Examice

Exam nse7_zta-72 All QuestionsBrowse all questions from this exam

Go to Exam

Question 20

Refer to the exhibit.

User student is not able to log in to SSL VPN.

Given the output showing a real-time debug, which statement describes the login failure?

Unable to verify chain of trust for the peer certificate.

CN does not match the user peer configuration.

student is not part of the usergroup SSL_VPN_Users.

Client certificate has expired.

Correct Answer: B

The problem lies in the mismatch of the CN in the certificate subject. The output indicates that the CN 'student' does not match the expected configuration, resulting in the failure to verify the user's identity during the SSL VPN login process.

Discussion

lil_pc1972

FortiClient validates certificates using the following industry standards: The domain or FQDN that FortiClient is connecting to, matches the domain to which the certificate is issued. The validation process correctly handles wildcards in the domain name in the certificate. The validation process considers both the CN in the subject or the SAN. The certificate expiry date is in the future. The certificate has not expired. The certificate issuer or the root certificate in the certificate chain is from a publicly trusted CA. Trusted CAs are read from the operating system.

d567468Option: B

The certificate subject CN "student" fails to match the user peer configuration, leading to the login failure.