CWNP CWSP-207 問題集

質問 1：
Which one of the following describes the correct hierarchy of 802.1X authentication key derivation?
A. After successful EAP authentication, the RADIUS server generates a PMK. A separate key, the MSK, is derived from the AAA key and is hashed with the PMK to create the PTK and GTK.
B. The PMK is generated from a successful mutual EAP authentication. When mutual authentication is not used, an MSK is created. Either of these two keys may be used to derive the temporal data encryption keys during the 4-way handshake.
C. The MSK is generated from the 802.1X/EAP authentication. The PMK is derived from the MSK. The PTK is derived from the PMK, and the keys used for actual data encryption are a part of the PTK.
D. If passphrase-based client authentication is used by the EAP type, the PMK is mapped directly from the user's passphrase. The PMK is then used during the 4-way handshake to create data encryption keys.
正解：C

質問 2：
You are configuring seven APs to prevent common security attacks. The APs are to be installed in a small business and to reduce costs, the company decided to install all consumer-grade wireless routers. The wireless routers will connect to a switch, which connects directly to the Internet connection providing 50 Mbps of Internet bandwidth that will be shared among 53 wireless clients and 17 wired clients.
To ensure the wireless network is as secure as possible from common attacks, what security measure can you implement given only the hardware referenced?
A. WPA-Enterprise
B. WPA2-Enterprise
C. WPA2-Personal
D. 802.1X/EAP-PEAP
正解：C

質問 3：
When TKIP is selected as the pairwise cipher suite, what frame types may be protected with data confidentiality? (Choose 2)
A. QoS Data
B. Control
C. Robust broadcast management
D. ACK
E. Data
F. Robust unicast management
正解：A,E

質問 4：
Given: In XYZ's small business, two autonomous 802.11ac APs and 12 client devices are in use with WPA2-Personal.
What statement about the WLAN security of this company is true?
A. An unauthorized WLAN user with a protocol analyzer can decode data frames of authorized users if he captures the BSSID, client MAC address, and a user's 4-Way Handshake.
B. A successful attack against all unicast traffic on the network would require a weak passphrase dictionary attack and the capture of the latest 4-Way Handshake for each client.
C. An unauthorized wireless client device cannot associate, but can eavesdrop on some data because WPA2-Personal does not encrypt multicast or broadcast traffic.
D. Intruders may obtain the passphrase with an offline dictionary attack and gain network access, but will be unable to decrypt the data traffic of other users.
E. Because WPA2-Personal uses Open System authentication followed by a 4-Way Handshake, hijacking attacks are easily performed.
正解：B

質問 5：
You are using a protocol analyzer for random checks of activity on the WLAN. In the process, you notice two different EAP authentication processes. One process (STA1) used seven EAP frames (excluding ACK frames) before the 4-way handshake and the other (STA2) used 11 EAP frames (excluding ACK frames) before the
4-way handshake.
Which statement explains why the frame exchange from one STA required more frames than the frame exchange from another STA when both authentications were successful? (Choose the single most probable answer given a stable WLAN.)
A. STA1 is a reassociation and STA2 is an initial association.
B. STA1 and STA2 are using different EAP types.
C. STA2 has retransmissions of EAP frames.
D. STA1 is a TSN, and STA2 is an RSN.
E. STA1 and STA2 are using different cipher suites.
正解：B

質問 6：
Given: You are installing 6 APs on the outside of your facility. They will be mounted at a height of 6 feet.
What must you do to implement these APs in a secure manner beyond the normal indoor AP implementations?
(Choose the single best answer.)
A. User external antennas.
B. Use internal antennas.
C. Ensure proper physical and environmental security using outdoor ruggedized APs or enclosures.
D. Power the APs using PoE.
正解：C

質問 7：
When using the 802.1X/EAP framework for authentication in 802.11 WLANs, why is the 802.1X Controlled Port still blocked after the 802.1X/EAP framework has completed successfully?
A. The 802.1X Controlled Port is blocked until Vender Specific Attributes (VSAs) are exchanged inside a RADIUS packet between the Authenticator and Authentication Server.
B. The 802.1X Controlled Port is always blocked, but the Uncontrolled Port opens after the EAP authentication process completes.
C. The 4-Way Handshake must be performed before the 802.1X Controlled Port changes to the unblocked state.
D. The 802.1X Controlled Port remains blocked until an IP address is requested and accepted by the Supplicant.
正解：C