PrepAway - Latest Free Exam Questions & Answers

You need to ensure that all VPN connection requests are authenticated and authorized by either Server2 or Serv

Your network contains an Active Directory domain.
You plan to implement a remote access solution that will contain three servers that run
Windows Server 2012. The servers will be configured as shown in the following table.

Server1 will support up to 200 concurrent VPN connections.
You need to ensure that all VPN connection requests are authenticated and authorized by
either Server2 or Server3. The solution must ensure that the VPN connections can be
authenticated if either Server2 or Server3 fails.
What should you do?


A. On Server1, configure a RADIUS proxy. On Server2 and Server3, add a RADIUS client.

B. On Server2 and Server3, add a RADIUS client. On Server1, modify the Authentication settings.

C. On Server1, configure a RADIUS proxy. Add Server2 and Server3 to a failover cluster.

D. Add Server2 and Server3 to a Network Load Balancing (NLB) cluster. On Server1, modify the Authentication settings.

Explanation:
http://technet.microsoft.com/en-us/library/cc754033.aspx

10 Comments on “You need to ensure that all VPN connection requests are authenticated and authorized by either Server2 or Serv

  1. Chriss says:

    Correct answer: B

    Explanation:
    * A network access server (NAS) is a device that provides some level of access to a larger network. A NAS using a RADIUS infrastructure is also a RADIUS client, sending connection requests and accounting messages to a RADIUS server for authentication, authorization, and accounting.

    * Client computers, such as wireless portable computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers–such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers–because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers.




  2. jimilives says:

    Not sure on this one… B does not satisfy the criteria of authenticating if Server 2 or Server 3 fails.

    D: (NLB cluster) would seem to satisfy this. If you have 2 Radius Clients, then that’s 2 Access Points for clients to come at but neither is aware of the other. So if Server 2 fails, and clients come to that for authentication all the time, how will they know to go to Server 3?

    This article would suggest that a NLB cluster would be a good idea.

    https://technet.microsoft.com/en-us/library/dd197433%28v=ws.10%29.aspx




  3. Mark says:

    I was wrong. Given answer is correct.

    Configure your network access servers to send connection requests to multiple RADIUS servers. For example, if you have 20 wireless access points and two RADIUS servers, configure each access point to send connection requests to both RADIUS servers. You can load balance and provide failover at each network access server by configuring the access server to send connection requests to multiple RADIUS servers in a specified order of priority. This method of load balancing is usually best for small organizations that do not deploy a large number of RADIUS clients.
    https://technet.microsoft.com/en-us/library/dd197433%28v=ws.10%29.aspx




  4. Bill Gates says:

    My chosen / best fit answer : D

    RADIUS clients do not process Access-Request messages by performing authentication, authorization, and accounting. Only RADIUS servers perform these functions.
    Therefore :- Answers A & B are incorrect…

    A NAS using a RADIUS infrastructure is also a RADIUS client, sending connection requests and accounting messages to a RADIUS server for authentication, authorization, and accounting.

    Therefore, Server 1 is a RADIUS Client
    Servers 2 & 3 are RADIUS Servers, NOT clients

    Once again, Answers A & B are incorrect…

    In a VPN Scenario, the RRAS Server is the client, it is not a RADIUS Proxy…
    This technically also means that C is incorrect also…

    However, NLB ONLY Load Balances, it does not monitor services…it checks for a heartbeat, to see if the server is available from a networking perspective and does not check if the service is running. As such, it can still load balance, hence receive a request, even if the RADIUS service has stopped, therefore not replying / not authenticating – in my opinion, this does not meet the requirements…

    As Server 2 & 3 have to be available, then this can be achieved by 2 & 3 being a Failover Cluster… Answer : C… but Server 1 is not a RADIUS Proxy…

    Personally… the answer is a combination of C & D, because…

    Server 1 needs to have its Authentication Settings changed, to reflect the Cluster Name of Server 2 & 3, Server 2 & 3 are a Failover Cluster…

    As this is not an option, the nearest fit is Answer D…




  5. puck says:

    Given answer is correct.

    You add Server 1 as a RADIUS Client on the two RADIUS Servers (Server 2 and Server 3)- this means that Server 1 will use those two “remote” RADIUS servers for authentication.

    If the connection between the two Remote RADIUS Clients fails, the RRAS Server (Server 1, which hosts the VPN service) will perform the authentication.




    1. puck says:

      Scratch that last sentence. Basically, both Server 2 and Server 3 will perform authentication. If one of those servers fails, the other server will authenticate in its stead.




  6. 3deviant says:

    Given answer is correct.
    “On Server2 and Server3, add a RADIUS client…”
    -this prepares both of these authentication providers to expect authentication requests from ‘server 1’, the VPN server which will receive and forward the requests.

    “On Server1, modify the Authentication settings.”
    -here you specify Server1 and Server2 as authentication providers in an order of precedence, if the first server cannot be reached the second is queried.




  7. genjam.bhai says:

    Agree with 3deviant.

    Simplest way is to add a radius client (Server 1) to Server 2 & 3.
    Server 1 VPN Auth settings can point to more than 1 Radius server (auth provider).

    VPN with NLB is also valid. But creating and managing a cluster is an overhead.




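The two steps discussed in the comments above (register Server1 as a RADIUS client on Server2 and Server3, then list both as RADIUS authentication providers on Server1 in priority order), as an added example that is not part of the original page or any commenter's post. The IP addresses and initial scores are constructed lab values; it assumes PowerShell remoting is enabled, the NPS role is installed on Server2 and Server3, and RRAS is installed on Server1.

```powershell
# Constructed lab values (documentation address range); replace with your own.
$VpnServer     = @{ Name = 'Server1'; Address = '192.0.2.10' }   # RRAS VPN server = RADIUS client
$RadiusServers = @(
    @{ Name = 'Server2'; Address = '192.0.2.20'; Score = 30 },   # higher initial score: tried first
    @{ Name = 'Server3'; Address = '192.0.2.30'; Score = 20 }    # used when Server2 does not answer
)

function New-RadiusSharedSecret {
    # 32 bytes from the OS CSPRNG as 64 hex characters (nothing netsh could misparse).
    $bytes = New-Object byte[] 32
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    -join ($bytes | ForEach-Object { $_.ToString('x2') })
}

foreach ($srv in $RadiusServers) {
    # A separate secret per NPS server, so one leaked value does not expose both.
    $srv.Secret = New-RadiusSharedSecret

    # On Server2 / Server3: register Server1 as a RADIUS client so NPS accepts its requests.
    Invoke-Command -ComputerName $srv.Name -ScriptBlock {
        $nas    = $using:VpnServer
        $target = $using:srv
        New-NpsRadiusClient -Name $nas.Name -Address $nas.Address -SharedSecret $target.Secret
    }
}

# On Server1: switch RRAS from Windows authentication to RADIUS and list both servers.
Invoke-Command -ComputerName $VpnServer.Name -ScriptBlock {
    foreach ($srv in $using:RadiusServers) {
        netsh ras aaaa add authserver name=$($srv.Address) secret=$($srv.Secret) init-score=$($srv.Score)
    }
    netsh ras aaaa set authentication provider=radius
    netsh ras aaaa show authserver          # verify both entries before restarting
    Restart-Service -Name RemoteAccess      # drops active VPN sessions; schedule accordingly
}
```

If the secret on Server1 and the one stored for the RADIUS client on an NPS server do not match, that server will not answer Server1's requests and RRAS treats it as unreachable, so test failover by stopping the NPS service on Server2 and confirming a VPN logon still succeeds through Server3.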
