Your company has a main office and 15 branch offices. The company has a single Active Directory
domain. All servers run Windows Server 2008 R2. You need to ensure that the VPN connections
between the main office and the branch offices meet the following requirements:
• All data must be encrypted by using end-to-end encryption.
• The VPN connection must use computer-level authentication.
• User names and passwords cannot be used for authentication.
What should you do?

A.
Configure an IPsec connection to use tunnel mode and preshared key authentication.

B.
Configure a PPTP connection to use version 2 of the MS-CHAP v2 authentication.

C.
Configure a L2TP/IPsec connection to use the EAP-TLS authentication.

D.
Configure a L2TP/IPsec connection to use version 2 of the MS-CHAP v2 authentication.

Explanation:
EAP-Transport Layer Security (EAP-TLS), defined in RFC 5216, is an IETF open standard, and is
wellsupported among wireless vendors. The security of the TLS protocol is strong, provided the user
understands potential warnings about false credentials. It uses PKI to secure communication to a
RADIUS authentication server or another type of authentication server. So even though EAP-TLS
provides excellent security, the overhead of client-side certificates may be its Achilles’ heel.
EAP-TLS is the original, standard wireless LAN EAP authentication protocol. Although it is rarely
deployed, it is still considered one of the most secure EAP standards available and is universally
supported by all manufacturers of wireless LAN hardware and software. The requirement for a
client-side certificate, however unpopular it may be, is what gives EAP-TLS its authentication
strength and illustrates the classic convenience vs. security trade-off. A compromised password is
not enough to break into EAP-TLS enabled systems because the intruder still needs to have the
client-side private key. The highest security available is when client-side keys are housed in smart

cards.[4] This is because there is no way to steal a certificate’s corresponding private key from a
smart card without stealing the card itself. It is significantly more likely that the physical theft of a
smart card would be noticed (and the smart card immediately revoked) than a (typical) password
theft would be noticed. Up until April 2005, EAP-TLS was the only EAP type vendors needed to certify
for a WPA or WPA2 logo.[5] There are client and server implementations of EAP-TLS in 3Com, Apple,
Avaya, Brocade Communications, Cisco, Enterasys Networks, Foundry, HP, Juniper, and Microsoft,
and open source operating systems. EAP-TLS is natively supported in Mac OS X 10.3 and above,
Windows 2000 SP4 , Windows XP and above, Windows Mobile 2003 and above, and Windows CE 4.2