Exam 350-701 topic 1 question 66 discussion

B: Configuring the IKEv2 Name Mangler Perform this task to specify the IKEv2 name mangler, which is used to derive a name for authorization requests and obtain AAA preshared keys. The name is derived from specified portions of different forms of remote IKE identities or the EAP identity. enable configure terminal crypto ikev2 name-mangler mangler-name dn {common-name | country | domain | locality | organization | organization-unit | state} eap {all | dn {common-name | country | domain | locality | organization | organization-unit | state} | prefix | suffix {delimiter {. | @ | \}}} email {all | domain | username} fqdn {all | domain | hostname} end dn = Derives the name from any of the noted fields in the remote identity of type DN common-name country domain locality organization organization-unit state https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/xe-16-10/sec-flex-vpn-xe-16-10-book/sec-cfg-flex-serv.html=

B. The OU of the IKEv2 peer certificate is used as the identity when matching an IKEv2 authorization policy.

B is correct

The correct answer is B. The "match identity certificate" command in the IKEv2 authorization policy is used to specify that the OU (Organizational Unit) attribute of the IKEv2 peer certificate should be used as the identity when matching the policy. The OU attribute is set to "MANGLER" in this case. So, when an IKEv2 peer with a certificate that has an OU attribute of "MANGLER" attempts to establish an IKEv2 SA, the router will use the OU attribute as the identity when matching the authorization policy. If the policy is a match, the SA will be established successfully.