What should you create?

Your network contains an Active Directory domain named contoso.com. The domain
contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the
Network Policy Server server role installed.
You need to allow connections that use 802.1x.
What should you create?

A. A network policy that uses Microsoft Protected EAP (PEAP) authentication

B. A network policy that uses EAP-MSCHAP v2 authentication

C. A connection request policy that uses EAP-MSCHAP v2 authentication

D. A connection request policy that uses MS-CHAP v2 authentication

Explanation:
802.1X uses EAP, EAP-TLS, EAP-MS-CHAP v2, and PEAP authentication methods:
EAP (Extensible Authentication Protocol) uses an arbitrary authentication method, such as
certificates, smart cards, or credentials.
EAP-TLS (EAP-Transport Layer Security) is an EAP type that is used in certificate-based
security environments, and it provides the strongest authentication and key determination
method.
EAP-MS-CHAP v2 (EAP-Microsoft Challenge Handshake Authentication Protocol version 2)
is a mutual authentication method that supports password-based user or computer
authentication.
PEAP (Protected EAP) is an authentication method that uses TLS to enhance the security of
other EAP authentication protocols.
Connection request policies are sets of conditions and settings that allow network
administrators to designate which Remote Authentication Dial-In User Service (RADIUS)
servers perform the authentication and authorization of connection requests that the server
running Network Policy Server (NPS) receives from RADIUS clients. Connection request
policies can be configured to designate which RADIUS servers are used for RADIUS
accounting.
With connection request policies, you can use NPS as a RADIUS server or as a RADIUS
proxy, based on factors such as the following:
The time of day and day of the week
The realm name in the connection request
The type of connection being requested
The IP address of the RADIUS client


Anat

Why C and not B?

Dude

This must be B? No mention of RADIUS for it to be C

Garry T

NPS is Microsoft’s implementation of RADIUS. Third line states you have it.

Starlin

Agree with Dude, must be B:

Connection request policies are sets of conditions and settings that allow network administrators to designate which Remote Authentication Dial-In User Service (RADIUS) servers perform the authentication and authorization of connection requests that the server running Network Policy Server (NPS) receives from RADIUS clients. Connection request policies can be configured to designate which RADIUS servers are used for RADIUS accounting.

bgjbrok

NPS as RADIUS points to C
I always guess wrong and have to recheck (?twice?) again (nope not twice, three times)

Garry T

However, with 802.1x, users are not dialing into the server, which connection request policy supports.

AS

Answer is C

Authentication method set by connection request policies overrides authentication method set by network policy

https://msdn.microsoft.com/en-us/library/cc753603.aspx

“If you configure an authentication method in connection request policy that is less secure than the authentication method you configure in network policy, the more secure authentication method that you configure in network policy will be overridden. For example, if you have one network policy that requires the use of Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2), which is a password-based authentication method for secure wireless, and you also configure a connection request policy to allow unauthenticated access, no clients are required to authenticate by using PEAP-MS-CHAP v2. In this example, all clients connecting to your network are granted unauthenticated access.”

EAP, EAP-TLS, EAP-MS-CHAP v2, and PEAP authentication
The support that 802.1X provides for Extensible Authentication Protocol (EAP) types allows you to choose from several different authentication methods for wireless clients and servers.

https://technet.microsoft.com/en-us/library/cc759077(v=ws.10).aspx
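To make the processing order in the explanation above and the override rule AS quotes concrete, here is an added example (not code from the page or from NPS itself) that models how a connection request policy is matched first and how an authentication method forced on it can silently downgrade the one the network policy requires. All policy objects, the port-type condition values and the strength ranking are constructed for the demo.

```python
"""Added model, not NPS code: a connection request policy (CRP) is matched first
and decides server vs. proxy; a network policy (NP) then sets authentication for
locally processed requests unless the CRP overrides it (as the thread quotes)."""
from dataclasses import dataclass
from typing import Optional, Set, List, Tuple

# Relative strength, an assumption used only to flag downgrades in this demo.
STRENGTH = {"unauthenticated": 0, "MS-CHAP v2": 1, "EAP-MSCHAP v2": 2,
            "PEAP-MS-CHAP v2": 3, "EAP-TLS": 4}

@dataclass
class ConnectionRequestPolicy:
    name: str
    nas_port_types: Set[str]              # condition: type of connection
    forward_to: Optional[str] = None      # None = NPS acts as RADIUS server
    override_auth: Optional[str] = None   # auth method forced by the CRP

@dataclass
class NetworkPolicy:
    name: str
    auth_method: str

def evaluate(nas_port_type: str, crps: List[ConnectionRequestPolicy],
             np: NetworkPolicy) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (where the request is handled, effective auth method, warning)."""
    # Connection request policies are matched in processing order; first wins.
    crp = next((c for c in crps if nas_port_type in c.nas_port_types), None)
    if crp is None:
        return ("reject", None, "no connection request policy matched")
    if crp.forward_to:                    # NPS acting as a RADIUS proxy
        return ("proxy:" + crp.forward_to, crp.override_auth, None)
    if crp.override_auth is None:         # network policy decides auth
        return ("local", np.auth_method, None)
    warning = None
    if STRENGTH[crp.override_auth] < STRENGTH[np.auth_method]:
        warning = (f"CRP '{crp.name}' downgrades {np.auth_method} "
                   f"to {crp.override_auth}")
    return ("local", crp.override_auth, warning)

def demo() -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Constructed 802.1X wireless request against a safe and a weak CRP."""
    wireless = "Wireless-IEEE 802.11"
    np = NetworkPolicy("Secure Wireless", "PEAP-MS-CHAP v2")
    default_crp = ConnectionRequestPolicy("Default", {wireless, "Ethernet"})
    weak_crp = ConnectionRequestPolicy("Weak", {wireless},
                                       override_auth="unauthenticated")
    return [evaluate(wireless, [default_crp], np),
            evaluate(wireless, [weak_crp], np)]
```

The second result in `demo()` carries a warning: once the CRP forces unauthenticated access, the PEAP requirement on the network policy is never enforced.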

robber

https://msdn.microsoft.com/en-us/library/cc753603.aspx

This line removes the “network policy” answers despite them being processed locally. From the 2 connection request policies, ms-chapv2 only doesn’t make sense, so C.

When you deploy Network Access Protection (NAP) by using the virtual private network (VPN) or 802.1X enforcement methods with Protected Extensible Authentication Protocol (PEAP) authentication, you must configure PEAP authentication in the connection request policy even when connection requests are processed locally.

Ricky

“WHEN” you deploy “NAP” blah blah. Question does not mention that.

I think everyone is confused here because of either:

a) They think it must be Connection Request Policy because of what Robber quoted. However, this question does not mention NAP being used at all, so we can’t just assume this.

b) Authentication in Connection Request can override Network Policies. This is true, but we’re not told this is enabled either.

Saad

I think C
EAP-MSCHAP v2 supports wireless and it doesn’t require a cert at the user end

den

the answers are WTF-like!
We had several of such projects (in conjunction with PKI) for customers and we always used the default connection request policy and defined “the magic” in the network policies. And we always used EAP-TLS and it definitely works that way.
Furthermore, the explanation of this answer states that there are several options how to implement 802.1X. So what would be wrong for example with using PEAP stuff? EAP-MSCHAPv2 is less secure anyway, wtf…?!
so I’d go for A and using the default connection request policy

den

A might not work because they didn’t state PKI is deployed, so B is correct (connection request policies don’t work)

Leisa

I took an online test 3 times using the training site e-careers (tech.e-careers.com), and only got it “right” after the 3rd try:
1st time – C – it was marked wrong
2nd time – B – it was marked wrong
3rd time – A – it was marked correct
Of course they could be wrong too.