CompTIA Security Plus Mock Test Q156

Matt, a systems security engineer, is determining which credential-type authentication to use within a planned 802.1x deployment. He is looking for a method that does not require a client certificate, has a server-side certificate, and uses TLS tunnels for encryption. Which credential-type authentication method BEST fits these requirements?

A. EAP-TLS
B. EAP-FAST
C. PEAP-CHAP
D. PEAP-MSCHAPv2

Correct Answer: D
Section: Network Security

Explanation:
PEAP-MS-CHAP v2 is easier to deploy than EAP-TLS or PEAP-TLS because user authentication is accomplished via password-based credentials (user name and password) rather than digital certificates or smart cards. Only servers running Network Policy Server (NPS) or PEAP-MS-CHAP v2 are required to have a certificate.

Incorrect Answers:
A: Authenticated wireless access design based on Extensible Authentication Protocol – Transport Layer Security (EAP-TLS) can use either smart cards or user and computer certificates to authenticate wireless access clients. EAP-TLS does not use usernames and passwords for authentication.
B: EAP-FAST does not make use of TLS, but of PAC (Protected Access Credentials).
C: CHAP intermittently authenticates the identity of the client via a three-way handshake.
