51.
What is the difference between the inner and outer identity?
- A. Only the authentication server provides its credentials in the outer identity response.
- B. The inner identity is only for authentication server credentials provided to the supplicant.
- C. The inner identity must correspond to the outer identity for realm-based authentications.
- D. The outer identity is in plain text; the inner identity is securely transmitted inside a TLS tunnel.
- E. The outer identity is only for authentication server credentials provided to the supplicant.
Answer : [D]
Explanation :
Unlike EAP-MD5 and EAP-LEAP, which have only one supplicant identity, EAP methods that use tunneled authentication have two supplicant identities. These two supplicant identities are often called the outer identity and the inner identity. The outer identity is a bogus username, and the inner identity is the actual username of the supplicant. The outer identity is seen in clear text outside the encrypted TLS tunnel, whereas the inner identity is protected within the TLS tunnel.
52.
How does a RADIUS server communicate with an authenticator? (Choose all that apply.)
- A. UDP ports 1812 and 1813
- B. TCP ports 1645 and 1646
- C. Encrypted TLS tunnel
- D. Encrypted IPsec tunnel
- E. RADIUS IP packets
- F. EAPOL frames
Answer : [A, E]
Explanation :
The RADIUS protocol uses UDP port 1812 for RADIUS authentication and UDP port 1813 for RADIUS accounting. These ports were officially assigned by the Internet Assigned Numbers Authority (IANA). However, prior to IANA allocation of UDP ports 1812 and 1813, UDP ports 1645 and 1646 (authentication and accounting, respectively) were used as the default ports by many RADIUS server vendors. TCP is not used. All Layer 2 EAP traffic sent between the RADIUS server and the authenticator is encapsulated in RADIUS IP packets. The encrypted TLS tunnel communications are between the supplicant and the authentication server. IPsec is not used.
53.
In a point-to-point bridge environment where 802.1X/EAP is used for bridge authentication, what device in the network acts as the 802.1X supplicant?
- A. Nonroot bridge
- B. WLAN controller
- C. Root bridge
- D. RADIUS server
- E. Layer 3 core switch
Answer : [A]
Explanation :
The root bridge would be the authenticator, and the nonroot bridge would be the supplicant if 802.1X/EAP security is used in a WLAN bridged network.
54.
Which Layer 2 protocol is used for authentication in an 802.1X framework?
- A. PAP
- B. MS-CHAPv2
- C. EAP
- D. CHAP
- E. MS-CHAP
Answer : [C]
Explanation :
The supplicant, authenticator, and authentication server work together to provide the framework for 802.1X port-based access control, and an authentication protocol is needed to assist in the authentication process. The Extensible Authentication Protocol (EAP) is used to provide user authentication. The other protocols are all legacy protocols.
55.
Which of these types of EAP offers support for legacy authentication protocols within the inner TLS tunnel to validate supplicant credentials?
- A. EAP-TLS
- B. EAP-TTLS
- C. EAP-FAST
- D. EAP-PEAPv0
- E. EAP-PEAPv1
Answer : [B]
Explanation :
All of these EAP protocols create a TLS tunnel to protect the supplicant credentials. However, only EAP-TTLS offers support for legacy authentication protocols within the TLS tunnel. EAP-TTLS supports the legacy methods of PAP, CHAP, MS-CHAP, and MS-CHAPv2. EAP-TTLS also supports the use of EAP protocols as the inner authentication method. EAP-PEAP only supports EAP protocols for inner authentication, while EAP-TTLS supports just about anything for inner authentication. EAP-FAST only supports the use of EAP-GTC within the TLS tunnel.