Cisco 300-730 Question #113: Real Exam Question with Answer & Explanation
The correct answer is A: Use a DAP registry check on the system to determine the relationship with the corporate domain.
Question
A company needs to ensure only corporate issued laptops and devices are allowed to connect with the Cisco AnyConnect client. The solution should be applicable to multiple operating systems, including Windows, macOS, and Linux, and should allow for remote remediation if a corporate issued device is stolen. Which solution should be used to accomplish these goals?
Options
- A. Use a DAP registry check on the system to determine the relationship with the corporate domain.
- B. Use a DAP file check on the system to determine the relationship with the corporate domain.
- C. Install and authenticate user certificates on the corporate devices.
- D. Install and authenticate machine certificates on the corporate devices.
Explanation
A DAP registry check verifies domain membership on the connecting endpoint, ensuring only corporate domain-joined devices can authenticate, and allows remote remediation by disabling the computer account in Active Directory.
Common mistakes
- B. A DAP file check only verifies the presence of a specific file on the endpoint, which an attacker controlling a stolen device could fabricate; it does not tie device identity to centrally managed domain membership and offers no reliable remote remediation path.
- C. User certificates authenticate the individual user, not the device; a stolen corporate laptop could still satisfy a user certificate check if the certificate is present, meaning the device itself is not uniquely identified or blockable.
- D. Machine certificates do authenticate the device and can be revoked, but certificate revocation depends on the client querying a CRL distribution point or OCSP responder and honoring the result, which may be delayed or bypassed; DAP domain checks integrate directly with Active Directory for immediate, centrally controlled access denial.
Concept tested: DAP registry check for corporate device identity in AnyConnect