Check Real CWNP CWSP-208 Exam Question for Free (2026) [Q18-Q37]

Check Real CWNP CWSP-208 Exam Question for Free (2026)

Get Ready to Boost your Prepare for your CWSP-208 Exam with 122 Questions

CWNP CWSP-208 Exam Syllabus Topics:

Topic	Details
Topic 1	Vulnerabilities, Threats, and Attacks: This section of the exam evaluates a Network Infrastructure Engineer in identifying and mitigating vulnerabilities and threats within WLAN systems. Candidates are expected to use reliable information sources like CVE databases to assess risks, apply remediations, and implement quarantine protocols. The domain also focuses on detecting and responding to attacks such as eavesdropping and phishing. It includes penetration testing, log analysis, and using monitoring tools like SIEM systems or WIPS WIDS. Additionally, it covers risk analysis procedures, including asset management, risk ratings, and loss calculations to support the development of informed risk management plans.
Topic 2	Security Lifecycle Management: This section of the exam assesses the performance of a Network Infrastructure Engineer in overseeing the full security lifecycle—from identifying new technologies to ongoing monitoring and auditing. It examines the ability to assess risks associated with new WLAN implementations, apply suitable protections, and perform compliance checks using tools like SIEM. Candidates must also demonstrate effective change management, maintenance strategies, and the use of audit tools to detect vulnerabilities and generate insightful security reports. The evaluation includes tasks such as conducting user interviews, reviewing access controls, performing scans, and reporting findings in alignment with organizational objectives.
Topic 3	WLAN Security Design and Architecture: This part of the exam focuses on the abilities of a Wireless Security Analyst in selecting and deploying appropriate WLAN security solutions in line with established policies. It includes implementing authentication mechanisms like WPA2, WPA3, 802.1X EAP, and guest access strategies, as well as choosing the right encryption methods, such as AES or VPNs. The section further assesses knowledge of wireless monitoring systems, understanding of AKM processes, and the ability to set up wired security systems like VLANs, firewalls, and ACLs to support wireless infrastructures. Candidates are also tested on their ability to manage secure client onboarding, configure NAC, and implement roaming technologies such as 802.11r. The domain finishes by evaluating practices for protecting public networks, avoiding common configuration errors, and mitigating risks tied to weak security protocols.
Topic 4	Security Policy: This section of the exam measures the skills of a Wireless Security Analyst and covers how WLAN security requirements are defined and aligned with organizational needs. It emphasizes evaluating regulatory and technical policies, involving stakeholders, and reviewing infrastructure and client devices. It also assesses how well high-level security policies are written, approved, and maintained throughout their lifecycle, including training initiatives to ensure ongoing stakeholder awareness and compliance.

 

NEW QUESTION # 18
You have an AP implemented that functions only using 802.11-2012 standard methods for the WLAN communications on the RF side and implementing multiple SSIDs and profiles on the management side configured as follows:
1. SSID: Guest - VLAN 90 - Security: Open with captive portal authentication - 2 current clients
2. SSID: ABCData - VLAN 10 - Security: PEAPv0/EAP-MSCHAPv2 with AES-CCMP - 5 current clients
3. SSID: ABCVoice - VLAN 60 - Security: WPA2-Personal - 2 current clients Two client STAs are connected to ABCData and can access a media server that requires authentication at the Application Layer and is used to stream multicast video streams to the clients.
What client stations possess the keys that are necessary to decrypt the multicast data packets carrying these videos?

• A. All clients that are associated to the AP with a shared GTK, which includes ABCData and ABCVoice.
• B. All clients that are associated to the AP using the ABCData SSID
• C. All clients that are associated to the AP using any SSID
• D. Only the members of the executive team that are part of the multicast group configured on the media server

Answer: B

Explanation:
The GTK (Group Temporal Key) is used to encrypt multicast/broadcast traffic.
Each SSID has a unique GTK.
Only clients on the same SSID (ABCData) will receive and be able to decrypt multicast traffic encrypted with ABCData's GTK.
Incorrect:
A). Application-layer authentication does not affect GTK distribution.
C). Clients on other SSIDs (e.g., Guest, ABCVoice) have different GTKs and cannot decrypt ABCData's multicast traffic.
D). Each SSID uses a unique GTK; GTKs are not shared across SSIDs.
References:
CWSP-208 Study Guide, Chapter 3 (GTK Usage in Multicast)
IEEE 802.11i and CCMP Specifications

NEW QUESTION # 19
Given: A WLAN consultant has just finished installing a WLAN controller with 15 controller-based APs.
Two SSIDs with separate VLANs are configured for this network, and both VLANs are configured to use the same RADIUS server. The SSIDs are configured as follows:
SSID Blue - VLAN 10 - Lightweight EAP (LEAP) authentication - CCMP cipher suite SSID Red - VLAN 20 - PEAPv0/EAP-TLS authentication - TKIP cipher suite The consultant's computer can successfully authenticate and browse the Internet when using the Blue SSID.
The same computer cannot authenticate when using the Red SSID.
What is a possible cause of the problem?

• A. The Red VLAN does not use server certificate, but the client requires one.
• B. The client does not have a proper certificate installed for the tunneled authentication within the established TLS tunnel.
• C. The consultant does not have a valid Kerberos ID on the Blue VLAN.
• D. The TKIP cipher suite is not a valid option for PEAPv0 authentication.

Answer: B

Explanation:
PEAPv0/EAP-TLS is a tunneled EAP method that requires:
The server to present a certificate for TLS tunnel establishment.
The client to present a valid client certificate within the tunnel (in the case of EAP-TLS).
If the client does not have a valid X.509 certificate installed, authentication will fail.
Incorrect:
A). The server certificate is required for the TLS tunnel, and it is typically present; the issue here lies with the client cert.
B). TKIP is technically compatible with PEAPv0, although AES-CCMP is preferred.
D). Kerberos is unrelated to EAP authentication and VLAN use.
References:
CWSP-208 Study Guide, Chapter 4 (PEAP and EAP-TLS Authentication)
IEEE 802.1X and TLS Frameworks

NEW QUESTION # 20
Given: ABC Company secures their network with WPA2-Personal authentication and AES-CCMP encryption.
What part of the 802.11 frame is always protected from eavesdroppers by this type of security?

• A. All MPDU contents
• B. All PPDU contents
• C. All PSDU contents
• D. All MSDU contents

Answer: D

Explanation:
In WPA2-Personal with AES-CCMP:
The MSDU (MAC Service Data Unit), which includes the payload from Layer 3 and above, is encrypted.
This protects the actual application data (e.g., web content, email).
Frame headers (MAC headers) are not encrypted.
Incorrect:
B). MPDU includes MAC headers, which are not encrypted.
C). PPDU includes preamble and physical-layer components, which are never encrypted.
D). PSDU includes the MAC header and frame body; again, headers are not encrypted.
References:
CWSP-208 Study Guide, Chapter 3 (Frame Protection)
IEEE 802.11 Frame Structure Guide

NEW QUESTION # 21
When TKIP is selected as the pairwise cipher suite, what frame types may be protected with data confidentiality? (Choose 2)

• A. Robust unicast management
• B. Robust broadcast management
• C. ACK
• D. Control
• E. Data
• F. QoS Data

Answer: E,F

Explanation:
TKIP (Temporal Key Integrity Protocol) is a pairwise encryption method introduced with WPA to enhance WEP security. TKIP can protect:
D). Data frames: These are the core unicast data transmissions between clients and access points.
F). QoS Data frames: These are a subtype of data frames supporting 802.11e/WMM enhancements and are also protected under TKIP.
Incorrect:
A & B. TKIP does not support robust management frame protection. Management frame protection is handled by 802.11w with AES-CCMP and BIP.
C & E. Control frames and ACKs are never encrypted, as they need to be read by all stations regardless of encryption status.
References:
CWSP-208 Study Guide, Chapter 3 (Frame Types and Encryption)
IEEE 802.11i Standard

NEW QUESTION # 22
What statement accurately describes the functionality of the IEEE 802.1X standard?

• A. Port-based access control with EAP encapsulation over the LAN (EAPoL)
• B. Port-based access control with dynamic encryption key management and distribution
• C. Port-based access control with mandatory support of AES-CCMP encryption
• D. Port-based access control with support for authenticated-user VLANs only
• E. Port-based access control, which allows three frame types to traverse the uncontrolled port: EAP, DHCP, and DNS.

Answer: A

Explanation:
IEEE 802.1X is a port-based Network Access Control (PNAC) protocol that:
Provides authentication at the edge of the LAN (such as a wireless access point or switch port).
Encapsulates EAP messages over the LAN using the EAPoL (EAP over LAN) protocol.
This standard defines how devices are granted or denied access based on authentication status.
Incorrect:
B). Key management is part of 802.11i (not 802.1X directly).
C). VLAN assignment may occur, but it's not limited to authenticated-user VLANs.
D). AES-CCMP is a function of WPA2/802.11i, not 802.1X.
E). Only EAP is allowed over the uncontrolled port; DHCP/DNS pass only after authentication.
References:
CWSP-208 Study Guide, Chapter 4 (802.1X Framework)
IEEE 802.1X-2010 Standard

NEW QUESTION # 23
Given: One of the security risks introduced by WPA2-Personal is an attack conducted by an authorized network user who knows the passphrase. In order to decrypt other users' traffic, the attacker must obtain certain information from the 4-way handshake of the other users.
In addition to knowing the Pairwise Master Key (PMK) and the supplicant's address (SA), what other three inputs must be collected with a protocol analyzer to recreate encryption keys? (Choose 3)

• A. Authenticator address (BSSID)
• B. GTKSA
• C. Authenticator nonce
• D. Authentication Server nonce
• E. Supplicant nonce

Answer: A,C,E

Explanation:
To recreate the Pairwise Transient Key (PTK) during an offline attack on WPA2-Personal, the following components must be collected:
PMK (derived from the passphrase)
Supplicant MAC address (SA)
Authenticator MAC address (BSSID)
Supplicant Nonce (SNonce)
Authenticator Nonce (ANonce)
These values are used in the PTK derivation function:
PTK = PRF(PMK, "Pairwise key expansion", Min(AA, SPA) || Max(AA, SPA) || Min(ANonce, SNonce) || Max(ANonce, SNonce)) Incorrect:
D). GTKSA refers to the Group Temporal Key Security Association, unrelated to PTK derivation.
E). Authentication Server nonce is used in 802.1X-based Enterprise networks, not in WPA2-Personal.
References:
CWSP-208 Study Guide, Chapter 3 (WPA2-PSK Key Management)
IEEE 802.11i-2004 Standard
CWNP Learning Portal: WPA2 Handshake and PTK Derivation

NEW QUESTION # 24
Given: In a security penetration exercise, a WLAN consultant obtains the WEP key of XYZ Corporation's wireless network. Demonstrating the vulnerabilities of using WEP, the consultant uses a laptop running a software AP in an attempt to hijack the authorized user's connections. XYZ's legacy network is using 802.11 n APs with 802.11b, 11g, and 11n client devices.
With this setup, how can the consultant cause all of the authorized clients to establish Layer 2 connectivity with the software access point?

• A. If the consultant's software AP broadcasts Beacon frames that advertise 802.11g data rates that are faster rates than XYZ's current 802.11b data rates, all WLAN clients will reassociate to the faster AP.
• B. When the RF signal between the clients and the authorized AP is temporarily disrupted and the consultant's software AP is using the same SSID on a different channel than the authorized AP, the clients will reassociate to the software AP.
• C. All WLAN clients will reassociate to the consultant's software AP if the consultant's software AP provides the same SSID on any channel with a 10 dB SNR improvement over the authorized AP.
• D. A higher SSID priority value configured in the Beacon frames of the consultant's software AP will take priority over the SSID in the authorized AP, causing the clients to reassociate.

Answer: B

Explanation:
Clients seek connectivity when their connection is lost. If the attacker broadcasts a matching SSID on a different channel and the client is disconnected (via RF jamming or deauthentication), the client will often reassociate with the stronger signal or first-responding AP broadcasting the same SSID, even if it's rogue.
Incorrect:
A). SNR alone doesn't force reassociation-clients consider multiple factors.
B). SSID priority is not a standardized field influencing client behavior.
D). Clients won't reassociate based purely on advertised data rates unless connectivity is disrupted and other AP parameters are more attractive.
References:
CWSP-208 Study Guide, Chapter 5 (Hijacking and Evil Twin Attacks)
CWNP Roaming Behavior and Signal Loss Analysis
IEEE 802.11-2016 Standard (Association and Reassociation Behavior)

NEW QUESTION # 25
In what deployment scenarios would it be desirable to enable peer-to-peer traffic blocking?

• A. In corporate Voice over Wi-Fi networks with push-to-talk multicast capabilities
• B. At public hot-spots in which many clients use diverse applications
• C. In university environments using multicast video training sourced from professor's laptops
• D. In home networks in which file and printer sharing is enabled

Answer: B

Explanation:
Peer-to-peer blocking (also called client isolation) is useful in open or public WLANs to prevent devices from communicating directly with each other.
B). In public hot-spots, isolating users helps protect against malware spread, snooping, and attacks from nearby devices.
Incorrect:
A). In home networks, peer-to-peer communication is often desired for file sharing.
C). Voice over Wi-Fi may rely on peer communication (e.g., multicast).
D). In university setups using multicast, peer-to-peer restrictions could hinder functionality.
References:
CWSP-208 Study Guide, Chapter 3 (Access Control and WLAN Policies)
CWNP WLAN Best Practices for Public Networks

NEW QUESTION # 26
Given: John Smith uses a coffee shop's Internet hot-spot (no authentication or encryption) to transfer funds between his checking and savings accounts at his bank's website. The bank's website uses the HTTPS protocol to protect sensitive account information. While John was using the hot-spot, a hacker was able to obtain John's bank account user ID and password and exploit this information.
What likely scenario could have allowed the hacker to obtain John's bank account user ID and password?

• A. The bank's web server is using an X.509 certificate that is not signed by a root CA, causing the user ID and password to be sent unencrypted.
• B. John's bank is using an expired X.509 certificate on their web server. The certificate is on John's Certificate Revocation List (CRL), causing the user ID and password to be sent unencrypted.
• C. John uses the same username and password for banking that he does for email. John used a POP3 email client at the wireless hot-spot to check his email, and the user ID and password were not encrypted.
• D. Before connecting to the bank's website, John's association to the AP was hijacked. The attacker intercepted the HTTPS public encryption key from the bank's web server and has decrypted John's login credentials in near real-time.
• E. John accessed his corporate network with his IPSec VPN software at the wireless hot-spot. An IPSec VPN only encrypts data, so the user ID and password were sent in clear text. John uses the same username and password for banking that he does for his IPSec VPN software.

Answer: C

Explanation:
In this scenario, although the bank's website uses HTTPS (which encrypts communications between John's browser and the bank's server), the compromise did not occur during the banking session itself. Instead, the attacker exploited a common security mistake: credential reuse.
John reused his email credentials for his bank login, and he accessed his email using a POP3 client without encryption at a public hotspot. This means his username and password were sent in cleartext, which is trivially easy to sniff on an open wireless network. Once an attacker obtained those credentials, they could use them to log into his bank account if the same credentials were used there.
Here's how this aligns with CWSP knowledge domains:
* CWSP Security Threats & Attacks: This is a classic example of credential harvesting via cleartext protocols (POP3), and password reuse, both of which are significant risks in WLAN environments.
* CWSP Secure Network Design: Recommends use of encrypted protocols (e.g., POP3S or IMAPS) and user education against password reuse.
* CWSP WLAN Security Fundamentals: Emphasizes that open Wi-Fi networks offer no encryption by default, leaving unprotected protocols vulnerable to sniffing and interception.
Other answer options and why they are incorrect:
* A & D are invalid because an expired or unsigned certificate may cause browser warnings but won't result in sending credentials unencrypted unless the user bypasses HTTPS (which wasn't stated).
* C is incorrect: IPSec VPNs encrypt all data between the client and VPN endpoint-including credentials.
* E is technically incorrect and misleading: intercepting the public key of an HTTPS session doesn't allow decryption of the credentials due to asymmetric encryption and session key security. Real-time decryption of HTTPS traffic without endpoint compromise is not feasible.
References:
CWSP-208 Study Guide, Chapters 3 (Security Policy) and 5 (Threats and Attacks) CWNP CWSP-208 Official Study Guide CWNP Exam Objectives - WLAN Authentication, Encryption, and VPNs CWNP Whitepapers on WLAN Security Practices

NEW QUESTION # 27
What wireless security protocol provides mutual authentication without using an X.509 certificate?

• A. EAP-MD5
• B. PEAPv0/EAP-MSCHAPv2
• C. PEAPv1/EAP-GTC
• D. EAP-TLS
• E. EAP-TTLS
• F. EAP-FAST

Answer: F

Explanation:
EAP-FAST (Flexible Authentication via Secure Tunneling) provides:
Mutual authentication using Protected Access Credentials (PACs).
Does not require X.509 certificates for either client or server (although optional for servers).
Is faster and easier to deploy in environments lacking a PKI.
Incorrect:
B). EAP-MD5 provides no mutual authentication.
C). EAP-TLS requires client and server certificates.
D). PEAPv0/EAP-MSCHAPv2 requires a server certificate.
E). EAP-TTLS requires a server certificate.
F). PEAPv1/EAP-GTC still requires a server certificate.
References:
CWSP-208 Study Guide, Chapter 4 (EAP Method Comparisons)
Cisco EAP-FAST Whitepaper
Wi-Fi Alliance EAP Interoperability Matrix

NEW QUESTION # 28
Given: Your network includes a controller-based WLAN architecture with centralized data forwarding. The AP builds an encrypted tunnel to the WLAN controller. The WLAN controller is uplinked to the network via a trunked 1 Gbps Ethernet port supporting all necessary VLANs for management, control, and client traffic.
What processes can be used to force an authenticated WLAN client's data traffic into a specific VLAN as it exits the WLAN controller interface onto the wired uplink? (Choose 3)

• A. Configure the WLAN controller with static SSID-to-VLAN mappings; the user will be assigned to a VLAN according to the SSID being used.
• B. On the Ethernet switch that connects to the AP, configure the switch port as an access port (not trunking) in the VLAN of supported clients.
• C. In the WLAN controller's local user database, create a static username-to-VLAN mapping on the WLAN controller to direct data traffic from a specific user to a designated VLAN.
• D. During 802.1X authentication, RADIUS sends a return list attribute to the WLAN controller assigning the user and all traffic to a specific VLAN.

Answer: A,C,D

Explanation:
Client VLAN assignment at the controller can be achieved through:
B). RADIUS attributes (e.g., Tunnel-Private-Group-ID) for dynamic VLAN assignment.
C). Static mappings in the WLAN controller's local user DB.
D). SSID-to-VLAN bindings assign traffic from specific SSIDs to specific VLANs.
Incorrect:
A). The AP connects to the controller over a tunneled link. VLAN configuration at the AP's Ethernet port does not impact client VLAN assignment in centralized forwarding mode.
References:
CWSP-208 Study Guide, Chapter 6 (Dynamic VLAN Assignment)
CWNP WLAN Controller Configuration Guides

NEW QUESTION # 29
What is one advantage of using EAP-TTLS instead of EAP-TLS as an authentication mechanism in an 802.11 WLAN?

• A. EAP-TTLS sends encrypted supplicant credentials to the authentication server, but EAP-TLS uses unencrypted user credentials.
• B. EAP-TTLS does not require the use of a certificate for each STA as authentication credentials, but EAP- TLS does.
• C. EAP-TTLS does not require an authentication server, but EAP-TLS does.
• D. EAP-TTLS supports client certificates, but EAP-TLS does not.

Answer: B

Explanation:
EAP-TLS requires both server and client-side digital certificates, which adds complexity in client certificate management.
EAP-TTLS uses a server certificate to establish a secure TLS tunnel, after which user credentials (e.g., username/password) are sent inside the encrypted tunnel. No client certificate is needed.
Incorrect:
A). EAP-TLS also encrypts credentials using TLS.
B). EAP-TLS supports client certificates (it's the core requirement).
C). Both EAP methods require an authentication server.
References:
CWSP-208 Study Guide, Chapter 4 (EAP Methods Comparison)
CWNP EAP-TTLS Deployment Guide

NEW QUESTION # 30
Given: The Marketing department's WLAN users need to reach their file and email server as well as the Internet, but should not have access to any other network resources.
What single WLAN security feature should be implemented to comply with these requirements?

• A. RADIUS policy accounting
• B. Mutual authentication
• C. Captive portal
• D. Group authentication
• E. Role-based access control

Answer: E

Explanation:
Role-Based Access Control (RBAC) allows administrators to define user roles and enforce network access permissions based on the user's identity. By implementing RBAC in the WLAN, you can:
Grant the Marketing group access only to the file/email server and the Internet Prevent access to other internal resources This single feature enables fine-grained restriction without needing multiple SSIDs or ACLs.
Other options don't provide the necessary flexibility:
A). Mutual authentication ensures secure identity verification but doesn't control network access scope B & D & E do not provide targeted resource-level access control References:
CWSP#207 Study Guide, Chapter 6 (Access Control Policy and RBAC)

NEW QUESTION # 31
ABC Company requires the ability to identify and quickly locate rogue devices. ABC has chosen an overlay WIPS solution with sensors that use dipole antennas to perform this task. Use your knowledge of location tracking techniques to answer the question.
In what ways can this 802.11-based WIPS platform determine the location of rogue laptops or APs? (Choose
3)

• A. Time Difference of Arrival (TDoA)
• B. RF Fingerprinting
• C. Trilateration of RSSI measurements
• D. GPS Positioning
• E. Angle of Arrival (AoA)

Answer: A,B,C

Explanation:
WIPS platforms with multiple sensors can locate rogue devices using:
A). TDoA: Measures the time difference a signal takes to reach multiple sensors; requires synchronized clocks.
C). Trilateration using RSSI: Estimates distance based on signal strength from three or more known sensor positions.
E). RF Fingerprinting: Matches received signals to known RF patterns in the environment for device positioning.
AoA requires directional antennas (not typical with dipoles), and GPS is used for locating mobile sensors or vehicles, not indoor rogues.
References:
CWSP-208 Study Guide, Chapter 7 - Location Tracking Techniques
CWNP CWSP-208 Objectives: "Rogue Device Location via RSSI, TDoA, and Fingerprinting"

NEW QUESTION # 32
Given: Mary has just finished troubleshooting an 802.11g network performance problem using a laptop-based WLAN protocol analyzer. The wireless network implements 802.1X/PEAP and the client devices are authenticating properly. When Mary disables the WLAN protocol analyzer, configures her laptop for PEAP authentication, and then tries to connect to the wireless network, she is unsuccessful. Before using the WLAN protocol analyzer, Mary's laptop connected to the network without any problems.
What statement indicates why Mary cannot access the network from her laptop computer?

• A. Mary's supplicant software is using PEAPv0/EAP-MSCHAPv2, and the access point is using PEAPv1
  /EAP-GTC.
• B. The nearby WIPS sensor categorized Mary's protocol analyzer adapter as a threat and is performing a deauthentication flood against her computer.
• C. The PEAP client's certificate was voided when the protocol analysis software assumed control of the wireless adapter.
• D. The protocol analyzer's network interface card (NIC) drivers are still loaded and do not support the version of PEAP being used.

Answer: D

Explanation:
Many protocol analyzers require special drivers or place the NIC into monitor/promiscuous mode. When used this way, the original driver stack may be altered or replaced. Afterward, if not correctly reloaded, the adapter may lack full 802.1X support or required encryption features. This is likely the case here - Mary's WLAN adapter is still under the control of or affected by the analyzer's NIC driver, which doesn't support PEAP properly.
References:
CWSP-208 Study Guide, Chapter 6 - Protocol Analysis Limitations and NIC Driver Issues CWNP CWSP-208 Objectives: "Troubleshooting WLAN Authentication and Driver Conflicts"

NEW QUESTION # 33
Given: A large enterprise is designing a secure, scalable, and manageable 802.11n WLAN that will support thousands of users. The enterprise will support both 802.1X/EAP-TTLS and PEAPv0/MSCHAPv2. Currently, the company is upgrading network servers as well and will replace their existing Microsoft IAS implementation with Microsoft NPS, querying Active Directory for user authentication.
For this organization, as they update their WLAN infrastructure, what WLAN controller feature will likely be least valuable?

• A. WIPS support and integration
• B. SNMPv3 support
• C. WPA2-Enterprise authentication/encryption
• D. 802.1Q VLAN trunking
• E. Internal RADIUS server

Answer: E

Explanation:
In a large enterprise:
A central RADIUS (like Microsoft NPS) connected to Active Directory is preferred for scalability and centralized policy control.
WLAN controller internal RADIUS servers are minimal and not scalable for thousands of users.
Incorrect:
A). WPA2-Enterprise is essential for strong security.
C). WIPS support is vital for intrusion detection/prevention.
D). VLAN trunking is needed for network segmentation.
E). SNMPv3 is important for secure device monitoring and management.
References:
CWSP-208 Study Guide, Chapter 6 (WLAN Controller Capabilities and Scalability) CWNP Enterprise WLAN Design

NEW QUESTION # 34
Given: You have implemented strong authentication and encryption mechanisms for your enterprise 802.11 WLAN using 802.1X/EAP with AES-CCMP.
For users connecting within the headquarters office, what other security solution will provide continuous monitoring of both clients and APs with 802.11-specific tracking?

• A. Wireless intrusion prevention system
• B. IPSec VPN client and server software
• C. Internet firewall software
• D. RADIUS proxy server
• E. WLAN endpoint agent software

Answer: A

Explanation:
In integrated WIPS systems, radios are shared between client servicing and security scanning. To maintain quality of service for latency-sensitive applications such as VoWiFi (Voice over Wi-Fi), scanning operations may be temporarily suspended or deprioritized, potentially reducing security monitoring during those periods.
References:
CWSP-208 Study Guide, Chapter 7 - Integrated WIPS Tradeoffs
CWNP CWSP-208 Objectives: "Integrated WIPS Behavior and Performance Impact"

NEW QUESTION # 35
Given: You support a coffee shop and have recently installed a free 802.11ac wireless hot-spot for the benefit of your customers. You want to minimize legal risk in the event that the hot-spot is used for illegal Internet activity.
What option specifies the best approach to minimize legal risk at this public hot-spot while maintaining an open venue for customer Internet access?

• A. Allow only trusted patrons to use the WLAN
• B. Require client STAs to have updated firewall and antivirus software
• C. Configure WPA2-Enterprise security on the access point
• D. Block TCP port 25 and 80 outbound on the Internet router
• E. Use a WIPS to monitor all traffic and deauthenticate malicious stations
• F. Implement a captive portal with an acceptable use disclaimer

Answer: F

Explanation:
In public hotspots like coffee shops, the best way to reduce legal risk is to require users to acknowledge an Acceptable Use Policy (AUP) via a captive portal before granting network access. This approach:
Provides a legally binding acknowledgment that users agree not to misuse or engage in criminal activity Maintains an open venue while limiting liability Other options, like using WPA2-Enterprise or blocking ports, are either impractical for public use or ineffective at reducing underlying legal exposure.

NEW QUESTION # 36
You are implementing an 802.11ac WLAN and a WIPS at the same time. You must choose between integrated and overlay WIPS solutions. Which of the following statements is true regarding integrated WIPS solutions?

• A. Integrated WIPS is always more expensive than overlay WIPS.
• B. Many integrated WIPS solutions that detect Voice over Wi-Fi traffic will cease scanning altogether to accommodate the latency sensitive client traffic.
• C. Integrated WIPS always perform better from a client throughput perspective because the same radio that performs the threat scanning also services the clients.
• D. Integrated WIPS use special sensors installed alongside the APs to scan for threats.

Answer: B

Explanation:
In integrated WIPS systems, radios are shared between client servicing and security scanning. To maintain quality of service for latency-sensitive applications such as VoWiFi (Voice over Wi-Fi), scanning operations may be temporarily suspended or deprioritized, potentially reducing security monitoring during those periods.
References:
CWSP-208 Study Guide, Chapter 7 - Integrated WIPS Tradeoffs
CWNP CWSP-208 Objectives: "Integrated WIPS Behavior and Performance Impact"

NEW QUESTION # 37
......

Use Free CWSP-208 Exam Questions that Stimulates Actual EXAM : https://pass4sure.practicedump.com/CWSP-208-exam-questions.html