
CAS-001 · Question #460

CAS-001 Question #460: Real Exam Question with Answer & Explanation

The correct answer is A: The transport layer between the RADIUS servers should be secured.

Question

Two universities are making their 802.11n wireless networks available to the other university's students. The infrastructure will pass the student's credentials back to the home school for authentication via the Internet. The requirements are:

- Mutual authentication of clients and authentication server
- The design should not limit connection speeds
- Authentication must be delegated to the home school
- No passwords should be sent unencrypted

The following design was implemented:

- WPA2 Enterprise using EAP-PEAP-MSCHAPv2 will be used for wireless security
- RADIUS proxy servers will be used to forward authentication requests to the home school
- The RADIUS servers will have certificates from a common public certificate authority
- A strong shared secret will be used for RADIUS server authentication

Which of the following security considerations should be added to the design?

Options

  • A. The transport layer between the RADIUS servers should be secured
  • B. WPA Enterprise should be used to decrease the network overhead
  • C. The RADIUS servers should have local accounts for the visiting students
  • D. Students should be given certificates to use for authentication to the network

Explanation

The design correctly protects the wireless segment using WPA2 Enterprise with PEAP (which creates an encrypted TLS tunnel between the client and the access point). However, RADIUS is a UDP-based protocol, and while the shared secret protects the password field, it does not fully encrypt or authenticate all RADIUS traffic. When RADIUS authentication requests are forwarded between the universities over the public Internet, the transport is vulnerable to eavesdropping and manipulation. The fix is to secure the RADIUS-to-RADIUS transport layer using IPsec or RadSec (RADIUS over TLS).

Option B is wrong: WPA Enterprise (WPA rather than WPA2) would reduce security, not improve it, and would limit speeds. Option C is wrong: local accounts would break federated authentication back to the home school. Option D (client certificates) would improve security but is not the identified gap in this design.
