CWSP-208 Certified Wireless Security Professional (CWSP) Questions and Answers

In a large enterprise:

A central RADIUS (like Microsoft NPS) connected to Active Directory is preferred for scalability and centralized policy control.

WLAN controller internal RADIUS servers are minimal and not scalable for thousands of users.

Incorrect:

A. WPA2-Enterprise is essential for strong security.

C. WIPS support is vital for intrusion detection/prevention.

D. VLAN trunking is needed for network segmentation.

E. SNMPv3 is important for secure device monitoring and management.

A. 802.11w (now part of 802.11-2012) introduces protection for management frames, especially disassociation and deauthentication frames, helping prevent spoofing-based DoS attacks. However, it cannot prevent all types of Layer 2 DoS (e.g., RF jamming).

D. Specifically, 802.11w protects disassociation and deauthentication frames by signing them with cryptographic keys.

Incorrect:

B. The MAC header and PHY preamble are not encrypted under any standard.

C. Authentication and association frames are not protected by 802.11w; only certain management frames are.

In 802.1X/EAP authentication:

The EAP method (e.g., EAP-TLS, PEAP) results in the generation of a Master Session Key (MSK).

The Pairwise Master Key (PMK) is derived from the MSK.

The Pairwise Transient Key (PTK) is derived from the PMK using nonces and MAC addresses during the 4-Way Handshake.

The PTK includes the actual keys used for data encryption.

Incorrect:

B. This applies to WPA/WPA2-Personal, not 802.1X/EAP.

C. The RADIUS server sends the MSK, not the PMK directly.

D. The MSK is always derived during EAP authentication, mutual or not.

Without traffic monitoring or filtering on guest VLANs, the following threats remain possible:

Spammers can exploit the open Internet access to send unsolicited traffic

en.wikipedia.org

Guests may launch external network attacks (e.g., scanning, DDoS)

Peer-to-peer attacks are prevented if client isolation is enabled. AP management plane security is a separate concern from VLAN separation, and VLAN isolation prevents frame sniffing into corporate networks.

Comprehensive Detailed Explanation:

To support real-time applications like Voice over Wi-Fi:

WPA2-Enterprise ensures robust security using 802.1X and AES-CCMP.

Fast secure roaming (802.11r) is essential to maintain voice session quality.

VLAN segmentation improves network performance and security between voice and data devices.

Incorrect:

A. WPA-Enterprise is less secure than WPA2, and frequency band segmentation doesn’t address QoS and security together.

C. WEP is deprecated and insecure even with added measures.

D. WPA-Personal lacks centralized authentication and doesn’t support enterprise-grade security or fast roaming.

To leverage an existing LDAP user database (like Microsoft Active Directory or OpenLDAP) for WPA2-Enterprise:

Deploy a RADIUS server (e.g., FreeRADIUS or Microsoft NPS).

Configure the RADIUS server to query the LDAP directory for credential validation.

This maintains centralized authentication without the need for data duplication.

Incorrect:

A. Importing LDAP entries into RADIUS introduces sync and security issues.

B. SSL on LDAP is good practice, but it doesn’t directly handle WPA2-Enterprise authentication.

C. Mirroring LDAP into the controller is not scalable or supported.

Peer-to-peer blocking (also called client isolation) is useful in open or public WLANs to prevent devices from communicating directly with each other.

B. In public hot-spots, isolating users helps protect against malware spread, snooping, and attacks from nearby devices.

Incorrect:

A. In home networks, peer-to-peer communication is often desired for file sharing.

C. Voice over Wi-Fi may rely on peer communication (e.g., multicast).

D. In university setups using multicast, peer-to-peer restrictions could hinder functionality.

In environments where PSK-based authentication (like WPA2-Personal) is still in use due to legacy device constraints:

C. Regularly changing static passwords helps limit exposure from credential leaks or previous employees retaining access.

Incorrect:

A. MSCHAPv2 is vulnerable to offline attacks; recommending strong passwords is good, but that alone isn’t sufficient.

B. WEP is insecure regardless of password strength due to IV reuse.

D. Certificates are stronger, but not always feasible for legacy systems.

E. EAP-TLS is ideal but not always compatible with all devices; policies should be flexible to device capabilities.

EAP-TLS requires both server and client-side digital certificates, which adds complexity in client certificate management.

EAP-TTLS uses a server certificate to establish a secure TLS tunnel, after which user credentials (e.g., username/password) are sent inside the encrypted tunnel. No client certificate is needed.

Incorrect:

A. EAP-TLS also encrypts credentials using TLS.

B. EAP-TLS supports client certificates (it’s the core requirement).

C. Both EAP methods require an authentication server.

Developing a robust WLAN security policy requires buy-in from executive or senior management. Without management support, it’s difficult to enforce compliance, allocate resources, or prioritize security among other organizational objectives. This foundational step ensures that policy creation and enforcement are feasible and aligned with organizational goals.

Incorrect:

A. Device/vendor specifics are addressed later during implementation.

C. End-user training materials are created after the policy is finalized.

D. Security policy software can assist, but is not essential compared to management support.

A strong WLAN security policy should encompass both technical controls and user education.

C. Educating users about secure password creation and acceptable use policies helps reduce risks due to weak authentication and misuse.

E. Social engineering is a common attack vector, and educating users to recognize and report such attempts is critical.

Incorrect:

A. MAC addresses are always transmitted in the clear, even with encryption.

B. Policies should be shared with users to promote compliance and awareness.

D. Passwords for administrative systems should not be disclosed in public documentation or policy documents.

Rogue APs pose a significant risk and should be detected and mitigated automatically.

D. A properly configured Wireless Intrusion Prevention System (WIPS) can detect unauthorized APs and prevent client associations to them in real time.

Incorrect:

A. While WPA2-Enterprise adds client-level protection, it does not detect rogue APs.

B. Hiding SSIDs is ineffective—SSIDs are still discoverable in management frames.

C. Manual scans are labor-intensive and impractical for ongoing monitoring.

E. Port security controls wired threats but cannot detect rogue APs using wireless signals.

Without proper staging, change management, and installation procedures, significant vulnerabilities may arise:

(B) WIPS relies on a known database of authorized APs and clients. If devices are deployed without proper registration and staging, WIPS cannot accurately classify devices as authorized, rogue, or neighbor.

(D) If APs are installed without changing default credentials, attackers can exploit them through common web or SNMP-based management interfaces.

This undermines both operational visibility and network security posture.

In a security context, outdated firmware is one of the most critical vulnerabilities. Firmware updates typically patch known security issues, fix bugs, and provide new features or improved encryption support. If the APs have not been updated or checked in over 18 months, they could be running firmware with known exploits or lacking critical security patches, making firmware review a top priority.

In integrated WIPS systems, radios are shared between client servicing and security scanning. To maintain quality of service for latency-sensitive applications such as VoWiFi (Voice over Wi-Fi), scanning operations may be temporarily suspended or deprioritized, potentially reducing security monitoring during those periods.

Hijacking attacks often rely on exploiting client behavior during signal disruption. Clients will seek better connections when RF is weak or interrupted. An attacker may:

Disrupt the signal (e.g., with a deauth attack)

Present a rogue access point (evil twin) with stronger signal

Trick the client into associating with the rogue AP, hijacking the session

Incorrect:

B. There is no standard 120-second timer behavior.

C. Loss of connectivity typically triggers reassociation and reauthentication.

D. Direct client-to-client connections are not required in infrastructure mode.

E. Band selection logic varies and is unrelated to hijacking attacks.

To recreate the Pairwise Transient Key (PTK) during an offline attack on WPA2-Personal, the following components must be collected:

PMK (derived from the passphrase)

Supplicant MAC address (SA)

Authenticator MAC address (BSSID)

Supplicant Nonce (SNonce)

Authenticator Nonce (ANonce)

These values are used in the PTK derivation function:

PTK = PRF(PMK, “Pairwise key expansion”, Min(AA, SPA) || Max(AA, SPA) || Min(ANonce, SNonce) || Max(ANonce, SNonce))

Incorrect:

D. GTKSA refers to the Group Temporal Key Security Association, unrelated to PTK derivation.

E. Authentication Server nonce is used in 802.1X-based Enterprise networks, not in WPA2-Personal.

To hijack a wireless client, attackers often use:

An RF jamming device to disconnect the client from the legitimate AP (via deauth attacks or RF disruption)

A rogue AP (created using access point software) that impersonates the real network

DHCP server software to assign IP addresses and act as a gateway, completing the fake network

Incorrect:

B. Terminal emulation is not relevant.

C. Workgroup bridges and protocol analyzers are for monitoring, not attacking.

E. MAC spoofing and DoS do not complete a hijack.

Given that only consumer-grade routers are used and no RADIUS server or enterprise infrastructure is mentioned, WPA2-Personal is the most secure option available. It uses a pre-shared key (PSK) for authentication and AES-CCMP for encryption, offering strong protection for small businesses lacking enterprise equipment.

Enterprise methods such as WPA2-Enterprise, 802.1X, and EAP-PEAP require a RADIUS server or authentication backend, which isn’t supported in typical consumer-grade routers.

Clients seek connectivity when their connection is lost. If the attacker broadcasts a matching SSID on a different channel and the client is disconnected (via RF jamming or deauthentication), the client will often reassociate with the stronger signal or first-responding AP broadcasting the same SSID, even if it's rogue.

Incorrect:

A. SNR alone doesn't force reassociation—clients consider multiple factors.

B. SSID priority is not a standardized field influencing client behavior.

D. Clients won’t reassociate based purely on advertised data rates unless connectivity is disrupted and other AP parameters are more attractive.

In this scenario, although the bank’s website uses HTTPS (which encrypts communications between John’s browser and the bank’s server), the compromise did not occur during the banking session itself. Instead, the attacker exploited a common security mistake: credential reuse.

John reused his email credentials for his bank login, and he accessed his email using a POP3 client without encryption at a public hotspot. This means his username and password were sent in cleartext, which is trivially easy to sniff on an open wireless network. Once an attacker obtained those credentials, they could use them to log into his bank account if the same credentials were used there.

Here's how this aligns with CWSP knowledge domains:

CWSP Security Threats & Attacks: This is a classic example of credential harvesting via cleartext protocols (POP3), and password reuse, both of which are significant risks in WLAN environments.

CWSP Secure Network Design: Recommends use of encrypted protocols (e.g., POP3S or IMAPS) and user education against password reuse.

CWSP WLAN Security Fundamentals: Emphasizes that open Wi-Fi networks offer no encryption by default, leaving unprotected protocols vulnerable to sniffing and interception.

Other answer options and why they are incorrect:

A & D are invalid because an expired or unsigned certificate may cause browser warnings but won’t result in sending credentials unencrypted unless the user bypasses HTTPS (which wasn’t stated).

C is incorrect: IPSec VPNs encrypt all data between the client and VPN endpoint—including credentials.

E is technically incorrect and misleading: intercepting the public key of an HTTPS session doesn't allow decryption of the credentials due to asymmetric encryption and session key security. Real-time decryption of HTTPS traffic without endpoint compromise is not feasible.

C. RF DoS attacks use signal jamming or interference to prevent communication.

D. Hijacking uses deauthentication and re-association to force users onto rogue APs.

E. Social engineering uses manipulation to acquire credentials or sensitive information.

Incorrect:

A. Management interface exploit attacks typically involve web or CLI interface vulnerabilities, not social engineering.

B. Zero-day attacks are based on unknown vulnerabilities, not just limited to authentication or encryption.

F. Association flood attacks occur at Layer 2, not Layer 3.

A Denial-of-Service (DoS) attack focuses on preventing legitimate users from accessing network resources. In this case, the attacker has not accessed files or data but is interrupting services. This aligns perfectly with a DoS attack scenario.

In Cisco LEAP (Lightweight EAP), the username is sent in clear text as part of the 802.1X authentication process. LEAP uses a challenge/response authentication mechanism that is susceptible to offline dictionary attacks because the attacker only needs to know the username and capture the challenge/response exchange to perform brute-force guessing of passwords. The username is used in generating the hash for the authentication exchange, making its disclosure critical for an attacker.

Incorrect:

A. PACs are used in EAP-FAST, not LEAP.

C. The 4-Way Handshake nonces are unrelated to the username.

D. While dictionary files may include username/password combos, the cryptographic significance in LEAP is due to the challenge/response mechanism.