A network engineer is implementing a wireless network using Cisco wireless LAN controllers (WLCs) and lightweight access points (LAPs). They need to configure a WLAN (Wireless LAN) for employees that requires user authentication using 802.1X with RADIUS server integration, and also needs to encrypt wireless traffic using strong encryption. Which of the following WLAN security configurations on the WLC would best meet these requirements?
Correct Answer: D
Detailed Explanation: Analyzing WLAN Security Options: Let's evaluate each option in terms of authentication and encryption strength for an enterprise employee WLAN: A. Open System Authentication with WEP encryption. This is highly insecure and not suitable for any modern network, especially not for enterprise employees. Open System Authentication: "Open System" means no authentication is required to associate with the WLAN. Anyone can connect. WEP (Wired Equivalent Privacy) Encryption: WEP is an obsolete and severely flawed encryption protocol. It is easily cracked using readily available tools in minutes (or even seconds). WEP offers virtually no real security. Unacceptable Security: This option provides no real authentication and extremely weak, easily broken encryption. It is not appropriate for any security-conscious environment. B. WPA2 Personal (PSK) with AES encryption. This is better than WEP, but still not ideal for enterprise environments requiring strong authentication. WPA2 Personal (PSK - Pre-Shared Key): Uses a pre-shared key (password) that is the same for all users. Authentication is based on knowing this shared key. AES (Advanced Encryption Standard) Encryption: AES is a strong and modern encryption algorithm, providing good data confidentiality. PSK Limitations for Enterprise: PSK-based security has limitations for enterprise WLANs: Shared Key Management: Managing and securely distributing a shared key to all employees can be challenging. Key compromise is a risk. Lack of Individual User Authentication: PSK does not provide individual user authentication and auditing. All users use the same key, making it difficult to track user activities or revoke access for specific users. Less Secure than 802.1X for Enterprise: For enterprise security, 802.1X is generally preferred for stronger authentication and user-level access control. C. WPA2 Enterprise (802.1X) with TKIP encryption. This is better authentication but weaker encryption. WPA2 Enterprise (802.1X): Uses 802.1X port-based authentication, which provides strong, individual user authentication. It integrates with a RADIUS server (like Cisco ISE, Microsoft NPS, etc.) to authenticate users based on their credentials (e.g., Active Directory usernames and passwords, digital certificates). 802.1X is significantly more secure and manageable for enterprise authentication compared to PSK. TKIP (Temporal Key Integrity Protocol) Encryption: TKIP was designed as an interim encryption protocol to improve upon WEP, but it is considered weaker than AES. TKIP is susceptible to certain attacks and does not offer the same level of security as AES. TKIP is often associated with older WPA (WPA1) and while it can be used with WPA2 for backward compatibility in some scenarios, it's not the preferred encryption for WPA2 when strong security is needed. Compromise: Strong Auth, Weak Encryption: Option C offers strong authentication (802.1X) but uses weaker encryption (TKIP). It's better than WEP, but not optimal. D. WPA2 Enterprise (802.1X) with AES encryption. This is the best and most secure option for enterprise WLANs requiring strong authentication and encryption. WPA2 Enterprise (802.1X): Provides robust, centralized, and individual user authentication using 802.1X and RADIUS. AES (Advanced Encryption Standard) Encryption: Provides strong, modern encryption for wireless traffic confidentiality. Best Practices for Enterprise Security: WPA2 Enterprise with AES is the generally recommended and industry best practice for secure enterprise WLANs. It combines strong authentication with strong encryption, providing a robust security posture. Why Option D is Correct: Meets Both Requirements: Option D directly fulfills both requirements stated in the question: User Authentication using 802.1X with RADIUS: WPA2 Enterprise (802.1X) provides this. Strong Encryption: AES encryption provides strong data confidentiality. Enterprise Best Practice: WPA2 Enterprise with AES is the standard and recommended security configuration for enterprise-grade WLANs where security, authentication, and data protection are critical. Why Other Options are Incorrect: Option A (Open/WEP): Unacceptable security. Option B (WPA2 Personal/PSK): Weaker authentication for enterprise (shared key, no individual user control). AES encryption is good, but authentication is lacking for enterprise use cases. Option C (WPA2 Enterprise/TKIP): Strong authentication (802.1X), but weaker encryption (TKIP). Compromises on encryption strength. In Conclusion: For a secure enterprise WLAN requiring strong authentication and encryption, WPA2 Enterprise (802.1X) with AES encryption is the best and most appropriate configuration. It offers robust user authentication, centralized management via RADIUS, and strong data encryption, meeting modern security standards for enterprise wireless networks. Understanding the different WLAN security protocols (WEP, WPA, WPA2, WPA3) and authentication methods (PSK, 802.1X) is crucial for CCNA wireless topics and for designing secure wireless infrastructures. This question tests your ability to select the appropriate WLAN security configuration based on specific security requirements in an enterprise scenario.
This CCNA practice question helps students prepare for Cisco networking certification exams by testing knowledge of network fundamentals, routing, switching, and network security concepts.