SY0-501 Question #452: Real Exam Question with Answer & Explanation

The correct answer is D: RADIUS federation.

Submitted by viktor_hu · Mar 4, 2026 · Security architecture

Question

A systems administrator wants to implement a wireless protocol that will allow the organization to authenticate mobile devices prior to providing the user with a captive portal login. Which of the following should the systems administrator configure?

Options

  • A. L2TP with MAC filtering
  • B. EAP-TTLS
  • C. WPA2-CCMP with PSK
  • D. RADIUS federation

Explanation

RADIUS Federation Explained

Why D is Correct: RADIUS federation allows organizations to authenticate devices at the network layer before granting access to a captive portal, enabling device-level authentication as a prerequisite step. It works by linking multiple RADIUS servers across different domains/organizations, allowing mobile devices to be verified against their home authentication servers prior to any user-facing login prompt appearing.

Why the Distractors Are Wrong:

  • A (L2TP with MAC filtering): MAC filtering is easily spoofed and is not a reliable authentication mechanism; L2TP is a tunneling protocol, not a wireless authentication solution for this use case.
  • B (EAP-TTLS): EAP-TTLS authenticates users via credentials inside a TLS tunnel, but it does not provide pre-portal device authentication as described; it's more of an 802.1X user authentication method.
  • C (WPA2-CCMP with PSK): PSK (Pre-Shared Key) authenticates all devices with the same shared password, offering no individual device authentication capability before the captive portal.

Memory Tip: Think of RADIUS Federation as a Frontgate check: it verifies who the device is First, before the user ever sees a login page. "Federate before the gate!"

Topics

#Wireless security #Authentication protocols #RADIUS #Network Access Control
