This scenario describes an enterprise VPN setup that requires machine authentication before a user logs in. The best explanation for this requirement is that the VPN client selects the appropriate certificate automatically, based on the key extension in the machine certificate.
Understanding the Key Extension Requirement:
The PKI (Public Key Infrastructure) issues machine certificates that carry specific extended key usage (EKU) values, such as Client Authentication or IPSec IKE Intermediate.
Key usage extensions define what a certificate may be used for, so the VPN client can restrict its choice to certificates that are valid for this purpose.
Why Option B is Correct:
The VPN client automatically selects the machine certificate that carries the appropriate key extension.
The selection happens without user intervention, so VPN authentication completes seamlessly before the user logs in.
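The following added example (not part of the original explanation or any vendor's VPN client) shows the selection logic in miniature: it decodes the DER-encoded extKeyUsage extension of each certificate in a constructed, hypothetical machine store and picks the first machine certificate that is issued by the internal CA, is within its validity period, has a private key, and carries Client Authentication or IPSec IKE Intermediate. The store contents, the CA name and the helper names are assumptions for illustration.

```python
from datetime import date

# Extended Key Usage OIDs: id-kp-clientAuth (RFC 5280) and IPSec IKE Intermediate (Microsoft).
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
IKE_INTERMEDIATE = "1.3.6.1.5.5.8.2.2"
ACCEPTED_EKUS = {CLIENT_AUTH, IKE_INTERMEDIATE}

def decode_oid(body: bytes) -> str:  # DER OBJECT IDENTIFIER content octets -> dotted string
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:  # remaining arcs are base-128, high bit set means "more bytes follow"
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_eku(der: bytes) -> list[str]:  # extKeyUsage value: SEQUENCE OF OID, short-form lengths
    assert der[0] == 0x30, "extKeyUsage value must be a SEQUENCE"
    pos, end, oids = 2, 2 + der[1], []
    while pos < end:
        assert der[pos] == 0x06, "expected OBJECT IDENTIFIER inside extKeyUsage"
        length = der[pos + 1]
        oids.append(decode_oid(der[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return oids

def select_machine_cert(store: list[dict], today: date, trusted_issuer: str):
    """Return the subject of the first certificate a pre-logon VPN client may use, else None."""
    for cert in store:
        usable = (cert["store"] == "LocalMachine" and cert["has_key"]  # machine cert, key present
                  and cert["issuer"] == trusted_issuer                  # issued by the internal PKI
                  and cert["not_before"] <= today <= cert["not_after"]  # inside validity window
                  and ACCEPTED_EKUS & set(parse_eku(cert["eku"])))      # carries a required EKU
        if usable:
            return cert["subject"]
    return None

# Constructed sample store (hypothetical, not real certificates); EKU values are DER bytes.
EKU_CLIENT_AND_IKE = bytes.fromhex("3014" "06082b06010505070302" "06082b06010505080202")
EKU_SERVER_ONLY = bytes.fromhex("300a" "06082b06010505070301")
CA, TODAY = "CN=Corp Issuing CA", date(2025, 6, 1)

def _cert(subject, store, eku, not_after=date(2026, 1, 1)):
    return {"subject": subject, "store": store, "has_key": True, "issuer": CA,
            "not_before": date(2022, 1, 1), "not_after": not_after, "eku": eku}

SAMPLE_STORE = [
    _cert("CN=vpn-gw.corp.example", "LocalMachine", EKU_SERVER_ONLY),                    # wrong EKU
    _cert("CN=alice", "CurrentUser", EKU_CLIENT_AND_IKE),                                # user cert
    _cert("CN=laptop-42 (expired)", "LocalMachine", EKU_CLIENT_AND_IKE, date(2023, 1, 1)),
    _cert("CN=laptop-42.corp.example", "LocalMachine", EKU_CLIENT_AND_IKE),              # selected
]
```

Calling `select_machine_cert(SAMPLE_STORE, TODAY, CA)` skips the server-only, user and expired entries and returns the current laptop certificate; with no qualifying entry it returns `None`, which is the condition a client would log before login.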
Why Other Options Are Incorrect:
A (MFA requirement): The certificates in this scenario are used for machine authentication, not user MFA. MFA typically combines user credentials with a second factor (such as OTPs or biometrics), which is not applicable here.
C (Wi-Fi connectivity before login): This refers to pre-logon networking, a separate concept in which devices authenticate to a Wi-Fi network before login, usually via 802.1X EAP-TLS. The question, however, specifically concerns VPN authentication, not Wi-Fi authentication.
D (SSL VPN with certificates): While SSL VPNs do use certificates, this scenario involves machine certificates issued by an internal PKI, which are commonly used in IPSec VPNs rather than SSL VPNs.
[Reference: CompTIA SecurityX CAS-005 Official Study Guide, section on Machine Certificate Authentication in VPNs; NIST SP 800-53, guidelines on authentication mechanisms; RFC 5280, Internet X.509 Public Key Infrastructure Certificate and CRL Profile]