CompTIA

CAS-003 · Question #677

CAS-003 Question #677: Real Exam Question with Answer & Explanation

The correct answer is A: In the RADIUS server, the proxy rule has not specified the NAS-Port-Type attribute that should be. The RADIUS proxy rule must filter on the NAS-Port-Type attribute to distinguish VPN from WiFi authentication requests so that only VPN traffic is forwarded to the MFA solution.

Question

A company uses AD and RADIUS to authenticate VPN and WiFi connections. The Chief Information Security Officer (CISO) initiates a project to extend a third-party MFA solution to VPN. During the pilot phase, VPN users successfully get an MFA challenge; however, they also get the challenge when connecting to WiFi, which is not desirable. Which of the following BEST explains why users are getting the MFA challenge when using WiFi?

Options

  • A. In the RADIUS server, the proxy rule has not specified the NAS-Port-Type attribute that should be
  • B. In the firewall, in the AAA configuration the IP address of the third-party MFA solution needs to be
  • C. In the third-party MFA solution authentication properties need to be configured to recognize WiFi
  • D. In the WiFi configuration authentication needs to be changed to WPA2 Enterprise using EAP-TLS

Explanation

The RADIUS proxy rule must filter on the NAS-Port-Type attribute to distinguish VPN from WiFi authentication requests so that only VPN traffic is forwarded to the MFA solution.

Common mistakes.

  • B. The firewall AAA configuration governs access to the RADIUS server itself, not the internal proxy logic that routes authentication requests to different backends based on connection type.
  • C. Configuring the MFA solution to recognize WiFi would still allow WiFi requests to reach the MFA system rather than preventing them from being proxied in the first place.
  • D. Switching WiFi to WPA2 Enterprise with EAP-TLS changes the authentication method to certificate-based but does not modify the RADIUS proxy routing logic that triggers MFA challenges.

Concept tested. RADIUS proxy policy filtering using NAS-Port-Type attribute

Reference. https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-top
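
The routing decision described in the explanation, as an added example that is not part of the original page: a small Python model that parses NAS-Port-Type (attribute 61) out of constructed Access-Request packets and compares a proxy rule with no conditions against one that matches only Virtual (VPN). The rule format, the backend names `mfa-proxy` and `local-ad`, and the sample packets are assumptions for illustration; the attribute number and the values 5 (Virtual) and 19 (Wireless - IEEE 802.11) come from RFC 2865.

```python
import struct

NAS_PORT_TYPE = 61                  # RADIUS attribute number (RFC 2865)
VIRTUAL, WIRELESS_80211 = 5, 19     # NAS-Port-Type values: VPN tunnel vs WiFi

def build_access_request(user, nas_port_type, ident=1):
    """Constructed sample Access-Request (code 1) with a zeroed authenticator."""
    attrs = bytes([1, 2 + len(user)]) + user.encode()            # User-Name
    attrs += bytes([NAS_PORT_TYPE, 6]) + struct.pack("!I", nas_port_type)
    return struct.pack("!BBH16s", 1, ident, 20 + len(attrs), bytes(16)) + attrs

def parse_attributes(packet):
    """Return {attr_type: raw_value}; reject truncated or malformed TLVs."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def route(packet, rule):
    """Hypothetical proxy rule: every condition must match to forward to MFA."""
    attrs = parse_attributes(packet)
    for attr_type, wanted in rule.items():
        raw = attrs.get(attr_type)
        if raw is None or len(raw) != 4 or struct.unpack("!I", raw)[0] not in wanted:
            return "local-ad"        # no match: authenticate against AD only
    return "mfa-proxy"               # match: forward to the MFA backend

# Rule as piloted (assumed): no conditions, so every request is proxied to MFA.
PILOT_RULE = {}
# Corrected rule: proxy only requests whose NAS-Port-Type is Virtual (VPN).
FIXED_RULE = {NAS_PORT_TYPE: {VIRTUAL}}

def demo():
    """Return (vpn_route, wifi_route) for each rule."""
    vpn = build_access_request("alice", VIRTUAL)
    wifi = build_access_request("alice", WIRELESS_80211)
    return {name: (route(vpn, rule), route(wifi, rule))
            for name, rule in (("pilot", PILOT_RULE), ("fixed", FIXED_RULE))}

if __name__ == "__main__":
    print(demo())
```

A request that omits NAS-Port-Type entirely falls through to `local-ad` under the corrected rule, so confirm the VPN concentrator actually sends the attribute before relying on it to trigger MFA.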
