Which of the following EAP methods requires digital certificates to be installed on the server but not on the client? (Select the best answer.)
Protected Extensible Authentication Protocol (PEAP) requires digital certificates to be installed on the server but not on the client. PEAP is an open standard developed by Cisco, Microsoft, and RSA. PEAP and other later variants of Extensible Authentication Protocol (EAP), such as EAP-Transport Layer Security (EAP-TLS) and EAP-Tunneled TLS (EAP-TTLS), are replacing Lightweight EAP (LEAP). PEAP clients can use alternative authentication methods, such as one-time passwords (OTPs).
EAP-TLS requires both a client and a server digital certificate. EAP-TLS is an authentication protocol that can be used for point-to-point connections and for both wired and wireless links. EAP-TLS performs mutual authentication to secure the authentication process. When EAP-TLS is used, a digital certificate must be installed on the authentication server and each client that must authenticate with the server. The digital certificate used on clients and the server must be obtained from the same certificate authority (CA).
LEAP does not require either the server or the client to be configured with a digital certificate. When LEAP is used, the client initiates an authentication attempt with a Remote Authentication Dial-In User Service (RADIUS) server. The RADIUS server responds with a challenge response. If the challenge/response process is successful, the client then validates that the RADIUS server is correct for the network. If the RADIUS server is validated, the client will connect to the network.
Similar to LEAP, EAP-Flexible Authentication via Secure Tunneling (FAST) does not require either the server or the client to be configured with a digital certificate. When EAP-FAST is used, Protected Access Credentials (PACs) are used to authenticate users. The EAP-FAST authentication process consists of three phases. The first phase, which is optional and is considered phase 0, consists of provisioning a client with a PAC, which is a digital credential that is used for authentication. A PAC can be manually configured on a client, in which case phase 0 is not required. The second phase, which is referred to as phase 1, involves creating a secure tunnel between the client and the server. The final phase, which is referred to as phase 2, involves authenticating the client. If the client is authenticated, the client will be able to access the network.