
CAS-005 Question #133: Real Exam Question with Answer & Explanation


Submitted by sofia.br · Mar 6, 2026 · Security Engineering

Question

SIMULATION

An IPSec solution is being deployed. The configuration files for both the VPN concentrator and the AAA server are shown in the diagram. Complete the configuration files to meet the following requirements:

  • The EAP method must use mutual certificate-based authentication (with issued client certificates).
  • The IKEv2 cipher suite must be configured to the MOST secure authenticated mode of operation.
  • The secret must contain at least one uppercase character, one lowercase character, one numeric character, and one special character, and it must meet a minimum length requirement of eight characters.

INSTRUCTIONS

Click on the AAA server and VPN concentrator to complete the configuration. Fill in the appropriate fields and make selections from the drop-down menus. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Answer:

VPN Concentrator
  • Proposal: aes256gcm128
  • Server IP: 10.1.0.10 (this is the AAA server)
  • Secret: Str0ng@Key (example that meets all character requirements)

AAA Server
  • Default EAP type: tls
  • IP Address: 10.1.2.1 (this is the VPN concentrator)
  • Secret: Str0ng@Key (must match the VPN concentrator)


Explanation

IPSec VPN + AAA Server Configuration — Exam Explanation

Overall Goal

You're configuring a site-to-client VPN using IKEv2 (the key exchange protocol) with EAP-TLS (certificate-based user authentication) and RADIUS (the AAA protocol connecting the VPN concentrator to the auth server). The three requirements map directly to three distinct config decisions:

Requirement                  Config Setting             Location
Mutual cert-based auth       EAP type = tls             AAA Server
Most secure IKEv2 cipher     Proposal = aes256gcm128    VPN Concentrator
Complex shared secret        secret field               Both (must match)

Step-by-Step Reasoning

Step 1 — Access the VPN concentrator first

The concentrator is the initiating side of the RADIUS relationship. Understanding its config first clarifies what the AAA server must mirror (especially the shared secret and server IP).


Step 2 — Set EAP proposal to tls

EAP has many subtypes. The requirement specifies mutual certificate-based authentication, meaning both the server and the client present certificates (not just the server as in PEAP/EAP-TTLS). Only EAP-TLS satisfies this — it requires issued client certificates, making it the most secure EAP method.

  • If wrong (e.g., PEAP or EAP-MSCHAPv2): Client certificates are not required, so you'd have one-way authentication only — clients wouldn't be verified by certificate.

Step 3 — Set IKEv2 cipher suite to aes256gcm128

IKEv2 proposals define the encryption and integrity algorithm for the tunnel. aes256gcm128 means:

  • AES-256 — maximum key length for AES
  • GCM (Galois/Counter Mode) — an AEAD (Authenticated Encryption with Associated Data) cipher mode
  • 128-bit ICV (integrity check value)

GCM is the "most secure authenticated mode" because it provides both encryption and integrity in a single operation without needing a separate HMAC. Other options like aes256-sha256 use separate integrity algorithms and are less efficient and less modern.

  • If wrong (e.g., aes128-sha1): You'd be using weaker key length and a deprecated hash — SHA-1 is cryptographically broken. The exam expects you to recognize aes256gcm128 as the AEAD/GCM answer.

Step 4 — Set the shared secret with complexity

The secret in the eap-radius section is the RADIUS shared secret — a pre-shared key between the VPN concentrator (RADIUS client) and the AAA server (RADIUS server). This is not the user's password. It authenticates the two systems to each other.

Requirements: uppercase + lowercase + digit + special character + 8+ chars. Example: Str0ng@Key

  • If wrong (e.g., password): RADIUS authentication fails entirely — the concentrator's requests will be rejected by the AAA server because the secrets don't match.

Step 5 — Set server IP to 10.1.0.10 (the AAA server)

The VPN concentrator must know where to forward authentication requests. 10.1.0.10 is the AAA/RADIUS server's address. This is direction-sensitive: the concentrator points to the AAA server, not to itself.

  • If wrong (e.g., reversed IPs): RADIUS packets go nowhere, authentication times out.

Step 6 — Mirror config on the AAA server

On the AAA server side:

  • Set default EAP type = tls — must match the method negotiated by the concentrator

  • Set IP = 10.1.2.1 — the VPN concentrator's IP, identifying which RADIUS client is allowed to send requests

  • Set secret = same value (e.g., Str0ng@Key) — RADIUS is symmetric; both sides must have the identical shared secret

  • If mismatched: The RADIUS server rejects requests from the concentrator (wrong source IP or wrong secret = rejected).
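As an added example (not part of the question or its explanation), a small Python checker that applies the three exam requirements to both sides of the configuration at once. It assumes strongSwan-style key = value syntax for the concentrator (proposals, eap-radius server and secret) and FreeRADIUS-style syntax for the AAA server (default_eap_type, client ipaddr and secret); the sample config text is constructed, since the exam's diagram is not reproduced here.

```python
import re

# Constructed sample configs (assumed strongSwan-style concentrator, FreeRADIUS-style AAA server).
CONCENTRATOR_CFG = """
proposals = aes256gcm128-sha256-ecp256
eap-radius {
    server = 10.1.0.10
    secret = Str0ng@Key
}
"""
AAA_CFG = """
eap {
    default_eap_type = tls
}
client concentrator {
    ipaddr = 10.1.2.1
    secret = Str0ng@Key
}
"""

def parse_kv(text):
    """Flatten 'key = value' lines into a dict, ignoring block nesting (last key wins)."""
    return {m[1]: m[2].strip() for m in re.finditer(r"^\s*([\w.-]+)\s*=\s*(.+?)\s*$", text, re.M)}

def secret_meets_policy(secret):
    """Exam rule: at least 8 chars with an upper, a lower, a digit and a special char."""
    return len(secret) >= 8 and all(
        re.search(c, secret) for c in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"))

def check_pair(conc_text, aaa_text, conc_ip, aaa_ip):
    """Return a list of findings; an empty list means every requirement is met on both sides."""
    conc, aaa = parse_kv(conc_text), parse_kv(aaa_text)
    # First proposal token is the cipher; AEAD modes (GCM/CCM/ChaCha20-Poly1305) carry integrity.
    enc = conc.get("proposals", "").split("-")[0].lower()
    checks = [
        (aaa.get("default_eap_type", "").lower() != "tls",
         "AAA: default_eap_type must be tls for mutual certificate authentication"),
        (not any(m in enc for m in ("gcm", "ccm", "chacha20poly1305")),
         "Concentrator: IKEv2 proposal is not an AEAD (GCM) mode"),
        (not secret_meets_policy(conc.get("secret", "")),
         "Concentrator: RADIUS secret fails the complexity policy"),
        (conc.get("secret") != aaa.get("secret"),
         "Shared secret differs between concentrator and AAA server"),
        (conc.get("server") != aaa_ip,
         "Concentrator: server must point at the AAA server " + aaa_ip),
        (aaa.get("ipaddr") != conc_ip,
         "AAA: client ipaddr must be the concentrator " + conc_ip),
    ]
    return [msg for failed, msg in checks if failed]
```

Running check_pair(CONCENTRATOR_CFG, AAA_CFG, "10.1.2.1", "10.1.0.10") on the sample returns an empty list; swapping the IPs, choosing peap, aes128-sha1 or the secret "password" each produces a named finding.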


What Goes Wrong Without Order/Completeness

  • Secret mismatch (even one character different) = complete auth failure, no error message to the user
  • Wrong EAP type on either side = EAP negotiation fails, tunnel never establishes
  • Wrong server IP on concentrator = RADIUS packets lost, timeout
  • Weaker cipher suite = you pass the config check but fail the "most secure" requirement on the exam

Memory Tip

"GCM goes both ways, TLS proves both parties, secrets must match both sides"

  • GCM = authenticated encryption (the "most secure mode" answer is always the AEAD option)
  • TLS = the only EAP type requiring client certs (mutual auth)
  • Match = the RADIUS secret is symmetric — concentrator and AAA server must be identical

On any exam question asking for "most secure authenticated cipher," look for GCM or AEAD. For "mutual certificate auth," the answer is always EAP-TLS.
