CWSP-208 Certified Wireless Security Professional (CWSP) Questions and Answers

RADIUS supports dynamic policy assignment via return list attributes (e.g., Tunnel-Private-Group-ID, Class).

The WLAN controller reads this group attribute and applies the corresponding security profile (e.g., VLAN, QoS).

Incorrect:

A. The controller does not poll the RADIUS server.

C. LDAP may support group info, but RADIUS mediates it for WLAN usage.

D. Group attributes are not sent during the 4-Way Handshake—it occurs after EAP success.

IEEE 802.1X is a port-based Network Access Control (PNAC) protocol that:

Provides authentication at the edge of the LAN (such as a wireless access point or switch port).

Encapsulates EAP messages over the LAN using the EAPoL (EAP over LAN) protocol.

This standard defines how devices are granted or denied access based on authentication status.

Incorrect:

B. Key management is part of 802.11i (not 802.1X directly).

C. VLAN assignment may occur, but it ' s not limited to authenticated-user VLANs.

D. AES-CCMP is a function of WPA2/802.11i, not 802.1X.

E. Only EAP is allowed over the uncontrolled port; DHCP/DNS pass only after authentication.

TKIP (used with WPA) introduced “Michael” as a message integrity check (MIC) algorithm to replace the insecure CRC-32 used in WEP. Michael:

Adds tamper protection to each packet.

Helps detect packet forgery.

Incorrect:

A. CRC-32 was used in WEP and proven weak.

B. Sequence counters help prevent replay attacks, not integrity checking.

C. RC5 is not used in WLAN security.

E. TKIP does not support block ciphers—it uses RC4, a stream cipher.

ABC Corporation already uses PKI and smart cards. EAP-TLS:

Is a certificate-based authentication protocol.

Integrates seamlessly with PKI infrastructure.

Is supported and certified by the Wi-Fi Alliance.

Incorrect:

A. EAP-FAST uses PACs, not certificates.

C. PEAPv0/EAP-MSCHAPv2 does not use certificates on the client side and is less secure.

D. LEAP is deprecated and insecure.

E. PEAPv0/EAP-TLS is not a standardized combination.

F. EAP-TTLS/MSCHAPv2 requires password-based authentication inside a tunnel, not certificate-based authentication.

RSNA (Robust Security Network Association), as defined by 802.11i, requires:

TKIP (WPA) or CCMP (WPA2) for encryption.

WEP is deprecated and not supported for RSNA since it does not meet RSN standards.

Incorrect:

B & C. BIP is not required for RSNA formation—it is used for management frame protection (802.11w).

D. VLANs are orthogonal to RSNA—network segmentation does not interfere with RSNA formation.

Spectrum analyzer observations indicate a narrow 1–2 MHz peak with a strong signal, which broadens only when significantly attenuated. This behavior matches a high-powered narrowband interferer (like a microwave ignitor or industrial radio) – not Bluetooth hopping or standard WLAN signals

Comprehensive Detailed Explanation:

In 802.1X/EAP-based authentication:

After Open System authentication, clients send EAP messages via the uncontrolled port.

The Controlled Port remains blocked until the 802.1X/EAP and 4-Way Handshake processes are complete.

Incorrect:

A. The AP or controller is the authenticator, not the client.

B. EAP types must match between supplicant and server.

D. Controlled port remains blocked until full authentication and key negotiation completes.

In an 802.1X/EAP authentication model:

Supplicant: The device requesting access (the Windows client).

Authenticator: The AP or switch enforcing access decisions.

Authentication Server: The RADIUS server (Linux in this case), which communicates with a backend credential database (Active Directory).

The Windows client runs the EAP supplicant software to initiate authentication.

Incorrect:

A. The Linux server is the Authentication Server (not Supplicant).

C. The AP acts as the Authenticator.

D. The Windows Server is the credential store, not the supplicant.

Comprehensive Detailed Explanation:

On public Wi-Fi hotspots (typically unsecured), attackers often perform:

Eavesdropping: By passively listening to unencrypted traffic, an attacker can capture credentials or sensitive data.

Social engineering: Users may be tricked into entering their credentials on a spoofed login page or disclosing them directly through phishing or manipulation.

These are the most effective and common methods for credential theft in open network environments.

Incorrect:

B & C. Physical theft is not network-based and not relevant to hotspot-based credential acquisition.

D. Authentication cracking is not applicable to open networks with captive portals.

E. Code injection/XSS may happen in web apps but are not directly methods for acquiring hotspot credentials.

This network uses WPA-Personal (Pre-Shared Key) and MAC filtering. While it does offer some basic protections, it is still vulnerable to several well-known attack vectors:

A. Offline dictionary attacks: An attacker can capture the 4-way handshake and perform offline dictionary or brute-force attacks to guess the PSK.

B. MAC Spoofing: Since MAC filtering is based on easily observed MAC addresses, attackers can spoof an authorized MAC address.

D. DoS: Attacks such as deauthentication floods or RF jamming can deny users access without needing to break encryption.

Incorrect:

C. ASLEAP: This is specific to LEAP (a weak EAP type), which is not used in WPA-Personal.

802.11w, also known as Protected Management Frames (PMF), is designed to protect specific types of 802.11 management frames such as disassociation and deauthentication frames. These frames were previously sent unencrypted and could be spoofed by attackers to disconnect clients (DoS attacks). With 802.11w, these frames are cryptographically protected, mitigating such attacks.

PMF also includes replay protection for these management frames, preventing attackers from capturing and replaying them to disrupt network connectivity.

To hijack a wireless client, attackers often use:

An RF jamming device to disconnect the client from the legitimate AP (via deauth attacks or RF disruption)

A rogue AP (created using access point software) that impersonates the real network

DHCP server software to assign IP addresses and act as a gateway, completing the fake network

Incorrect:

B. Terminal emulation is not relevant.

C. Workgroup bridges and protocol analyzers are for monitoring, not attacking.

E. MAC spoofing and DoS do not complete a hijack.

When using a wireless aggregator to combine packet captures from channels 1, 6, and 11 (the three non-overlapping 2.4 GHz channels), you ' re most likely analyzing multi-channel behavior. This is particularly relevant when troubleshooting roaming issues, such as fast secure roaming (e.g., 802.11r). These captures help determine whether authentication or association events occur smoothly across APs operating on different channels.

Incorrect:

A. Adapter failure doesn ' t require multi-channel capture.

B. Interference location is typically single-channel and spectrum-analysis focused.

D. Narrowband DoS attacks are also usually identified using RF spectrum analysis, not packet capture across all channels.

Most integrated Wi-Fi adapters in Windows laptops are not capable of entering “monitor mode” or capturing 802.11ac frames properly. Compatibility with protocol analyzers like Wireshark or Omnipeek requires special drivers or specific USB adapters. Therefore, it is recommended to use a USB adapter known to support monitor mode and frame capture on 802.11ac for accurate and complete data capture.

Incorrect:

A. Not all adapters support protocol analyzer features.

C. MU-MIMO support is irrelevant for frame capture.

D. Other analyzers besides Wireshark can decode 802.11ac (e.g., Omnipeek).

E. Remote capture is not the only method—local USB adapters are effective too.

In WPA2-Personal, each client derives its Pairwise Transient Key (PTK) based on a shared Pairwise Master Key (PMK) and values exchanged during the 4-Way Handshake. Therefore, even if the passphrase is cracked, an attacker must still capture the 4-Way Handshake for each target client in order to decrypt their unicast traffic.

Incorrect:

A. Incorrect because cracking the passphrase allows decrypting data traffic after capturing the 4-Way Handshake.

C. WPA2 encrypts multicast and broadcast traffic using the GTK, which unauthorized clients cannot derive.

D. Capturing BSSID and MAC isn’t enough without knowing the passphrase and the full 4-Way Handshake.

E. Hijacking is harder in WPA2-Personal due to the dynamic PTK derived per session.

Rogue APs pose a significant risk and should be detected and mitigated automatically.

D. A properly configured Wireless Intrusion Prevention System (WIPS) can detect unauthorized APs and prevent client associations to them in real time.

Incorrect:

A. While WPA2-Enterprise adds client-level protection, it does not detect rogue APs.

B. Hiding SSIDs is ineffective—SSIDs are still discoverable in management frames.

C. Manual scans are labor-intensive and impractical for ongoing monitoring.

E. Port security controls wired threats but cannot detect rogue APs using wireless signals.

In environments where PSK-based authentication (like WPA2-Personal) is still in use due to legacy device constraints:

C. Regularly changing static passwords helps limit exposure from credential leaks or previous employees retaining access.

Incorrect:

A. MSCHAPv2 is vulnerable to offline attacks; recommending strong passwords is good, but that alone isn’t sufficient.

B. WEP is insecure regardless of password strength due to IV reuse.

D. Certificates are stronger, but not always feasible for legacy systems.

E. EAP-TLS is ideal but not always compatible with all devices; policies should be flexible to device capabilities.

Developing a robust WLAN security policy requires buy-in from executive or senior management. Without management support, it’s difficult to enforce compliance, allocate resources, or prioritize security among other organizational objectives. This foundational step ensures that policy creation and enforcement are feasible and aligned with organizational goals.

Incorrect:

A. Device/vendor specifics are addressed later during implementation.

C. End-user training materials are created after the policy is finalized.

D. Security policy software can assist, but is not essential compared to management support.

EAP-TLS requires both server and client-side digital certificates, which adds complexity in client certificate management.

EAP-TTLS uses a server certificate to establish a secure TLS tunnel, after which user credentials (e.g., username/password) are sent inside the encrypted tunnel. No client certificate is needed.

Incorrect:

A. EAP-TLS also encrypts credentials using TLS.

B. EAP-TLS supports client certificates (it’s the core requirement).

C. Both EAP methods require an authentication server.

A strong WLAN security policy should encompass both technical controls and user education.

C. Educating users about secure password creation and acceptable use policies helps reduce risks due to weak authentication and misuse.

E. Social engineering is a common attack vector, and educating users to recognize and report such attempts is critical.

Incorrect:

A. MAC addresses are always transmitted in the clear, even with encryption.

B. Policies should be shared with users to promote compliance and awareness.

D. Passwords for administrative systems should not be disclosed in public documentation or policy documents.

Peer-to-peer blocking (also called client isolation) is useful in open or public WLANs to prevent devices from communicating directly with each other.

B. In public hot-spots, isolating users helps protect against malware spread, snooping, and attacks from nearby devices.

Incorrect:

A. In home networks, peer-to-peer communication is often desired for file sharing.

C. Voice over Wi-Fi may rely on peer communication (e.g., multicast).

D. In university setups using multicast, peer-to-peer restrictions could hinder functionality.

WIPS (Wireless Intrusion Prevention Systems) monitor the RF environment and detect unauthorized activities. However, eavesdropping involves passive listening to wireless communications without transmitting any signals. Because the attacker is not transmitting or generating any detectable activity, a WIPS has no RF signal to detect and is thus unable to identify or prevent this attack.

A WIPS (Wireless Intrusion Prevention System) is designed to monitor WLAN activity and provide visualization and reporting related to:

Security threats (e.g., DoS attacks, rogue devices)

Policy compliance (e.g., allowed SSIDs, encryption types)

Rogue threat classification (e.g., rogue, neighbor, ad hoc)

The dashboard displaying this type of security-centric overview is characteristic of a WIPS platform.

While BSSID and SSID help identify and classify rogue APs, physically locating them requires using signal strength (often displayed as RSSI or dBm). By measuring signal strength from different locations, administrators can use a method called " triangulation " or " directional analysis " to approximate the physical location of the rogue device.