Refer to the exhibit. The network engineer is configuring a new WLAN and is told to use a setup password for authentication instead of the RADIUS servers. Which additional set of tasks must the engineer perform to complete the configuration?
A. Disable PMF, Enable PSK, Enable 802.1x
B. Select WPA Policy, Enable CCKM, Enable PSK
C. Select WPA Policy, Select WPA2 Policy, Enable FT PSK
The correct option for this scenario would be D. Select WPA2 Policy Disable PMF Enable PSK.
When configuring a WLAN to use a setup password for authentication instead of RADIUS servers, the following tasks must be performed:
Select WPA2 Policy: The engineer should select WPA2 (Wi-Fi Protected Access II) as the security policy for the WLAN. WPA2 is a widely used security protocol that provides strong encryption and authentication for wireless networks.
Disable PMF: PMF (Protected Management Frames) is a security feature that helps protect against certain types of attacks on wireless networks. However, it may cause compatibility issues with some client devices. Therefore, it should be disabled when using a setup password for authentication.
Enable PSK: PSK (Pre-Shared Key) is a form of authentication that uses a shared password or passphrase to authenticate clients on the wireless network. When using a setup password for authentication, the engineer should enable PSK and set the shared password or passphrase.
But PMF is a security feature of WPA3, so I guess there's no need to keep it enabled, since we're using WPA2, isn't that right? I believe so. Please correct me if I'm wrong.
studying_1 you are correct. See what the Official Cisco Guide says:
"WPA3 includes other features that WPA and WPA2 do not have, such as SAE (Simultaneous Authentication of Equals), Forward Secrecy, and PMF (Protected Management Frames)." (OCG Wendell Odom v1)
(The correct answer is D. "need to disable PMF")
***and from what I understand, when using the PMF, you would also need to enable the "PMF PSK", and not just the "PSK". I agree that this PMF (802.11w) config is meant to be misleading.***
D. Select WPA2 Policy Disable PMF Enable PSK
Here's why:
Selecting the WPA2 Policy ensures that the WLAN uses WPA2 for secure authentication.
Disabling PMF (Protected Management Frames) is necessary if you're not using RADIUS or other advanced security mechanisms.
Enabling PSK (Pre-Shared Key) allows the use of a setup password for authentication instead of RADIUS servers.
Better option would be
- Enable WPA2
- Enable Pre-Shared Key
- Enable FT PSK
But as it's not an option, then we are choosing between the closest options B and D.
Enable Cisco Centralized Key Management or Disable PMF?
CCKM, Cisco Centralized Key Management - is another alternative to PSK, and there is nothing about PSK - https://community.cisco.com/t5/wireless-mobility-knowledge-base/what-is-cckm-and-how-does-it-affect-fast-and-secure-roaming/ta-p/3130421
So it means we disable PMF.
Well, in Packet Tracer, CCKM is greyed out in both the WPA Policy and WPA2 Policy options under WPA+WPA2 Parameter selection. All the other Layer 2 Security options say "This feature is not supported in Packet Tracer". Soooo...
Also, in WPA2 Policy, PMF is greyed out as well and the setting is fixed at Disabled. I'm picking D since WPA2 is newer than WPA.
With WPA2 enabled, you NEED to select one of the encryption options.
Therefore, B remains.
Also:
"when you configure your wireless LAN for CCKM fast secure roaming, EAP-enabled clients securely roam from one access point to another without the need to reauthenticate with the RADIUS server"
So with CCKM (only with B option) you can bypass the RADIUS server entirely.
A. dot1x = no
B. CCKM + PSK = no go (at least not on the devices I've seen in the NetAcad course + PT)
C. Possible, but ONLY FT-capable clients will be able to connect; non-FT clients will not, which is very far from ideal.
D. While disabling PMF is sub-optimal, at least you will not be denying non-FT-capable clients/devices the ability to connect.
Using a WPA/WPA2 mixed mode is a high security risk.
https://www.speedguide.net/faq/wpa2-vs-wpa2wpa-mixed-mode-security-436#:~:text=WPA2%2FWPA%20mixed%20mode%20allows,for%20use%20by%20the%20client.
Basically, clients can use either WPA or WPA2 to connect, which is a big no-no for security.
I think it's either B or D.
Again, all options are correct, but I think B is more correct because it provides the most security. CCKM works with PSK; correct me if I am wrong.
This is a badly written question and answer set. I ran this on my 5520, code version 8.10.130
A) Obviously wrong because it is dot1x
B) Wrong because CCKM is not an option when using PSK. For the code version I'm running, CCKM disappears as soon as I select personal versus enterprise.
C) WPA and WPA2 is allowable but not ideal. It also needs to have the FT enabled checked and the FT PSK box checked. On my code version, this is automatically done when I set FT to enable.
D) While not ideal to disable PMF, it is possible.
Strictly speaking, this question comes down to whether or not Cisco is expecting both FT boxes to be checked or not. I hope they aren't being this neurotic so I'm choosing C, despite D being the most asinine yet accurate.
A - Is not correct, since they say RADIUS is not used and 802.1x is to be used for authentication through RADIUS, TACACS;
C - Not correct, you cannot have WPA Policy and WPA2 Policy at the same time;
D - Not correct, since it's not a recommendation to disable PMF, especially if WPA2 is unable;
Therefore B should be the correct answer.
A is not the choice, as 802.1x is an authentication protocol to allow access to networks with the use of a RADIUS server. C is not correct, as FT PSK is used only for static configuration. D is not correct, as we should not disable PMF for security. So the correct answer is B.
He is wrong. "802.11r FT + PMF is not recommended."
https://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/technotes/80211r-ft/b-80211r-dg.html
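The PSK option debated throughout this thread replaces per-user RADIUS authentication with one shared passphrase. As an added example (not from any poster and not Cisco code), this Python sketch shows how WPA2-Personal turns that passphrase plus the SSID into the 256-bit key that every client on the WLAN shares; the function names are assumptions, and the sample values are the published IEEE 802.11i test vector.

```python
import hashlib
import hmac

PMK_LEN = 32          # WPA2-Personal pairwise master key is 256 bits
PBKDF2_ROUNDS = 4096  # iteration count fixed by the 802.11i standard


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid_bytes, PBKDF2_ROUNDS, PMK_LEN
    )


def hex_key_matches(hex_key: str, passphrase: str, ssid: str) -> bool:
    """Check that a 64-hex-digit key entered on a controller or client
    corresponds to the intended passphrase for this SSID."""
    try:
        candidate = bytes.fromhex(hex_key)
    except ValueError:
        return False
    if len(candidate) != PMK_LEN:
        return False
    # Constant-time comparison, since both values are key material.
    return hmac.compare_digest(candidate, derive_pmk(passphrase, ssid))


# Published IEEE 802.11i test vector (not a real network's credentials).
SAMPLE_PASSPHRASE = "password"
SAMPLE_SSID = "IEEE"
SAMPLE_PMK_HEX = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"

if __name__ == "__main__":
    pmk = derive_pmk(SAMPLE_PASSPHRASE, SAMPLE_SSID)
    print("PMK:", pmk.hex())
    # Every client that knows the passphrase derives the identical PMK;
    # only the SSID (the salt) makes it differ between networks.
    print("same SSID :", derive_pmk(SAMPLE_PASSPHRASE, SAMPLE_SSID) == pmk)
    print("other SSID:", derive_pmk(SAMPLE_PASSPHRASE, "IEEE-guest") == pmk)
```

Because the PMK depends only on the passphrase and the SSID, anyone holding the passphrase holds the same master key as every other client, which is the trade-off against 802.1X, where each authentication yields its own keying material.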