Wireless and Wired Corporate LAN Access with 802.1x: Meeting Requirements


Question

A company has these requirements for access to their wireless and wired corporate LANs using 802.1x:

- Client devices that are corporate assets and have been joined to the Active Directory domain are allowed access.

- Personal devices must not be allowed access.

- Clients and access servers must be mutually authenticated.

Which solution meets these requirements?

Answers

Explanations



B.

The scenario presented in the question requires a solution that allows only corporate assets to access the network, prevents personal devices from accessing the network, and requires mutual authentication between clients and access servers.

The best solution that meets these requirements is option D, which is Protected Extensible Authentication Protocol/Microsoft Challenge Handshake Authentication Protocol Version 2 with machine authentication.

Here's why:

  • Protected Extensible Authentication Protocol (PEAP) is an authentication protocol that creates an encrypted TLS tunnel between the client and the authentication server. It's designed to protect against various attacks, including man-in-the-middle attacks, by providing strong authentication and encryption mechanisms.

  • Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) is a widely used authentication protocol that provides mutual authentication between the client and the authentication server.

  • Machine authentication refers to the process of authenticating the client device itself rather than a specific user. In this case, the client device must be a corporate asset that has been joined to the Active Directory domain.

By combining PEAP and MS-CHAP v2 with machine authentication, option D provides a solution that allows only corporate assets to access the network, prevents personal devices from accessing the network, and requires mutual authentication between clients and access servers.

Option A, which is PEAP/MS-CHAP v2 with user authentication, is not the best solution because it does not distinguish between corporate assets and personal devices. It only requires user authentication, which means that any user with valid credentials can access the network, regardless of whether the device is a corporate asset or a personal device.

Option B, which is Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) with machine authentication, is not the best solution because it does not require mutual authentication between the client and the authentication server. Mutual authentication is important because it helps prevent man-in-the-middle attacks.

Option C, which is EAP-TLS with user authentication, is not the best solution because it does not distinguish between corporate assets and personal devices. It only requires user authentication, which means that any user with valid credentials can access the network, regardless of whether the device is a corporate asset or a personal device.

Therefore, the best solution that meets the requirements presented in the question is option D.
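As an added illustration (not part of the original question or answer), this is the 802.1X portion of a Windows wireless profile, in the form `netsh wlan export profile` produces, configured for PEAP/MS-CHAPv2 with machine authentication. The server name `nps.corp.example` and the root CA thumbprint are assumed placeholder values. The two settings that carry the requirements are `authMode` (only the domain computer account may authenticate, so a personal device is refused) and `ServerValidation` (the client's half of the mutual authentication, which is only as strong as its check of the RADIUS server certificate).

```xml
<!-- OneX element of a Windows WLAN/LAN profile (assumed names; CA thumbprint is a placeholder) -->
<OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
  <!-- "machine": only the domain computer account can authenticate; a personal
       device has no such account, so it cannot get on even with a valid user login -->
  <authMode>machine</authMode>
  <EAPConfig>
    <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
      <EapMethod>
        <!-- EAP type 25 = PEAP -->
        <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type>
        <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
        <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
        <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
      </EapMethod>
      <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>25</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
            <!-- Server half of the mutual authentication: the supplicant must see a
                 RADIUS certificate for the named server, issued under the pinned root,
                 and it fails the connection rather than prompting the user to accept an unknown one -->
            <ServerValidation>
              <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
              <ServerNames>nps.corp.example</ServerNames>
              <TrustedRootCA>PLACEHOLDER SHA1 THUMBPRINT OF CORPORATE ROOT CA</TrustedRootCA>
            </ServerValidation>
            <FastReconnect>true</FastReconnect>
            <InnerEapOptional>false</InnerEapOptional>
            <!-- Inner method, EAP type 26 = EAP-MSCHAPv2, using the computer's domain
                 logon credentials rather than a typed username and password -->
            <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
              <Type>26</Type>
              <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
                <UseWinLogonCredentials>true</UseWinLogonCredentials>
              </EapType>
            </Eap>
            <!-- Cryptographically bind the inner exchange to the outer TLS tunnel -->
            <RequireCryptoBinding>true</RequireCryptoBinding>
            <PeapExtensions>
              <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
              <AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</AcceptServerName>
            </PeapExtensions>
          </EapType>
        </Eap>
      </Config>
    </EapHostConfig>
  </EAPConfig>
</OneX>
```

Leaving `DisableUserPromptForServerValidation` at its default of `false` would let a user click through an untrusted RADIUS certificate, which undoes the server side of the mutual authentication the question asks for.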