CompTIA CNX-001 Exam - Topic 3 Question 20 Discussion

Actual exam question for CompTIA's CNX-001 exam

Question #: 20
Topic #: 3

A customer asks a MSP to propose a ZTA design for its globally distributed remote workforce. Given the following requirements:

Authentication should be provided through the customer's SAML identity provider.

Access should not be allowed from countries where the business does not operate.

Secondary authentication should be added to the workflow to allow for passkeys.

Changes to the user's device posture and hygiene should require reauthentication into the network.

Access to the network should only be allowed to originate from corporate-owned devices.

Which of the following solutions should the MSP recommend to meet the requirements?

AEnforce certificate-based authentication.
Permit unauthenticated remote connectivity only from corporate IP addresses.
Enable geofencing.
Use cookie-based session tokens that do not expire for remembering user log-ins.
Increase RADIUS server timeouts.

BEnforce posture assessment only during the initial network log-on.
Implement RADIUS for SSO.
Restrict access from all non-U.S. IP addresses.
Configure a BYOD access policy.
Disable auditing for remote access.

CChain the existing identity provider to a new SAML.
Require the use of time-based one-time passcode hardware tokens.
Enable debug logging on the VPN clients by default.
Disconnect users from the network only if their IP address changes.

DConfigure geolocation settings to block certain IP addresses.
Enforce MFA.
Federate the solution via SSO.
Enable continuous access policies on the WireGuard tunnel.
Create a trusted endpoints policy.

Show Suggested Answer

Suggested Answer: D

Federate the solution via SSO ensures authentication is handled by the customer's SAML identity provider.

Enforce MFA supports secondary authentication with passkeys.

Configure geolocation settings to block certain IP addresses prevents access from unauthorized countries.

Enable continuous access policies on the WireGuard tunnel forces re-authentication whenever device posture or hygiene changes.

Create a trusted endpoints policy restricts access to corporate-owned devices only.

by Rosendo at Jun 01, 2026, 11:39 PM

Limited Time Offer

25%

Off

Get Premium CNX-001 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Currently there are no comments in this discussion, be the first to comment!