Exam SY0-501 topic 1 question 128 discussion

It is PEAP. They are both very similar but the key here is it mentions that the user must provide a username and password. EAP-TLS is auto authentication no need to provide user or password.

PEAP - Client(User) authenticates via user name and password - Server authenticates via CA. EAP-TLS authentication is automatic no user involvement needed.

The answer is PEAP Here Intel gives out a nice lil chart https://www.intel.com/content/www/us/en/support/articles/000006999/network-and-i-o/wireless.html A,B,C all use mutual authentication but PEAP is the only one that can use legacy password based protocols.

PEAP- creates a secure communication channel for transmitting certificate or login credantials. - Enables mutual authentication by requiring the server to prove its identity with the client. -Was a collaborative effort between Cisco, Microsoft, and RSA. EAP-TLS - A certificate is used in place of a password, making it practically impossible to crack.

https://www.interlinknetworks.com/app_notes/eap-peap.htm

A EAP-FAST Question says ” MUST support MUTUAL authentication of the wireless client and the authentication server BEFORE users provide credentials” – EAP-FAST uses symmetric keys to establish a mutually authenticated tunnel, then the client sends user name and password to authenticate. https://searchnetworking.techtarget.com/answer/What-is-EAP-FAST Not ( B ) because EAP-TLS only uses certificates (client and server both), no user credentials. Not ( C ) because with PEAP only the authentication server is required to provide a certificate – no mutual authentication. Not ( D ) EAP is not considered to be a wire protocol. Instead, it solely defines a message format

I think the answer is PEAP because the wireless network must also support authentication with usernames and passwords

PEAP authenticates the server with a public key certificate and carries the authentication in a secure Transport Layer Security (TLS) session, over which the WLAN user, WLAN stations and the authentication server can authenticate themselves. Each station gets an individual encryption key. When used in conjunction with Temporal Key Integrity Protocol (TKIP), each key has a finite lifetime.

Information I have from Learning Tree course is that PEAP is an EAP form that sends MSCHAP credentials secured within a TLS envelope.

C. PEAP EAP by itself is only an authentication framework. PEAP (Protected Extensible Authentication Protocol) fully encapsulates EAP and is designed to work within a TLS (Transport Layer Security) tunnel that may be encrypted but is authenticated. The primary motivation behind the creation of PEAP was to help correct the deficiencies discovered within EAP since that protocol assumes that the communications channel is protected. As a result, when EAP messages are able to be discovered in the “clear” they do not provide the protection that was assumed when the protocol was originally authored. PEAP, EAP-TTLS, and EAP-TLS “protect” inner EAP authentication within SSL/TLS sessions.

"PEAP requires a certificate on the server, but not the client. A common implementation is with Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2)." That's from Gibson's book. So, is the question assuming that MSChap is being used with peap? Since PEAP by itself is just encapsulation method. Chap uses a three way handshake where the client and server challenge each other.. It also uses a password and username. The question doesn't mention anything about certificates they're probably talking about peap being used with MSCHAP v2. It looks like answer C is correct.

PEAP does not provide mutual authentication

Answer Is Peap and i have configired this before

Yes, I agree that is should be PEAP.

I remember somewhere I read that PEAP contains EAP-TLS, TTLS and one more that I forgot :-)

With EAP-TLS, both sides require a certificate. With a client-side certificate, a compromised password is not enough to break into EAP-TLS enabled systems because the intruder still needs to have the client-side certificate. PEAP is an encapsulation, is not a method, but you are almost right again. PEAP is similar in design to EAP-TTLS, requiring only a server-side PKI certificate to create a secure TLS tunnel to protect user authentication, and uses server-side public key certificates to authenticate the server. It then creates an encrypted TLS tunnel between the client and the authentication server. With EAP-TTLS, after the server is securely authenticated to the client via its CA certificate and optionally the client to the server, the server can then use the established secure connection ("tunnel") to authenticate the client. http://www.tech-faq.com/eap-leap-peap-and-eap-tls-and-eap-ttls.html ======= So, best answer would be EAP-TLS as this requires mutual authentication....So B.