Which EAP type requires the use of device certificates?
A. EAP-TLS
B. EAP-FAST
C. EAP-SSL
D. PEAP
E. LEAP
Correct Answer: A
Explanation/Reference:
Explanation:
With either EAP-TLS or PEAP with EAP-TLS, the server accepts the client’s authentication when the certificate meets the following requirements:
The client certificate is issued by an enterprise certification authority (CA), or it maps to a user account or to a computer account in the Active Directory directory service.
The user or the computer certificate on the client chains to a trusted root CA.
The user or the computer certificate on the client includes the Client Authentication purpose.
The user or the computer certificate does not fail any one of the checks that are performed by the CryptoAPI certificate store, and the certificate passes requirements in the remote access policy.
The user or the computer certificate does not fail any one of the certificate object identifier checks that are specified in the Internet Authentication Service (IAS) remote access policy.
The 802.1x client does not use registry-based certificates that are either smart-card certificates or certificates that are protected with a password.
The Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN) of the user.
When clients use EAP-TLS or PEAP with EAP-TLS authentication, a list of all the installed certificates is displayed in the Certificates snap-in, with the following exceptions:
Wireless clients do not display registry-based certificates and smart card logon certificates.
Wireless clients and virtual private network (VPN) clients do not display certificates that are protected with a password.
Certificates that do not contain the Client Authentication purpose in EKU extensions are not displayed.
Reference: https://support.microsoft.com/en-in/kb/814394