Wireless Security

Here you will find answers to Wireless Security Questions

Question 1

Cisco Client Management Frame Protection is running on a mobility group with two controllers. Which two MFP requirements protect the network? (Choose two)

A. forces clients to authenticate, using a secure EAP method only
B. implements the validation of wireless management frames
C. requires CCXv5
D. requires the use of a non-broadcast SSID
E. requires CCXv4

 

Answer: B C

Explanation

In order to use client MFP, clients must support CCXv5 MFP and must negotiate WPA2 with either TKIP or AES-CCMP.

When management frame validation is enabled, the AP validates every management frame that it receives from other APs in the network. It ensures that the MIC IE is present (when the originator is configured to transmit MFP frames) and matches the content of the management frame. If it receives any frame that does not contain a valid MIC IE from a BSSID that belongs to an AP, which is configured to transmit MFP frames, it reports the discrepancy to the network management system.

(Reference: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008080dc8c.shtml)

Question 2

When creating a wireless profile in the Cisco ADU and you have selected the WPA/WPA2/CCKM radio button option, what other decision must you make and then configure on this same screen?

A. the address and the server secret of the authentication device you will authenticate with
B. the encryption type
C. the EAP type to be used for authentication
D. the length and value of the pre-shared key
E. the SSID of the wireless client

 

Answer: C

Explanation

The ADU profile manager feature enables you to create and manage up to 16 profiles (saved configurations) for your client adapter. These profiles enable you to use your client adapter in different locations, each of which requires different configuration settings. For example, you may want to set up profiles for using your client adapter at the office, at home, and in public areas such as airports. After the profiles are created, you can easily switch between them without having to reconfigure your client adapter each time you enter a new location.

When selecting the WPA/WPA2/CCKM radio button option you have to select the EAP type to be used for authentication too.

Question 3

What three authentication methods are generally used in enterprise wireless networks? (Choose three)

A. AE
B. CCKM
C. EAP-FAST
D. EAP-TLS
E. PEAP
F. WEP

 

Answer: C D E

Explanation

LEAP is fundamentally weak because it provides zero resistance to offline dictionary attacks. As LEAP began to gain a massive foothold on the enterprise market, a superior form of EAP called EAP-TLS (Transport Layer Security) was readily available and was completely password cracking resistant because it didn’t rely on user passwords. EAP-TLS relied on digital certificates on both the Server and the Client end to facilitate mutual authentication and secure key exchange. Unfortunately, the need for a PKI (Public Key Infrastructure) deployment on the server end and the installed user base was too great a barrier for many organizations.

To solve the need for a PKI, FunkSoftware created Tunneled Transport Layer Security (EAP-TTLS) to ease the deployment requirements by producing a standard that only required digital certificates on the authentication server end. Digital certificates were no longer needed for the client end which posed the biggest deployment barrier of all.

Similarly Microsoft, Cisco and RSA collaborated and created their own “lite”version of EAP-TLS called PEAP which in principal was the same as EAP-TTLS and also alleviated the need for client side certificates.

But many organizations don’t want to deploy a digital certificate on their authentication server because of the $300/year price tag of a publicly trusted digital certificate nor do they want to build their own Certificate Authority server or chain of servers. So many organizations still used LEAP which is very insecure.

Cisco has responded to the threat of LEAP hacking and the reluctance of most of their customers to adopt PKI-based PEAP with their so-called “PKI-free”protocol EAP-FAST.

(Reference: http://www.techrepublic.com/article/ultimate-wireless-security-guide-an-introduction-to-leap-authentication/6148551)

Question 4

A client is attached to the Cisco Unified Wireless network using controllers. When the client is using WPA2 and EAP authentication, where are the wireless encryption keys located during the active user session? (Choose two)

A. on the access point
B. on the RADIUS server
C. on the Cisco WCS
D. on the client
E. on the Cisco WLC

 

Answer: A D

Question 5

When choosing an EAP type for your Cisco ADU security profile, what must you ensure to authenticate successfully?

A. that the client and authentication server support the same encryption protocol
B. that the EAP type selected is known not to exchange any of its credentials in the clear
C. that the EAP type that you selected is supported by the authentication server
D. that the time set on the clocks for the wireless client and the authenticator are close to the same time
E. that WEP is not selected

 

Answer: C

Question 6

Which two attacks does Management Frame Protection help to mitigate? (Choose two)

A. Eavesdropping
B. Denial of Service
C. War Driving
D. Man-in-the-Middle

 

Answer: B D

 

Explanation

In 802.11, management frames such as authentication & de-authentication , association & dis-association , beacons, and probes are always unauthenticated and unencrypted. In other words, 802.11 management frames are always sent in an unsecured manner, unlike the data traffic, which are encrypted with protocols such as WPA, WPA2, or, at least, WEP, and so forth.

This allows an attacker to spoof a management frame from the AP to attack a client that is associated to an AP. With the spoofed management frames, an attacker can perform these actions:

* Run a Denial of Service (DOS) on the WLAN
* Attempt a Man in the Middle attack on the client when it reconnects
* Run an offline dictionary attack

Management Frame Protection overcomes these pitfalls when it authenticates 802.11 management frames exchanged in the wireless network infrastructure.

(Reference: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008080dc8c.shtml)

Question 7

What security benefit is enabled by using Management Frame Protection?

A. Provides encryption of administrator sessions between a wireless client and a wireless LAN
B. Protects the network infrastructure from denial-of-service attacks that attempt to flood the network with associations and probes.
C. Prevents the formation of client ad hoc networks within the RF coverage domain.
D. Detects network reconnaissance probes, like those used by tools like NetStumbler, that attempt to discover the wireless network topology.

 

Answer: B

Question 8

The Cisco Secure Services Client suite comprises which three elements? (Choose three)

A. Cisco Secure Services Client
B. Cisco Secure Services Client Administration Utilities
C. Cisco Secure Services Client Auditor
D. Cisco Secure Services Client Desktop Configurator
E. Cisco Secure Services Client Log Packager
F. Cisco Secure Services Client Manager

 

Answer: A B E

Explanation

The Cisco Secure Services Client (SSC) is client software that provides 802.1x (Layer 2) user and device authentication for access to both wired and wireless networks.

There are three pieces of SSC software:

* The SSC itself (Cisco Secure Services Client): Client software that provides 802.1x user and device authentication for access to both wired and wireless networks.
* The Cisco Secure Services Client Administration Utilities: Allow you to create complex profiles.
* The Cisco Secure Services Client Log Packager: Connects system information for support. An administrator would create profiles using the Cisco Secure Services Client Administration Utilities, which then generate an XML file that can be deployed network-wide to all the client machines.

(Reference: CCNA Wireless Official Exam Certification Guide)

Question 9

John works as a network administrator for Web Perfect Inc. The company has a wireless LAN network. John has configured shared key authentication on a client. The client and the AP start exchanging the frames to enable authentication. Which of the following vulnerabilities may occur while the client and the AP exchange the challenge text over the wireless link?

A. Land attack
B. Vulnerability attack
C. DoS attack
D. Man-in-the-middle attack

 

Answer: D

Explanation

Man-in-the-middle attack relies on spoofing a management frame to deauthenticate or disassociate the client. The Management Frame Protection (MFP) mechanism can be used to counteract them.

Question 10

Which software is designed for both wired and wireless profile management and can access to Cisco Enterprise networks?

A. ACS
B. SSC
C. CSA
D. SSL

 

Answer: B

Explanation

The Cisco SSC is client software that provides IEEE 802.1X (Layer 2) user and device authentication, for access to both wired and wireless networks. The Cisco SSC manages user and device identity, and the network access protocols required for secure access. It works intelligently to make it simple for employees and guests to connect to a Cisco wired or wireless network.

(Reference: IUWNE Student Guide)