CCNA Wireless Security Protocols Questions

30 questions · Wireless Security Protocols · All types, answers revealed

1
MCQeasy

A company's IT policy requires that all wireless traffic be encrypted using the strongest available protocol. A technician is configuring a new access point that supports WPA3-SAE, WPA2-PSK with AES, and WPA2-PSK with TKIP. Which configuration meets the policy?

A.WPA2-PSK with TKIP.
B.WPA2-PSK with AES.
C.WPA3-SAE.
D.A mixed mode of WPA2 and WPA3.
AnswerC

WPA3-SAE is the current strongest standard, offering improved security over WPA2.

Why this answer

WPA3-SAE (Simultaneous Authentication of Equals) is the strongest available wireless encryption protocol among the options, as it replaces the pre-shared key (PSK) model with a more secure handshake that provides forward secrecy and is resistant to offline dictionary attacks. The IT policy requires the strongest available protocol, and WPA3-SAE is superior to both WPA2-PSK variants, making option C the correct choice.

Exam trap

A common misconception is that WPA2-PSK with AES is the strongest option because it uses the AES cipher, but the trap here is that the security of the authentication handshake (SAE vs. PSK) is more critical than the encryption cipher, and WPA3-SAE provides a fundamentally stronger authentication mechanism.

How to eliminate wrong answers

Option A is wrong because WPA2-PSK with TKIP uses the deprecated TKIP cipher, which is vulnerable to attacks like MIC key recovery and is not the strongest available protocol. Option B is wrong because although WPA2-PSK with AES (CCMP) is more secure than TKIP, it still uses the four-way handshake that is susceptible to offline dictionary attacks and lacks forward secrecy, making it weaker than WPA3-SAE. Option D is wrong because a mixed mode of WPA2 and WPA3 would allow clients to connect using WPA2, which is less secure than WPA3-SAE alone, and does not enforce the strongest encryption for all traffic as required by the policy.

2
MCQmedium

A user reports that their corporate laptop can connect to the guest Wi-Fi network but not to the internal corporate network. Both networks use WPA2-Enterprise with 802.1X. The laptop works fine on other corporate networks. What is the most likely issue?

A.The laptop's wireless card is faulty.
B.The corporate network's RADIUS certificate has expired or is untrusted.
C.The corporate network is using a different SSID than expected.
D.The laptop's Wi-Fi profile is configured for WPA2-Personal instead of Enterprise.
AnswerB

Correct. Expired or untrusted certificates cause 802.1X authentication to fail, while the guest network (likely PSK) works fine.

Why this answer

The laptop connects to guest Wi-Fi but not the corporate network, and works on other corporate networks, isolating the issue to the specific corporate network's RADIUS authentication. Since both networks use WPA2-Enterprise with 802.1X, the most likely cause is that the corporate network's RADIUS certificate has expired or is untrusted, causing the 802.1X EAP-TLS or PEAP handshake to fail. The guest network likely uses a different authentication method (e.g., PSK or a separate RADIUS server with a valid certificate), explaining why it works.

Exam trap

CompTIA often tests the distinction between association (Layer 2) and authentication (EAP/802.1X), trapping candidates who assume a connection failure is due to signal or hardware rather than certificate trust issues.

How to eliminate wrong answers

Option A is wrong because a faulty wireless card would affect connectivity to both the guest and corporate networks, not just the corporate one, and the laptop works fine on other corporate networks. Option C is wrong because a different SSID would prevent the laptop from even seeing or attempting to connect to the corporate network, yet the user reports a connection attempt that fails, implying the SSID is known and selected. Option D is wrong because if the profile were configured for WPA2-Personal instead of Enterprise, the laptop would fail to authenticate on any WPA2-Enterprise network, including the guest network (if it also uses 802.1X), and the laptop works on other corporate networks, ruling out a profile mismatch.

3
MCQeasy

A customer complains that their new smartphone connects to their home Wi-Fi but has no internet access. The router is configured with WPA2-PSK and a 64-character pre-shared key. Other devices work fine. What is the most likely cause?

A.The smartphone's Wi-Fi antenna is faulty.
B.The smartphone is using a wrong or mistyped Wi-Fi password.
C.The router's DHCP server has run out of IP addresses.
D.The smartphone's DNS settings are misconfigured.
AnswerB

Correct. A mistyped 64-character password would cause authentication failure, preventing internet access even though the device appears connected.

Why this answer

The most likely cause is a mistyped or incorrect Wi-Fi password. Since the smartphone connects to the Wi-Fi network (association and authentication succeed at Layer 2) but has no internet access, the device is likely using a wrong pre-shared key that still allows partial connectivity due to WPA2-PSK's four-way handshake behavior—if the key is incorrect, the handshake fails, but some implementations may show a 'connected' status without proper encryption. Other devices work fine, ruling out router-side issues like DHCP exhaustion or DNS misconfiguration.

Exam trap

Cisco often tests the distinction between 'connected to Wi-Fi' (Layer 2 association) and 'has internet access' (Layer 3 connectivity), trapping candidates who assume any connectivity issue must be DHCP or DNS related, when the root cause is often an authentication failure due to a mistyped password.

How to eliminate wrong answers

Option A is wrong because a faulty Wi-Fi antenna would prevent the smartphone from connecting to the Wi-Fi at all, not just block internet access. Option C is wrong because if the router's DHCP server had run out of IP addresses, the smartphone would fail to obtain an IP address and would not show a 'connected' status; other devices working fine also indicates DHCP is functional. Option D is wrong because DNS misconfiguration would still allow the smartphone to have internet access via IP addresses (e.g., pinging 8.8.8.8 would work), and the symptom is a complete lack of internet access, not just name resolution failure.

4
MCQhard

A technician is troubleshooting a wireless network where users report intermittent connectivity and slow speeds. The network uses WPA2-Enterprise with EAP-TLS and certificate-based authentication. The technician notices that the RADIUS server logs show frequent certificate validation failures. What is the most likely root cause?

A.The access point's firmware is outdated, causing packet loss.
B.The RADIUS server's certificate has expired.
C.Client devices have expired or untrusted certificates.
D.The wireless channel is overlapping with neighboring networks.
AnswerC

Correct. Expired client certificates cause intermittent authentication failures, leading to disconnects and reconnects.

Why this answer

The RADIUS server logs show frequent certificate validation failures, which directly points to an issue with the certificates presented by the clients during EAP-TLS authentication. In WPA2-Enterprise with EAP-TLS, both the server and client must present valid certificates; if client certificates are expired or untrusted, the RADIUS server will reject the authentication, causing intermittent connectivity and slow speeds as clients fail to re-authenticate or roam.

Exam trap

Cisco often tests the distinction between server-side and client-side certificate issues; the trap here is that candidates may assume the RADIUS server's certificate is the problem (Option B) because it is the central authentication point, but the logs specifically show 'validation failures' which in EAP-TLS typically refer to the client certificate failing validation by the server.

How to eliminate wrong answers

Option A is wrong because outdated access point firmware could cause packet loss or performance issues, but it would not produce certificate validation failures in the RADIUS server logs; certificate errors are specific to the authentication process. Option B is wrong because if the RADIUS server's certificate had expired, clients would fail to validate the server, and the logs would show server certificate errors, not frequent client certificate validation failures; the question states the logs show certificate validation failures, which are client-side. Option D is wrong because overlapping wireless channels cause interference, leading to slow speeds and disconnections, but they do not generate certificate validation failures in RADIUS logs; those logs are authentication-specific.

5
MCQmedium

A company's security policy requires all wireless traffic to be encrypted with AES. A technician is configuring a new access point and sees the following options: WPA2-PSK (TKIP), WPA2-PSK (AES), WPA3-SAE, and WEP. Which option should the technician select?

A.WPA2-PSK (TKIP)
B.WPA2-PSK (AES)
C.WPA3-SAE
D.WEP
AnswerC

Correct. WPA3-SAE uses AES encryption and provides stronger security than WPA2, making it the best choice.

Why this answer

C is correct because WPA3-SAE (Simultaneous Authentication of Equals) is the only option that uses AES encryption by default and meets the company's security policy requirement for AES encryption. WPA3-SAE replaces the pre-shared key (PSK) with a more secure handshake and mandates AES-CCMP or AES-GCMP, ensuring compliance with the policy.

Exam trap

CompTIA A+ often tests the misconception that WPA2-PSK (AES) is the best choice because it uses AES, but the trap here is that the question asks which option the technician should select, and WPA3-SAE is the most secure and modern protocol that also meets the AES requirement, making it the correct answer over the older WPA2 variant.

How to eliminate wrong answers

Option A is wrong because WPA2-PSK (TKIP) uses the TKIP encryption protocol, which is based on RC4 and does not use AES, violating the policy. Option B is wrong because although WPA2-PSK (AES) uses AES encryption, it is an older standard that lacks the security enhancements of WPA3, such as forward secrecy and protection against offline dictionary attacks, but more importantly, the question asks for the option that should be selected, and WPA3-SAE is the superior choice that also meets the AES requirement. Option D is wrong because WEP uses RC4 encryption and is completely insecure, with no support for AES, and is deprecated by all security standards.

6
MCQmedium

During a security audit, a technician discovers that a small office's wireless router is still using WPA-TKIP. The office has 20 devices, including some older smartphones that cannot support WPA2. What should the technician recommend to improve security without replacing all devices?

A.Keep WPA-TKIP but enable MAC address filtering to block unauthorized devices.
B.Upgrade the router to support WPA2 and configure it to use WPA2-PSK with AES encryption.
C.Change the SSID to something non-descript and disable SSID broadcast.
D.Switch to WPA3 and set up a separate guest network for older devices.
AnswerA

Correct. MAC address filtering adds a basic access control layer that is not present with WPA-TKIP alone, and it does not require replacing devices. Although it is weak, it is the only option that improves security without breaking connectivity for the older smartphones.

Why this answer

In this scenario, the older smartphones cannot support WPA2, so upgrading to WPA2-PSK (option B) would break connectivity for those devices. Option A (keeping WPA-TKIP but enabling MAC address filtering) is the only choice that maintains connectivity for all devices without replacement. While MAC filtering is a weak security measure that can be bypassed by MAC spoofing, it does add a layer of access control that was not present before.

This is a minimal improvement, and the technician should plan to replace the older devices or isolate them on a separate network as soon as feasible. Options C and D do not solve the core encryption weakness and either fail to improve security or would also break connectivity.

Exam trap

A common trap is to assume that upgrading to WPA2 is always an option, but the question explicitly states that older devices cannot support it. The candidate must carefully read the scenario and recognize that MAC filtering, while weak, is the only option that does not disrupt connectivity.

How to eliminate wrong answers

Option A is wrong because MAC address filtering can be trivially bypassed by sniffing allowed MAC addresses from the air and spoofing them, and it does nothing to fix the broken TKIP encryption. Option C is wrong because hiding the SSID and using a non-descript name provides no real security—the SSID is still broadcast in probe requests and can be discovered with tools like Kismet or Wireshark, and it does not address the weak TKIP encryption. Option D is wrong because WPA3 is not backward-compatible with devices that cannot even support WPA2; older smartphones that lack WPA2 support will not have the hardware or drivers for WPA3, so this would either fail to connect or require device replacement, which the question explicitly rules out.

7
MCQmedium

A technician is configuring a wireless network for a school that uses Chromebooks and iPads. The network must support fast roaming and prioritize security. The technician enables WPA2-Enterprise with 802.1X. What additional configuration is needed to ensure seamless roaming between access points?

A.Enable WPA3-SAE on all access points.
B.Configure all access points with the same SSID and passphrase.
C.Enable 802.11r (Fast Roaming) on the wireless controller.
D.Disable WPS on all access points.
AnswerC

802.11r reduces the time required for re-authentication during roaming.

Why this answer

Option C is correct because 802.11r (Fast Roaming) enables seamless key distribution between access points during client transitions, eliminating the need for full re-authentication with the RADIUS server. This is essential for devices like Chromebooks and iPads that move frequently across a school campus, ensuring low-latency roaming while maintaining WPA2-Enterprise security.

Exam trap

A common misconception in CompTIA A+ is that simply using the same SSID and passphrase (Option B) is sufficient for seamless roaming, but in WPA2-Enterprise, the passphrase is not used, and without 802.11r, clients must perform a full 802.1X re-authentication at each AP, causing noticeable delays.

How to eliminate wrong answers

Option A is wrong because WPA3-SAE is a different security protocol for personal networks, not enterprise; it does not integrate with 802.1X and does not address roaming optimization. Option B is wrong because while using the same SSID is necessary for roaming, a shared passphrase is irrelevant for WPA2-Enterprise, which uses per-user credentials via 802.1X, not a pre-shared key. Option D is wrong because disabling WPS improves security by preventing brute-force attacks on PIN-based authentication, but it has no effect on roaming performance or seamless handoff between access points.

8
MCQmedium

During a wireless site survey, a technician discovers that an employee has set up a personal wireless router in their cubicle, connected to the corporate network. This rogue access point is broadcasting an open SSID. Which security risk is most immediately concerning?

A.The rogue AP may cause radio frequency interference with the corporate WLAN.
B.The rogue AP provides an unencrypted entry point for attackers to access the corporate network.
C.The rogue AP will consume additional power from the corporate UPS.
D.The rogue AP's DHCP server may conflict with the corporate DHCP server.
AnswerB

An open SSID means no encryption or authentication, allowing anyone to connect and potentially launch attacks or access sensitive data.

Why this answer

The most immediate security risk of a rogue access point broadcasting an open SSID is that it provides an unencrypted entry point into the corporate network. Any attacker within range can associate with the open SSID and, because the AP is connected to the corporate LAN, gain direct access to internal resources without authentication or encryption, bypassing perimeter security controls.

Exam trap

Cisco often tests the distinction between operational nuisances (interference, DHCP conflicts, power draw) and actual security threats, so the trap here is that candidates may focus on the technical annoyance of a rogue AP rather than the critical security implication of an unencrypted entry point.

How to eliminate wrong answers

Option A is wrong because while a rogue AP can cause RF interference, that is a performance issue, not a security risk, and the question specifically asks about the most immediately concerning security risk. Option C is wrong because power consumption from a single small AP is negligible and does not represent a meaningful security threat. Option D is wrong because a DHCP conflict is a network configuration problem that can cause connectivity issues, but it is not a security vulnerability; the open SSID allowing unauthorized network access is far more critical.

9
MCQmedium

A customer reports that their laptop frequently disconnects from the office Wi-Fi and reconnects after a few seconds. The network uses WPA2-PSK with AES encryption. The technician checks the router logs and sees repeated '4-way handshake timeout' errors. What is the most likely cause of this issue?

A.The laptop is using an outdated WEP encryption protocol.
B.The router's DHCP lease time is set too short.
C.The laptop is too far from the access point, causing intermittent signal loss.
D.The router is configured for WPA2-Enterprise instead of WPA2-PSK.
AnswerC

Weak signal can cause the 4-way handshake to time out, leading to disconnections.

Why this answer

The '4-way handshake timeout' error indicates that the laptop and access point are failing to complete the WPA2 authentication handshake. Intermittent signal loss due to distance causes packets (including EAPOL frames used in the handshake) to be dropped, leading to repeated timeouts and disconnections. WPA2-PSK with AES is not the issue; the physical layer is the bottleneck.

Exam trap

CompTIA A+ often tests the distinction between Layer 2 authentication failures (4-way handshake) and Layer 3 IP configuration issues (DHCP), so candidates mistakenly choose DHCP lease time when they see 'timeout' in the error.

How to eliminate wrong answers

Option A is wrong because the network uses WPA2-PSK with AES, so the laptop cannot be using WEP; WEP is an outdated protocol that would not even associate with a WPA2 network. Option B is wrong because a short DHCP lease time would cause IP address renewal issues, not 4-way handshake timeouts; the handshake occurs at Layer 2 before DHCP is involved. Option D is wrong because the router logs show WPA2-PSK is in use (the customer reports it), and WPA2-Enterprise would require 802.1X authentication (e.g., RADIUS), not cause a PSK handshake timeout.

10
MCQmedium

A technician is setting up a guest Wi-Fi network in a coffee shop. The owner wants customers to be able to connect easily without entering a password, but still wants basic encryption to prevent eavesdropping. Which security configuration should the technician use?

A.Set up an open network with no encryption and a captive portal for terms of service.
B.Use WPA2-PSK with a simple password like 'coffee123'.
C.Enable WPA3-Enterprise with certificate-based authentication.
D.Use WEP with a shared key printed on a receipt.
AnswerA

An open network allows easy access without a password, and a captive portal can enforce acceptable use, but it does not encrypt traffic; this matches the owner's request for no password.

Why this answer

Option A is correct because an open network with a captive portal allows customers to connect without a password while still providing a layer of control (terms of service acceptance). However, it does not provide encryption, so the owner's desire for 'basic encryption' is not actually met by this configuration. The question contains a contradiction: the owner wants no password but also wants encryption.

In practice, an open network with a captive portal is the only option that allows password-free connectivity, but it offers no encryption, leaving traffic vulnerable to eavesdropping.

Exam trap

Cisco often tests the misconception that a captive portal provides encryption, when in fact it only provides authentication/authorization at the application layer, leaving the wireless link unencrypted.

How to eliminate wrong answers

Option B is wrong because WPA2-PSK requires a pre-shared key (password) to connect, which contradicts the requirement that customers connect without entering a password. Option C is wrong because WPA3-Enterprise with certificate-based authentication requires complex setup and user certificates, which is far beyond a simple coffee shop guest network and also requires authentication credentials. Option D is wrong because WEP is an obsolete, easily cracked encryption protocol that still requires a shared key (password) to connect, and it provides no real security against eavesdropping.

11
MCQmedium

A technician is setting up a wireless network for a small office that handles sensitive client data. The office has a mix of modern laptops and a few legacy printers that only support WEP. What should the technician do to maintain security while keeping the printers functional?

A.Enable WEP on the main router and set a complex 128-bit key.
B.Replace the printers with modern ones that support WPA2.
C.Create a separate VLAN for the printers using WEP and a strong passphrase, and keep the main network on WPA2.
D.Set the router to mixed mode (WEP + WPA2) and use a single SSID.
AnswerC

Correct. This isolates the insecure WEP traffic to the printer VLAN, protecting the main network and sensitive data.

Why this answer

Option C is correct because it isolates the insecure WEP-based printers on a separate VLAN, preventing their weak encryption from compromising the main network which uses WPA2. This allows the legacy printers to remain functional while sensitive client data on the main network is protected by the stronger WPA2 protocol.

Exam trap

The trap here is that candidates often think mixed mode (WEP + WPA2) is a valid compromise, but CompTIA A+ tests the understanding that mixed mode on a single SSID downgrades security for all devices, whereas VLAN segmentation isolates the weak protocol without affecting the secure network.

How to eliminate wrong answers

Option A is wrong because WEP is fundamentally broken and can be cracked in minutes using tools like aircrack-ng, regardless of key length; a complex 128-bit key does not fix the underlying RC4 cipher weaknesses. Option B is wrong because replacing functional printers is an unnecessary cost and not a network configuration solution; the question asks how to maintain security while keeping the printers functional. Option D is wrong because mixed mode (WEP + WPA2) on a single SSID forces all clients to use the lowest common denominator security, allowing attackers to downgrade modern clients to WEP and compromise the entire network.

12
MCQmedium

A company's IT policy requires that all wireless connections use certificate-based authentication to prevent unauthorized access. The network is currently using WPA2-PSK. Which configuration change is necessary to meet this policy?

A.Enable MAC address filtering on the access point.
B.Upgrade to WPA3-Personal.
C.Switch to WPA2-Enterprise and configure a RADIUS server.
D.Change the encryption from AES to TKIP.
AnswerC

WPA2-Enterprise supports 802.1X authentication, which can use certificates issued by a RADIUS server, meeting the policy requirement.

Why this answer

Option C is correct because the policy requires certificate-based authentication, which is a feature of WPA2-Enterprise (802.1X). WPA2-Enterprise uses a RADIUS server to validate certificates and authenticate users individually, replacing the pre-shared key (PSK) model. This meets the requirement for certificate-based authentication to prevent unauthorized access.

Exam trap

Cisco often tests the distinction between Personal and Enterprise modes, where candidates mistakenly think upgrading to WPA3-Personal (Option B) adds certificate support, but only the Enterprise mode with a RADIUS server enables certificate-based authentication.

How to eliminate wrong answers

Option A is wrong because MAC address filtering is not a form of authentication and can be easily spoofed; it does not use certificates. Option B is wrong because WPA3-Personal still uses a shared passphrase (SAE handshake), not certificate-based authentication; it is the Personal mode, not Enterprise. Option D is wrong because changing encryption from AES to TKIP would weaken security and does not introduce certificate-based authentication; TKIP is deprecated and not compatible with 802.1X in this context.

13
MCQhard

A network administrator is investigating a security incident where an attacker captured the 4-way handshake of a WPA2-PSK network and successfully cracked the passphrase. Which protocol change would most effectively prevent this type of attack in the future?

A.Switch to WPA2-Enterprise with 802.1X and a RADIUS server.
B.Increase the WPA2-PSK passphrase length to 63 characters.
C.Upgrade to WPA3-SAE.
D.Enable MAC address filtering on the access point.
AnswerC

Correct. WPA3-SAE uses SAE, which eliminates the possibility of offline dictionary attacks by design, making handshake capture useless.

Why this answer

WPA3-SAE (Simultaneous Authentication of Equals) replaces the WPA2-PSK 4-way handshake with a protocol that uses a Diffie-Hellman key exchange, making it resistant to offline dictionary attacks. Even if an attacker captures the SAE handshake, they cannot crack the passphrase offline because the key exchange provides forward secrecy and prevents brute-force attempts without interacting with the network.

Exam trap

Cisco often tests the misconception that simply strengthening WPA2-PSK (e.g., longer passphrase) or adding MAC filtering is sufficient, when the core vulnerability is the offline-crackable 4-way handshake itself, which only WPA3-SAE fundamentally addresses.

How to eliminate wrong answers

Option A is wrong because switching to WPA2-Enterprise with 802.1X and a RADIUS server still uses the same 4-way handshake for key derivation; the handshake can still be captured and, if the RADIUS server uses a weak password or certificate, offline attacks remain possible. Option B is wrong because increasing the WPA2-PSK passphrase length to 63 characters only makes cracking harder but does not change the fundamental vulnerability: the 4-way handshake can still be captured and subjected to offline dictionary or brute-force attacks given enough time and resources. Option D is wrong because MAC address filtering is a trivial security measure that can be easily bypassed by spoofing an allowed MAC address; it does not prevent handshake capture or cracking of the passphrase.

14
MCQeasy

A user reports that their smartphone cannot connect to the office Wi-Fi, but other devices can. The network uses WPA2-Enterprise with PEAP-MSCHAPv2. The technician checks the phone's settings and sees that it is configured for WPA2-PSK. What is the most likely reason for the connection failure?

A.The phone's Wi-Fi antenna is damaged.
B.The phone is using the wrong security protocol.
C.The router's SSID is hidden.
D.The phone's MAC address is filtered.
AnswerB

WPA2-PSK uses a shared key, while WPA2-Enterprise uses 802.1X authentication.

Why this answer

The phone is configured for WPA2-PSK (Pre-Shared Key), but the office network uses WPA2-Enterprise with PEAP-MSCHAPv2. WPA2-Enterprise requires 802.1X authentication with a RADIUS server, using EAP methods like PEAP-MSCHAPv2, while WPA2-PSK uses a single shared passphrase. The mismatch in security protocols prevents the phone from completing the 4-way handshake, causing the connection failure.

Exam trap

CompTIA often tests the distinction between WPA2-PSK and WPA2-Enterprise, trapping candidates who assume all WPA2 configurations are interchangeable or that the issue is a simple connectivity problem like a hidden SSID or MAC filter.

How to eliminate wrong answers

Option A is wrong because a damaged Wi-Fi antenna would prevent connection to any network, not just this specific one, and other devices are connecting successfully. Option C is wrong because a hidden SSID does not affect the security protocol negotiation; the phone would still attempt to connect using the wrong protocol (WPA2-PSK) and fail. Option D is wrong because MAC address filtering would block the phone regardless of the security protocol setting, and the issue is specifically a protocol mismatch, not a MAC-based block.

15
MCQmedium

A user's laptop running Windows 10 Pro connects to the corporate Wi-Fi but cannot access internal resources. The network uses WPA2-Enterprise with PEAP-MSCHAPv2. The laptop's wireless profile is configured correctly. Other users in the same office can access resources. What is the most likely cause?

A.The laptop's wireless adapter is faulty.
B.The user's domain account is locked or the password has expired.
C.The access point is broadcasting on a congested channel.
D.The laptop has an incorrect IP address from DHCP.
AnswerB

PEAP-MSCHAPv2 uses domain credentials; an account issue would prevent successful authentication and network access.

Why this answer

The user can connect to Wi-Fi but cannot access internal resources, and other users are unaffected. Since the wireless profile is correct and WPA2-Enterprise uses PEAP-MSCHAPv2 for authentication, the most likely cause is that the user's domain account is locked or the password has expired. This would prevent successful authentication against the RADIUS server, blocking access to internal resources even though the client associates with the access point.

Exam trap

Cisco often tests the distinction between Layer 2 association and Layer 3 authentication; the trap here is that candidates assume a successful Wi-Fi connection implies full network access, overlooking that WPA2-Enterprise requires valid domain credentials for RADIUS-based authentication to grant access to internal resources.

How to eliminate wrong answers

Option A is wrong because a faulty wireless adapter would typically prevent association or cause intermittent connectivity, not allow a successful connection to the Wi-Fi network while blocking internal resource access. Option C is wrong because a congested channel would affect all users in the area, not just one user, and would manifest as poor performance or disconnections, not a complete inability to access internal resources. Option D is wrong because an incorrect IP address from DHCP would prevent network communication entirely, but the user can connect to the Wi-Fi and likely obtain an IP address; the issue is at the authentication layer, not the IP layer.

16
MCQhard

A security incident occurs where an attacker captures the 4-way handshake of a WPA2-PSK network and successfully cracks the passphrase offline. The technician is tasked with preventing this type of attack in the future. Which protocol should the technician implement?

A.WPA2-PSK with a longer passphrase.
B.WPA3-SAE.
C.WPA2-Enterprise with PEAP-MSCHAPv2.
D.WPA2-PSK with TKIP.
AnswerB

WPA3-SAE uses SAE, which is resistant to offline dictionary attacks, even if the handshake is captured.

Why this answer

WPA3-SAE (Simultaneous Authentication of Equals) replaces the pre-shared key (PSK) model with a password-authenticated key exchange that is resistant to offline dictionary attacks. Unlike WPA2-PSK, which transmits a hash of the password in the 4-way handshake that can be captured and cracked offline, SAE uses a zero-knowledge proof protocol that prevents an attacker from deriving the password from captured handshake data, even if they have the full handshake.

Exam trap

A common misconception is that simply increasing passphrase length or switching to enterprise authentication prevents offline cracking of the 4-way handshake, when in fact only a protocol change to SAE (WPA3) eliminates the offline dictionary attack vector.

How to eliminate wrong answers

Option A is wrong because simply lengthening the WPA2-PSK passphrase does not change the underlying protocol vulnerability; the 4-way handshake still transmits a hash that can be captured and cracked offline with sufficient time and resources, making it a mitigation, not a prevention. Option C is wrong because WPA2-Enterprise with PEAP-MSCHAPv2 still uses the same 4-way handshake for the wireless encryption key exchange, and while the authentication is server-based, the handshake itself remains vulnerable to offline cracking if the attacker captures it and the MSCHAPv2 challenge/response is weak. Option D is wrong because WPA2-PSK with TKIP is actually less secure than WPA2-PSK with AES; TKIP is deprecated and vulnerable to multiple attacks, and it does nothing to prevent offline dictionary attacks on the 4-way handshake.

17
MCQeasy

A small business owner reports that after upgrading their wireless router to a newer model, their older laptops running Windows 7 cannot connect to the Wi-Fi network. The new router is configured with WPA3-Personal. Which of the following is the most likely reason for the connectivity failure?

A.The router's SSID is hidden.
B.The laptops' wireless adapters do not support WPA3.
C.The router is broadcasting on a 5 GHz band only.
D.The laptops have incorrect DNS settings.
AnswerB

WPA3 is a newer security standard; older hardware and drivers often lack support, forcing a fallback to WPA2 or causing connection failures.

Why this answer

WPA3-Personal is a newer wireless security protocol that requires hardware support in the wireless adapter. Older laptops running Windows 7 typically have legacy wireless adapters that only support WPA2 or earlier protocols. Since the router is configured to use WPA3 only, the laptops' adapters cannot negotiate a connection, resulting in failure.

Exam trap

CompTIA often tests the misconception that older Windows 7 laptops can connect to any Wi-Fi network as long as they have the password, but the trap here is that WPA3 requires both hardware and driver-level support, which legacy adapters lack.

How to eliminate wrong answers

Option A is wrong because a hidden SSID does not prevent connection; clients can still connect if they know the SSID and have compatible security settings. Option C is wrong because even if the router broadcasts only on 5 GHz, many older Windows 7 laptops support 5 GHz if they have dual-band adapters; the primary issue is the security protocol mismatch, not the frequency band. Option D is wrong because incorrect DNS settings would prevent name resolution but not the initial Wi-Fi association and authentication; the laptops cannot even connect to the network, indicating a lower-layer issue.

18
MCQhard

A network administrator is configuring a new wireless network for a hospital that requires the highest level of security for patient data. The network must support 802.1X authentication with smart cards. Which combination of security protocols and authentication methods should be used?

A.WPA2-PSK with PEAP-MSCHAPv2.
B.WPA3-Personal with SAE.
C.WPA2-Enterprise with EAP-TLS.
D.WPA3-Enterprise with EAP-TTLS.
AnswerC

WPA2-Enterprise supports 802.1X, and EAP-TLS uses certificates for mutual authentication, compatible with smart cards.

Why this answer

Option C is correct because WPA2-Enterprise with EAP-TLS provides the highest level of security for a hospital network requiring 802.1X authentication with smart cards. EAP-TLS uses mutual authentication via digital certificates (which can be stored on smart cards), eliminating the risk of credential theft or man-in-the-middle attacks. WPA2-Enterprise is the appropriate underlying encryption framework for this scenario, as it supports the required 802.1X/EAP integration.

Exam trap

The trap here is that candidates often assume WPA3 is always more secure than WPA2, but for enterprise 802.1X with smart cards, WPA2-Enterprise with EAP-TLS is the correct and fully supported combination, while WPA3-Enterprise with EAP-TTLS does not enforce client certificate authentication.

How to eliminate wrong answers

Option A is wrong because WPA2-PSK uses a pre-shared key, which does not support 802.1X authentication or smart cards; PEAP-MSCHAPv2 relies on passwords, not certificates, and is vulnerable to brute-force attacks. Option B is wrong because WPA3-Personal with SAE is designed for password-based authentication in home/small office networks, not for 802.1X enterprise authentication with smart cards. Option D is wrong because while WPA3-Enterprise supports 802.1X, EAP-TTLS typically uses a server-side certificate only and tunnels password-based inner methods (e.g., MSCHAPv2), which does not meet the requirement for smart card (certificate-based) authentication; EAP-TLS is the standard for client certificate authentication.

19
MCQmedium

A technician is configuring a new wireless network for a school. The network must support hundreds of student devices simultaneously and provide strong security. The school wants to use a single SSID with individual logins for students. Which security protocol should the technician choose?

A.WPA2-PSK with a long passphrase.
B.WPA2-Enterprise with 802.1X and RADIUS.
C.WPA3-Enterprise with 192-bit encryption.
D.WPA3-Personal with SAE.
AnswerC

Correct. WPA3-Enterprise provides individual authentication via 802.1X and uses 192-bit encryption, meeting the school's needs for security and scalability.

Why this answer

WPA3-Enterprise with 192-bit encryption is the correct choice because it provides the strongest security for a large-scale deployment with individual logins. It uses 802.1X authentication with a RADIUS server, supporting unique credentials for each student, and mandates 192-bit minimum-strength security suite (CNSA Suite) for encryption, offering enhanced protection against brute-force and dictionary attacks compared to WPA2-Enterprise.

Exam trap

CompTIA A+ emphasizes the distinction between 'Enterprise' and 'Personal' modes. The trap here is that candidates see 'WPA2-Enterprise with 802.1X and RADIUS' and assume it is sufficient for high-security individual logins, overlooking that WPA3-Enterprise with 192-bit encryption is the only option that combines individual authentication with the strongest mandated encryption suite.

How to eliminate wrong answers

Option A is wrong because WPA2-PSK uses a pre-shared key that is shared among all users, making it impossible to provide individual logins and vulnerable to passphrase cracking if the key is compromised. Option B is wrong because while WPA2-Enterprise with 802.1X and RADIUS supports individual logins, it relies on older encryption (CCMP/AES) and is susceptible to KRACK attacks and dictionary attacks on weak EAP methods; it does not mandate the 192-bit security suite required for the highest security. Option D is wrong because WPA3-Personal with SAE (Simultaneous Authentication of Equals) provides strong password-based authentication but still uses a single shared password for the SSID, not individual logins for each student.

20
MCQeasy

A technician is setting up a wireless network for a home office. The client is concerned about neighbors accessing their internet. The technician enables WPA2-PSK with a strong passphrase. Which additional step should the technician take to ensure the network is as secure as possible?

A.Enable WPS for easy device pairing.
B.Disable SSID broadcast.
C.Disable WPS on the router.
D.Enable MAC address filtering.
AnswerC

WPS is a common attack vector; disabling it forces attackers to crack the passphrase directly.

Why this answer

WPA2-PSK with a strong passphrase already provides robust encryption, but WPS (Wi-Fi Protected Setup) introduces a significant vulnerability. WPS allows devices to connect via an 8-digit PIN, which can be brute-forced in a matter of hours using tools like Reaver, exposing the network to unauthorized access. Disabling WPS eliminates this attack vector, making the network as secure as possible.

Exam trap

CompTIA often tests the misconception that hiding the SSID or using MAC filtering provides meaningful security, when in reality the WPS vulnerability is a far more critical and exploitable flaw that must be addressed first.

How to eliminate wrong answers

Option A is wrong because enabling WPS, even for convenience, creates a backdoor that bypasses the strong WPA2-PSK passphrase; the WPS PIN can be brute-forced offline, compromising the network. Option B is wrong because disabling SSID broadcast only hides the network name from casual scans, but it does not prevent determined attackers from discovering it using packet sniffers (e.g., Wireshark) or tools like Kismet, and it can actually cause connectivity issues for legitimate clients. Option D is wrong because MAC address filtering is a weak security measure; MAC addresses can be easily spoofed using tools like SMAC or by modifying the network adapter settings, so it provides no real protection against a skilled attacker.

21
MCQeasy

A customer calls saying their home Wi-Fi network suddenly stopped working after they changed the router's security mode from WPA2-PSK to WPA2-Enterprise. All their devices previously connected fine. What is the most likely cause of the problem?

A.The router's firmware is outdated.
B.The devices do not support the new encryption cipher.
C.The router is now requiring a username and password from a RADIUS server, which the home network lacks.
D.The SSID was changed during the configuration.
AnswerC

WPA2-Enterprise relies on 802.1X authentication with a RADIUS server; home networks typically do not have this infrastructure, so devices cannot authenticate.

Why this answer

WPA2-Enterprise uses 802.1X authentication, which requires a RADIUS server to validate credentials (username and password). Home routers typically lack a built-in RADIUS server, so after changing to WPA2-Enterprise, the router cannot authenticate any client, causing all devices to fail to connect. The previous WPA2-PSK mode used a simple pre-shared key, which worked without any external server.

Exam trap

In the CompTIA A+ exam, it's important to distinguish between WPA2-PSK (pre-shared key, no server) and WPA2-Enterprise (requires a RADIUS/AAA server). The trap here is that candidates may assume all WPA2 modes work identically or blame encryption cipher support instead of the missing authentication infrastructure.

How to eliminate wrong answers

Option A is wrong because an outdated firmware would not cause a sudden failure immediately after changing the security mode; the issue is directly tied to the authentication method change, not firmware version. Option B is wrong because WPA2-Enterprise can use the same encryption ciphers (AES/CCMP) as WPA2-PSK; device support for the cipher is not the problem—the problem is the missing authentication server. Option D is wrong because the SSID was not changed according to the question; the customer only changed the security mode, and an SSID change would cause devices to not see the network, not fail authentication.

22
MCQeasy

A small business owner reports that after upgrading their wireless router to a newer model, several older laptops running Windows 7 can no longer connect to the Wi-Fi network. The new router is configured to use WPA3. What is the most likely reason for the connection failures?

A.The laptops have outdated wireless drivers that do not support WPA3.
B.The router's firewall is blocking the older laptops' MAC addresses.
C.The laptops are using an incompatible encryption cipher like TKIP.
D.The router's SSID is hidden, and the laptops cannot discover it.
AnswerA

Correct. Older Windows 7 laptops typically lack WPA3 support in both drivers and OS, making them unable to authenticate with a WPA3-only network.

Why this answer

WPA3 is a newer security protocol that requires both the router and the client device to support it. Older laptops running Windows 7 typically have wireless network adapters and drivers that were designed before WPA3 was standardized (2018), so they only support WPA2 or earlier protocols. Without updated drivers that include WPA3 support, these laptops cannot authenticate with the router, causing the connection failures.

Exam trap

Cisco often tests the misconception that encryption ciphers (like TKIP) are the primary cause of incompatibility, when in fact the core issue is the security protocol version (WPA3 vs. WPA2) and the driver's lack of support for the new authentication handshake.

How to eliminate wrong answers

Option B is wrong because MAC address filtering is a separate feature from security protocol support; if the router's firewall were blocking MAC addresses, the laptops would not even see the network or would be explicitly denied, but the issue is specifically about authentication after the upgrade to WPA3. Option C is wrong because TKIP is an encryption cipher used with WPA and WPA2, not WPA3; WPA3 uses AES-CCMP or GCMP-256, and while older laptops might use TKIP with WPA2, the core incompatibility here is the protocol version itself, not the cipher. Option D is wrong because a hidden SSID does not prevent a client from connecting if the SSID is manually entered; the problem is the authentication handshake failure due to WPA3 incompatibility, not network discovery.

23
MCQeasy

During a security audit at a law firm, the IT manager wants to ensure that all wireless communication is encrypted with the strongest available standard that is also compatible with their mix of Windows 10 laptops and iOS tablets. Which security protocol should you recommend?

A.WEP
B.WPA2-TKIP
C.WPA3-Personal
D.WPA2-Enterprise
AnswerC

WPA3-Personal provides the strongest security for a small office environment without a RADIUS server, and is backward compatible with WPA2 devices.

Why this answer

WPA3-Personal is the strongest available wireless encryption standard and is backward-compatible with WPA2 devices, making it suitable for a mixed environment of Windows 10 laptops and iOS tablets. It introduces Simultaneous Authentication of Equals (SAE) to replace the Pre-Shared Key (PSK) exchange, providing robust protection against offline dictionary attacks. Both Windows 10 and iOS fully support WPA3, ensuring compatibility without sacrificing security.

Exam trap

CompTIA often tests the misconception that WPA2-Enterprise is always stronger than WPA3-Personal, but the question specifies 'strongest available standard' and 'compatible with a mix of Windows 10 laptops and iOS tablets,' which points to WPA3-Personal as the correct choice because it offers superior encryption without requiring enterprise infrastructure.

How to eliminate wrong answers

Option A is wrong because WEP (Wired Equivalent Privacy) uses a static RC4 encryption key that can be cracked in minutes with readily available tools, offering no real security. Option B is wrong because WPA2-TKIP (Temporal Key Integrity Protocol) is a legacy mode that is deprecated and vulnerable to attacks like MIC key recovery; it is not the strongest available standard. Option D is wrong because WPA2-Enterprise, while secure, requires a RADIUS authentication server and is not necessary for a law firm's mixed client environment where WPA3-Personal provides stronger encryption with simpler deployment.

24
MCQeasy

During a security audit, a technician discovers that a company's wireless network uses WEP encryption. The network has been in place for 10 years and still uses the original router. What is the most immediate security risk?

A.The router may not support modern encryption protocols.
B.WEP keys can be easily cracked using tools like Aircrack-ng.
C.The router's firmware is likely outdated and vulnerable to exploits.
D.WEP does not support WPA2-PSK, so clients must use a different protocol.
AnswerB

WEP's weak RC4 encryption allows attackers to capture packets and derive the key quickly.

Why this answer

WEP encryption is fundamentally flawed because it uses the RC4 cipher with a weak initialization vector (IV) that is transmitted in plaintext. Tools like Aircrack-ng can capture enough IVs (typically 20,000–40,000) to derive the WEP key within minutes, regardless of key length. This makes the network trivially vulnerable to unauthorized access and data decryption, which is the most immediate and exploitable risk.

Exam trap

CompTIA often tests the distinction between a hardware limitation (e.g., outdated firmware or lack of protocol support) and a protocol-level cryptographic weakness, where candidates may incorrectly choose a less direct risk instead of the immediate, proven exploitability of WEP.

How to eliminate wrong answers

Option A is wrong because while the router may not support modern protocols, that is a limitation of the hardware, not an immediate security risk—the immediate risk is that WEP itself is broken. Option C is wrong because outdated firmware is a potential vulnerability, but it is not as immediate or certain as the guaranteed cryptographic weakness of WEP, which can be exploited without any firmware bugs. Option D is wrong because WEP does not need to support WPA2-PSK; clients can connect using WEP, and the issue is that WEP is insecure, not that it lacks compatibility with a different protocol.

25
MCQhard

A company's security policy mandates that all wireless traffic must be encrypted using a protocol that is resistant to KRACK attacks. The current network uses WPA2-PSK with AES. Which of the following upgrades should be implemented to meet this requirement?

A.Change the encryption from AES to TKIP.
B.Enable WPA2-Enterprise with 802.1X.
C.Upgrade to WPA3-Personal.
D.Implement MAC address filtering.
AnswerC

WPA3 uses SAE, which is resistant to KRACK attacks because it uses a different handshake process that prevents key reinstallation.

Why this answer

WPA3-Personal replaces the Pre-Shared Key (PSK) handshake with Simultaneous Authentication of Equals (SAE), which is resistant to offline dictionary attacks and the KRACK vulnerability that exploits the 4-way handshake in WPA2. Since the policy requires encryption resistant to KRACK attacks, upgrading to WPA3-Personal directly addresses this requirement.

Exam trap

Cisco often tests the misconception that changing authentication methods (e.g., from PSK to 802.1X) fixes protocol-level vulnerabilities like KRACK, when in fact the underlying handshake protocol (WPA2) remains the same and still vulnerable.

How to eliminate wrong answers

Option A is wrong because TKIP is an older, less secure encryption protocol that is also vulnerable to KRACK attacks and is deprecated in favor of AES. Option B is wrong because WPA2-Enterprise with 802.1X still uses the same WPA2 4-way handshake, which is susceptible to KRACK attacks; it changes authentication but not the underlying handshake vulnerability. Option D is wrong because MAC address filtering is a basic access control mechanism that does not encrypt traffic and provides no protection against KRACK or any encryption-based attack.

26
MCQmedium

A user reports that their Windows 11 laptop can see the office Wi-Fi network but fails to connect, displaying 'Can't connect to this network'. Other users with the same laptop model connect without issues. The network uses WPA2-PSK with AES. What should you check first?

A.Update the wireless adapter driver.
B.Change the router's security protocol to WPA3.
C.Forget the network on the laptop and reconnect by entering the passphrase again.
D.Disable the firewall on the laptop.
AnswerC

This clears any incorrect saved credentials and allows the user to enter the correct passphrase, resolving authentication mismatches.

Why this answer

A mismatch in the saved passphrase is a common cause of connection failures when the network is visible. The correct answer is to forget the network and re-enter the correct passphrase. This tests troubleshooting skills for wireless authentication issues.

27
MCQmedium

A technician is configuring a wireless network for a new office. The network must support legacy devices that only support WPA-TKIP, but the technician also wants to maximize security for modern devices. Which configuration should the technician use?

A.Enable WPA3-SAE for all devices.
B.Use WPA2-PSK with TKIP encryption.
C.Configure the router for WPA2-PSK with AES and enable WPA-TKIP as a fallback.
D.Set up a separate SSID with WPA-TKIP for legacy devices and another SSID with WPA2-AES for modern devices.
AnswerD

This isolates legacy devices on a less secure network while allowing modern devices to use the stronger encryption.

Why this answer

Option D is correct because it isolates legacy WPA-TKIP devices on a separate SSID, preventing the weaker TKIP encryption from compromising the security of modern devices. Modern devices can then connect to a second SSID using WPA2-AES, which provides strong encryption (CCMP) and is not vulnerable to TKIP-specific attacks like Michael MIC exhaustion. This approach satisfies both requirements without forcing all devices onto a single, less secure configuration.

Exam trap

CompTIA often tests the misconception that a mixed-mode SSID (WPA2 with TKIP fallback) is a safe compromise, when in fact it can force all clients to use weaker encryption or cause performance degradation, making separate SSIDs the correct approach for legacy support without compromising modern security.

How to eliminate wrong answers

Option A is wrong because WPA3-SAE is not backward compatible with WPA-TKIP legacy devices; those devices would be unable to connect at all. Option B is wrong because using WPA2-PSK with TKIP encryption forces all devices to use the weaker TKIP protocol, which is deprecated and vulnerable to attacks, and does not maximize security for modern devices. Option C is wrong because configuring WPA2-PSK with AES and enabling WPA-TKIP as a fallback typically forces the router to support a mixed mode (WPA2/WPA mixed) that allows TKIP connections on the same SSID, which can downgrade security for all clients due to TKIP's known weaknesses and the potential for compatibility issues with 802.11n and higher data rates.

28
MCQmedium

A user reports that their laptop frequently disconnects from the office Wi-Fi and reconnects after a few seconds. The network uses WPA2-Enterprise with PEAP-MSCHAPv2. Other users do not experience this issue. What is the most likely cause?

A.The laptop's wireless driver is outdated.
B.The RADIUS server is rejecting the laptop's certificate intermittently.
C.The office Wi-Fi channel is congested.
D.The laptop's power saving mode is turning off the Wi-Fi adapter.
AnswerA

An outdated wireless driver can cause intermittent connectivity issues, such as frequent disconnects and reconnects, on a single device.

Why this answer

The most likely cause is an outdated or incompatible wireless driver. This can cause intermittent connectivity issues on a single device. Other users are unaffected, and since the network uses WPA2-Enterprise with PEAP-MSCHAPv2, which relies on username/password authentication, the RADIUS server does not reject client certificates.

Channel congestion would affect multiple users, and power saving mode typically turns off the adapter after inactivity, not causing frequent reconnects.

Exam trap

Candidates may incorrectly attribute a single-user issue to server-side authentication problems, but in this case the RADIUS server does not use client certificates in PEAP-MSCHAPv2, so the correct cause is a local driver issue.

How to eliminate wrong answers

Option A is wrong because an outdated wireless driver would typically cause persistent connectivity issues, frequent drops without automatic reconnection, or driver crashes, not a pattern of disconnection and reconnection every few seconds that only affects one user. Option C is wrong because channel congestion would affect all users in the same area, not just one laptop, and would manifest as slow speeds or intermittent connectivity for everyone, not a specific reconnection pattern. Option D is wrong because power saving mode turning off the Wi-Fi adapter would cause the laptop to disconnect and not reconnect automatically for several seconds, and this behavior would be consistent and not intermittent; moreover, power saving features typically do not cause a reconnection after a few seconds without user intervention.

29
MCQhard

A technician is troubleshooting a wireless network where users report intermittent connectivity. The network uses WPA2-Enterprise with a RADIUS server. The technician notices that the RADIUS server logs show frequent authentication failures from one specific access point. What is the most likely cause?

A.The access point is using a different channel than the others.
B.The RADIUS server certificate has expired.
C.The access point's RADIUS shared secret is incorrect.
D.The clients are using WPA2-PSK instead of WPA2-Enterprise.
AnswerC

The shared secret is used for authentication between the AP and RADIUS server; a mismatch causes failures.

Why this answer

The RADIUS shared secret is a pre-shared key configured on both the access point and the RADIUS server to authenticate the AP itself. If the secret on the specific AP does not match the server's configuration, the server will reject authentication requests from that AP, causing intermittent connectivity for clients associated with it. The logs showing frequent authentication failures from one AP point directly to a mismatch in this shared secret.

Exam trap

CompTIA often tests the distinction between client-side authentication failures (e.g., wrong PSK or certificate) and infrastructure-side authentication failures (e.g., RADIUS shared secret mismatch), and the trap here is that candidates may confuse a RADIUS server certificate issue with a per-AP shared secret problem, not realizing that a certificate expiry would affect all APs uniformly.

How to eliminate wrong answers

Option A is wrong because using a different channel affects RF interference and throughput, not RADIUS authentication; the RADIUS server logs would not show authentication failures due to channel differences. Option B is wrong because an expired RADIUS server certificate would cause authentication failures for all access points, not just one specific AP, and the error would typically appear as a certificate validation failure rather than a shared secret mismatch. Option D is wrong because if clients were using WPA2-PSK instead of WPA2-Enterprise, the AP would not forward authentication requests to the RADIUS server at all, so the server logs would not show authentication failures from that AP.

30
MCQmedium

A small business owner wants to replace their old wireless router because guests have been using the network to access inappropriate content. The owner wants to isolate guest traffic from the main business network and enforce content filtering. Which combination of wireless security and features should the technician recommend?

A.WPA3-Personal with MAC address filtering.
B.WPA2-PSK with a guest network enabled and content filtering via OpenDNS.
C.WPA2-Enterprise with a RADIUS server and no guest network.
D.WEP encryption with a hidden SSID.
AnswerB

A guest network isolates traffic, and DNS-based content filtering blocks inappropriate sites.

Why this answer

Option B is correct because WPA2-PSK with a guest network creates a separate VLAN or subnet that isolates guest traffic from the main business network, preventing guests from accessing internal resources. Content filtering via OpenDNS provides DNS-level filtering to block inappropriate content without requiring additional hardware, addressing both isolation and content control requirements.

Exam trap

The trap here is that candidates often choose WPA3-Personal or WPA2-Enterprise thinking stronger encryption equals better security, but the question specifically requires guest isolation and content filtering, which are features of a guest network and DNS-level filtering, not of the authentication protocol itself.

How to eliminate wrong answers

Option A is wrong because WPA3-Personal uses a shared passphrase and does not inherently isolate guest traffic; MAC address filtering is easily bypassed by spoofing and does not enforce content filtering. Option C is wrong because WPA2-Enterprise with a RADIUS server provides strong authentication but does not include a guest network, so guest traffic would still mix with the main network, and it lacks content filtering capabilities. Option D is wrong because WEP encryption is deprecated and easily cracked within minutes using tools like aircrack-ng; hiding the SSID only prevents casual discovery but does not isolate traffic or filter content.

Ready to test yourself?

Try a timed practice session using only Wireless Security Protocols questions.