CWNP CWSP-208 - Certified Wireless Security Professional (CWSP)

PEAPv0/EAP-TLS is a tunneled EAP method that requires:

The server to present a certificate for TLS tunnel establishment.

The client to present a valid client certificate within the tunnel (in the case of EAP-TLS).

If the client does not have a valid X.509 certificate installed, authentication will fail.

Incorrect:

A. The server certificate is required for the TLS tunnel, and it is typically present; the issue here lies with the client cert.

B. TKIP is technically compatible with PEAPv0, although AES-CCMP is preferred.

D. Kerberos is unrelated to EAP authentication and VLAN use.

In the 802.11 4-Way Handshake:

D: The ANonce (from the AP) and SNonce (from the STA) are critical entropy values used along with the PMK, MAC addresses, etc., to derive the PTK securely.

E: This process ensures both parties derive the same PTK without ever transmitting the key over the air, mitigating interception risk.

Incorrect:

A. Nonces are not padding bytes.

B. Nonces are not the MIC; MIC is a separate integrity mechanism.

C. GMK and GTK are for group keys, not derived from nonces.

The Message Integrity Code (MIC) is:

A cryptographic checksum applied to the data payload.

It ensures the payload was not modified in transit and guards against tampering.

With AES-CCMP, the MIC is generated as part of the encryption process and verified upon decryption.

Incorrect:

A. Signal integrity is validated at the physical layer, not through the MIC.

C. The MIC protects data payload integrity, not just MAC headers.

D. The MIC is not generated during the 4-Way Handshake.

IEEE 802.1X is a port-based Network Access Control (PNAC) protocol that:

Provides authentication at the edge of the LAN (such as a wireless access point or switch port).

Encapsulates EAP messages over the LAN using the EAPoL (EAP over LAN) protocol.

This standard defines how devices are granted or denied access based on authentication status.

Incorrect:

B. Key management is part of 802.11i (not 802.1X directly).

C. VLAN assignment may occur, but it's not limited to authenticated-user VLANs.

D. AES-CCMP is a function of WPA2/802.11i, not 802.1X.

E. Only EAP is allowed over the uncontrolled port; DHCP/DNS pass only after authentication.

MS-CHAPv2 is a widely used authentication protocol, but it has notable weaknesses:

B. MS-CHAPv2 is vulnerable to offline dictionary attacks. Attackers can capture authentication exchanges and attempt password guesses offline due to predictable hashing behavior.

D. The only secure use of MS-CHAPv2 is inside a secure tunnel (e.g., EAP-TTLS or PEAP), where credentials are protected during transmission.

Incorrect:

A. MS-CHAPv2 is used in WPA2-Enterprise, not WPA-Personal, and it is allowed under WPA2-Enterprise via PEAP.

C. WEP does not enhance LEAP’s security; it compounds vulnerabilities.

E and F. MS-CHAPv2 does not use AES for authentication. Using AES-CCMP for encryption does not fix MS-CHAPv2's weaknesses.

Given that only consumer-grade routers are used and no RADIUS server or enterprise infrastructure is mentioned, WPA2-Personal is the most secure option available. It uses a pre-shared key (PSK) for authentication and AES-CCMP for encryption, offering strong protection for small businesses lacking enterprise equipment.

Enterprise methods such as WPA2-Enterprise, 802.1X, and EAP-PEAP require a RADIUS server or authentication backend, which isn’t supported in typical consumer-grade routers.

TKIP (Temporal Key Integrity Protocol) was introduced with WPA to enhance WEP security. One of the security mechanisms used in TKIP is a per-MPDU (MAC Protocol Data Unit) sequence counter called the TSC (TKIP Sequence Counter). The TSC acts as a form of replay protection by assigning a unique sequence number to each transmitted frame. If a packet is received with a sequence number lower than or equal to a previously received number, it is discarded. This directly prevents replay attacks, where a malicious actor resends previously captured frames in an attempt to spoof the session or extract data.

Wireless Intrusion Prevention Systems (WIPS) are excellent for detecting on-air threats such as rogue APs, DoS attacks, spoofing, and misconfigured devices. However, WIPS cannot detect:

C. Eavesdropping — Passive listening on wireless transmissions cannot be detected because no signal is transmitted by the attacker.

D. Social engineering — Human-based attacks like phishing or pretexting fall outside the scope of wireless monitoring.

Incorrect:

A. Rogue APs can be detected via MAC address comparison, frame analysis, and signal triangulation.

B. DoS attacks, such as deauth floods or RF jamming, can be detected with appropriate WIPS sensors.

In Cisco LEAP (Lightweight EAP), the username is sent in clear text as part of the 802.1X authentication process. LEAP uses a challenge/response authentication mechanism that is susceptible to offline dictionary attacks because the attacker only needs to know the username and capture the challenge/response exchange to perform brute-force guessing of passwords. The username is used in generating the hash for the authentication exchange, making its disclosure critical for an attacker.

Incorrect:

A. PACs are used in EAP-FAST, not LEAP.

C. The 4-Way Handshake nonces are unrelated to the username.

D. While dictionary files may include username/password combos, the cryptographic significance in LEAP is due to the challenge/response mechanism.

A Robust Security Network (RSN) is defined by the IEEE 802.11i standard and is designed to provide a framework for secure wireless LAN communications. One of the primary criteria for a network to qualify as an RSN is that WEP (Wired Equivalent Privacy) must not be used for encryption, as WEP has well-known vulnerabilities and is considered insecure. RSN-compliant networks must use either CCMP (AES) or GCMP for encryption and 802.1X/EAP or WPA2-Personal for authentication.

Incorrect:

A. Token cards are not part of RSN criteria.

B. Dynamic WEP is still WEP and disqualifies RSN status.

D. WPA-Personal may be supported, but alone does not define an RSN.

E. SSHv1 concerns device management security, not RSN qualification.