Pass the CWNP CWSP CWSP-208 Questions and answers with ValidTests

In integrated WIPS systems, radios are shared between client servicing and security scanning. To maintain quality of service for latency-sensitive applications such as VoWiFi (Voice over Wi-Fi), scanning operations may be temporarily suspended or deprioritized, potentially reducing security monitoring during those periods.

EAP-TLS requires both server and client-side digital certificates, which adds complexity in client certificate management.

EAP-TTLS uses a server certificate to establish a secure TLS tunnel, after which user credentials (e.g., username/password) are sent inside the encrypted tunnel. No client certificate is needed.

Incorrect:

A. EAP-TLS also encrypts credentials using TLS.

B. EAP-TLS supports client certificates (it’s the core requirement).

C. Both EAP methods require an authentication server.

Comprehensive Detailed Explanation:

B. Vendor-Specific Attributes (VSAs) allow integration with WLAN vendors' controllers to assign roles, VLANs, QoS levels, etc., during user authentication.

E. Standard or vendor-specific RADIUS attributes can dynamically assign permission levels based on group membership, department, or role.

Incorrect:

A. RADIUS does not directly manage DHCP functions.

C. SSID is selected by the user’s device, not by the RADIUS server.

D. RADIUS uses ACCESS-REJECT, not “DO-NOT-AUTHORIZE,” and it is not OS-specific.

A Transitional Security Network (TSN) allows legacy stations to interoperate by using older encryption methods. If AES (CCMP) is unsupported by older equipment, the network can fall back to TKIP, which uses RC4 as its encryption algorithm. TKIP enables AES encryption on newer devices while accommodating legacy clients.

Options A, C, D are current or deprecated standards with AES; only RC4 matches the transitional need.

The IEEE 802.1X framework consists of three defined roles:

Supplicant (E): The client device (STA) that requests access to the network.

Authenticator (F): The network device (usually an AP or switch) that enforces access control and acts as an intermediary between the supplicant and the authentication server.

Authentication Server (D): Typically a RADIUS server that validates credentials and responds with access decisions.

Incorrect:

A & B. Enrollee and Registrar are roles in Wi-Fi Protected Setup (WPS), not 802.1X.

C. AAA Server is a broader term; the specific role in 802.1X is “Authentication Server.”

G. “Control Point” is not a formal 802.1X role.

A. 802.11w (now part of 802.11-2012) introduces protection for management frames, especially disassociation and deauthentication frames, helping prevent spoofing-based DoS attacks. However, it cannot prevent all types of Layer 2 DoS (e.g., RF jamming).

D. Specifically, 802.11w protects disassociation and deauthentication frames by signing them with cryptographic keys.

Incorrect:

B. The MAC header and PHY preamble are not encrypted under any standard.

C. Authentication and association frames are not protected by 802.11w; only certain management frames are.

To hijack a wireless client, attackers often use:

An RF jamming device to disconnect the client from the legitimate AP (via deauth attacks or RF disruption)

A rogue AP (created using access point software) that impersonates the real network

DHCP server software to assign IP addresses and act as a gateway, completing the fake network

Incorrect:

B. Terminal emulation is not relevant.

C. Workgroup bridges and protocol analyzers are for monitoring, not attacking.

E. MAC spoofing and DoS do not complete a hijack.

In WPA2-Personal, each client derives its Pairwise Transient Key (PTK) based on a shared Pairwise Master Key (PMK) and values exchanged during the 4-Way Handshake. Therefore, even if the passphrase is cracked, an attacker must still capture the 4-Way Handshake for each target client in order to decrypt their unicast traffic.

Incorrect:

A. Incorrect because cracking the passphrase allows decrypting data traffic after capturing the 4-Way Handshake.

C. WPA2 encrypts multicast and broadcast traffic using the GTK, which unauthorized clients cannot derive.

D. Capturing BSSID and MAC isn’t enough without knowing the passphrase and the full 4-Way Handshake.

E. Hijacking is harder in WPA2-Personal due to the dynamic PTK derived per session.

Rogue APs pose a significant risk and should be detected and mitigated automatically.

D. A properly configured Wireless Intrusion Prevention System (WIPS) can detect unauthorized APs and prevent client associations to them in real time.

Incorrect:

A. While WPA2-Enterprise adds client-level protection, it does not detect rogue APs.

B. Hiding SSIDs is ineffective—SSIDs are still discoverable in management frames.

C. Manual scans are labor-intensive and impractical for ongoing monitoring.

E. Port security controls wired threats but cannot detect rogue APs using wireless signals.

Mutual authentication involves both the client and the authentication server verifying each other’s identity before network access is granted. This prevents attackers from spoofing an access point (AP) and luring clients to connect to rogue APs (often used in wireless hijacking or evil twin attacks). When mutual authentication (typically via 802.1X with EAP-TLS) is used, clients will not connect unless they can verify the server certificate, which thwarts hijacking attempts.