Question 36


The correct answer is B.

OBJ-3.6: EAP Transport Layer Security (EAP-TLS) is the strongest type of authentication used in EAP. EAP-TLS establishes an encrypted TLS tunnel between the client and the server, using public key certificates for both the server and the client for mutual authentication. For additional security, the client will normally use a digital certificate located on a smart card, or a certificate installed on the client device in the TPM, for its portion of the authentication.

Protected Extensible Authentication Protocol (PEAP) uses an encrypted TLS tunnel between the client and the server, but it only utilizes a server-side public key certificate, making it prone to password guessing and on-path attacks. PEAP only supports the use of EAP-MSCHAP or EAP-GTC (Generic Token Card) for client authentication.

EAP Tunneled Transport Layer Security (EAP-TTLS) uses a server-side certificate to establish a protected tunnel through which the user’s authentication credentials are transmitted to the authentication server. EAP-TTLS can use any inner authentication protocol, including PAP, CHAP, MSCHAP, or GTC, whereas PEAP can only use EAP-MSCHAP and EAP-GTC.

EAP with Flexible Authentication via Secure Tunneling (EAP-FAST) creates a protected tunnel without using a digital certificate and then passes the user’s authentication credentials through the tunnel to the authentication server. Instead of relying on a digital certificate, the client is issued a Protected Access Credential (PAC) based on the server’s master key, but this PAC must then be securely distributed to the user’s client before EAP-FAST can be used.
