300-730 Question #140: Real Exam Question with Answer & Explanation
The correct answer is D: Define key-ids on the headend and create two XML profiles to match the administrator and user key-ids. With AnyConnect-EAP over IKEv2, the key-id the client presents as its IKEv2 identity is what selects the IKEv2 profile on the router, so each group can be given its own profile and, through it, its own authorization policy.
Question
A router is being configured for IKEv2 AnyConnect using AnyConnect-EAP. How would the administrator separate profiles for administrators and employees so that authorization differs when they connect?
Options
- A. Define group aliases on the headend and have the user pick the appropriate alias when they connect.
- B. Define group-urls on the headend and create two XML profiles to match the administrator and user group urls.
- C. Create a certificate map and match on the appropriate certificate fields.
- D. Define key-ids on the headend and create two XML profiles to match the administrator and user key-ids.
Explanation
With AnyConnect-EAP over IKEv2 on an IOS or IOS-XE router (FlexVPN), the client identifies itself with a key-id carried in the IKE_AUTH IDi payload. The value comes from the IKEIdentity element of the AnyConnect XML profile and defaults to *$AnyConnectClient$*. The router selects the IKEv2 profile whose "match identity remote key-id" statement matches that value. Giving administrators and employees different key-ids, each in its own XML profile, therefore lands them in different IKEv2 profiles, and each profile can reference its own AAA authentication list and its own IKEv2 authorization policy (address pool, pushed routes, virtual-template). The key-id is a selector, not a credential: it is chosen by the client and sits in plain text in the XML profile, so the authentication list behind each profile is what actually keeps an employee out of the administrator profile.
Common mistakes.
- A. Group aliases are an ASA tunnel-group feature. An IOS router selects an IKEv2 profile from the identity the client presents, so there is no alias list for the user to pick from.
- B. Group-URLs are likewise an ASA feature that selects a tunnel group from the URL the client connects to; they play no part in IKEv2 profile selection on an IOS router.
- C. Certificate maps match fields of a client certificate. In this scenario the client authenticates with EAP credentials rather than a certificate (only the router presents one), so there are no client certificate fields for the router to match on.
Concept tested. IKEv2 AnyConnect-EAP key-id profile separation on IOS
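As an added example, not part of the original question or of any Cisco document, here is a FlexVPN headend configuration that implements answer D, followed by the HostEntry section of the two AnyConnect XML profiles. The profile names, the trustpoint FLEX-TP, the RADIUS server group ADMIN-RADIUS (assumed to be defined elsewhere), the addresses, pools, ACLs and bootflash file paths are assumptions; the commands themselves are the documented IOS-XE FlexVPN AnyConnect-EAP commands. Administrators and employees each get their own key-id, IKEv2 profile, authentication list, authorization policy and virtual-template.

```text
! FlexVPN headend (IOS-XE). Names, addresses, pools and file paths are assumptions for this example.
aaa new-model
aaa authentication login ADMIN-AUTH group ADMIN-RADIUS   ! admin credentials live only in this RADIUS policy (group assumed)
aaa authentication login USER-AUTH local                 ! employee credentials live in the local database
aaa authorization network FLEX-AUTHOR local
!
crypto ikev2 authorization policy ADMIN-POLICY
 pool ADMIN-POOL
 route set access-list ADMIN-SPLIT
crypto ikev2 authorization policy USER-POLICY
 pool USER-POOL
 route set access-list USER-SPLIT
!
crypto ikev2 proposal FLEX-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy FLEX-POL
 proposal FLEX-PROP
!
crypto vpn anyconnect profile ADMIN-XML bootflash:admin.xml
crypto vpn anyconnect profile USER-XML bootflash:users.xml
!
! Profile selection: the key-id in the client's IKE_AUTH IDi payload is matched here.
crypto ikev2 profile ADMIN-FLEX
 match identity remote key-id admin.example.com
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint FLEX-TP
 aaa authentication anyconnect-eap ADMIN-AUTH
 aaa authorization group anyconnect-eap list FLEX-AUTHOR ADMIN-POLICY
 aaa authorization user anyconnect-eap cached
 anyconnect profile ADMIN-XML
 virtual-template 100
crypto ikev2 profile USER-FLEX
 match identity remote key-id users.example.com
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint FLEX-TP
 aaa authentication anyconnect-eap USER-AUTH
 aaa authorization group anyconnect-eap list FLEX-AUTHOR USER-POLICY
 aaa authorization user anyconnect-eap cached
 anyconnect profile USER-XML
 virtual-template 101
!
crypto ipsec transform-set FLEX-TS esp-aes 256 esp-sha256-hmac
crypto ipsec profile ADMIN-IPSEC
 set transform-set FLEX-TS
 set ikev2-profile ADMIN-FLEX
crypto ipsec profile USER-IPSEC
 set transform-set FLEX-TS
 set ikev2-profile USER-FLEX
!
interface Virtual-Template100 type tunnel
 ip unnumbered GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ADMIN-IPSEC
interface Virtual-Template101 type tunnel
 ip unnumbered GigabitEthernet1
 ip access-group USER-IN in          ! enforced on the headend, unlike the pushed split-tunnel routes
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile USER-IPSEC
!
ip local pool ADMIN-POOL 192.168.10.1 192.168.10.50
ip local pool USER-POOL 192.168.20.1 192.168.20.250
ip access-list standard ADMIN-SPLIT
 permit 10.0.0.0 0.255.255.255
ip access-list standard USER-SPLIT
 permit 10.10.0.0 0.0.255.255
ip access-list extended USER-IN
 permit ip 192.168.20.0 0.0.0.255 10.10.0.0 0.0.255.255

<!-- admin.xml: AnyConnect XML profile given only to administrators; IKEIdentity is the key-id sent in IDi -->
<HostEntry>
  <HostName>Admin VPN</HostName>
  <HostAddress>vpn.example.com</HostAddress>
  <PrimaryProtocol>IPsec
    <StandardAuthenticationOnly>true
      <AuthMethodDuringIKENegotiation>EAP-AnyConnect</AuthMethodDuringIKENegotiation>
      <IKEIdentity>admin.example.com</IKEIdentity>
    </StandardAuthenticationOnly>
  </PrimaryProtocol>
</HostEntry>

<!-- users.xml: profile given to employees; only HostName and IKEIdentity differ -->
<HostEntry>
  <HostName>Employee VPN</HostName>
  <HostAddress>vpn.example.com</HostAddress>
  <PrimaryProtocol>IPsec
    <StandardAuthenticationOnly>true
      <AuthMethodDuringIKENegotiation>EAP-AnyConnect</AuthMethodDuringIKENegotiation>
      <IKEIdentity>users.example.com</IKEIdentity>
    </StandardAuthenticationOnly>
  </PrimaryProtocol>
</HostEntry>
```

Two points the exam answer does not spell out. First, the key-id is chosen by the client, so an employee who edits IKEIdentity in a local copy of the profile will be matched into ADMIN-FLEX; what keeps them out is ADMIN-AUTH, which checks credentials against a source employees are not in. Second, the routes pushed by "route set access-list" are honoured by the client, not enforced by the router; the inbound ACL on Virtual-Template101 is what actually limits employee traffic. "show crypto ikev2 session detail" shows the matched IKEv2 profile and the remote identity for each session, which is the quickest way to confirm the two groups are landing where intended.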
Community Discussion
No community discussion yet for this question.