By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
Objective: Given a scenario, install and configure wireless security settings. Topics: - Wi-Fi Protected Access Version 2 (WPA2) - Wi-Fi Protected Access Version 3 (WPA3) - Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) - Simultaneous Authentication of Equals (SAE) - Extensible Authentication Protocol (EAP) - Protected EAP (PEAP) - EAP Flexible Authentication via Secure Tunneling (EAP-FAST) - EAP-Transport Layer Security (EAP-TLS) - EAP Tunneled Transport Layer Security (EAP-TTLS) - IEEE 802.1X - Remote Authentication Dial-In User Service (RADIUS) - pre-shared key (PSK) - Wi-Fi Protected Setup (WPS) - captive portal - site survey - heat map - Wi-Fi analyzer Access Methods As wireless technology has become nearly ubiquitous, the focus on wireless security has increased. Many improvements have been made over the years, in particular in terms of preventing unauthorized access to wireless networks. It is important to understand how access is provided to authorized clients, while ensuring that those who are not authorized are not allowed. Authentication to wireless networks is typically accomplished through one of the following methods: - Open authentication - Shared authentication - Extensible Authentication Protocol (EAP) authentication Although it is not as common as it once was, the simplest option for many wireless networks is to forgo authentication and use an open network. An open network does not provide encryption; it does not even require a password to connect. In fact, an open network does not attempt to provide any security at all. Users simply select the network name or the service set identifier (SSID) for the network. Open configuration is not recommended. Some open networks first require the user to connect through a captive portal, which is a web page that is launched first when connecting through a network. It usually requires some type of interaction before the user is allowed access to other networking or Internet sites. Open networks might use captive portals for advertising or to provide terms of use for the connecting user. Such portals are common in public places such as airports and coffee shops. The user simply clicks Accept, views an advertisement, provides an email address, or performs some other required action. The network then grants access to the user and no longer holds the user captive to the portal. Shared authentication uses a pre-shared key (PSK). Essentially, the key on the wireless access device is the same key that each user can use to connect to the network. Extensible Authentication Protocol (EAP) is commonly used in larger organizations. The authentication process is a bit more involved because an authentication server is required. EAP is an extension of Point-to-Point Protocol (PPP) and allows for flexibility in authentication, including authentication methods beyond just a username and a password. Instead of using PPP, however, the IEEE 802.1X standard defines using EAP over both wired Ethernet and wireless networks. EAP is a challenge/response protocol that can be run over secured transport mechanisms. It is a flexible authentication technology and can be used with smart cards, one-time passwords, and public key encryption. EAP also provides support for public certificates that are deployed using auto-enrollment or smart cards. These security improvements enable access control to Ethernet networks in public places such as malls and airports. Wireless Cryptographic Protocols To properly manage the risk of wireless networks and prevent unauthorized access, you must understand the wireless cryptographic protocols available. Organizations of all sizes—even home users—need to be aware of the available technologies. The industry has done a lot to help make technology simple and easy to use, but it has also introduced vulnerable technologies to make the setup and configuration of wireless clients mindlessly simple. Consider, for example, Wi-Fi Protected Setup (WPS), originally known as Wi-Fi Simple Config. WPS is an extension of the wireless standards whose purpose was to simplify for end users the process of establishing secure wireless home networks. As Wi-Fi devices entered the mainstream, setup was initially complex. Consequently, users often ran with default configurations, leaving their wireless networks wide open and easy to exploit. WPS was introduced as a better option.
WPS provides two certified modes of operation. The first requires the user to enter a PIN code when connecting devices. The second method requires the user to simply push a button on the AP and connect the wireless device. In 2011, however, a major security vulnerability was exposed; in fact, the vulnerability was so severe that the solution was to turn off WPS capabilities altogether. It turned out that the user’s PIN could be recovered through brute-force attack in as few as 11,000 guesses, or within several hours. In some cases, disabling WPS was not even enough to prevent such attacks, and a firmware upgrade was required to completely disable the feature. Wi-Fi Protected Setup should not be used. At a minimum, it should be disabled. Since WPS was determined to be insecure, several protocols have been developed to protect wireless networks. The primary goals of these cryptographic protocols are to protect the authentication and connection process and to also ensure the confidentiality of data sent through the air. Four common protocols have worked to achieve these goals: - Wired Equivalent Privacy (WEP): This original wireless encryption standard should not be used today, but it still occasionally is. Its goal was to provide security on par with that of wired networks, but WEP has many known security issues. It was superseded in 2003 by WPA. - Wi-Fi Protected Access (WPA): WPA was developed in response to security concerns over WEP. WPA is implemented using a couple different options for encryption. - Wi-Fi Protected Access Version 2 (WPA2): WPA2 further improved on WPA. Since 2006, it has been required for Wi-Fi-certified devices. WPA2 introduced the use of Advanced Encryption Standard (AES) for encryption. - Wi-Fi Protected Access Version 3 (WPA3): WPA3 added more features and strengths to the widely adopted WPA2 protocol. Specifically, WPA3 maintains strong cryptographic algorithms while improving key exchange. The Wi-Fi Alliance is a consortium of companies that has a major impact on wireless technologies. It contributes to the standards process and is responsible for certifying wireless devices. The alliance coined the term Wi-Fi and still claims it as a registered trademark. Wired Equivalent Privacy (WEP) WEP is the most basic form of encryption that can be used on IEEE 802.11-based wireless networks to ensure that data sent between a wireless client and its access point remains private. Originally, wireless networks were typically based on the IEEE 802.11 standard, which had serious data transmission security shortcomings. When this standard was put into place, the 802.11 committee adopted the WEP cryptographic protocol. To understand WEP’s shortcomings, you need to know how it operates. WEP uses a stream cipher called RC4 for encryption. RC4 uses a shared secret key to generate a long sequence of bytes from a generator. This stream is then used to produce the encrypted ciphertext. Early 802.11b networks used 40-bit encryption because of government restrictions. However, hackers can crack a 40-bit key in a few hours. Breaking RC4 encryption is much easier if an attacker can isolate a second instance of encryption with a single key. In other words, the weakness is that the same keys are used repeatedly. IEEE 802.11 is the family of standards for wireless networks maintained by the Institute of Electrical and Electronics Engineers (IEEE). Wi-Fi Protected Access (WPA) Much like WEP, Wi-Fi Protected Access (WPA) includes a method to encrypt wireless traffic between wireless clients and wireless access points. WPA has been included in 802.11-based products since WEP was deprecated in 2004. WPA includes a strategy for restricting network access and encrypting network traffic based on a shared key. The Wi-Fi Alliance developed WPA to replace WEP after security flaws were found in WEP. WPA protects networks by incorporating a set of enhanced security features. WPA-protected networks require users to enter a passkey to access the wireless network. WPA has two different modes: - WPA-Personal: Known also as WPA-PSK (Pre-Shared Key), WPA-Personal requires a password consisting of 8 to 63 characters. All devices on the wireless network must use this password. - WPA-Enterprise: Known also as WPA-802.1X mode, WPA-Enterprise requires security certificates and uses an authentication server from which the keys can be distributed. WPA-Personal and WPA-Enterprise target different users and are applicable to both WPA and WPA2. WPA-Personal is designed for home and small office use; it uses a pre-shared key and does not require a separate authentication server. WPA-Enterprise, in contrast, is better suited for larger organizations because it provides increased security. This comes with a trade-off, of course. WPA-Enterprise requires a Remote Authentication Dial-In User Service (RADIUS) authentication server, which demands additional effort for setup and maintenance. Remember that WPA2 and WPA3 provide greater protection than WPA and WEP. Furthermore, WEP has been deprecated and is no longer considered secure. Temporal Key Integrity Protocol WPA adopted the Temporal Key Integrity Protocol (TKIP). Based on RC4, TKIP was designed to overcome many limitations of WEP and delivered huge improvements in message integrity and confidentiality. TKIP uses a unique key with each packet, unlike WEP, which used the same key. In addition, TKIP provides a more robust method of doing integrity checks to prevent man-in-the-middle attacks. WPA with TKIP is a huge improvement over WEP, but TKIP has been deprecated since 2012 and is no longer considered secure. Counter Mode with Cipher Block Chaining Message Authentication Code Protocol With the introduction of WPA2, TKIP was essentially replaced with Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP), based on the Advanced Encryption Standard (AES) encryption cipher. While CCMP is more resource-intensive than TKIP, it supports much longer keys and more advanced security for data confidentiality, user authentication, and user access control. CCMP is based on the AES encryption algorithm and provides significant security improvements over TKIP. WPA is usually associated with TKIP, and WPA2 is typically linked to AES, but this pairing isn’t necessary. Wi-Fi Protected Access Version 2 (WPA2) Wi-Fi Protected Access Version 2 (WPA2), based on the IEEE 802.11i standard, provides government-grade security by implementing the AES block cipher encryption algorithm and 802.11-based authentication. WPA2 incorporates stricter security standards than WPA and is configurable in either the PSK or Enterprise mode. As with WPA, two versions of WPA2 exist: WPA2-Personal and WPA2-Enterprise. WPA2-Personal protects unauthorized network access via a password. WPA2-Enterprise verifies network users through a server. WPA2 is backward compatible with WPA and supports strong encryption and authentication for both infrastructure and ad-hoc networks. Additionally, as in WPA, WPA2 supports CCMP based on both AES and TKIP. Wi-Fi Protected Access Version 3 (WPA3) Wi-Fi Protected Access Version 3 (WPA3) was developed to replace WPA2. Like WPA2, WPA3 includes both Personal and Enterprise versions. WPA3 maintains equivalent cryptographic strength through the required use of 192-bit AES for the Enterprise version and optional 192-bit AES for the Personal version. With the Personal edition, key exchange is improved with WPA3. WPA2 uses pre-shared keys. WPA3 helps prevent offline password attacks by using Simultaneous Authentication of Equals (SAE), which allows users to choose easier-to-remember passwords and, through forward secrecy, does not compromise traffic that has already been transmitted even if the password becomes compromised. Authentication Protocols Four protocols are used with EAP and provide authentication for wireless networks:
Comparing EAP Authentication Protocols
- EAP-Transport Layer Security (EAP-TLS) - Protected EAP (PEAP) - EAP Tunneled Transport Layer Security (EAP-TTLS) - EAP Flexible Authentication via Secure Tunneling (EAP-FAST) EAP-Transport Layer Security (EAP-TLS) uses certificate-based mutual authentication, negotiation of the encryption method, and encrypted key determination between the client and the authenticating server. EAP messages are encapsulated into 802.1X packets and are marked as EAP over LAN (EAPoL). After the client sends a connection request to a wireless access point, the authenticator marks all initial communication with the client as unauthorized. Only EAPoL messages are accepted while in this mode. All other types of communication are blocked until credentials are verified with an authentication server. Upon receiving an EAPoL request from a client, the wireless access point requests logon credentials and passes them to an authentication server. RADIUS is usually employed for authentication purposes; however, 802.1X does not make it mandatory. RADIUS federation allows a user’s valid authentication to be shared across trusted entities. This trust must be established beforehand, and the RADIUS server makes assertions about the user identity and other attributes. This enables users to seamlessly roam across different wireless networks without having to reauthenticate with unique credentials of another entity. Know that RADIUS federation allows a user’s valid authentication to be shared across trusted entities. Protected EAP (PEAP) provides several additional benefits over EAP-TLS, including an encrypted authentication channel, dynamic keying material from TLS, a fast reconnect capability using cached session keys, and server authentication that guards against unauthorized access points. PEAP offers a means of protecting another EAP method within a TLS tunnel. PEAP is thus basically a secure wrapper around EAP; it is essential in preventing attacks on password-based EAP methods. As part of PEAP negotiation, the client establishes a TLS session with a RADIUS server.
Using a TLS session as part of PEAP serves several purposes: - The client can authenticate the RADIUS server; that is, the client establishes the session only with a server that holds a certificate trusted by the client. - It protects the authentication protocol from packet snooping. - Negotiation of the TLS session generates a key that the client and RADIUS server can use to establish common master keys. These keys then derive the keys used to encrypt the WLAN traffic.
Secured within the PEAP channel, the client authenticates itself to the RADIUS server using EAP. During this exchange, the traffic within the TLS tunnel is visible only to the client and the RADIUS server; it is never exposed to the wireless AP. EAP Tunneled Transport Layer Security (EAP-TTLS) is similar to PEAP but further builds on TLS. With an established secure tunnel, the server authenticates the client using authentication attributes within the TLS wrapper. EAP Flexible Authentication via Secure Tunneling (EAP-FAST) is a proposed replacement to the Lightweight Extensible Authentication Protocol (LEAP), which for years has been known to contain vulnerabilities. The goal of EAP-FAST is to provide a replacement that is also lightweight but secure. EAP-FAST also works like PEAP but does not require client or server certificates. Instead, it uses a Protected Access Credential (PAC), which is essentially a shared secret between the client and the authentication server to establish a tunnel in which authentication is then performed. For many organizations that don’t want to manage certificates, EAP-FAST might be an ideal alternative to LEAP. Each protocol is developed and backed by specific vendors. An organization’s choice of vendors might dictate the choice of solution. Organizations also need to consider their appetite for managing a certificate infrastructure and deploying certificates. Not having to worry about certificates greatly reduces the burden for many. EAP-TLS requires client and server certificates for mutual authentication. Both PEAP and EAP-TTLS eliminate the requirement to deploy client certificates. EAP-FAST does not require any certificates. Wireless Access Installations No network is complete without wireless access points. Most businesses provide wireless access for both employees and guests. With this expected convenience come security implications that must be addressed to keep the network safe from vulnerabilities and attacks. This section covers basic access point types, configurations, and preventive measures an organization can implement to mitigate risk and reduce its attack surface. Wireless local area network (WLAN) controllers are physical devices that communicate with each access point (AP) simultaneously. A centralized access controller (AC) is capable of providing management, configuration, encryption, and policy settings for WLAN access points. A controller-based WLAN design acts as a switch for wireless traffic and provides thin APs with configuration settings. Some ACs perform firewall, VPN, IDS/IPS, and monitoring functions. The level of control and management options an AC needs to provide depend on the type of access points the organization implements. Three main types of wireless access points exist: - Fat: Fat wireless access points are also sometimes called intelligent access points because they are all-inclusive: They contain everything needed to manage wireless clients, such as ACLs, quality of service (QoS) functions, VLAN support, and band steering. Fat APs can be used as standalone access points and do not need an AC. However, this capability makes them expensive because they are built on powerful hardware and require complex software. - Fit: A fit AP is a scaled-down version of a fat AP and uses an AC for control and management functions. - Thin: A thin access point is nothing more than a radio and antenna controlled by a wireless switch. Thin access points are sometimes called intelligent antennas. In some instances, APs do not perform WLAN encryption; they merely transmit or receive the encrypted wireless frames. A thin AP has minimal functionality, and a controller is required. Thin APs are simple and do not require complex hardware or software. A fat access point is also known as an intelligent or standalone access point. A thin access point is also known as an intelligent antenna and is managed by a WLAN controller. Antenna Types, Placement, and Power When designing wireless networks, it is important to configure antenna types, placement, and power output for maximum coverage and minimum interference. Four basic types of antennas are commonly used in 802.11 wireless networking applications: parabolic grid, Yagi, dipole, and vertical. Wireless antennas are either omnidirectional or directional. An omnidirectional antenna provides a 360-degree radial pattern to provide the widest possible signal coverage. An example of an omnidirectional antenna is the type of antenna commonly found on an AP. Directional antennas concentrate the wireless signal in a specific direction, limiting the coverage area. An example of a directional antenna is a Yagi antenna. The need or use determines the type of antenna required. When an organization wants to connect one building to another building, for example, a directional antenna is used. If an organization is adding Wi-Fi internally to an office building or a warehouse, an omnidirectional antenna is used. If an organization wants to install Wi-Fi in an outdoor campus environment, a combination of the two antennas is used. APs with factory-default omnidirectional antennas cover an area that is roughly circular and is affected by RF obstacles such as walls. When using this type of antenna, common practice is to place APs in central locations or divide an office into quadrants. Many APs use multiple-input, multiple-output (MIMO) or multiuser multiple-input, multiple-output (MU-MIMO) antennas. A MIMO antenna takes advantage of multipath signal reflections. Ideally, you should locate an AP as close as possible to an antenna. The farther the signal has to travel across the cabling between the AP and the antenna, the more signal loss occurs. Loss is an important factor when deploying a wireless network, especially at higher power levels. Loss occurs as a result of the signal traveling between the wireless base unit and the antenna. APs that require external antennas need additional consideration. You need to configure the antennas properly, consider what role the AP serves (AP or bridge), and consider where the antennas are placed. When an antenna is mounted on the outside of the building or when the interface between the wired network and the transceiver is placed in a corner, it locates the network signal in an area where it can easily be intercepted. Antenna placement should not be used as a security mechanism. Professional site surveys for wireless network installations and proper AP placement are sometimes used to address coverage area and security concerns. Up-front planning takes time and effort but can pay off in the long run, especially for large WLANs. Site surveys use Wi-Fi analyzers and other wireless analyzers to understand and map out the wireless infrastructure. One output is a wireless heat map, which provides a visual method for understanding coverage and signal strength. Figure 20.1 shows an example heat map of an office floor plan. In this example, the map indicates a strong signal near the placement of the wireless access point, and the signal fades toward the outside edges. These heat maps can help understand where signal interference may be an issue because of doors, building materials, microwaves, and neighboring wireless networks. An example of a wireless coverage heat map Site surveys and heat maps provide the following benefits: - Identify dead zones where there is no wireless coverage - Identify trouble areas to help eliminate slows speeds and poor performance - Automate wireless network evaluation - Help adequately build out an efficient network Physical placement and transmit power adjustments can make it harder for intruders to stay connected to your APs—but never count on physical placement alone to stop attackers. One of the principal requirements for wireless communication is that the transmitted wave must reach the receiver with ample power to allow the receiver to distinguish the wave from the background noise. An antenna that is too strong raises security concerns. Strong omnidirectional Wi-Fi signals are radiated to a greater distance into neighboring areas, where the signals can be readily detected and viewed. Minimizing transmission power reduces the chances of data leaks. Companies such as Cisco and Nortel have implemented dynamic power controls in their products. The system dynamically adjusts the power output of individual access points to accommodate changing network conditions, helping ensure predictable wireless performance and availability. Reducing the energy consumption of wireless communication devices is an important issue in WLANs. Know the mechanisms that prevent interference and increase capacity. Transmit power control is a mechanism that minimizes the unwanted interference between different wireless networks. Adaptive transmit power control in 802.11 WLANs on a per-link basis helps increase network capacity and improves the battery life of Wi-Fi-enabled mobile devices. Band direction and selection are also important parts of wireless access control management. The 2.4-GHz band used for older standards such as 802.11a/b/g is crowded and subject to both interference from other wireless devices and co-channel overlays from other access points because of the limited number (three) of nonoverlapping channels. Standards such as 802.11n and 802.11ac use the 5-GHz band, which offers 23 nonoverlapping 20-MHz channels. The newest standard, 802.11ax (Wi-Fi 6), will eventually succeed the previous standards. 802.11ax will work over both the 2.4-GHz and 5-GHz bands and will also work with the 6-GHz band. 802.11ax will provide a number of performance benefits, including the capability to avoid interference with other nearby networks. Cisco wireless LAN controllers can be configured for load balancing through band direction and band selection. Band direction allows client radios capable of operating on both 2.4-GHz and 5-GHz bands to move to a 5-GHz access point for faster throughput of network transfers. In a Cisco AP, clients receive a 2.4-GHz probe response and attempt to associate with the AP before receiving a 5-GHz probe response. Band selection works by delaying client 2.4-GHz radio probe responses, causing the client to be directed toward the 5-GHz channels. 802.11n can use 2.4 GHz or 5 GHz. The main purpose of band selection is to help the 802.11n-capable dual-band clients select 5-GHz access points. Band selection can cause roaming delays and dropped calls, so it is not recommended on voice-enabled WLANs. MAC Filter Most wireless network routers and access points can filter devices based on their MAC addresses. A MAC address is a unique identifier for network adapters. MAC filtering is a security access control method in which the MAC address is used to determine access to the network. When MAC address filtering is used, only the devices with MAC addresses configured in the wireless router or access point are allowed to connect. MAC filtering permits and denies network access through the use of blacklists and whitelists. A blacklist is a list of MAC addresses that are denied access. A whitelist is a list of MAC addresses that are allowed access. MAC addresses give a wireless network some additional protection, but they can be spoofed. An attacker can potentially capture details about a MAC address from the network and pretend to be that device in order to connect to the network. MAC filtering can be circumvented by scanning a valid MAC using a tool such as airodump-ng or Aircrack-ng Suite and then spoofing one’s own MAC address into a validated MAC address. When an attacker knows a MAC address that is not in the blacklist or is in the whitelist, MAC filtering is almost useless. Disabling SSID Broadcast A service set identifier (SSID) is used to identify a wireless access point on a network. The SSID is transmitted so that wireless stations searching for a network connection can find it. By default, SSID broadcast is enabled. When you disable this feature, the SSID configured in the client must match the SSID of the AP; otherwise, the client cannot connect to the AP. Having SSID broadcast enabled essentially makes your AP visible to any device searching for a wireless connection. To improve the security of your network, change the SSIDs on your APs. Using the default SSID poses a security risk even if the AP is not broadcasting it. When changing default SSIDs, do not change them to reflect your company’s main names, divisions, products, or address. Using such guessable SSIDs would make you an easy target for attacks such as war driving, war flying, and war chalking. With war driving, a person in a moving vehicle searches for Wi-Fi wireless networks using a portable computer or another mobile device. War flying is similar but involves the use of aircraft or drone technology. War chalking involves drawing symbols in public places to advertise open Wi-Fi networks. Keep in mind that if an SSID name is enticing enough, it might attract hackers. Turning off SSID broadcast does not effectively protect a network from attacks. Tools such as Kismet enable non-broadcasting networks to be discovered almost as easily as broadcasting networks. From a security standpoint, securing a wireless network using protocols that are designed specifically to address wireless network threats is better than disabling SSID broadcast. Turning off SSID broadcast does not effectively protect a network from attacks. It is much better to secure a wireless network using protocols that are designed specifically to address wireless network threats than to disable SSID broadcast. Quiz: 1. A member of your team made changes to the configuration of the wireless network. Existing devices are still able to connect to the network, but you are unable to find the network to connect to when trying to deploy a new laptop. What change did the team member most likely make? A. Disabled MAC filtering B. Disabled SSID broadcasting C. Enabled MAC filtering D. Enabled SSID broadcasting 2. Your users are all connected to a wireless access point using WPA2-PSK. Your manager wants you to confirm what cryptographic standard is being used. Which of the following is most likely? A. AES B. DES C. MD5 D. WEP 3. As you are deploying wireless authentication protocols, a request comes up to eliminate the need for client certificates. Which of the following requires a client certificate? A. EAP-TLS B. PEAP C. EAP-TTLS D. EAP-FAST 4. Your organization is conducting a wireless site survey for proper AP placement. Which of the following provides a visual method for understanding the coverage and signal strength and may help with this process? A. MAC filtering B. Yagi C. MU-MIMO D. Heat map 5. You want your users’ valid authentication information to be shared across trusted entities so the users can seamlessly roam across different wireless networks without having to reauthenticate. Which of the following can allow this? A. RADIUS federation B. WPA3 C. CCMP D. Captive portal Answer 1: B. The team member most likely disabled SSID broadcasting, as the network name can no longer be seen from the wireless clients. The network is still there, and existing clients can still connect as they have already been configured; however, the name of the network doesn’t show. As a result, answer D is incorrect. Answers A and C are incorrect. MAC filtering would specifically deny the clients specified from joining, but they would still see the network name if SSID broadcasting were enabled. Answer 2: A. The correct answer is AES. WPA2 introduced the use of Advanced Encryption Standard (AES) for encryption. Answer B is incorrect as DES is a deprecated algorithm. Answer C is incorrect as MD5 is a hashing algorithm. Answer D is incorrect as WEP is the original wireless encryption mechanism but is rarely used today due various security issues. Answer 3: A. EAP-TLS requires a client certificate and provides the strongest security of the protocols listed here. PEAP, EAP-TTLS, and EAP-FAST do not require client certificates, so Answers B, C, and D are incorrect. Answer 4: D. Site surveys use Wi-Fi and other wireless analyzers to understand and map out the wireless infrastructure. One output is a wireless heat map, which provides a visual method for understanding coverage and signal strength. Answer A is incorrect because MAC filtering is a security access control method in which the MAC address is used to determine access to the network. Answers B and C are incorrect because a Yagi antenna is an example of a directional antenna, and multiuser multiple-input, multiple-output (MU-MIMO) antennas take advantage of multipath signal reflections. Answer 5: A. RADIUS federation allows a user’s valid authentication to be shared across trusted entities. This enables users to seamlessly roam across different wireless networks without having to reauthenticate with the unique credentials of another entity. Answer B is incorrect because WPA3 is the latest Wi-Fi specification and offers greater wireless security for Wi-Fi-certified WPA3 devices. Answer C is incorrect. Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) is based on the AES encryption algorithm and provides significant security improvements over TKIP. Answer D is incorrect because captive portals are common in public places such as airports and coffee shops. The user simply clicks Accept, views an advertisement, provides an email address, or performs some other required action. The network then grants access to the user and no longer holds the user captive to the portal.
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.