Your network contains an Active Directory domain.
You plan to implement a remote access solution that will contain three servers that run
Windows Server 2012. The servers will be configured as shown in the following table.
Server1 will support up to 200 concurrent VPN connections.
You need to ensure that all VPN connection requests are authenticated and authorized by
either Server2 or Server3. The solution must ensure that the VPN connections can be
authenticated if either Server2 or Server3 fails.
What should you do?
A. On Server1, configure a RADIUS proxy. On Server2 and Server3, add a RADIUS client.
B. On Server2 and Server3, add a RADIUS client. On Server1, modify the Authentication settings.
C. On Server1, configure a RADIUS proxy. Add Server2 and Server3 to a failover cluster.
D. Add Server2 and Server3 to a Network Load Balancing (NLB) cluster. On Server1, modify the Authentication settings.
Explanation:
http://technet.microsoft.com/en-us/library/cc754033.aspx
Correct answer: B
Explanation:
* A network access server (NAS) is a device that provides some level of access to a larger network. A NAS using a RADIUS infrastructure is also a RADIUS client, sending connection requests and accounting messages to a RADIUS server for authentication, authorization, and accounting.
* Client computers, such as wireless portable computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers–such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers–because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers.
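Answer B written out as a configuration, as an added example that is not part of the original page: Server1 (the VPN server, acting as NAS) is registered as a RADIUS client on both NPS servers, and Server1's VPN authentication is pointed at both of them so that either can answer. The Server1 address and the shared secret are placeholders, and the cmdlets come from the NPS and RemoteAccess modules that ship with Windows Server 2012.

```powershell
# Added example. Server1/Server2/Server3 are the names used in the question;
# everything in angle brackets is a placeholder to fill in.
$NpsServers   = 'Server2', 'Server3'            # the two RADIUS servers (NPS)
$Server1Addr  = '<Server1 IP or FQDN>'          # placeholder: the table is not on the page
$SharedSecret = '<long random shared secret>'   # placeholder: must match on both sides

# 1. On Server2 and Server3: add Server1 as a RADIUS client.
#    Skipped if a client with that name is already registered.
Invoke-Command -ComputerName $NpsServers -ScriptBlock {
    param($Address, $Secret)
    Import-Module NPS
    if (-not (Get-NpsRadiusClient | Where-Object Name -eq 'Server1')) {
        New-NpsRadiusClient -Name 'Server1' -Address $Address -SharedSecret $Secret
    }
} -ArgumentList $Server1Addr, $SharedSecret

# 2. On Server1 (run locally there): change the VPN authentication provider
#    from Windows authentication to RADIUS, naming the first RADIUS server...
Set-VpnAuthType -Type ExternalRadius -RadiusServer 'Server2' -SharedSecret $SharedSecret

#    ...then add the second RADIUS server so requests can go to it
#    when the first one does not answer.
Add-RemoteAccessRadius -ServerName 'Server3' -SharedSecret $SharedSecret -Purpose Authentication

# 3. Check: both Server2 and Server3 should now be listed.
Get-RemoteAccessRadius
```

A request from a NAS that is not registered as a RADIUS client is dropped by NPS, so step 1 has to be done on both servers for failover to work.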
Not sure on this one… B does not satisfy the criteria of authenticating if Server 2 or Server 3 fails.
D: (NLB cluster) would seem to satisfy this. If you have 2 RADIUS Clients, then that’s 2 Access Points for clients to come at but neither is aware of the other. So if Server 2 fails, and clients come to that for authentication all the time, how will they know to go to Server 3?
This article would suggest that a NLB cluster would be a good idea.
https://technet.microsoft.com/en-us/library/dd197433%28v=ws.10%29.aspx
Network Load Balancing is correct
I was wrong. Given answer is correct.
Configure your network access servers to send connection requests to multiple RADIUS servers. For example, if you have 20 wireless access points and two RADIUS servers, configure each access point to send connection requests to both RADIUS servers. You can load balance and provide failover at each network access server by configuring the access server to send connection requests to multiple RADIUS servers in a specified order of priority. This method of load balancing is usually best for small organizations that do not deploy a large number of RADIUS clients.
https://technet.microsoft.com/en-us/library/dd197433%28v=ws.10%29.aspx
My chosen / best fit answer : D
RADIUS clients do not process Access-Request messages by performing authentication, authorization, and accounting. Only RADIUS servers perform these functions.
Therefore :- Answers A & B are incorrect…
A NAS using a RADIUS infrastructure is also a RADIUS client, sending connection requests and accounting messages to a RADIUS server for authentication, authorization, and accounting.
Therefore, Server 1 is a RADIUS Client
Servers 2 & 3 are RADIUS Servers, NOT clients
Once again, Answers A & B are incorrect…
In a VPN Scenario, the RRAS Server is the client, it is not a RADIUS Proxy…
This technically also means that C is incorrect…
However, NLB ONLY Load Balances, it does not monitor services…it checks for a heartbeat, to see if the server is available from a networking perspective and does not check if the service is running. As such, it can still load balance, hence receive a request, even if the RADIUS service has stopped, therefore not replying / not authenticating – in my opinion, this does not meet the requirements…
As Server 2 & 3 have to be available, then this can be achieved by 2 & 3 being a Failover Cluster… Answer : C… but Server 1 is not a RADIUS Proxy…
Personally… the answer is a combination of C & D, because…
Server 1 needs to have its Authentication Settings changed, to reflect the Cluster Name of Server 2 & 3, Server 2 & 3 are a Failover Cluster…
As this is not an option, the nearest fit is Answer D…
B is correct.
It states “Add a RADIUS client (server1 implied) on server 2 & 3”, not “add server 2 & 3 as RADIUS clients”.
Given answer is correct.
You add Server 1 as a RADIUS Client on the two RADIUS Servers (Server 2 and Server 3) - this means that Server 1 will use those two “remote” RADIUS servers for authentication.
If the connection between the two Remote RADIUS Clients fails, the RRAS Server (Server 1, which hosts the VPN service) will perform the authentication.
Scratch that last sentence. Basically, both Server 2 and Server 3 will perform authentication. If one of those servers fails, the other server will authenticate in its stead.