Which of the following is true regarding the EAPFAST authentication process? (Select the best answer.)
- A digital certificate is required only on the client.
- A digital certificate is required only on the server.
- Digital certificates are required on both the client and the server.
- Digital certificates are not required on the client or the server.
Digital certificates are not required on the client or the server during the Extensible Authentication Protocol (EAP)Flexible Authentication via Secure Tunneling (FAST) authentication process? instead, EAPFAST uses Protected Access Credentials (PACs). EAPFAST is an authentication protocol that can be used for pointtopoint connections and for both wired and wireless links. The EAPFAST authentication process consists of three phases. The first phase, which is optional and is considered phase 0, consists of provisioning a client with a PAC, which is a digital credential that is used for authentication. A PAC can be manually configured on a client, in which case phase 0 is not required. The second phase, which is referred to as phase 1, involves creating a secure tunnel between the client and the server. The final phase, which is referred to as phase 2, involves authenticating the client. If the client is authenticated, the client will be able to access the network.
Other EAP methods exist that do rely on digital certificates for authentication. For example, EAPTransport Layer Security (TLS) requires both a client and a server digital certificate, whereas Protected EAP (PEAP) requires only servers to be configured with digital certificates. With PEAP, clients can use alternative authentication methods, such as onetime passwords (OTPs).
Similar to EAPFAST, Lightweight EAP (LEAP) does not require either the server or the client to be configured with a digital certificate. When LEAP is used, the client initiates an authentication attempt with a Remote Authentication DialIn User Service (RADIUS) server. The RADIUS server responds with a challenge response. If the challenge/response process is successful, the client then validates that the RADIUS server is correct for the network. If the RADIUS server is validated, the client will connect to the network.