A network engineer is deploying a new WLAN and needs to ensure that client traffic is encrypted using AES with a pre-shared key. Which security configuration should be applied to the wireless SSID?
WPA2-PSK with AES meets the requirements.
Why this answer
WPA2-PSK with AES is the correct choice because the requirement specifies AES encryption with a pre-shared key. WPA2-PSK (Wi-Fi Protected Access 2 – Pre-Shared Key) mandates AES-CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol) as the encryption protocol, providing strong, standards-compliant security for client traffic. This configuration directly satisfies the need for both AES encryption and PSK authentication.
Exam trap
Cisco often tests the distinction between encryption protocols (AES vs. TKIP) and authentication methods (PSK vs. Enterprise), so the trap here is that candidates may confuse WPA3-PSK as the only option for AES, overlooking that WPA2-PSK with AES is a valid and commonly deployed configuration that meets the same requirement.
How to eliminate wrong answers
Option B is wrong because WPA3-PSK uses AES encryption but introduces Simultaneous Authentication of Equals (SAE) instead of a traditional pre-shared key handshake; while it supports PSK, the question explicitly asks for a configuration that ensures AES with a pre-shared key, and WPA3-PSK is not the only or most direct answer given the options. Option C is wrong because WPA2-PSK with TKIP uses the RC4-based Temporal Key Integrity Protocol, not AES, which violates the requirement for AES encryption. Option D is wrong because WEP (Wired Equivalent Privacy) does not support AES; it uses RC4 encryption and is deprecated due to severe security vulnerabilities, making it incompatible with the AES requirement.