CWNP CWSP-208 Certified Wireless Security Professional (CWSP) Exam Practice Test

Outdoor APs must be:

Protected from theft or tampering (physical security).

Shielded from weather/environmental conditions (IP-rated enclosures).

Mounted and secured to prevent unauthorized physical access or damage.

Incorrect:

A & B. Antenna type is relevant to RF coverage but does not address outdoor-specific security needs.

C. PoE is useful for power delivery but not a security solution.

In WPA2-Personal with AES-CCMP:

The MSDU (MAC Service Data Unit), which includes the payload from Layer 3 and above, is encrypted.

This protects the actual application data (e.g., web content, email).

Frame headers (MAC headers) are not encrypted.

Incorrect:

B. MPDU includes MAC headers, which are not encrypted.

C. PPDU includes preamble and physical-layer components, which are never encrypted.

D. PSDU includes the MAC header and frame body; again, headers are not encrypted.

A. 802.11w (now part of 802.11-2012) introduces protection for management frames, especially disassociation and deauthentication frames, helping prevent spoofing-based DoS attacks. However, it cannot prevent all types of Layer 2 DoS (e.g., RF jamming).

D. Specifically, 802.11w protects disassociation and deauthentication frames by signing them with cryptographic keys.

Incorrect:

B. The MAC header and PHY preamble are not encrypted under any standard.

C. Authentication and association frames are not protected by 802.11w; only certain management frames are.

A utility that combines a secret and salt to generate a random string is effectively a key derivation tool. It can be used to:

Generate PMKs (Pairwise Master Keys) to preload ready-made keys into RSN devices

Generate shared secrets (e.g., RADIUS shared secrets, WLAN controller keys)

Create strong passphrases for WPA2-Personal networks

Using it for IPSec session keys is less common (those are usually dynamically negotiated), and creating management passwords is possible but not the main us

With PEAPv0/EAP-MSCHAPv2:

The TLS tunnel is created between the supplicant and the RADIUS server.

Therefore, the RADIUS server must have the X.509 server certificate and private key to authenticate itself and establish the tunnel.

Incorrect:

A. Supplicants verify the server’s certificate, not hold it.

B. LDAP server is used for querying, not for EAP termination.

C. APs and

D. Controllers pass the authentication info but don’t require certificates for PEAP termination.

Secure configuration of network devices requires encrypted management protocols:

HTTPS: Provides secure web-based GUI access using TLS encryption.

SSHv2: Provides secure CLI access using encrypted channels.

Incorrect:

A. SNMPv1 is not secure — lacks encryption and authentication.

C. Telnet sends credentials and commands in clear text.

D. TFTP is used for file transfer without encryption or authentication.

E. FTP is also insecure—transmits credentials in plain text.

PTK (Pairwise Transient Key) is established per-client, so:

ABCData: 3 clients = 3 PTKs

ABCVoice: 2 clients = 2 PTKs

Guest: 3 clients = 3 PTKs

Total: 8 PTKs

GTK (Group Temporal Key) is shared per SSID, so:

One GTK per SSID (ABCData, ABCVoice, Guest)

Total: 3 GTKs

Role-Based Access Control (RBAC) allows administrators to define user roles and enforce network access permissions based on the user’s identity. By implementing RBAC in the WLAN, you can:

Grant the Marketing group access only to the file/email server and the Internet

Prevent access to other internal resources

This single feature enables fine-grained restriction without needing multiple SSIDs or ACLs.

Other options don’t provide the necessary flexibility:

A. Mutual authentication ensures secure identity verification but doesn't control network access scope

B & D & E do not provide targeted resource-level access control

Comprehensive Detailed Explanation:

In 802.1X/EAP-based authentication:

After Open System authentication, clients send EAP messages via the uncontrolled port.

The Controlled Port remains blocked until the 802.1X/EAP and 4-Way Handshake processes are complete.

Incorrect:

A. The AP or controller is the authenticator, not the client.

B. EAP types must match between supplicant and server.

D. Controlled port remains blocked until full authentication and key negotiation completes.

TKIP (Temporal Key Integrity Protocol) was introduced with WPA to enhance WEP security. One of the security mechanisms used in TKIP is a per-MPDU (MAC Protocol Data Unit) sequence counter called the TSC (TKIP Sequence Counter). The TSC acts as a form of replay protection by assigning a unique sequence number to each transmitted frame. If a packet is received with a sequence number lower than or equal to a previously received number, it is discarded. This directly prevents replay attacks, where a malicious actor resends previously captured frames in an attempt to spoof the session or extract data.

In Cisco LEAP (Lightweight EAP), the username is sent in clear text as part of the 802.1X authentication process. LEAP uses a challenge/response authentication mechanism that is susceptible to offline dictionary attacks because the attacker only needs to know the username and capture the challenge/response exchange to perform brute-force guessing of passwords. The username is used in generating the hash for the authentication exchange, making its disclosure critical for an attacker.

Incorrect:

A. PACs are used in EAP-FAST, not LEAP.

C. The 4-Way Handshake nonces are unrelated to the username.

D. While dictionary files may include username/password combos, the cryptographic significance in LEAP is due to the challenge/response mechanism.

A Denial-of-Service (DoS) attack focuses on preventing legitimate users from accessing network resources. In this case, the attacker has not accessed files or data but is interrupting services. This aligns perfectly with a DoS attack scenario.

Most integrated Wi-Fi adapters in Windows laptops are not capable of entering “monitor mode” or capturing 802.11ac frames properly. Compatibility with protocol analyzers like Wireshark or Omnipeek requires special drivers or specific USB adapters. Therefore, it is recommended to use a USB adapter known to support monitor mode and frame capture on 802.11ac for accurate and complete data capture.

Incorrect:

A. Not all adapters support protocol analyzer features.

C. MU-MIMO support is irrelevant for frame capture.

D. Other analyzers besides Wireshark can decode 802.11ac (e.g., Omnipeek).

E. Remote capture is not the only method—local USB adapters are effective too.

Though AES-CCMP is secure and 802.1X authentication is strong, LEAP is inherently weak because:

B. LEAP uses MS-CHAPv1, making it vulnerable to offline dictionary attacks once challenge/response exchanges are captured.

F. Layer 1 DoS attacks (such as RF jamming or interference) can be launched regardless of authentication mechanisms.

Incorrect:

A. AES-CCMP resists encryption cracking.

C. Peer-to-peer at Layer 3 is unrelated to LEAP or 802.1X vulnerabilities.

D. Application-layer eavesdropping is mitigated if encryption is properly implemented.

E. Session hijacking is more difficult with proper authentication and encryption in place.

C. RF DoS attacks use signal jamming or interference to prevent communication.

D. Hijacking uses deauthentication and re-association to force users onto rogue APs.

E. Social engineering uses manipulation to acquire credentials or sensitive information.

Incorrect:

A. Management interface exploit attacks typically involve web or CLI interface vulnerabilities, not social engineering.

B. Zero-day attacks are based on unknown vulnerabilities, not just limited to authentication or encryption.

F. Association flood attacks occur at Layer 2, not Layer 3.

MS-CHAPv2 is a widely used authentication protocol, but it has notable weaknesses:

B. MS-CHAPv2 is vulnerable to offline dictionary attacks. Attackers can capture authentication exchanges and attempt password guesses offline due to predictable hashing behavior.

D. The only secure use of MS-CHAPv2 is inside a secure tunnel (e.g., EAP-TTLS or PEAP), where credentials are protected during transmission.

Incorrect:

A. MS-CHAPv2 is used in WPA2-Enterprise, not WPA-Personal, and it is allowed under WPA2-Enterprise via PEAP.

C. WEP does not enhance LEAP’s security; it compounds vulnerabilities.

E and F. MS-CHAPv2 does not use AES for authentication. Using AES-CCMP for encryption does not fix MS-CHAPv2's weaknesses.

When using a wireless aggregator to combine packet captures from channels 1, 6, and 11 (the three non-overlapping 2.4 GHz channels), you're most likely analyzing multi-channel behavior. This is particularly relevant when troubleshooting roaming issues, such as fast secure roaming (e.g., 802.11r). These captures help determine whether authentication or association events occur smoothly across APs operating on different channels.

Incorrect:

A. Adapter failure doesn't require multi-channel capture.

B. Interference location is typically single-channel and spectrum-analysis focused.

D. Narrowband DoS attacks are also usually identified using RF spectrum analysis, not packet capture across all channels.

802.11w, also known as Protected Management Frames (PMF), is designed to protect specific types of 802.11 management frames such as disassociation and deauthentication frames. These frames were previously sent unencrypted and could be spoofed by attackers to disconnect clients (DoS attacks). With 802.11w, these frames are cryptographically protected, mitigating such attacks.

PMF also includes replay protection for these management frames, preventing attackers from capturing and replaying them to disrupt network connectivity.

EAP-TLS requires both server and client-side digital certificates, which adds complexity in client certificate management.

EAP-TTLS uses a server certificate to establish a secure TLS tunnel, after which user credentials (e.g., username/password) are sent inside the encrypted tunnel. No client certificate is needed.

Incorrect:

A. EAP-TLS also encrypts credentials using TLS.

B. EAP-TLS supports client certificates (it’s the core requirement).

C. Both EAP methods require an authentication server.

Developing a robust WLAN security policy requires buy-in from executive or senior management. Without management support, it’s difficult to enforce compliance, allocate resources, or prioritize security among other organizational objectives. This foundational step ensures that policy creation and enforcement are feasible and aligned with organizational goals.

Incorrect:

A. Device/vendor specifics are addressed later during implementation.

C. End-user training materials are created after the policy is finalized.

D. Security policy software can assist, but is not essential compared to management support.

A strong WLAN security policy should encompass both technical controls and user education.

C. Educating users about secure password creation and acceptable use policies helps reduce risks due to weak authentication and misuse.

E. Social engineering is a common attack vector, and educating users to recognize and report such attempts is critical.

Incorrect:

A. MAC addresses are always transmitted in the clear, even with encryption.

B. Policies should be shared with users to promote compliance and awareness.

D. Passwords for administrative systems should not be disclosed in public documentation or policy documents.

In environments where PSK-based authentication (like WPA2-Personal) is still in use due to legacy device constraints:

C. Regularly changing static passwords helps limit exposure from credential leaks or previous employees retaining access.

Incorrect:

A. MSCHAPv2 is vulnerable to offline attacks; recommending strong passwords is good, but that alone isn’t sufficient.

B. WEP is insecure regardless of password strength due to IV reuse.

D. Certificates are stronger, but not always feasible for legacy systems.

E. EAP-TLS is ideal but not always compatible with all devices; policies should be flexible to device capabilities.

Rogue APs pose a significant risk and should be detected and mitigated automatically.

D. A properly configured Wireless Intrusion Prevention System (WIPS) can detect unauthorized APs and prevent client associations to them in real time.

Incorrect:

A. While WPA2-Enterprise adds client-level protection, it does not detect rogue APs.

B. Hiding SSIDs is ineffective—SSIDs are still discoverable in management frames.

C. Manual scans are labor-intensive and impractical for ongoing monitoring.

E. Port security controls wired threats but cannot detect rogue APs using wireless signals.

Peer-to-peer blocking (also called client isolation) is useful in open or public WLANs to prevent devices from communicating directly with each other.

B. In public hot-spots, isolating users helps protect against malware spread, snooping, and attacks from nearby devices.

Incorrect:

A. In home networks, peer-to-peer communication is often desired for file sharing.

C. Voice over Wi-Fi may rely on peer communication (e.g., multicast).

D. In university setups using multicast, peer-to-peer restrictions could hinder functionality.

In integrated WIPS systems, radios are shared between client servicing and security scanning. To maintain quality of service for latency-sensitive applications such as VoWiFi (Voice over Wi-Fi), scanning operations may be temporarily suspended or deprioritized, potentially reducing security monitoring during those periods.

The RSN (Robust Security Network) Information Element (IE) is used to advertise the security capabilities of a wireless network, particularly for WPA2 and WPA3 networks. This RSN IE is contained in Beacon and Probe Response management frames, not in Probe Request, RTS, CTS, or Data frames. The Beacon frame is sent periodically by an AP to announce its presence and includes critical information about the BSS, including security settings like the RSN IE.

You would use a protocol analyzer to capture Beacon frames and inspect the RSN IE field to confirm if a BSS is properly configured to use RSN protections such as WPA2-Enterprise or WPA2-Personal.

A. WPA2-Enterprise authentication: The multiple EAP Request/Response exchanges followed by an EAP Success and a 4-Way Handshake (EAPOL-Key frames) indicate 802.1X authentication, characteristic of WPA2-Enterprise.

C. 802.11 Open System authentication: Two Auth frames (request and response) without encryption negotiation signify Open System Authentication — a default in RSN setups.

F. Active Scanning: Begins with Probe Request and Probe Response — part of an active scan process.

G. 4-Way Handshake: Identified by four sequential EAPOL-Key frames, completing the authentication process in WPA2.