Ensurepass

 

 

QUESTION 51

Which three options are common examples of AAA implementation on Cisco routers? (Choose three.)

 

A.

authenticating remote users who are accessing the corporate LAN through IPsec VPN connections

B.

authenticating administrator access to the router console port, auxiliary port, and vty ports

C.

implementing PKI to authenticate and authorize IPsec VPN peers using digital certificates

D.

tracking Cisco NetFlow accounting statistics

E.

securing the router by locking down all unused services

F.

performing router commands authorization using TACACS+

 

Correct Answer: ABF

Explanation:

http://www.cisco.com/en/US/products/ps6638/products_data_sheet09186a00804fe332.html

 

Need for AAA Services

Security for user access to the network and the ability to dynamically define a user’s profile to gain access to network resources has a legacy dating back to asynchronous dial access. AAA network security services provide the primary framework through which a network administrator can set up access control on network points of entry or network access servers, which is usually the function of a router or access server.

 

Authentication identifies a user; authorization determines what that user can do; and accounting monitors the network usage time for billing purposes.

AAA information is typically stored in an external database or remote server such as RADIUS or TACACS+.

The information can also be stored locally on the access server or router. Remote security servers, such as RADIUS and TACACS+, assign users specific privileges by associating attribute-value (AV) pairs, which define the access rights, with the appropriate user. All authorization methods must be defined through AAA.

QUESTION 52

When AAA login authentication is configured on Cisco routers, which two authentication methods should be used as the final method to ensure that the administrator can still log in to the router in case the external AAA server fails? (Choose two.)

 

A.

group RADIUS

B.

group TACACS+

C.

local

D.

krb5

E.

enable

F.

if-authenticated

 

Correct Answer: CE

Explanation:

http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scftplus.html

 

TACACS+ Authentication Examples

The following example shows how to configure TACACS+ as the security protocol for PPP authentication:

aaa new-model

aaa authentication ppp test group tacacs+ local

tacacs-server host 10.1.2.3

tacacs-server key goaway

interface serial 0

ppp authentication chap pap test

The lines in the preceding sample configuration are defined as follows:

The aaa new-model command enables the AAA security services.

The aaa authentication command defines a method list, “test,” to be used on serial interfaces running PPP.

The keyword group tacacs+ means that authentication will be done through TACACS+. If TACACS+ returns an ERROR of some sort during authentication (for example, no server answers before the timeout), the keyword local indicates that authentication will be attempted using the local database on the network access server. A FAIL, meaning the server answered and rejected the credentials, is not an ERROR: the next method is not consulted, so a local-only account does not work while the server is reachable, and the local database only becomes the deciding method when the server is down.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800946a3.shtml

Authentication

Start to configure TAC+ on the router. Enter enable mode and type configure terminal before the command set. This command syntax ensures that you are not locked out of the router initially, providing the tac_plus_executable is not running:

!--- Turn on TAC+.

aaa new-model

enable password whatever

!--- These are lists of authentication methods.

!--- "linmethod", "vtymethod", "conmethod", and

!--- so on are names of lists, and the methods

!--- listed on the same lines are the methods

!--- in the order to be tried. As used here, if

!--- authentication fails due to the

!--- tac_plus_executable not being started, the

!--- enable password is accepted because

!--- it is in each list.

!

aaa authentication login linmethod tacacs+ enable

aaa authentication login vtymethod tacacs+ enable

aaa authentication login conmethod tacacs+ enable
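Both configurations above depend on one IOS rule that the exam answer (local and enable as the last methods) is built on: a method list falls through to the next entry only on ERROR, never on FAIL. The model below is an added illustration, not Cisco code; it makes that rule executable so the failure modes can be checked. The server state, user databases, enable secret and user names are constructed, and the method set is limited to the keywords used on this page.

```python
"""How IOS walks a login method list: fall through on ERROR, stop on FAIL.

Added model, not Cisco code. A method list such as "group tacacs+ local
enable" consults the next entry only when the current one returns ERROR
(no server answered); a FAIL (the server answered and rejected the
credentials) ends the attempt at once. Environment and user names below
are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class Env:
    tacacs_reachable: bool                               # can the AAA server be reached?
    tacacs_users: Dict[str, str] = field(default_factory=dict)  # server-side accounts
    local_users: Dict[str, str] = field(default_factory=dict)   # 'username ... password' on the router
    enable_secret: str = ""                              # 'enable secret' on the router


def method_group_tacacs(env: Env, user: str, pw: str) -> str:
    if not env.tacacs_reachable:
        return ERROR                      # timeout / no response: the next method is tried
    return PASS if env.tacacs_users.get(user) == pw else FAIL


def method_local(env: Env, user: str, pw: str) -> str:
    return PASS if env.local_users.get(user) == pw else FAIL


def method_enable(env: Env, user: str, pw: str) -> str:
    return PASS if pw == env.enable_secret else FAIL   # any username, the enable password


def method_none(env: Env, user: str, pw: str) -> str:
    return PASS                           # no authentication at all: everyone gets in


METHODS = {
    "group tacacs+": method_group_tacacs,
    "local": method_local,
    "enable": method_enable,
    "none": method_none,
}


def parse_method_list(spec: str) -> List[str]:
    """'group tacacs+ local enable' -> ['group tacacs+', 'local', 'enable']."""
    tokens, out, i = spec.split(), [], 0
    while i < len(tokens):
        if tokens[i] == "group":
            out.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            out.append(tokens[i])
            i += 1
    return out


def authenticate(spec: str, env: Env, user: str, pw: str
                 ) -> Tuple[str, Optional[str], List[Tuple[str, str]]]:
    """Return (outcome, deciding method, trace of every method consulted).

    Outcome ERROR with deciding method None means every method errored; IOS
    then denies the login, which is the lockout the exam question is about.
    """
    trace: List[Tuple[str, str]] = []
    for name in parse_method_list(spec):
        result = METHODS[name](env, user, pw)
        trace.append((name, result))
        if result != ERROR:
            return result, name, trace
    return ERROR, None, trace


def survives_server_outage(spec: str) -> bool:
    """True when the list contains a method that does not need the AAA server."""
    return any(m in ("local", "enable", "none") for m in parse_method_list(spec))


def opens_up_when_server_down(spec: str) -> bool:
    """True when the first non-server method is 'none': an outage disables authentication."""
    rest = [m for m in parse_method_list(spec) if not m.startswith("group ")]
    return bool(rest) and rest[0] == "none"
```

Run `authenticate("group tacacs+ local", env, "admin", "localpw")` with the server reachable to see the subtle case: the TACACS+ server answers FAIL for an account it does not know, and the local entry is never consulted.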

 

 

QUESTION 53

Which two characteristics of the TACACS+ protocol are true? (Choose two.)

 

A.

uses UDP ports 1645 or 1812

B.

separates AAA functions

C.

encrypts the body of every packet

D.

offers extensive accounting capabilities

E.

is an open RFC standard protocol

 

Correct Answer: BC

Explanation:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml

 

Packet Encryption

RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party. (Even the password protection is not encryption in the usual sense: the User-Password attribute is XORed with an MD5 digest of the shared secret and the Request Authenticator, so a captured packet plus a weak shared secret is an offline dictionary-attack target.)

TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets unencrypted. However, during normal operation, the body of the packet is fully encrypted for more secure communications. (The TACACS+ body protection is likewise a keyed MD5 keystream XOR, which RFC 8907 calls obfuscation rather than encryption. A strong shared key and a trusted management path are still needed, and a packet with the unencrypted flag set seen on a production network is worth alerting on.)

Authentication and Authorization

RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.

 

TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.

 

During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.
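The header/body split described under Packet Encryption, as an added example that is not code from the page or from Cisco: a TACACS+ packet builder and parser implementing the RFC 8907 header layout and the MD5 keystream obfuscation of the body. It shows that the 12-byte header is always readable to anyone on the path, that the flags byte announces a cleartext body, and that only the holder of the shared key recovers the body. The session id, shared key (goaway, reused from the configuration example above), user and port values are constructed.

```python
"""TACACS+ header and body obfuscation (RFC 8907 section 4).

Added example, not from the page or from Cisco. Demonstrates that the header
goes in the clear with a flag saying whether the body is obfuscated, and that
the body is XORed with an MD5 keystream over session id, key, version and
seq_no. Session id, key, user and port are constructed test data.
"""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # flags bit: body is sent in cleartext
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def keystream(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """pad_1 = MD5(session_id|key|version|seq_no); pad_n = MD5(same|pad_n-1)."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(prefix + prev).digest()
        out += prev
    return out[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    ks = keystream(session_id, key, version, seq_no, len(body))
    return bytes(b ^ k for b, k in zip(body, ks))


deobfuscate = obfuscate  # XOR with the same keystream restores the body


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes, action: int = 1,
                      priv_lvl: int = 1, authen_type: int = 1, service: int = 1) -> bytes:
    """Authentication START body: fixed one-byte fields, then the strings.
    Defaults: action LOGIN (1), authen_type ASCII (1), service LOGIN (1)."""
    return (bytes([action, priv_lvl, authen_type, service,
                   len(user), len(port), len(rem_addr), 0])
            + user + port + rem_addr)


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int,
                 plaintext: bool = False) -> bytes:
    flags = TAC_PLUS_UNENCRYPTED_FLAG if plaintext else 0
    payload = body if plaintext else obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    return HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags,
                       session_id, len(body)) + payload


def parse_header(packet: bytes) -> dict:
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "session_id": session_id, "length": length,
            "body_in_clear": bool(flags & TAC_PLUS_UNENCRYPTED_FLAG)}


def decode_body(packet: bytes, key: bytes) -> bytes:
    """What the server does with the shared key: recover the body."""
    h = parse_header(packet)
    payload = packet[HEADER.size:HEADER.size + h["length"]]
    if h["body_in_clear"]:
        return payload
    return deobfuscate(payload, h["session_id"], key, h["version"], h["seq_no"])


def sniff(packet: bytes) -> dict:
    """What a passive observer without the key learns: the header, plus a
    warning when the flag says the body is readable too."""
    h = parse_header(packet)
    h["warning"] = "body sent unencrypted" if h["body_in_clear"] else None
    return h


if __name__ == "__main__":
    body = authen_start_body(b"admin", b"tty19", b"172.31.60.15")
    pkt = build_packet(body, session_id=0x1234ABCD, key=b"goaway", seq_no=1)
    print(sniff(pkt))
    print("server recovers body:", decode_body(pkt, b"goaway") == body)
```

A production check is the `sniff()` warning: the flag is readable without the key, so a capture filter on TACACS+ (TCP 49) packets whose fourth byte has bit 0x01 set finds devices left in debug-style cleartext mode.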


QUESTION 54

Refer to the exhibit. Which statement about this output is true?

 

[Exhibit image clip_image002 not reproduced]

 

A.

The user logged into the router with the incorrect username and password.

B.

The login failed because there was no default enable password.

C.

The login failed because the password entered was incorrect.

D.

The user logged in and was given privilege level 15.

 

Correct Answer: C

Explanation:

http://www.cisco.com/en/US/docs/ios/12_2/debug/command/reference/dbfaaa.html

 

debug aaa authentication

To display information on AAA/Terminal Access Controller Access Control System Plus (TACACS+) authentication, use the debug aaa authentication privileged EXEC command. To disable debugging output, use the no form of the command.

debug aaa authentication

no debug aaa authentication

The following is sample output from the debug aaa authentication command. A single EXEC login that uses the "default" method list and the first method, TACACS+, is displayed. The TACACS+ server sends a GETUSER request to prompt for the username and then a GETPASS request to prompt for the password, and finally a PASS response to indicate a successful login. A rejected password goes through the same GETUSER/GETPASS exchange and ends with status = FAIL instead of PASS. The number 50996740 is the session ID, which is unique for each authentication. Use this ID number to distinguish between different authentications if several are occurring concurrently.

 

Router# debug aaa authentication

6:50:12: AAA/AUTHEN: create_user user='' ruser='' port='tty19' rem_addr='172.31.60.15' authen_type=1 service=1 priv=1

6:50:12: AAA/AUTHEN/START (0): port='tty19' list='' action=LOGIN service=LOGIN

6:50:12: AAA/AUTHEN/START (0): using "default" list

6:50:12: AAA/AUTHEN/START (50996740): Method=TACACS+

6:50:12: TAC+ (50996740): received authen response status = GETUSER

6:50:12: AAA/AUTHEN (50996740): status = GETUSER

6:50:15: AAA/AUTHEN/CONT (50996740): continue_login

6:50:15: AAA/AUTHEN (50996740): status = GETUSER

6:50:15: AAA/AUTHEN (50996740): Method=TACACS+

6:50:15: TAC+: send AUTHEN/CONT packet

6:50:15: TAC+ (50996740): received authen response status = GETPASS

6:50:15: AAA/AUTHEN (50996740): status = GETPASS

6:50:20: AAA/AUTHEN/CONT (50996740): continue_login

6:50:20: AAA/AUTHEN (50996740): status = GETPASS

6:50:20: AAA/AUTHEN (50996740): Method=TACACS+

6:50:20: TAC+: send AUTHEN/CONT packet

6:50:20: TAC+ (50996740): received authen response status = PASS

6:50:20: AAA/AUTHEN (50996740): status = PASS

 

 

QUESTION 55

Which aaa accounting command is used to enable logging of the start and stop records for user terminal sessions on the router?

 

A.

aaa accounting network start-stop tacacs+

B.

aaa accounting system start-stop tacacs+

C.

aaa accounting exec start-stop tacacs+

D.

aaa accounting connection start-stop tacacs+

E.

aaa accounting commands 15 start-stop tacacs+

 

Correct Answer: C

Explanation:

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html

 

aaa accounting

To enable authentication, authorization, and accounting (AAA) accounting of requested services for billing or security purposes when you use RADIUS or TACACS+, use the aaa accounting command in global configuration mode or template configuration mode. To disable AAA accounting, use the no form of this command.

aaa accounting {auth-proxy | system | network | exec | connection | commands level | dot1x} {default | list-name | guarantee-first} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] {radius | group group-name}

no aaa accounting {auth-proxy | system | network | exec | connection | commands level | dot1x} {default | list-name | guarantee-first} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] {radius | group group-name}

exec

Runs accounting for the EXEC shell session.

start-stop

Sends a “start” accounting notice at the beginning of a process and a “stop” accounting notice at the end of a process. The “start” accounting record is sent in the background. The requested user process begins regardless of whether the “start” accounting notice was received by the accounting server.

 

 

QUESTION 56

Which option is a characteristic of the RADIUS protocol?

 

A.

uses TCP

B.

offers multiprotocol support

C.

combines authentication and authorization in one process

D.

supports bi-directional challenge

 

Correct Answer: C

Explanation:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml

 

Authentication and Authorization

RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.

 

TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.

 

During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.
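The RADIUS side of the comparison, as an added example that is not code from the page or from Cisco: an Access-Request built with User-Name and User-Password, the password hidden the RFC 2865 way (16-byte chunks XORed with MD5(secret + Request Authenticator), chained), and a decoder that shows what an on-path observer without the shared secret still reads. It also carries the offline secret-guessing attack that a single captured request enables when one password is known, which is why "encrypts only the password" is a weak property. The shared secret (letmein, reused from the configuration example later on this page), Request Authenticator, username, password and the candidate list are constructed.

```python
"""RADIUS Access-Request: only User-Password is hidden (RFC 2865 section 5.2).

Added example, not from the page or from Cisco. Secret, authenticator,
username, password and the candidate-secret list are constructed test data.
"""
import hashlib
import struct

ACCESS_REQUEST = 1                 # RADIUS code
USER_NAME, USER_PASSWORD = 1, 2    # attribute types


def _chunks(data: bytes):
    return [data[i:i + 16] for i in range(0, len(data), 16)]


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """c1 = p1 XOR MD5(secret|RA); cn = pn XOR MD5(secret|c(n-1))."""
    if not 0 < len(password) <= 128:
        raise ValueError("RADIUS User-Password must be 1..128 octets")
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    out, prev = b"", authenticator
    for chunk in _chunks(padded):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(chunk, b))
        out += c
        prev = c                       # next chunk is keyed on the previous ciphertext
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for chunk in _chunks(hidden):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(p ^ k for p, k in zip(chunk, b))
        prev = chunk
    return out.rstrip(b"\x00")         # strip padding (passwords cannot end in NUL)


def attribute(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: bytes) -> bytes:
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, hide_password(password, secret, authenticator)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def observe(packet: bytes) -> dict:
    """Everything an observer without the secret can read: all attributes,
    with only the User-Password value unintelligible."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    authenticator, attrs, i = packet[4:20], {}, 20
    while i < length:
        atype, alen = packet[i], packet[i + 1]
        attrs[atype] = packet[i + 2:i + alen]
        i += alen
    return {"code": code, "id": ident, "authenticator": authenticator, "attrs": attrs}


def guess_secret(packet: bytes, known_password: bytes, candidates):
    """Offline attack: one captured request plus one known password lets an
    attacker test shared-secret candidates without touching the server."""
    seen = observe(packet)
    for cand in candidates:
        if reveal_password(seen["attrs"][USER_PASSWORD], cand, seen["authenticator"]) == known_password:
            return cand
    return None
```

Anything else in the request, such as NAS-IP-Address, NAS-Port or a Calling-Station-Id, would be added with `attribute()` and would be just as readable in `observe()` as User-Name is; a real Request Authenticator is 16 random bytes per request, and the value below is fixed only so the test is reproducible.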

 

 

QUESTION 57

Refer to the below. Which statement about this debug output is true?

 

[Exhibit image clip_image004 not reproduced]

A.

The requesting authentication request came from username GETUSER.

B.

The TACACS+ authentication request came from a valid user.

C.

The TACACS+ authentication request passed, but for some reason the user’s connection was closed immediately.

D.

The initiating connection request was being spoofed by a different source address.

 

Correct Answer: B

Explanation:

http://www.cisco.com/en/US/docs/ios/12_2/debug/command/reference/dbfser.html

 

debug tacacs

To display information associated with the TACACS, use the debug tacacs privileged EXEC command. The no form of this command disables debugging output.

debug tacacs

no debug tacacs

The following is sample output from the debug tacacs command for a TACACS login attempt that was successful, as indicated by the status PASS:

 

Router# debug tacacs

14:00:09: TAC+: Opening TCP/IP connection to 192.168.60.15 using source 10.116.0.79

14:00:09: TAC+: Sending TCP/IP packet number 383258052-1 to 192.168.60.15 (AUTHEN/START)

14:00:09: TAC+: Receiving TCP/IP packet number 383258052-2 from 192.168.60.15

14:00:09: TAC+ (383258052): received authen response status = GETUSER

14:00:10: TAC+: send AUTHEN/CONT packet

14:00:10: TAC+: Sending TCP/IP packet number 383258052-3 to 192.168.60.15 (AUTHEN/CONT)

14:00:10: TAC+: Receiving TCP/IP packet number 383258052-4 from 192.168.60.15

14:00:10: TAC+ (383258052): received authen response status = GETPASS

14:00:14: TAC+: send AUTHEN/CONT packet

14:00:14: TAC+: Sending TCP/IP packet number 383258052-5 to 192.168.60.15 (AUTHEN/CONT)

14:00:14: TAC+: Receiving TCP/IP packet number 383258052-6 from 192.168.60.15

14:00:14: TAC+ (383258052): received authen response status = PASS

14:00:14: TAC+: Closing TCP/IP connection to 192.168.60.15
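The session id in parentheses is what ties the lines of one login together when several logins are interleaved, as the Question 54 explanation notes, and it is present in both the debug aaa authentication format (Question 54) and the debug tacacs format (Question 57). The parser below is an added example, not from the page or from Cisco: it groups either format by session id, records port, remote address and method where the create_user and START lines supply them, keeps the sequence of statuses, and flags sessions whose last status is FAIL. The sample lines are constructed to mimic the two formats above, with a second, failed login interleaved.

```python
"""Group 'debug aaa authentication' / 'debug tacacs' output by session id.

Added example, not from the page or from Cisco. The SAMPLE lines are
constructed in the style of the debug output above: two logins interleaved,
one ending in PASS and one in FAIL.
"""
import re
from typing import Dict, List, Optional

CREATE = re.compile(r"create_user user='(?P<user>[^']*)' .*port='(?P<port>[^']*)' .*rem_addr='(?P<rem>[^']*)'")
START = re.compile(r"AAA/AUTHEN/START \((?P<sid>\d+)\): Method=(?P<method>\S+)")
STATUS = re.compile(r"(?:AAA/AUTHEN|TAC\+) \((?P<sid>\d+)\): (?:received authen response )?status = (?P<status>\w+)")

SAMPLE: List[str] = """\
6:50:12: AAA/AUTHEN: create_user user='' ruser='' port='tty19' rem_addr='172.31.60.15' authen_type=1 service=1 priv=1
6:50:12: AAA/AUTHEN/START (0): port='tty19' list='' action=LOGIN service=LOGIN
6:50:12: AAA/AUTHEN/START (0): using "default" list
6:50:12: AAA/AUTHEN/START (50996740): Method=TACACS+
6:50:12: TAC+ (50996740): received authen response status = GETUSER
6:50:12: AAA/AUTHEN (50996740): status = GETUSER
6:50:13: AAA/AUTHEN: create_user user='' ruser='' port='tty20' rem_addr='10.0.0.7' authen_type=1 service=1 priv=1
6:50:13: AAA/AUTHEN/START (0): port='tty20' list='' action=LOGIN service=LOGIN
6:50:13: AAA/AUTHEN/START (50996741): Method=TACACS+
6:50:13: TAC+ (50996741): received authen response status = GETUSER
6:50:15: AAA/AUTHEN/CONT (50996740): continue_login
6:50:15: TAC+ (50996740): received authen response status = GETPASS
6:50:15: AAA/AUTHEN (50996740): status = GETPASS
6:50:16: TAC+ (50996741): received authen response status = GETPASS
6:50:20: TAC+ (50996740): received authen response status = PASS
6:50:20: AAA/AUTHEN (50996740): status = PASS
6:50:22: TAC+ (50996741): received authen response status = FAIL
6:50:22: AAA/AUTHEN (50996741): status = FAIL
""".splitlines()


def parse_debug(lines) -> Dict[str, dict]:
    """Return {session_id: {method, statuses, user, port, rem}} in first-seen order."""
    sessions: Dict[str, dict] = {}
    pending: Optional[dict] = None   # create_user carries no session id; the next START does
    for line in lines:
        m = CREATE.search(line)
        if m:
            pending = m.groupdict()
            continue
        m = START.search(line)
        if m:
            s = sessions.setdefault(m["sid"], {"method": m["method"], "statuses": []})
            if pending:
                s.update(pending)
                pending = None
            continue
        m = STATUS.search(line)
        if m:
            s = sessions.setdefault(m["sid"], {"method": None, "statuses": []})
            if not s["statuses"] or s["statuses"][-1] != m["status"]:
                s["statuses"].append(m["status"])   # AAA and TAC+ lines repeat each status
    return sessions


def final_status(session: dict) -> Optional[str]:
    return session["statuses"][-1] if session["statuses"] else None


def failed_logins(sessions: Dict[str, dict]) -> Dict[str, dict]:
    """Sessions whose last status is FAIL: the rejected attempts worth reviewing."""
    return {sid: s for sid, s in sessions.items() if final_status(s) == "FAIL"}


def report() -> Dict[str, dict]:
    return parse_debug(SAMPLE)


if __name__ == "__main__":
    for sid, s in report().items():
        print(sid, s.get("port"), s.get("rem"), s["method"], " -> ".join(s["statuses"]))
```

Output of the debug tacacs form (no create_user or START lines) parses into the same structure with method, port and remote address left unset; feeding the block's parser real debug output captured to syslog gives a per-session view that the interleaved raw lines do not.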


QUESTION 58

DRAG DROP

[Exhibit image clip_image006 not reproduced]

 

Correct Answer:

[Answer image clip_image008 not reproduced]

 

Explanation:

Reference: TACACS+ and RADIUS Comparison

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml#comp_packet_encry


QUESTION 59

DRAG DROP

[Exhibit image clip_image010 not reproduced]

 

Correct Answer:

[Answer image clip_image012 not reproduced]

 

 

QUESTION 60

Refer to the exhibit. Which statement about the aaa configurations is true?

 

[Exhibit image clip_image014 not reproduced]

 

A.

The authentication method list used by the console port is named test.

B.

The authentication method list used by the vty port is named test.

C.

If the TACACS+ AAA server is not available, no users will be able to establish a Telnet session with the router.

D.

If the TACACS+ AAA server is not available, console access to the router can be authenticated using the local database.

E.

The local database is checked first when authenticating console and vty access to the router.

 

Correct Answer: B

Explanation:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1818/products_configuration_example09186a0080204528.shtml

Configure AAA Authentication for Login

To enable authentication, authorization, and accounting (AAA) authentication for logins, use the login authentication command in line configuration mode. AAA services must also be configured.

 

Configuration Procedure

In this example, the router is configured to retrieve users’ passwords from a TACACS+ server when users attempt to connect to the router.

 

From the privileged EXEC (or “enable”) prompt, enter configuration mode and enter the commands to configure the router to use AAA services for authentication:

router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

router(config)#aaa new-model

router(config)#aaa authentication login my-auth-list tacacs+

router(config)#tacacs-server host 192.168.1.101

router(config)#tacacs-server key letmein

Switch to line configuration mode using the following commands. Notice that the prompt changes to reflect the current mode.

router(config)#line 1 8

router(config-line)#

Configure password checking at login.

router(config-line)#login authentication my-auth-list

Exit configuration mode.

router(config-line)#end

router#

%SYS-5-CONFIG_I: Configured from console by console

 

Free VCE & PDF File for Cisco 640-554 Real Exam
