CCNA Wireless Security Questions

44 questions · Wireless Security topic · All types, answers revealed

1
Multi-Select · medium

Which TWO statements correctly compare 802.11ac and 802.11ax features?

Select 2 answers
A. 802.11ax uses OFDMA, while 802.11ac uses OFDM.
B. Both 802.11ac and 802.11ax support 1024-QAM modulation.
C. WPA3 is mandatory for 802.11ax and optional for 802.11ac.
D. Both standards use only the 5 GHz band.
E. 802.11ac uses 80 MHz channels, while 802.11ax uses 160 MHz channels exclusively.
Answers: A, C

OFDMA allows multiple users to share subcarriers simultaneously, improving efficiency in dense environments.

Why this answer

Option A is correct because 802.11ax (Wi‑Fi 6) introduces Orthogonal Frequency Division Multiple Access (OFDMA), which allows multiple users to share subcarriers simultaneously, improving efficiency in dense environments. In contrast, 802.11ac (Wi‑Fi 5) uses Orthogonal Frequency Division Multiplexing (OFDM), where each transmission occupies the entire channel for a single user, leading to less efficient channel utilization. Option C is correct: WPA3 is mandatory for Wi‑Fi 6 (802.11ax) certification, while for 802.11ac it is optional—devices can still obtain Wi‑Fi 5 certification with WPA2 only.

Option B is incorrect because 802.11ac supports a maximum of 256‑QAM; 1024‑QAM is first introduced with 802.11ax. Option D is wrong: 802.11ac operates exclusively in the 5 GHz band, but 802.11ax operates in both 2.4 GHz and 5 GHz. Option E is false: both standards support 20, 40, 80, and 160 MHz channel widths; 802.11ac does not exclusively use 80 MHz, and 802.11ax does not use 160 MHz exclusively.

Exam trap

Cisco often tests the misconception that higher QAM values (like 1024-QAM) are backward-compatible across Wi-Fi generations, but 802.11ac is limited to 256-QAM, and 802.11ax is the first to support 1024-QAM.

Why the other options are wrong

B

802.11ac supports only up to 256‑QAM; 1024‑QAM is introduced with 802.11ax.

D

802.11ac operates only in the 5 GHz band, but 802.11ax operates in both 2.4 GHz and 5 GHz.

E

Both 802.11ac and 802.11ax support a range of channel widths, including 20, 40, 80, and 160 MHz; neither standard restricts to a single channel width.

2
Matching · medium

Drag and drop the 802.11 standards on the left to their correct frequency band and maximum throughput on the right.

Matches

2.4 GHz, 11 Mbps

5 GHz, 54 Mbps

2.4 GHz, 54 Mbps

2.4/5 GHz, 600 Mbps

5 GHz, 6.9 Gbps

Why these pairings

Each 802.11 standard operates in specific frequency bands and has a maximum theoretical throughput. 802.11a uses 5 GHz at 54 Mbps, 802.11b uses 2.4 GHz at 11 Mbps, 802.11g uses 2.4 GHz at 54 Mbps, 802.11n uses both 2.4 and 5 GHz up to 600 Mbps, 802.11ac uses 5 GHz up to 6.9 Gbps, and 802.11ax uses 2.4, 5, and 6 GHz up to 9.6 Gbps.

Exam trap

A common trap is confusing 802.11a with 802.11g because both have 54 Mbps throughput, but they operate in different frequency bands. Remember that 802.11a uses 5 GHz exclusively, while 802.11g uses 2.4 GHz.

3
MCQ · hard

A network administrator is troubleshooting a wireless connectivity issue in a large office. Users on the 5 GHz band report intermittent disconnections and slow performance, while 2.4 GHz clients are unaffected. The office uses a Cisco 9800 WLC with APs that support 802.11ac Wave 2. The administrator checks the WLC's RF profile and notices a high number of channel utilization reports on channel 36. What is the most likely cause of the problem?

A. Enable DFS channels to avoid radar interference.
B. Change some APs to use channels 40, 44, or 48 to reduce co-channel interference.
C. Increase the channel width to 160 MHz to improve throughput.
D. Disable the 2.4 GHz radios to force all clients to 5 GHz.
Answer: B

Co-channel interference occurs when multiple APs use the same frequency channel, causing contention. Changing some APs to non-overlapping channels reduces this.

Why this answer

Channel 36 is a 20 MHz channel in the 5 GHz band. When many APs use the same channel (channel 36), they share the same medium, leading to co-channel interference (CCI). This causes intermittent disconnections and slow performance for 5 GHz clients because they must contend for airtime.

Spreading APs across non-overlapping channels like 40, 44, or 48 reduces CCI and improves performance.

Exam trap

Cisco often tests the misconception that DFS channels are the solution for any 5 GHz interference issue, but the trap here is that high channel utilization on a non-DFS channel (36) indicates co-channel interference, not radar avoidance.

Why the other options are wrong

A

DFS channels are used to avoid radar interference, but the problem described is co-channel interference on channel 36, not radar events. The exhibit shows no radar events, so enabling DFS channels would not address the high channel utilization.

C

Increasing channel width to 160 MHz would actually increase the likelihood of co-channel interference because fewer non-overlapping channels are available, and it would not solve the existing high utilization on channel 36.

D

Disabling 2.4 GHz radios would force all clients to 5 GHz, potentially worsening the co-channel interference on channel 36 by adding more clients to an already congested channel. The 2.4 GHz band is not the source of the problem.

4
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure an SSID on a WLC and complete a WPA3-Personal client association with DHCP address assignment.

Why this order

The correct sequence is to first create the SSID profile, then configure WPA3-Personal security to ensure the WLAN is protected before it becomes active, then enable the SSID, set up the DHCP scope for address assignment, and finally allow the client to associate and obtain an IP address. Option A enables the SSID before setting security, exposing the network to unauthorized access during that window. Option B incorrectly starts with DHCP configuration before the SSID even exists.

Option D also enables the SSID before security, leading to the same vulnerability as option A. Only option C follows the secure configuration order recommended by Cisco.

Exam trap

A common mistake is enabling the WLAN before applying WPA3 security, but the recommended practice is to configure security first to prevent a temporary open SSID.

5
MCQ · hard

A network administrator notices that wireless clients are unable to associate with the corporate SSID 'CorpNet' on an AP that is managed by a WLC. The AP has been joined to the WLC successfully, and the WLC is reachable from the AP. The administrator checks the WLC configuration. Based on the exhibit, what is the most likely cause of the association failure?

A. The WLAN is disabled.
B. The WLAN is missing a pre-shared key.
C. CCKM is not supported by the clients.
D. The WLAN is mapped to the management interface.
Answer: D

The management interface should not be used for client data traffic; it should be a dynamic interface.

Why this answer

The exhibit shows the WLAN 'CorpNet' is mapped to the management interface. While the association process may succeed, the management interface is reserved for control and management traffic (e.g., CAPWAP, SSH) and is not designed to carry client data. This misconfiguration prevents the client from obtaining network access (e.g., IP address via DHCP), which manifests as an apparent association failure.

Client data must be mapped to a dynamic interface (VLAN) or the guest interface for proper operation.

Exam trap

Cisco often tests the misconception that mapping to the management interface blocks 802.11 association; in reality, association may succeed, but the client fails to obtain network services.

Why the other options are wrong

A

The 'show wlan summary' output explicitly shows the WLAN status as 'Enabled', so the WLAN is not disabled. A disabled WLAN would prevent associations, but that is not the case here.

B

The output shows PSK is enabled with a passphrase 'Cisco123', so a pre-shared key is configured. Missing PSK would cause authentication failures, but that is not the issue here.

C

CCKM is a fast roaming method that is optional for client association. Clients can associate without CCKM support; it only affects roaming performance, not initial association.

6
MCQ · hard

A client can join a corporate SSID and authenticate successfully, but it consistently loses connectivity when moving between floors. Which area is most strongly suggested for deeper investigation?

A. Roaming and RF behavior between AP coverage areas
B. Whether the SSID is visible at all
C. Whether the host has a BGP autonomous system number
D. Whether the switch uses a smaller wildcard mask
Answer: A

This is correct because the failure occurs during movement rather than initial join.

Why this answer

The strongest area for deeper investigation is wireless mobility and RF behavior between the AP coverage areas involved. In practical terms, the client can already authenticate and use the WLAN initially, so the issue is more likely tied to movement, signal transition, channel behavior, or roaming-related operation rather than basic SSID existence or initial authentication alone.

This is a mobility-troubleshooting question, not a simple association problem.

Exam trap

A common exam trap is assuming that connectivity loss during movement is caused by SSID visibility or initial authentication failure. Since the client can join and authenticate successfully, the problem is not with the SSID broadcast or basic network access. Another tempting mistake is to consider unrelated network configurations such as BGP autonomous system numbers or ACL wildcard masks, which do not affect wireless roaming.

The key is to focus on roaming and RF behavior between AP coverage areas, as these directly impact client mobility and session continuity in a wireless environment.

Why the other options are wrong

B

Incorrect because the client already successfully joins and authenticates to the SSID, so SSID visibility is not the issue.

C

Incorrect because BGP autonomous system numbers relate to routing protocols and have no impact on wireless client roaming or connectivity.

D

Incorrect because ACL wildcard masks affect packet filtering rules and do not influence wireless roaming or client mobility between access points.

7
PBQ · hard

You are troubleshooting a wireless client connectivity issue on the Cisco WLC at 192.168.1.100. The client reports it can see the SSID 'CorpNet' and successfully associates, but cannot obtain an IP address or reach network resources. The WLAN is already configured with WPA3 security, and the SSID should remain hidden. Identify and correct the configuration issue.

Hints

  • Check which interface the WLAN is mapped to.
  • The management interface is not meant for client data traffic.
  • Use the 'config wlan interface' command to change the binding.
A. The WLAN is mapped to the management interface. Use 'config wlan interface 1 CorpNet_VLAN' to assign the correct interface.
B. The SSID is not hidden. Use 'config wlan disable-broadcast-ssid 1 enable' to hide the SSID.
C. WPA3 is not enabled on the WLAN. Use 'config wlan security wpa akm 6 enable' to enable WPA3.
D. The WLAN is disabled. Use 'config wlan enable 1' to enable the WLAN.
Answer: A
Solution:
! WLC
config wlan interface 1 CorpNet_VLAN

Why this answer

The WLAN is incorrectly mapped to the management interface, which places client traffic in the management VLAN instead of the correct CorpNet_VLAN. As a result, clients cannot obtain IP addresses or communicate beyond the WLC. Reassigning the WLAN to the CorpNet_VLAN interface with 'config wlan interface 1 CorpNet_VLAN' resolves the issue by placing client data in the proper VLAN.

Exam trap

Clients seeing the SSID indicates the WLAN is enabled and broadcasting; association can complete even on the wrong interface. The actual symptom is a lack of IP connectivity, not an association failure. Always check the WLAN-to-interface mapping when clients associate but cannot reach network services.

Why the other options are wrong

B

Hiding the SSID is already satisfied; changing broadcast settings would make the SSID visible, contradicting the requirement.

C

WPA3 is already enabled on the WLAN, so there is no need to configure security. The client associates successfully, proving security is not the issue.

D

The WLAN is enabled because the client can see the SSID and associates; enabling it again would not fix the VLAN mismatch.

8
PBQ · hard

You are connected to the WLC via its management IP 192.168.10.10. A new corporate SSID 'SecureCorp' must be configured for WPA3-Personal with PSK 'Cisco123' on the 5 GHz radio only. The SSID should be broadcast. The WLAN must be mapped to interface 'corp_vlan' (VLAN 100). After configuration, a wireless client reports it cannot see or connect to the SSID. Troubleshoot and resolve the client's association failure.

Network Topology
[Topology diagram: AP, WLC, Client; address label 192.168.10.50]

Hints

  • The client cannot see the SSID in its Wi-Fi list — check broadcast setting.
  • All other WLAN parameters are correct; only one setting prevents discovery.
  • Use the 'broadcast-ssid' command under the WLAN configuration.
A. Enable SSID broadcast for the SecureCorp WLAN.
B. Change the security mode to WPA2-Personal with the same PSK.
C. Reconfigure the WLAN to use interface 'management' instead of 'corp_vlan'.
D. Disable the 5 GHz radio and enable the 2.4 GHz radio for the SecureCorp WLAN.
Answer: A
Solution:
! WLC
config wlan 1
broadcast-ssid
end

Why this answer

The client cannot see the SSID because SSID broadcast is disabled. The SSID is configured to be broadcast, but the actual setting is off. To resolve, enable SSID broadcast on the WLAN.

The security and VLAN settings are correct. Enabling broadcast allows the client to discover the network without manual entry.

Exam trap

Do not confuse SSID visibility issues with security or VLAN misconfigurations. A hidden SSID prevents discovery; the client must either manually configure the SSID or the administrator must enable broadcast. Always check the broadcast setting first when a client cannot see a WLAN.

Why the other options are wrong

B

The specific factual error is that the security mode does not affect SSID visibility; the problem is the broadcast setting.

C

The specific factual error is that interface mapping controls VLAN assignment for traffic, not SSID broadcast.

D

The specific factual error is that radio band selection does not affect SSID broadcast; the hidden SSID prevents discovery on any band.

9
MCQ · medium

A wireless client can see two SSIDs from the same company: Corp and Guest. Which statement best explains what an SSID represents in this situation?

A. It is the wireless network name presented to clients for a specific WLAN.
B. It is the encryption algorithm securing the WLAN.
C. It is the radio antenna inside the AP.
D. It is the management IP address of the controller.
Answer: A

This is correct because an SSID identifies the WLAN to users and devices.

Why this answer

An SSID is the name that identifies a specific wireless LAN to clients. In practical terms, Corp and Guest are two different WLAN identifiers presented to users, even if they are broadcast by the same physical access point infrastructure. The SSID tells the client which wireless network it is trying to join.

This matters because people often confuse SSIDs with the access point itself or with the security protocol. The SSID is the network identifier, not the hardware or the encryption standard.

Exam trap

Do not confuse SSIDs with physical devices or security protocols; they are identifiers for networks.

Why the other options are wrong

B

The SSID is simply the network name broadcast by the access point; encryption algorithms like WPA2 or WPA3 are configured separately on the WLAN and are not part of the SSID itself.

C

An SSID is a logical identifier, not a physical component. The radio antenna is hardware that transmits and receives wireless signals, but it does not define the network name.

D

The management IP address of a wireless controller is used for administrative access to the controller, not for client connectivity. Clients use the SSID to identify and connect to a WLAN, not the controller's IP.

10
MCQ · hard

A wireless client can associate to the correct corporate SSID and authenticate successfully, but receives an address from the guest network instead of the employee network. Which troubleshooting area is strongest?

A. Incorrect WLAN-to-role or VLAN mapping after successful authentication.
B. The client must be using the wrong subnet mask manually.
C. The AP must be missing PPP encapsulation.
D. The issue is that STP root election failed.
Answer: A

This is correct because the client is landing in the wrong logical segment after joining successfully.

Why this answer

The client successfully authenticates to the corporate SSID but receives an IP address from the guest network, indicating that the authentication phase is working correctly. The issue lies in the post-authentication mapping: the WLAN is likely mapped to the wrong VLAN or role (e.g., a RADIUS server attribute or local VLAN assignment is misconfigured), causing the client to be placed in the guest VLAN instead of the employee VLAN. This is a common misconfiguration in WLAN-to-VLAN or WLAN-to-role mapping after successful 802.1X authentication.

Exam trap

Cisco often tests the distinction between authentication success and post-authentication authorization (VLAN/role mapping), tricking candidates into focusing on DHCP or IP configuration issues when the real problem is the VLAN assignment after authentication.

Why the other options are wrong

B

The client receives an address from the guest network, indicating that the DHCP server or VLAN assignment is incorrect. A manually configured wrong subnet mask would not cause the client to obtain an IP from a different network; it would simply prevent proper communication within the assigned subnet. The issue is at the network assignment level, not a host configuration error.

C

PPP encapsulation is used on serial WAN links, not in wireless LAN environments. Wireless clients connect via 802.11, and APs use Ethernet or CAPWAP to connect to the network. PPP has no role in VLAN assignment or DHCP for wireless clients.

D

STP root election determines the root bridge in a switched network to prevent loops, but it does not affect VLAN assignment for wireless clients. Even if STP root election failed, it would not cause a client to receive an IP from the wrong network; it would more likely cause network instability or loops.

11
MCQ · hard

A wireless client associates to an AP and successfully authenticates to the correct SSID, but it does not obtain an IP address. The WLC is running in local mode. What should the technician do next?

A. Check the DHCP server to ensure it has available leases.
B. Verify the AP’s operating channel for interference.
C. Verify the VLAN mapping on the WLC for the client’s WLAN.
D. Verify the WPA3 PSK on the client.
Answer: C

In local mode, the WLC bridges client traffic to a specified VLAN. An incorrect or missing VLAN ID prevents the DHCP discovery from reaching the DHCP server. This step directly confirms whether the client’s traffic is placed on the correct subnet.

Why this answer

Option C is correct because when a wireless client authenticates to the SSID but fails to obtain an IP address, the most likely cause is a VLAN mapping mismatch on the WLC. In local mode, the WLC maps the WLAN to a specific VLAN (via the interface or VLAN tag), and if that VLAN does not have a DHCP relay or is not trunked to the correct switch, the client's DHCP requests will never reach the DHCP server. This is a common Layer 2 connectivity issue that prevents IP address assignment even though authentication succeeds.

Exam trap

Cisco often tests the misconception that DHCP issues are always server-side (Option A), when in reality the WLC's VLAN-to-interface mapping is a critical Layer 2 configuration that must be verified first in a wireless context.

Why the other options are wrong

A

Troubleshooting at Layer 3 (IP) before verifying Layer 2 (VLAN) connectivity skips a fundamental step in the OSI model.

B

Confuses a Layer 1 problem with a Layer 2/3 problem. The client’s association proves the RF link is functional.

D

This investigates a condition that has already been ruled out (authentication succeeded) and does not address the IP assignment failure.

12
MCQ · hard

A wireless client joins the correct SSID and gets an address in the correct employee subnet, but cannot reach only one internal application while everything else works. Which troubleshooting area is the strongest first target?

A. The path or policy specific to that application, since general employee connectivity already works.
B. The SSID broadcast setting, because the client must not be joined correctly.
C. The voice VLAN on the wired access port connected to the AP uplink.
D. The OSPF router ID on the client device.
Answer: A

This is correct because the symptoms isolate the problem to one application rather than general WLAN access.

Why this answer

The strongest first target is the application path or policy specific to that application because the client already has general connectivity: it joined the correct SSID, authenticated, and obtained an IP address in the employee subnet. A failure limited to one internal application indicates that basic WLAN join, DHCP, and overall routing are working; therefore, ACLs, firewall rules, DNS resolution for that service, or application-specific policies are the likely cause. Option B (SSID broadcast setting) is irrelevant because the client successfully joined the SSID and has connectivity.

Option C (voice VLAN on the wired access port) is not a first target because the symptom involves a single data application, not voice, and the client is on the employee subnet, not a voice VLAN. Option D (OSPF router ID on the client) is invalid because client devices do not typically run OSPF; OSPF runs on routers, not wireless clients.

Exam trap

Avoid restarting troubleshooting from basic connectivity steps when the problem is isolated to a specific application.

Why the other options are wrong

B

The client has already joined the correct SSID, authenticated, and received an IP address in the correct subnet, so the SSID broadcast setting is not the issue. The problem is specific to one application, not general connectivity.

C

The voice VLAN on the AP uplink is used for VoIP traffic, not for general data applications. Since the client can access other internal resources, the issue is not related to the AP uplink configuration.

D

OSPF router IDs are used by routers in OSPF routing, not by end-client devices. Clients do not run OSPF, so this is irrelevant to the problem.

13
Matching · medium

Match each wireless or edge-switch concept on the left to the description on the right that best fits it. Not all descriptions will be used.

Concepts:
  • SSID
  • CAPWAP
  • Voice VLAN
  • PortFast

Descriptions:
A. Name of the wireless LAN shown to clients
B. Communication relationship between lightweight APs and controller
C. Separates phone traffic from ordinary data on an edge port
D. Allows an endpoint-facing switchport to move quickly toward forwarding
E. Delivers power to devices over Ethernet (PoE)
F. Authenticates users before granting network access (802.1X)
G. Aggregates multiple physical links for increased bandwidth (LACP/EtherChannel)

Matches

Name of the wireless LAN shown to clients

Communication relationship between lightweight APs and controller

Separates phone traffic from ordinary data on an edge port

Allows an endpoint-facing switchport to move quickly toward forwarding

Why these pairings

SSID is the service set identifier, the human-readable name broadcast by access points so clients can identify the WLAN. CAPWAP (Control and Provisioning of Wireless Access Points) defines the split-MAC architecture and communication between lightweight APs and a wireless LAN controller. Voice VLAN is an access port feature that dynamically assigns IP phone traffic to a separate VLAN, isolating it from data traffic.

PortFast is a spanning-tree enhancement that bypasses listening and learning states on access ports to allow immediate forwarding, preventing connectivity delays for endpoints. Distractor E refers to Power over Ethernet, not a wireless or edge-switch naming concept; F describes 802.1X authentication, not a WLAN name or AP-controller protocol; G refers to link aggregation, not a VLAN or spanning-tree feature.

Exam trap

Do not confuse Voice VLAN with a trunk port that carries multiple VLANs — Voice VLAN actually uses the access port in conjunction with a voice VLAN ID, and PortFast is often mistaken for disabling spanning tree entirely rather than accelerating convergence.

14
PBQ · hard

You are connected to WLC-1 via the management interface (192.168.1.100/24). The wireless network 'CustomerNet' uses WPA3-Personal, but clients are failing to associate. The SSID is hidden and the correct VLAN is 30. Configure the WLAN and SSID parameters to allow successful client associations and verify the configuration.

Network Topology
[Topology diagram: Cisco AP, WLC-1, Clients]

Hints

  • Remember to create the interface before assigning it to the WLAN.
  • WPA3-Personal uses a pre-shared key (PSK) but the command is 'security wpa3'.
  • The SSID broadcast must be enabled ('broadcast-ssid enable') for clients to discover it.
A. Create a new interface 'vlan30' with VLAN 30, then create a new WLAN with SSID 'CustomerNet', set security to WPA3-Personal, enable SSID broadcast, and assign the 'vlan30' interface.
B. Modify the existing GuestNet WLAN: change security to WPA3-Personal, enable SSID broadcast, and change the interface to 'guest' (VLAN 20).
C. Create a new WLAN with SSID 'CustomerNet', set security to WPA2-PSK, enable SSID broadcast, and assign the 'guest' interface (VLAN 20).
D. Modify the GuestNet WLAN: change security to WPA3-Personal, keep SSID broadcast disabled, and change the interface to a new interface mapped to VLAN 30.
Answer: A
Solution:
! WLC-1
config terminal
interface customer
vlan 30
ip address 192.168.30.1 255.255.255.0
exit
wlan 3
ssid CustomerNet
broadcast-ssid enable
security wpa3
security wpa akm psk set-key ascii 0 CiscoSecure123
interface customer
no shutdown
end

Why this answer

The GuestNet WLAN (ID 2) currently uses WPA2 with PSK, but clients expect WPA3-Personal. Additionally, the SSID is hidden (broadcast disabled) and the interface is set to guest (VLAN 20) instead of the required VLAN 30. To fix, create a new WLAN (or modify WLAN 2) to use WPA3-Personal, enable SSID broadcast, and assign it to a new interface mapped to VLAN 30.

Configure the interface first, then apply to the WLAN.

Exam trap

A common trap is to assume that modifying the existing WLAN is sufficient, but you must also ensure the correct VLAN interface exists and is assigned. Additionally, candidates often forget that a hidden SSID must be broadcast for clients to discover it, especially when clients are failing to associate.

Why the other options are wrong

B

The specific factual error is that the interface remains set to 'guest' (VLAN 20) instead of being changed to VLAN 30 as required.

C

The specific factual errors are using WPA2-PSK (clients expect WPA3-Personal) and assigning the wrong VLAN (20 instead of 30).

D

The specific factual error is that the SSID broadcast remains disabled, which means clients cannot see the SSID and will not attempt to associate.

15
PBQ · hard

You are managing a Cisco WLC (WLC-1) with IP 10.10.10.10. A wireless client reports it can see the SSID 'CorpNet' but fails to associate. The SSID is configured for WPA3, but the client only supports WPA2. Additionally, the WLAN is mapped to VLAN 100, but the AP is on VLAN 10, causing a mismatch. Your task: reconfigure the WLAN to use WPA2-PSK with AES encryption, correct the VLAN assignment to 10, and ensure the SSID is hidden. Also, verify that management access via the WLC web UI is restricted to the 192.168.1.0/24 subnet.

Network Topology
[Topology diagram: AP, WLC-1, Client]

Hints

  • The client cannot join because WPA3 is required but the client only supports WPA2.
  • The WLAN is on VLAN 100, but the AP is on VLAN 10 — this mismatch prevents client traffic from being properly bridged.
  • Management access is open to all; restrict it to the subnet that contains your admin workstation.
A. Change security to WPA2-PSK with AES, disable PMF, map WLAN to management interface (VLAN 10), disable SSID broadcast, restrict HTTP/HTTPS access to 192.168.1.0/24.
B. Change security to WPA2-PSK with TKIP, enable PMF, map WLAN to VLAN 100, enable SSID broadcast, restrict HTTP access to 192.168.1.0/24.
C. Change security to WPA3-PSK with AES, disable PMF, map WLAN to VLAN 10, disable SSID broadcast, restrict HTTP/HTTPS access to 10.10.10.0/24.
D. Change security to WPA2-PSK with AES, enable PMF, map WLAN to VLAN 10, enable SSID broadcast, restrict HTTP/HTTPS access to 192.168.1.0/24.
Answer: A
Solution:
! WLC-1
config wlan 1
no security wpa3
security wpa2
security wpa2 akm psk
security wpa2 encryption aes
no security wpa3 pmf
interface VLAN10
no broadcast-ssid
end
config management
management http subnet 192.168.1.0 255.255.255.0
management https subnet 192.168.1.0 255.255.255.0
end

Why this answer

The client cannot associate because the WLAN requires WPA3 (PMF required) but the client only supports WPA2. Also, the WLAN is mapped to VLAN 100, but the AP is on VLAN 10, causing a VLAN mismatch that prevents client traffic from reaching the correct subnet. The SSID is broadcast (visible), and management access is open to all subnets.

To fix: change the WLAN security to WPA2-PSK with AES, disable PMF, map the WLAN to the management interface (VLAN 10), disable SSID broadcast, and restrict HTTP/HTTPS access to subnet 192.168.1.0/24.

Exam trap

The exam trap is that candidates may overlook the VLAN mismatch or the requirement to disable PMF when switching from WPA3 to WPA2. Also, they might forget to restrict both HTTP and HTTPS, or confuse the management subnet with the WLC IP address. Always verify client capabilities and VLAN assignments.

Why the other options are wrong

B

The specific factual error: TKIP is deprecated and not used with WPA2-PSK; PMF must be disabled for WPA2-only clients; VLAN 100 is incorrect; SSID broadcast should be disabled; HTTPS access must also be restricted.

C

The specific factual error: WPA3-PSK requires PMF and is incompatible with WPA2-only clients; the allowed subnet for management is 192.168.1.0/24, not 10.10.10.0/24.

D

The specific factual error: PMF is not supported by all WPA2 clients and can cause association issues; SSID broadcast should be disabled to hide the SSID.

16
PBQ · hard

You are connected to the Cisco WLC (WLC-1) via its management IP 192.168.1.10. The wireless network 'CorpNet' is configured but clients cannot associate. Troubleshoot and resolve the issue: clients report 'Association failed' and the SSID is not visible in site surveys. Ensure that after your fix, the SSID is broadcast, WPA3 is used, and the WLAN is mapped to VLAN 20. Also, verify the WLC management interface is accessible over HTTPS.

Network Topology
[Topology diagram: switch, WLC-1, clients]

Hints

  • Check if the WLAN is enabled and broadcasting the SSID.
  • Verify that the WLAN is mapped to a user VLAN, not the management interface.
  • Ensure HTTPS is enabled for web management access.
A. Enable the WLAN, set Broadcast SSID to Enabled, create a dynamic interface for VLAN 20 and map the WLAN to it, and enable the HTTPS server.
B. Enable the WLAN, set Broadcast SSID to Enabled, change the interface to the management interface, and enable the HTTPS server.
C. Enable the WLAN, keep Broadcast SSID Disabled for security, create a dynamic interface for VLAN 20 and map the WLAN to it, and enable the HTTPS server.
D. Enable the WLAN, set Broadcast SSID to Enabled, create a dynamic interface for VLAN 20 and map the WLAN to it, but leave HTTPS disabled for security.
Answer: A
Solution:
! WLC-1
config wlan 1 enable
config wlan 1 broadcast-ssid enable
config wlan 1 interface vlan20
config interface create vlan20 20
config interface address vlan20 192.168.20.1 255.255.255.0
config wlan 1 interface vlan20
ip http secure-server

Why this answer

The WLAN was disabled, the SSID was hidden (Broadcast SSID Disabled), and it was incorrectly mapped to the management interface instead of a user VLAN. Additionally, HTTPS access was disabled. The solution: enable the WLAN, enable SSID broadcast, change the interface to a VLAN 20 interface (e.g., create a dynamic interface 'vlan20' with VLAN 20), and enable the HTTPS server for management access.

Note: On an AireOS WLC, the correct commands use `config wlan enable <wlan_id>`, `config wlan broadcast-ssid enable <wlan_id>`, and `config network secureweb enable` for HTTPS.

Exam trap

This question tests your ability to identify multiple misconfigurations simultaneously. Common traps: confusing management interface with user VLANs, thinking hidden SSID is acceptable when broadcast is required, and overlooking the HTTPS requirement. Also, ensure you use AireOS-specific commands, not IOS commands like `ip http secure-server`.

Always verify all requirements in the question.

Why the other options are wrong

B

The specific factual error: The management interface is for WLC management traffic, not client data. Client traffic should be on a separate user VLAN.

C

The specific factual error: Broadcast SSID must be enabled for the SSID to be visible. Disabling it hides the SSID, which contradicts the requirement to make it visible.

D

The specific factual error: HTTPS must be enabled for management access. Disabling it would block HTTPS connections to the WLC.

17
MCQ · hard

Exhibit: Clients can see the corporate SSID but fail authentication after entering valid usernames and passwords. Which issue is the best explanation?

A. The AP is using the wrong RF channel
B. The RADIUS path or shared secret is failing
C. The SSID must be hidden for enterprise authentication
D. The clients need a voice VLAN assignment first

Answer: B

WPA2-Enterprise depends on successful RADIUS authentication.

Why this answer

WPA2-Enterprise relies on 802.1X with a RADIUS server. If the RADIUS server is unreachable or the shared secret is wrong, users can see the SSID and attempt to authenticate, but the login process fails. Option A is incorrect because RF channel issues would cause connectivity problems, not authentication failures after association.

Option C is incorrect because hiding the SSID is irrelevant to enterprise authentication; the issue is server-side. Option D is incorrect because a voice VLAN is not required for standard client authentication and would not cause login failure.

Exam trap

Remember that WPA2-Enterprise relies on a RADIUS server. Authentication issues often stem from server communication problems, not client-side settings.

Why the other options are wrong

A

RF channel issues cause connectivity or performance problems, not authentication failures after a successful association.

C

Hiding the SSID does not affect the 802.1X authentication process; the failure is likely due to RADIUS communication.

D

Voice VLAN assignment is unrelated to client authentication; clients do not need a voice VLAN to authenticate.

18
Multi-Select · medium

Which two statements accurately describe WPA2 and WPA3 in wireless security?

Select 2 answers
A. Both are wireless security standards used to help protect WLAN access and traffic.
B. WPA3 is the newer standard relative to WPA2.
C. Both are names for specific 802.11 radio frequencies.
D. WPA2 and WPA3 are types of trunk ports.
E. WPA3 eliminates the need for SSIDs.

Answers: A, B

This is correct because WPA2 and WPA3 are both WLAN security standards.

Why this answer

WPA2 and WPA3 are wireless security standards used to protect WLAN access and traffic. In practical terms, both are associated with securing wireless communication, but WPA3 is generally positioned as the newer standard with security improvements over WPA2. The key idea at CCNA level is recognizing them as WLAN security standards rather than confusing them with SSIDs, controllers, or radio bands.

You do not need deep protocol internals here. You need the role and relative positioning right.

Exam trap

Avoid assuming WPA3 is limited to specific frequency bands or that WPA2 offers superior security features.

Why the other options are wrong

C

WPA2 and WPA3 are security protocols, not radio frequencies. 802.11 radio frequencies refer to bands like 2.4 GHz and 5 GHz, which are unrelated to security standards.

D

Trunk ports are a concept in switched networks for carrying multiple VLANs, typically using 802.1Q tagging. WPA2 and WPA3 have nothing to do with switch port configuration.

E

WPA3 does not eliminate the need for SSIDs; SSIDs are still required to identify and differentiate wireless networks. WPA3 focuses on authentication and encryption, not network identification.

19
MCQ · medium

Exhibit: A wireless client can see the SSID and associates successfully, but it never gets network access. Other users on the same SSID work. Which issue is the best fit?

A. The AP is advertising the wrong channel width
B. The client failed to obtain a valid IP address from DHCP
C. The SSID must be changed from broadcast to hidden
D. WPA2 automatically blocks clients until NTP is configured

Answer: B

Association without a working IP configuration is a classic symptom.

Why this answer

Successful association means the radio connection is up. If only one client fails to get network access while others work, the most likely issue is a client-specific addressing problem such as not obtaining a valid DHCP lease. Option A is incorrect because channel width affects all clients, not just one.

Option C is incorrect because hiding the SSID does not affect network access after association. Option D is incorrect because WPA2 does not block clients due to NTP; NTP is unrelated to client authentication.

Exam trap

Don't confuse association issues with post-association network access problems. Ensure you understand the difference between connecting to the SSID and obtaining network access.

Why the other options are wrong

A

Channel width affects all clients on the AP, not just a single client.

C

Hiding the SSID only prevents the SSID from being broadcast; it does not impact network access after association.

D

WPA2 does not require NTP for client authentication; NTP is for time synchronization, not client access control.

20
PBQ · hard

You are troubleshooting a wireless client association failure on a Cisco WLC. The client is unable to connect to the corporate SSID 'CorpNet' and reports an authentication error. Review the WLC configuration and fix the issue so that the client can associate and obtain an IP address from VLAN 100. The WLC management IP is 192.168.1.10/24.

Hints

  • Check the security settings — the client may not support WPA3.
  • Verify if the SSID is hidden — the client cannot scan for it.
  • Ensure the VLAN assigned to the WLAN matches the client's subnet.

A. Change the WLAN security to WPA2, enable SSID broadcast, and configure the WLAN interface to use VLAN 100 with a DHCP scope on that VLAN.
B. Change the WLAN security to WPA3 only, enable SSID broadcast, and change the management interface IP to 192.168.100.10/24.
C. Keep WPA3, disable SSID broadcast for security, and configure the WLAN interface to use VLAN 100 with a DHCP scope on VLAN 1.
D. Change the WLAN security to WPA2, keep SSID broadcast disabled, and configure the WLAN interface to use VLAN 1.

Answer: A

Solution
! WLC
configure terminal
wlan CorpNet 1 CorpNet
security wpa2
security wpa akm psk
security wpa psk ascii 7 1234567890abcdef
no security wpa3-sae
broadcast-ssid enable
interface wlan 1
vlan 100
end

Why this answer

The client authentication and DHCP issues are caused by: (1) WPA3 being configured while the client only supports WPA2, (2) SSID broadcast disabled, preventing client discovery, and (3) the WLAN's client VLAN (100) lacking a DHCP server or scope. The management interface VLAN (1) does not interfere with client DHCP. To resolve, change security to WPA2, enable SSID broadcast, and ensure the WLAN is associated with the correct VLAN (100) and a DHCP scope exists on that VLAN.

Exam trap

Be careful not to confuse the management interface VLAN with the client data VLAN. Also, remember that SSID broadcast must be enabled for clients to discover the network, and security settings must match client capabilities. Always verify DHCP scope placement matches the client VLAN.

Why the other options are wrong

B

The specific factual error is that WPA3-only security may not be supported by the client, and changing the management interface IP does not resolve the client VLAN assignment issue.

C

The specific factual errors are: WPA3 may not be compatible, disabling SSID broadcast hides the network, and DHCP scope must be on the same VLAN as the client (VLAN 100).

D

The specific factual errors are: SSID broadcast must be enabled for client discovery, and the WLAN interface must be mapped to VLAN 100, not VLAN 1.

21
MCQ · hard

A user can connect to the employee SSID and receive the correct employee IP subnet, but access to one internal application fails only for that WLAN while wired users succeed. Which troubleshooting area is the strongest first focus?

A. A WLAN-specific policy or filtering rule affecting access to that application
B. The SSID broadcast setting
C. Whether the access point has a valid hostname
D. Whether the client is using PPP instead of Ethernet

Answer: A

This is correct because the failure is selective by WLAN and application, not a total connectivity problem.

Why this answer

The strongest first focus is the policy or filtering path specific to that WLAN or traffic class. In practical terms, the user has already shown that the correct WLAN join, authentication, and subnet assignment are working. Because wired users succeed and only one application fails from that WLAN, the most likely issue is a WLAN-specific policy, ACL, firewall rule, or path treatment affecting that application.

This is a realistic selective-access troubleshooting scenario and tests whether the candidate narrows the fault domain correctly.

Exam trap

Avoid assuming the problem is with the user's device or general network settings when the issue is isolated to a specific WLAN.

Why the other options are wrong

B

The SSID broadcast setting does not directly impact the ability of users to connect to an internal application once they are authenticated and assigned an IP address. Since wired users can access the application, the issue is likely related to WLAN-specific configurations rather than SSID visibility.

C

The access point's hostname does not directly impact application access; it primarily affects network identification and management. Since the issue is specific to WLAN access and not present for wired users, the hostname is unlikely to be the cause.

D

This option is wrong because the issue pertains to application access over a specific WLAN, not the type of connection (PPP vs. Ethernet). The problem likely lies in WLAN configuration rather than the protocol used by the client device.

22
PBQ · hard

You are managing a Cisco WLC (192.168.1.10) via its web UI. The wireless network 'CorpSecure' has been configured but clients cannot associate. Some report 'wrong password' errors; others see the SSID but fail to connect. Additionally, management access to the WLC web UI is intermittent. Identify and resolve the issues so that wireless clients can successfully associate with 'CorpSecure' using WPA3-Personal and the WLC web UI is reliably accessible from the management VLAN (VLAN 10).

Hints

  • Check the security settings on the WLAN; clients expecting WPA3 will fail with WPA2 configured.
  • An SSID that is hidden (Broadcast disabled) may not appear in client scans unless manually entered.
  • Management access issues might be unrelated to the WLAN config; verify the management interface IP and default gateway are correct.

A. Configure the SSID with WPA3-Personal; verify management interface is on VLAN 10 with correct gateway.
B. Change the SSID security to WPA2-PSK and disable SSID broadcast; reset the WLC to factory defaults.
C. Update the WLC firmware to the latest version and change the management VLAN to VLAN 1.
D. Reconfigure the SSID with WPA3-Enterprise and enable SSID broadcast; set the management interface to use DHCP.

Answer: A

Solution
! WLC
Navigate to WLANs > Edit CorpSecure > Security > Layer 2 > Select WPA3-Personal (AES) > Apply
Navigate to WLANs > Edit CorpSecure > SSID > Enable Broadcast SSID > Apply

Why this answer

The primary issue is a security mismatch: the SSID is set to WPA2-PSK while clients expect WPA3, causing 'wrong password' errors. Since clients can see the SSID, broadcast is already enabled; the secondary connection failures may be due to incompatible devices, but the correct fix is to change the security to WPA3-Personal (AES). Additionally, verify that the management interface is on VLAN 10 with the correct gateway to ensure reliable WLC web UI access.

Exam trap

Candidates might mistakenly conclude the SSID broadcast is disabled and enable it unnecessarily, overlooking that the visible SSID indicates broadcast is already on, or they might ignore the management VLAN configuration.

Why the other options are wrong

B

The specific factual error: WPA2-PSK is not compatible with clients expecting WPA3-Personal, and hiding the SSID prevents clients from seeing it.

C

The specific factual error: VLAN 1 is the default and often discouraged for management; the issue is not firmware-related but configuration-based.

D

The specific factual error: WPA3-Enterprise is not appropriate without a RADIUS server, and DHCP for management can lead to unreliable access.

23
PBQ · hard

You are connected to WLC-1 via SSH. A new SSID 'CorpSecure' must be configured for 5 GHz clients using WPA3-Personal. However, after creation, clients can see the SSID but fail to associate. Review the WLC configuration and fix the issue so that clients can successfully associate and obtain an IP address from VLAN 100 (subnet 10.0.100.0/24).

Network Topology
[Diagram: G0/0 192.168.1.10/24, G0/1 10.0.0.1/30, G0/2 10.0.100.1/24; Switch, Management, WLC-1, Upstream Router, Client VLAN 100]

Hints

  • Check the current security settings on the WLAN; they are using WPA2, not WPA3.
  • The radio policy is not set — clients may try to connect on 2.4 GHz, but the SSID should be 5 GHz only.
  • Ensure the WLAN is enabled after changes.

A. Change the WLAN security to WPA3-Personal, enable AES-CCMP for WPA3, set the radio policy to 5 GHz, and ensure the WLAN is mapped to the dynamic interface for VLAN 100.
B. Change the WLAN security to WPA2-Personal, enable TKIP encryption, and set the radio policy to 5 GHz.
C. Change the WLAN security to WPA3-Personal, enable AES-CCMP, but leave the radio policy as 'All' (both 2.4 GHz and 5 GHz).
D. Change the WLAN security to WPA3-Personal, enable AES-CCMP, set the radio policy to 5 GHz, but do not enable the WLAN after changes.

Answer: A

Solution
! WLC-1
config wlan security wpa3 1 enable
config wlan security wpa3 psk 1 set ascii CorpSecurePass123
config wlan security wpa3 ciphers 1 aes-ccmp
config wlan radio-policy 1 5ghz
! Enable the WLAN last, after security and radio policy are set
config wlan enable 1

Why this answer

The SSID was configured with WPA2 instead of WPA3. The WLC also had no radio policy set for 5 GHz only. To fix, change the WLAN security to WPA3-Personal, enable AES-CCMP for WPA3, and set the radio policy to 5 GHz.

Additionally, ensure the WLAN is mapped to the appropriate dynamic interface for VLAN 100, not the management interface, and that client VLAN 100 is reachable. The commands to modify the WLAN are: `config wlan security wpa3 1 enable`, `config wlan security wpa3 psk ascii CorpSecurePass123 1`, `config wlan radio policy 802.11a-only 1`, and `config wlan enable 1`.

Exam trap

Students often forget to change the radio policy from 'All' to a specific band, or they confuse WPA2 with WPA3. Also, they may overlook enabling the WLAN after configuration. Ensure you understand the specific requirements for WPA3 and the need to match the radio policy to the client band.

Why the other options are wrong

B

The specific factual error is that WPA2-Personal with TKIP does not meet the WPA3-Personal requirement; WPA3 mandates AES-CCMP.

C

The specific factual error is that the radio policy must be set to 5 GHz only, not 'All', to restrict access to 5 GHz clients.

D

The specific factual error is that the WLAN remains disabled, so clients cannot associate even if other settings are correct.

24
MCQ · hard

A wireless site reports that users can connect to the SSID, but performance drops sharply around the conference area whenever the room fills up. Based on the exhibit, what is the most likely cause?

A. Adjacent-channel interference caused by overlapping 2.4 GHz channels
B. A DHCP exhaustion problem on the WLAN
C. An authentication mismatch between the APs and clients
D. A missing default route on the wireless controller

Answer: A

Channel 3 overlaps with both 1 and 6, which is a common performance problem.

Why this answer

The 2.4 GHz radios are using overlapping channels. In 2.4 GHz, the standard non-overlapping channels are 1, 6, and 11 in many regulatory domains. Using channels 1, 3, and 6 creates adjacent-channel interference, which hurts throughput especially in dense client areas.

Exam trap

A common exam trap is to confuse wireless connectivity issues caused by RF interference with DHCP or authentication problems. Because users can connect to the SSID, candidates might incorrectly suspect DHCP exhaustion or authentication mismatches. However, DHCP exhaustion prevents clients from obtaining IP addresses, not causing throughput drops.

Similarly, authentication mismatches prevent connection entirely. Another trap is to blame routing issues like a missing default route on the wireless controller, which affects network reachability but not local wireless signal quality. The key is to recognize that overlapping 2.4 GHz channels cause adjacent-channel interference, which degrades performance even when clients connect successfully.

Why the other options are wrong

B

Incorrect. DHCP exhaustion would prevent some clients from obtaining IP addresses, but it does not cause RF interference or a sharp drop in wireless throughput. Since users can connect, DHCP exhaustion is unlikely.

C

Incorrect. An authentication mismatch would prevent clients from connecting to the SSID. Since users can connect, authentication is working properly and is not the cause of performance degradation.

D

Incorrect. A missing default route on the wireless controller affects upstream network connectivity but does not cause local RF interference or throughput drops in the wireless environment.

25
MCQ · medium

Exhibit: Users report that they can see the corporate SSID but fail authentication immediately after entering credentials. Guest wireless works on the same access point. Which issue is most likely?

A. The AP is using the wrong channel width
B. The RADIUS or AAA server is unreachable for the enterprise WLAN
C. The corporate SSID has a mismatched RADIUS shared secret
D. The SSID must be configured as hidden

Answer: B

WPA2-Enterprise depends on AAA communication for user authentication.

Why this answer

When clients can see the SSID and associate at Layer 2 but fail right after entering credentials, a broken 802.1X or RADIUS path is a common cause. RF coverage is clearly not the main problem because the SSID is visible and guest service works.

Exam trap

Be careful not to confuse visibility and connectivity issues with authentication problems. The SSID is visible, so focus on authentication-related configurations.

Why the other options are wrong

A

The AP using the wrong channel width would not cause immediate authentication failures; it typically affects connectivity or performance rather than authentication processes. Since the guest wireless works, the channel width is likely not the issue.

C

A mismatched RADIUS shared secret would cause authentication failures, but guest wireless works on the same access point, indicating the AP itself is functional; the more likely cause is that the RADIUS server is completely unreachable, not just a shared secret mismatch.

D

Configuring the SSID as hidden would not cause immediate authentication failures; users would simply not see the SSID unless they manually entered it. The issue described involves users seeing the SSID but failing authentication, indicating a problem beyond SSID visibility.

26
MCQ · hard

A user reports that the corporate SSID is visible and accepts the correct password, but the client always lands in a quarantined remediation network. Which troubleshooting area is strongest?

A. Post-authentication policy, role, or VLAN assignment logic
B. Whether the SSID is hidden instead of broadcast
C. Whether the AP uplink uses PPP encapsulation
D. Whether OSPF designated routers are elected correctly

Answer: A

This is correct because the symptom points to how the authenticated client is being classified after joining.

Why this answer

The strongest troubleshooting area is post-authentication policy or role assignment. The client already sees the SSID and successfully authenticates, so the problem is not RF visibility or password failure. Landing in a remediation network indicates a policy decision after authentication, such as a mismatched VLAN assignment or client role.

Option B (hidden SSID) is irrelevant because the SSID is visible. Option C (PPP encapsulation) does not affect post-authentication network placement. Option D (OSPF DR election) is unrelated to client VLAN assignment.

Exam trap

Don't confuse initial connectivity problems with post-authentication issues. Focus on what happens after the connection is established.

Why the other options are wrong

B

A hidden SSID would prevent the SSID from appearing, but the user reports the SSID is visible, so this does not match the symptom.

C

PPP encapsulation on an AP uplink concerns Layer 2 framing, not the post-authentication VLAN or policy assignment that causes quarantine.

D

OSPF designated router election occurs at Layer 3 within routing, while the issue is about client VLAN placement after authentication, which is a Layer 2 access-control function.

27
Drag & Drop · hard

Drag and drop the following steps into the correct order to configure a new WLAN on a Cisco WLC using IOS-XE CLI, including WPA3-Personal security, and to complete a wireless client association with DHCP.

Why this order

The configuration order follows the Cisco IOS-XE WLC CLI: first enter global config, create the WLAN profile, set security (WPA3-Personal/SAE), enable the WLAN, then the client associates and gets an IP via DHCP.

Exam trap

Be careful with the order of operations: you must create the WLAN profile first, then configure security, then enable the WLAN. Also, remember that DHCP IP assignment occurs after the client associates, not before.

28
Multi-Select · medium

Which TWO statements correctly describe differences between 802.11ac (Wi-Fi 5) and 802.11ax (Wi-Fi 6)?

Select 2 answers
A. 802.11ac uses OFDMA, while 802.11ax uses only OFDM.
B. 802.11ax supports 1024-QAM modulation, whereas 802.11ac supports up to 256-QAM.
C. Both 802.11ac and 802.11ax operate exclusively in the 5 GHz band.
D. 802.11ax operates in both the 2.4 GHz and 5 GHz bands, while 802.11ac operates only in the 5 GHz band.
E. 802.11ac introduces target wake time (TWT) for improved power saving, but 802.11ax does not support it.

Answers: B, D

802.11ax supports 1024-QAM for higher data rates; 802.11ac maximum is 256-QAM.

Why this answer

Options B and D are correct. 802.11ax (Wi-Fi 6) introduces 1024-QAM for higher data rates (B), while 802.11ac maxes at 256-QAM. Additionally, 802.11ax supports both 2.4 GHz and 5 GHz bands, whereas 802.11ac is limited to 5 GHz only (D). Option A is incorrect because it reverses the roles: 802.11ac uses OFDM, and 802.11ax uses OFDMA.

Option C is incorrect because 802.11ax also operates in 2.4 GHz. Option E is incorrect because Target Wake Time (TWT) is introduced in 802.11ax, not 802.11ac.

Exam trap

Cisco often tests the misconception that 802.11ac also uses OFDMA or that both standards operate in the same frequency bands, so candidates must remember that OFDMA is exclusive to 802.11ax and that 802.11ac is 5 GHz only.

Why the other options are wrong

A

This statement reverses the technologies: 802.11ac uses OFDM, and 802.11ax uses OFDMA.

C

802.11ax adds 2.4 GHz support for backward compatibility and better range.

E

TWT is a feature of 802.11ax, not 802.11ac.

29
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure a WPA3 SSID on a Cisco WLC and complete a wireless client association.

Why this order

The steps follow the standard WLC configuration sequence: create the WLAN, set WPA3-Personal security, enable it, then the client associates and gets an IP.

Exam trap

The trap is that candidates may think security can be configured after enabling the WLAN, or that client IP assignment occurs before association. Remember: always configure all settings before enabling the WLAN, and client DHCP occurs after association.

30
Multi-Select · medium

Which statement correctly describes a feature of WPA3 security in wireless LANs?

Select 1 answer
A. WPA3 uses TKIP encryption for backward compatibility with legacy devices.
B. WPA3 introduces Simultaneous Authentication of Equals (SAE) to resist offline dictionary attacks.
C. WPA3 relies solely on 802.1X/EAP authentication for both personal and enterprise modes.
D. WPA3 mandates the use of GCMP-256 encryption for enhanced security.
E. WPA3 makes Protected Management Frames (PMF) optional to support older clients.

Answers: B

SAE replaces WPA2's PSK handshake, providing a secure key exchange that prevents attackers from cracking the password offline.

Why this answer

Option B is correct. WPA3 introduces Simultaneous Authentication of Equals (SAE), which uses a Dragonfly key exchange to resist offline dictionary attacks and provide forward secrecy. Option A is wrong because WPA3 does not use or support TKIP encryption; it mandates AES.

Option C is wrong because WPA3-Personal uses SAE, not 802.1X/EAP. Option D is wrong because GCMP-256 is only mandatory in the optional WPA3-Enterprise 192-bit security mode, not across all WPA3 deployments; standard WPA3-Personal uses AES-GCMP with 128-bit keys. Option E is wrong because WPA3 requires Protected Management Frames (PMF) by default, unlike WPA2.

Exam trap

Many candidates incorrectly assume WPA3 universally uses GCMP-256 encryption, confusing the optional enterprise mode with the baseline WPA3-Personal requirement.

Why the other options are wrong

A

WPA3 mandates AES encryption and does not include TKIP for any compatibility; TKIP was deprecated in WPA2.

C

WPA3-Personal uses SAE, not 802.1X/EAP; only WPA3-Enterprise relies on 802.1X.

D

GCMP-256 is only mandated in the optional WPA3-Enterprise 192-bit mode; standard WPA3 uses GCMP with 128-bit keys.

E

Protected Management Frames (PMF) are required, not optional, in WPA3 to mitigate management frame attacks.

31
MCQ · easy

An AP broadcasts the correct SSID, but many clients on one floor experience poor performance while the same SSID works well on another floor. Which category of issue is most strongly suggested first?

A. A radio-frequency or local wireless environment issue on that floor
B. The SSID name must be misspelled only on that floor
C. BGP autonomous system mismatch
D. IPv6 loopback addressing on the clients

Answer: A

This is correct because the problem is location-specific while the SSID itself works elsewhere.

Why this answer

The issue is location-specific, with performance problems only on one floor. This strongly suggests a local radio frequency (RF) or wireless environment issue such as interference, signal attenuation, or channel congestion on that floor. The SSID is correctly broadcast because clients on other floors connect successfully, so option B (misspelling) is not plausible.

Options C and D are unrelated to wireless performance: BGP is a routing protocol not used in basic WLAN deployments, and IPv6 loopback addressing does not affect client connectivity or throughput. Therefore, the most direct and likely first suspect is an RF or environmental issue on that specific floor.

Exam trap

Avoid assuming that SSID issues are always configuration-related; consider environmental factors when performance issues are location-specific.

Why the other options are wrong

B

An SSID misspelling would prevent all clients from seeing the SSID, but since clients on other floors connect successfully, this cannot be the issue.

C

BGP autonomous system mismatch is a routing protocol concept unrelated to wireless LAN performance issues and would not cause performance problems on a single floor.

D

IPv6 loopback addressing is a configuration detail that does not impact wireless client performance or connectivity in a local-area network context.

32
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure WPA3-Personal on a WLC, associate a wireless client, and complete the 802.11 authentication and DHCP process.

Why this order

The correct order is to first configure the WLAN with WPA3-Personal on the WLC, then the client completes 802.11 authentication (open system authentication followed by the SAE handshake), next the client associates with the AP, and finally the client obtains an IP address via DHCP. Option B correctly follows this sequence, while option A incorrectly reverses authentication and association, option C places WLAN configuration after client association, and option D erroneously performs DHCP before any wireless steps.

Exam trap

Watch out for the order of 802.11 authentication and DHCP. Many candidates mistakenly place DHCP before authentication, but authentication is a layer 2 process that must complete before the client can obtain an IP address.

33
PBQ · hard

You are troubleshooting a wireless client association failure on a Cisco WLC. A client reports it can see the SSID 'GuestNet' but fails to connect, while another client using the same SSID connects fine. You must check the WLC configuration, identify the cause, and fix it so that both clients can associate successfully.

Network Topology
[Diagram: AP-1, WLC, Client-1]

Hints

  • Check if the failing client supports WPA3. Legacy clients may only support WPA2.
  • WPA3 Transition Mode allows a WLAN to accept both WPA2 and WPA3 clients.
  • PMF (Protected Management Frames) set to 'Required' will reject clients that do not support it.

A. Change the WLAN security to WPA2-PSK only and disable PMF.
B. Enable WPA3 Transition Mode and set PMF to Optional.
C. Disable PMF on the WLAN and keep WPA3 enabled.
D. Change the WLAN to use WPA2-PSK with PMF Required.

Answer: B

Solution
! WLC
config wlan 2
no security wpa3 pmf required
security wpa3 pmf optional
security wpa3 transition-mode enable
end

Why this answer

The client that cannot associate is likely a legacy client that does not support WPA3. The WLAN 'GuestNet' has WPA3 enabled with 'PMF Required', which forces all clients to support WPA3 and PMF. To fix this, enable WPA3 Transition Mode (which allows both WPA2 and WPA3 clients) and set PMF to Optional.

This will allow the older client to associate using WPA2 while newer clients can use WPA3.

Exam trap

The key trap is confusing PMF settings with authentication protocols. PMF Required is only valid with WPA3, and disabling PMF alone does not fix the protocol mismatch. Always consider that WPA3 Transition Mode is the feature designed to support mixed environments.

Why the other options are wrong

A

Disabling PMF entirely is not necessary; PMF can be set to Optional to allow both PMF-capable and non-PMF clients.

C

Disabling PMF alone does not allow a WPA2-only client to associate with a WPA3-only WLAN; the WLAN must also support WPA2.

D

PMF Required is only supported with WPA3; WPA2 only supports PMF Optional. Additionally, this configuration would not support WPA3 clients.

34
MCQ · medium

A controller-based WLAN is deployed across multiple floors. Users can associate to the SSID on both floors, but their experience improves when moving between APs compared with a poorly designed standalone deployment. Which wireless concept is most closely related to that client movement experience?

A. Roaming between access points
B. NetFlow export
C. DHCP snooping
D. Route summarization
Answer: A

This is correct because the question is about client movement between AP coverage areas.

Why this answer

The concept most closely related is roaming between access points. In practical terms, client mobility experience depends on how smoothly a device can move from one AP coverage area to another while staying on the WLAN. Controller-based designs often help manage this more consistently than fragmented independent configurations.

The key point is that the question is about movement between APs while remaining on the wireless network, not about VLAN trunks or routing protocol neighbors.

Exam trap

Be careful not to confuse network performance improvements like channel bonding with client mobility improvements like roaming.

Why the other options are wrong

B

NetFlow export is related to network traffic analysis and monitoring, not directly to client movement or experience between access points in a WLAN. It does not address the seamless connectivity aspect of roaming.

C

DHCP snooping is a security feature that helps prevent unauthorized DHCP servers from distributing IP addresses on a network. It does not directly relate to the user experience of roaming between access points in a WLAN deployment.

D

Route summarization is a technique used in routing protocols to reduce the size of routing tables by aggregating multiple routes into a single route. It does not pertain to client movement or wireless connectivity between access points.

35
Multi-Select · hard

A technician reports that users on a guest wireless SSID can reach the internet but can also browse internal file shares, which should be blocked. Which two design actions most directly address that issue?

Select 2 answers
A. Place guest clients in a separate VLAN or VRF from internal users
B. Apply ACL policy that denies guest access to internal subnets while permitting internet access
C. Increase the AP transmit power
D. Disable DHCP on the guest WLAN
Answers: A, B

Segmentation is the core control that isolates guest traffic from corporate resources.

Why this answer

Guest access should be isolated through segmentation and policy enforcement. Separate broadcast domains and ACLs are the practical way to allow internet-only access.

Exam trap

A common exam trap is to confuse wireless coverage or connectivity settings with security controls. For example, disabling DHCP on the guest WLAN might seem like a way to block guest access to internal resources, but it actually prevents guests from obtaining IP addresses, breaking their internet connectivity rather than isolating internal file shares. Similarly, increasing AP transmit power affects signal reach but does nothing to separate guest traffic from internal users.

The trap is to overlook the necessity of logical segmentation and explicit ACL policies, which are the correct mechanisms to enforce access restrictions in Cisco wireless networks.

Why the other options are wrong

C

Incorrect. Increasing AP transmit power only affects wireless coverage and does not provide any mechanism to isolate guest traffic or block access to internal resources.

D

Incorrect. Disabling DHCP on the guest WLAN disrupts guest connectivity by preventing IP address assignment and does not effectively isolate guest traffic from internal networks.

36
MCQ · hard

A user joins the employee SSID successfully and can browse internal resources, but VoIP over Wi-Fi calls fail only while roaming between floors. Which troubleshooting area is the strongest first focus?

A. Roaming behavior and RF transition quality between AP coverage areas
B. Whether the SSID name is spelled correctly
C. Whether the branch router has PPP enabled
D. Whether the user has a static default route on the phone
Answer: A

This is correct because the symptom appears specifically during movement between coverage zones.

Why this answer

The strongest first focus is roaming and RF transition behavior between AP coverage areas. In practical terms, the user already proved that general WLAN access and internal reachability are working. The failure happens during movement and affects a time-sensitive application. That points to mobility-related behavior rather than basic SSID visibility or simple IP addressing.

This is a realistic wireless troubleshooting item because it narrows the fault domain from the symptom pattern instead of restarting from the basics.

Exam trap

Avoid assuming basic connectivity issues when the problem is specific to roaming and affects a time-sensitive application.

Why the other options are wrong

B

This option is wrong because the spelling of the SSID does not affect the ability to roam between access points; the user is already connected to the SSID and can access internal resources.

C

This option is wrong because PPP (Point-to-Point Protocol) is not directly related to VoIP performance or roaming issues; it primarily pertains to WAN connections rather than local Wi-Fi network transitions.

D

This option is wrong because the issue described pertains to roaming and VoIP call quality, which is unrelated to static routing configurations on the user's phone. A static default route would not directly impact the ability to maintain VoIP calls while transitioning between access points.

37
MCQ · hard

A host on a guest WLAN can browse the Internet but cannot reach internal corporate resources, while employees on another SSID can. Which statement best explains why that can be a correct design outcome?

A. Because guest and employee WLANs can intentionally have different trust levels and access policies.
B. Because guest WLANs cannot use IP routing at all.
C. Because the guest WLAN is assigned to a different VLAN that uses a different IP subnet, and inter-VLAN routing is inherently disabled for security reasons.
D. Because the guest WLAN uses a different SSID that automatically triggers firewall rules that only permit HTTP/HTTPS traffic.
Answer: A

This is correct because guest isolation is often an intentional design goal.

Why this answer

The correct answer is A because guest wireless networks are intentionally isolated from corporate resources through separate trust levels and access policies. Option B is incorrect because guest WLANs can use IP routing, but routing policies restrict which destinations are reachable. Option C is incorrect because inter-VLAN routing is not inherently disabled; it is a design choice to restrict routing between VLANs.

Option D is incorrect because SSIDs themselves do not trigger firewall rules; it is the VLAN or group assignment that determines the applied policy.

Exam trap

A frequent exam trap is to interpret guest WLAN isolation as a misconfiguration, rather than an intentional policy enforcement. Candidates may also incorrectly attribute the restriction to technical limitations like routing being inherently disabled or SSIDs triggering firewall rules.

Why the other options are wrong

B

Guest WLANs can use IP routing; they are just restricted by policy.

C

Inter-VLAN routing is not inherently disabled; it is a configurable policy.

D

SSIDs do not automatically trigger firewall rules; the assigned VLAN determines the policy.

38
MCQ · hard

Clients can join the Guest SSID and authenticate successfully, but they never receive an IP address. The DHCP scope for the guest network exists on the server. Based on the exhibit, what is the most likely cause?

A. The AP trunk is not allowing VLAN 300.
B. The DHCP server must use TCP instead of UDP.
C. The SSID name must match the DHCP pool name.
D. The AP should be configured as an access port for VLAN 1.
Answer: A

That prevents guest client traffic from reaching the proper VLAN.

Why this answer

The Guest SSID is mapped to VLAN 300, but the switch trunk toward the AP allows only VLANs 10,20,30. Client traffic for the guest WLAN never reaches the correct VLAN upstream, so DHCP requests for that WLAN fail. Authentication can still succeed depending on how the WLAN is designed.

Exam trap

A common exam trap is to incorrectly assume that DHCP issues stem from the DHCP server configuration or protocol errors, such as believing DHCP must use TCP instead of UDP. Another tempting mistake is thinking the SSID name must match the DHCP pool name, which is false because DHCP scopes are based on VLAN subnets, not SSID naming. Additionally, some candidates mistakenly configure the access point port as an access port on VLAN 1, which prevents multiple VLANs from passing and breaks guest VLAN connectivity.

These traps distract from the core issue of VLAN trunk misconfiguration preventing DHCP traffic.

Why the other options are wrong

B

Incorrect. DHCP uses UDP, not TCP. Changing the protocol to TCP is not valid and would cause DHCP to fail entirely, which is not the issue here since clients authenticate successfully.

C

Incorrect. DHCP scopes are tied to VLAN subnets, not SSID names. The SSID name does not need to match the DHCP pool name for clients to receive IP addresses.

D

Incorrect. Configuring the AP port as an access port on VLAN 1 restricts traffic to a single VLAN. Since multiple SSIDs typically map to different VLANs, the port must be a trunk to carry all VLANs, including VLAN 300 for the guest SSID.

39
MCQ · hard

A network administrator has recently upgraded the corporate wireless LAN to support 802.11ax (Wi-Fi 6) and is using WPA3-Enterprise with a central WLC. Several users with new 802.11ax laptops report that they can connect to the SSID, but after a few minutes their connections drop and then re-establish, while legacy 802.11ac clients work without issues. Which action will resolve this problem?

A. Downgrade the WLAN security to WPA2-Enterprise for backward compatibility.
B. Enable Protected Management Frames (PMF) as Required on the WLAN.
C. Disable OFDMA and MU-MIMO on the WLC for the affected APs.
D. Adjust the 5 GHz channel width from 80 MHz to 40 MHz to avoid interference.
Answer: B

WPA3 and 802.11ax require PMF. Setting PMF to Required ensures that the AP and clients use encrypted management frames, preventing disconnections due to failed PMF negotiation or unprotected robust security network associations.

Why this answer

WPA3-Enterprise requires Protected Management Frames (PMF) to be set to 'Required' on the WLC. When PMF is not enabled or set to 'Optional', 802.11ax clients using WPA3 may experience intermittent disconnects because management frame protection is mandatory for WPA3 operation. Legacy 802.11ac clients using WPA2 do not require PMF, so they remain unaffected.

Exam trap

Cisco often tests the misconception that Wi-Fi 6 issues are caused by physical layer features like OFDMA or channel width, when the actual problem is a mandatory security configuration mismatch (PMF) between WPA3 and the WLC.

Why the other options are wrong

A

Downgrading to WPA2 is a common workaround when WPA3-related features aren't correctly configured, but it's not the correct solution for PMF-related disconnections.

C

Disabling Wi-Fi 6 features does not resolve authentication or management frame protection issues; this misconception stems from blaming new features for instability.

D

Changing channel width addresses co-channel interference and throughput, not authentication or management frame protection issues.

40
MCQ · hard

A client can join a secure employee SSID, but traffic is consistently placed into a guest-style restricted path. Which area should be investigated first?

A. The policy, role, or VLAN mapping applied after successful authentication.
B. Whether the client can see the SSID at all.
C. Whether the RADIUS server is returning a guest VLAN attribute.
D. Whether OSPF area 0 is configured on the client.
Answer: A

This is correct because the symptom points to wrong post-authentication placement.

Why this answer

The strongest first area to investigate is the mapping between the authenticated user or WLAN and the policy or VLAN that is applied afterward. In practical terms, the client is joining successfully, so the issue is not basic RF visibility or initial authentication. The clue is that the wrong access policy is being applied after the join process.

This is a highly realistic wireless policy troubleshooting scenario because the failure happens after successful connectivity setup.

Exam trap

Avoid assuming connectivity issues are always RF-related; consider post-authentication processes like VLAN assignment.

Why the other options are wrong

B

This option is wrong because the question already states that the client can join the secure SSID, indicating that the SSID is visible and accessible. Therefore, checking visibility is unnecessary.

C

While a misconfigured RADIUS server could cause this symptom, the question asks which area should be investigated first; checking the policy mapping applied after authentication is a more direct and likely cause.

D

This option is wrong because OSPF area 0 configuration pertains to routing protocols and network topology, which does not directly affect the client's access to the SSID or its traffic path after authentication.

41
PBQ · hard

You are connected to a Cisco 9800 WLC (WLC1) via its management interface. A wireless client reports association failures with SSID 'CorpNet'. The client uses WPA3-Personal, but the WLAN is configured for WPA2. Additionally, the SSID is hidden and the client is on the wrong VLAN (VLAN 20 instead of VLAN 100). Fix these issues so the client can associate successfully with WPA3, on VLAN 100, and with the SSID broadcast enabled.

Network Topology
192.168.100.2/24 · network · WLC1 · AP

Hints

  • Check the WLAN security settings: WPA3 requires 'security wpa wpa3' and removal of 'wpa2'.
  • The SSID is hidden; use 'broadcast-ssid' under the WLAN configuration.
  • The policy tag assigns VLAN 20; change it to VLAN 100 to match client requirements.

A. Enable SSID broadcast, change security to WPA3-Personal, and assign VLAN 100 in the policy tag.
B. Enable SSID broadcast, change security to WPA2-PSK, and assign VLAN 20 in the policy tag.
C. Disable SSID broadcast, change security to WPA3-Personal, and assign VLAN 100 in the policy tag.
D. Enable SSID broadcast, change security to WPA3-Enterprise, and assign VLAN 100 in the policy tag.
Answer: A

Solution
! WLC1
configure terminal
wlan CorpNet 1 CorpNet
broadcast-ssid
no security wpa wpa2
security wpa wpa3
security wpa psk set-ccmp 0 7 1234567890
exit
wireless tag policy default-policy
vlan 100
end
write memory

Why this answer

The WLAN was configured for WPA2-PSK with a hidden SSID, and the policy tag assigned VLAN 20 instead of VLAN 100. To fix: (1) Enable SSID broadcast with 'broadcast-ssid'. (2) Change security to WPA3-Personal by removing WPA2 and enabling WPA3 with 'security wpa wpa3' and 'security wpa psk set-ccmp'. (3) Assign VLAN 100 in the policy tag with 'vlan 100'. The client should then associate.

Exam trap

Be careful to distinguish between WPA2 and WPA3, and between Personal (PSK) and Enterprise (802.1X). Also, remember that a hidden SSID must be broadcast for clients to discover it, and VLAN assignment is done in the policy tag, not the SSID configuration.

Why the other options are wrong

B

The client uses WPA3-Personal, so changing to WPA2-PSK does not meet the requirement. Also, VLAN 20 is the wrong VLAN.

C

The SSID is currently hidden and the client cannot see it; enabling broadcast is required, not disabling it.

D

WPA3-Personal uses a pre-shared key, while WPA3-Enterprise requires 802.1X authentication. The client is configured for Personal mode.

42
Drag & Drop · hard

Drag and drop the following steps into the correct order to configure a WLAN for WPA3-Enterprise on a Cisco WLC and sequence a wireless client association process.

Why this order

The configuration creates the WLAN with WPA3-Enterprise security, enables it, then the client associates and completes 802.1X authentication before getting an IP.

Exam trap

Do not confuse the order of 802.1X authentication and DHCP. In WPA3-Enterprise, the client must authenticate before obtaining an IP address. Also, remember that a WLAN must be created before it can be enabled, and it must be enabled before clients can associate.

43
MCQ · hard

An administrator deploys a new WLAN on a Cisco 9800 WLC using WPA3-Personal (SAE) with AES encryption. A single 802.11ax laptop running Windows 10 fails to connect, displaying an authentication timeout despite entering the correct passphrase. Other clients, including legacy 802.11ac devices, connect without issue.

A. The WLC’s WLAN is misconfigured for WPA3-Enterprise, and the laptop lacks a supplicant for 802.1X authentication.
B. The laptop’s wireless adapter does not support Protected Management Frames, which are mandatory for WPA3-Personal.
C. The WLC has disabled 802.11ax OFDMA on the 5 GHz band, preventing the 802.11ax laptop from associating.
D. The laptop’s driver is configured for 160 MHz channel width, which is incompatible with the WLC’s channel plan, causing authentication to fail.
Answer: B

PMF is a prerequisite for WPA3. If the client cannot negotiate PMF, the SAE authentication will time out. This explains why only that laptop fails, even though it supports 802.11ax.

Why this answer

WPA3-Personal (SAE) mandates the use of Protected Management Frames (PMF) as defined in IEEE 802.11w. If the laptop's wireless adapter or driver does not support PMF, it cannot complete the SAE handshake, resulting in an authentication timeout. Legacy 802.11ac clients can connect because they are using WPA2, which does not require PMF.

Exam trap

Cisco often tests the mandatory dependency of Protected Management Frames (802.11w) for WPA3-Personal, leading candidates to incorrectly attribute the failure to channel width or OFDMA incompatibility.

Why the other options are wrong

A

Misidentifying the WLAN security type: WPA3-Personal does not require an enterprise supplicant, so this is not the cause.

C

Confusing radio resource management with connection establishment: OFDMA settings do not block initial association, only data transmission efficiency.

D

Misattributing connection failures to channel bandwidth settings; these are negotiated after successful association and do not impact the 802.11 authentication and association phases.

44
MCQ · hard

A user reports that a laptop can connect to the correct SSID but repeatedly fails authentication when joining the WLAN. Which category of issue is most strongly indicated?

A. A security or authentication mismatch related to WLAN access
B. A missing OSPF router ID on the access point
C. A routed-port mismatch on the switch uplink
D. A DHCP relay problem on the client
Answer: A

This is correct because the client can discover the SSID but fails when authentication should succeed.

Why this answer

The strongest indication is a wireless security or authentication mismatch rather than a pure RF coverage problem. In practical terms, the laptop can already see and attempt to join the correct SSID, which means discovery is working. Repeated authentication failure points more directly to credentials, security settings, or authentication-policy alignment than to channel or signal absence.

This question is about recognizing the stage of failure. The client is finding the WLAN, but it is not being accepted onto it.

Exam trap

A common exam trap is selecting options related to routing protocols or DHCP relay issues when a client fails to authenticate on a WLAN. Candidates may incorrectly assume that IP configuration problems or routing mismatches cause authentication failures. However, authentication occurs before IP assignment, so DHCP or OSPF issues cannot cause repeated authentication failures.

This trap distracts from the correct focus on wireless security settings and credentials, which are the root cause when a client sees the SSID but cannot authenticate.

Why the other options are wrong

B

Incorrect. OSPF router IDs are relevant to routing protocols and do not affect wireless client authentication or SSID association processes.

C

Incorrect. Routed-port mismatches on switch uplinks affect wired network traffic forwarding but do not cause wireless authentication failures at the client level.

D

Incorrect. DHCP relay problems affect IP address assignment after authentication; since the client fails authentication repeatedly, DHCP issues are not the cause.
