Free and Premium CWNP CWSP-208 Dumps Questions Answers

Developing a robust WLAN security policy requires buy-in from executive or senior management. Without management support, it’s difficult to enforce compliance, allocate resources, or prioritize security among other organizational objectives. This foundational step ensures that policy creation and enforcement are feasible and aligned with organizational goals.

Incorrect:

A. Device/vendor specifics are addressed later during implementation.

C. End-user training materials are created after the policy is finalized.

D. Security policy software can assist, but is not essential compared to management support.

Peer-to-peer blocking (also called client isolation) is useful in open or public WLANs to prevent devices from communicating directly with each other.

B. In public hot-spots, isolating users helps protect against malware spread, snooping, and attacks from nearby devices.

Incorrect:

A. In home networks, peer-to-peer communication is often desired for file sharing.

C. Voice over Wi-Fi may rely on peer communication (e.g., multicast).

D. In university setups using multicast, peer-to-peer restrictions could hinder functionality.

EAP-TLS requires both server and client-side digital certificates, which adds complexity in client certificate management.

EAP-TTLS uses a server certificate to establish a secure TLS tunnel, after which user credentials (e.g., username/password) are sent inside the encrypted tunnel. No client certificate is needed.

Incorrect:

A. EAP-TLS also encrypts credentials using TLS.

B. EAP-TLS supports client certificates (it’s the core requirement).

C. Both EAP methods require an authentication server.

Rogue APs pose a significant risk and should be detected and mitigated automatically.

D. A properly configured Wireless Intrusion Prevention System (WIPS) can detect unauthorized APs and prevent client associations to them in real time.

Incorrect:

A. While WPA2-Enterprise adds client-level protection, it does not detect rogue APs.

B. Hiding SSIDs is ineffective—SSIDs are still discoverable in management frames.

C. Manual scans are labor-intensive and impractical for ongoing monitoring.

E. Port security controls wired threats but cannot detect rogue APs using wireless signals.

In environments where PSK-based authentication (like WPA2-Personal) is still in use due to legacy device constraints:

C. Regularly changing static passwords helps limit exposure from credential leaks or previous employees retaining access.

Incorrect:

A. MSCHAPv2 is vulnerable to offline attacks; recommending strong passwords is good, but that alone isn’t sufficient.

B. WEP is insecure regardless of password strength due to IV reuse.

D. Certificates are stronger, but not always feasible for legacy systems.

E. EAP-TLS is ideal but not always compatible with all devices; policies should be flexible to device capabilities.

A strong WLAN security policy should encompass both technical controls and user education.

C. Educating users about secure password creation and acceptable use policies helps reduce risks due to weak authentication and misuse.

E. Social engineering is a common attack vector, and educating users to recognize and report such attempts is critical.

Incorrect:

A. MAC addresses are always transmitted in the clear, even with encryption.

B. Policies should be shared with users to promote compliance and awareness.

D. Passwords for administrative systems should not be disclosed in public documentation or policy documents.

In integrated WIPS systems, radios are shared between client servicing and security scanning. To maintain quality of service for latency-sensitive applications such as VoWiFi (Voice over Wi-Fi), scanning operations may be temporarily suspended or deprioritized, potentially reducing security monitoring during those periods.

After deploying a WIPS, an essential baseline activity is to classify all detected devices in the RF environment. These classifications allow the system to enforce security policies and detect policy violations. Classifications include:

Authorized (managed devices)

Rogue (unauthorized, possibly dangerous)

Neighbor (not part of your network but legitimate)

External or Ad hoc devices

Without this initial classification, WIPS cannot properly assess threats or trigger alarms.

The AKM (Authentication and Key Management) Suite List field within the RSN Information Element defines which authentication methods are supported by the AP. This field distinguishes between PSK (Pre-Shared Key) and Enterprise (802.1X) modes:

AKM Suite OUI 00-0F-AC:1 = WPA2-Personal (PSK)

AKM Suite OUI 00-0F-AC:2 = WPA2-Enterprise (802.1X)

By examining this field in Beacon or Probe Response frames, a protocol analyzer can determine the authentication method enforced by the BSS.

Hijacking attacks often rely on exploiting client behavior during signal disruption. Clients will seek better connections when RF is weak or interrupted. An attacker may:

Disrupt the signal (e.g., with a deauth attack)

Present a rogue access point (evil twin) with stronger signal

Trick the client into associating with the rogue AP, hijacking the session

Incorrect:

B. There is no standard 120-second timer behavior.

C. Loss of connectivity typically triggers reassociation and reauthentication.

D. Direct client-to-client connections are not required in infrastructure mode.

E. Band selection logic varies and is unrelated to hijacking attacks.

In this scenario, although the bank’s website uses HTTPS (which encrypts communications between John’s browser and the bank’s server), the compromise did not occur during the banking session itself. Instead, the attacker exploited a common security mistake: credential reuse.

John reused his email credentials for his bank login, and he accessed his email using a POP3 client without encryption at a public hotspot. This means his username and password were sent in cleartext, which is trivially easy to sniff on an open wireless network. Once an attacker obtained those credentials, they could use them to log into his bank account if the same credentials were used there.

Here's how this aligns with CWSP knowledge domains:

CWSP Security Threats & Attacks: This is a classic example of credential harvesting via cleartext protocols (POP3), and password reuse, both of which are significant risks in WLAN environments.

CWSP Secure Network Design: Recommends use of encrypted protocols (e.g., POP3S or IMAPS) and user education against password reuse.

CWSP WLAN Security Fundamentals: Emphasizes that open Wi-Fi networks offer no encryption by default, leaving unprotected protocols vulnerable to sniffing and interception.

Other answer options and why they are incorrect:

A & D are invalid because an expired or unsigned certificate may cause browser warnings but won’t result in sending credentials unencrypted unless the user bypasses HTTPS (which wasn’t stated).

C is incorrect: IPSec VPNs encrypt all data between the client and VPN endpoint—including credentials.

E is technically incorrect and misleading: intercepting the public key of an HTTPS session doesn't allow decryption of the credentials due to asymmetric encryption and session key security. Real-time decryption of HTTPS traffic without endpoint compromise is not feasible.

802.11w, also known as Protected Management Frames (PMF), is designed to protect specific types of 802.11 management frames such as disassociation and deauthentication frames. These frames were previously sent unencrypted and could be spoofed by attackers to disconnect clients (DoS attacks). With 802.11w, these frames are cryptographically protected, mitigating such attacks.

PMF also includes replay protection for these management frames, preventing attackers from capturing and replaying them to disrupt network connectivity.

A Robust Security Network (RSN) is defined by the IEEE 802.11i standard and is designed to provide a framework for secure wireless LAN communications. One of the primary criteria for a network to qualify as an RSN is that WEP (Wired Equivalent Privacy) must not be used for encryption, as WEP has well-known vulnerabilities and is considered insecure. RSN-compliant networks must use either CCMP (AES) or GCMP for encryption and 802.1X/EAP or WPA2-Personal for authentication.

Incorrect:

A. Token cards are not part of RSN criteria.

B. Dynamic WEP is still WEP and disqualifies RSN status.

D. WPA-Personal may be supported, but alone does not define an RSN.

E. SSHv1 concerns device management security, not RSN qualification.

When using a wireless aggregator to combine packet captures from channels 1, 6, and 11 (the three non-overlapping 2.4 GHz channels), you're most likely analyzing multi-channel behavior. This is particularly relevant when troubleshooting roaming issues, such as fast secure roaming (e.g., 802.11r). These captures help determine whether authentication or association events occur smoothly across APs operating on different channels.

Incorrect:

A. Adapter failure doesn't require multi-channel capture.

B. Interference location is typically single-channel and spectrum-analysis focused.

D. Narrowband DoS attacks are also usually identified using RF spectrum analysis, not packet capture across all channels.

Though AES-CCMP is secure and 802.1X authentication is strong, LEAP is inherently weak because:

B. LEAP uses MS-CHAPv1, making it vulnerable to offline dictionary attacks once challenge/response exchanges are captured.

F. Layer 1 DoS attacks (such as RF jamming or interference) can be launched regardless of authentication mechanisms.

Incorrect:

A. AES-CCMP resists encryption cracking.

C. Peer-to-peer at Layer 3 is unrelated to LEAP or 802.1X vulnerabilities.

D. Application-layer eavesdropping is mitigated if encryption is properly implemented.

E. Session hijacking is more difficult with proper authentication and encryption in place.

Open networks with captive portals do not provide link-layer encryption, so:

A. Man-in-the-Middle (MitM): Attackers can intercept or modify traffic between the user and the legitimate network (especially before HTTPS negotiation).

B. Wi-Fi phishing: Evil twin APs may mimic the legitimate hotspot and show a fake captive portal, stealing user credentials or prompting malicious downloads.

Incorrect:

C. Management interface exploits target device admin panels, not typical client users.

D. UDP port redirection and

E. IGMP snooping are network-layer behaviors, not common user-targeted attacks.

A Denial-of-Service (DoS) attack focuses on preventing legitimate users from accessing network resources. In this case, the attacker has not accessed files or data but is interrupting services. This aligns perfectly with a DoS attack scenario.

Clients seek connectivity when their connection is lost. If the attacker broadcasts a matching SSID on a different channel and the client is disconnected (via RF jamming or deauthentication), the client will often reassociate with the stronger signal or first-responding AP broadcasting the same SSID, even if it's rogue.

Incorrect:

A. SNR alone doesn't force reassociation—clients consider multiple factors.

B. SSID priority is not a standardized field influencing client behavior.

D. Clients won’t reassociate based purely on advertised data rates unless connectivity is disrupted and other AP parameters are more attractive.

The GTK (Group Temporal Key) is used to encrypt multicast/broadcast traffic.

Each SSID has a unique GTK.

Only clients on the same SSID (ABCData) will receive and be able to decrypt multicast traffic encrypted with ABCData’s GTK.

Incorrect:

A. Application-layer authentication does not affect GTK distribution.

C. Clients on other SSIDs (e.g., Guest, ABCVoice) have different GTKs and cannot decrypt ABCData’s multicast traffic.

D. Each SSID uses a unique GTK; GTKs are not shared across SSIDs.

The PTK (Pairwise Transient Key) is derived during the 4-Way Handshake using:

PMK (from PSK or EAP authentication)

ANonce and SNonce (nonces from authenticator and supplicant)

MAC addresses of client and AP

The PTK is then split into keys used for encryption and integrity protection.

Incorrect:

A. PSK can derive the PMK, but not the PTK directly.

B. GMK is used to derive the GTK, not PTK.

D. GTK is for group traffic encryption.

E & F. PK and KCK are components of PTK or alternate key usage—not used to derive PTK.

Without traffic monitoring or filtering on guest VLANs, the following threats remain possible:

Spammers can exploit the open Internet access to send unsolicited traffic

en.wikipedia.org

Guests may launch external network attacks (e.g., scanning, DDoS)

Peer-to-peer attacks are prevented if client isolation is enabled. AP management plane security is a separate concern from VLAN separation, and VLAN isolation prevents frame sniffing into corporate networks.

Client VLAN assignment at the controller can be achieved through:

B. RADIUS attributes (e.g., Tunnel-Private-Group-ID) for dynamic VLAN assignment.

C. Static mappings in the WLAN controller’s local user DB.

D. SSID-to-VLAN bindings assign traffic from specific SSIDs to specific VLANs.

Incorrect:

A. The AP connects to the controller over a tunneled link. VLAN configuration at the AP's Ethernet port does not impact client VLAN assignment in centralized forwarding mode.

In WPA2-Enterprise:

After successful Open System authentication and 802.11 association, the next step is 802.1X/EAP authentication via EAPOL frames.

This phase establishes user identity and derives the PMK.

Incorrect:

A. Group Key Handshake comes after the 4-Way Handshake.

C. DHCP occurs after authentication and key negotiation.

D. 4-Way Handshake follows successful 802.1X authentication.

E. PSK mapping applies to WPA2-Personal, not Enterprise.

F. The RADIUS shared secret is pre-configured between authenticator and RADIUS server—not part of real-time negotiation.

In the 802.11 4-Way Handshake:

D: The ANonce (from the AP) and SNonce (from the STA) are critical entropy values used along with the PMK, MAC addresses, etc., to derive the PTK securely.

E: This process ensures both parties derive the same PTK without ever transmitting the key over the air, mitigating interception risk.

Incorrect:

A. Nonces are not padding bytes.

B. Nonces are not the MIC; MIC is a separate integrity mechanism.

C. GMK and GTK are for group keys, not derived from nonces.

TKIP (Temporal Key Integrity Protocol) is a pairwise encryption method introduced with WPA to enhance WEP security. TKIP can protect:

D. Data frames: These are the core unicast data transmissions between clients and access points.

F. QoS Data frames: These are a subtype of data frames supporting 802.11e/WMM enhancements and are also protected under TKIP.

Incorrect:

A & B. TKIP does not support robust management frame protection. Management frame protection is handled by 802.11w with AES-CCMP and BIP.

C & E. Control frames and ACKs are never encrypted, as they need to be read by all stations regardless of encryption status.

In public hotspots like coffee shops, the best way to reduce legal risk is to require users to acknowledge an Acceptable Use Policy (AUP) via a captive portal before granting network access. This approach:

Provides a legally binding acknowledgment that users agree not to misuse or engage in criminal activity

Maintains an open venue while limiting liability

Other options, like using WPA2-Enterprise or blocking ports, are either impractical for public use or ineffective at reducing underlying legal exposure.

ABC Corporation already uses PKI and smart cards. EAP-TLS:

Is a certificate-based authentication protocol.

Integrates seamlessly with PKI infrastructure.

Is supported and certified by the Wi-Fi Alliance.

Incorrect:

A. EAP-FAST uses PACs, not certificates.

C. PEAPv0/EAP-MSCHAPv2 does not use certificates on the client side and is less secure.

D. LEAP is deprecated and insecure.

E. PEAPv0/EAP-TLS is not a standardized combination.

F. EAP-TTLS/MSCHAPv2 requires password-based authentication inside a tunnel, not certificate-based authentication.