352-001 · Question #696
You have been asked to design a remote access VPN solution to support up to 2000 devices. You must ensure that only corporate assets are allowed to connect to the VPN, and users must authenticate to g
The correct answer is B. Deploy a SSL VPN solution E. Deploy a central authentication directory that users can be authenticated and authorized against. Combining SSL VPN with a central authentication directory satisfies all stated requirements - corporate device enforcement, role-based access, existing credentials, and device-independent user authentication.
Question
You have been asked to design a remote access VPN solution to support up to 2000 devices. You must ensure that only corporate assets are allowed to connect to the VPN, and users must authenticate to gain access based on their user role. Users must use a password that they are already using to access existing applications. A user may not always use the same device to access the VPN. Which two options combined meet the requirement? (Choose two.)
Options
- ADeploy certificates that are unique to each device
- BDeploy a SSL VPN solution
- CDeploy an IPsec VPN solution
- DUse local usernames and passwords on the VPN device
- EDeploy a central authentication directory that users can be authenticated and authorized against
- FDeploy certificates that are unique to each user
How the community answered
(30 responses)- A3% (1)
- B67% (20)
- C17% (5)
- D10% (3)
- F3% (1)
Why each option
Combining SSL VPN with a central authentication directory satisfies all stated requirements - corporate device enforcement, role-based access, existing credentials, and device-independent user authentication.
Device-unique certificates bind authentication to a specific enrolled device, which directly conflicts with the requirement that users may not always use the same device - users would be unable to authenticate from any corporate device that does not hold their expected certificate.
SSL VPN solutions such as Cisco AnyConnect support host-checking and posture assessment to verify that only corporate-managed endpoints can establish a tunnel, and they integrate natively with AAA infrastructure to apply role-based access policies for up to thousands of concurrent users.
IPsec VPN provides secure tunneling but is less suited for flexible remote access at scale because it requires per-device client configuration and lacks the built-in posture assessment and role-based policy enforcement capabilities that SSL VPN solutions offer.
Local usernames and passwords stored on the VPN device do not leverage existing corporate directory credentials, do not scale efficiently to 2000 users, and do not provide dynamic role-based authorization tied to group membership.
A central authentication directory such as Active Directory with RADIUS or LDAP allows users to authenticate with their existing corporate passwords, supports group-based role authorization, and is accessible from any corporate device the user happens to be using.
User-unique certificates allow portability across devices but do not enforce that the device itself is a corporate-managed asset, meaning a user could install their personal certificate on a non-corporate device and gain access.
Concept tested: SSL VPN with central AAA for scalable remote access design
Source: https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200533-AnyConnect-Authentication-with-Microsoft.html
Topics
Community Discussion
No community discussion yet for this question.