Your network contains an Active Directory domain named contoso.com. The domain contains a server named
Server1 that runs Windows Server 2012 R2. Server1 has the Network Policy Server server role installed.
You need to allow connections that use 802.1x.
What should you create?
A.
A network policy that uses Microsoft Protected EAP (PEAP) authentication
B.
A network policy that uses EAP-MSCHAP v2 authentication
C.
A connection request policy that uses EAP-MSCHAP v2 authentication
D.
A connection request policy that uses MS-CHAP v2 authentication
Explanation:
802.1X uses EAP, EAP-TLS, EAP-MS-CHAP v2, and PEAP authentication methods:
EAP (Extensible Authentication Protocol) uses an arbitrary authentication method, such as certificates, smart
cards, or credentials.
EAP-TLS (EAP-Transport Layer Security) is an EAP type that is used in certificate-based security environments,
and it provides the strongest authentication and key determination method.EAP-MS-CHAP v2 (EAP-Microsoft Challenge Handshake Authentication Protocol version 2) is a mutual
authentication method that supports password-based user or computer authentication.
PEAP (Protected EAP) is an authentication method that uses TLS to enhance the security of other EAP
authentication protocols.
Connection request policies are sets of conditions and settings that allow network administrators to designate
which Remote Authentication Dial-In User Service (RADIUS) servers perform the authentication and
authorization of connection requests that the server running Network Policy Server (NPS) receives from
RADIUS clients. Connection request policies can be configured to designate which RADIUS servers are used for
RADIUS accounting.
With connection request policies, you can use NPS as a RADIUS server or as a RADIUS proxy, based on factors
such as the following:
The time of day and day of the week
The realm name in the connection request
The type of connection being requested
The IP address of the RADIUS client
B. Connection request policies are used only to forward authentication requests.
the answers are WTF-like!
We had several of such projects (in conjunction with PKI) for customers and we always useed the default connection request policy and define “the magic” in the network policies. And we always used EAP-TLS and it definately works that way.
Furthermore, the explanation of this answer states that there are several options how to implement 802.1X. So what would be wrong for example with using PEAP stuff? EAP-MSCHAPv2 is less secure anyway, wtf…?!
otherwise the question does not state a PKI is in use, so at first sight B and C look quite OK. Answer C has the advantage that it overrides all authentication settings defined in network policies…
You only need to allow connections that use 802.1x, not block every other. To do that you just need to create a network policy as the default Connection Request Policy is enough.
I forgot you cannot set the authentication type in Connection Request Policies
B is OK…
At first i thought that B was the right answer, but then i wanted to make sure if there wasn’t a way for connection request policies to override network policies when it comes to 802.1x connections and when i was searching i found that, when you’re configuring a connection request policy when you get to the window “Specify Authentication Methods”, you can select the option “Override network policy authentication methods”. Even if you ignore that step at first, after you create the cnonnection request, you can always go to the properties of the connection request policy you just created and select the “Settings” tab, you also have that option under “Authentication Methods”.
So in this case i think microsoft want us to choose answer C, since when you use the wizard to create 802.1x by default it creates a network policy and a connection request policy.
“since when you use the wizard to create 802.1x by default it creates a network policy and a connection request policy.”
Correct that wizard will ask you authentication method if u choose whatever PEAP/EAP it will configured in the Network Policy. So why bother overriding that in Connection Policy again? I would stick to the simply way. B
While Connection Request Policies does not contain “Authentication Type” or “Allowed EAP Types” under the Conditions tab, but you can still set the Authentication Method under Settings, to override the Network Policy.
You can add EAP with MS-CHAP-V2 in there, so that should do it anyway? The only thing it says there is “For VPN and 802.1x connections with ‘NAP’, you must configure PEAP authentication here”. Not sure if this is override setting is to be used with NAP specifically or not.
http://blogs.technet.com/b/networking/archive/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows.aspx
To muddy the waters even further, you get this:
After you run the Configure 802.1X wizard, the following policies are created:
– One connection request policy
– One network policy
https://technet.microsoft.com/en-us/library/dd283091(v=ws.10).aspx
But also straight from Microsoft:
Connection request policies are sets of conditions and settings that allow network administrators to designate which RADIUS servers perform the authentication and authorization of connection requests that the server running Network Policy Server (NPS) receives from RADIUS clients.
So I have to go with B as the correct answer here.
C is correct.
If you open up NPS and click on connection request policy the following description is provided:
“For NAP VPN or 802.1x, you must configure PEAP authentication in connection request policy.”
The configuration is done on the Settings tab of the policy. Check it out.
Hey guys,
It looks like kingces is right.
This is right from the horse’s mouth:
https://msdn.microsoft.com/en-us/library/cc753603.aspx
Labeled under **Important
Answer provided is correct. C.
Problem is, we are not told if this is using NAP or not.
C
robber says:
July 14, 2015 at 9:59 pm
https://msdn.microsoft.com/en-us/library/cc753603.aspx
This line removes the “network policy” answers despite them being processed locally. From the 2 connection request policies ms-chapv2 only doesn’t make sense, so C.
When you deploy Network Access Protection (NAP) by using the virtual private network (VPN) or 802.1X enforcement methods with Protected Extensible Authentication Protocol (PEAP) authentication, you must configure PEAP authentication in the connection request policy even when connection requests are processed locally.
The authentication method is only defined in the connection request policy, when using 802.1x or VPN with NAP. For that situation, PEAP authentication is required. However, the question does not talk about NAP at all – run through the RADIUS for 802.1x connections in NPS, and it’s quite clear to see that the authentication method is defined in the network policy.
Answer is B – EAP-MSCHAPv2
But is the connection request policy Authentication Method specific to NAP only? Can’t it still be used normally, to override Network Policy authentication?
This is the great Microsoft question of 2016.
The war of B vs C.
Even after reading everyone’s responses and testing myself, i am still fucking confused.
In the end, it doesnt matter. If i end up getting this question on my test later on this week, i will just punch my monitor and walk away.
Kidding, But pretty sure the answer is B.
For everyone saying C, i understand you can override network policies by changing the advanced settings of the CRPs, but again, NAP isnt mentioned anywhere here. We cant assume all of this is running behind the question. As much as Microsoft wants us to think critically for all these questions, this is a little too much.
Safe answer is B, but somehow the answer can still be C.