Which protocol requires a digital certificate on the server and a password on the client?


The correct choice is EAP-TTLS, which stands for Extensible Authentication Protocol - Tunneled Transport Layer Security. This protocol is designed specifically for scenarios where a digital certificate is used on the server side to establish a secure tunnel, while client-side authentication can rely on simpler methods, such as a password.

The use of a digital certificate on the server ensures that the client establishes a secure connection with a trusted server, which is critical for preventing man-in-the-middle attacks. The password on the client side provides a simpler, yet effective authentication method that doesn’t necessitate a client-side certificate, making it more user-friendly. This combination of robust server-side security with a password-based client authentication is ideal for environments that may not require the complexity of full certificate authentication for every client.

The other options represent different methods of authentication. For instance, EAP-FAST is focused on implementing protection against eavesdropping without necessarily using a digital certificate on the client side. EAP-MD5 uses a simple username/password method without security features like encryption, and Kerberos is a network authentication protocol that uses tickets and requires secret-key cryptography rather than certificates. Thus, EAP-TTLS stands out with its unique combination of server-side certificates
