802.1X

Correct Answer: Replace the MAC address filtering with an 802.1X compatible RADIUS server

IEEE 802.1X provides port-based network access control and is primarily used in Wi-Fi network security. To implement it, an organization would need an 802.1X compatible RADIUS server - Remote Authentication Dial-in User Service - to provide the necessary authentication and authorization. MAC address filtering is vulnerable as hackers can easily spoof the MAC addresses to gain unauthorized access. (Answer: Replace the MAC address filtering with an 802.1X compatible RADIUS server). The option of keeping MAC address filtering while introducing a RADIUS server is incorrect because the continued use of easily-spoofable MAC addresses does not provide the heightened level of security that 802.1X can provide The use of 802.1X compatible switches only, is an incomplete solution as the protocol also requires an authentication server, typically a RADIUS server, to provide appropriate authentications Lastly, replacing MAC address filtering with an 802.1X compatible firewall is incorrect as the primary purpose of 802.1X is not fulfilled by a firewall. While firewalls are crucial for network security, they primarily monitor and filter incoming and outgoing traffic based on pre-determined security rules and are not explicitly designed for user authentication and authorization like a RADIUS server.

Correct Answer: EAP-PEAP

EAP-PEAP (Extensible Authentication Protocol-Protected Extensible Authentication Protocol) is the best suited method for this scenario where user authentication with a username and password is required. EAP-PEAP provides a secure method of sending authentication information, including passwords, over wireless networks. It creates an encrypted SSL/TLS tunnel between the client and the authentication server, which protects the authentication process from eavesdropping. On the other hand, EAP-TLS (Transport Layer Security) and EAP-TTLS (Tunneled Transport Layer Security) use certificates for authentication which can be more complex to implement and manage. EAP-SIM (Subscriber Identity Module) is mainly used for authentication on GSM networks and relies on a SIM card for user identity, not suitable for a username and password scenario.

Correct Answer: End-user device

In the context of 802.1X network security, the supplicant is the end-user device. This is because the supplicant initiates the process of getting network access by sending a request to the authenticator, which is typically a switch or wireless access point. The authenticator then passes the request to the authentication server. Therefore, the authentication server cannot be a supplicant because it doesn't initiate the process but responds to the authentication requests. The gateway and the switch also cannot be supplicants as they act as intermediaries between the supplicant and authentication server.