Which of the following EAP methods requires digital certificates to be installed on the server but not on the
client? (Select the best answer.)
A. EAP-FAST
B. EAP-PEAP
C. EAP-TLS
D. LEAP
Explanation:
Protected Extensible Authentication Protocol (PEAP) requires digital certificates to be installed on the server but
not on the client. PEAP is an open standard developed by Cisco, Microsoft, and RSA. PEAP and other later
variants of Extensible Authentication Protocol (EAP), such as EAP-Transport Layer Security (EAP-TLS) and
EAP-Tunneled TLS (EAP-TTLS), are replacing Lightweight EAP (LEAP). PEAP clients can use alternative
authentication methods, such as one-time passwords (OTPs).
EAP-TLS requires both a client and a server digital certificate. EAP-TLS is an authentication protocol that can be
used for point-to-point connections and for both wired and wireless links. EAP-TLS performs mutual
authentication to secure the authentication process. When EAP-TLS is used, a digital certificate must be
installed on the authentication server and each client that must authenticate with the server. The digital
certificate used on clients and the server must be obtained from the same certificate authority (CA).
LEAP does not require either the server or the client to be configured with a digital certificate. When LEAP is
used, the client initiates an authentication attempt with a Remote Authentication Dial-In User Service (RADIUS)
server. The RADIUS server responds with a challenge response. If the challenge/response process is
successful, the client then validates that the RADIUS server is correct for the network. If the RADIUS server is
validated, the client will connect to the network.
Similar to LEAP, EAP-Flexible Authentication via Secure Tunneling (FAST) does not require either the server or
the client to be configured with a digital certificate. When EAP-FAST is used, Protected Access Credentials
(PACs) are used to authenticate users. The EAP-FAST authentication process consists of three phases. The
first phase, which is optional and is considered phase 0, consists of provisioning a client with a PAC, which is a
digital credential that is used for authentication. A PAC can be manually configured on a client, in which case
phase 0 is not required. The second phase, which is referred to as phase 1, involves creating a secure tunnel
between the client and the server. The final phase, which is referred to as phase 2, involves authenticating the
client. If the client is authenticated, the client will be able to access the network.
Cisco: Cisco Protected Extensible Authentication Protocol