
Aug-2025 CWNP CWSP-208 Actual Questions and 100% Cover Real Exam Questions
CWSP-208 Free Exam Questions and Answers PDF Updated on Aug-2025
NEW QUESTION # 65
What EAP type supports using MS-CHAPv2, EAP-GTC or EAP-TLS for wireless client authentication?
- A. LEAP
- B. EAP-GTC
- C. EAP-TTLS
- D. H-REAP
- E. PEAP
Answer: C
Explanation:
EAP-TTLS (Tunneled Transport Layer Security) supports flexible inner authentication methods including:
MS-CHAPv2
EAP-GTC (Generic Token Card)
EAP-TLS (in some configurations)
This versatility allows EAP-TTLS to be used with a wide range of back-end authentication systems, while only requiring a server-side certificate.
Incorrect:
A). H-REAP (now FlexConnect) is a Cisco AP deployment mode, not an EAP type.
B). EAP-GTC is a simple authentication method and not a tunnel or container for others.
D). PEAP typically supports MS-CHAPv2 but not EAP-GTC or EAP-TLS as inner methods.
E). LEAP uses MS-CHAPv1 and is considered deprecated and insecure.
References:
CWSP-208 Study Guide, Chapter 4 (EAP Methods)
NEW QUESTION # 66
Given: AAA is an architectural framework used to provide three separate security components in a network.
Listed below are three phrases that each describe one aspect of the AAA framework.
Option-1 - This AAA function is performed first and validates user identify prior to determining the network resources to which they will be granted access.
Option-2 - This function is used for monitoring and auditing purposes and includes the collection of data that identifies what a user has done while connected.
Option-3 - This function is used to designate permissions to a particular user.
What answer correctly pairs the AAA component with the descriptions provided above?
- A. Option-1 - Authorization
Option-2 - Access Control
Option-3 - Association - B. Option-1 - Authentication
Option-2 - Accounting
Option-3 - Authorization - C. Option-1 - Access Control
Option-2 - Authorization
Option-3 - Accounting - D. Option-1 - Authentication
Option-2 - Accounting
Option-3 - Association
Answer: B
Explanation:
AAA stands for:
Authentication: Validates user identity (Option 1).
Authorization: Grants access to specific resources based on policy (Option 3).
Accounting: Tracks user activity (Option 2).
This ordering matches standard network security architecture:
Who are you? # Authentication
What are you allowed to do? # Authorization
What did you do? # Accounting
Incorrect:
A-C. Misplace or mislabel AAA functions.
References:
CWSP-208 Study Guide, Chapter 4 (AAA Framework)
CWNP AAA and WLAN Policy Documents
NEW QUESTION # 67
When used as part of a WLAN authentication solution, what is the role of LDAP?
- A. An IEEE X.500 standard compliant database that participates in the 802.1X port-based access control process
- B. A role-based access control protocol for filtering data to/from authenticated stations.
- C. A SQL compliant authentication service capable of dynamic key generation and distribution
- D. A data retrieval protocol used by an authentication service such as RADIUS
- E. An Authentication Server (AS) that communicates directly with, and provides authentication for, the Supplicant.
Answer: D
Explanation:
LDAP (Lightweight Directory Access Protocol) is used to query and retrieve user credential information from a directory service (like Microsoft Active Directory).
It's not an authentication protocol itself but is used by services like RADIUS to validate user credentials during the EAP authentication process.
Incorrect:
B). LDAP is not directly compliant with X.500-it uses a simplified subset.
C). LDAP is not a SQL-compliant protocol.
D). LDAP is not a role-based access control mechanism.
E). LDAP is not an Authentication Server by itself.
References:
CWSP-208 Study Guide, Chapter 4 (LDAP Integration with RADIUS)
CWNP AAA Architecture Overview
NEW QUESTION # 68
As a part of a large organization's security policy, how should a wireless security professional address the problem of rogue access points?
- A. Hide the SSID of all legitimate APs on the network so that intruders cannot copy this parameter on rogue APs.
- B. A trained employee should install and configure a WIPS for rogue detection and response measures.
- C. Use a WPA2-Enterprise compliant security solution with strong mutual authentication and encryption for network access of corporate devices.
- D. Enable port security on Ethernet switch ports with a maximum of only 3 MAC addresses on each port.
- E. Conduct thorough manual facility scans with spectrum analyzers to detect rogue AP RF signatures.
Answer: B
Explanation:
Rogue APs pose a significant risk and should be detected and mitigated automatically.
D). A properly configured Wireless Intrusion Prevention System (WIPS) can detect unauthorized APs and prevent client associations to them in real time.
Incorrect:
A). While WPA2-Enterprise adds client-level protection, it does not detect rogue APs.
B). Hiding SSIDs is ineffective-SSIDs are still discoverable in management frames.
C). Manual scans are labor-intensive and impractical for ongoing monitoring.
E). Port security controls wired threats but cannot detect rogue APs using wireless signals.
References:
CWSP-208 Study Guide, Chapter 6 (Wireless Intrusion Prevention Systems) CWNP Rogue Detection Strategies
NEW QUESTION # 69
Given: XYZ Company has recently installed an 802.11ac WLAN. The company needs the ability to control access to network services, such as file shares, intranet web servers, and Internet access based on an employee's job responsibilities.
What WLAN security solution meets this requirement?
- A. A WLAN controller with RBAC features
- B. A VPN server with multiple DHCP scopes
- C. A WLAN router with wireless VLAN support
- D. An autonomous AP system with MAC filters
- E. WPA2-Personal with support for LDAP queries
Answer: A
Explanation:
Role-Based Access Control (RBAC) enables dynamic assignment of permissions and access rights based on a user's job function. A WLAN controller with RBAC:
Can apply policies post-authentication.
Controls access to internal services (e.g., file shares, apps).
Assigns users to different VLANs or applies firewall rules based on roles.
Incorrect:
A). MAC filtering is not scalable or secure.
B). WPA2-Personal does not support user-based policies or LDAP integration.
C). DHCP scope assignment is not linked to user roles.
E). VLAN assignment via SSID is static and does not consider job function.
References:
CWSP-208 Study Guide, Chapter 6 (Access Control and Role-Based Policies) CWNP Enterprise WLAN Design Practices
NEW QUESTION # 70
What policy would help mitigate the impact of peer-to-peer attacks against wireless-enabled corporate laptop computers when the laptops are also used on public access networks such as wireless hot-spots?
- A. Require WPA2-Enterprise as the minimal WLAN security solution.
- B. Require secure applications such as POP, HTTP, and SSH.
- C. Require VPN software for connectivity to the corporate network.
- D. Require Port Address Translation (PAT) on each laptop.
Answer: C
Explanation:
EAP-TLS requires both server and client-side digital certificates, which adds complexity in client certificate management.
EAP-TTLS uses a server certificate to establish a secure TLS tunnel, after which user credentials (e.g., username/password) are sent inside the encrypted tunnel. No client certificate is needed.
Incorrect:
A). EAP-TLS also encrypts credentials using TLS.
B). EAP-TLS supports client certificates (it's the core requirement).
C). Both EAP methods require an authentication server.
References:
CWSP-208 Study Guide, Chapter 4 (EAP Methods Comparison)
CWNP EAP-TTLS Deployment Guide
NEW QUESTION # 71
Given: A network security auditor is preparing to perform a comprehensive assessment of an 802.11ac network's security.
What task should be performed at the beginning of the audit to maximize the auditor's ability to expose network vulnerabilities?
- A. Identify the wireless security solution(s) currently in use.
- B. Identify the skill level of the wireless network security administrator(s).
- C. Identify the manufacturer of the wireless infrastructure hardware.
- D. Identify the manufacturer of the wireless intrusion prevention system.
- E. Identify the IP subnet information for each network segment.
Answer: A
Explanation:
Before conducting a security audit of an 802.11ac WLAN, it is essential to know the current security implementations-such as the use of WPA2-Enterprise, 802.1X, or MAC filtering. This helps the auditor tailor tests to identify gaps, weaknesses, or misconfigurations in the existing system. Understanding the security solutions provides the most immediate insight into potential vulnerabilities.
NEW QUESTION # 72
When using the 802.1X/EAP framework for authentication in 802.11 WLANs, why is the 802.1X Controlled Port still blocked after the 802.1X/EAP framework has completed successfully?
- A. The 802.1X Controlled Port is blocked until Vender Specific Attributes (VSAs) are exchanged inside a RADIUS packet between the Authenticator and Authentication Server.
- B. The 802.1X Controlled Port remains blocked until an IP address is requested and accepted by the Supplicant.
- C. The 4-Way Handshake must be performed before the 802.1X Controlled Port changes to the unblocked state.
- D. The 802.1X Controlled Port is always blocked, but the Uncontrolled Port opens after the EAP authentication process completes.
Answer: C
Explanation:
The 802.1X Controlled Port remains blocked after EAP authentication is complete. It is only unblocked once the 4-Way Handshake completes successfully. This handshake:
Confirms that both client and AP have the same PMK.
Derives the PTK and installs keys.
Once encryption keys are in place, the Controlled Port is opened for data.
Incorrect:
A). The Controlled Port is what opens after successful authentication and key establishment.
B). IP addressing (via DHCP) happens after the Controlled Port is open.
D). Vendor-Specific Attributes may play a role in policy assignment but do not govern port control timing.
References:
CWSP-208 Study Guide, Chapter 4 (802.1X and Controlled Port Behavior)
IEEE 802.1X and 802.11i Standards
NEW QUESTION # 73
You must locate non-compliant 802.11 devices. Which one of the following tools will you use and why?
- A. A protocol analyzer, because it can be used to view the spectrum energy of non-compliant 802.11 devices, which is always different from compliant devices.
- B. A protocol analyzer, because it can be used to report on security settings and regulatory or rule compliance
- C. A spectrum analyzer, because it can show the energy footprint of a device using WPA differently from a device using WPA2.
- D. A spectrum analyzer, because it can decode the PHY preamble of a non-compliant device.
Answer: B
Explanation:
In a security context, outdated firmware is one of the most critical vulnerabilities. Firmware updates typically patch known security issues, fix bugs, and provide new features or improved encryption support. If the APs have not been updated or checked in over 18 months, they could be running firmware with known exploits or lacking critical security patches, making firmware review a top priority.
References:
CWSP-208 Study Guide, Chapter 8 - WLAN Security Lifecycle and Maintenance CWNP CWSP-208 Objectives: "Firmware and Security Patch Management"
NEW QUESTION # 74
Given: Your network implements an 802.1X/EAP-based wireless security solution. A WLAN controller is installed and manages seven APs. FreeRADIUS is used for the RADIUS server and is installed on a dedicated server named SRV21. One example client is a MacBook Pro with 8 GB RAM.
What device functions as the 802.1X/EAP Authenticator?
- A. WLAN Controller/AP
- B. MacBook Pro
- C. RADIUS server
- D. SRV21
Answer: A
Explanation:
Comprehensive Detailed Explanation:
In the 802.1X/EAP framework:
The Authenticator is the device that controls access to the network - typically the AP or WLAN controller.
The Authenticator passes EAP messages between the Supplicant (client) and the Authentication Server (RADIUS).
Incorrect:
A). SRV21 is the RADIUS server (Authentication Server), not the Authenticator.
C). The MacBook Pro is the Supplicant.
D). RADIUS server handles Authentication, not Authenticator functionality.
References:
CWSP-208 Study Guide, Chapter 4 (802.1X Architecture Roles)
CWNP AAA and Authentication Design
NEW QUESTION # 75
Given: In XYZ's small business, two autonomous 802.11ac APs and 12 client devices are in use with WPA2- Personal.
What statement about the WLAN security of this company is true?
- A. An unauthorized WLAN user with a protocol analyzer can decode data frames of authorized users if he captures the BSSID, client MAC address, and a user's 4-Way Handshake.
- B. Because WPA2-Personal uses Open System authentication followed by a 4-Way Handshake, hijacking attacks are easily performed.
- C. An unauthorized wireless client device cannot associate, but can eavesdrop on some data because WPA2-Personal does not encrypt multicast or broadcast traffic.
- D. A successful attack against all unicast traffic on the network would require a weak passphrase dictionary attack and the capture of the latest 4-Way Handshake for each client.
- E. Intruders may obtain the passphrase with an offline dictionary attack and gain network access, but will be unable to decrypt the data traffic of other users.
Answer: D
Explanation:
In WPA2-Personal, each client derives its Pairwise Transient Key (PTK) based on a shared Pairwise Master Key (PMK) and values exchanged during the 4-Way Handshake. Therefore, even if the passphrase is cracked, an attacker must still capture the 4-Way Handshake for each target client in order to decrypt their unicast traffic.
Incorrect:
A). Incorrect because cracking the passphrase allows decrypting data traffic after capturing the 4-Way Handshake.
C). WPA2 encrypts multicast and broadcast traffic using the GTK, which unauthorized clients cannot derive.
D). Capturing BSSID and MAC isn't enough without knowing the passphrase and the full 4-Way Handshake.
E). Hijacking is harder in WPA2-Personal due to the dynamic PTK derived per session.
References:
CWSP-208 Study Guide, Chapter 3 (WPA2-PSK Key Management)
CWNP Learning: WLAN Encryption and PTK Derivation
NEW QUESTION # 76
ABC Company uses the wireless network for highly sensitive network traffic. For that reason, they intend to protect their network in all possible ways. They are continually researching new network threats and new preventative measures. They are interested in the security benefits of 802.11w, but would like to know its limitations.
What types of wireless attacks are protected by 802.11w? (Choose 2)
- A. Social engineering attacks
- B. Layer 2 Disassociation attacks
- C. Robust management frame replay attacks
- D. RF DoS attacks
Answer: B,C
Explanation:
802.11w, also known as Protected Management Frames (PMF), is designed to protect specific types of 802.11 management frames such as disassociation and deauthentication frames. These frames were previously sent unencrypted and could be spoofed by attackers to disconnect clients (DoS attacks). With 802.11w, these frames are cryptographically protected, mitigating such attacks.
PMF also includes replay protection for these management frames, preventing attackers from capturing and replaying them to disrupt network connectivity.
References:
CWSP-208 Study Guide, Chapter 6 (Wireless LAN Security Solutions)
IEEE 802.11w-2009 amendment
CWNP Whitepapers on PMF and Management Frame Protection
NEW QUESTION # 77
While seeking the source of interference on channel 11 in your 802.11n WLAN running within 2.4 GHz, you notice a signal in the spectrum analyzer real time FFT display. The signal is characterized with the greatest strength utilizing only 1-2 megahertz of bandwidth and it does not use significantly more bandwidth until it has weakened by roughly 20 dB. At approximately -70 dB, it spreads across as much as 35 megahertz of bandwidth.
What kind of signal is described?
- A. A high-power, narrowband signal
- B. A 2.4 GHz WLAN transmission using transmit beam forming
- C. A frequency hopping wireless device in discovery mode
- D. A high-power ultra wideband (UWB) Bluetooth transmission
- E. An HT-OFDM access point
- F. A deauthentication flood from a WIPS blocking an AP
Answer: A
Explanation:
Spectrum analyzer observations indicate a narrow 1-2 MHz peak with a strong signal, which broadens only when significantly attenuated. This behavior matches a high-powered narrowband interferer (like a microwave ignitor or industrial radio) - not Bluetooth hopping or standard WLAN signals
NEW QUESTION # 78
Given: You are using a Wireless Aggregator utility to combine multiple packet captures. One capture exists for each of channels 1, 6 and 11. What kind of troubleshooting are you likely performing with such a tool?
- A. Interference source location.
- B. Fast secure roaming problems.
- C. Wireless adapter failure analysis.
- D. Narrowband DoS attack detection.
Answer: B
Explanation:
When using a wireless aggregator to combine packet captures from channels 1, 6, and 11 (the three non- overlapping 2.4 GHz channels), you're most likely analyzing multi-channel behavior. This is particularly relevant when troubleshooting roaming issues, such as fast secure roaming (e.g., 802.11r). These captures help determine whether authentication or association events occur smoothly across APs operating on different channels.
Incorrect:
A). Adapter failure doesn't require multi-channel capture.
B). Interference location is typically single-channel and spectrum-analysis focused.
D). Narrowband DoS attacks are also usually identified using RF spectrum analysis, not packet capture across all channels.
References:
CWSP-208 Study Guide, Chapter 6 (Roaming and Mobility)
CWNP Whitepaper: WLAN Troubleshooting Methodologies
CWNP Learning Portal: 802.11 Roaming and Analysis
NEW QUESTION # 79
What wireless security protocol provides mutual authentication without using an X.509 certificate?
- A. PEAPv1/EAP-GTC
- B. EAP-TLS
- C. EAP-MD5
- D. EAP-TTLS
- E. EAP-FAST
- F. PEAPv0/EAP-MSCHAPv2
Answer: E
Explanation:
EAP-FAST (Flexible Authentication via Secure Tunneling) provides:
Mutual authentication using Protected Access Credentials (PACs).
Does not require X.509 certificates for either client or server (although optional for servers).
Is faster and easier to deploy in environments lacking a PKI.
Incorrect:
B). EAP-MD5 provides no mutual authentication.
C). EAP-TLS requires client and server certificates.
D). PEAPv0/EAP-MSCHAPv2 requires a server certificate.
E). EAP-TTLS requires a server certificate.
F). PEAPv1/EAP-GTC still requires a server certificate.
References:
CWSP-208 Study Guide, Chapter 4 (EAP Method Comparisons)
Cisco EAP-FAST Whitepaper
Wi-Fi Alliance EAP Interoperability Matrix
NEW QUESTION # 80
Given: Your network includes a controller-based WLAN architecture with centralized data forwarding. The AP builds an encrypted tunnel to the WLAN controller. The WLAN controller is uplinked to the network via a trunked 1 Gbps Ethernet port supporting all necessary VLANs for management, control, and client traffic.
What processes can be used to force an authenticated WLAN client's data traffic into a specific VLAN as it exits the WLAN controller interface onto the wired uplink? (Choose 3)
- A. On the Ethernet switch that connects to the AP, configure the switch port as an access port (not trunking) in the VLAN of supported clients.
- B. In the WLAN controller's local user database, create a static username-to-VLAN mapping on the WLAN controller to direct data traffic from a specific user to a designated VLAN.
- C. Configure the WLAN controller with static SSID-to-VLAN mappings; the user will be assigned to a VLAN according to the SSID being used.
- D. During 802.1X authentication, RADIUS sends a return list attribute to the WLAN controller assigning the user and all traffic to a specific VLAN.
Answer: B,C,D
Explanation:
Client VLAN assignment at the controller can be achieved through:
B). RADIUS attributes (e.g., Tunnel-Private-Group-ID) for dynamic VLAN assignment.
C). Static mappings in the WLAN controller's local user DB.
D). SSID-to-VLAN bindings assign traffic from specific SSIDs to specific VLANs.
Incorrect:
A). The AP connects to the controller over a tunneled link. VLAN configuration at the AP's Ethernet port does not impact client VLAN assignment in centralized forwarding mode.
References:
CWSP-208 Study Guide, Chapter 6 (Dynamic VLAN Assignment)
CWNP WLAN Controller Configuration Guides
NEW QUESTION # 81
You are configuring seven APs to prevent common security attacks. The APs are to be installed in a small business and to reduce costs, the company decided to install all consumer-grade wireless routers. The wireless routers will connect to a switch, which connects directly to the Internet connection providing 50 Mbps of Internet bandwidth that will be shared among 53 wireless clients and 17 wired clients.
To ensure the wireless network is as secure as possible from common attacks, what security measure can you implement given only the hardware referenced?
- A. WPA2-Enterprise
- B. 802.1X/EAP-PEAP
- C. WPA2-Personal
- D. WPA-Enterprise
Answer: C
Explanation:
Given that only consumer-grade routers are used and no RADIUS server or enterprise infrastructure is mentioned, WPA2-Personal is the most secure option available. It uses a pre-shared key (PSK) for authentication and AES-CCMP for encryption, offering strong protection for small businesses lacking enterprise equipment.
Enterprise methods such as WPA2-Enterprise, 802.1X, and EAP-PEAP require a RADIUS server or authentication backend, which isn't supported in typical consumer-grade routers.
References:
CWSP-208 Study Guide, Chapter 3 (WLAN Security Technologies)
CWNP Wi-Fi Security Deployment Guide for Small Businesses
CWNP E-Learning Modules: WPA2-PSK vs WPA2-Enterprise
NEW QUESTION # 82
Given: During 802.1X/LEAP authentication, the username is passed across the wireless medium in clear text.
From a security perspective, why is this significant?
- A. 4-Way Handshake nonces are based on the username in WPA and WPA2 authentication.
- B. The username can be looked up in a dictionary file that lists common username/password combinations.
- C. The username is needed for Personal Access Credential (PAC) and X.509 certificate validation.
- D. The username is an input to the LEAP challenge/response hash that is exploited, so the username must be known to conduct authentication cracking.
Answer: D
Explanation:
In Cisco LEAP (Lightweight EAP), the username is sent in clear text as part of the 802.1X authentication process. LEAP uses a challenge/response authentication mechanism that is susceptible to offline dictionary attacks because the attacker only needs to know the username and capture the challenge/response exchange to perform brute-force guessing of passwords. The username is used in generating the hash for the authentication exchange, making its disclosure critical for an attacker.
Incorrect:
A). PACs are used in EAP-FAST, not LEAP.
C). The 4-Way Handshake nonces are unrelated to the username.
D). While dictionary files may include username/password combos, the cryptographic significance in LEAP is due to the challenge/response mechanism.
References:
CWSP-208 Study Guide, Chapter 4 (EAP Types and Authentication Attacks)
CWNP Whitepaper: LEAP Vulnerabilities
NEW QUESTION # 83
Given: You are using WEP as an encryption solution. You are using VLANs for network segregation.
Why can you not establish an RSNA?
- A. RSNA connections require BIP and do not support TKIP, CCMP or WEP.
- B. RSNA connections do not work in conjunction with VLANs.
- C. RSNA connections require TKIP or CCMP.
- D. RSNA connections require CCMP and do not support TKIP or WEP.
Answer: C
Explanation:
RSNA (Robust Security Network Association), as defined by 802.11i, requires:
TKIP (WPA) or CCMP (WPA2) for encryption.
WEP is deprecated and not supported for RSNA since it does not meet RSN standards.
Incorrect:
B & C. BIP is not required for RSNA formation-it is used for management frame protection (802.11w).
D). VLANs are orthogonal to RSNA-network segmentation does not interfere with RSNA formation.
References:
CWSP-208 Study Guide, Chapter 3 (RSNA Formation and Key Hierarchy)
IEEE 802.11i and 802.11-2012 Standards
NEW QUESTION # 84
You work as the security administrator for your organization. In relation to the WLAN, you are viewing a dashboard that shows security threat, policy compliance and rogue threat charts. What type of system is in view?
- A. Wireshark Protocol Analyzer
- B. WLAN Emulation System
- C. Wireless Intrusion Prevention System
- D. Wireless VPN Management Systems
- E. Distributed RF Spectrum Analyzer
Answer: C
Explanation:
A WIPS (Wireless Intrusion Prevention System) is designed to monitor WLAN activity and provide visualization and reporting related to:
Security threats (e.g., DoS attacks, rogue devices)
Policy compliance (e.g., allowed SSIDs, encryption types)
Rogue threat classification (e.g., rogue, neighbor, ad hoc)
The dashboard displaying this type of security-centric overview is characteristic of a WIPS platform.
References:
CWSP-208 Study Guide, Chapter 7 - WIPS Visualization and Monitoring
CWNP CWSP-208 Objectives: "Threat Visualization and Reporting"
NEW QUESTION # 85
When implementing a WPA2-Enterprise security solution, what protocol must the selected RADIUS server support?
- A. LDAP
- B. LWAPP, GRE, or CAPWAP
- C. IPSec/ESP
- D. EAP
- E. CCMP and TKIP
Answer: D
Explanation:
WPA2-Enterprise relies on the IEEE 802.1X framework for authentication, which requires the use of the Extensible Authentication Protocol (EAP). The RADIUS server must support EAP to facilitate the exchange of authentication credentials and method negotiation between the client (supplicant) and the authentication server.
Incorrect:
A). LWAPP, GRE, and CAPWAP are used between APs and controllers-not for client authentication.
B). IPSec/ESP is a VPN protocol, not relevant here.
D). CCMP and TKIP are encryption protocols used between clients and APs, not within the RADIUS server.
E). LDAP may be queried by the RADIUS server, but it is not sufficient on its own-it doesn't replace EAP.
References:
CWSP-208 Study Guide, Chapter 4 (802.1X Authentication Framework)
CWNP AAA Architecture Overview
NEW QUESTION # 86
......
CWNP CWSP-208 Real 2025 Braindumps Mock Exam Dumps: https://validexam.pass4cram.com/CWSP-208-dumps-torrent.html