400-007 Question #174: Real Exam Question with Answer & Explanation

Question

Options

• AUse local usernames and passwords on the VPN device
• BDeploy a central authentication directory that users can be authenticated and authorized against
• CDeploy certificates that are unique to each user
• DDeploy an IPsec VPN solution
• EDeploy certificates that are unique to each device
• FDeploy a SSL VPN solution

Explanation

A central authentication directory paired with an SSL VPN satisfies all stated requirements - existing passwords, role-based authorization, scalability to 2000 users, and device flexibility.

Common mistakes.

• A. Local usernames and passwords on the VPN device do not integrate with existing application credentials, cannot scale to 2000 users without excessive administrative overhead, and provide no role-based authorization capability.
• C. User-unique certificates require distributing the certificate to every device the user might use, which conflicts with the requirement that users may not always connect from the same device, and they do not use the existing password infrastructure.
• D. IPsec VPN is optimized for site-to-site connectivity and relies primarily on device-level authentication mechanisms such as certificates or pre-shared keys rather than flexible user-role-based access tied to a central directory.
• E. Device-unique certificates would restrict connections to enrolled corporate assets but do not support the requirement that a user may use different devices, and they do not address role-based authorization or reuse of existing user passwords.

Concept tested. Remote access VPN design with centralized user authentication

Reference. https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/vpn/asa-96-vpn-config/vpn-asdm-remote.html

No community discussion yet for this question.