CWSP-208 Certified Wireless Security Professional (CWSP) Question and Answers

Developing a robust WLAN security policy requires buy-in from executive or senior management. Without management support, it’s difficult to enforce compliance, allocate resources, or prioritize security among other organizational objectives. This foundational step ensures that policy creation and enforcement are feasible and aligned with organizational goals.

Incorrect:

A. Device/vendor specifics are addressed later during implementation.

C. End-user training materials are created after the policy is finalized.

D. Security policy software can assist, but is not essential compared to management support.

When compliance reporting and forensic analysis are required and the WLAN vendor’s centralized management system does not provide it, deploying a dedicated overlay WIPS is the most effective solution. Overlay WIPS uses dedicated sensors independent of the WLAN’s operational radios, offering detailed threat detection, compliance logging, and reporting capabilities that often surpass native WLAN features.

While BSSID and SSID help identify and classify rogue APs, physically locating them requires using signal strength (often displayed as RSSI or dBm). By measuring signal strength from different locations, administrators can use a method called "triangulation" or "directional analysis" to approximate the physical location of the rogue device.

A Wireless Network Management System (WNMS) often uses SNMP to manage APs. SNMPv3 is the secure version of SNMP because it supports authentication, encryption, and message integrity. Unlike SNMPv1 and SNMPv2c, which transmit data (including community strings) in plaintext, SNMPv3 provides secure management communications.

An 802.11a/g-based WIPS cannot detect rogue activity that occurs in 802.11n/ac-specific modes, including Greenfield (HT-only) operation and use of 40 MHz channels, which are not part of the 802.11a/g specification. Greenfield mode disables legacy support, so a WIPS limited to 802.11a/g radios won’t even “see” these frames. This leaves a significant blind spot for detecting certain types of rogue devices or attacks using newer PHYs.

A WIPS (Wireless Intrusion Prevention System) is designed to monitor WLAN activity and provide visualization and reporting related to:

Security threats (e.g., DoS attacks, rogue devices)

Policy compliance (e.g., allowed SSIDs, encryption types)

Rogue threat classification (e.g., rogue, neighbor, ad hoc)

The dashboard displaying this type of security-centric overview is characteristic of a WIPS platform.

The correct sequence of the 4-Way Handshake frames in WPA/WPA2 is:

Message 1: Authenticator sends ANonce to the supplicant → (3)

Message 2: Supplicant sends SNonce and a MIC to the authenticator → (4)

Message 3: Authenticator sends GTK and confirms keys with MIC → (1)

Message 4: Supplicant confirms installation of PTK/GTK → (2)

This process ensures mutual key confirmation and integrity before data traffic begins.

Client VLAN assignment at the controller can be achieved through:

B. RADIUS attributes (e.g., Tunnel-Private-Group-ID) for dynamic VLAN assignment.

C. Static mappings in the WLAN controller’s local user DB.

D. SSID-to-VLAN bindings assign traffic from specific SSIDs to specific VLANs.

Incorrect:

A. The AP connects to the controller over a tunneled link. VLAN configuration at the AP's Ethernet port does not impact client VLAN assignment in centralized forwarding mode.

PCI-DSS (Payment Card Industry Data Security Standard) applies to all entities that process, store, or transmit credit card data. Since Point-of-Sale (PoS) systems handle such transactions in retail environments, the wireless network supporting them must comply with PCI-DSS. This includes encrypting wireless transmissions, segmenting network traffic, and implementing WIPS for rogue detection and logging.

LDAP (Lightweight Directory Access Protocol) is used to query and retrieve user credential information from a directory service (like Microsoft Active Directory).

It’s not an authentication protocol itself but is used by services like RADIUS to validate user credentials during the EAP authentication process.

Incorrect:

B. LDAP is not directly compliant with X.500—it uses a simplified subset.

C. LDAP is not a SQL-compliant protocol.

D. LDAP is not a role-based access control mechanism.

E. LDAP is not an Authentication Server by itself.

The IEEE 802.1X framework consists of three defined roles:

Supplicant (E): The client device (STA) that requests access to the network.

Authenticator (F): The network device (usually an AP or switch) that enforces access control and acts as an intermediary between the supplicant and the authentication server.

Authentication Server (D): Typically a RADIUS server that validates credentials and responds with access decisions.

Incorrect:

A & B. Enrollee and Registrar are roles in Wi-Fi Protected Setup (WPS), not 802.1X.

C. AAA Server is a broader term; the specific role in 802.1X is “Authentication Server.”

G. “Control Point” is not a formal 802.1X role.

Rogue APs pose a significant risk and should be detected and mitigated automatically.

D. A properly configured Wireless Intrusion Prevention System (WIPS) can detect unauthorized APs and prevent client associations to them in real time.

Incorrect:

A. While WPA2-Enterprise adds client-level protection, it does not detect rogue APs.

B. Hiding SSIDs is ineffective—SSIDs are still discoverable in management frames.

C. Manual scans are labor-intensive and impractical for ongoing monitoring.

E. Port security controls wired threats but cannot detect rogue APs using wireless signals.

A strong WLAN security policy should encompass both technical controls and user education.

C. Educating users about secure password creation and acceptable use policies helps reduce risks due to weak authentication and misuse.

E. Social engineering is a common attack vector, and educating users to recognize and report such attempts is critical.

Incorrect:

A. MAC addresses are always transmitted in the clear, even with encryption.

B. Policies should be shared with users to promote compliance and awareness.

D. Passwords for administrative systems should not be disclosed in public documentation or policy documents.

Peer-to-peer blocking (also called client isolation) is useful in open or public WLANs to prevent devices from communicating directly with each other.

B. In public hot-spots, isolating users helps protect against malware spread, snooping, and attacks from nearby devices.

Incorrect:

A. In home networks, peer-to-peer communication is often desired for file sharing.

C. Voice over Wi-Fi may rely on peer communication (e.g., multicast).

D. In university setups using multicast, peer-to-peer restrictions could hinder functionality.

EAP-TLS is considered one of the most secure EAP types, but:

It requires a Public Key Infrastructure (PKI).

Every client device must have a unique certificate, adding to administrative burden and cost.

Incorrect:

A. Roaming speed is not inherently slower with EAP-TLS if supported by the infrastructure.

B. EAP-TLS protects client credentials; passwords aren’t even used—it uses certificates.

C. EAP-TLS does establish a secure tunnel—it's the original TLS-based method.

D. EAP-TLS is vendor-agnostic and supported by most enterprise WLAN infrastructure.

RSNA (Robust Security Network Association), as defined by 802.11i, requires:

TKIP (WPA) or CCMP (WPA2) for encryption.

WEP is deprecated and not supported for RSNA since it does not meet RSN standards.

Incorrect:

B & C. BIP is not required for RSNA formation—it is used for management frame protection (802.11w).

D. VLANs are orthogonal to RSNA—network segmentation does not interfere with RSNA formation.

For security and proper management, each autonomous AP must have:

A unique, non-default administrative password.

This ensures attackers cannot guess login credentials and access AP settings.

Especially critical when managing via web interface, which may expose login portals to the local network.

Incorrect:

A. Fragmentation threshold is rarely adjusted except for special performance tuning.

C & D. Output power and cell radius settings are adjusted during RF design, but they don't relate to staging/security directly.

Aircrack-ng is a versatile toolset commonly used for WLAN penetration testing and security auditing. Its capabilities include:

A. Injecting deauth frames to simulate or test disconnection scenarios.

B. Testing WIPS responsiveness by simulating common attack frames.

D. Performing dictionary and brute-force attacks against weakly protected networks (e.g., WPA2-PSK with a weak passphrase).

Incorrect:

C. Aircrack-ng does not probe or test RADIUS shared secrets.

When using a wireless aggregator to combine packet captures from channels 1, 6, and 11 (the three non-overlapping 2.4 GHz channels), you're most likely analyzing multi-channel behavior. This is particularly relevant when troubleshooting roaming issues, such as fast secure roaming (e.g., 802.11r). These captures help determine whether authentication or association events occur smoothly across APs operating on different channels.

Incorrect:

A. Adapter failure doesn't require multi-channel capture.

B. Interference location is typically single-channel and spectrum-analysis focused.

D. Narrowband DoS attacks are also usually identified using RF spectrum analysis, not packet capture across all channels.

To hijack a wireless client, attackers often use:

An RF jamming device to disconnect the client from the legitimate AP (via deauth attacks or RF disruption)

A rogue AP (created using access point software) that impersonates the real network

DHCP server software to assign IP addresses and act as a gateway, completing the fake network

Incorrect:

B. Terminal emulation is not relevant.

C. Workgroup bridges and protocol analyzers are for monitoring, not attacking.

E. MAC spoofing and DoS do not complete a hijack.

In WPA2-Personal, each client derives its Pairwise Transient Key (PTK) based on a shared Pairwise Master Key (PMK) and values exchanged during the 4-Way Handshake. Therefore, even if the passphrase is cracked, an attacker must still capture the 4-Way Handshake for each target client in order to decrypt their unicast traffic.

Incorrect:

A. Incorrect because cracking the passphrase allows decrypting data traffic after capturing the 4-Way Handshake.

C. WPA2 encrypts multicast and broadcast traffic using the GTK, which unauthorized clients cannot derive.

D. Capturing BSSID and MAC isn’t enough without knowing the passphrase and the full 4-Way Handshake.

E. Hijacking is harder in WPA2-Personal due to the dynamic PTK derived per session.

Mutual authentication involves both the client and the authentication server verifying each other’s identity before network access is granted. This prevents attackers from spoofing an access point (AP) and luring clients to connect to rogue APs (often used in wireless hijacking or evil twin attacks). When mutual authentication (typically via 802.1X with EAP-TLS) is used, clients will not connect unless they can verify the server certificate, which thwarts hijacking attempts.

Most integrated Wi-Fi adapters in Windows laptops are not capable of entering “monitor mode” or capturing 802.11ac frames properly. Compatibility with protocol analyzers like Wireshark or Omnipeek requires special drivers or specific USB adapters. Therefore, it is recommended to use a USB adapter known to support monitor mode and frame capture on 802.11ac for accurate and complete data capture.

Incorrect:

A. Not all adapters support protocol analyzer features.

C. MU-MIMO support is irrelevant for frame capture.

D. Other analyzers besides Wireshark can decode 802.11ac (e.g., Omnipeek).

E. Remote capture is not the only method—local USB adapters are effective too.

TKIP (Temporal Key Integrity Protocol) was introduced with WPA to enhance WEP security. One of the security mechanisms used in TKIP is a per-MPDU (MAC Protocol Data Unit) sequence counter called the TSC (TKIP Sequence Counter). The TSC acts as a form of replay protection by assigning a unique sequence number to each transmitted frame. If a packet is received with a sequence number lower than or equal to a previously received number, it is discarded. This directly prevents replay attacks, where a malicious actor resends previously captured frames in an attempt to spoof the session or extract data.

This network uses WPA-Personal (Pre-Shared Key) and MAC filtering. While it does offer some basic protections, it is still vulnerable to several well-known attack vectors:

A. Offline dictionary attacks: An attacker can capture the 4-way handshake and perform offline dictionary or brute-force attacks to guess the PSK.

B. MAC Spoofing: Since MAC filtering is based on easily observed MAC addresses, attackers can spoof an authorized MAC address.

D. DoS: Attacks such as deauthentication floods or RF jamming can deny users access without needing to break encryption.

Incorrect:

C. ASLEAP: This is specific to LEAP (a weak EAP type), which is not used in WPA-Personal.

802.11w, also known as Protected Management Frames (PMF), is designed to protect specific types of 802.11 management frames such as disassociation and deauthentication frames. These frames were previously sent unencrypted and could be spoofed by attackers to disconnect clients (DoS attacks). With 802.11w, these frames are cryptographically protected, mitigating such attacks.

PMF also includes replay protection for these management frames, preventing attackers from capturing and replaying them to disrupt network connectivity.

EAP-TLS requires both server and client-side digital certificates, which adds complexity in client certificate management.

EAP-TTLS uses a server certificate to establish a secure TLS tunnel, after which user credentials (e.g., username/password) are sent inside the encrypted tunnel. No client certificate is needed.

Incorrect:

A. EAP-TLS also encrypts credentials using TLS.

B. EAP-TLS supports client certificates (it’s the core requirement).

C. Both EAP methods require an authentication server.

A Transitional Security Network (TSN) allows legacy stations to interoperate by using older encryption methods. If AES (CCMP) is unsupported by older equipment, the network can fall back to TKIP, which uses RC4 as its encryption algorithm. TKIP enables AES encryption on newer devices while accommodating legacy clients.

Options A, C, D are current or deprecated standards with AES; only RC4 matches the transitional need.

In WPA2-Personal with AES-CCMP:

The MSDU (MAC Service Data Unit), which includes the payload from Layer 3 and above, is encrypted.

This protects the actual application data (e.g., web content, email).

Frame headers (MAC headers) are not encrypted.

Incorrect:

B. MPDU includes MAC headers, which are not encrypted.

C. PPDU includes preamble and physical-layer components, which are never encrypted.

D. PSDU includes the MAC header and frame body; again, headers are not encrypted.