CCNP Voice FAQ: Introducing 802.1x and Configuring Encryption and Authentication on Lightweight Access Points

Q1. Which of the following is not an issue or a weakness of initial WLAN security approaches?
A. Relying on SSID as a security measure

B. Relying on MAC filters

C. Overhead of mutual authentication between wireless clients and access control/authentication servers

D. Usage of static WEP

Answer: C

Q2. Which of the following is not considered a weakness of WEP?
A. With enough data captured, even with an initialization vector used, the WEP key can be deduced.

B. WEP is vulnerable to dictionary attacks.

C. Because with basic WEP the wireless client does not authenticate the access point, the client can be victimized by rogue access points.

D. The WEP usage of certificates is not convenient for some customers.

Answer: D

Q3. Which of the following organizations developed LEAP to address the shortcomings of WEP?
A. Wi-Fi Alliance Group
B. Cisco
C. IEEE
D. Microsoft

Answer: B

Q4. Which of the following organizations developed WPA?
A. Wi-Fi Alliance Group
B. Cisco
C. IEEE
D. Microsoft

Answer: A

Q5. Which of the following is not a required component for 802.1x authentication?
A. External user database
B. Supplicant (EAP-capable client)
C. Authenticator (802.1x-capable access point)
D. Authentication server (EAP-capable RADIUS server)

Answer: A

Q6. Which of the following is not a LEAP feature?
A. Usage of PKI

B. Fast, secure roaming with Cisco or Cisco-compatible clients

C. True single login with an existing username and password using Windows NT/2000 Active Directory (or Domain)

D. Support for a wide range of operating systems (such as Microsoft, Macintosh, Linux, and DOS).

Answer: A

Q7. Which of the following is not an EAP-FAST feature?
A. Provides full support for 802.11i, 802.1x, TKIP, and AES

B. Supports Windows single sign-on for Cisco Aironet clients and Cisco-compatible clients

C. Uses certificates (PKI)

D. Supports password expiration or change (Microsoft password change)

Answer: C

Q8. Which of the following is an EAP-TLS feature?
A. It uses PKI.

B. Its supported clients include Microsoft Windows 2000, XP, and CE, plus non-Windows platforms with third-party supplicants such as Meetinghouse.

C. It permits a single logon to a Microsoft domain.

D. All of the above.

Answer: D

Q9. Which of the following is not true about PEAP?
A. It builds an encrypted tunnel in Phase 1.
B. Only the server authentication is performed using PKI certificate.
C. All PEAP varieties support single login.
D. Cisco Systems, Microsoft, and RSA Security developed PEAP.

Answer: C

Q10. When you use a web browser to access a WLC GUI to modify or configure the encryption and authentication settings of a wireless LAN, which item of the main toolbar should you click on first?
A. Security
B. Configure
C. WLAN
D. Management

Answer: C

Q11. What is a rogue access point, and what are its dangers?

Answer: Rogue access points pose a threat to wireless LANs. A rogue access point is illegitimate; it has been installed without authorization. If an attacker installs a rogue access point and clients associate with it, the attacker can easily collect sensitive information such as keys, usernames, passwords, and MAC addresses. Unless the client has a way of authenticating the access point, a wireless LAN should have a method to detect rogue access points so that they can be removed. Furthermore, rogue access points are sometimes installed by attackers intending to interfere with normal operations and effectively launch denial of service attacks.

Q12. Specify at least two weaknesses of basic 802.11 (WEP) security.

Answer: Following are the weaknesses of basic 802.11 (WEP) security:

  • A lack of mutual authentication makes WEP vulnerable to rogue access points.
  • Usage of static keys makes WEP vulnerable to dictionary attacks.
  • Even with the use of an initialization vector (IV), attackers can deduce WEP keys by capturing enough data.
  • Configuring clients with the static WEP keys is nonscalable.

Q13. Specify at least two benefits of LEAP over the basic 802.11 (WEP).

Answer: Following are the benefits of LEAP over the basic 802.11 (WEP):

  • Server-based authentication (leveraging 802.1x) using passwords, one-time tokens, public key infrastructure (PKI) certificates, or machine IDs
  • Usage of dynamic WEP keys (also called session keys) through reauthenticating the user periodically and negotiating a new WEP key each time (Cisco Key Integrity Protocol or CKIP)
  • Mutual authentication between the wireless client and the RADIUS server
  • Usage of Cisco Message Integrity Check (CMIC) to protect against inductive WEP attacks and replays

Q14. Specify at least one benefit and one drawback of WPA2 over WPA.

Answer: The main improvements of WPA2 over WPA are the usage of the Advanced Encryption Standard (AES) for encryption and the usage of an Intrusion Detection System (IDS). However, WPA2 is more CPU-intensive than WPA, mostly because of the usage of AES; therefore, WPA2 usually requires a hardware upgrade.

Q15. Provide at least three important features and benefits of 802.1x/EAP.

Answer: The important features and benefits of 802.1x/EAP are as follows:

  • Usage of RADIUS server for AAA centralized authentication
  • Mutual authentication between the client and the authentication server
  • Ability to use 802.1x with multiple encryption algorithms, such as AES, WPA TKIP, and WEP
  • Without user intervention, the ability to use dynamic (instead of static) WEP keys
  • Support of roaming

Q16. What are the required components for 802.1x authentication?

Answer: The required components for 802.1x authentication are as follows:

  • EAP-capable client (the supplicant)
  • 802.1x-capable access point (the authenticator)
  • EAP-capable RADIUS server (the authentication server)

Q17. What is the role of EAP client supplicant?

Answer: The EAP-capable client requires an 802.1x-capable driver and an EAP supplicant. The supplicant might be provided with the client card, be native in the client operating system, or be obtained from a third-party software vendor. The EAP-capable wireless client (with the supplicant) sends authentication credentials to the authenticator.

Q18. Specify at least three of the main features and benefits of EAP-FAST.

Answer: Following are the main features and benefits of EAP-FAST:

  • Supports Windows single sign-on for Cisco Aironet clients and Cisco-compatible clients
  • Does not use certificates or require Public Key Infrastructure (PKI) support on client devices
  • Provides for a seamless migration from Cisco LEAP
  • Supports Windows 2000, Windows XP, and Windows CE operating systems
  • Provides full support for 802.11i, 802.1x, TKIP, and AES
  • Supports password expiration or change (Microsoft password change)

Q19. What are the three phases of EAP-FAST?

Answer: EAP-FAST has three phases:
Phase 0: Provision PAC
Phase 1: Establish secure tunnel
Phase 2: Client authentication

Q20. Provide at least two important features or facts about EAP-TLS.

Answer: The important features and facts about EAP-TLS are these:

  • EAP-TLS uses the Transport Layer Security (TLS) protocol.
  • EAP-TLS uses Public Key Infrastructure (PKI).
  • EAP-TLS is one of the original EAP authentication methods, and it is used in many environments.
  • The supported clients for EAP-TLS include Microsoft Windows 2000, XP, and CE, plus non-Windows platforms with third-party supplicants, such as Meetinghouse.
  • One of the advantages of Cisco and Microsoft implementation of EAP-TLS is that it is possible to tie the Microsoft credentials of the user to the certificate of that user in a Microsoft database, which permits a single logon to a Microsoft domain.

Q21. Provide at least two important features or facts about PEAP.

Answer: The important features and facts about PEAP are as follows:

  • PEAP was developed by Cisco Systems, Microsoft, and RSA Security and submitted to the IETF.
  • With PEAP, only the server authentication is performed using a PKI certificate.
  • PEAP works in two phases. In Phase 1, server-side authentication is performed and an encrypted tunnel (TLS) is created. In Phase 2, the client is authenticated using either EAP-GTC or EAP-MSCHAPv2 within the TLS tunnel.
  • PEAP-MSCHAPv2 supports single sign-on, but the Cisco PEAP-GTC supplicant does not support single logon.

Q22. Specify at least two important features of WPA.

Answer: Following are the important features of WPA:

  • Authenticated key management: WPA performs authentication using either IEEE 802.1x or preshared key (PSK) prior to the key management phase.
  • Unicast and broadcast key management: After successful user authentication, message integrity and encryption keys are derived, distributed, validated, and stored on the client and the AP.
  • Utilization of TKIP and MIC: Temporal Key Integrity Protocol (TKIP) and Message Integrity Check (MIC) are both elements of the WPA standard, and they secure a system against WEP vulnerabilities such as intrusive attacks.
  • Initialization vector space expansion: WPA provides per-packet keying (PPK) via initialization vector (IV) hashing and broadcast key rotation. The IV is expanded from 24 bits (as in 802.11 WEP) to 48 bits.

Q23. What are the three key security features that the 802.11i standard has offered?

Answer: 802.11i has three key security features:

  • 802.1x authentication
  • Advanced Encryption Standard (AES) encryption algorithm
  • Key management (similar to WPA)

Q24. Provide at least two important features/facts about WPA2.

Answer: The important features/facts about WPA2 are as follows:

  • It uses 802.1x for authentication. (It also supports preshared keys.)
  • It uses a similar method of key distribution and key renewal to WPA.
  • It supports PKC.
  • It implements AES.
  • It uses IDS.

Q25. List at least three services that wireless IDS provides to address RF and standards-based vulnerabilities.

Answer: The services that wireless IDS provides to address RF and standards-based vulnerabilities are as follows:

  • Detect, locate, and mitigate rogue devices.
  • Detect and manage RF interference.
  • Detect reconnaissance.
  • Detect management frames and hijacking attacks.
  • Enforce security configuration policies.
  • Perform forensic analysis and compliance reporting as complementary functions.

Q26. What are the two modes of WPA and WPA2?

Answer: WPA and WPA2 have two modes: Enterprise mode and Personal mode. Each mode has encryption support and user authentication. Products that support both the preshared key (PSK) and the 802.1x authentication methods are given the term Enterprise mode. Enterprise mode is targeted at medium to large environments such as education and government departments. Products that only support PSK for authentication and require manual configuration of a preshared key on the access point and clients are given the term Personal mode. Personal mode is targeted at small business environments such as small office, home office (SOHO).

About the author

Scott