CISSP · Question #1207
When configuring Extensible Authentication Protocol (EAP) in a Voice over Internet Protocol (VoIP) network, which of the following authentication types is the MOST secure?
The correct answer is A. EAP-Transport Layer Security (TLS). EAP-TLS is considered the most secure EAP authentication method because it requires mutual certificate-based authentication for both the client and the server, eliminating reliance on passwords entirely.
Question
When configuring Extensible Authentication Protocol (EAP) in a Voice over Internet Protocol (VoIP) network, which of the following authentication types is the MOST secure?
Options
- AEAP-Transport Layer Security (TLS)
- BEAP-Flexible Authentication via Secure Tunneling
- CEAP-Tunneled Transport Layer Security (TLS)
- DEAP-Protected Extensible Authentication Protocol (PEAP)
How the community answered
(46 responses)- A87% (40)
- B4% (2)
- C2% (1)
- D7% (3)
Why each option
EAP-TLS is considered the most secure EAP authentication method because it requires mutual certificate-based authentication for both the client and the server, eliminating reliance on passwords entirely.
EAP-TLS requires both the client and the authentication server to present valid X.509 digital certificates, enabling mutual authentication without any password exchange. This certificate-based mutual authentication eliminates credential theft risks and is widely recognized as the gold standard for EAP security in enterprise and VoIP environments. No tunneling is required because the certificates themselves provide the strongest form of identity verification available.
EAP-FAST (Flexible Authentication via Secure Tunneling) uses a Protected Access Credential (PAC) instead of certificates, making it less secure than EAP-TLS because PAC provisioning can be vulnerable to attacks if done in-band without server certificate validation.
EAP-TTLS creates an encrypted TLS tunnel using only a server-side certificate and then passes inner authentication credentials (often passwords) through that tunnel, meaning client-side certificates are not required, making it weaker than EAP-TLS's mutual certificate authentication.
EAP-PEAP also uses only a server-side certificate to establish a protected tunnel and relies on inner authentication methods like MS-CHAPv2 for client credentials, making it less secure than EAP-TLS because the client identity is not verified via a certificate.
Concept tested: EAP authentication methods security comparison in networks
Source: https://learn.microsoft.com/en-us/windows-server/networking/technologies/extensible-authentication-protocol/network-access
Topics
Community Discussion
No community discussion yet for this question.