CompTIA CASP+ (CAS-003) — Question 60
A security administrator wants to implement two-factor authentication for network switches and routers. The solution should integrate with the company's RADIUS server, which is used for authentication to the network infrastructure devices. The security administrator implements the following:
- An HOTP service is installed on the RADIUS server.
- The RADIUS server is configured to require the HOTP service for authentication.
The configuration is successfully tested using a software supplicant and enforced across all network devices. Network administrators report they are unable to log onto the network devices because they are not being prompted for the second factor.
Which of the following should be implemented to BEST resolve the issue?
Answer options
- A. Replace the password requirement with the second factor. Network administrators will enter their username and then enter the token in place of their password in the password field.
- B. Configure the RADIUS server to accept the second factor appended to the password. Network administrators will enter a password followed by their token in the password field.
- C. Reconfigure network devices to prompt for username, password, and a token. Network administrators will enter their username and password, and then they will enter the token.
- D. Install a TOTP service on the RADIUS server in addition to the HOTP service. Use the HOTP on older devices that do not support two-factor authentication. Network administrators will use a web portal to log onto these devices.
Correct answer: B
Explanation
The correct answer is B because it allows the RADIUS server to accept the second factor as an extension of the password, enabling seamless integration into the existing authentication flow. Option A is incorrect as it removes the password requirement entirely, which is not suitable for most authentication scenarios. Option C does not align with the RADIUS server configuration as it requires a separate prompt for the token, which is not currently supported. Option D introduces unnecessary complexity by adding a TOTP service instead of directly resolving the issue with the existing HOTP service.
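The server-side check that option B implies, as an added example (not part of the original question or of any RADIUS product's code): the single password field is split into password and HOTP token, and both are verified. The 6-digit token length, the look-ahead window, the user-record layout, and the sample credentials are assumptions, and the server must receive the field in cleartext (for example, PAP) to split it.

```python
import hashlib
import hmac
import struct

DIGITS = 6      # assumed fixed token length, so the field can be split from the right
LOOKAHEAD = 3   # assumed number of counters ahead of the stored one still accepted


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_login(field: str, user: dict):
    """Check 'password' + 'token' typed into one field.

    Returns the next counter to store on success, or None on failure.
    """
    token = field[-DIGITS:]
    if len(field) <= DIGITS or not (token.isascii() and token.isdigit()):
        return None  # no room for a password, or no token appended
    password = field[:-DIGITS]
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    next_counter = None
    # The token may be ahead of the server if the user generated codes without
    # logging in; counters below the stored one are never tried (no replay).
    for c in range(user["counter"], user["counter"] + LOOKAHEAD + 1):
        if hmac.compare_digest(hotp(user["secret"], c), token):
            next_counter = c + 1
            break
    return next_counter if pw_ok else None


def make_sample_user(counter: int = 0) -> dict:
    """Constructed record: RFC 4226 test secret and a made-up password."""
    salt = b"constructed-salt"
    return {"salt": salt, "pw_hash": hash_password("S3cret!", salt),
            "secret": b"12345678901234567890", "counter": counter}
```

On success the caller must persist the returned counter; otherwise the same token would be accepted again.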