ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
An enterprise is deploying several hundred Windows 11 laptops, each equipped with TPM 2.0. The network team wants to ensure that only company-owned laptops can obtain access to the wired 802.1X LAN, even if an attacker learns a valid employee username and password. The solution must require little or no user interaction after initial enrollment. Which device authentication method BEST meets these goals?
Enable MAC address filtering on access switches and allow only the NIC addresses of corporate laptops.
Implement PEAP authentication that requires users to enter their Active Directory credentials when connecting to the wired network.
Use EAP-TLS with machine certificates whose private keys are stored in each laptop's TPM, validated by the RADIUS server during 802.1X authentication.
Assign every switch port to a restricted guest VLAN unless the first connected MAC address remains unchanged for the session.
EAP-TLS performs mutual authentication between the endpoint and the RADIUS server by using X.509 certificates. When each laptop is provisioned with a machine certificate whose private key is protected by the onboard TPM, the device-not just the user-must prove possession of that key before any network access is granted. After the certificate is installed, the process is transparent to the user, satisfying the minimal-interaction requirement.
MAC address filtering and port-based guest VLAN controls rely on MAC addresses, which are easily spoofed and impose significant administrative overhead. PEAP still authenticates only the user's credentials, so a stolen password would allow an attacker to connect from an unmanaged device. Therefore, certificate-based EAP-TLS backed by the TPM is the most secure and practical way to enforce device-level authentication.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is EAP-TLS and why is it used in device authentication?
Open an interactive chat with Bash
What role does TPM play in securing machine certificates in this scenario?
Open an interactive chat with Bash
Why are MAC address filtering and PEAP less effective compared to EAP-TLS?
Open an interactive chat with Bash
ISC2 Systems Security Certified Practitioner (SSCP)
Access Controls
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .