What is a weakness introduced into the WLAN environment when WPA2-Personal is used for security?
Correct Answer: C
The weakness introduced into the WLAN environment when WPA2-Personal is used for security is that the Pairwise Master Key (PMK) is derived from the Pre-Shared Key (PSK), and both are fixed. The PSK is a key that is shared between two parties before communication begins. This means that all users who know the PSK can generate the PMK without any authentication process. It also means that if the PSK or PMK is compromised by an attacker, it can be used to decrypt all traffic encrypted with the Pairwise Temporal Key (PTK).

The PTK is derived from the PMK, ANonce, SNonce, AA, and SA using a Pseudo-Random Function (PRF):
- ANonce (Authenticator Nonce): a random number generated by the authenticator (a device that controls access to network resources, such as an AP).
- SNonce (Supplicant Nonce): a random number generated by the supplicant (a device that wants to access network resources, such as an STA).
- AA (Authenticator Address): the MAC address of the authenticator.
- SA (Supplicant Address): the MAC address of the supplicant.

The PTK consists of four subkeys:
- KCK (Key Confirmation Key): used for message integrity check.
- KEK (Key Encryption Key): used for encryption key distribution.
- TK (Temporal Key): used for data encryption.
- MIC (Message Integrity Code) key.

The other options are not weaknesses because:
- It uses X.509 certificates generated by a Certification Authority: This option is false because WPA2-Personal does not use X.509 certificates or a Certification Authority for authentication. X.509 certificates and a Certification Authority are used in WPA2-Enterprise mode, which uses 802.1X and EAP for user authentication with a RADIUS server. Extensible Authentication Protocol (EAP) is an authentication framework that provides support for multiple authentication methods, such as passwords, certificates, tokens, or biometrics. EAP is used in wireless networks and point-to-point connections to provide secure authentication between a supplicant (a device that wants to access the network) and an authentication server (a device that verifies the credentials of the supplicant). Remote Authentication Dial-In User Service (RADIUS) is a network protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service.
- The Pairwise Temporal Key (PTK) is specific to each session: This option is false because the PTK being specific to each session is not a weakness but a strength of WPA2-Personal. The PTK being specific to each session means that it changes periodically during communication based on time or number of packets transmitted. This prevents replay attacks and increases the security of data encryption.
- It does not use the WPA 4-Way Handshake: This option is false because WPA2-Personal does use the WPA 4-Way Handshake for key negotiation. The WPA 4-Way Handshake is a process that allows the station and the access point to exchange the ANonce and SNonce and derive the PTK from the PMK. The WPA 4-Way Handshake also allows the station and the access point to verify each other's PMK and confirm the installation of the PTK.

References:
https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access#WPA_key_hierarchy_and_management
https://www.cwnp.com/wp-content/uploads/pdf/WPA2.pdf
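The key hierarchy described above, as an added example that is not part of the original answer: it derives the PMK from a passphrase and SSID with PBKDF2-HMAC-SHA1, as IEEE 802.11 specifies for WPA2-Personal, then expands it into the PTK subkeys with the PRF. The passphrase, SSID, MAC addresses and nonces are constructed sample values, and the function names are this example's own.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    # Nothing user-specific goes in, so every PSK holder gets the same PMK.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    # IEEE 802.11 PRF: HMAC-SHA1 over label || 0x00 || data || counter, concatenated.
    out = b""
    counter = 0
    while len(out) < length:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:length]

def derive_ptk(pmk: bytes, aa: bytes, sa: bytes, anonce: bytes, snonce: bytes) -> dict:
    # Addresses and nonces are ordered min/max so both sides build identical input.
    data = min(aa, sa) + max(aa, sa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    # 512-bit split; with CCMP only the first 384 bits (KCK, KEK, TK) are used,
    # the last 128 bits are the TKIP MIC keys.
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48], "MIC": ptk[48:]}

# Constructed sample values (not from any real network).
SSID, PASSPHRASE = "branch-office", "correct horse battery"
AA = bytes.fromhex("020000000001")      # authenticator (AP) MAC
SA = bytes.fromhex("020000000002")      # supplicant (STA) MAC
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()

def demo() -> dict:
    pmk_ap = derive_pmk(PASSPHRASE, SSID)
    pmk_other = derive_pmk(PASSPHRASE, SSID)   # a different user with the same PSK
    # The PMK is the only secret PTK input; AA, SA, ANonce and SNonce are
    # exchanged in the 4-Way Handshake, so shared PMK means shared PTK.
    ap = derive_ptk(pmk_ap, AA, SA, ANONCE, SNONCE)
    other_holder = derive_ptk(pmk_other, AA, SA, ANONCE, SNONCE)
    # A new session (fresh SNonce) yields a different PTK from the same fixed PMK.
    snonce2 = hashlib.sha256(b"constructed snonce 2").digest()
    next_session = derive_ptk(pmk_ap, AA, SA, ANONCE, snonce2)
    return {"ap": ap, "other_holder": other_holder, "next_session": next_session}

if __name__ == "__main__":
    r = demo()
    print("PTK identical for any PSK holder:", r["ap"] == r["other_holder"])
    print("TK changes per session:", r["ap"]["TK"] != r["next_session"]["TK"])
```

WPA2-Enterprise avoids the shared-PMK property because each user's PMK comes from an individual 802.1X/EAP authentication rather than from a common passphrase.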
Question 77
What is the function of a Virtual Switching Framework (VSF) in Aruba networking equipment?
Correct Answer: C
Question 78
Match the appropriate QoS concept with its definition.
Correct Answer:
Question 79
A network technician is testing a new SSID for a branch office. They are able to connect, get an IP address, and resolve DNS names. However, they are not able to browse the internet. On the existing SSID at the branch, connectivity to the internet works as expected on the same VLAN as the new SSID. The wireless client should have received a new role to allow internet access. What should the network technician verify to ensure both SSIDs function in a similar way?
Correct Answer: D
When a network technician encounters an issue where a new SSID does not allow internet access despite successful connectivity and DNS resolution, they should verify the firewall policies associated with the new SSID. The firewall policies must include rules that permit traffic to and from the internet and should be correctly ordered to ensure that they are applied as intended. Since the existing SSID functions correctly, comparing the firewall rules between the two can be a useful method of troubleshooting.
Question 80
What capabilities are included in Aruba's ClearPass Policy Manager? (Choose two)