Free CWNP CWSP-208 Practice Exam with Questions & Answers | Set: 2

TKIP (used with WPA) introduced “Michael” as a message integrity check (MIC) algorithm to replace the insecure CRC-32 used in WEP. Michael:

Adds tamper protection to each packet.

Helps detect packet forgery.

Incorrect:

A. CRC-32 was used in WEP and proven weak.

B. Sequence counters help prevent replay attacks, not integrity checking.

C. RC5 is not used in WLAN security.

E. TKIP does not support block ciphers—it uses RC4, a stream cipher.

PEAPv0/EAP-TLS is a tunneled EAP method that requires:

The server to present a certificate for TLS tunnel establishment.

The client to present a valid client certificate within the tunnel (in the case of EAP-TLS).

If the client does not have a valid X.509 certificate installed, authentication will fail.

Incorrect:

A. The server certificate is required for the TLS tunnel, and it is typically present; the issue here lies with the client cert.

B. TKIP is technically compatible with PEAPv0, although AES-CCMP is preferred.

D. Kerberos is unrelated to EAP authentication and VLAN use.

A. 802.11w (now part of 802.11-2012) introduces protection for management frames, especially disassociation and deauthentication frames, helping prevent spoofing-based DoS attacks. However, it cannot prevent all types of Layer 2 DoS (e.g., RF jamming).

D. Specifically, 802.11w protects disassociation and deauthentication frames by signing them with cryptographic keys.

Incorrect:

B. The MAC header and PHY preamble are not encrypted under any standard.

C. Authentication and association frames are not protected by 802.11w; only certain management frames are.

All three EAP methods — EAP-TLS, PEAPv0, and EAP-TTLS — establish a secure TLS tunnel between the supplicant and the authentication server before client credentials are passed:

B. EAP-TLS uses mutual certificate authentication inside a TLS tunnel.

D. PEAPv0/MSCHAPv2 creates a TLS tunnel and then authenticates the user with MSCHAPv2 inside the tunnel.

E. EAP-TTLS creates a TLS tunnel and then supports legacy credentials (e.g., PAP, CHAP, MSCHAPv2) securely within it.

Incorrect:

A. EAP-MD5 does not use TLS at all.

C. LEAP is not TLS-based and is considered insecure.

RBAC enables dynamic assignment of different access privileges (e.g., VLAN, ACLs, bandwidth) to users even when they connect through the same SSID. This simplifies SSID management while maintaining fine-grained access control.

Incorrect:

A. Admission control is a QoS/WMM function, not RBAC.

B. Access category (AC) affects frame prioritization, not file/app access.

D. Multiple EAP types are supported in authentication servers—not directly tied to RBAC.

Because all APs (even those at branch offices) connect to a central controller:

Their control/data traffic must traverse the public internet or WAN.

VPNs (IPSec, GRE, or similar) ensure confidentiality and integrity of authentication traffic and user data over insecure links.

Incorrect:

B. Using different SSIDs complicates management and user experience unnecessarily.

C. Remote RADIUS at small branches contradicts the goal of centralized management.

D. Remote access protocols (SSH, HTTPS) should be secured, not entirely prohibited, to allow remote management.

In a large enterprise:

A central RADIUS (like Microsoft NPS) connected to Active Directory is preferred for scalability and centralized policy control.

WLAN controller internal RADIUS servers are minimal and not scalable for thousands of users.

Incorrect:

A. WPA2-Enterprise is essential for strong security.

C. WIPS support is vital for intrusion detection/prevention.

D. VLAN trunking is needed for network segmentation.

E. SNMPv3 is important for secure device monitoring and management.

Comprehensive Detailed Explanation:

In the 802.1X/EAP framework:

The Authenticator is the device that controls access to the network — typically the AP or WLAN controller.

The Authenticator passes EAP messages between the Supplicant (client) and the Authentication Server (RADIUS).

Incorrect:

A. SRV21 is the RADIUS server (Authentication Server), not the Authenticator.

C. The MacBook Pro is the Supplicant.

D. RADIUS server handles Authentication, not Authenticator functionality.

When compliance reporting and forensic analysis are required and the WLAN vendor’s centralized management system does not provide it, deploying a dedicated overlay WIPS is the most effective solution. Overlay WIPS uses dedicated sensors independent of the WLAN’s operational radios, offering detailed threat detection, compliance logging, and reporting capabilities that often surpass native WLAN features.

In a security context, outdated firmware is one of the most critical vulnerabilities. Firmware updates typically patch known security issues, fix bugs, and provide new features or improved encryption support. If the APs have not been updated or checked in over 18 months, they could be running firmware with known exploits or lacking critical security patches, making firmware review a top priority.