A network engineer needs to ensure that the access credentials are not exposed during the 802.1X authentication among components. Which two protocols should be configured to accomplish this task? (Choose two.)
Correct answer A and D
Sorry, it is in Italian; you can translate it.
https://www.intel.it/content/www/it/it/support/articles/000006999/wireless/legacy-intel-wireless-products.html
EAP-TTLS is a secure protocol that provides strong encryption for the authentication process, but it does not inherently protect the access credentials from exposure during the 802.1X authentication process. EAP-TTLS requires an inner authentication method to be used in conjunction with it, such as PAP or MSCHAPv2, which can potentially expose the access credentials if they are not properly protected. On the other hand, PEAP and EAP-TLS are designed to protect the access credentials during the authentication process, making them more suitable for this specific requirement.
To prevent access credentials from being exposed during 802.1X authentication, it is essential to use protocols that support encryption and secure transport of credentials.
PEAP (Protected Extensible Authentication Protocol): PEAP encapsulates EAP within a TLS (Transport Layer Security) tunnel, protecting the credentials during transmission. PEAP uses server-side certificates to establish a secure connection before the user credentials are sent, keeping them safe from exposure.
EAP-TLS (Extensible Authentication Protocol-Transport Layer Security): EAP-TLS provides mutual authentication between the client and server using digital certificates. This protocol is highly secure, as it relies on certificate-based authentication rather than transmitting user credentials directly, protecting them from interception.
To ensure that access credentials are not exposed during the 802.1X authentication, the two protocols that should be configured are EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) and PEAP (Protected Extensible Authentication Protocol). These protocols provide secure methods for transmitting authentication data between components without exposing sensitive information.
I agree.
"EAP-TTLS balances security versus deployment cost by replacing client-side certificates with legacy password authentication methods, such as Password Authentication Protocol, CHAP and MS-CHAPv2. While the EAP method is still vulnerable to attacks because of its credentials-based client authentication, the TLS encryption does increase security during the exchange of credentials.
To avoid exposing the client's name, EAP-TTLS should be configured to send an anonymous identity when 802.1X starts and then send the actual identity through the TLS tunnel. That tunnel ends when authentication is completed and keys are delivered."
- https://www.techtarget.com/searchnetworking/feature/Choosing-the-right-flavor-of-8021X
--------------------------------------------------
However, just for info, Aruba supports EAP-TLS inner method with EAP-TTLS (not relevant to Cisco exam):
https://www.arubanetworks.com/techdocs/ClearPass/6.7/PolicyManager/Content/CPPM_UserGuide/Auth/AuthMethod_eap-ttls.htm
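To make the outer/inner method split and the anonymous outer identity from the quoted text concrete, here is an added wpa_supplicant configuration (my own constructed example, not from the quoted sources or the exam): one PEAP network and one EAP-TTLS network, each with a placeholder identity, password and CA path. In both, the real username and password travel only inside the TLS tunnel, and the supplicant pins the RADIUS server certificate so the tunnel cannot be terminated by a rogue server.

```conf
# Constructed example: supplicant side of a tunneled 802.1X (EAP) setup.
# SSIDs, identities, passwords and file paths are placeholders.

# PEAP (outer) with MSCHAPv2 (inner): password is sent only inside the TLS tunnel.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    # Outer identity seen in the clear on the wire; carries no real username.
    anonymous_identity="anonymous@example.com"
    # Inner identity and password, sent only after the TLS tunnel is up.
    identity="user@example.com"
    password="PLACEHOLDER-PASSWORD"
    phase2="auth=MSCHAPV2"
    # Validate the authentication server's certificate; without ca_cert and
    # domain_suffix_match the client would tunnel its password to any server.
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
}

# EAP-TTLS (outer) with an inner EAP-MSCHAPv2 method, same protections.
network={
    ssid="corp-wifi-ttls"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@example.com"
    identity="user@example.com"
    password="PLACEHOLDER-PASSWORD"
    # autheap= selects an EAP inner method; auth=PAP / auth=MSCHAPV2 would
    # select a legacy (non-EAP) inner method as the TechTarget quote describes.
    phase2="autheap=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
}
```

A capture of the exchange shows only the anonymous outer identity and the TLS handshake; the inner identity and password never appear unencrypted, which is the property the question asks for.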
For me PEAP and EAP-TTLS are the correct answers. The reason is because both are Tunneled-EAP types, which means a tunnel is created between client and server prior to sending the credentials.
A - ISE help: Check this check box to enable PEAP authentication protocol and PEAP settings. The default inner method is MS-CHAPv2.
D - EAP-TTLS supports inner protocols e.g. EAP-MS-CHAPv2
A,D should be the right answers.
https://www.intel.com/content/www/us/en/support/articles/000006999/wireless/legacy-intel-wireless-products.html
The question says credentials are not to be exposed, in other words tunneled, which PEAP and TTLS provide.
TLS does not use credentials, MD5 has the poorest security since the hash can be cracked and LEAP uses dynamically generated WEP keys for encryption.
PEAP, EAP-TLS and EAP-TTLS are 3 choices of Tunneled EAP Types that encrypt the tunnel, so the credentials are not exposed. But it is not possible to give 3 answers.
So I think they mean what you have to configure for this session. So you can only configure 1 Tunneled EAP Type (outer method) with 1 inner method.
PEAP (outer) with EAP-TLS (inner) uses certificates.
EAP-TTLS (outer) with EAP-MD5 (inner) uses a message digest algorithm to hide the credentials in a hash.
The question was about credentials not being exposed. With certificates, there are no credentials. So the correct answer has to be EAP-TTLS (outer) with EAP-MD5 (CD).
BIG problem with A & D is they are both OUTSIDE tunnels. Correct answer would have to be PEAP (outside) + EAP-TLS (inside) -OR- EAP-TTLS (outside) + EAP-MD5 (inside). With this said, according to Cisco Press ISE book the CORRECT ANSWER is A and B, which is PEAP + EAP-TLS. "Most popular and widely deployed EAP method in the world" according to book.
I think it should be A and D: This question is for non-certificate based authentication, ie, when user/pass is entered on a form. We already know that certificate-based authentication IS protected based on how PKI works. So this question can be worded as 'what protocol would you use to protect both RADIUS attributes User-Name and User-Password?'
In this case, PEAP uses the server (ISE in this case) certificate public key to encrypt the attributes and send them over to ISE for authentication. Interestingly, it looks like PEAP only works with non-certificate credentials (as in "not supported", it can do it).
Then there is EAP-TTLS: It happens that EAP-TLS can ONLY use PKI, the client device MUST have a certificate but this question is related to protecting both non-certificate attributes. EAP-TTLS works in a similar way to PEAP but adds certificate-as-a-credential support (just like EAP-TLS) while still encrypting non-certificate credentials.
https://www.interlinknetworks.com/app_notes/eap-peap.htm (no, it is not a cisco site but it does provide an insight on the PEAP and EAP-TTLS view)