CWNP Certified Wireless Security Professional (CWSP) CWSP-208 Exam Dumps: Updated Questions & Answers (September 2025)

In WPA2-Personal with AES-CCMP:

The MSDU (MAC Service Data Unit), which includes the payload from Layer 3 and above, is encrypted.

This protects the actual application data (e.g., web content, email).

Frame headers (MAC headers) are not encrypted.

Incorrect:

B. MPDU includes MAC headers, which are not encrypted.

C. PPDU includes preamble and physical-layer components, which are never encrypted.

D. PSDU includes the MAC header and frame body; again, headers are not encrypted.

For security and proper management, each autonomous AP must have:

A unique, non-default administrative password.

This ensures attackers cannot guess login credentials and access AP settings.

Especially critical when managing via web interface, which may expose login portals to the local network.

Incorrect:

A. Fragmentation threshold is rarely adjusted except for special performance tuning.

C & D. Output power and cell radius settings are adjusted during RF design, but they don't relate to staging/security directly.

In the 802.11 4-Way Handshake:

D: The ANonce (from the AP) and SNonce (from the STA) are critical entropy values used along with the PMK, MAC addresses, etc., to derive the PTK securely.

E: This process ensures both parties derive the same PTK without ever transmitting the key over the air, mitigating interception risk.

Incorrect:

A. Nonces are not padding bytes.

B. Nonces are not the MIC; MIC is a separate integrity mechanism.

C. GMK and GTK are for group keys, not derived from nonces.

PTK (Pairwise Transient Key) is established per-client, so:

ABCData: 3 clients = 3 PTKs

ABCVoice: 2 clients = 2 PTKs

Guest: 3 clients = 3 PTKs

Total: 8 PTKs

GTK (Group Temporal Key) is shared per SSID, so:

One GTK per SSID (ABCData, ABCVoice, Guest)

Total: 3 GTKs

The 802.1X Uncontrolled Port exists before a client is fully authenticated. It:

Permits only EAP/EAPoL frames to pass between the Supplicant and the Authenticator (AP or switch).

Blocks general data traffic until authentication completes.

After authentication, the Controlled Port is opened, allowing normal data flow.

Incorrect:

B. Authentication must complete before the 4-Way Handshake, not the other way around.

C. General data traffic uses the Controlled Port, not the Uncontrolled Port.

D. The Uncontrolled Port doesn't specifically deal with encrypted or decrypted user traffic.

RSNA (Robust Security Network Association), as defined by 802.11i, requires:

TKIP (WPA) or CCMP (WPA2) for encryption.

WEP is deprecated and not supported for RSNA since it does not meet RSN standards.

Incorrect:

B & C. BIP is not required for RSNA formation—it is used for management frame protection (802.11w).

D. VLANs are orthogonal to RSNA—network segmentation does not interfere with RSNA formation.

To prevent data decryption:

B. The 4-Way Handshake derives and installs unique unicast keys (PTKs) on both client and AP.

F. The GTK is used to encrypt broadcast and multicast frames, ensuring group traffic is protected.

Incorrect:

A. Multi-factor authentication enhances identity assurance but not encryption.

C. PLCP CRC checks for transmission errors but does not secure data.

D. EPP is not a valid or recognized encryption protocol.

E. ICV was used in WEP and is cryptographically weak.

EAP-TLS is considered one of the most secure EAP types, but:

It requires a Public Key Infrastructure (PKI).

Every client device must have a unique certificate, adding to administrative burden and cost.

Incorrect:

A. Roaming speed is not inherently slower with EAP-TLS if supported by the infrastructure.

B. EAP-TLS protects client credentials; passwords aren’t even used—it uses certificates.

C. EAP-TLS does establish a secure tunnel—it's the original TLS-based method.

D. EAP-TLS is vendor-agnostic and supported by most enterprise WLAN infrastructure.

IEEE 802.1X is a port-based Network Access Control (PNAC) protocol that:

Provides authentication at the edge of the LAN (such as a wireless access point or switch port).

Encapsulates EAP messages over the LAN using the EAPoL (EAP over LAN) protocol.

This standard defines how devices are granted or denied access based on authentication status.

Incorrect:

B. Key management is part of 802.11i (not 802.1X directly).

C. VLAN assignment may occur, but it's not limited to authenticated-user VLANs.

D. AES-CCMP is a function of WPA2/802.11i, not 802.1X.

E. Only EAP is allowed over the uncontrolled port; DHCP/DNS pass only after authentication.

WIPS systems provide proactive security by continuously scanning for threats and ensuring WLAN policy compliance. Their capabilities include:

B. Wireless vulnerability assessment: Scanning for misconfigured APs, weak encryption, and unauthorized devices.

E. Policy enforcement and compliance: Ensuring security settings adhere to enterprise or regulatory requirements and alerting on deviations.

Other options like application-layer inspection and AP CPU monitoring are outside the WIPS function scope.