You are deploying an 802.1X solution and must determine what would happen if clients are unable to re-authenticate to the RADIUS server.
In this scenario, which configuration would provide access to the network if the supplicant is already authenticated?
If clients are unable to re-authenticate to the RADIUS server, the 'sustain' configuration allows already authenticated supplicants to maintain their network access while blocking new, unauthenticated devices. This ensures that there is no disruption for users who are already validated, providing continuous access to the network under these conditions.
D is correct, Sustain. "Server fail fallback allows you to specify one of four actions to be taken toward end devices awaiting authentication when the server is timed out: Permit: authentication, allowing traffic to flow from the end device through the interface as if the end device were successfully authenticated by the RADIUS server. Deny: authentication, preventing traffic from flowing from the end device through the interface. This is the default. Move: the end device to a specified VLAN. (The VLAN must already exist on the router.) Sustain: authenticated end devices that already have LAN access and deny unauthenticated end devices. If the RADIUS servers time out during reauthentication, previously authenticated end devices are reauthenticated and new users are denied LAN access. https://www.juniper.net/documentation/us/en/software/junos/user-access/topics/concept/802-1x-pnac-divert-authentication-understanding-mx-series.html
https://www.juniper.net/documentation/us/en/software/junos/user-access/topics/concept/802-1x-pnac-divert-authentication-understanding-mx-series.html
D is correct
D Sustain
If the RADIUS authentication servers become unavailable or inaccessible the server fail fallback is triggered. By default, the deny option is configured under server-fail, which force fails the supplicant authentication. However, there are other options that you can configure as actions to be taken for end devices awaiting authentication when the server times out. server-fail (bridge-domain bridge-domain | deny | permit | use-cache | vlan-name vlan-name) - deny—Force the supplicant authentication to fail. No traffic will flow through the interface. - permit—Force the supplicant authentication to succeed. Traffic will flow through the interface as if it were successfully authenticated by the RADIUS server. - use-cache—Force the supplicant authentication to succeed only if it was previously authenticated successfully. This action ensures that already authenticated supplicants are not affected.
Permit authentication, allowing traffic to flow from the end device through the interface as if the end device were successfully authenticated by the RADIUS server. Deny authentication, preventing traffic from flowing from the end device through the interface. This is the default. Move the end device to a specified VLAN. (The VLAN must already exist on the router.) Sustain authenticated end devices that already have LAN access and deny unauthenticated end devices. If the RADIUS servers time out during reauthentication, previously authenticated end devices are reauthenticated and new users are denied LAN access.
should be D