Exam 300-430 topic 1 question 99 discussion

A. Use the user password that is configured on the server. Explanation: PEAP Authentication Failure: PEAP (Protected Extensible Authentication Protocol) uses a server certificate to establish a secure TLS tunnel, but the actual user authentication is performed using credentials (username and password) stored in the RADIUS server's internal database. If the RADIUS server sends an Access-Reject message, it indicates that the user credentials provided by the client do not match those configured on the server. Root Cause: The most common reason for an Access-Reject message during PEAP authentication is an incorrect username or password. The client may be providing credentials that do not match those stored in the RADIUS server's internal database. Solution: Ensure that the client is using the correct username and password as configured on the RADIUS server. This will resolve the authentication failure.

PEAP is a Tunnel Method that only validates the Server certificate. Since the question mentions "the server is sending an Access-Reject message", it is understood the Server certificate has been validated successfully (therefore B is incorrect). The question does not explicitly mention what Inner Method is being used, however it mentions the "internal database of a RADIUS server" is being used for Authentication, this means Username and Password are configured locally on the RADIUS server, since certificates are not supported with Internal Database (therefore C and D are incorrect). In this case, some clients are using the wrong user password, and they need to use the password that have been configured on the server to solve the issue.

Here is a quote from the Cisco documentation: If PEAP authentication is failing and the server is sending an Access-Reject message, it is likely that the client certificate is not valid or does not match the user account. To resolve the issue, you can update the client certificate to match the user account. You can do this by using a certificate enrollment system or by manually installing the client certificate on the client device.

RADIUS wont send an access reject if the certs are invalid if using PEAP mschapv2

The server is not trusting the client, not the other way around. Hence D.

Disabling the Server Certificate check will work (B), but then you are not using PEAP, you are back to LEAP, and you have removed all the security benefits of that cert. You need to reload the server certifcate onto the clients that are failing. Choice D.