CWSP-208 Certified Wireless Security Professional (CWSP) Questions and Answers

For troubleshooting fast roaming (e.g. 802.11r) across channels, a portable protocol analyzer with dual- or multi-band 802.11n adapters enables:

Simultaneous packet capture on different channels

Capturing handoff-related frames and timing analysis in roaming scenarios

This setup allows detailed capture of reassociation, authentication, and 4-Way Handshake processes, essential for diagnosing roaming delays.

Other options (WIPS, spectrum analyzer, autonomous AP) do not support detailed 802.11 frame capture across multiple channels during roaming events.

WIPS (Wireless Intrusion Prevention Systems) monitor the RF environment and detect unauthorized activities. However, eavesdropping involves passive listening to wireless communications without transmitting any signals. Because the attacker is not transmitting or generating any detectable activity, a WIPS has no RF signal to detect and is thus unable to identify or prevent this attack.

WIPS systems provide proactive security by continuously scanning for threats and ensuring WLAN policy compliance. Their capabilities include:

B. Wireless vulnerability assessment: Scanning for misconfigured APs, weak encryption, and unauthorized devices.

E. Policy enforcement and compliance: Ensuring security settings adhere to enterprise or regulatory requirements and alerting on deviations.

Other options like application-layer inspection and AP CPU monitoring are outside the WIPS function scope.

WIPS platforms with multiple sensors can locate rogue devices using:

A. TDoA: Measures the time difference a signal takes to reach multiple sensors; requires synchronized clocks.

C. Trilateration using RSSI: Estimates distance based on signal strength from three or more known sensor positions.

E. RF Fingerprinting: Matches received signals to known RF patterns in the environment for device positioning.

AoA requires directional antennas (not typical with dipoles), and GPS is used for locating mobile sensors or vehicles, not indoor rogues.

Many protocol analyzers require special drivers or place the NIC into monitor/promiscuous mode. When used this way, the original driver stack may be altered or replaced. Afterward, if not correctly reloaded, the adapter may lack full 802.1X support or required encryption features. This is likely the case here — Mary's WLAN adapter is still under the control of or affected by the analyzer’s NIC driver, which doesn’t support PEAP properly.

An 802.11a/g-based WIPS cannot detect rogue activity that occurs in 802.11n/ac-specific modes, including Greenfield (HT-only) operation and use of 40 MHz channels, which are not part of the 802.11a/g specification. Greenfield mode disables legacy support, so a WIPS limited to 802.11a/g radios won’t even “see” these frames. This leaves a significant blind spot for detecting certain types of rogue devices or attacks using newer PHYs.

Aircrack-ng is a versatile toolset commonly used for WLAN penetration testing and security auditing. Its capabilities include:

A. Injecting deauth frames to simulate or test disconnection scenarios.

B. Testing WIPS responsiveness by simulating common attack frames.

D. Performing dictionary and brute-force attacks against weakly protected networks (e.g., WPA2-PSK with a weak passphrase).

Incorrect:

C. Aircrack-ng does not probe or test RADIUS shared secrets.

Though AES-CCMP is secure and 802.1X authentication is strong, LEAP is inherently weak because:

B. LEAP uses MS-CHAPv1, making it vulnerable to offline dictionary attacks once challenge/response exchanges are captured.

F. Layer 1 DoS attacks (such as RF jamming or interference) can be launched regardless of authentication mechanisms.

Incorrect:

A. AES-CCMP resists encryption cracking.

C. Peer-to-peer at Layer 3 is unrelated to LEAP or 802.1X vulnerabilities.

D. Application-layer eavesdropping is mitigated if encryption is properly implemented.

E. Session hijacking is more difficult with proper authentication and encryption in place.

EAP-TLS requires both server and client-side digital certificates, which adds complexity in client certificate management.

EAP-TTLS uses a server certificate to establish a secure TLS tunnel, after which user credentials (e.g., username/password) are sent inside the encrypted tunnel. No client certificate is needed.

Incorrect:

A. EAP-TLS also encrypts credentials using TLS.

B. EAP-TLS supports client certificates (it’s the core requirement).

C. Both EAP methods require an authentication server.

Open networks with captive portals do not provide link-layer encryption, so:

A. Man-in-the-Middle (MitM): Attackers can intercept or modify traffic between the user and the legitimate network (especially before HTTPS negotiation).

B. Wi-Fi phishing: Evil twin APs may mimic the legitimate hotspot and show a fake captive portal, stealing user credentials or prompting malicious downloads.

Incorrect:

C. Management interface exploits target device admin panels, not typical client users.

D. UDP port redirection and

E. IGMP snooping are network-layer behaviors, not common user-targeted attacks.

A strong WLAN security policy should encompass both technical controls and user education.

C. Educating users about secure password creation and acceptable use policies helps reduce risks due to weak authentication and misuse.

E. Social engineering is a common attack vector, and educating users to recognize and report such attempts is critical.

Incorrect:

A. MAC addresses are always transmitted in the clear, even with encryption.

B. Policies should be shared with users to promote compliance and awareness.

D. Passwords for administrative systems should not be disclosed in public documentation or policy documents.

In environments where PSK-based authentication (like WPA2-Personal) is still in use due to legacy device constraints:

C. Regularly changing static passwords helps limit exposure from credential leaks or previous employees retaining access.

Incorrect:

A. MSCHAPv2 is vulnerable to offline attacks; recommending strong passwords is good, but that alone isn’t sufficient.

B. WEP is insecure regardless of password strength due to IV reuse.

D. Certificates are stronger, but not always feasible for legacy systems.

E. EAP-TLS is ideal but not always compatible with all devices; policies should be flexible to device capabilities.

Peer-to-peer blocking (also called client isolation) is useful in open or public WLANs to prevent devices from communicating directly with each other.

B. In public hot-spots, isolating users helps protect against malware spread, snooping, and attacks from nearby devices.

Incorrect:

A. In home networks, peer-to-peer communication is often desired for file sharing.

C. Voice over Wi-Fi may rely on peer communication (e.g., multicast).

D. In university setups using multicast, peer-to-peer restrictions could hinder functionality.

Rogue APs pose a significant risk and should be detected and mitigated automatically.

D. A properly configured Wireless Intrusion Prevention System (WIPS) can detect unauthorized APs and prevent client associations to them in real time.

Incorrect:

A. While WPA2-Enterprise adds client-level protection, it does not detect rogue APs.

B. Hiding SSIDs is ineffective—SSIDs are still discoverable in management frames.

C. Manual scans are labor-intensive and impractical for ongoing monitoring.

E. Port security controls wired threats but cannot detect rogue APs using wireless signals.

Developing a robust WLAN security policy requires buy-in from executive or senior management. Without management support, it’s difficult to enforce compliance, allocate resources, or prioritize security among other organizational objectives. This foundational step ensures that policy creation and enforcement are feasible and aligned with organizational goals.

Incorrect:

A. Device/vendor specifics are addressed later during implementation.

C. End-user training materials are created after the policy is finalized.

D. Security policy software can assist, but is not essential compared to management support.

Comprehensive Detailed Explanation:

In the 802.1X/EAP framework:

The Authenticator is the device that controls access to the network — typically the AP or WLAN controller.

The Authenticator passes EAP messages between the Supplicant (client) and the Authentication Server (RADIUS).

Incorrect:

A. SRV21 is the RADIUS server (Authentication Server), not the Authenticator.

C. The MacBook Pro is the Supplicant.

D. RADIUS server handles Authentication, not Authenticator functionality.

PTK (Pairwise Transient Key) is established per-client, so:

ABCData: 3 clients = 3 PTKs

ABCVoice: 2 clients = 2 PTKs

Guest: 3 clients = 3 PTKs

Total: 8 PTKs

GTK (Group Temporal Key) is shared per SSID, so:

One GTK per SSID (ABCData, ABCVoice, Guest)

Total: 3 GTKs

RBAC enables dynamic assignment of different access privileges (e.g., VLAN, ACLs, bandwidth) to users even when they connect through the same SSID. This simplifies SSID management while maintaining fine-grained access control.

Incorrect:

A. Admission control is a QoS/WMM function, not RBAC.

B. Access category (AC) affects frame prioritization, not file/app access.

D. Multiple EAP types are supported in authentication servers—not directly tied to RBAC.

Spectrum analyzer observations indicate a narrow 1–2 MHz peak with a strong signal, which broadens only when significantly attenuated. This behavior matches a high-powered narrowband interferer (like a microwave ignitor or industrial radio) – not Bluetooth hopping or standard WLAN signals

LDAP (Lightweight Directory Access Protocol) is used to query and retrieve user credential information from a directory service (like Microsoft Active Directory).

It’s not an authentication protocol itself but is used by services like RADIUS to validate user credentials during the EAP authentication process.

Incorrect:

B. LDAP is not directly compliant with X.500—it uses a simplified subset.

C. LDAP is not a SQL-compliant protocol.

D. LDAP is not a role-based access control mechanism.

E. LDAP is not an Authentication Server by itself.

EAP-MD5:

Only authenticates the client.

Does not provide mutual authentication, making it vulnerable to man-in-the-middle attacks.

It also does not protect the user’s identity or credentials in a secure tunnel.

Incorrect:

A. The outer identity concept is not relevant to EAP-MD5 since it doesn’t support tunneling.

B. EAP-MD5 is a valid EAP type, just insecure.

D. It can be used with a RADIUS server, but security is insufficient.

EAP-FAST (Flexible Authentication via Secure Tunneling) provides:

Mutual authentication using Protected Access Credentials (PACs).

Does not require X.509 certificates for either client or server (although optional for servers).

Is faster and easier to deploy in environments lacking a PKI.

Incorrect:

B. EAP-MD5 provides no mutual authentication.

C. EAP-TLS requires client and server certificates.

D. PEAPv0/EAP-MSCHAPv2 requires a server certificate.

E. EAP-TTLS requires a server certificate.

F. PEAPv1/EAP-GTC still requires a server certificate.

RADIUS supports dynamic policy assignment via return list attributes (e.g., Tunnel-Private-Group-ID, Class).

The WLAN controller reads this group attribute and applies the corresponding security profile (e.g., VLAN, QoS).

Incorrect:

A. The controller does not poll the RADIUS server.

C. LDAP may support group info, but RADIUS mediates it for WLAN usage.

D. Group attributes are not sent during the 4-Way Handshake—it occurs after EAP success.

Different EAP types involve varying numbers of exchanges:

EAP-TLS, for example, involves more exchanges due to certificate negotiation.

EAP-MD5 or PEAP might involve fewer steps.

Thus, the most likely reason for different frame counts during successful authentication is the use of different EAP types.

Incorrect:

A. Cipher suites are negotiated after EAP, not during it.

B. Retransmissions would typically cause noticeable delay and not result in exactly 11 frames.

C. Reassociation does not significantly reduce EAP frame count.

D. RSN/TSN differences are not directly related to EAP exchange length.