically by an AP to announce its presence and includes critical information about the BSS, including security settings like the RSN IE.

You would use a protocol analyzer to capture Beacon frames and inspect the RSN IE field to confirm if a BSS is properly configured to use RSN protections such as WPA2-Enterprise or WPA2-Personal.

To leverage an existing LDAP user database (like Microsoft Active Directory or OpenLDAP) for WPA2-Enterprise:

Deploy a RADIUS server (e.g., FreeRADIUS or Microsoft NPS).

Configure the RADIUS server to query the LDAP directory for credential validation.

This maintains centralized authentication without the need for data duplication.

Incorrect:

A. Importing LDAP entries into RADIUS introduces sync and security issues.

B. SSL on LDAP is good practice, but it doesn’t directly handle WPA2-Enterprise authentication.

C. Mirroring LDAP into the controller is not scalable or supported.

A Transitional Security Network (TSN) allows legacy stations to interoperate by using older encryption methods. If AES (CCMP) is unsupported by older equipment, the network can fall back to TKIP, which uses RC4 as its encryption algorithm. TKIP enables AES encryption on newer devices while accommodating legacy clients.

Options A, C, D are current or deprecated standards with AES; only RC4 matches the transitional need.

In WPA2-Personal with AES-CCMP:

The MSDU (MAC Service Data Unit), which includes the payload from Layer 3 and above, is encrypted.

This protects the actual application data (e.g., web content, email).

Frame headers (MAC headers) are not encrypted.

Incorrect:

B. MPDU includes MAC headers, which are not encrypted.

C. PPDU includes preamble and physical-layer components, which are never encrypted.

D. PSDU includes the MAC header and frame body; again, headers are not encrypted.

Comprehensive Detailed Explanation:

To support real-time applications like Voice over Wi-Fi:

WPA2-Enterprise ensures robust security using 802.1X and AES-CCMP.

Fast secure roaming (802.11r) is essential to maintain voice session quality.

VLAN segmentation improves network performance and security between voice and data devices.

Incorrect:

A. WPA-Enterprise is less secure than WPA2, and frequency band segmentation doesn’t address QoS and security together.

C. WEP is deprecated and insecure even with added measures.

D. WPA-Personal lacks centralized authentication and doesn’t support enterprise-grade security or fast roaming.

Without traffic monitoring or filtering on guest VLANs, the following threats remain possible:

Spammers can exploit the open Internet access to send unsolicited traffic

en.wikipedia.org

Guests may launch external network attacks (e.g., scanning, DDoS)

Peer-to-peer attacks are prevented if client isolation is enabled. AP management plane security is a separate concern from VLAN separation, and VLAN isolation prevents frame sniffing into corporate networks.

WPA2-Enterprise relies on the IEEE 802.1X framework for authentication, which requires the use of the Extensible Authentication Protocol (EAP). The RADIUS server must support EAP to facilitate the exchange of authentication credentials and method negotiation between the client (supplicant) and the authentication server.

Incorrect:

A. LWAPP, GRE, and CAPWAP are used between APs and controllers—not for client authentication.

B. IPSec/ESP is a VPN protocol, not relevant here.

D. CCMP and TKIP are encryption protocols used between clients and APs, not within the RADIUS server.

E. LDAP may be queried by the RADIUS server, but it is not sufficient on its own—it doesn’t replace EAP.

The 802.1X Uncontrolled Port exists before a client is fully authenticated. It:

Permits only EAP/EAPoL frames to pass between the Supplicant and the Authenticator (AP or switch).

Blocks general data traffic until authentication completes.

After authentication, the Controlled Port is opened, allowing normal data flow.

Incorrect:

B. Authentication must complete before the 4-Way Handshake, not the other way around.

C. General data traffic uses the Controlled Port, not the Uncontrolled Port.

D. The Uncontrolled Port doesn't specifically deal with encrypted or decrypted user traffic.

RSNA (Robust Security Network Association), as defined by 802.11i, requires:

TKIP (WPA) or CCMP (WPA2) for encryption.

WEP is deprecated and not supported for RSNA since it does not meet RSN standards.

Incorrect:

B & C. BIP is not required for RSNA formation—it is used for management frame protection (802.11w).

D. VLANs are orthogonal to RSNA—network segmentation does not interfere with RSNA formation.

PTK (Pairwise Transient Key) is established per-client, so:

ABCData: 3 clients = 3 PTKs

ABCVoice: 2 clients = 2 PTKs

Guest: 3 clients = 3 PTKs

Total: 8 PTKs

GTK (Group Temporal Key) is shared per SSID, so:

One GTK per SSID (ABCData, ABCVoice, Guest)

Total: 3 GTKs

In Cisco LEAP (Lightweight EAP), the username is sent in clear text as part of the 802.1X authentication process. LEAP uses a challenge/response authentication mechanism that is susceptible to offline dictionary attacks because the attacker only needs to know the username and capture the challenge/response exchange to perform brute-force guessing of passwords. The username is used in generating the hash for the authentication exchange, making its disclosure critical for an attacker.

Incorrect:

A. PACs are used in EAP-FAST, not LEAP.

C. The 4-Way Handshake nonces are unrelated to the username.

D. While dictionary files may include username/password combos, the cryptographic significance in LEAP is due to the challenge/response mechanism.

TKIP (Temporal Key Integrity Protocol) was introduced with WPA to enhance WEP security. One of the security mechanisms used in TKIP is a per-MPDU (MAC Protocol Data Unit) sequence counter called the TSC (TKIP Sequence Counter). The TSC acts as a form of replay protection by assigning a unique sequence number to each transmitted frame. If a packet is received with a sequence number lower than or equal to a previously received number, it is discarded. This directly prevents replay attacks, where a malicious actor resends previously captured frames in an attempt to spoof the session or extract data.

C. RF DoS attacks use signal jamming or interference to prevent communication.

D. Hijacking uses deauthentication and re-association to force users onto rogue APs.

E. Social engineering uses manipulation to acquire credentials or sensitive information.

Incorrect:

A. Management interface exploit attacks typically involve web or CLI interface vulnerabilities, not social engineering.

B. Zero-day attacks are based on unknown vulnerabilities, not just limited to authentication or encryption.

F. Association flood attacks occur at Layer 2, not Layer 3.

Peer-to-peer blocking (also called client isolation) is useful in open or public WLANs to prevent devices from communicating directly with each other.

B. In public hot-spots, isolating users helps protect against malware spread, snooping, and attacks from nearby devices.

Incorrect:

A. In home networks, peer-to-peer communication is often desired for file sharing.

C. Voice over Wi-Fi may rely on peer communication (e.g., multicast).

D. In university setups using multicast, peer-to-peer restrictions could hinder functionality.

A strong WLAN security policy should encompass both technical controls and user education.

C. Educating users about secure password creation and acceptable use policies helps reduce risks due to weak authentication and misuse.

E. Social engineering is a common attack vector, and educating users to recognize and report such attempts is critical.

Incorrect:

A. MAC addresses are always transmitted in the clear, even with encryption.

B. Policies should be shared with users to promote compliance and awareness.

D. Passwords for administrative systems should not be disclosed in public documentation or policy documents.

Rogue APs pose a significant risk and should be detected and mitigated automatically.

D. A properly configured Wireless Intrusion Prevention System (WIPS) can detect unauthorized APs and prevent client associations to them in real time.

Incorrect:

A. While WPA2-Enterprise adds client-level protection, it does not detect rogue APs.

B. Hiding SSIDs is ineffective—SSIDs are still discoverable in management frames.

C. Manual scans are labor-intensive and impractical for ongoing monitoring.

E. Port security controls wired threats but cannot detect rogue APs using wireless signals.

EAP-TLS requires both server and client-side digital certificates, which adds complexity in client certificate management.

EAP-TTLS uses a server certificate to establish a secure TLS tunnel, after which user credentials (e.g., username/password) are sent inside the encrypted tunnel. No client certificate is needed.

Incorrect:

A. EAP-TLS also encrypts credentials using TLS.

B. EAP-TLS supports client certificates (it’s the core requirement).

C. Both EAP methods require an authentication server.

Developing a robust WLAN security policy requires buy-in from executive or senior management. Without management support, it’s difficult to enforce compliance, allocate resources, or prioritize security among other organizational objectives. This foundational step ensures that policy creation and enforcement are feasible and aligned with organizational goals.

Incorrect:

A. Device/vendor specifics are addressed later during implementation.

C. End-user training materials are created after the policy is finalized.

D. Security policy software can assist, but is not essential compared to management support.

In environments where PSK-based authentication (like WPA2-Personal) is still in use due to legacy device constraints:

C. Regularly changing static passwords helps limit exposure from credential leaks or previous employees retaining access.

Incorrect:

A. MSCHAPv2 is vulnerable to offline attacks; recommending strong passwords is good, but that alone isn’t sufficient.

B. WEP is insecure regardless of password strength due to IV reuse.

D. Certificates are stronger, but not always feasible for legacy systems.

E. EAP-TLS is ideal but not always compatible with all devices; policies should be flexible to device capabilities.