Chapter 20: Quiz – Authenticating Wireless Clients (Answers) CCNPv8 ENCOR

Explanation: Encapsulation of EAP data between the authenticator and the authentication server is performed using RADIUS.

Explanation: A good way to remember wireless security standards is to consider how they evolved from WEP to WPA, then to WPA2. Each evolution increased security measures.

Explanation: The devices involved in the 802.1X authentication process are as follows:

• The supplicant, which is the client that is requesting network access
• The authenticator, which is the switch that the client is connecting to and that is actually controlling physical network access
• The authentication server, which performs the actual authentication

Explanation: Network mode is not an authentication mode, it refers to WLAN standards for 802.11a/b/g/n/ac/ad and the ability for access points to operate in mixed mode to support different standards, but it is not an authentication mode. Open authentication is a null authentication mode because wireless connectivity is granted to any wireless device. This authentication is used where security is not a concern. Passive mode is not an authentication mode, it refers to the open advertisement of the SSID, standards, and security settings by an access point. Shared-key authentication uses a pre-shared key between the client and the access point.

Explanation: WPA2 is the Wi-Fi alliance version of 802.11i, the industry standard for authentication. Neither WEP nor WPA possess the level of authentication provided by WPA2. AES aligns with WPA2 as an encryption standard, and is stronger than TKIP or RC4. PSK refers to pre-shared passwords, an authentication method that can be used by either WPA or WPA2. EAP is intended for use with enterprise networks which use a RADIUS server.

Explanation: WPA2 Enterprise relies on an external RADIUS server to authenticate clients when they attempt to connect. WEP and WPA/WPA2 Personal both use a pre-shared key that the clients must know in order to authenticate.

Explanation: The devices involved in the 802.1X authentication process are as follows:

• The supplicant, which is the client that is requesting network access
• The authenticator, which is the switch that the client is connecting and that is actually controlling physical network access
• The authentication server, which performs the actual authentication

Explanation: Wireless communications are inherently insecuer and require encryption to protect the data being transmitted. The Wi-Fi Alliance developed WPA and WPA2 as protocols to secure wireless networks. WPA is the older of the two protocols and considered vulnerable to hacking attacks, and therefore WPA2 is recommended.

Explanation: Remote Authentication Dial-In User Service (RADIUS) is a protocol and server software that provides user-based authentication for an organization. When a WLAN is configured to use a RADIUS server, users will enter username and password credentials that are verified by the RADIUS server before allowing to the WLAN.

Explanation: It is never safe to connect to an open (unsecured) wireless network (especially in a public area) unless the network is being used to create a VPN connection to a remote network.

Explanation: The Extensible Authentication Protocol (EAP) for wireless networks supports multiple authentication mechanisms. The authentication methods must match between the supplicant and the authentication server.

Explanation: WebAuth requires the user to use a web browser and read information or accept policies before being granted access to the network.

Explanation: Open Authentication requires no other mechanism. The wireless client must simply send an 802.11 authentication request to the AP.

Explanation: Open Authentication cannot be used with authentication methods based on PSK, EAP, or 802.1x, because they are mutually exclusive. It can be used with WebAuth to allow wireless clients to easily connect and view or authenticate through a web page.

Explanation: The same key must be configured on all client devices that will need to connect to the WLAN. In addition, the key must be configured on all APs and WLCs where the WLAN will exist. These keys are not normally unique to each wireless client unless the identity PSK feature is used in conjunction with ISE. PSK-based authentication does not require a RADIUS server.

Explanation: The WPA, WPA2, and WPA3 personal modes all use Pre-Shared Key authentication.

Explanation: Each successive WPA version is considered to be more secure than its predecessor. Therefore, WPA3 is the most secure due to its new and more complex features.

Explanation: The personal modes of all WPA versions use Pre-Shared Key authentication.

Explanation: EAP works in conjunction with 802.1x in WPA enterprise mode.

Explanation: A controller becomes an authenticator in the 802.1x process.

Explanation: The supplicant is located on the wireless client. The WLC becomes the authenticator, and the RADIUS server is the authentication server (AS).

Explanation: WebAuth authentication can display policies and require interaction from the end user, provided that the user opens a web browser after attempting to connect to the WLAN. WebAuth can integrate with the other authentication methods, but it is the only one that can display the policy and receive the users’ acceptance.