ITNW - Chapter 06 & 07
An NPS connection request policy must include at least one condition. These conditions must be met by the connecting device. Multiple conditions can be used for each connection request policy. Which of the following are available conditions? (Select two.)
Day and time restrictions, Username
You would like to implement DirectAccess on our corporate network. Which of the following is not an infrastructure requirement for using DirectAccess?
Network access for files server role
You are the network administrator for your company. The Network Policy Server (NPS) is installed on our Windows 2016 server, and it is configured as a RADIUS server. You have decided that it would be best if you used NPS accounting. Which are valid options for storing the NPS log files? (Select two.)
SQL logging, Text logging
Which of the following are NPS and RADIUS template types? (Select four.)
Shared secrets, RADIUS clients, Remote RADIUS servers, IP filters
What tools help you minimize your workload and avoid errors when configuring RADIUS servers and clients?
Templates
A shared secret should include random uppercase and lowercase letters, numbers from 0 to 9, and symbols such as !, &, and @, as well as be a minimum length of 22 characters. What is the maximum length of a shared secret?
128 characters
You manage Windows 8 and Windows 10 notebooks that are joined to the mydomain.com Active Directory domain. Because these notebook computers are frequently taken on sales visits to client sites, you have decided to implement DirectAccess on your network. You run the setup for DirectAccess on the DA1 server with the following configuration: • End-to-end authentication with a smart card required for authentication. • Root certificate from ca1.mydomain.com. • The security group name DirectAccessGroup. • The Network Location service running on the DirectAccess server. You need to configure the client computers for the DirectAccess connection. What should you do?
Add the computer account for each client computer to the DirectAccessGroup security group.
You are the network administrator for westsim.com. The network consists of a single domain. All the servers run Windows Server 2016. All the clients run Windows 10. The main office contains a server named RRAS1. You are in the process of configuring RRAS1 to support DirectAccess connections. You need to configure RRAS1 to allow IPv6 connectivity for the clients to RRAS1 for the purpose of DirectAccess. What should you do?
Configure Windows Firewall with Advanced Security to allow ICMPv6 Echo Requests.
You manage a remote access solution for your network. Currently, you have 10 remote access servers named RA1 through RA10. A single RADIUS server named RA11 holds all network policies for all remote access servers. Due to some recent changes, you decide to add a second RADIUS server, RA12, to your solution. Remote access connections should be directed to either RA11 or RA12 based on the characteristics of the connection. You decide to configure the RA13 server as a RADIUS proxy. Connection requests from RA1 through RA10 will be sent to RA13. All requests will then be forwarded to RA11 or RA12 based on the characteristics of the connection. Which of the following steps will be part of your configuration on RA13? (Select three. Each choice is a required part of the solution.)
Configure connection request policies. Configure RA1 through RA10 as RADIUS clients to RA13. Configure RADIUS server groups.
You are the network administrator for westsim.com. The network consists of a single domain. All the servers run Windows Server 2016. All the clients run Windows 10. You need to provide access to remote clients who belong to the Remote group. You install the Network Policy Server (NPS) on a server named VPN1 with the Routing and Remote Access role service. You configure VPN1 to act as a VPN server and add all of the user accounts to the Remote group. You configure a server named RADIUS1 with the NPS role. You configure VPN1 to be a RADIUS client of RADIUS1. You need to configure RADIUS1 to process authentication requests from VPN1. What should you do?
Create a connection request policy.
You decide to export your NPS configuration via PowerShell. Which cmdlet would you use to export the configuration?
Export-NpsConfiguration -Path C:\NPS_configurations\config.xml
You are the network administrator for westsim.com. The network consists of a single domain. All the servers run Windows Server 2016. All the clients run Windows 10. You have a server named VPN1 that is configured to accept VPN connections from remote clients. VPN1 is configured as a RADIUS client of a server named RADIUS1. Management decides to implement remote access auditing. You need to track when each user is connected via remote access and how long the connection lasts. What should you do?
Install a RADIUS accounting server on RADIUS1.
You have purchased a new laptop that runs Windows 10. You want to use DirectAccess to connect the computer to your corporate intranet from home. Your home network is connected to the internet with a single public IP address and NAT. Firewalls between your network and the intranet allow only HTTP and HTTPS traffic. What should you do to configure the laptop for the DirectAccess connection?
Obtain a computer certificate for the laptop.
You manage the remote access solution for your network. Currently, you have two remote access servers, RA1 and RA2, with an additional server, RA3, configured as a RADIUS server. You need to configure RA1 and RA2 to forward authentication requests to RA3. What should you do?
On RA1 and RA2, run Routing and Remote Access. Edit the properties of the server and configure it to use RA3 for authentication.
A RADIUS server can be configured to provide centralized accounting, sometimes referred to as NPS logging. Which of the following is the preferred method for configuring logging and accounting for RADIUS?
The Accounting Configuration wizard available from within the Network Policy Server console.
Which of the following are considered to be RADIUS clients? (Select two.)
VPN servers, Wireless access points
You are the network administrator. The network consists of a single domain. All servers run Windows Server 2016. All the clients run Windows 10. The main office contains a server named RRAS1, which is configured to provide DirectAccess connectivity for clients. A group named DirectAccess clients is enabled for DirectAccess. Users complain that they are unable to connect to the internal network using DirectAccess. You need to ensure that the users can connect to RRAS1 using DirectAccess. What should you do?
In Active Directory Users and Computers, add the users' computer accounts to the DirectAccess clients group.
You are asked by your supervisor to export NPS configuration from a server. Your supervisor contacts you and tells you it is missing the log files. What must you do to provide your supervisor with the NPS log files?
Import the NPS configurations, then manually configure SQL Server Logging on the target machine.
Which of the following best describes a network policy?
A set of conditions, constraints, and settings used to authorize which remote users and computers can or cannot connect to a network.
You are the network administrator for westsim.com. The network consists of a single domain. All the servers run Windows Server 2016. All the clients run Windows 10. The network has one main office located in Dallas. All of the switches in Dallas are managed switches. You have decided to implement 802.1x authentication on the switches in Dallas. You configure the switches as RADIUS clients and issue computer certificates to the Network Policy Server (NPS) server and the client computers using a stand-alone root Certification Authority (CA) named CA1. You create an 802.3 wired policy on the NPS server requiring PEAP-MS-CHAP v2 authentication. After you implement the 802.3 wired policy, clients complain that they cannot connect to the network. You need to ensure that clients can connect to the network using 802.1x authentication with the minimum amount of administrative effort.
Add the certificate for CA1 to the Trusted Root Certification Authorities store on the client computers.
With RADIUS, network managers can centrally manage connection authentication, authorization, and accounting (sometimes referred to as AAA) for many types of network access, such as VPN or wireless access points. Which of the following best describes authorization?
Allows users to use specific network services or connect to specific network resources.
Which of the following features are used by clients and provided by the RADIUS server? (Select three.)
Authentication, Accounting, Authorization
You are the network administrator for westsim.com. The network consists of a single domain named westsim.com. All servers run Windows Server 2016. All the clients run Windows 8 or Windows 10. The main office contains a server named RRAS1 that has been configured to provide DirectAccess connectivity for clients. Clients complain that when they connect via DirectAccess, they are not able to resolve intranet names. What should you do?
Check for westsim.com in the Name Resolution Policy Table.
Your company has recently added a traveling sales force. To allow salesmen access to the network while traveling, you install two additional servers. You configure the servers (REM1 and REM2) as remote access servers to accept incoming calls from remote clients. You configure the network access policies on each server. The solution is working fine, but you find that you must make constant changes to the remote access policies. You install the Network Policy and Access Services role on a third server (REM3). You configure network access policies on REM3. Following the installation, you verify that all clients can connect to REM1 and REM2. Then you delete the custom network policies on both servers. Now, no clients can make a remote access connection. What should you do?
Configure REM1 and REM2 as REM3's RADIUS clients.
You are in charge of installing a remote access solution for your network. You decide you need a total of four remote access servers to all remote clients. Because remote clients connect to any of the four servers, you decide that each remote access server must enforce the exact same policies. You anticipate that the policies will change frequently.
Configure one of the remote access servers as a RADIUS server and all other servers as RADIUS clients. Configure network access policies on the RADIUS server.
You have a laptop computer that runs Windows 10. The computer is a member of a domain. You want to use DirectAccess to access application servers on your corporate intranet. Application servers are currently running Windows Server 2008. You need to implement a solution that accomplishes the following: • All communications sent to the private network server over the internet are encrypted. • Client computers authenticate with application servers on the intranet. • Following authentication, traffic on the intranet is not encrypted. What should you do? (Select two. Each choice is a required part of the solution).
Configure selected server access (modified end-to-edge). Upgrade application servers to Windows Server 2008 R2 or newer.
You manage the remote access solution for your network. Currently, you have 10 remote access servers named RA1 through RA10. A single RADIUS server named RA11 holds all network policies for all remote access servers. Due to some recent changes, you decide to add two more RADIUS servers, RA12 and RA13, to your solution. Remote access authentication should be directed to any of the three servers so that requests are load balanced between them. You add RA14 to configure it as a RADIUS proxy. You configure RA1 through RA10 as RADIUS clients to RA14. Authentication requests will be received by RA14, then directed to one of the three RADIUS servers. How should you complete the configuration of RA14? (Select two. Each choice is a required part of the solution.)
Create a single RADIUS server group with RA11, RA12, and RA13 as members of the group. Create a single connection request policy.
You have a laptop that runs Windows 10. You want to use the laptop to connect to your corporate intranet while you are at home or traveling. Your solution should meet the following requirements: • The computer should connect automatically to the intranet without user initiation. • All communications between your laptop and the intranet should be encrypted. • The connection should allow for remote management of the computer from the corporate intranet. • Internet traffic should be directed to internet servers without going through servers at the corporate network. • The solution should work through firewalls where only HTTP and HTTPS are permitted. Which feature should you implement?
DirectAccess
You are the network administrator. The network consists of a single domain. All servers run Windows Server 2016. All the clients run Windows 10. DirectAccess has been configured on your network and all remote users are using DirectAccess to connect to the network. However, the remote users are complaining that their internet connections are slow when they browse the web. What should you do?
Disable force tunneling
Network Policy Server (NPS) configurations include RADIUS clients and servers, policies, and accounting data. To reduce the time required to configure a new NPS server, the entire NPS configuration can be exported from one NPS server and then imported on another NPS server. While exporting NPS configurations, which of the following are true? (Select two.)
Exported NPS configurations will contain shared secrets. NPS configurations are an XML file.
You have purchased a new laptop that runs Windows 10. You want to use DirectAccess to connect the laptop to your corporate intranet. You will use Group Policy to enforce DirectAccess settings on the client. What should you do to configure the laptop for the DirectAccess connection?
Join the computer to a domain.
You are the network administrator for westsim.com. The network consists of a single domain. All the servers run Windows Server 2016. All the clients run Windows 10. There is one main office located in Chicago. The main office is protected from the internet by a perimeter network. A server named VPN1 located in the perimeter network provides VPN remote access for external clients. A server named NPS1 has the Network Policy Security (NPS) role installed and provides RADIUS services for VPN1. NPS1 is located in the perimeter network and is configured to use Active Directory for authentication requests. There are three domain controllers on the internal network. A new company policy requires that the firewall between the internal network and the perimeter network be configured to allow traffic only between specific IP addresses. The amount of internal servers that can be contacted from the perimeter network must be kept to a minimum. You need to configure remote access to minimize the number of servers on the internal network that can be contacted by servers on the perimeter network. Your solution should not impact the availability of remote access services.
Move NPS1 to the internal network and implement a RADIUS proxy in the perimeter network.
You are the network administrator for westsim.com. The network consists of a single domain. All the servers run Windows Server 2016. All the clients run Windows 10. There is a single main office located in New York. A perimeter network separates the main office from the internet. Corporate policy requires that all servers be isolated from the internet. No external clients may directly access internal resources unless the connection is secure. External connections to servers located in the perimeter network are permitted. You plan to implement DirectAccess to support encrypted connections from remote clients to the internal network. A server named RRAS1 will provide DirectAccess connections for the clients. The DirectAccess clients will use IP-HTTPS connections. Certificates for the DirectAccess clients and servers will be issued by an Enterprise root CA named CA1. You need to configure to support DirectAccess clients.
Publish the CA1 Certificate Revocation List (CRL) on a server in the perimeter network.