Difficulty: Easy
Correct Answer: Extensible authentication protocol (EAP)
Explanation:
Introduction / Context:
Remote access in Windows 2000 Server uses several authentication protocols, including CHAP, MS-CHAP, SPAP and EAP. When you introduce smart cards, authentication is performed using certificates stored on the card and possibly client-side cryptographic operations. Only certain protocols support this level of flexibility. Understanding which protocol is designed to carry smart-card-based methods is important for secure remote access design.
Given Data / Assumptions:
Concept / Approach:
Extensible Authentication Protocol (EAP) is a general framework that allows different authentication mechanisms to be plugged in, including certificate-based and smart-card-based methods such as EAP-TLS. CHAP and MS-CHAP are challenge-response protocols built primarily around password-based authentication. SPAP is a proprietary protocol for compatibility with Shiva equipment and is not designed for smart cards. Therefore, the protocol that supports smart card authentication in Windows 2000 remote access scenarios is EAP.
Step-by-Step Solution:
Step 1: Identify the requirement to support smart cards and certificates.
Step 2: Recall that EAP is designed to support multiple authentication methods, including certificates through EAP-TLS and smart cards.
Step 3: Compare with CHAP, which relies on a shared secret password and does not have built-in support for certificate-based smart card authentication.
Step 4: Note that MS-CHAP v2 enhances security over MS-CHAP but is still password-based rather than certificate-based.
Step 5: Recognise that SPAP is meant for compatibility with certain remote access hardware and does not provide the smart card integration needed.
Step 6: Conclude that EAP is the correct choice for smart card integration in Windows 2000 remote access.
Verification / Alternative check:
Configuration in Routing and Remote Access or in remote access policies clearly shows EAP as the option when you choose smart card or other certificate-based methods. When you enable EAP-TLS, the client and server exchange certificate information, and the smart card is used to store the user certificate and private key. This confirms that EAP is the protocol that supports smart cards in this context.
Why Other Options Are Wrong:
Encrypted authentication (CHAP) and Microsoft encrypted authentication version 2 (MS-CHAP v2) are both password-based mechanisms that use challenge-response exchanges; they do not support smart card certificate-based authentication directly. Shiva Password Authentication Protocol (SPAP) is proprietary and does not provide the extensible framework required for smart card use. None of these alternatives meets the requirement described in the scenario.
Common Pitfalls:
A frequent misconception is that any protocol that is considered secure or uses encryption is automatically compatible with smart cards. In reality, smart card support requires a protocol that can carry certificate-based authentication, which is exactly what EAP provides. Another pitfall is overlooking the additional configuration steps required for EAP-TLS, such as deploying a public key infrastructure and issuing certificates to users and servers.
Final Answer:
The authentication method that supports smart cards in this scenario is Extensible Authentication Protocol (EAP).