nerdexam
Cisco

350-401 · Question #809

An engineer is configuring RADIUS-Based Authentication with EAP MS-CHAPv2 is configured on a client device. Which outer method protocol must be configured on the ISE to support this authentication typ

The correct answer is D. PEAP. Explanation PEAP (Protected Extensible Authentication Protocol) is the correct outer method because it creates an encrypted TLS tunnel that wraps around the inner authentication method (MS-CHAPv2), protecting those credentials as they traverse the network - this PEAP + MS-CHAPv2

Submitted by satoshi_tk· Mar 6, 2026Security

Question

An engineer is configuring RADIUS-Based Authentication with EAP MS-CHAPv2 is configured on a client device. Which outer method protocol must be configured on the ISE to support this authentication type?

Options

  • AEAP-TLS
  • BEAP-FAST
  • CLDAP
  • DPEAP

How the community answered

(38 responses)
  • A
    3% (1)
  • C
    3% (1)
  • D
    95% (36)

Explanation

Explanation

PEAP (Protected Extensible Authentication Protocol) is the correct outer method because it creates an encrypted TLS tunnel that wraps around the inner authentication method (MS-CHAPv2), protecting those credentials as they traverse the network - this PEAP + MS-CHAPv2 pairing is one of the most common enterprise wireless authentication combinations supported by Cisco ISE.

Why the distractors are wrong:

  • EAP-TLS (A) uses mutual certificate-based authentication and does not use MS-CHAPv2 as an inner method - it replaces passwords with digital certificates entirely.
  • EAP-FAST (B) can technically tunnel MS-CHAPv2, but it uses a Protected Access Credential (PAC) rather than a TLS certificate for the outer tunnel, and is not the standard pairing associated with MS-CHAPv2 in most ISE deployments.
  • LDAP (C) is a directory lookup protocol used for identity source queries, not an EAP outer method - it cannot function as a tunneling protocol for EAP authentication.

Memory Tip: Think "PEAP = Protection Envelope Around Password" - PEAP shields MS-CHAPv2 (a password-based method) inside a secure outer tunnel, which is exactly what you need when passwords are involved.

Topics

#EAP Protocols#RADIUS Authentication#Network Access Control#Cisco ISE

Community Discussion

No community discussion yet for this question.

Full 350-401 Practice