In an enterprise 802.1X Extensible Authentication Protocol deployment for wireless clients, which type of device must be present on the wired network to perform central authentication?

Difficulty: Medium

Correct Answer: A RADIUS authentication server such as a Network Access Server

Explanation:


Introduction / Context:
Enterprise wireless deployments often rely on 802.1X authentication with Extensible Authentication Protocol to provide strong user-based access control. In such a solution, wireless access points act as authenticators, clients run supplicant software, and a central server performs the actual authentication and authorisation decision. Understanding the role of this central server is essential for designing and troubleshooting secure wireless networks and passing related certification questions.


Given Data / Assumptions:

  • The network uses enterprise 802.1X with Extensible Authentication Protocol, not a pre-shared key.
  • Access points or wireless controllers act as authenticators but do not store user databases locally.
  • There is a wired network infrastructure behind the wireless edge.
  • The question asks which device type must be present to perform central authentication.


Concept / Approach:
In 802.1X EAP architectures, three parties participate: the supplicant (client), the authenticator (access point or switch), and the authentication server. The authentication server is typically a Remote Authentication Dial In User Service server. Vendors often provide integrated solutions such as Cisco Identity Services Engine or Microsoft Network Policy Server, which act as RADIUS servers. The authenticator forwards Extensible Authentication Protocol messages inside RADIUS packets to the authentication server, which validates user credentials and returns accept or reject decisions. Therefore, the presence of a RADIUS authentication server on the wired network is mandatory for an enterprise EAP solution.


Step-by-Step Solution:
1. Recognise that enterprise Extensible Authentication Protocol relies on centralised authentication rather than local shared keys.
2. Identify the three roles in 802.1X: supplicant, authenticator, and authentication server.
3. The supplicant is software on the wireless client device.
4. The authenticator is typically the access point or a wireless controller that controls network port access.
5. The authentication server resides on the wired network and is usually implemented as a RADIUS server.
6. Therefore, a RADIUS authentication server is required to perform central authentication decisions in an enterprise EAP deployment.


Verification / Alternative check:
Vendor deployment guides for enterprise wireless networks consistently depict RADIUS servers in network diagrams for 802.1X deployments. When configuring a wireless Local Area Network controller, administrators must specify the IP address and shared secret of the RADIUS server. During authentication, packet captures show that EAP messages are encapsulated within RADIUS Access Request and Access Accept or Reject messages. This confirms that a central RADIUS server is a required component of such designs.
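
The encapsulation seen in such a packet capture can be checked with a short parser. This is an added example, not part of the original explanation: it walks a RADIUS datagram, reassembles the EAP-Message attributes (type 79) and reports whether the Message-Authenticator attribute (type 80) accompanies them. The sample packet, the identity "alice" and all function names are constructed for illustration.

```python
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80  # RADIUS attribute types


def build_sample_access_request():
    """Constructed sample: EAP-Response/Identity for 'alice' inside an Access-Request."""
    identity = b"alice"
    eap = struct.pack("!BBHB", 2, 7, 5 + len(identity), 1) + identity
    attrs = bytes([USER_NAME, 2 + len(identity)]) + identity
    attrs += bytes([EAP_MESSAGE, 2 + len(eap)]) + eap
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # zeroed placeholder, not a real HMAC
    header = struct.pack("!BBH", 1, 42, 20 + len(attrs)) + bytes(16)  # zeroed Request Authenticator
    return header + attrs


def parse_radius(packet):
    """Return (RADIUS code name, reassembled EAP bytes, Message-Authenticator present?)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS length field does not fit the datagram")
    eap, has_msg_auth, pos = b"", False, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_type == EAP_MESSAGE:
            eap += packet[pos + 2:pos + a_len]  # a long EAP packet spans several attributes
        elif a_type == MESSAGE_AUTHENTICATOR:
            has_msg_auth = True  # RFC 3579 requires it whenever EAP-Message is present
        pos += a_len
    return RADIUS_CODES.get(code, str(code)), eap, has_msg_auth


def describe_eap(eap):
    """Decode the EAP header the authenticator relayed from the supplicant."""
    if len(eap) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if length < 4 or length > len(eap):
        raise ValueError("EAP length field does not fit the payload")
    has_type = code in (1, 2) and length >= 5  # only Request/Response carry a Type byte
    return {"code": EAP_CODES.get(code, str(code)), "id": ident,
            "type": eap[4] if has_type else None, "data": eap[5:length]}
```

The parser only checks that attribute 80 is present; validating its HMAC-MD5 value requires the shared secret configured between the authenticator and the RADIUS server.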


Why Other Options Are Wrong:
An additional Layer two switch dedicated to management traffic: While management switches may exist, they are not the device responsible for user authentication decisions in 802.1X.
A simple network hub that mirrors all wireless traffic: Hubs are legacy devices with no authentication intelligence. They cannot perform Extensible Authentication Protocol based authentication.
A standalone Dynamic Host Configuration Protocol server: Configuration servers assign IP addresses but do not authenticate users using 802.1X EAP methods.
A wireless repeater to extend coverage: Repeaters only extend radio coverage and do not perform centralised authentication or authorisation decisions.


Common Pitfalls:
Learners sometimes misinterpret the role of the access point and think it alone authenticates users. In enterprise designs, the access point primarily relays authentication messages to the central server. Another pitfall is to confuse directory services such as Active Directory with the RADIUS protocol. In practice, directory services often integrate with RADIUS servers, but the device that speaks the RADIUS protocol with the network infrastructure is the key element referred to in this type of question. Remember that 802.1X EAP equals supplicant plus authenticator plus RADIUS-based authentication server.


Final Answer:
A RADIUS authentication server such as a Network Access Server
