Exam MD-100 topic 4 question 4 discussion

VPN1 Protocols 1.Answer has to be revolve around what Tunnels support Mschapv2 authentication methods Tunnelling is automatic but the choice of using PAP, CHAP, or MSCHAPv2 applies only to PPTP, L2TP/IPsec, and SSTP tunnels; IKEv2 tunnels can only use EAP-MSCHAPv2 or certificates from my research. Microsoft PPTP VPN is using a weak algorithm (MS-CHAP v2) L2TP decides between PAP, CHAP, or MS-CHAPv2 authentication for users. SSTP accepts MSchapV2 on Microsoft win 10 vpns. Option 1 and 2 appear to be correct, therefore I would choose all 4 protocols but I cannot find anything to suggest that Microsoft vpns on win 10 machines can use Mschapv2 for an iEKv2 tunnel Accept option 4 (all protocols) 2.Only traffic for the corporate network Split-tunnelling is true. Corporate network goes through the vpn and internet access is routed from the local host.

Disagree with first answer since Tunnel Type is set to: Automatic – this should allow the host as being able to support all protocols for connection since the connection protocol was not predefined. Second answer is correct since the split tunnel: true means VPN traffic is split to the remote network (remote files, remote printers, RDP, etc.) while internet traffic will remain routed through the local host (opposite of full tunnel where all traffic tunnels through the remote connection, including internet)

all are supported: https://docs.microsoft.com/en-us/windows/security/identity-protection/vpn/vpn-connection-type

The Automatic option means that the device will try each of the built-in tunneling protocols until one succeeds. It will attempt from most secure to least secure

I just tested this on Win10 v1809. Here are my results: All tunnel types (PPTP, L2TP with Machine Cert, L2TP with Pre-Shared Key, SSTP, IKEv2, and Auto) ALL support EAP. They also all support MS-CHAPv2, EXCEPT IKEv2 does NOT support it. Incidentally, you can only select MS-CHAPv2 if the user authentication type ("Type of sign-in info") is set to "User name and password". So IKEv2 is the only one that does NOT support MS-CHAPv2.

What would be the final answer and justification?

Q1 : All Protocol tested (from best to least secure : IKev2 - L2TP - SSPT -PPTP) because on Automatic (https://docs.microsoft.com/fr-fr/windows/security/identity-protection/vpn/vpn-connection-type) Q2 :Only intranet traffic

SSTP-> SSL Certifcate IKE-V2 -> Certificate Box 1 PPTP, L2TP/IPsec

I suspect they are going for all four since TunnelType it is set to Automatic (vs a specific tunnel type) https://docs.microsoft.com/en-us/powershell/module/vpnclient/add-vpnconnection?view=win10-ps

can someone explain how to find the answer on this one?