Question 1
How do you define the authentication method that will be used with AAA?
A. With a method list
B. With the method command
C. With the method aaa command
D. With a method statement
Answer: A
Explanation
A method list is a sequential list of authentication methods to query to authenticate a user. Method lists enable you to designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method cannot answer. Note that the next method in the list is consulted only when the previous one returns an error (for example, the AAA server is unreachable), not when it actually rejects the credentials.
When you first enable AAA, there is a default method list named default, which is automatically applied to all interfaces and lines, but which has no authentication methods defined. To configure AAA authentication, you must first either define a list of authentication methods for the default method, or configure your own named method lists and apply them to interfaces or lines. For flexibility, you can apply different method lists to different interfaces and lines. If an interface or line has a nondefault method list applied to it, that method overrides the default method list.
(Reference: Implementing Cisco IOS Network Security – Self Study)
Question 2
What is the objective of the aaa authentication login console-in local command?
A. It specifies the login authorization method list named console-in using the local RADIUS username-password database
B. It specifies the login authorization method list named console-in using the local username-password database on the router
C. It specifies the login authentication method list named console-in using the local user database on the router
D. It specifies the login authentication list named console-in using the local username-password database on the router
Answer: C
Question 3
Which one of the following commands can be used to enable AAA authentication to determine if a user can access the privilege command level?
A. aaa authentication enable default local
B. aaa authentication enable level
C. aaa authentication enable method default
D. aaa authentication enable default
Answer: D
Question 4
Which two ports are used with RADIUS authentication and authorization? (Choose two)
A. TCP port 2002
B. UDP port 2000
C. UDP port 1645
D. UDP port 1812
Answer: C D
Question 5
Which two statements about configuring the Cisco ACS server to perform router command authorization are true? (Choose two)
A. In the ACS User Group setup screen, use the Shell Command Authorization Set options to configure which commands and command arguments to permit or deny.
B. From the ACS Interface Configuration screen, select RADIUS (Cisco IOS/PIX 6.0), and then enable the Shell (exec) option on the RADIUS Services screen.
C. When adding the router as an AAA client on the Cisco ACS server, choose the TACACS+ (Cisco IOS) protocol.
D. Configure the Cisco ACS server to forward authentication of users to an external user database, such as a Windows database.
Answer: A C
Question 6
What should be enabled before any user views can be created during role-based CLI configuration?
A. usernames and passwords
B. secret password for the root user
C. aaa new-model command
D. multiple privilege levels
Answer: C
Question 7
Which of the following is perceived as a drawback of implementing Fibre Channel Authentication Protocol (FCAP)?
A. It is restricted in size to only three segments
B. It requires the implementation of IKE
C. It relies on an underlying Public Key Infrastructure (PKI)
D. It requires the use of netBT as the network protocol
Answer: C
Explanation
FCAP relies on an underlying public key infrastructure (PKI) to provide enterprise-class security. By using PKI, often present in more security-conscious organizations, as a foundational element, along with a certificate-based protocol, FCAP provides numerous advantages. Central among these are strong authentication and management data integrity.
For some organizations, the complexities associated with a PKI can be daunting. This is the only significant argument against FCAP.
(Reference: CCNA Security Official Exam Certification Guide)
Question 8
Match each characteristic below with the protocol (TACACS+ or RADIUS) that it describes:
1. Has no option to authorize router commands
2. Encrypts the entire packet
3. Combines authentication and authorization functions
4. Uses TCP port 49
A. TACACS+ – 1 and 3
RADIUS – 2 and 4
B. TACACS+ – 2 and 4
RADIUS – 1 and 3
C. TACACS+ – 1 and 4
RADIUS – 2 and 3
D. TACACS+ – 2 and 3
RADIUS – 1 and 4
Answer: B
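The difference behind items 2 and 4 is easiest to see on the wire. The following is an added example (not code from the original page or from any vendor) that builds one RADIUS Access-Request (RFC 2865) and one TACACS+ authentication START packet (RFC 8907) from constructed values and checks which fields a passive observer can read. RADIUS hides only the User-Password attribute, using an MD5-based XOR stream keyed by the shared secret and the Request Authenticator; everything else, including User-Name, is cleartext. TACACS+ obfuscates the whole body after its 12-byte header, so "encrypts the entire packet" in the question is exam shorthand: the header (version, type, sequence number, flags, session ID, length) is always readable. The shared secret, usernames, ports and session ID below are constructed values.

```python
"""RADIUS vs TACACS+ on the wire: which fields each protocol hides.

Added example; not code from the original page or from any vendor.  Both
schemes are MD5-based obfuscation keyed by a shared secret rather than modern
encryption, so the management network carrying them still needs protection.
"""
import hashlib
import os
import struct

RADIUS_AUTH_PORT = 1812        # UDP; 1645 is the legacy authentication port (Question 4)
TACACS_PORT = 49               # TCP (Question 8)
TAC_PLUS_UNENCRYPTED_FLAG = 0x01

# ---------- RADIUS (RFC 2865, section 5.2) ----------
def _radius_xor_stream(data: bytes, secret: bytes, req_auth: bytes, decrypt: bool) -> bytes:
    """b1 = MD5(secret|RA), c1 = p1 ^ b1, b2 = MD5(secret|c1), c2 = p2 ^ b2, ..."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        res = bytes(x ^ y for x, y in zip(block, key))
        out += res
        prev = block if decrypt else res          # always chain on the ciphertext block
    return out

def radius_hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)   # NUL-pad to a 16-byte multiple
    return _radius_xor_stream(padded, secret, req_auth, decrypt=False)

def radius_reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    return _radius_xor_stream(hidden, secret, req_auth, decrypt=True).rstrip(b"\x00")

def radius_access_request(ident: int, req_auth: bytes, secret: bytes,
                          username: bytes, password: bytes) -> bytes:
    """Code 1 = Access-Request.  User-Name (type 1) is sent in clear, User-Password (type 2) hidden."""
    def attr(t, v):
        return struct.pack("!BB", t, len(v) + 2) + v
    attrs = attr(1, username) + attr(2, radius_hide_password(password, secret, req_auth))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

# ---------- TACACS+ (RFC 8907, section 4.5) ----------
def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """pseudo_pad = MD5_1 | MD5_2 | ...  with MD5_n = MD5(session_id|key|version|seq_no|MD5_n-1)."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def tacacs_authen_start(user: bytes, port: bytes, rem_addr: bytes, data: bytes) -> bytes:
    """Authentication START body: action LOGIN(1), priv_lvl 1, authen_type PAP(2), service LOGIN(1)."""
    return (struct.pack("!BBBBBBBB", 1, 1, 2, 1, len(user), len(port), len(rem_addr), len(data))
            + user + port + rem_addr + data)

def tacacs_packet(session_id: int, key: bytes, seq_no: int, body: bytes, flags: int = 0) -> bytes:
    """12-byte header (always clear) + body XOR pseudo_pad, unless the unencrypted flag is set."""
    version, pkt_type = 0xC0, 1                        # major 0xC, minor 0; TAC_PLUS_AUTHEN
    header = struct.pack("!BBBBII", version, pkt_type, seq_no, flags, session_id, len(body))
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return header + body
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return header + bytes(b ^ p for b, p in zip(body, pad))

def tacacs_body(packet: bytes, key: bytes) -> bytes:
    """Undo the obfuscation (XOR is its own inverse) given the shared key."""
    version, _t, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return bytes(b ^ p for b, p in zip(body, tacacs_pad(session_id, key, version, seq_no, length)))

def visible_on_wire(packet: bytes, *needles: bytes) -> dict:
    """Which of the given sensitive strings a passive observer can read from the raw packet."""
    return {n.decode(): n in packet for n in needles}

if __name__ == "__main__":
    user, pw, secret = b"admin", b"hardtOcRackPw", b"sharedS3cret"    # constructed values
    ra = os.urandom(16)                                                 # Request Authenticator
    rad = radius_access_request(7, ra, secret, user, pw)
    tac = tacacs_packet(0x1234ABCD, secret, 1, tacacs_authen_start(user, b"tty0", b"", pw))
    print("RADIUS :", visible_on_wire(rad, user, pw))   # username readable, password not
    print("TACACS+:", visible_on_wire(tac, user, pw))   # neither readable
```

The RADIUS attribute list is also where Cisco would carry authorization (Cisco AV pairs inside an Access-Accept), which is why item 3 (authentication and authorization in one exchange) belongs to RADIUS and per-command authorization (item 1) is only available with TACACS+.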
Question 9
Which statement is correct regarding the aaa configurations based on the exhibit provided?
R(config)# username admin privilege 15 secret hardtOcRackPw
R(config)# aaa new-model
R(config)# aaa authentication login default tacacs+
R(config)# aaa authentication login test tacacs+ local
R(config)# line vty 0 4
R(config-line)# login authentication test
R(config-line)# line con 0
R(config-line)# end
A. The authentication method list used by the console port is named test
B. The authentication method list used by the vty port is named test
C. If the TACACS+ AAA server is not available, console access to the router can be authenticated using the local database
D. If the TACACS+ AAA server is not available, no users will be able to establish a Telnet session with the router
Answer: B
Question 10
Which one of the aaa accounting commands can be used to enable logging of both the start and stop records for user terminal sessions on the router?
A. aaa accounting connection start-stop tacacs+
B. aaa accounting network start-stop tacacs+
C. aaa accounting exec start-stop tacacs+
D. aaa accounting system start-stop tacacs+
Answer: C
Question 11
Which of the following can be used to authenticate the IPsec peers during IKE Phase 1?
A. XAUTH
B. pre-shared key
C. integrity check value
D. Diffie-Hellman Nonce
Answer: B
Explanation
Internet Key Exchange (IKE) executes the following phases:
+ IKE Phase 1: Two IPsec peers perform the initial negotiation of SAs. Phase 1 generates an Internet Security Association and Key Management Protocol (ISAKMP) SA, used for management traffic. Public key techniques or, alternatively, a pre-shared key, are used to mutually authenticate the communicating parties. Phase 1 operates in either Main Mode or Aggressive Mode. Main Mode protects the identity of the peers; Aggressive Mode does not.
+ IKE Phase 2: SAs are negotiated by the IKE process ISAKMP on behalf of other services, such as IPsec, that need encryption key material for operation. IKE Phase 2 is used to build IPsec SAs, which are for passing end-user data.
Additional services, such as dead peer detection (DPD) and Mode Config, are negotiated as part of the IKE Phase 1 exchange.
Question 12
Which statement is true about a certificate authority (CA)?
A. A trusted third party responsible for signing the private keys of entities in a PKI-based system
B. A trusted third party responsible for signing the public keys of entities in a PKI-based system
C. An entity responsible for registering the private key encryption used in a PKI
D. An agency responsible for granting and revoking public-private key pairs
Answer: B
Question 13
In computer security, AAA commonly stands for “authentication, authorization and accounting”. Which three of the following are common examples of AAA implementation on Cisco routers? (Choose three)
A. authenticating remote users who are accessing the corporate LAN through IPSec VPN connections
B. authenticating administrator access to the router console port, auxiliary port, and vty ports
C. securing the router by locking down all unused services
D. performing router command authorization using TACACS+
Answer: A B D
Question 14
When configuring AAA login authentication on Cisco routers, which two authentication methods should be used as the final method to ensure that the administrator can log in to the router in case the external AAA server fails?
A. Group RADIUS
B. Group TACACS+
C. Local
D. Krb5
E. Enable
F. If-authenticated
Answer: C E
Explanation
If you are working with multiple authentication methods, it is a best practice to have either local or enable authentication as the final method to recover from a severed link to the chosen method server.
Notice:
+ “Local authentication”: login authentication method list named console-in using the local username-password database on the router (command: aaa authentication login console-in local)
+ “Enable authentication”: specify a default login authentication method list using the enable password (command: aaa authentication login default enable)
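Questions 1, 9 and 14 all turn on the same two rules: which method list a line actually uses, and when the next method in a list is consulted. The following simulation is an added example (not code from the original page or from Cisco) that parses the Question 9 exhibit and walks its method lists under three conditions: TACACS+ server unreachable on the console, unreachable on a vty, and reachable but rejecting the credentials. The server-side user database, the outcome names PASS/FAIL/ERROR and the simplified handling of the local and enable methods are assumptions of this model, marked in the code.

```python
"""Cisco IOS AAA login method-list selection and fallback, simulated.

Added example, not code from the original page or from Cisco.  It models the
semantics the page describes: a line uses the list named 'default' unless a
named list is bound to it with 'login authentication <name>'; methods run in
order, and the next one is consulted only when the current one returns ERROR
(servers unreachable).  A FAIL (server reachable, credentials rejected) is final.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# Constructed from the Question 9 exhibit (real IOS syntax is 'privilege 15').
EXHIBIT = """
username admin privilege 15 secret hardtOcRackPw
aaa new-model
aaa authentication login default tacacs+
aaa authentication login test tacacs+ local
line vty 0 4
 login authentication test
line con 0
"""

@dataclass
class AAAConfig:
    method_lists: Dict[str, List[str]] = field(default_factory=dict)  # list name -> methods
    line_lists: Dict[str, str] = field(default_factory=dict)          # "vty"/"con"/"aux" -> list name
    local_users: Dict[str, str] = field(default_factory=dict)         # username -> secret
    enable_secret: Optional[str] = None

def normalize_methods(tokens: List[str]) -> List[str]:
    """Join 'group tacacs+' / 'group radius' into one method token."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            out.append("group " + tokens[i + 1])
            i += 2
        else:
            out.append(tokens[i])
            i += 1
    return out

def parse_config(text: str) -> AAAConfig:
    """Parse the small subset of IOS commands used by the exhibit."""
    cfg, current_line = AAAConfig(), None
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[0] == "username" and "secret" in w:           # username NAME privilege N secret PW
            cfg.local_users[w[1]] = w[w.index("secret") + 1]
        elif w[:3] == ["aaa", "authentication", "login"]:  # aaa authentication login LIST m1 m2 ...
            cfg.method_lists[w[3]] = normalize_methods(w[4:])
        elif w[:2] == ["enable", "secret"]:
            cfg.enable_secret = w[2]
        elif w[0] == "line":                                # line vty 0 4 / line con 0
            current_line = w[1]
        elif w[:2] == ["login", "authentication"] and current_line:
            cfg.line_lists[current_line] = w[2]
    return cfg

def resolve_list(cfg: AAAConfig, line: str) -> str:
    """A line uses the named list bound to it, if any; otherwise the 'default' list."""
    return cfg.line_lists.get(line, "default")

def run_method(method: str, cfg: AAAConfig, user: str, pw: str,
               server_up: bool, server_users: Dict[str, str]) -> str:
    """One method's outcome.  Server methods ERROR when the server is down; 'local' and
    'enable' are simplified to PASS/FAIL, and a missing enable secret counts as ERROR
    (assumptions of this model)."""
    if method in ("tacacs+", "radius", "group tacacs+", "group radius"):
        if not server_up:
            return ERROR
        return PASS if server_users.get(user) == pw else FAIL
    if method == "local":
        return PASS if cfg.local_users.get(user) == pw else FAIL
    if method == "enable":
        if cfg.enable_secret is None:
            return ERROR
        return PASS if pw == cfg.enable_secret else FAIL
    raise ValueError("unsupported method: " + method)

def authenticate(cfg: AAAConfig, line: str, user: str, pw: str, *, server_up: bool,
                 server_users: Dict[str, str]) -> Tuple[str, str, List[Tuple[str, str]]]:
    """Walk the line's list; returns (outcome, list name, per-method trace).
    An exhausted list (every method ERRORed, or no methods at all) denies access."""
    name, trace = resolve_list(cfg, line), []
    for m in cfg.method_lists.get(name, []):
        outcome = run_method(m, cfg, user, pw, server_up, server_users)
        trace.append((m, outcome))
        if outcome != ERROR:          # PASS or FAIL is final; only ERROR falls through
            return outcome, name, trace
    return ERROR, name, trace

if __name__ == "__main__":
    cfg, tacacs_db = parse_config(EXHIBIT), {"netops": "S3rverSidePw"}   # constructed server DB
    for line, up in [("con", False), ("vty", False), ("vty", True)]:
        print(line, "server_up=%s" % up,
              authenticate(cfg, line, "admin", "hardtOcRackPw", server_up=up, server_users=tacacs_db))
```

Running it shows the console denied while the server is down (its list is "default", which has no fallback), the vty line falling through to the local database, and, with the server up but rejecting "admin", the vty attempt ending in FAIL without ever consulting the local database. That last case is why "local" or "enable" as the final method (Question 14) only protects against a lost server, not against a server that answers.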