Exam 70-298 Highlighters Index | 517
How IAS works (a simplified scenario)
1. When a remote VPN user connects directly to an RRAS server, the RRAS server
(acting as a RADIUS client) forwards the request to the IAS server.
2. The IAS server checks the user’s credentials on the domain controller, and
checks to see whether the user is allowed to connect remotely. The IAS server
must be part of the RAS and IAS Servers group to be able to query the DC.
3. RADIUS Remote Access Policy (just like RRAS policy) is evaluated against
the user, and the user is allowed or denied.
4. IAS sends acceptance or denial of user authentication to the RRAS server.
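The four steps above, as an added Python sketch that is not part of the study guide: it goes one level below the simplified scenario and uses the RFC 2865 packet layout, User-Password hiding and Response Authenticator to show why the RRAS server can trust the verdict only when it shares a secret with IAS. The shared secret, the accounts, the "VPN Users" policy group and all function names are constructed for illustration, and password (PAP-style) authentication is assumed.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RFC 2865 attribute types
# Constructed sample data: shared secret, accounts and policy group are made up.
SECRET, POLICY_GROUP = b"rras-ias-shared-secret", "VPN Users"
DIRECTORY = {
    "alice": {"password": b"correct horse battery", "dial_in": True, "groups": {"VPN Users"}},
    "bob": {"password": b"hunter2", "dial_in": False, "groups": {"VPN Users"}},
}

def _chain(data, secret, req_auth, decrypt):
    """User-Password hiding (RFC 2865 5.2): XOR each 16-byte block with an MD5 keystream."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        res = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + res, (block if decrypt else res)
    return out

def build_access_request(user, password, secret, ident):
    """Step 1: the RADIUS client (RRAS) wraps the user's credentials for IAS."""
    req_auth = os.urandom(16)
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in
                     ((USER_NAME, user), (USER_PASSWORD, _chain(padded, secret, req_auth, False))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def ias_handle(packet, secret, directory):
    """Steps 2-4: check credentials and dial-in permission, apply policy, reply."""
    _, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs, pos = packet[4:20], {}, 20
    while pos + 2 <= length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2:
            raise ValueError("malformed attribute")
        attrs[t], pos = packet[pos + 2:pos + l], pos + l
    acct = directory.get(attrs[USER_NAME].decode(), {})
    pw = _chain(attrs[USER_PASSWORD], secret, req_auth, True).rstrip(b"\x00")
    ok = (hmac.compare_digest(acct.get("password", b""), pw)
          and acct.get("dial_in", False) and POLICY_GROUP in acct.get("groups", ()))
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return head + hashlib.md5(head + req_auth + secret).digest()

def verify_reply(reply, request, secret):
    """RRAS side: accept the verdict only if the Response Authenticator matches."""
    want = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if reply[1] != request[1] or not hmac.compare_digest(want, reply[4:20]):
        raise ValueError("Response Authenticator mismatch")
    return reply[0]
```

A reply whose code byte is changed in transit, or one produced with a different shared secret, fails `verify_reply` instead of being treated as an acceptance.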
Securing Wireless Networks
This subsection is a summary of highlights from the “Securing Wireless
Networks” section in the Exam 70-298 Study Guide.
• 802.1x is a newer networking security standard covering wireless authentication.
802.1x VPN tunnels are considered secure, especially compared to legacy
WEP wireless protection. EAP and PEAP VPNs are part of the 802.1x
• Infrastructure Mode is when a WAP is a terminating network device designed
to support multiple wireless nodes at once (much like a wired hub), and often
interfaces the wireless network to the wired network.
• Ad-hoc Mode WAPs are peer-to-peer connections. Usually every computer
that has a wireless network card can act as an Ad-hoc Mode WAP. Windows
XP Pro clients will often connect to Ad-hoc Mode WAPs, even though most
users only intend to connect to Infrastructure Mode WAPs. A secure wireless
client should only connect to Infrastructure Mode WAPs.
Wired Equivalent Privacy (WEP)
• WEP is an older, legacy wireless VPN encryption protocol that was found to
be very flawed. It is considered to be an insecure VPN protocol, but is better
than using wireless networking without any encryption.
Wi-Fi Protected Access (WPA)
• WPA and WPA2 are two newer, more secure wireless VPN protocols
designed to replace the weaker WEP. WPA2 is part of the 802.11i standard
and is considered very secure. WPA2 is better than WPA; eventually, WPA
will go away completely.
• Service Set Identifiers (SSIDs), or Extended Service Set Identifiers (ESSIDs), are
labels used to identify wireless networks. The SSID is normally broadcast
frequently so wireless nodes can locate WAPs.