
300-415 · Question #453

300-415 Question #453: Real Exam Question with Answer & Explanation

The correct answer is A: Image showing "Add VPN Group" with "VPN_Group_10", "Enable User Group access" checked, and "netadmin" as the User Group. Restricting SD-WAN Manager access by VPN group and user requires creating a VPN group with 'Enable User Group access' checked and assigning a specific authorized user group such as 'netadmin'.

Management and Operations

Question

A company is deploying a new policy that restricts access to Cisco Catalyst SD-WAN Manager features based on VPN groups, segments, and users. Which configuration accomplishes this task?

Options

  • A. Image showing "Add VPN Group" with "VPN_Group_10", "Enable User Group access" checked, and "netadmin" as the User Group.
  • B. Image showing "Add VPN Group" with "VPN_Group_10", "Enable User Group access" checked, and "operator" as the User Group.
  • C. Image showing "Add VPN Group" with "New_Group", "Enable User Group access" checked, and an empty User Group field.
  • D. Image showing "Add VPN Group" with "VPN_Group_10", "Enable User Group access" checked, and "admin" as the User Group.
  • E. Image showing "Add VPN Group" with "VPN_Group_10", "Enable User Group access" unchecked.

Explanation

Restricting SD-WAN Manager access by VPN group and user requires creating a VPN group with 'Enable User Group access' checked and assigning a specific authorized user group such as 'netadmin'.

Common mistakes.

  • B. The 'operator' user group has read-only or limited operational access and is not the correct role for administering VPN group-based access restrictions in this context.
  • C. Leaving the User Group field empty produces an incomplete configuration that does not associate any users with the VPN group, so no user-level access restriction is actually enforced.
  • D. The 'admin' user group has unrestricted system-wide access, so assigning it to a VPN group does not meaningfully restrict access; it defeats the purpose of the segmented policy.
  • E. With 'Enable User Group access' unchecked, the VPN group configuration ignores user group membership entirely, leaving user-level access restrictions disabled.

Concept tested. SD-WAN Manager VPN group role-based access control configuration

Reference. https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/security/ios-xe-17/security-book-xe/rbac.html

Topics

#SD-WAN Manager #Access Control #VPN Groups #User Groups
