The exhibit shows the 802.1X-related settings for Windows domain clients. What should admins change to make the settings follow best security practices?
To follow best security practices for 802.1X authentication settings in Windows domain clients:
Specify at least two server names under 'Connect to these servers':
Admins should explicitly list the trusted RADIUS server names (e.g., radius.example.com) so the client only completes authentication against a server whose certificate matches one of the listed names, rather than any server whose certificate chains to a trusted root.
This mitigates man-in-the-middle (MITM) attacks in which an attacker presents their own RADIUS server to the client.
Select the desired Trusted Root Certificate Authority and 'Don't prompt users':
Select the Trusted Root CA that issued the RADIUS server's certificate. This ensures clients validate the correct server certificate during the EAP-TLS/PEAP authentication process.
Enabling 'Don't prompt users' makes the connection fail silently when server validation does not succeed, so end users cannot be confused or tricked into accepting a certificate from an untrusted server.
Why the other options are incorrect:
Option C: Incorrect. Wildcards in server names (e.g., *.example.com) weaken security and allow broader matching, increasing the risk of rogue servers.
Option D: Incorrect. Clearing 'Use simple certificate selection' requires users to select certificates manually, which can lead to errors and usability issues. Simple certificate selection is recommended when properly configured.
Recommended Settings for Best Security Practices:
Server Validation: Specify the exact RADIUS server names in the 'Connect to these servers' field.
Root CA Validation: Ensure only the correct Trusted Root Certificate Authority is selected.
User Prompts: Enable 'Don't prompt users' to enforce automatic and secure authentication without user intervention.
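The three settings above map onto the ServerValidation block of a PEAP profile as exported by netsh. The following is an added audit script, not part of the original question or answer: it builds a constructed profile fragment (element names modelled on the netsh PEAP export layout, thumbprint a placeholder) and reports which of the recommended settings are missing.

```python
import xml.etree.ElementTree as ET

# Constructed placeholder, not a real CA thumbprint.
PLACEHOLDER_THUMBPRINT = "00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33"

def build_profile(prompt_disabled: bool, server_names: str, root_ca: str) -> str:
    """Constructed PEAP (EAP type 25) ServerValidation fragment in netsh export layout."""
    return f"""<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <Config>
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>25</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
        <ServerValidation>
          <DisableUserPromptForServerValidation>{str(prompt_disabled).lower()}</DisableUserPromptForServerValidation>
          <ServerNames>{server_names}</ServerNames>
          <TrustedRootCA>{root_ca}</TrustedRootCA>
        </ServerValidation>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>"""

def _text(root: ET.Element, name: str) -> str:
    # Match on local name so the profile's namespaces do not matter.
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == name:
            return (el.text or "").strip()
    return ""

def audit_server_validation(profile_xml: str) -> list[str]:
    """Return findings against the recommended settings; empty list means all pass."""
    root = ET.fromstring(profile_xml)
    findings = []
    names = [n.strip() for n in _text(root, "ServerNames").split(";") if n.strip()]
    if not names:
        findings.append("ServerNames empty: any server with a cert from a trusted root is accepted")
    elif any("*" in n for n in names):
        findings.append("ServerNames uses a wildcard: list exact RADIUS server names instead")
    if not _text(root, "TrustedRootCA"):
        findings.append("No TrustedRootCA selected: pin the CA that issued the RADIUS server cert")
    if _text(root, "DisableUserPromptForServerValidation").lower() != "true":
        findings.append("User prompt enabled: set 'Don't prompt users' so validation failures fail closed")
    return findings

if __name__ == "__main__":
    weak = build_profile(False, "*.example.com", "")
    good = build_profile(True, "radius1.example.com;radius2.example.com", PLACEHOLDER_THUMBPRINT)
    print("weak:", audit_server_validation(weak))
    print("hardened:", audit_server_validation(good))
```

On a real client, export the profile with netsh and feed the XML to audit_server_validation to check deployed settings.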