Practise CCNA 200-301 v2 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.
Wireless questions on the CCNA cover 802.11 standards (ax/ac/n), WPA3, SSID/BSSID concepts, WLC architecture (FlexConnect, local switching), and client connectivity troubleshooting. These are mostly MCQ and multi-select.
Quick answer
Wireless security questions usually test authentication protocols (WPA2/WPA3), encryption modes, 802.11 standards and troubleshooting clients that cannot connect or associate.
WPA2 vs WPA3 authentication and encryption standards.
802.11 wireless standards, frequency bands and channel behaviour.
WLAN client troubleshooting — association, authentication and DHCP.
How SSID, authentication method and pre-shared key affect wireless access.
Related practice questions
Drag and drop the following steps into the correct order to configure an SSID on a WLC and complete a WPA3-Personal client association with DHCP address assignment.
A
Create an SSID profile, enable the SSID, configure WPA3-Personal security, configure DHCP scope, client associates and obtains IP address.
Why wrong: This is the correct sequence. First, you create the SSID profile on the WLC. Then you enable it. Next, you configure WPA3-Personal security settings. After that, you configure DHCP (either on the WLC or external server) to assign IP addresses. Finally, the client associates and obtains an IP address via DHCP.
B
Configure DHCP scope, create an SSID profile, enable the SSID, configure WPA3-Personal security, client associates and obtains IP address.
This is incorrect because DHCP configuration should come after the SSID is enabled and security is set, not before creating the SSID. The DHCP scope is part of the network infrastructure that supports the WLAN, but the logical order on the WLC starts with the SSID profile.
C
Create an SSID profile, configure WPA3-Personal security, enable the SSID, configure DHCP scope, client associates and obtains IP address.
This correct order first creates the WLAN, then secures it with WPA3 before enabling it, preventing any open-air gap. After security, the SSID is activated, DHCP is configured, and the client can associate and obtain an IP.
D
Create an SSID profile, enable the SSID, configure DHCP scope, configure WPA3-Personal security, client associates and obtains IP address.
This is incorrect because DHCP configuration should come after security configuration, not before. The DHCP scope is part of the network services that support the WLAN, but the security settings must be in place before the client can associate and request an IP.
Drag and drop the wireless terms on the left to the correct descriptions on the right.
A
SSID: The network name broadcast by an access point to identify the wireless network.
SSID (Service Set Identifier) is the human-readable name that identifies a wireless network. Clients use it to select and connect to the desired network.
B
BSSID: The MAC address of the access point's radio interface, used to uniquely identify a BSS.
Why wrong: This is incorrect because BSSID is indeed the MAC address of the AP's radio, but the description is accurate; however, the correct answer for the given description is SSID. This option is a distractor that matches a different term.
C
RSSI: A measurement of the power level of the received radio signal, indicating signal strength.
Why wrong: This is incorrect because RSSI (Received Signal Strength Indicator) measures signal strength, but the description in the question is for SSID. This option correctly defines RSSI but does not match the given description.
D
DFS: A mechanism that allows wireless devices to avoid interference with radar systems by dynamically selecting channels.
Why wrong: This is incorrect because DFS (Dynamic Frequency Selection) is a channel selection mechanism to avoid radar, not a network name. The description in the question is for SSID.
A client can join a secure employee SSID, but traffic is consistently placed into a guest-style restricted path. Which area should be investigated first?
A
The policy, role, or VLAN mapping applied after successful authentication.
This is correct because the symptom points to wrong post-authentication placement.
B
Whether the client can see the SSID at all.
Why wrong: This is wrong because the client already joins successfully.
C
Whether the RADIUS server is returning a guest VLAN attribute.
Why wrong: This is wrong because PPP is unrelated to WLAN policy mapping.
D
Whether OSPF area 0 is configured on the client.
Why wrong: This is wrong because client WLAN policy is not about local OSPF configuration.
Drag and drop the wireless LAN terms on the left to the correct descriptions on the right.
A
Access Point (AP)
An Access Point (AP) is a device that connects wireless clients to a wired network, acting as a bridge between the wireless and wired domains.
B
Service Set Identifier (SSID)
Why wrong: This is incorrect because the SSID is the network name that identifies a wireless network, not a device that connects wireless to wired.
C
Basic Service Set (BSS)
Why wrong: This is incorrect because a BSS describes a single AP with its associated clients, not the device that connects wireless to wired.
D
Wireless LAN Controller (WLC)
Why wrong: This is incorrect because a WLC manages multiple APs centrally, but it does not directly connect wireless clients to the wired network; that is the AP's role.
You are connected to WLC-1 via SSH. A new SSID 'CorpSecure' must be configured for 5 GHz clients using WPA3-Personal. However, after creation, clients can see the SSID but fail to associate. Review the WLC configuration and fix the issue so that clients can successfully associate and obtain an IP address from VLAN 100 (subnet 10.0.100.0/24).
Exhibit
WLC-1# show running-config
!
hostname WLC-1
!
interface GigabitEthernet0/0
 ip address 192.168.1.10 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.252
!
interface GigabitEthernet0/2
 ip address 10.0.100.1 255.255.255.0
!
wireless management interface GigabitEthernet0/0
!
wlan CorpSecure 1 CorpSecure
 ssid CorpSecure
 security wpa psk ascii 7 1234567890
 no security wpa aes-ccmp
 security wpa2 ciphers aes
 security wpa2 psk ascii 7 1234567890
 no shutdown
!
wireless ap 1
 country US
!
wireless client vlan 100
!
A
Change the WLAN security to WPA3-Personal, enable AES-CCMP for WPA3, set the radio policy to 5 GHz, and ensure the WLAN is mapped to the dynamic interface for VLAN 100.
This is correct because WPA3-Personal requires AES-CCMP encryption, and the radio policy must be set to 5 GHz to match the requirement. Additionally, the management interface must be on the correct VLAN for client traffic to reach VLAN 100.
B
Change the WLAN security to WPA2-Personal, enable TKIP encryption, and set the radio policy to 5 GHz.
Why wrong: This is incorrect because the requirement specifies WPA3-Personal, not WPA2-Personal. WPA3 uses AES-CCMP, not TKIP, and TKIP is not supported with WPA3.
C
Change the WLAN security to WPA3-Personal, enable AES-CCMP, but leave the radio policy as 'All' (both 2.4 GHz and 5 GHz).
Why wrong: This is incorrect because the requirement specifies that the SSID should be for 5 GHz clients only. Leaving the radio policy as 'All' would allow 2.4 GHz clients to associate, which is not desired and could cause configuration issues.
D
Change the WLAN security to WPA3-Personal, enable AES-CCMP, set the radio policy to 5 GHz, but do not enable the WLAN after changes.
Why wrong: This is incorrect because the WLAN must be enabled after configuration changes for clients to associate. The command 'config wlan enable 1' is necessary to activate the WLAN.
A network administrator has several access points. All APs except one have successfully joined the wireless controller. The administrator verifies the failing AP’s IP address, subnet mask, and controller IP address are correctly configured. What is the most likely reason the AP cannot join the controller?
Exhibit
Controller status:
- 14 APs joined successfully
AP-15 status:
- Power on: yes
- Ethernet link: up
- IP address: 10.60.15.44/24
- Default gateway configured: 10.60.14.1
- Controller management IP: 10.60.15.10
A
The AP has an incorrect default gateway for its subnet.
If the AP's default gateway is wrong, it cannot send packets to the controller that resides on a different subnet, even if the IP address and controller discovery settings are correct.
B
CAPWAP can be used only if the AP has no IP address.
Why wrong: This is wrong because the AP does need valid IP connectivity to join the controller.
C
The AP must use PPP instead of Ethernet to reach the controller.
Why wrong: This is wrong because controller-based APs do not require PPP to join over Ethernet networks.
D
The controller can support only 14 APs maximum.
Why wrong: This is wrong because the exhibit does not indicate any capacity limit and the symptoms point to a local path issue.
A network engineer is troubleshooting a wireless performance issue in a dense office environment. Clients on the 5 GHz band are experiencing low throughput even though they are close to the AP. The AP is a Cisco 9130AXI running IOS-XE 17.9. What is the most likely cause of the poor performance?
Exhibit
AP Name : AP9130-01
MAC Address : aabb.cc00.0100
Admin State : ENABLED
Operational State : UP
Channel Width : 80 MHz
Channel : 36
DFS Status : DFS-NON-COMPLIANT
Primary Channel : 36
Secondary Channel : 40
Radio Band : 5 GHz
Client Count : 25
Utilization : 75%
Interference : HIGH
Power Level : 1 (Maximum)
Antenna Type : Internal
Antenna Gain : 4 dBi
802.11 Protocol : 802.11ac
Beacon Interval : 100 TU
DTIM Period : 2
Supported Data Rates : 6,9,12,18,24,36,48,54 Mbps
MCS Rates : 0-9 (HT), 0-9 (VHT)
QoS Parameters : WMM Enabled
Security : WPA2-PSK
Rogue Detection : Enabled
A
The AP is using an incorrect channel width of 80 MHz, which is not supported by 802.11ac.
Why wrong: 802.11ac does support 80 MHz channel bonding (and up to 160 MHz), so this is not the issue.
B
The AP is operating in 802.11ac mode instead of 802.11ax, and the 80 MHz channel bonding is causing high interference in the dense environment.
802.11ax (Wi-Fi 6) uses OFDMA to reduce interference and improve efficiency in dense environments. The AP is using 802.11ac with 80 MHz channel bonding, which is more prone to interference, leading to poor throughput.
C
The AP has DFS non-compliance, which prevents it from using channel 36 and causes the radio to operate at reduced power.
Why wrong: DFS non-compliance means the AP is not properly detecting radar, but it does not necessarily reduce power; it may cause the AP to avoid certain channels. The power level is set to maximum (1), so power reduction is not the issue.
D
The AP is using WPA2-PSK instead of WPA3, which causes lower throughput due to weaker encryption.
Why wrong: WPA2-PSK does not inherently reduce throughput compared to WPA3; encryption overhead is negligible. The performance issue is due to interference and protocol choice, not security.
A user reports that the corporate SSID is visible and accepts the correct password, but the client always lands in a quarantined remediation network. Which troubleshooting area is strongest?
A
Post-authentication policy, role, or VLAN assignment logic
This is correct because the symptom points to how the authenticated client is being classified after joining.
B
Whether the SSID is hidden instead of broadcast
Why wrong: This is wrong because the client already sees and joins the SSID.
C
Whether the AP uplink uses PPP encapsulation
Why wrong: This is wrong because PPP is unrelated to WLAN role placement.
D
Whether OSPF designated routers are elected correctly
Why wrong: This is wrong because the symptom is post-authentication segmentation, not OSPF adjacency.
A user on a wireless guest network can associate successfully and obtains an IP address, but cannot reach the Internet. Which troubleshooting area should be examined first if the WLAN itself is working?
A
The post-association forwarding or policy path, such as guest routing or Internet access policy
This is correct because WLAN join and IP assignment have already succeeded.
B
The SSID broadcast name, because it must be wrong
Why wrong: This is wrong because the client already associated successfully.
C
The AP radio antenna type only
Why wrong: This is wrong because the client already has connectivity to the WLAN and an IP address.
D
OSPFv3 area configuration on the laptop
Why wrong: This is wrong because client Internet access here is not about local OSPFv3 configuration.
Drag and drop the following steps into the correct order to configure a new WLAN on a Cisco WLC using IOS-XE CLI, including WPA3-Personal security, and to complete a wireless client association with DHCP.
A
Enter global configuration mode, create WLAN profile, configure WPA3-Personal (SAE) security, enable WLAN, client associates, client obtains IP via DHCP.
This is the correct order per Cisco IOS-XE WLC CLI: first enter global config, create the WLAN profile, set security (WPA3-Personal/SAE), enable the WLAN, then the client associates and gets an IP via DHCP.
B
Enter global configuration mode, create WLAN profile, enable WLAN, configure WPA3-Personal (SAE) security, client associates, client obtains IP via DHCP.
Why wrong: This is incorrect because security must be configured before enabling the WLAN; enabling a WLAN without security first can leave it open temporarily.
C
Enter global configuration mode, configure WPA3-Personal (SAE) security, create WLAN profile, enable WLAN, client associates, client obtains IP via DHCP.
Why wrong: This is incorrect because the WLAN profile must be created before security can be applied to it; security parameters are part of the WLAN profile configuration.
D
Enter global configuration mode, create WLAN profile, configure WPA3-Personal (SAE) security, enable WLAN, client obtains IP via DHCP, client associates.
Why wrong: This is incorrect because the client must associate with the WLAN before obtaining an IP via DHCP; DHCP occurs after association.
You are managing a Cisco WLC (192.168.1.10) via its web UI. The wireless network 'CorpSecure' has been configured but clients cannot associate. Some report 'wrong password' errors; others see the SSID but fail to connect. Additionally, management access to the WLC web UI is intermittent. Identify and resolve the issues so that wireless clients can successfully associate with 'CorpSecure' using WPA3-Personal and the WLC web UI is reliably accessible from the management VLAN (VLAN 10).
Exhibit
=== WLC Configuration (Partial) ===
WLAN ID: 1
Profile Name: CorpSecure
SSID: CorpSecure
Status: Enabled
Security: WPA2-PSK (AES)
PSK Passphrase: Cisco123!
VLAN: 20
Interface: VLAN20
Broadcast SSID: Disabled
=== Interface Configuration ===
Management Interface:
IP Address: 192.168.1.10/24
VLAN: 10
Default Gateway: 192.168.1.1
=== Show summary (from CLI) ===
(Cisco Controller) >show wlan summary
Number of WLANs.................................. 1
WLAN ID  WLAN Profile Name / SSID              Status   Interface
-------  ------------------------------------  -------  ---------
1        CorpSecure / CorpSecure               Enabled  VLAN20
(Cisco Controller) >show client summary
Number of Clients................................ 0
(Cisco Controller) >show interface detailed management
Interface Name................................... management
MAC Address...................................... 00:1a:2b:3c:4d:5e
IP Address....................................... 192.168.1.10
IP Netmask....................................... 255.255.255.0
Default Router................................... 192.168.1.1
VLAN............................................ 10
(Cisco Controller) >show interface detailed vlan20
Interface Name................................... vlan20
MAC Address...................................... 00:1a:2b:3c:4d:5f
IP Address....................................... 10.0.20.1
IP Netmask....................................... 255.255.255.0
Default Router................................... 10.0.20.254
VLAN............................................ 20
A
Configure the SSID with WPA3-Personal; verify management interface is on VLAN 10 with correct gateway.
The root cause is the WPA2 vs WPA3 mismatch; the SSID is already visible, so broadcast is fine. Ensuring the management interface is on VLAN 10 resolves intermittent web UI access.
B
Change the SSID security to WPA2-PSK and disable SSID broadcast; reset the WLC to factory defaults.
Why wrong: This is incorrect because WPA2-PSK is not the required security (WPA3-Personal is needed), and disabling SSID broadcast would worsen client visibility. Resetting to factory defaults is unnecessary and would erase all configurations.
C
Update the WLC firmware to the latest version and change the management VLAN to VLAN 1.
Why wrong: This is incorrect because changing the management VLAN to VLAN 1 is not recommended and does not address the SSID security or broadcast issues. Firmware update may not resolve the specific configuration errors.
D
Reconfigure the SSID with WPA3-Enterprise and enable SSID broadcast; set the management interface to use DHCP.
Why wrong: This is incorrect because WPA3-Enterprise requires a RADIUS server, which is not mentioned; the scenario specifies WPA3-Personal. Using DHCP for the management interface could cause IP address changes, worsening intermittent access.
Exhibit: Users report that they can see the corporate SSID but fail authentication immediately after entering credentials. Guest wireless works on the same access point. Which issue is most likely?
Exhibit
WLAN Corp uses WPA2-Enterprise
WLAN Guest uses WPA2-PSK
AP joined to WLC successfully
Recent event: AAA server unreachable
A
The AP is using the wrong channel width
Why wrong: That could affect performance, but it does not fit the immediate authentication failure pattern.
B
The RADIUS or AAA server is unreachable for the enterprise WLAN
WPA2-Enterprise depends on AAA communication for user authentication.
C
The corporate SSID has a mismatched RADIUS shared secret
Why wrong: Guest service is working already.
D
The SSID must be configured as hidden
Why wrong: Hiding the SSID would not solve authentication.
These 200-301 practice questions are part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style 200-301 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.