nerdexam
Cisco

352-001 · Question #696

You have been asked to design a remote access VPN solution to support up to 2000 devices. You must ensure that only corporate assets are allowed to connect to the VPN, and users must authenticate to g

The correct answer is B. Deploy a SSL VPN solution E. Deploy a central authentication directory that users can be authenticated and authorized against. Combining SSL VPN with a central authentication directory satisfies all stated requirements - corporate device enforcement, role-based access, existing credentials, and device-independent user authentication.

Designing Security

Question

You have been asked to design a remote access VPN solution to support up to 2000 devices. You must ensure that only corporate assets are allowed to connect to the VPN, and users must authenticate to gain access based on their user role. Users must use a password that they are already using to access existing applications. A user may not always use the same device to access the VPN. Which two options combined meet the requirement? (Choose two.)

Options

  • ADeploy certificates that are unique to each device
  • BDeploy a SSL VPN solution
  • CDeploy an IPsec VPN solution
  • DUse local usernames and passwords on the VPN device
  • EDeploy a central authentication directory that users can be authenticated and authorized against
  • FDeploy certificates that are unique to each user

How the community answered

(30 responses)
  • A
    3% (1)
  • B
    67% (20)
  • C
    17% (5)
  • D
    10% (3)
  • F
    3% (1)

Why each option

Combining SSL VPN with a central authentication directory satisfies all stated requirements - corporate device enforcement, role-based access, existing credentials, and device-independent user authentication.

ADeploy certificates that are unique to each device

Device-unique certificates bind authentication to a specific enrolled device, which directly conflicts with the requirement that users may not always use the same device - users would be unable to authenticate from any corporate device that does not hold their expected certificate.

BDeploy a SSL VPN solutionCorrect

SSL VPN solutions such as Cisco AnyConnect support host-checking and posture assessment to verify that only corporate-managed endpoints can establish a tunnel, and they integrate natively with AAA infrastructure to apply role-based access policies for up to thousands of concurrent users.

CDeploy an IPsec VPN solution

IPsec VPN provides secure tunneling but is less suited for flexible remote access at scale because it requires per-device client configuration and lacks the built-in posture assessment and role-based policy enforcement capabilities that SSL VPN solutions offer.

DUse local usernames and passwords on the VPN device

Local usernames and passwords stored on the VPN device do not leverage existing corporate directory credentials, do not scale efficiently to 2000 users, and do not provide dynamic role-based authorization tied to group membership.

EDeploy a central authentication directory that users can be authenticated and authorized againstCorrect

A central authentication directory such as Active Directory with RADIUS or LDAP allows users to authenticate with their existing corporate passwords, supports group-based role authorization, and is accessible from any corporate device the user happens to be using.

FDeploy certificates that are unique to each user

User-unique certificates allow portability across devices but do not enforce that the device itself is a corporate-managed asset, meaning a user could install their personal certificate on a non-corporate device and gain access.

Concept tested: SSL VPN with central AAA for scalable remote access design

Source: https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200533-AnyConnect-Authentication-with-Microsoft.html

Topics

#SSL VPN#remote access VPN#AAA#device certificates

Community Discussion

No community discussion yet for this question.

Full 352-001 Practice