30 questions · Wireless Security Protocols topic · All types, answers revealed
Correct. Expired or untrusted certificates cause 802.1X authentication to fail, while the guest network (likely PSK) works fine.
A customer complains that their new smartphone connects to their home Wi-Fi but has no internet access. The router is configured with WPA2-PSK and a 64-character pre-shared key. Other devices work fine. What is the most likely cause?
Correct. A mistyped 64-character password would cause authentication failure, preventing internet access even though the device appears connected.
Why this answer
WPA2-PSK with a 64-character key is extremely long and easy to mistype. The smartphone likely has an incorrect password stored, so it authenticates to the router but fails to get an IP address because the router rejects the mismatched key during the 4-way handshake.
A technician is troubleshooting a wireless network where users report intermittent connectivity and slow speeds. The network uses WPA2-Enterprise with EAP-TLS and certificate-based authentication. The technician notices that the RADIUS server logs show frequent certificate validation failures. What is the most likely root cause?
Correct. Expired client certificates cause intermittent authentication failures, leading to disconnects and reconnects.
Correct. WPA3-SAE uses AES encryption and provides stronger security than WPA2, making it the best choice.
Why this answer
WPA3-SAE uses AES encryption by default and is the most secure option. It also provides forward secrecy and protection against offline dictionary attacks. The policy requires AES, and WPA3 meets that while being the latest standard.
During a security audit, a technician discovers that a small office's wireless router is still using WPA-TKIP. The office has 20 devices, including some older smartphones that cannot support WPA2. What should the technician recommend to improve security without replacing all devices?
Correct. WPA2 with AES is secure and supported by almost all devices made after 2006, including most older smartphones.
Why this answer
WPA-TKIP is vulnerable and should be replaced. The best approach is to upgrade the router to support WPA2 and use WPA2-PSK with AES, which is backward-compatible with most devices. If some devices truly cannot support WPA2, they should be replaced or isolated.
A technician is configuring a wireless network for a school that uses Chromebooks and iPads. The network must support fast roaming and prioritize security. The technician enables WPA2-Enterprise with 802.1X. What additional configuration is needed to ensure seamless roaming between access points?
802.11r reduces the time required for re-authentication during roaming.
Why this answer
Fast roaming (802.11r) allows clients to quickly re-authenticate when moving between access points, reducing latency. WPA2-Enterprise alone does not provide fast roaming; 802.11r must be enabled on the controller and access points.
During a wireless site survey, a technician discovers that an employee has set up a personal wireless router in their cubicle, connected to the corporate network. This rogue access point is broadcasting an open SSID. Which security risk is most immediately concerning?
An open SSID means no encryption or authentication, allowing anyone to connect and potentially launch attacks or access sensitive data.
Why this answer
An open rogue access point allows anyone within range to connect to the corporate network without authentication, bypassing all security controls. This is a severe security incident. The question tests knowledge of rogue AP risks and the importance of wireless security policies.
A customer reports that their laptop frequently disconnects from the office Wi-Fi and reconnects after a few seconds. The network uses WPA2-PSK with AES encryption. The technician checks the router logs and sees repeated '4-way handshake timeout' errors. What is the most likely cause of this issue?
Weak signal can cause the 4-way handshake to time out, leading to disconnections.
Why this answer
The 4-way handshake timeout errors indicate that the laptop cannot complete the WPA2 authentication process, often due to signal interference or weak signal strength. While other options could cause connectivity issues, the specific handshake timeout points to a problem with the wireless signal or authentication process.
A technician is setting up a guest Wi-Fi network in a coffee shop. The owner wants customers to be able to connect easily without entering a password, but still wants basic encryption to prevent eavesdropping. Which security configuration should the technician use?
An open network allows easy access without a password, and a captive portal can enforce acceptable use, but it does not encrypt traffic; this matches the owner's request for no password.
Why this answer
WPA3-Personal offers an 'Enhanced Open' mode (OWE) that provides encryption without a password, but WPA2-PSK with a simple password is more common. However, the scenario explicitly asks for 'no password' and 'basic encryption'. The correct answer is to use an open network with a captive portal, but that doesn't provide encryption.
The best compromise is to use WPA3-Enhanced Open (OWE) if supported, but since that may not be an option, the technician might use an open network with a captive portal. Among the options, the correct one is to use an open network with a captive portal for ease of access, but encryption is not provided. However, the question expects the technician to explain that an open network cannot provide encryption.
The correct answer is to use a captive portal on an open network, acknowledging the lack of encryption. This tests understanding of trade-offs between security and convenience.
A technician is setting up a wireless network for a small office that handles sensitive client data. The office has a mix of modern laptops and a few legacy printers that only support WEP. What should the technician do to maintain security while keeping the printers functional?
Correct. This isolates the insecure WEP traffic to the printer VLAN, protecting the main network and sensitive data.
A company's IT policy requires that all wireless connections use certificate-based authentication to prevent unauthorized access. The network is currently using WPA2-PSK. Which configuration change is necessary to meet this policy?
WPA2-Enterprise supports 802.1X authentication, which can use certificates issued by a RADIUS server, meeting the policy requirement.
A network administrator is investigating a security incident where an attacker captured the 4-way handshake of a WPA2-PSK network and successfully cracked the passphrase. Which protocol change would most effectively prevent this type of attack in the future?
Correct. WPA3-SAE uses SAE, which eliminates the possibility of offline dictionary attacks by design, making handshake capture useless.
Why this answer
WPA3-SAE uses Simultaneous Authentication of Equals (SAE), which provides forward secrecy. This means that even if an attacker captures the handshake, they cannot crack the passphrase offline because the handshake does not contain enough information to derive the key.
A user reports that their smartphone cannot connect to the office Wi-Fi, but other devices can. The network uses WPA2-Enterprise with PEAP-MSCHAPv2. The technician checks the phone's settings and sees that it is configured for WPA2-PSK. What is the most likely reason for the connection failure?
Why this answer
WPA2-Enterprise requires a username and password or certificate for authentication, not a pre-shared key. The phone's WPA2-PSK setting is incompatible with the network's authentication method.
A user's laptop running Windows 10 Pro connects to the corporate Wi-Fi but cannot access internal resources. The network uses WPA2-Enterprise with PEAP-MSCHAPv2. The laptop's wireless profile is configured correctly. Other users in the same office can access resources. What is the most likely cause?
PEAP-MSCHAPv2 uses domain credentials; an account issue would prevent successful authentication and network access.
Why this answer
In a WPA2-Enterprise environment, the user's domain credentials are used for authentication. If the account is locked or the password has expired, authentication will fail even though the wireless association succeeds. This tests understanding of enterprise authentication integration.
A security incident occurs where an attacker captures the 4-way handshake of a WPA2-PSK network and successfully cracks the passphrase offline. The technician is tasked with preventing this type of attack in the future. Which protocol should the technician implement?
WPA3-SAE uses SAE, which is resistant to offline dictionary attacks, even if the handshake is captured.
A small business owner reports that after upgrading their wireless router to a newer model, their older laptops running Windows 7 cannot connect to the Wi-Fi network. The new router is configured with WPA3-Personal. Which of the following is the most likely reason for the connectivity failure?
WPA3 is a newer security standard; older hardware and drivers often lack support, forcing a fallback to WPA2 or causing connection failures.
A network administrator is configuring a new wireless network for a hospital that requires the highest level of security for patient data. The network must support 802.1X authentication with smart cards. Which combination of security protocols and authentication methods should be used?
WPA2-Enterprise supports 802.1X, and EAP-TLS uses certificates for mutual authentication, compatible with smart cards.
Why this answer
A technician is configuring a new wireless network for a school. The network must support hundreds of student devices simultaneously and provide strong security. The school wants to use a single SSID with individual logins for students. Which security protocol should the technician choose?
Correct. WPA3-Enterprise provides individual authentication via 802.1X and uses 192-bit encryption, meeting the school's needs for security and scalability.
A technician is setting up a wireless network for a home office. The client is concerned about neighbors accessing their internet. The technician enables WPA2-PSK with a strong passphrase. Which additional step should the technician take to ensure the network is as secure as possible?
WPS is a common attack vector; disabling it forces attackers to crack the passphrase directly.
Why this answer
Disabling WPS prevents attackers from using brute-force attacks to guess the PIN and retrieve the passphrase. WPA2-PSK with a strong passphrase is secure, but WPS can bypass that security.
A customer calls saying their home Wi-Fi network suddenly stopped working after they changed the router's security mode from WPA2-PSK to WPA2-Enterprise. All their devices previously connected fine. What is the most likely cause of the problem?
WPA2-Enterprise relies on 802.1X authentication with a RADIUS server; home networks typically do not have this infrastructure, so devices cannot authenticate.
A small business owner reports that after upgrading their wireless router to a newer model, several older laptops running Windows 7 can no longer connect to the Wi-Fi network. The new router is configured to use WPA3. What is the most likely reason for the connection failures?
Correct. Older Windows 7 laptops typically lack WPA3 support in both drivers and OS, making them unable to authenticate with a WPA3-only network.
During a security audit at a law firm, the IT manager wants to ensure that all wireless communication is encrypted with the strongest available standard that is also compatible with their mix of Windows 10 laptops and iOS tablets. Which security protocol should you recommend?
WPA3-Personal provides the strongest security for a small office environment without a RADIUS server, and is backward compatible with WPA2 devices.
Why this answer
WPA3 is the latest Wi-Fi security standard, offering stronger encryption (GCMP-256) and improved authentication (SAE). It is backward compatible with WPA2 devices, making it suitable for mixed environments. This question tests knowledge of current wireless security standards and their compatibility.
During a security audit, a technician discovers that a company's wireless network uses WEP encryption. The network has been in place for 10 years and still uses the original router. What is the most immediate security risk?
WEP's weak RC4 encryption allows attackers to capture packets and derive the key quickly.
Why this answer
WEP encryption is fundamentally flawed and can be cracked in minutes with readily available tools. This is the most pressing risk, as it allows attackers to decrypt traffic and potentially access the network.
A company's security policy mandates that all wireless traffic must be encrypted using a protocol that is resistant to KRACK attacks. The current network uses WPA2-PSK with AES. Which of the following upgrades should be implemented to meet this requirement?
WPA3 uses SAE, which is resistant to KRACK attacks because it uses a different handshake process that prevents key reinstallation.
Why this answer
KRACK attacks exploit vulnerabilities in the WPA2 protocol's four-way handshake. WPA3 is designed to mitigate these attacks through the use of SAE (Simultaneous Authentication of Equals) and 256-bit encryption. This question tests knowledge of specific vulnerabilities and the corresponding protocol improvements.
A user reports that their Windows 11 laptop can see the office Wi-Fi network but fails to connect, displaying 'Can't connect to this network'. Other users with the same laptop model connect without issues. The network uses WPA2-PSK with AES. What should you check first?
This clears any incorrect saved credentials and allows the user to enter the correct passphrase, resolving authentication mismatches.
Why this answer
A mismatch in the saved passphrase is a common cause of connection failures when the network is visible. The correct answer is to forget the network and re-enter the correct passphrase. This tests troubleshooting skills for wireless authentication issues.
A technician is configuring a wireless network for a new office. The network must support legacy devices that only support WPA-TKIP, but the technician also wants to maximize security for modern devices. Which configuration should the technician use?
This isolates legacy devices on a less secure network while allowing modern devices to use the stronger encryption.
Why this answer
WPA2-PSK with AES is the most secure option, but it is not backward compatible with WPA-TKIP devices. The technician must choose between compatibility and security; the best practice is to upgrade legacy devices or use a separate network for them.
A user reports that their laptop frequently disconnects from the office Wi-Fi and reconnects after a few seconds. The network uses WPA2-Enterprise with PEAP-MSCHAPv2. Other users do not experience this issue. What is the most likely cause?
Correct. Intermittent certificate rejection during reauthentication causes the laptop to disconnect and then reconnect after a new authentication attempt.
Why this answer
PEAP-MSCHAPv2 is prone to authentication timeouts if the RADIUS server is slow or if the client's certificate validation fails. This can cause periodic disconnects. The issue is specific to the client's configuration or certificate trust.
A technician is troubleshooting a wireless network where users report intermittent connectivity. The network uses WPA2-Enterprise with a RADIUS server. The technician notices that the RADIUS server logs show frequent authentication failures from one specific access point. What is the most likely cause?
The shared secret is used for authentication between the AP and RADIUS server; a mismatch causes failures.
Why this answer
A mismatched pre-shared key or RADIUS secret between the access point and the RADIUS server will cause authentication failures. Other options like channel interference or encryption mismatch would not specifically show RADIUS authentication failures.
A small business owner wants to replace their old wireless router because guests have been using the network to access inappropriate content. The owner wants to isolate guest traffic from the main business network and enforce content filtering. Which combination of wireless security and features should the technician recommend?
A guest network isolates traffic, and DNS-based content filtering blocks inappropriate sites.
Ready to test yourself?
Try a timed practice session using only Wireless Security Protocols questions.