Best EAP Method for Implementing 802.1x on a Wireless Network | Corporation XYZ | CCIE Wireless Exam

Question

Corporation XYZ just underwent a third-party security audit.

The auditors have required that the corporation implement 802.1x on its wireless network and disable all pre-shared key WLANs as soon as possible.

XYZ does not have an internal CA installed to provide server certificates today.

However, it wishes to implement an EAP method that requires clients to use server authentication in the future.

XYZ also needs an EAP method that will allow both Active Directory user authentication and time-based tokens.

What is the best EAP method for XYZ to implement?

Answers

A. TTLS
B. PEAP
C. FAST
D. TLS

Correct answer: C.

Explanations

To address the security audit findings, Corporation XYZ needs to implement 802.1x on its wireless network and disable all pre-shared key WLANs. In addition, the corporation needs to select an EAP method that supports both Active Directory user authentication and time-based tokens.

EAP stands for Extensible Authentication Protocol and is a framework for providing authentication and authorization for network access. There are several EAP methods available, and each method has its own strengths and weaknesses.

Option A: TTLS (Tunneled Transport Layer Security). TTLS is an EAP method that provides mutual authentication, but it requires a client-side certificate to provide server authentication. As XYZ does not have an internal CA installed to provide server certificates, this option may not be feasible.

Option B: PEAP (Protected Extensible Authentication Protocol). PEAP is an EAP method that supports password-based authentication, and it does not require a client-side certificate. It creates a secure TLS tunnel between the client and the authentication server, allowing authentication to take place within this encrypted tunnel. PEAP is a widely adopted EAP method and provides good security for wireless networks. This option could be a good fit for XYZ as it supports Active Directory user authentication and time-based tokens.

Option C: FAST (Flexible Authentication via Secure Tunneling). FAST is an EAP method that is designed to provide mutual authentication using a shared secret. It also supports stronger cryptographic methods such as SHA-256 and AES. However, FAST is not widely supported and may not be compatible with all authentication servers.

Option D: TLS (Transport Layer Security). TLS is a widely used security protocol that provides end-to-end encryption for network traffic. It can be used as an EAP method to provide mutual authentication between the client and server. However, TLS requires the use of client-side certificates for server authentication, which may not be feasible for XYZ without an internal CA.

In conclusion, PEAP would be the best EAP method for Corporation XYZ to implement as it supports password-based authentication, does not require a client-side certificate, and supports Active Directory user authentication and time-based tokens.