NSE4 Question #543: Real Exam Question with Answer & Explanation

Question

An administrator has configured a dialup IPsec VPN with XAuth. Which method statement best describes this scenario?

Options

• AOnly digital certificates will be accepted as an authentication method in phase 1.
• BDialup clients must provide a username and password for authentication.
• CPhase 1 negotiations will skip pre-shared key exchange.
• DDialup clients must provide their local ID during phase 2 negotiations.

Explanation

An IPsec dialup VPN configured with XAuth requires clients to provide an additional username and password for authentication, supplementing the standard Phase 1 authentication.

Common mistakes.

• A. XAuth is a supplementary authentication method and does not limit Phase 1 authentication exclusively to digital certificates; Phase 1 can still use pre-shared keys or certificates.
• C. XAuth enhances the authentication process but does not replace or cause Phase 1 negotiations to skip the essential pre-shared key or certificate exchange.
• D. Local ID is used for peer identification during Phase 1 negotiations, and its provision by dialup clients is not specifically a function of XAuth during Phase 2.

Concept tested. IPsec VPN XAuth functionality

Reference. https://docs.fortinet.com/document/fortigate/7.4.0/fortios-handbook/381504/configuring-xauth-and-ipsec-for-forticlient-vpn-users

No community discussion yet for this question.