Exam 300-730 topic 1 question 107 discussion

To accomplish the goals of ensuring only corporate issued laptops and devices connect with the Cisco AnyConnect client, as well as providing remote remediation for stolen devices, it is recommended to use machine certificates for authentication. By installing and authenticating machine certificates on the devices, you can establish a secure connection between the client and the Cisco AnyConnect VPN gateway. This ensures that only devices with valid machine certificates issued by the corporate domain can connect to the VPN. Additionally, machine certificates provide a higher level of security and are applicable to multiple operating systems, including Windows, MacOS, and Linux. This allows for a consistent and unified approach across different platforms. By using machine certificates, if a corporate issued device is stolen or compromised, the certificate can be revoked or disabled remotely. This prevents unauthorized access to the VPN, enhancing security and mitigating potential risks.

Certificate on the machine is the best option here.

if rght answer is D then why admin of this site letting wrong answers show???

Machine certificates is the right solution. (D) DAP registry check (A) is wrong, there is no registry in Mac or Linux

Customers usually do double authentication using RADIUS or LDAP plus Machine Certificate, to make sure the certificate is signed and belongs to the domain.

A is answr

DAP will not revoke access to a stolen or lost PC. It only verifies that the system meets specific security requirements such as antivirus being installed. A machine certificate, however, can be revoked on the CA server that the VPN head end will validate against.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asdm78/vpn/asdm-78-vpn-config/vpn-asdm-dap.html#ID-2184-00000017