HPE7-A02 Exam - Topic 12 Question 13 Discussion

Actual exam question for HP's HPE7-A02 exam

Question #: 13
Topic #: 12

The exhibit shows the 802.1X-related settings for Windows domain clients. What should admins change to make the settings follow best security practices?

ASpecify at least two server names under the 'Connect to these servers' field.

BSelect the desired Trusted Root Certificate Authority and select the check box next to 'Don't prompt users.'

CUnder the 'Connect to these servers' field, use a wildcard in the server name.

DClear the check box for using simple certificate selection and select the desired certificate manually.

Show Suggested Answer

Suggested Answer: A

To follow best security practices for 802.1X authentication settings in Windows domain clients:

Specify at least two server names under 'Connect to these servers':

Admins should explicitly list trusted RADIUS server names (e.g., radius.example.com) to prevent the client from connecting to unauthorized or rogue servers.

This mitigates man-in-the-middle (MITM) attacks where an attacker attempts to present their own RADIUS server.

Select the desired Trusted Root Certificate Authority and 'Don't prompt users':

Select the Trusted Root CA that issued the RADIUS server's certificate. This ensures clients validate the correct server certificate during the EAP-TLS/PEAP authentication process.

Enabling 'Don't prompt users' ensures end users are not confused or tricked into accepting certificates from untrusted servers.

Why the other options are incorrect:

Option C: Incorrect. Wildcards in server names (e.g., *.example.com) weaken security and allow broader matching, increasing the risk of rogue servers.

Option D: Incorrect. Clearing 'Use simple certificate selection' requires users to select certificates manually, which can lead to errors and usability issues. Simple certificate selection is recommended when properly configured.

Recommended Settings for Best Security Practices:

Server Validation: Specify the exact RADIUS server names in the 'Connect to these servers' field.

Root CA Validation: Ensure only the correct Trusted Root Certificate Authority is selected.

User Prompts: Enable 'Don't prompt users' to enforce automatic and secure authentication without user intervention.

by Hari at May 14, 2025, 02:19 AM

Limited Time Offer

25%

Off

Get Premium HPE7-A02 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Merissa

2 months ago

Wait, are we really supposed to manually select certificates? That seems odd!

upvoted 0 times

...

Kate

3 months ago

D seems like a hassle, but might be necessary for security.

upvoted 0 times

...

Ahmed

3 months ago

C sounds risky, wildcards can open up vulnerabilities.

upvoted 0 times

...

Joanne

3 months ago

I disagree, B could lead to security risks if users aren't prompted.

upvoted 0 times

...

Rosalind

3 months ago

A is definitely the way to go, more server names mean better redundancy.

upvoted 0 times

...

Vanna

3 months ago

I recall that manual certificate selection is generally more secure, so option D might be the right move here.

upvoted 0 times

...

Lennie

4 months ago

I feel like using a wildcard in server names could lead to vulnerabilities, so I would probably avoid option C.

upvoted 0 times

...

Dominque

4 months ago

I'm not entirely sure, but I remember something about not prompting users for certificates being a security risk. Maybe option B isn't the best choice?

upvoted 0 times

...

Broderick

4 months ago

I think we discussed the importance of specifying multiple server names for redundancy, so I might lean towards option A.

upvoted 0 times

...

Helga

4 months ago

Okay, let me think this through. Specifying multiple server names and using a wildcard don't seem like the best security approaches. I think the manual certificate selection in option D might be the most secure choice.

upvoted 0 times

...

Loreta

4 months ago

Option B seems like the way to go - specifying the Trusted Root Certificate Authority and not prompting users is a good security practice. I'll double-check the other options, but this one looks solid.

upvoted 0 times

...

Andrew

5 months ago

Hmm, I'm a bit unsure about this one. The settings seem complex, and I want to make sure I understand the implications of each option before selecting an answer.

upvoted 0 times

...

Joanna

5 months ago

This looks like a straightforward 802.1X security configuration question. I'll carefully review the options and think through the best security practices.

upvoted 0 times

...

German

8 months ago

I think both options are valid. It depends on the specific security requirements of the network.

upvoted 0 times

...

Ezekiel

8 months ago

Ah, the good old 802.1X settings. Brings back memories of the time I accidentally connected to the wrong server and ended up in the IT department's doghouse. Option B it is!

upvoted 0 times

Bettyann

7 months ago

Definitely, selecting the Trusted Root Certificate Authority is important.

upvoted 0 times

...

Asha

8 months ago

I agree, option B is the way to go for best security practices.

upvoted 0 times

...

Malcolm

8 months ago

I'm not sure about that. I think we should specify at least two server names under 'Connect to these servers.'

upvoted 0 times

...

Dorian

9 months ago

Hmm, Option D seems like the safest bet. No more simple certificate selection for me, I want to manually pick my certificate and feel in control.

upvoted 0 times

Martha

8 months ago

User 3: I think it's important to have control over which certificate is being used for authentication.

upvoted 0 times

...

Mable

8 months ago

User 2: Yeah, I always prefer manually selecting my certificate for added security.

upvoted 0 times

...

Hildred

8 months ago

User 1: I agree, Option D sounds like the most secure choice.

upvoted 0 times

...

Agustin

9 months ago

I agree with Sol. That sounds like the best security practice.

upvoted 0 times

...

Bo

9 months ago

I'm feeling a bit wild today, so I'm gonna go with option C. Using a wildcard in the server name? Now that's what I call living on the edge!

upvoted 0 times

...

Sol

9 months ago

I think we should select the desired Trusted Root Certificate Authority and check 'Don't prompt users.'

upvoted 0 times

...

Harley

9 months ago

Option B looks good to me. Selecting the desired Trusted Root Certificate Authority and not prompting users seems like the way to go for best security practices.

upvoted 0 times

Sherita

8 months ago

User 2: Yeah, selecting the Trusted Root Certificate Authority and not prompting users is important.

upvoted 0 times

...

Celeste

8 months ago

User 1: I agree, option B seems like the best choice for security.

upvoted 0 times

...