You need to ensure that smart card users are able to connect to RAS1 by using a dial-up connection

Your corporate network has a member server named RAS1 that runs Windows Server 2008 R2. You
configure RAS1 to use the Routing and Remote Access Services (RRAS). The company’s remote
access policy allows members of the Domain Users group to dial in to RAS1. The company issues
smart cards to all employees. You need to ensure that smart card users are able to connect to RAS1
by using a dial-up connection. What should you do?

A.
Install the Network Policy Server (NPS) server role on RAS1.

B.
Create a remote access policy that requires users to authenticate by using SPAP.

C.
Create a remote access policy that requires users to authenticate by using EAP-TLS.

D.
Create a remote access policy that requires users to authenticate by using MS-CHAP v2.

Explanation:
EAP-Transport Layer Security (EAP-TLS), defined in RFC 5216, is an IETF open standard, and is
well supported among wireless vendors. The security of the TLS protocol is strong, provided the user
understands potential warnings about false credentials. It uses PKI to secure communication to a
RADIUS authentication server or another type of authentication server. So even though EAP-TLS
provides excellent security, the overhead of client-side certificates may be its Achilles’ heel.
EAP-TLS is the original, standard wireless LAN EAP authentication protocol. Although it is rarely
deployed, it is still considered one of the most secure EAP standards available and is universally
supported by all manufacturers of wireless LAN hardware and software. The requirement for a
client-side certificate, however unpopular it may be, is what gives EAP-TLS its authentication
strength and illustrates the classic convenience vs. security trade-off. A compromised password is
not enough to break into EAP-TLS enabled systems because the intruder still needs to have the
client-side private key. The highest security available is when client-side keys are housed in smart
cards.[4] This is because there is no way to steal a certificate’s corresponding private key from a
smart card without stealing the card itself. It is significantly more likely that the physical theft of a
smart card would be noticed (and the smart card immediately revoked) than a (typical) password
theft would be noticed. Up until April 2005, EAP-TLS was the only EAP type vendors needed to certify
for a WPA or WPA2 logo.[5] There are client and server implementations of EAP-TLS in 3Com, Apple,
Avaya, Brocade Communications, Cisco, Enterasys Networks, Foundry, HP, Juniper, and Microsoft,
and open source operating systems. EAP-TLS is natively supported in Mac OS X 10.3 and above,
Windows 2000 SP4, Windows XP and above, Windows Mobile 2003 and above, and Windows CE 4.2
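The property the explanation leans on, that an EAP-TLS peer must prove possession of the client's private key and that a known password or a copied certificate buys an intruder nothing, is a property of the TLS handshake that EAP-TLS carries. The Go program below is an added example, not code from this page, from Microsoft or from RRAS/NPS: it stands in for the EAP-TLS exchange with a plain in-process mutual-TLS handshake (no PPP, EAP or RADIUS framing), builds a constructed corporate CA in memory (Contoso, ras1.contoso.example and alice@contoso.example are made-up names), and dials a loopback server that, like a remote access policy requiring EAP-TLS, admits only a peer whose certificate chains to that CA and whose handshake signature matches the certificate. Three callers are tried: a smart-card holder with certificate and key, a caller with only a password and no certificate, and a caller who copied Alice's certificate but signs with a different key.

```go
package main
// Added example (not the page's, Microsoft's or RRAS's code): mutual TLS modelling EAP-TLS.
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)
func check(err error) { // setup errors are bugs in this constructed demo, so stop hard
	if err != nil {
		panic(err)
	}
}

// issueCert returns a P-256 certificate for cn: self-signed (the constructed corporate CA) when parent == nil.
func issueCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // so the client can verify the loopback server
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// dialUp runs one handshake against a server that, like a remote access policy requiring EAP-TLS, admits
// only a peer whose certificate chains to ca and whose handshake signature matches that certificate.
// client == nil models a caller that knows a password but has no certificate to offer.
func dialUp(ca *x509.Certificate, server tls.Certificate, client *tls.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
	})
	check(err)
	defer ln.Close()
	go func() {
		if conn, err := ln.Accept(); err == nil {
			defer conn.Close()
			if conn.(*tls.Conn).Handshake() == nil {
				conn.Write([]byte{1}) // only an authenticated peer receives the "admitted" byte
			}
		}
	}()
	cfg := &tls.Config{RootCAs: pool}
	if client != nil {
		cfg.Certificates = []tls.Certificate{*client}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return false // rejected inside the handshake
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	_, err = conn.Read(make([]byte, 1)) // under TLS 1.3 a rejection arrives as an alert here, not from Dial
	return err == nil
}

// scenarios builds the constructed PKI and reports, per caller, whether "RAS1" admitted it.
func scenarios() map[string]bool {
	ca, caKey := issueCert("Contoso Root CA (constructed)", nil, nil)
	srv, srvKey := issueCert("ras1.contoso.example", ca, caKey)
	card, cardKey := issueCert("alice@contoso.example", ca, caKey)
	rogueKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // a key that was never on Alice's card
	check(err)
	callers := map[string]*tls.Certificate{
		"smart card: certificate + private key": {Certificate: [][]byte{card.Raw}, PrivateKey: cardKey},
		"password only: no certificate":         nil,
		"copied certificate, wrong private key": {Certificate: [][]byte{card.Raw}, PrivateKey: rogueKey},
	}
	out := map[string]bool{}
	for name, client := range callers {
		out[name] = dialUp(ca, tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}, client)
	}
	return out
}

func main() { fmt.Println(scenarios()) }
```

Only the first caller is admitted. The server decides after the peer has signed the handshake transcript, so the copied certificate fails exactly as the explanation says: the public certificate is not the secret, the private key on the card is. Under TLS 1.3 the client's own handshake completes before the server has judged the certificate, which is why the program reads one byte after dialling instead of trusting a successful Dial; on a real RRAS/NPS deployment the equivalent decision is recorded by the NPS accounting and event logs rather than surfaced to the caller.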