CCNA Wireless Security Protocols Questions

30 questions · Wireless Security Protocols topic · All types, answers revealed

1
MCQ · easy

A company's IT policy requires that all wireless traffic be encrypted using the strongest available protocol. A technician is configuring a new access point that supports WPA3-SAE, WPA2-PSK with AES, and WPA2-PSK with TKIP. Which configuration meets the policy?

A. WPA2-PSK with TKIP.
B. WPA2-PSK with AES.
C. WPA3-SAE.
D. A mixed mode of WPA2 and WPA3.
Answer: C

WPA3-SAE is the current strongest standard, offering improved security over WPA2.

Why this answer

WPA3-SAE is the strongest available wireless security protocol, providing forward secrecy and stronger authentication than WPA2. It is the correct choice for maximum security.

2
MCQ · medium

A user reports that their corporate laptop can connect to the guest Wi-Fi network but not to the internal corporate network. Both networks use WPA2-Enterprise with 802.1X. The laptop works fine on other corporate networks. What is the most likely issue?

A. The laptop's wireless card is faulty.
B. The corporate network's RADIUS certificate has expired or is untrusted.
C. The corporate network is using a different SSID than expected.
D. The laptop's Wi-Fi profile is configured for WPA2-Personal instead of Enterprise.
Answer: B

Correct. Expired or untrusted certificates cause 802.1X authentication to fail, while the guest network (likely PSK) works fine.

Why this answer

WPA2-Enterprise uses RADIUS for authentication. A common issue is that the laptop's certificate for the corporate network has expired or is not trusted by the specific RADIUS server. Guest networks often use simpler authentication like PSK, which bypasses certificate requirements.

3
MCQ · easy

A customer complains that their new smartphone connects to their home Wi-Fi but has no internet access. The router is configured with WPA2-PSK and a 64-character pre-shared key. Other devices work fine. What is the most likely cause?

A. The smartphone's Wi-Fi antenna is faulty.
B. The smartphone is using a wrong or mistyped Wi-Fi password.
C. The router's DHCP server has run out of IP addresses.
D. The smartphone's DNS settings are misconfigured.
Answer: B

Correct. A mistyped 64-character password would cause authentication failure, preventing internet access even though the device appears connected.

Why this answer

WPA2-PSK with a 64-character key is extremely long and easy to mistype. The smartphone likely has an incorrect password stored, so it authenticates to the router but fails to get an IP address because the router rejects the mismatched key during the 4-way handshake.

4
MCQ · hard

A technician is troubleshooting a wireless network where users report intermittent connectivity and slow speeds. The network uses WPA2-Enterprise with EAP-TLS and certificate-based authentication. The technician notices that the RADIUS server logs show frequent certificate validation failures. What is the most likely root cause?

A. The access point's firmware is outdated, causing packet loss.
B. The RADIUS server's certificate has expired.
C. Client devices have expired or untrusted certificates.
D. The wireless channel is overlapping with neighboring networks.
Answer: C

Correct. Expired client certificates cause intermittent authentication failures, leading to disconnects and reconnects.

Why this answer

EAP-TLS requires both the server and client to present valid certificates. If the client certificates are expired or not trusted by the RADIUS server, authentication will fail. This causes intermittent disconnects as clients attempt to reauthenticate.

5
MCQ · medium

A company's security policy requires all wireless traffic to be encrypted with AES. A technician is configuring a new access point and sees the following options: WPA2-PSK (TKIP), WPA2-PSK (AES), WPA3-SAE, and WEP. Which option should the technician select?

A. WPA2-PSK (TKIP)
B. WPA2-PSK (AES)
C. WPA3-SAE
D. WEP
Answer: C

Correct. WPA3-SAE uses AES encryption and provides stronger security than WPA2, making it the best choice.

Why this answer

WPA3-SAE uses AES encryption by default and is the most secure option. It also provides forward secrecy and protection against offline dictionary attacks. The policy requires AES, and WPA3 meets that while being the latest standard.

6
MCQ · medium

During a security audit, a technician discovers that a small office's wireless router is still using WPA-TKIP. The office has 20 devices, including some older smartphones that cannot support WPA2. What should the technician recommend to improve security without replacing all devices?

A. Keep WPA-TKIP but enable MAC address filtering to block unauthorized devices.
B. Upgrade the router to support WPA2 and configure it to use WPA2-PSK with AES encryption.
C. Change the SSID to something non-descript and disable SSID broadcast.
D. Switch to WPA3 and set up a separate guest network for older devices.
Answer: B

Correct. WPA2 with AES is secure and supported by almost all devices made after 2006, including most older smartphones.

Why this answer

WPA-TKIP is vulnerable and should be replaced. The best approach is to upgrade the router to support WPA2 and use WPA2-PSK with AES, which is backward-compatible with most devices. If some devices truly cannot support WPA2, they should be replaced or isolated.

7
MCQ · medium

A technician is configuring a wireless network for a school that uses Chromebooks and iPads. The network must support fast roaming and prioritize security. The technician enables WPA2-Enterprise with 802.1X. What additional configuration is needed to ensure seamless roaming between access points?

A. Enable WPA3-SAE on all access points.
B. Configure all access points with the same SSID and passphrase.
C. Enable 802.11r (Fast Roaming) on the wireless controller.
D. Disable WPS on all access points.
Answer: C

802.11r reduces the time required for re-authentication during roaming.

Why this answer

Fast roaming (802.11r) allows clients to quickly re-authenticate when moving between access points, reducing latency. WPA2-Enterprise alone does not provide fast roaming; 802.11r must be enabled on the controller and access points.

8
MCQ · medium

During a wireless site survey, a technician discovers that an employee has set up a personal wireless router in their cubicle, connected to the corporate network. This rogue access point is broadcasting an open SSID. Which security risk is most immediately concerning?

A. The rogue AP may cause radio frequency interference with the corporate WLAN.
B. The rogue AP provides an unencrypted entry point for attackers to access the corporate network.
C. The rogue AP will consume additional power from the corporate UPS.
D. The rogue AP's DHCP server may conflict with the corporate DHCP server.
Answer: B

An open SSID means no encryption or authentication, allowing anyone to connect and potentially launch attacks or access sensitive data.

Why this answer

An open rogue access point allows anyone within range to connect to the corporate network without authentication, bypassing all security controls. This is a severe security incident. The question tests knowledge of rogue AP risks and the importance of wireless security policies.

9
MCQ · medium

A customer reports that their laptop frequently disconnects from the office Wi-Fi and reconnects after a few seconds. The network uses WPA2-PSK with AES encryption. The technician checks the router logs and sees repeated '4-way handshake timeout' errors. What is the most likely cause of this issue?

A. The laptop is using an outdated WEP encryption protocol.
B. The router's DHCP lease time is set too short.
C. The laptop is too far from the access point, causing intermittent signal loss.
D. The router is configured for WPA2-Enterprise instead of WPA2-PSK.
Answer: C

Weak signal can cause the 4-way handshake to time out, leading to disconnections.

Why this answer

The 4-way handshake timeout errors indicate that the laptop cannot complete the WPA2 authentication process, often due to signal interference or weak signal strength. While other options could cause connectivity issues, the specific handshake timeout points to a problem with the wireless signal or authentication process.

10
MCQ · medium

A technician is setting up a guest Wi-Fi network in a coffee shop. The owner wants customers to be able to connect easily without entering a password, but still wants basic encryption to prevent eavesdropping. Which security configuration should the technician use?

A. Set up an open network with no encryption and a captive portal for terms of service.
B. Use WPA2-PSK with a simple password like 'coffee123'.
C. Enable WPA3-Enterprise with certificate-based authentication.
D. Use WEP with a shared key printed on a receipt.
Answer: A

An open network allows easy access without a password, and a captive portal can enforce acceptable use, but it does not encrypt traffic; this matches the owner's request for no password.

Why this answer

WPA3-Personal offers an 'Enhanced Open' mode (OWE) that provides encryption without a password, but WPA2-PSK with a simple password is more common. The scenario explicitly asks for 'no password' and 'basic encryption'. An open network with a captive portal satisfies the first requirement but does not provide encryption.

The best compromise is to use WPA3-Enhanced Open (OWE) if supported. Since that may not be an option, the correct choice among those listed is an open network with a captive portal for ease of access, and the question expects the technician to explain that an open network cannot provide encryption.

This tests understanding of trade-offs between security and convenience.

11
MCQ · medium

A technician is setting up a wireless network for a small office that handles sensitive client data. The office has a mix of modern laptops and a few legacy printers that only support WEP. What should the technician do to maintain security while keeping the printers functional?

A. Enable WEP on the main router and set a complex 128-bit key.
B. Replace the printers with modern ones that support WPA2.
C. Create a separate VLAN for the printers using WEP and a strong passphrase, and keep the main network on WPA2.
D. Set the router to mixed mode (WEP + WPA2) and use a single SSID.
Answer: C

Correct. This isolates the insecure WEP traffic to the printer VLAN, protecting the main network and sensitive data.

Why this answer

WEP is deprecated due to severe vulnerabilities. The best practice is to isolate legacy devices on a separate VLAN with WEP and use a strong passphrase, while the main network uses WPA2 or WPA3. This limits exposure of sensitive data.

12
MCQ · medium

A company's IT policy requires that all wireless connections use certificate-based authentication to prevent unauthorized access. The network is currently using WPA2-PSK. Which configuration change is necessary to meet this policy?

A. Enable MAC address filtering on the access point.
B. Upgrade to WPA3-Personal.
C. Switch to WPA2-Enterprise and configure a RADIUS server.
D. Change the encryption from AES to TKIP.
Answer: C

WPA2-Enterprise supports 802.1X authentication, which can use certificates issued by a RADIUS server, meeting the policy requirement.

Why this answer

Certificate-based authentication is a feature of WPA2-Enterprise (802.1X), not WPA2-Personal. This requires a RADIUS server and PKI infrastructure. The question tests the understanding of the difference between Personal and Enterprise modes.

13
MCQ · hard

A network administrator is investigating a security incident where an attacker captured the 4-way handshake of a WPA2-PSK network and successfully cracked the passphrase. Which protocol change would most effectively prevent this type of attack in the future?

A. Switch to WPA2-Enterprise with 802.1X and a RADIUS server.
B. Increase the WPA2-PSK passphrase length to 63 characters.
C. Upgrade to WPA3-SAE.
D. Enable MAC address filtering on the access point.
Answer: C

Correct. WPA3-SAE uses SAE, which eliminates the possibility of offline dictionary attacks by design, making handshake capture useless.

Why this answer

WPA3-SAE uses Simultaneous Authentication of Equals (SAE), which provides forward secrecy. This means that even if an attacker captures the handshake, they cannot crack the passphrase offline because the handshake does not contain enough information to derive the key.

14
MCQ · easy

A user reports that their smartphone cannot connect to the office Wi-Fi, but other devices can. The network uses WPA2-Enterprise with PEAP-MSCHAPv2. The technician checks the phone's settings and sees that it is configured for WPA2-PSK. What is the most likely reason for the connection failure?

A. The phone's Wi-Fi antenna is damaged.
B. The phone is using the wrong security protocol.
C. The router's SSID is hidden.
D. The phone's MAC address is filtered.
Answer: B

WPA2-PSK uses a shared key, while WPA2-Enterprise uses 802.1X authentication.

Why this answer

WPA2-Enterprise requires a username and password or certificate for authentication, not a pre-shared key. The phone's WPA2-PSK setting is incompatible with the network's authentication method.

15
MCQ · medium

A user's laptop running Windows 10 Pro connects to the corporate Wi-Fi but cannot access internal resources. The network uses WPA2-Enterprise with PEAP-MSCHAPv2. The laptop's wireless profile is configured correctly. Other users in the same office can access resources. What is the most likely cause?

A. The laptop's wireless adapter is faulty.
B. The user's domain account is locked or the password has expired.
C. The access point is broadcasting on a congested channel.
D. The laptop has an incorrect IP address from DHCP.
Answer: B

PEAP-MSCHAPv2 uses domain credentials; an account issue would prevent successful authentication and network access.

Why this answer

In a WPA2-Enterprise environment, the user's domain credentials are used for authentication. If the account is locked or the password has expired, authentication will fail even though the wireless association succeeds. This tests understanding of enterprise authentication integration.

16
MCQ · hard

A security incident occurs where an attacker captures the 4-way handshake of a WPA2-PSK network and successfully cracks the passphrase offline. The technician is tasked with preventing this type of attack in the future. Which protocol should the technician implement?

A. WPA2-PSK with a longer passphrase.
B. WPA3-SAE.
C. WPA2-Enterprise with PEAP-MSCHAPv2.
D. WPA2-PSK with TKIP.
Answer: B

WPA3-SAE uses SAE, which is resistant to offline dictionary attacks, even if the handshake is captured.

Why this answer

WPA3-SAE uses Simultaneous Authentication of Equals (SAE), which provides forward secrecy and prevents offline dictionary attacks. WPA2-PSK is vulnerable to handshake capture and offline cracking.

17
MCQ · easy

A small business owner reports that after upgrading their wireless router to a newer model, their older laptops running Windows 7 cannot connect to the Wi-Fi network. The new router is configured with WPA3-Personal. Which of the following is the most likely reason for the connectivity failure?

A. The router's SSID is hidden.
B. The laptops' wireless adapters do not support WPA3.
C. The router is broadcasting on a 5 GHz band only.
D. The laptops have incorrect DNS settings.
Answer: B

WPA3 is a newer security standard; older hardware and drivers often lack support, forcing a fallback to WPA2 or causing connection failures.

Why this answer

WPA3 is not supported on older operating systems like Windows 7, which only support up to WPA2. The correct solution is to either downgrade to WPA2 or update the wireless adapter drivers if possible. This question tests knowledge of backward compatibility between WPA2 and WPA3.

18
MCQ · hard

A network administrator is configuring a new wireless network for a hospital that requires the highest level of security for patient data. The network must support 802.1X authentication with smart cards. Which combination of security protocols and authentication methods should be used?

A. WPA2-PSK with PEAP-MSCHAPv2.
B. WPA3-Personal with SAE.
C. WPA2-Enterprise with EAP-TLS.
D. WPA3-Enterprise with EAP-TTLS.
Answer: C

WPA2-Enterprise supports 802.1X, and EAP-TLS uses certificates for mutual authentication, compatible with smart cards.

Why this answer

WPA2-Enterprise (or WPA3-Enterprise) with EAP-TLS provides certificate-based authentication, which can use smart cards. EAP-TLS is considered the most secure because it requires both client and server certificates. This tests knowledge of enterprise authentication methods and their security levels.

19
MCQ · medium

A technician is configuring a new wireless network for a school. The network must support hundreds of student devices simultaneously and provide strong security. The school wants to use a single SSID with individual logins for students. Which security protocol should the technician choose?

A. WPA2-PSK with a long passphrase.
B. WPA2-Enterprise with 802.1X and RADIUS.
C. WPA3-Enterprise with 192-bit encryption.
D. WPA3-Personal with SAE.
Answer: C

Correct. WPA3-Enterprise provides individual authentication via 802.1X and uses 192-bit encryption, meeting the school's needs for security and scalability.

Why this answer

WPA3-Enterprise with 192-bit encryption is the most secure option for environments requiring individual authentication and high traffic. It provides stronger encryption and protection against dictionary attacks compared to WPA2-Enterprise.

20
MCQ · easy

A technician is setting up a wireless network for a home office. The client is concerned about neighbors accessing their internet. The technician enables WPA2-PSK with a strong passphrase. Which additional step should the technician take to ensure the network is as secure as possible?

A. Enable WPS for easy device pairing.
B. Disable SSID broadcast.
C. Disable WPS on the router.
D. Enable MAC address filtering.
Answer: C

WPS is a common attack vector; disabling it forces attackers to crack the passphrase directly.

Why this answer

Disabling WPS prevents attackers from using brute-force attacks to guess the PIN and retrieve the passphrase. WPA2-PSK with a strong passphrase is secure, but WPS can bypass that security.

21
MCQ · easy

A customer calls saying their home Wi-Fi network suddenly stopped working after they changed the router's security mode from WPA2-PSK to WPA2-Enterprise. All their devices previously connected fine. What is the most likely cause of the problem?

A. The router's firmware is outdated.
B. The devices do not support the new encryption cipher.
C. The router is now requiring a username and password from a RADIUS server, which the home network lacks.
D. The SSID was changed during the configuration.
Answer: C

WPA2-Enterprise relies on 802.1X authentication with a RADIUS server; home networks typically do not have this infrastructure, so devices cannot authenticate.

Why this answer

WPA2-Enterprise requires a RADIUS authentication server, which is not present in a typical home network. WPA2-PSK uses a pre-shared key, which is standard for home use. This question tests the understanding of the difference between Personal and Enterprise modes.

22
MCQ · easy

A small business owner reports that after upgrading their wireless router to a newer model, several older laptops running Windows 7 can no longer connect to the Wi-Fi network. The new router is configured to use WPA3. What is the most likely reason for the connection failures?

A. The laptops have outdated wireless drivers that do not support WPA3.
B. The router's firewall is blocking the older laptops' MAC addresses.
C. The laptops are using an incompatible encryption cipher like TKIP.
D. The router's SSID is hidden, and the laptops cannot discover it.
Answer: A

Correct. Older Windows 7 laptops typically lack WPA3 support in both drivers and OS, making them unable to authenticate with a WPA3-only network.

Why this answer

WPA3 is the latest wireless security protocol, but it is not backward-compatible with older operating systems like Windows 7, which only support WPA2. The technician should configure the router to use WPA2/WPA3 mixed mode or WPA2 only to ensure compatibility with all devices.

23
MCQ · easy

During a security audit at a law firm, the IT manager wants to ensure that all wireless communication is encrypted with the strongest available standard that is also compatible with their mix of Windows 10 laptops and iOS tablets. Which security protocol should you recommend?

A. WEP
B. WPA2-TKIP
C. WPA3-Personal
D. WPA2-Enterprise
Answer: C

WPA3-Personal provides the strongest security for a small office environment without a RADIUS server, and is backward compatible with WPA2 devices.

Why this answer

WPA3 is the latest Wi-Fi security standard, offering stronger encryption (GCMP-256) and improved authentication (SAE). It is backward compatible with WPA2 devices, making it suitable for mixed environments. This question tests knowledge of current wireless security standards and their compatibility.

24
MCQ · easy

During a security audit, a technician discovers that a company's wireless network uses WEP encryption. The network has been in place for 10 years and still uses the original router. What is the most immediate security risk?

A. The router may not support modern encryption protocols.
B. WEP keys can be easily cracked using tools like Aircrack-ng.
C. The router's firmware is likely outdated and vulnerable to exploits.
D. WEP does not support WPA2-PSK, so clients must use a different protocol.
Answer: B

WEP's weak RC4 encryption allows attackers to capture packets and derive the key quickly.

Why this answer

WEP encryption is fundamentally flawed and can be cracked in minutes with readily available tools. This is the most pressing risk, as it allows attackers to decrypt traffic and potentially access the network.

25
MCQ · hard

A company's security policy mandates that all wireless traffic must be encrypted using a protocol that is resistant to KRACK attacks. The current network uses WPA2-PSK with AES. Which of the following upgrades should be implemented to meet this requirement?

A. Change the encryption from AES to TKIP.
B. Enable WPA2-Enterprise with 802.1X.
C. Upgrade to WPA3-Personal.
D. Implement MAC address filtering.
Answer: C

WPA3 uses SAE, which is resistant to KRACK attacks because it uses a different handshake process that prevents key reinstallation.

Why this answer

KRACK attacks exploit vulnerabilities in the WPA2 protocol's four-way handshake. WPA3 is designed to mitigate these attacks through the use of SAE (Simultaneous Authentication of Equals) and 256-bit encryption. This question tests knowledge of specific vulnerabilities and the corresponding protocol improvements.

26
MCQ · medium

A user reports that their Windows 11 laptop can see the office Wi-Fi network but fails to connect, displaying 'Can't connect to this network'. Other users with the same laptop model connect without issues. The network uses WPA2-PSK with AES. What should you check first?

A. Update the wireless adapter driver.
B. Change the router's security protocol to WPA3.
C. Forget the network on the laptop and reconnect by entering the passphrase again.
D. Disable the firewall on the laptop.
Answer: C

This clears any incorrect saved credentials and allows the user to enter the correct passphrase, resolving authentication mismatches.

Why this answer

A mismatch in the saved passphrase is a common cause of connection failures when the network is visible. The correct answer is to forget the network and re-enter the correct passphrase. This tests troubleshooting skills for wireless authentication issues.

27
MCQ · medium

A technician is configuring a wireless network for a new office. The network must support legacy devices that only support WPA-TKIP, but the technician also wants to maximize security for modern devices. Which configuration should the technician use?

A. Enable WPA3-SAE for all devices.
B. Use WPA2-PSK with TKIP encryption.
C. Configure the router for WPA2-PSK with AES and enable WPA-TKIP as a fallback.
D. Set up a separate SSID with WPA-TKIP for legacy devices and another SSID with WPA2-AES for modern devices.
Answer: D

This isolates legacy devices on a less secure network while allowing modern devices to use the stronger encryption.

Why this answer

WPA2-PSK with AES is the most secure option, but it is not backward compatible with WPA-TKIP devices. The technician must choose between compatibility and security; the best practice is to upgrade legacy devices or use a separate network for them.

28
MCQ · medium

A user reports that their laptop frequently disconnects from the office Wi-Fi and reconnects after a few seconds. The network uses WPA2-Enterprise with PEAP-MSCHAPv2. Other users do not experience this issue. What is the most likely cause?

A. The laptop's wireless driver is outdated.
B. The RADIUS server is rejecting the laptop's certificate intermittently.
C. The office Wi-Fi channel is congested.
D. The laptop's power saving mode is turning off the Wi-Fi adapter.
Answer: B

Correct. Intermittent certificate rejection during reauthentication causes the laptop to disconnect and then reconnect after a new authentication attempt.

Why this answer

PEAP-MSCHAPv2 is prone to authentication timeouts if the RADIUS server is slow or if the client's certificate validation fails. This can cause periodic disconnects. The issue is specific to the client's configuration or certificate trust.

29
MCQ · hard

A technician is troubleshooting a wireless network where users report intermittent connectivity. The network uses WPA2-Enterprise with a RADIUS server. The technician notices that the RADIUS server logs show frequent authentication failures from one specific access point. What is the most likely cause?

A. The access point is using a different channel than the others.
B. The RADIUS server certificate has expired.
C. The access point's RADIUS shared secret is incorrect.
D. The clients are using WPA2-PSK instead of WPA2-Enterprise.
Answer: C

The shared secret is used for authentication between the AP and RADIUS server; a mismatch causes failures.

Why this answer

A mismatched pre-shared key or RADIUS secret between the access point and the RADIUS server will cause authentication failures. Other options like channel interference or encryption mismatch would not specifically show RADIUS authentication failures.

30
MCQ · medium

A small business owner wants to replace their old wireless router because guests have been using the network to access inappropriate content. The owner wants to isolate guest traffic from the main business network and enforce content filtering. Which combination of wireless security and features should the technician recommend?

A. WPA3-Personal with MAC address filtering.
B. WPA2-PSK with a guest network enabled and content filtering via OpenDNS.
C. WPA2-Enterprise with a RADIUS server and no guest network.
D. WEP encryption with a hidden SSID.
Answer: B

A guest network isolates traffic, and DNS-based content filtering blocks inappropriate sites.

Why this answer

WPA2-PSK with a separate guest network and content filtering DNS provides both security and isolation. WPA3 is not yet widely supported on all devices, and MAC filtering is not effective for guest isolation.
