Pass the CWNP CWSP CWSP-208 Questions and answers with CertsForce

In WPA2-Personal with AES-CCMP:

The MSDU (MAC Service Data Unit), which includes the payload from Layer 3 and above, is encrypted.

This protects the actual application data (e.g., web content, email).

Frame headers (MAC headers) are not encrypted.

Incorrect:

B. MPDU includes MAC headers, which are not encrypted.

C. PPDU includes preamble and physical-layer components, which are never encrypted.

D. PSDU includes the MAC header and frame body; again, headers are not encrypted.

Spectrum analyzer observations indicate a narrow 1–2 MHz peak with a strong signal, which broadens only when significantly attenuated. This behavior matches a high-powered narrowband interferer (like a microwave ignitor or industrial radio) – not Bluetooth hopping or standard WLAN signals

Role-Based Access Control (RBAC) enables dynamic assignment of permissions and access rights based on a user's job function. A WLAN controller with RBAC:

Can apply policies post-authentication.

Controls access to internal services (e.g., file shares, apps).

Assigns users to different VLANs or applies firewall rules based on roles.

Incorrect:

A. MAC filtering is not scalable or secure.

B. WPA2-Personal does not support user-based policies or LDAP integration.

C. DHCP scope assignment is not linked to user roles.

E. VLAN assignment via SSID is static and does not consider job function.

LDAP (Lightweight Directory Access Protocol) is used to query and retrieve user credential information from a directory service (like Microsoft Active Directory).

It’s not an authentication protocol itself but is used by services like RADIUS to validate user credentials during the EAP authentication process.

Incorrect:

B. LDAP is not directly compliant with X.500—it uses a simplified subset.

C. LDAP is not a SQL-compliant protocol.

D. LDAP is not a role-based access control mechanism.

E. LDAP is not an Authentication Server by itself.

EAP-FAST (Flexible Authentication via Secure Tunneling) provides:

Mutual authentication using Protected Access Credentials (PACs).

Does not require X.509 certificates for either client or server (although optional for servers).

Is faster and easier to deploy in environments lacking a PKI.

Incorrect:

B. EAP-MD5 provides no mutual authentication.

C. EAP-TLS requires client and server certificates.

D. PEAPv0/EAP-MSCHAPv2 requires a server certificate.

E. EAP-TTLS requires a server certificate.

F. PEAPv1/EAP-GTC still requires a server certificate.

EAP-TTLS (Tunneled Transport Layer Security) supports flexible inner authentication methods including:

MS-CHAPv2

EAP-GTC (Generic Token Card)

EAP-TLS (in some configurations)

This versatility allows EAP-TTLS to be used with a wide range of back-end authentication systems, while only requiring a server-side certificate.

Incorrect:

A. H-REAP (now FlexConnect) is a Cisco AP deployment mode, not an EAP type.

B. EAP-GTC is a simple authentication method and not a tunnel or container for others.

D. PEAP typically supports MS-CHAPv2 but not EAP-GTC or EAP-TLS as inner methods.

E. LEAP uses MS-CHAPv1 and is considered deprecated and insecure.

Comprehensive Detailed Explanation:

B. Vendor-Specific Attributes (VSAs) allow integration with WLAN vendors' controllers to assign roles, VLANs, QoS levels, etc., during user authentication.

E. Standard or vendor-specific RADIUS attributes can dynamically assign permission levels based on group membership, department, or role.

Incorrect:

A. RADIUS does not directly manage DHCP functions.

C. SSID is selected by the user’s device, not by the RADIUS server.

D. RADIUS uses ACCESS-REJECT, not “DO-NOT-AUTHORIZE,” and it is not OS-specific.