CCDE: Cisco Certified Design Expert (Practical) — Question 194
An IT service provider is upgrading network infrastructure to comply with PCI security standards. The network team finds that 802.1X and VPN authentication based on locally significant certificates are not available on some legacy phones.
Which workaround solution meets the requirement?
Answer options
- A. Enable phone VPN authentication based on end-user username and password
- B. Replace legacy phones with new phones because the legacy phones will lose trust if the certificate is renewed
- C. Temporarily allow fallback to TLS 1.0 when using certificates and then upgrade the software on legacy phones
- D. Use authentication-based clear text password with no EAP-MD5 on the legacy phones
Correct answer: A
Explanation
Option A is correct because enabling VPN authentication with user credentials allows legacy phones to authenticate without relying on unsupported certificate-based methods. The other options either require replacing hardware, which may not be feasible, or involve insecure practices, such as allowing outdated TLS versions or using clear text passwords, which do not comply with PCI standards.