CWNP Updated CWSP-208 Exam Questions and Answers by mae

After deploying a WIPS, an essential baseline activity is to classify all detected devices in the RF environment. These classifications allow the system to enforce security policies and detect policy violations. Classifications include:

Authorized (managed devices)

Rogue (unauthorized, possibly dangerous)

Neighbor (not part of your network but legitimate)

External or Ad hoc devices

Without this initial classification, WIPS cannot properly assess threats or trigger alarms.

WIPS systems often enforce policies based on MAC addresses and associated hardware fingerprints. If Joe uses a different wireless adapter than the one authorized, it may trigger a rogue device or unauthorized client alarm—even if it’s the same laptop. This behavior is common in environments with strict WIPS enforcement policies.

When compliance reporting and forensic analysis are required and the WLAN vendor’s centralized management system does not provide it, deploying a dedicated overlay WIPS is the most effective solution. Overlay WIPS uses dedicated sensors independent of the WLAN’s operational radios, offering detailed threat detection, compliance logging, and reporting capabilities that often surpass native WLAN features.

The AKM (Authentication and Key Management) Suite List field within the RSN Information Element defines which authentication methods are supported by the AP. This field distinguishes between PSK (Pre-Shared Key) and Enterprise (802.1X) modes:

AKM Suite OUI 00-0F-AC:1 = WPA2-Personal (PSK)

AKM Suite OUI 00-0F-AC:2 = WPA2-Enterprise (802.1X)

By examining this field in Beacon or Probe Response frames, a protocol analyzer can determine the authentication method enforced by the BSS.