CWNP CWSP-208 Certified Wireless Security Professional (CWSP) Exam Practice Test

The AKM (Authentication and Key Management) Suite List field within the RSN Information Element defines which authentication methods are supported by the AP. This field distinguishes between PSK (Pre-Shared Key) and Enterprise (802.1X) modes:

AKM Suite OUI 00-0F-AC:1 = WPA2-Personal (PSK)

AKM Suite OUI 00-0F-AC:2 = WPA2-Enterprise (802.1X)

By examining this field in Beacon or Probe Response frames, a protocol analyzer can determine the authentication method enforced by the BSS.

The correct sequence of the 4-Way Handshake frames in WPA/WPA2 is:

Message 1: Authenticator sends ANonce to the supplicant → (3)

Message 2: Supplicant sends SNonce and a MIC to the authenticator → (4)

Message 3: Authenticator sends GTK and confirms keys with MIC → (1)

Message 4: Supplicant confirms installation of PTK/GTK → (2)

This process ensures mutual key confirmation and integrity before data traffic begins.

In integrated WIPS systems, radios are shared between client servicing and security scanning. To maintain quality of service for latency-sensitive applications such as VoWiFi (Voice over Wi-Fi), scanning operations may be temporarily suspended or deprioritized, potentially reducing security monitoring during those periods.

WIPS (Wireless Intrusion Prevention Systems) monitor the RF environment and detect unauthorized activities. However, eavesdropping involves passive listening to wireless communications without transmitting any signals. Because the attacker is not transmitting or generating any detectable activity, a WIPS has no RF signal to detect and is thus unable to identify or prevent this attack.

An 802.11a/g-based WIPS cannot detect rogue activity that occurs in 802.11n/ac-specific modes, including Greenfield (HT-only) operation and use of 40 MHz channels, which are not part of the 802.11a/g specification. Greenfield mode disables legacy support, so a WIPS limited to 802.11a/g radios won’t even “see” these frames. This leaves a significant blind spot for detecting certain types of rogue devices or attacks using newer PHYs.

The RSN (Robust Security Network) Information Element (IE) is used to advertise the security capabilities of a wireless network, particularly for WPA2 and WPA3 networks. This RSN IE is contained in Beacon and Probe Response management frames, not in Probe Request, RTS, CTS, or Data frames. The Beacon frame is sent periodically by an AP to announce its presence and includes critical information about the BSS, including security settings like the RSN IE.

You would use a protocol analyzer to capture Beacon frames and inspect the RSN IE field to confirm if a BSS is properly configured to use RSN protections such as WPA2-Enterprise or WPA2-Personal.

Without proper staging, change management, and installation procedures, significant vulnerabilities may arise:

(B) WIPS relies on a known database of authorized APs and clients. If devices are deployed without proper registration and staging, WIPS cannot accurately classify devices as authorized, rogue, or neighbor.

(D) If APs are installed without changing default credentials, attackers can exploit them through common web or SNMP-based management interfaces.

This undermines both operational visibility and network security posture.

Before conducting a security audit of an 802.11ac WLAN, it is essential to know the current security implementations—such as the use of WPA2-Enterprise, 802.1X, or MAC filtering. This helps the auditor tailor tests to identify gaps, weaknesses, or misconfigurations in the existing system. Understanding the security solutions provides the most immediate insight into potential vulnerabilities.

When compliance reporting and forensic analysis are required and the WLAN vendor’s centralized management system does not provide it, deploying a dedicated overlay WIPS is the most effective solution. Overlay WIPS uses dedicated sensors independent of the WLAN’s operational radios, offering detailed threat detection, compliance logging, and reporting capabilities that often surpass native WLAN features.

A strong WLAN security policy should encompass both technical controls and user education.

C. Educating users about secure password creation and acceptable use policies helps reduce risks due to weak authentication and misuse.

E. Social engineering is a common attack vector, and educating users to recognize and report such attempts is critical.

Incorrect:

A. MAC addresses are always transmitted in the clear, even with encryption.

B. Policies should be shared with users to promote compliance and awareness.

D. Passwords for administrative systems should not be disclosed in public documentation or policy documents.

Peer-to-peer blocking (also called client isolation) is useful in open or public WLANs to prevent devices from communicating directly with each other.

B. In public hot-spots, isolating users helps protect against malware spread, snooping, and attacks from nearby devices.

Incorrect:

A. In home networks, peer-to-peer communication is often desired for file sharing.

C. Voice over Wi-Fi may rely on peer communication (e.g., multicast).

D. In university setups using multicast, peer-to-peer restrictions could hinder functionality.

EAP-TLS requires both server and client-side digital certificates, which adds complexity in client certificate management.

EAP-TTLS uses a server certificate to establish a secure TLS tunnel, after which user credentials (e.g., username/password) are sent inside the encrypted tunnel. No client certificate is needed.

Incorrect:

A. EAP-TLS also encrypts credentials using TLS.

B. EAP-TLS supports client certificates (it’s the core requirement).

C. Both EAP methods require an authentication server.

In environments where PSK-based authentication (like WPA2-Personal) is still in use due to legacy device constraints:

C. Regularly changing static passwords helps limit exposure from credential leaks or previous employees retaining access.

Incorrect:

A. MSCHAPv2 is vulnerable to offline attacks; recommending strong passwords is good, but that alone isn’t sufficient.

B. WEP is insecure regardless of password strength due to IV reuse.

D. Certificates are stronger, but not always feasible for legacy systems.

E. EAP-TLS is ideal but not always compatible with all devices; policies should be flexible to device capabilities.

Developing a robust WLAN security policy requires buy-in from executive or senior management. Without management support, it’s difficult to enforce compliance, allocate resources, or prioritize security among other organizational objectives. This foundational step ensures that policy creation and enforcement are feasible and aligned with organizational goals.

Incorrect:

A. Device/vendor specifics are addressed later during implementation.

C. End-user training materials are created after the policy is finalized.

D. Security policy software can assist, but is not essential compared to management support.

Rogue APs pose a significant risk and should be detected and mitigated automatically.

D. A properly configured Wireless Intrusion Prevention System (WIPS) can detect unauthorized APs and prevent client associations to them in real time.

Incorrect:

A. While WPA2-Enterprise adds client-level protection, it does not detect rogue APs.

B. Hiding SSIDs is ineffective—SSIDs are still discoverable in management frames.

C. Manual scans are labor-intensive and impractical for ongoing monitoring.

E. Port security controls wired threats but cannot detect rogue APs using wireless signals.

Hijacking attacks often rely on exploiting client behavior during signal disruption. Clients will seek better connections when RF is weak or interrupted. An attacker may:

Disrupt the signal (e.g., with a deauth attack)

Present a rogue access point (evil twin) with stronger signal

Trick the client into associating with the rogue AP, hijacking the session

Incorrect:

B. There is no standard 120-second timer behavior.

C. Loss of connectivity typically triggers reassociation and reauthentication.

D. Direct client-to-client connections are not required in infrastructure mode.

E. Band selection logic varies and is unrelated to hijacking attacks.

Aircrack-ng is a versatile toolset commonly used for WLAN penetration testing and security auditing. Its capabilities include:

A. Injecting deauth frames to simulate or test disconnection scenarios.

B. Testing WIPS responsiveness by simulating common attack frames.

D. Performing dictionary and brute-force attacks against weakly protected networks (e.g., WPA2-PSK with a weak passphrase).

Incorrect:

C. Aircrack-ng does not probe or test RADIUS shared secrets.

In Cisco LEAP (Lightweight EAP), the username is sent in clear text as part of the 802.1X authentication process. LEAP uses a challenge/response authentication mechanism that is susceptible to offline dictionary attacks because the attacker only needs to know the username and capture the challenge/response exchange to perform brute-force guessing of passwords. The username is used in generating the hash for the authentication exchange, making its disclosure critical for an attacker.

Incorrect:

A. PACs are used in EAP-FAST, not LEAP.

C. The 4-Way Handshake nonces are unrelated to the username.

D. While dictionary files may include username/password combos, the cryptographic significance in LEAP is due to the challenge/response mechanism.

EAP-FAST (Flexible Authentication via Secure Tunneling) provides:

Mutual authentication using Protected Access Credentials (PACs).

Does not require X.509 certificates for either client or server (although optional for servers).

Is faster and easier to deploy in environments lacking a PKI.

Incorrect:

B. EAP-MD5 provides no mutual authentication.

C. EAP-TLS requires client and server certificates.

D. PEAPv0/EAP-MSCHAPv2 requires a server certificate.

E. EAP-TTLS requires a server certificate.

F. PEAPv1/EAP-GTC still requires a server certificate.

RSNA (Robust Security Network Association), as defined by 802.11i, requires:

TKIP (WPA) or CCMP (WPA2) for encryption.

WEP is deprecated and not supported for RSNA since it does not meet RSN standards.

Incorrect:

B & C. BIP is not required for RSNA formation—it is used for management frame protection (802.11w).

D. VLANs are orthogonal to RSNA—network segmentation does not interfere with RSNA formation.

The Message Integrity Code (MIC) is:

A cryptographic checksum applied to the data payload.

It ensures the payload was not modified in transit and guards against tampering.

With AES-CCMP, the MIC is generated as part of the encryption process and verified upon decryption.

Incorrect:

A. Signal integrity is validated at the physical layer, not through the MIC.

C. The MIC protects data payload integrity, not just MAC headers.

D. The MIC is not generated during the 4-Way Handshake.

Different EAP types involve varying numbers of exchanges:

EAP-TLS, for example, involves more exchanges due to certificate negotiation.

EAP-MD5 or PEAP might involve fewer steps.

Thus, the most likely reason for different frame counts during successful authentication is the use of different EAP types.

Incorrect:

A. Cipher suites are negotiated after EAP, not during it.

B. Retransmissions would typically cause noticeable delay and not result in exactly 11 frames.

C. Reassociation does not significantly reduce EAP frame count.

D. RSN/TSN differences are not directly related to EAP exchange length.

Outdoor APs must be:

Protected from theft or tampering (physical security).

Shielded from weather/environmental conditions (IP-rated enclosures).

Mounted and secured to prevent unauthorized physical access or damage.

Incorrect:

A & B. Antenna type is relevant to RF coverage but does not address outdoor-specific security needs.

C. PoE is useful for power delivery but not a security solution.

In 802.1X/EAP authentication:

The EAP method (e.g., EAP-TLS, PEAP) results in the generation of a Master Session Key (MSK).

The Pairwise Master Key (PMK) is derived from the MSK.

The Pairwise Transient Key (PTK) is derived from the PMK using nonces and MAC addresses during the 4-Way Handshake.

The PTK includes the actual keys used for data encryption.

Incorrect:

B. This applies to WPA/WPA2-Personal, not 802.1X/EAP.

C. The RADIUS server sends the MSK, not the PMK directly.

D. The MSK is always derived during EAP authentication, mutual or not.

To leverage an existing LDAP user database (like Microsoft Active Directory or OpenLDAP) for WPA2-Enterprise:

Deploy a RADIUS server (e.g., FreeRADIUS or Microsoft NPS).

Configure the RADIUS server to query the LDAP directory for credential validation.

This maintains centralized authentication without the need for data duplication.

Incorrect:

A. Importing LDAP entries into RADIUS introduces sync and security issues.

B. SSL on LDAP is good practice, but it doesn’t directly handle WPA2-Enterprise authentication.

C. Mirroring LDAP into the controller is not scalable or supported.

The IEEE 802.1X framework consists of three defined roles:

Supplicant (E): The client device (STA) that requests access to the network.

Authenticator (F): The network device (usually an AP or switch) that enforces access control and acts as an intermediary between the supplicant and the authentication server.

Authentication Server (D): Typically a RADIUS server that validates credentials and responds with access decisions.

Incorrect:

A & B. Enrollee and Registrar are roles in Wi-Fi Protected Setup (WPS), not 802.1X.

C. AAA Server is a broader term; the specific role in 802.1X is “Authentication Server.”

G. “Control Point” is not a formal 802.1X role.

Comprehensive Detailed Explanation:

In the 802.1X/EAP framework:

The Authenticator is the device that controls access to the network — typically the AP or WLAN controller.

The Authenticator passes EAP messages between the Supplicant (client) and the Authentication Server (RADIUS).

Incorrect:

A. SRV21 is the RADIUS server (Authentication Server), not the Authenticator.

C. The MacBook Pro is the Supplicant.

D. RADIUS server handles Authentication, not Authenticator functionality.