Pre-Summer Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code = getmirror

Home
CWNP
CWSP
CWSP-208
Certified Wireless Security Professional (CWSP) Questions and Answers

Pass the CWNP CWSP CWSP-208 Questions and answers with ExamsMirror

Practice at least 50% of the questions to maximize your chances of passing.

Exam CWSP-208 Premium Access

View all detail and faqs for the CWSP-208 exam

Go to Exam

840 Students Passed

92% Average Score

91% Same Questions

Viewing page 3 out of 3 pages

Viewing questions 21-30 out of questions

Questions # 21:

While performing a manual scan of your environment using a spectrum analyzer on a laptop computer, you notice a signal in the real time FFT view. The signal is characterized by having peak power centered on channel 11 with an approximate width of 20 MHz at its peak. The signal widens to approximately 40 MHz after it has weakened by about 30 dB.

What kind of signal is displayed in the spectrum analyzer?

Options:

A frequency hopping device is being used as a signal jammer in 5 GHz

A low-power wideband RF attack is in progress in 2.4 GHz, causing significant 802.11 interference

An 802.11g AP operating normally in 2.4 GHz

An 802.11a AP operating normally in 5 GHz

Answer

Explanation

An 802.11g AP uses a 20 MHz-wide channel centered around a specific frequency (e.g., channel 11 at 2.462 GHz). On a spectrum analyzer:

The signal will peak at the center frequency with high power.

The width of approximately 20 MHz at peak and extending to 40 MHz as it drops 30 dB is typical for OFDM-based transmissions (802.11g uses OFDM).

Incorrect:

A. Frequency hopping is characteristic of Bluetooth and looks different on the spectrum (bursty, narrow signals that shift rapidly).

B. A wideband attack would appear more constant and not centered like a normal AP.

D. 802.11a operates in the 5 GHz band, not channel 11 (which is 2.4 GHz).

[References:, , CWSP-208 Study Guide, Chapter 6 (RF Analysis and Interference), , CWNP RF Spectrum Interpretation Guide]

Questions # 22:

In the IEEE 802.11-2012 standard, what is the purpose of the 802.1X Uncontrolled Port?

Options:

To allow only authentication frames to flow between the Supplicant and Authentication Server

To block authentication traffic until the 4-Way Handshake completes

To pass general data traffic after the completion of 802.11 authentication and key management

To block unencrypted user traffic after a 4-Way Handshake completes

Answer

Explanation

The 802.1X Uncontrolled Port exists before a client is fully authenticated. It:

Permits only EAP/EAPoL frames to pass between the Supplicant and the Authenticator (AP or switch).

Blocks general data traffic until authentication completes.

After authentication, the Controlled Port is opened, allowing normal data flow.

Incorrect:

B. Authentication must complete before the 4-Way Handshake, not the other way around.

C. General data traffic uses the Controlled Port, not the Uncontrolled Port.

D. The Uncontrolled Port doesn't specifically deal with encrypted or decrypted user traffic.

[References:, , CWSP-208 Study Guide, Chapter 4 (802.1X Port Behavior), , IEEE 802.1X Overview]

Questions # 23:

Given: ABC Company has 20 employees and only needs one access point to cover their entire facility. Ten of ABC Company’s employees have laptops with radio cards capable of only WPA security. The other ten employees have laptops with radio cards capable of WPA2 security. The network administrator wishes to secure all wireless communications (broadcast and unicast) for each laptop with its strongest supported security mechanism, but does not wish to implement a RADIUS/AAA server due to complexity.

What security implementation will allow the network administrator to achieve this goal?

Options:

Implement an SSID with WPA2-Personal that allows both AES-CCMP and TKIP clients to connect.

Implement an SSID with WPA-Personal that allows both AES-CCMP and TKIP clients to connect.

Implement two separate SSIDs on the AP—one for WPA-Personal using TKIP and one for WPA2-Personal using AES-CCMP.

Implement an SSID with WPA2-Personal that sends all broadcast traffic using AES-CCMP and unicast traffic using either TKIP or AES-CCMP.

Answer

Questions # 24:

Given: When the CCMP cipher suite is used for protection of data frames, 16 bytes of overhead are added to the Layer 2 frame. 8 of these bytes comprise the MIC.

What purpose does the encrypted MIC play in protecting the data frame?

Options:

The MIC is used as a first layer of validation to ensure that the wireless receiver does not incorrectly process corrupted signals.

The MIC provides for a cryptographic integrity check against the data payload to ensure that it matches the original transmitted data.

The MIC is a hash computation performed by the receiver against the MAC header to detect replay attacks prior to processing the encrypted payload.

The MIC is a random value generated during the 4-way handshake and is used for key mixing to enhance the strength of the derived PTK.

Answer

Explanation

The Message Integrity Code (MIC) is:

A cryptographic checksum applied to the data payload.

It ensures the payload was not modified in transit and guards against tampering.

With AES-CCMP, the MIC is generated as part of the encryption process and verified upon decryption.

Incorrect:

A. Signal integrity is validated at the physical layer, not through the MIC.

C. The MIC protects data payload integrity, not just MAC headers.

D. The MIC is not generated during the 4-Way Handshake.

[References:, , CWSP-208 Study Guide, Chapter 3 (CCMP and Frame Protection), , IEEE 802.11i-2004 Specification, ]

Questions # 25:

Role-Based Access Control (RBAC) allows a WLAN administrator to perform what network function?

Options:

Minimize traffic load on an AP by requiring mandatory admission control for use of the Voice access category.

Allow access to specific files and applications based on the user's WMM access category.

Provide two or more user groups connected to the same SSID with different levels of network privileges.

Allow simultaneous support for multiple EAP types on a single access point.

Answer

Explanation

RBAC enables dynamic assignment of different access privileges (e.g., VLAN, ACLs, bandwidth) to users even when they connect through the same SSID. This simplifies SSID management while maintaining fine-grained access control.

Incorrect:

A. Admission control is a QoS/WMM function, not RBAC.

B. Access category (AC) affects frame prioritization, not file/app access.

D. Multiple EAP types are supported in authentication servers—not directly tied to RBAC.

[References:, , CWSP-208 Study Guide, Chapter 6 (Role-Based Access Control and SSID Simplification), ]

Questions # 26:

Given: You are installing 6 APs on the outside of your facility. They will be mounted at a height of 6 feet. What must you do to implement these APs in a secure manner beyond the normal indoor AP implementations? (Choose the single best answer.)

Options:

User external antennas.

Use internal antennas.

Power the APs using PoE.

Ensure proper physical and environmental security using outdoor ruggedized APs or enclosures.

Answer

Explanation

Outdoor APs must be:

Protected from theft or tampering (physical security).

Shielded from weather/environmental conditions (IP-rated enclosures).

Mounted and secured to prevent unauthorized physical access or damage.

Incorrect:

A & B. Antenna type is relevant to RF coverage but does not address outdoor-specific security needs.

C. PoE is useful for power delivery but not a security solution.

[References:, , CWSP-208 Study Guide, Chapter 7 (Physical Security for Wireless Devices), , CWNP Outdoor WLAN Deployment Guidelines]

Questions # 27:

Given: Your network includes a controller-based WLAN architecture with centralized data forwarding. The AP builds an encrypted tunnel to the WLAN controller. The WLAN controller is uplinked to the network via a trunked 1 Gbps Ethernet port supporting all necessary VLANs for management, control, and client traffic.

What processes can be used to force an authenticated WLAN client's data traffic into a specific VLAN as it exits the WLAN controller interface onto the wired uplink? (Choose 3)

Options:

On the Ethernet switch that connects to the AP, configure the switch port as an access port (not trunking) in the VLAN of supported clients.

During 802.1X authentication, RADIUS sends a return list attribute to the WLAN controller assigning the user and all traffic to a specific VLAN.

In the WLAN controller’s local user database, create a static username-to-VLAN mapping on the WLAN controller to direct data traffic from a specific user to a designated VLAN.

Configure the WLAN controller with static SSID-to-VLAN mappings; the user will be assigned to a VLAN according to the SSID being used.

Answer

B, C, D

Explanation

Client VLAN assignment at the controller can be achieved through:

B. RADIUS attributes (e.g., Tunnel-Private-Group-ID) for dynamic VLAN assignment.

C. Static mappings in the WLAN controller’s local user DB.

D. SSID-to-VLAN bindings assign traffic from specific SSIDs to specific VLANs.

Incorrect:

A. The AP connects to the controller over a tunneled link. VLAN configuration at the AP's Ethernet port does not impact client VLAN assignment in centralized forwarding mode.

[References:, , CWSP-208 Study Guide, Chapter 6 (Dynamic VLAN Assignment), , CWNP WLAN Controller Configuration Guides]

Viewing page 3 out of 3 pages

Viewing questions 21-30 out of questions