Domain 3: Security Architecture

How to Solve Wireless Security PBQs on Security+

Wireless security PBQs test your ability to configure secure WiFi networks, select appropriate authentication methods, and identify wireless threats. This guide teaches you how to implement enterprise-grade wireless security.


What Is a Wireless Security PBQ?

Wireless security PBQs present you with WiFi configuration scenarios and ask you to select the correct security settings, identify vulnerable configurations, or detect wireless attacks. You'll work with settings like encryption protocols, authentication methods, and network segmentation.

These questions test whether you understand the practical differences between wireless security options. You might be asked to:

  • Select the correct encryption protocol for a given security requirement
  • Configure enterprise authentication using 802.1X and RADIUS
  • Identify insecure wireless configurations that need remediation
  • Detect rogue access points or evil twin attacks from network data
  • Segment guest WiFi from corporate networks appropriately

WPA3 is the Standard

For the Security+ exam, WPA3 is the recommended encryption standard. WPA2 is acceptable when WPA3 isn't available. WEP and WPA (original) are always wrong answers for new deployments—they have known vulnerabilities and should never be selected.

The 4-Step Method for Wireless Security PBQs

When configuring wireless security, work through these decisions:

1. Identify the use case. Is this a home network, small business, or enterprise? Home/small business uses pre-shared keys (PSK). Enterprise uses 802.1X with individual user authentication. The scale determines the authentication method.
2. Select the encryption protocol. WPA3 if available, WPA2 if not. WPA3-Enterprise for corporate networks, WPA3-Personal for small deployments. Never WEP or original WPA.
3. Configure authentication. PSK (pre-shared key) means everyone uses the same password—simple but less secure. 802.1X/RADIUS means each user authenticates individually—more complex but better for organizations.
4. Apply network segmentation. Guest networks should be isolated from internal networks. IoT devices should be on their own VLAN. Corporate devices on the trusted wireless segment.

Wireless Security Protocols

Know the differences between these protocols—the exam frequently tests them:

WPA3-Enterprise

192-bit encryption, individual user authentication via 802.1X. Strongest option for organizations.

Use: Corporate networks with RADIUS infrastructure

WPA3-Personal

SAE (Simultaneous Authentication of Equals) replaces PSK. Resistant to offline dictionary attacks.

Use: Home networks, small offices without RADIUS

WPA2-Enterprise

AES encryption with 802.1X authentication. Still acceptable when WPA3 isn't supported.

Use: Legacy devices that don't support WPA3

WPA2-Personal (PSK)

AES encryption with shared password. Vulnerable if PSK is weak or leaked.

Use: Home networks (minimum acceptable security)

Walkthrough: Configuring Enterprise WiFi

A company wants to secure their corporate wireless network. Employees should authenticate with their domain credentials. Guest WiFi should be separate. Here's the correct configuration:

Wireless Network Configuration: security settings for each SSID

CORP-SECURE (Enterprise)

Corporate network for employees with domain authentication

  • Security: WPA3-Enterprise
  • Auth: 802.1X / RADIUS
  • EAP Method: PEAP-MSCHAPv2
  • VLAN: 10 (Corporate)
  • Certificate: Server cert required
  • Access: Full internal access

Individual user authentication enables immediate revocation.

Certificate validation prevents evil twin attacks.

GUEST-WIFI (Guest)

Isolated guest network with captive portal

  • Security: WPA3-Personal
  • Auth: Captive Portal (ToS)
  • Password: Rotating daily
  • VLAN: 99 (Guest - Isolated)
  • Bandwidth: Rate limited
  • Access: Internet only

Complete network isolation from corporate resources.

Captive portal provides legal protection and logging.


Analysis

Corporate SSID uses WPA3-Enterprise: Each employee authenticates with their own credentials. If someone leaves, their access is revoked immediately without changing a shared password.

802.1X with RADIUS: The access point forwards credentials to a RADIUS server, which validates against Active Directory. Centralized authentication and accounting.

PEAP-MSCHAPv2: This EAP (Extensible Authentication Protocol) method works with Windows domain credentials. The outer PEAP tunnel encrypts the MSCHAPv2 exchange.

Guest SSID on separate VLAN: Guest traffic is completely isolated from corporate traffic. Even if a guest device is compromised, it can't reach internal systems.

Captive portal: Guests must accept terms of service before accessing the internet. Provides legal protection and logging.
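
The 4-step method can be applied mechanically when a PBQ asks which configurations need remediation. The following is an added example, not part of the original guide: it audits SSID definitions against the rules above. The field names, the corporate VLAN set, and the CORP-OLD and LOBBY entries are assumptions constructed for illustration; the first two entries mirror the walkthrough.

```python
# Added example: audit SSID definitions against this guide's rules.
# All field names and the sample SSIDs below are constructed for illustration.
LEGACY = {"WEP", "WPA"}            # never acceptable for new deployments
CORPORATE_VLANS = {10}             # assumption: VLAN 10 is the corporate segment

def audit_ssid(cfg):
    """Return a list of findings (empty list = passes) for one SSID."""
    findings = []
    security = cfg.get("security", "OPEN").upper()
    proto, _, mode = security.partition("-")   # "WPA3-ENTERPRISE" -> WPA3, ENTERPRISE
    # Step 2: encryption protocol
    if proto in LEGACY or proto == "OPEN" or cfg.get("cipher", "").upper() == "TKIP":
        findings.append("legacy or missing encryption: move to WPA3 (WPA2 as fallback)")
    elif proto == "WPA2" and not cfg.get("legacy_clients"):
        findings.append("WPA2 chosen with no legacy-device requirement: prefer WPA3")
    # Steps 1 and 3: authentication must match the use case
    if cfg["use_case"] == "enterprise":
        if mode != "ENTERPRISE" or cfg.get("auth") != "802.1X":
            findings.append("enterprise SSID needs 802.1X/RADIUS, not a shared key")
        if not cfg.get("validate_server_cert"):
            findings.append("RADIUS server certificate is not validated (evil twin risk)")
    # Step 4: segmentation
    if cfg["use_case"] == "guest":
        if cfg.get("vlan") in CORPORATE_VLANS:
            findings.append("guest SSID shares a VLAN with corporate devices")
        if cfg.get("access") != "internet-only":
            findings.append("guest SSID is not restricted to internet-only access")
    return findings

SAMPLE_SSIDS = [  # first two mirror the walkthrough; last two are constructed failures
    {"ssid": "CORP-SECURE", "use_case": "enterprise", "security": "WPA3-Enterprise",
     "auth": "802.1X", "validate_server_cert": True, "vlan": 10, "access": "full"},
    {"ssid": "GUEST-WIFI", "use_case": "guest", "security": "WPA3-Personal",
     "auth": "captive-portal", "vlan": 99, "access": "internet-only"},
    {"ssid": "CORP-OLD", "use_case": "enterprise", "security": "WPA-Personal",
     "auth": "PSK", "cipher": "TKIP", "vlan": 10, "access": "full"},
    {"ssid": "LOBBY", "use_case": "guest", "security": "WPA2-Personal",
     "auth": "PSK", "vlan": 10, "access": "full"},
]

def audit_all(ssids=SAMPLE_SSIDS):
    """Map each SSID name to its list of findings."""
    return {s["ssid"]: audit_ssid(s) for s in ssids}

if __name__ == "__main__":
    for name, issues in audit_all().items():
        print(name, "OK" if not issues else issues)
```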


Wireless Attacks to Recognize

The exam tests your ability to identify these wireless threats:

Evil Twin — Attacker creates an access point with the same SSID as a legitimate network. Victims connect thinking it's the real network, and the attacker intercepts their traffic. Defense: 802.1X authentication validates the RADIUS server certificate.

Rogue Access Point — Unauthorized AP connected to the corporate network, often by an employee wanting better coverage. Creates an uncontrolled entry point. Defense: Wireless IDS, network access control, regular site surveys.

Deauthentication Attack — Attacker sends forged deauth frames to disconnect clients from the legitimate AP, forcing them to reconnect (possibly to an evil twin). Defense: WPA3 includes Protected Management Frames (PMF).

Jamming — Radio interference preventing wireless communication. Can be intentional attack or accidental (microwave ovens, Bluetooth). Defense: Spectrum analysis, channel hopping, physical security.

War Driving — Attacker drives around scanning for vulnerable networks, looking for WEP, open networks, or weak passwords. Defense: Strong encryption, hidden SSID (minimal benefit), regular audits.
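
When a PBQ hands you a table of observed access points, evil twins and rogue APs are found by comparing each entry against the authorized inventory. The following is an added example, not part of the original guide, showing that triage logic; the inventory, scan records, and wired MAC table are constructed sample data, and matching an AP's wired MAC to its BSSID is a simplifying assumption.

```python
# Added example: classify observed beacons against an authorized-AP inventory.
# Inventory, scan records, and the wired MAC table are constructed sample data.
AUTHORIZED = {  # BSSID -> (SSID, security) from the site's AP inventory (assumed format)
    "aa:bb:cc:00:00:01": ("CORP-SECURE", "WPA3-Enterprise"),
    "aa:bb:cc:00:00:02": ("GUEST-WIFI", "WPA3-Personal"),
}
WIRED_MACS = {"de:ad:be:ef:00:10"}  # MACs learned on corporate switch ports

SCAN = [
    {"ssid": "CORP-SECURE", "bssid": "aa:bb:cc:00:00:01", "security": "WPA3-Enterprise"},
    {"ssid": "CORP-SECURE", "bssid": "12:34:56:78:9a:bc", "security": "Open"},
    {"ssid": "linksys",     "bssid": "de:ad:be:ef:00:10", "security": "WPA2-Personal"},
    {"ssid": "CoffeeShop",  "bssid": "66:77:88:99:aa:bb", "security": "WPA2-Personal"},
    {"ssid": "GUEST-WIFI",  "bssid": "aa:bb:cc:00:00:02", "security": "WPA2-Personal"},
]

def classify(beacon, authorized=AUTHORIZED, wired_macs=WIRED_MACS):
    """Label one observed beacon for analyst follow-up."""
    bssid = beacon["bssid"].lower()
    our_ssids = {ssid for ssid, _ in authorized.values()}
    if bssid in authorized:
        ssid, security = authorized[bssid]
        # A known BSSID advertising different settings is drift or a spoofed BSSID.
        if (beacon["ssid"], beacon["security"]) != (ssid, security):
            return "config-drift-or-spoofed-bssid"
        return "authorized"
    if beacon["ssid"] in our_ssids:
        return "evil-twin-suspect"       # our SSID from a radio we do not own
    if bssid in wired_macs:
        return "rogue-ap"                # unknown AP attached to the corporate LAN
    return "neighbor"                    # unrelated network, no action

def triage(scan=SCAN):
    """Map each observed BSSID to its classification."""
    return {b["bssid"]: classify(b) for b in scan}

if __name__ == "__main__":
    for bssid, label in triage().items():
        print(bssid, label)
```

A BSSID match alone does not prove an AP is genuine, which is why the guide's defense for evil twins is RADIUS server certificate validation rather than inventory checks.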

Wireless Security Best Practices

Apply these principles when answering wireless PBQs:

  • Use WPA3 wherever possible — It's more resistant to attacks than WPA2, especially for personal (PSK) mode.
  • Enterprise networks need 802.1X — Shared passwords don't scale. Individual authentication provides accountability and easy revocation.
  • Segment with VLANs — Corporate, guest, and IoT devices should be on separate network segments.
  • Validate server certificates — Clients should verify the RADIUS server's identity to prevent evil twin attacks.
  • Disable legacy protocols — Turn off WEP, WPA, and TKIP support. They're exploitable.
  • Hiding the SSID has minimal value — It's trivial to detect hidden networks. Don't rely on it for security.
  • Implement WIDS/WIPS — Wireless intrusion detection/prevention systems detect rogues and attacks.
  • Regular site surveys — Physical audits find rogue access points and coverage gaps.

Frequently Asked Questions

What is a wireless security PBQ on the Security+ exam?

A wireless security PBQ asks you to configure WiFi settings, select appropriate encryption protocols, or identify wireless vulnerabilities. You might configure WPA3-Enterprise with 802.1X, segment guest networks, or identify an evil twin attack from provided data.

What is the difference between WPA2 and WPA3?

WPA3 provides stronger encryption (192-bit in Enterprise mode) and replaces PSK with SAE (Simultaneous Authentication of Equals), which resists offline dictionary attacks. WPA3 also includes Protected Management Frames to prevent deauthentication attacks. WPA3 is the current recommended standard.

What is 802.1X?

802.1X is a network access control protocol that authenticates devices before allowing network access. For wireless, it means each user authenticates individually (usually via RADIUS server) rather than everyone sharing one password. This provides better security and accountability for enterprise networks.

What is an evil twin attack?

An evil twin is a malicious access point configured to look like a legitimate network (same SSID, similar settings). Victims connect thinking it's the real network, and the attacker can intercept their traffic. 802.1X with certificate validation prevents this by verifying the authentication server's identity.
