322 CCNA Wireless Official Exam Certification Guide
SSC Groups
In the SSC, connections are logically grouped with a name. You can create your own
groups, as well as move connections between groups. You can also add basic wireless
connections (PSK-based), but not secured or wired connections.
Note: The user interface of SSC talks about profiles. For administrators, the Secure
Services Client Administration Utility (SSCAU) talks about networks.
A network can be a wireless connection, a home type like the ones created with the SSC, or
an enterprise type, based on individual authentication instead of a common passphrase. A
network can also be a wired connection.
The significance of this is that all profiles are networks, but at the same time a network can
be more than just an SSC profile.
SSCAU Overview
With the SSCAU, you can create new configuration profiles. The profile is saved as an
XML file and then can be deployed to devices in the network. You also can modify
existing configuration profiles. Furthermore, you can process existing configuration
profiles to verify the profile’s policy logic, encrypt the credentials, and sign the file.
There are two ways to deploy the generated profiles:
■ To existing clients
■ Via an MSI that will also install the SSC
The Cisco Client Extension Program
The Cisco Client Extension (CCX) program is no-cost licensing of technology for use in
WLAN adapters and devices. This allows for the following:
■ Independent testing to ensure interoperability with the Cisco infrastructure’s latest
innovation
■ Marketing of compliant products by Cisco and product suppliers under the “Cisco
Compatible” brand
CCX for Wi-Fi RFID Tags allows vendors to have a common set of features. More
information on the Cisco Compatible Extension Program can be found at
/>web/partners/pr46/pr147/partners_pgm_concept_home.html.
18_1587202115_ch16.qxp 9/29/08 2:42 PM Page 322
Chapter 16: Wireless Clients 323
Table 16-4 Key Topics for Chapter 16

Key Topic Item   Description                                  Page Number
Table 16-2       Comparison between WZC and ADU               307
Figure 16-12     Three options when installing the ADU        308
Figure 16-19     Profile management in ADU                    312
Figure 16-20     Security options                             313
Figure 16-21     WPA/WPA2/CCKM                                314
Figure 16-22     WPA/WPA2 passphrase                          314
Table 16-3       Security options comparison                  314
Figure 16-24     Advanced statistics                          316
Figure 16-26     CSSU display in dBm                          318
Figure 16-28     ACAU interface                               319
Exam Preparation Tasks
Review All the Key Topics
Review the most important topics from this chapter, denoted with the Key Topic icon.
Table 16-4 lists these key topics and the page number where each one can be found.
Complete the Tables and Lists from Memory
Print a copy of Appendix B, “Memory Tables” (found on the CD) or at least the section
for this chapter, and complete the tables and lists from memory. Appendix C, “Memory
Tables Answer Key,” also on the CD, includes completed tables and lists to check your
work.
Definition of Key Terms
Define the following key terms from this chapter, and check your answers in the glossary:
WZC, SSID, AirPort Extreme, NetworkManager, iwconfig, WPA, WPA2, ADU, ACAU,
802.1x, CSSU, CSSC, SSCAU, CCX
Cisco Published 640-721 IUWNE Exam Topics Covered in This Part
Describe WLAN fundamentals
■ Describe 802.11 authentication and encryption methods (Open, Shared, 802.1X,
EAP, TKIP, AES)
Implement basic WLAN Security
■ Describe the general framework of wireless security and security components
(authentication, encryption, MFP, IPS)
■ Describe and configure authentication methods (Guest, PSK, 802.1X, WPA/WPA2
with EAP-TLS, EAP-FAST, PEAP, LEAP)
■ Describe and configure encryption methods (WPA/WPA2 with TKIP, AES)
■ Describe and configure the different sources of authentication (PSK, EAP-local or
-external, Radius)
Operate basic WCS
■ Describe key features of WCS and Navigator (versions and licensing)
■ Install/upgrade WCS and configure basic administration parameters (ports, O/S
version, strong passwords, service vs. application)
■ Configure controllers and APs (using the Configuration tab not templates)
■ Configure and use maps in the WCS (add campus, building, floor, maps, position AP)
■ Use the WCS monitor tab and alarm summary to verify the WLAN operations
Conduct basic WLAN Maintenance and Troubleshooting
■ Identify basic WLAN troubleshooting methods for controllers, access points, and
clients methodologies
■ Describe basic RF deployment considerations related to site survey design of data
or VoWLAN applications; common RF interference sources such as devices, building
material, AP location; basic RF site survey design related to channel reuse, signal
strength, cell overlap
■ Describe the use of WLC show, debug and logging
■ Describe the use of the WCS client troubleshooting tool
■ Transfer WLC config and O/S using maintenance tools and commands
■ Describe and differentiate WLC WLAN management access methods (console port,
CLI, telnet, ssh, http, https, wired versus wireless management)
Part III: WLAN Maintenance and Administration

Chapter 17 Securing the Wireless Network
Chapter 18 Enterprise Wireless Management with the WCS and the Location Appliance
Chapter 19 Maintaining Wireless Networks
Chapter 20 Troubleshooting Wireless Networks
This chapter covers the following subjects:
Threats to Wireless Networks: Discusses threats to wireless networks.
Simple Authentications: Looks at basic wireless security.
Centralized Authentication: Shows how centralized authentication works using various
EAP methods.
Authentication and Encryption: Describes WPA and WPA2.
CHAPTER 17
Securing the Wireless Network
Table 17-1 “Do I Know This Already?” Section-to-Question Mapping

Foundation Topics Section        Questions
Threats to Wireless Networks     1–4
Simple Authentications           5–7
Centralized Authentication       8–12
Authentication and Encryption    13–14
It’s usually obvious that wireless networks can be less secure than wired networks. This
calls for a great deal of thought when you deploy a wireless network. What security do
you need? What security measures can you perform? What are the security capabilities
of your equipment? Should you authenticate users when they access the network? Should
you encrypt traffic over the wireless space? As you can see, there are many options to
think about. But let’s break this into small parts. First, who are your users? The answer will
be different for networks that allow guest access versus those that don’t. Second, how
hidden do you need to make your users’ traffic? Again, this answer will differ depending on
the users. If you are offering guest access, encryption probably is not a big concern. If all
or even a portion of your users are internal, encryption probably is a concern. In this
chapter, you will learn about various methods of securing a wireless network. Some
methods provide a way to identify the user. Others offer a way to hide user data. Still other
methods do both.
You should take the “Do I Know This Already?” quiz first. If you score 80 percent or
higher, you might want to skip to the section “Exam Preparation Tasks.” If you score
below 80 percent, you should review the entire chapter. Refer to Appendix A, “Answers to
the ‘Do I Know This Already?’ Quizzes,” to confirm your answers.
“Do I Know This Already?” Quiz
The “Do I Know This Already?” quiz helps you determine your level of knowledge of this
chapter’s topics before you begin. Table 17-1 details the major topics discussed in this
chapter and their corresponding quiz questions.
1. Threats to wireless networks include which of the following? (Choose all that apply.)
a. Rogue APs
b. Client misassociation
c. Unauthorized port access
d. Stateful inspection
2. Which of the following can be used to prevent misassociation attacks? (Choose all
that apply.)
a. Client MFP
b. Spoofing
c. Infrastructure MFP
d. Rogue-AP containment
3. Client MFP allows clients to perform what function?
a. Detect invalid clients
b. Detect invalid APs
c. Detect invalid controllers
d. Detect invalid SSIDs
4. To perform Client MFP, what version of CCX is required?
a. v1.x
b. v2.x
c. v5.x
d. v6.x
5. WEP uses which of the following encryption algorithms?
a. AES
b. TKIP
c. MD5
d. RC4
6. What key size should be selected to perform 128-bit WEP with a Windows client?
a. 40-bit
b. 104-bit
c. 128-bit
d. 192-bit
Chapter 17: Securing the Wireless Network 329
7. How many bits does an IV add to a WEP key?
a. 24 bits
b. 48 bits
c. 188 bits
d. 8 bits
8. In centralized authentication, a certificate is used based on information from a
trusted third party. What information is not included in a certificate?
a. Username
b. Public key
c. Validity dates
d. Session keys
9. Central authentication uses which IEEE specification?
a. 802.11a
b. 802.1q
c. 802.1d
d. 802.1x
10. Which protocol is used for the authentication server?
a. RADIUS
b. Active Directory
c. LDAP
d. TACACS+
11. Which EAP method uses certificates on both the client and the server?
a. EAP-FAST
b. EAP-MD5
c. EAP-TLS
d. PEAP
12. Which EAP method uses a PAC instead of certificates?
a. EAP-FAST
b. EAP-MD5
c. EAP-TLS
d. PEAP
13. Which protocol requires the use of TKIP, but can optionally use AES?
a. WPA2
b. GTK
c. MS-CHAPv2
d. WPA
14. Which protocol mandates that AES must be supported but not TKIP?
a. WPA2
b. GTK
c. MS-CHAPv2
d. WPA
Foundation Topics
Threats to Wireless Networks
Throughout this book, you have learned about the many threats to wireless networks. If
you really wanted to simplify the threats, you could think of it like this: You want
legitimate clients to connect to legitimate APs and access corporate resources. Some attacks
are formed from the perspective of an AP trying to gain information from clients. Other
attacks are from the perspective of getting illegitimate clients onto the network to use
corporate resources at no charge or to actually steal data or cause harm to the network.
These threats include the following:
■ Ad hoc networks
■ Rogue APs
■ Client misassociation
■ Wireless attacks
Ad Hoc Networks
An ad hoc network is a wireless network formed between two clients. The security risk
involves bypassing corporate security policies. An attacker could form an ad hoc network
with a trusted client, steal information, and even use it as a means of attacking the
corporate network by bridging to the secure wired LAN.
Rogue APs
A rogue AP is not part of the corporate infrastructure. It could be an AP that’s been
brought in from home or an AP that’s in a neighboring network. A rogue AP is not always
bad. It could be an AP that’s part of the corporate domain yet still operating in
autonomous mode. Part of an administrator’s job is determining if the AP is supposed to be
there. Fortunately, you don’t have to do all the work yourself. A few functions of the AP’s
software can detect rogue APs and even indicate if they are on your network.
Something to consider when looking for rogue APs is what happens to clients that can
connect to those rogue APs. If a client connects to a rogue AP, it should be considered a
rogue client. The reason is that rogue APs typically are installed with default
configurations, meaning that any client that connects bypasses any corporate security
policy. So you do not know if the client is a corporate user or an attacker.
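As an added illustration of the detection idea in this section (example code written for this page, not from the book or from any Cisco product), the following Python labels scanned networks against an authorized-AP inventory, separating ad hoc networks, unknown APs that advertise the corporate SSID, and neighboring networks, and then treats any client joined to something other than an authorized AP as a rogue client. All BSSIDs, SSIDs, client MACs and the inventory layout are constructed assumptions.

```python
# Added example, not from the book: classify observed networks against an
# authorized-AP inventory and flag clients joined to anything else as rogue
# clients. Every address, SSID and the inventory format below is constructed.

# Constructed inventory: BSSID -> SSID the corporate AP is allowed to advertise.
AUTHORIZED_APS = {
    "00:11:22:aa:bb:01": "CorpWLAN",
    "00:11:22:aa:bb:02": "CorpWLAN",
}
CORPORATE_SSIDS = set(AUTHORIZED_APS.values())

# Constructed scan results: (BSSID, SSID, mode); mode is "infrastructure"
# for an AP beacon or "ibss" for an ad hoc (client-to-client) network.
OBSERVED = [
    ("00:11:22:aa:bb:01", "CorpWLAN", "infrastructure"),
    ("66:77:88:cc:dd:01", "CorpWLAN", "infrastructure"),     # unknown AP using our SSID
    ("66:77:88:cc:dd:02", "NeighborNet", "infrastructure"),  # neighboring network
    ("aa:bb:cc:11:22:33", "CorpWLAN", "ibss"),               # ad hoc network
]

# Constructed association records: (client MAC, BSSID the client joined).
ASSOCIATIONS = [
    ("de:ad:be:ef:00:01", "00:11:22:aa:bb:01"),
    ("de:ad:be:ef:00:02", "66:77:88:cc:dd:01"),
]

def classify_ap(bssid, ssid, mode):
    """Label one observed network by how it relates to the corporate WLAN."""
    if mode == "ibss":
        return "ad-hoc"
    if bssid in AUTHORIZED_APS:
        # Our hardware, but advertising an SSID it should not (e.g. still in
        # autonomous mode with default settings).
        return "authorized" if AUTHORIZED_APS[bssid] == ssid else "misconfigured"
    if ssid in CORPORATE_SSIDS:
        return "rogue-spoofing-ssid"  # misassociation risk for clients with a saved SSID
    return "unknown-neighbor"

def classify_all(observed):
    return {bssid: classify_ap(bssid, ssid, mode) for bssid, ssid, mode in observed}

def rogue_clients(associations, ap_labels):
    """Clients joined to anything other than an authorized AP are rogue clients."""
    return [mac for mac, bssid in associations if ap_labels.get(bssid) != "authorized"]

if __name__ == "__main__":
    labels = classify_all(OBSERVED)
    for bssid, label in labels.items():
        print(f"{bssid}  {label}")
    print("rogue clients:", rogue_clients(ASSOCIATIONS, labels))
```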
Client Misassociation
When a client connects to an AP, operating system utilities normally allow the client to
save the SSID. In the future, when that SSID is seen again, the client can create a
connection automatically. There is a possibility that clients will be unaware of the
connection. If the SSID is being spoofed, the client could connect to a potentially unsafe
network. Consider the following scenario. An attacker learns the SSID of your corporate
network. Using this information, he sends beacons advertising your SSID. A wireless station in the