Exam N10-007 topic 1 question 580 discussion

EAP-TLS: EAP-TLS requires certificates on the 802.1X server and the clients. n 802.1X server can provide certificate-based authentication to increase the security of the authentication process. No need passwords

hmmm, Mac filtering is not possible on a wireless network.

I think the key is "least amount of effort", surely you have an inventory list of corporate devices and their mac addresses, so import that list into the mac filter and voilà!, then i go with D.

"EAP Transport Layer Security (EAP-TLS), defined in RFC 5216, is an IETF open standard that uses the Transport Layer Security (TLS) protocol, and is well-supported among wireless vendors. EAP-TLS is the original, standard wireless LAN EAP authentication protocol. The requirement for a client-side certificate, however unpopular it may be, is what gives EAP-TLS its authentication strength and illustrates the classic convenience vs. security trade-off. With a client-side certificate, a compromised password is not enough to break into EAP-TLS enabled systems because the intruder still needs to have the client-side certificate; indeed, a password is not even needed, as it is only used to encrypt the client-side certificate for storage."

But the question says the method employed must be the one involving "the least amount of effort" and it is a "corporate environment", suggesting that there may be a plethora of wireless devices that could potentially connect to the AP at any one time. Setting up MAC Address Filtering for all of these devices would be time-consuming, don't you think? EAP/TLS is more convenient, surely?

I'm torn between B and D. I mean, I guess D will definitely get the job done.