nerdexam
Cisco

350-701 · Question #271

Refer to the exhibit. When configuring a remote access VPN solution terminating on the Cisco ASA, an administrator would like to utilize an external token authentication mechanism in conjunction with

The correct answer is B. Method. This question asks which Cisco ASA VPN configuration item must be modified to combine external token authentication with AAA machine certificate authentication.

Submitted by ravi_2018· Mar 30, 2026MISSING: Official Exam Domains list not provided

Question

Refer to the exhibit. When configuring a remote access VPN solution terminating on the Cisco ASA, an administrator would like to utilize an external token authentication mechanism in conjunction with AAA authentication using machine certificates. Which configuration item must be modified to allow this?

Exhibit

350-701 question #271 exhibit

Options

  • AGroup Policy
  • BMethod
  • CSAML Server
  • DDHCP Servers

How the community answered

(59 responses)
  • A
    5% (3)
  • B
    71% (42)
  • C
    15% (9)
  • D
    8% (5)

Why each option

This question asks which Cisco ASA VPN configuration item must be modified to combine external token authentication with AAA machine certificate authentication.

AGroup Policy

Group Policy defines user attributes and access rights *after* authentication, such as authorized networks, split tunneling, or DNS servers, but it does not define the primary authentication method itself.

BMethodCorrect

On a Cisco ASA, the 'Method' or 'Authentication Method' configuration setting within a tunnel group or connection profile is used to define the sequence and types of authentication mechanisms for VPN users. To utilize both external token authentication and AAA authentication with machine certificates, the administrator must configure this method to combine these two authentication types in the desired order.

CSAML Server

SAML Server refers to configuring a Security Assertion Markup Language identity provider. While SAML can be an authentication protocol, configuring the SAML server itself is about *which* server to use, not the specific sequence of multiple authentication methods (like token + certificate) on the ASA.

DDHCP Servers

DHCP Servers are used for assigning IP addresses to VPN clients *after* they have successfully authenticated and established a VPN connection; they are not involved in the authentication process itself.

Concept tested: Cisco ASA VPN authentication methods

Source: https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/vpn-remote-access.html

Topics

#Cisco ASA VPN#AAA Authentication#Token Authentication

Community Discussion

No community discussion yet for this question.

Full 350-701 Practice