Exam SY0-601 topic 1 question 337 discussion

Actual exam question from CompTIA's SY0-601
Question #: 337
Topic #: 1

An organization is moving away from the use of client-side and server-side certificates for EAP. The company would like for the new EAP solution to have the ability to detect rogue access points. Which of the following would accomplish these requirements?

  • A. PEAP
  • B. EAP-FAST
  • C. EAP-TLS
  • D. EAP-TTLS
Suggested Answer: B

Comments

Mack279
Highly Voted 2 years, 4 months ago
Selected Answer: B
EAP-FAST authenticates by means of a PAC (Protected Access Credential) which can be managed dynamically by the authentication server. EAP-TLS, EAP-TTLS, PEAP are cert based. The question states the company is moving away from client and server side certificates.
upvoted 32 times
...
ganymede
Highly Voted 2 years, 4 months ago
Selected Answer: B
B. EAP-FAST
EAP-FAST (Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling) does not require server-side or client-side digital certificates, making it a popular EAP method for organizations that do not want to deploy and manage digital certificates. Instead of certificates, EAP-FAST uses a shared secret to establish a secure tunnel for authentication, which can be easier to manage and deploy than digital certificates.
EAP-FAST can detect rogue access points. This is accomplished through the use of mutual authentication, where both the client and the authentication server validate each other's identity before establishing a secure tunnel for transmitting user authentication credentials. Rogue access points that are not part of the secure network infrastructure will not be able to pass this mutual authentication and will be detected by the EAP-FAST solution.
upvoted 19 times
...
shaneo007
Most Recent 1 year, 5 months ago
Answer A. PEAP
EAP-FAST: While it also avoids client-side certificates, it has a less robust mutual authentication process and was deprecated in 2013 due to security concerns.
upvoted 1 times
...
AceVander
1 year, 7 months ago
I choose B. EAP-FAST
Question says they are "moving away from client/server-side certificates" & they want "the EAP solution to be able to detect rogue access points":
A. PEAP - uses certificates
B. EAP-FAST - does not use certificates & can detect rogue APs
C. EAP-TLS - uses certificates
D. EAP-TTLS - does not have the ability to detect rogue APs but does not require the use of certificates (according to the study guide this is usually implemented for compatibility concerns because it provides support for less secure authentication mechanisms)
upvoted 4 times
...
ronah
2 years, 1 month ago
Selected Answer: D
In summary, both EAP-TTLS and EAP-FAST can be suitable choices for moving away from client-side and server-side certificates. If rogue access point detection is a critical requirement, EAP-TTLS would be the more appropriate option. However, if that specific requirement is not a priority, EAP-FAST can still be a valid choice. The final decision should be based on the organization's specific needs and priorities. Per ChatGPT.
upvoted 2 times
...
ApplebeesWaiter1122
2 years, 1 month ago
Selected Answer: B
Ganymede/Mack279 have great responses
upvoted 3 times
...
Nishkurup
2 years, 3 months ago
Selected Answer: B
https://www.intel.co.uk/content/www/uk/en/support/articles/000006999/wireless/legacy-intel-wireless-products.html#:~:text=Unlike%20EAP%2DTLS%2C%20EAP%2D,certificate%20to%20achieve%20mutual%20authentication.
upvoted 2 times
...
Spam_Protection
2 years, 4 months ago
Selected Answer: B
EAP-FAST does not need a digital Cert
upvoted 2 times
...
brewoz404sd
2 years, 4 months ago
Selected Answer: B
EAP-FAST detects all APs on the network by scanning all channels. EAP-TTLS will only detect if client / server cert validation is used. Otherwise, they are susceptible to rogue AP attacks just like PEAP.
upvoted 3 times
...
sdc939
2 years, 4 months ago
D. EAP-TTLS
upvoted 2 times
...
Ranaer
2 years, 4 months ago
Another very strange question. I believe A, B AND D all have the capability of detecting rogue access points... The only obviously incorrect answer is C. I don't know what to answer here.
upvoted 1 times
...
TunexBaba
2 years, 4 months ago
Selected Answer: B
According to Intel.ca, TLS-FAST can detect rogue devices, so the answer should be B: https://www.intel.ca/content/www/ca/en/support/articles/000046714/wireless/legacy-intel-wireless-products.html
upvoted 2 times
...
OnA_Mule
2 years, 5 months ago
Selected Answer: D
Answer should be D. With EAP-TTLS, the certificate is an EAP method that supports the detection of rogue access points. EAP-TTLS provides a secure encrypted tunnel between the client and the authentication server, which allows the authentication server to verify the identity of the client and detect rogue access points. EAP-TTLS is often used in enterprise environments where the security of the wireless network is a concern, and the detection of rogue access points is important for maintaining network security. PEAP (Protected Extensible Authentication Protocol), EAP-FAST (Flexible Authentication via Secure Tunneling) and EAP-TLS (Transport Layer Security) do not provide the ability to detect rogue access points. They are focused on providing secure authentication between the client and the server, but do not specifically address the detection of rogue access points.
upvoted 1 times
...
supersanta
2 years, 5 months ago
Should the answer be C? EAP-TLS
upvoted 4 times
...