Ensurepass

 

QUESTION 61

On which Cisco Configuration Professional screen do you enable AAA?

 

A.

AAA Summary

B.

AAA Servers and Groups

C.

Authentication Policies

D.

Authorization Policies

 

Correct Answer: A

Explanation:

Authentication/Authorization: These fields are visible when AAA is enabled on the router. AAA can be enabled by clicking Configure > Router > AAA > AAA Summary > Enable AAA.

Reference: Cisco Configuration Professional User Guide 2.5 PDF

 

 

QUESTION 62

Under which option do you create an AAA authentication policy in Cisco Configuration Professional?

 

A.

Authentication Policies

B.

Authentication Policies – Login

C.

AAA Servers and Groups

D.

AAA Summary

 

Correct Answer: B

Explanation:

To configure an authentication policy, go to Configure > Router > AAA > Authentication Policies > Login

Reference: Cisco Configuration Professional User Guide 2.5 PDF

 

 

QUESTION 63

Which three statements about TACACS+ are true? (Choose three.)

 

A.

TACACS+ uses TCP port 49.

B.

TACACS+ uses UDP ports 1645 and 1812.

C.

TACACS+ encrypts the entire packet.

D.

TACACS+ encrypts only the password in the Access-Request packet.

E.

TACACS+ is a Cisco proprietary technology.

F.

TACACS+ is an open standard.

 

Correct Answer: ACE

Explanation:

The original TACACS is defined in RFC 1492 and can use either TCP or UDP port 49; TACACS+ uses TCP port 49 only. Because TCP is a connection-oriented protocol, TACACS+ does not have to implement its own transmission control. RADIUS, however, has to detect and recover from transmission errors such as packet loss and timeouts, because it rides on UDP, which is connectionless. RADIUS hides only the user's password (the User-Password attribute) as it travels from the RADIUS client to the RADIUS server; everything else, such as the username, authorization attributes and accounting data, is transmitted in clear text, so a capture of a RADIUS exchange exposes far more than a capture of TACACS+. TACACS+ obfuscates the entire packet body (everything after the 12-byte header). Note that in both protocols the "encryption" is an MD5-derived keystream keyed on a static shared secret rather than modern authenticated encryption, so a captured exchange can be brute-forced offline if the secret is weak; RFC 8907 recommends running TACACS+ over a secure transport such as IPsec or TLS for that reason.

Terminal Access Controller Access-Control System Plus (TACACS+) is a protocol developed by Cisco in the 1990s. Its specification circulated for years as an Internet-Draft and was eventually published as RFC 8907 in 2020, which is why it is variously described as "Cisco proprietary" and as "open"; for the exam, TACACS+ is the Cisco-developed protocol (option E) and RADIUS is the open standard. Although derived from TACACS, TACACS+ is a separate protocol that handles authentication, authorization, and accounting (AAA) services. TACACS+ and other flexible AAA protocols have largely replaced their predecessors.

Reference: http://en.wikipedia.org/wiki/TACACS

 

 

QUESTION 64

Which three statements about RADIUS are true? (Choose three.)

 

A.

RADIUS uses TCP port 49.

B.

RADIUS uses UDP ports 1645 or 1812.

C.

RADIUS encrypts the entire packet.

D.

RADIUS encrypts only the password in the Access-Request packet.

E.

RADIUS is a Cisco proprietary technology.

F.

RADIUS is an open standard.

 

Correct Answer: BDF

Explanation:

TACACS+ and RADIUS Protocol Comparison

Point of Comparison    TACACS+                                        RADIUS
---------------------  ---------------------------------------------  -----------------------------------------------
Transmission Protocol  TCP: connection-oriented transport-layer       UDP: connectionless transport-layer protocol;
                       protocol with reliable, full-duplex data       datagram exchange without acknowledgments or
                       transmission.                                  guaranteed delivery.
Ports Used             TCP 49                                         Authentication and Authorization: UDP 1645 or 1812
                                                                      Accounting: UDP 1646 or 1813
Encryption             Full packet-body obfuscation (everything       Hides only the User-Password attribute (MD5
                       after the 12-byte header).                     keystream in 16-byte blocks, password up to
                                                                      128 bytes); all other attributes are clear text.
AAA Architecture       Separate control of each service:              Authentication and authorization combined as
                       authentication, authorization, accounting.     one service.
Intended Purpose       Device management (administrative access).     User network access control.
Open Standards         Developed by Cisco.                            Open standard (RFC 2865 / RFC 2866).

Ports 1645/1646 are the original RADIUS ports, which conflict with the "datametrics" service; 1812/1813 are the IANA-assigned ports, and most servers listen on both. The "16 bytes" figure in the original Cisco table refers to the block size of the password-hiding scheme, not a limit on password length.

 

Reference: http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-2/user/guide/acsuserguide/rad_tac_phase.html
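As an added example (not code from the exam page, Cisco or any AAA product), the following Python implements the two hiding schemes contrasted in questions 63 and 64 directly from their specifications: the RADIUS User-Password hiding of RFC 2865 section 5.2 and the TACACS+ body obfuscation of RFC 8907 section 4.5. The shared secret, Request Authenticator, session ID and packet body are constructed values for the demonstration. Running it shows concretely what a passive observer of each protocol sees: a RADIUS capture hides the password attribute only, a TACACS+ capture hides the whole body after the header, and in both cases the protection is an MD5 keystream that is only as strong as the shared secret.

```python
import hashlib
from typing import Tuple

# Added example, not from the exam page. Implements the password hiding of
# RADIUS (RFC 2865 5.2) and the body obfuscation of TACACS+ (RFC 8907 4.5).
# Both are MD5 keystreams keyed on a static shared secret; neither scheme by
# itself authenticates the message or resists offline guessing of a weak secret.


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad the password with NULs to a multiple of 16 (max 128
    bytes), then chain c_i = p_i XOR MD5(secret + c_{i-1}), c_0 = Request
    Authenticator. Only this one attribute is hidden; User-Name etc. are clear."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS User-Password must be 1..128 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c            # the ciphertext block feeds the next MD5
    return bytes(out)


def radius_unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password (what the server does); strips the NUL
    padding, so a password that itself ends in NUL bytes is not representable."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return bytes(out).rstrip(b"\x00")


def tacacs_plus_obfuscate(body: bytes, secret: bytes, session_id: bytes,
                          version: int = 0xC0, seq_no: int = 1) -> bytes:
    """RFC 8907 4.5: pseudo_pad = MD5_1 || MD5_2 || ... truncated to the body
    length, where MD5_1 = MD5(session_id + key + version + seq_no) and
    MD5_n = MD5(session_id + key + version + seq_no + MD5_{n-1}).
    The 12-byte header (which carries session_id, version and seq_no in clear)
    is not covered. XOR is its own inverse, so the same call deobfuscates."""
    if len(session_id) != 4:
        raise ValueError("session_id is a 4-byte header field")
    seed = session_id + secret + bytes([version, seq_no])
    pad, prev = bytearray(), b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(x ^ y for x, y in zip(body, pad))


def demo() -> Tuple[bytes, bytes, bytes]:
    """Constructed sample values: a real client uses a fresh random 16-byte
    Request Authenticator per RADIUS request and a random TACACS+ session_id."""
    secret = b"example-shared-secret"
    authenticator = bytes(range(16))
    hidden = radius_hide_password(b"s3cret!", secret, authenticator)
    recovered = radius_unhide_password(hidden, secret, authenticator)
    body = b"constructed TACACS+ packet body, longer than one MD5 block"
    obfuscated = tacacs_plus_obfuscate(body, secret, b"\xde\xad\xbe\xef")
    return hidden, recovered, obfuscated


if __name__ == "__main__":
    hidden, recovered, obfuscated = demo()
    print("RADIUS hidden User-Password :", hidden.hex())
    print("RADIUS recovered password   :", recovered)
    print("TACACS+ obfuscated body     :", obfuscated.hex())
```

The practical lesson is the same for both protocols: an attacker holding a capture also holds the Request Authenticator (RADIUS) or the header fields (TACACS+) that seed the keystream, so candidate shared secrets can be tested offline. Use long random secrets, a distinct secret per device, and a protected transport (IPsec, or TLS where the server supports it) rather than relying on the hiding scheme itself.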

 

 

QUESTION 65

Which network security framework is used to set up access control on Cisco Appliances?

 

A.

RADIUS

B.

AAA

C.

TACACS+

D.

NAS

 

Correct Answer: B

Explanation:

AAA is a security framework that can be used to set up access control on Cisco routers, switches, firewalls, and other network appliances. AAA provides the ability to control who is allowed to access network devices and what services the user should be allowed to access. AAA services are commonly used to control telnet or console access to network devices.

Reference: http://www.freeccnastudyguide.com/study-guides/ccna/ch8/aaa-security/

 

 

QUESTION 66

Which two protocols are used in a server-based AAA deployment? (Choose two.)

 

A.

RADIUS

B.

TACACS+

C.

HTTPS

D.

WCCP

E.

HTTP

 

Correct Answer: AB

Explanation:

Remote Security Database Standards Supported by Cisco

Several remote security database standards have been written to provide uniform access control for network equipment and users. A variety of applications have been developed as shareware and as commercial products to conform to the standards.

Cisco network equipment supports the three primary security server protocols: TACACS+, RADIUS, and Kerberos. TACACS+ and RADIUS are the predominant security server protocols used for AAA with network access servers, routers, and firewalls. These protocols are used to communicate access control information between the security server and the network equipment. Cisco has also developed the CiscoSecure ACS family of remote security databases to support the TACACS+ and RADIUS protocols.

Reference: http://www.ciscopress.com/articles/article.asp?p=25471&seqNum=6

 

 

QUESTION 67

Which Cisco IOS command will verify authentication between a router and a AAA server?

 

A.

debug aaa authentication

B.

test aaa group

C.

test aaa accounting

D.

aaa new-model

 

Correct Answer: B

Explanation:

To validate that the Cisco IOS device can reach and authenticate against a configured RADIUS or TACACS+ server group, use the test aaa EXEC command. The new-code keyword sends the request through the current AAA subsystem so that the configured server group and method settings are exercised:

 

switch#test aaa group radius user1 cisco new-code

User successfully authenticated

 

Use a dedicated, low-privilege test account for this: the password is typed in clear text on the CLI and can end up in command accounting records and terminal logs. debug aaa authentication (option A) shows the method-list decisions for real logins but does not itself initiate a test transaction, and aaa new-model (option D) only enables the AAA subsystem.

 

Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/whitepaper_C11-731907.html

 

 

QUESTION 68

Which AAA feature can automate record keeping within a network?

 

A.

TACACS+

B.

authentication

C.

authorization

D.

accounting

 

Correct Answer: D

Explanation:

In AAA, accounting refers to the record-keeping and tracking of user activities on a computer network. For a given time period this may include, but is not limited to, real-time accounting of time spent accessing the network, the network services employed or accessed, capacity and trend analysis, network cost allocations, billing data, login data for user authentication and authorization, and the data or data amount accessed or transferred.

Reference: http://www.techopedia.com/definition/24130/authentication-authorization-and-accounting-aaa

 

 

QUESTION 69

Refer to the exhibit. Which traffic is permitted by this ACL?

 

[Exhibit: ACL configuration image, not reproduced in this copy]

 

A.

TCP traffic sourced from any host in the 172.26.26.8/29 subnet on any port to host 192.168.1.2 port 80 or 443

B.

TCP traffic sourced from host 172.26.26.21 on port 80 or 443 to host 192.168.1.2 on any port

C.

any TCP traffic sourced from host 172.26.26.30 destined to host 192.168.1.1

D.

any TCP traffic sourced from host 172.26.26.20 to host 192.168.1.2

 

Correct Answer: C

Explanation:

Option C describes an entry that names a single source host (172.26.26.30) and a single destination host (192.168.1.1) with no port operator on either side, so every TCP port between those two hosts matches. Whenever an extended ACL entry omits the eq/gt/lt/range operator, the port is not part of the match.

Reference: www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

 

Extended ACLs

Extended ACLs were introduced in Cisco IOS Software Release 8.3 and use list numbers 100 to 199 (and the expanded range 2000 to 2699). They control traffic by comparing the source and destination addresses of IP packets, and optionally the protocol and the Layer 4 ports, against the entries configured in the ACL. The syntax forms are:

 

IP

    access-list access-list-number
        [dynamic dynamic-name [timeout minutes]]
        {deny|permit} protocol source source-wildcard
        destination destination-wildcard [precedence precedence]
        [tos tos] [log|log-input] [time-range time-range-name]

 

ICMP

    access-list access-list-number
        [dynamic dynamic-name [timeout minutes]]
        {deny|permit} icmp source source-wildcard
        destination destination-wildcard
        [icmp-type [icmp-code] | icmp-message]
        [precedence precedence] [tos tos] [log|log-input]
        [time-range time-range-name]

 

TCP

    access-list access-list-number
        [dynamic dynamic-name [timeout minutes]]
        {deny|permit} tcp source source-wildcard [operator [port]]
        destination destination-wildcard [operator [port]]
        [established] [precedence precedence] [tos tos]
        [log|log-input] [time-range time-range-name]

 

UDP

    access-list access-list-number
        [dynamic dynamic-name [timeout minutes]]
        {deny|permit} udp source source-wildcard [operator [port]]
        destination destination-wildcard [operator [port]]
        [precedence precedence] [tos tos] [log|log-input]
        [time-range time-range-name]

In all forms, source-wildcard and destination-wildcard are wildcard masks, not subnet masks: a 1 bit means "don't care" and a 0 bit must match, so host 192.168.1.2 is equivalent to 192.168.1.2 0.0.0.0 and any is equivalent to 0.0.0.0 255.255.255.255.

 

 

QUESTION 70

Refer to the exhibit. Which statement about this partial CLI configuration of an access control list is true?

 

[Exhibit: partial ACL configuration image, not reproduced in this copy]

 

A.

The access list accepts all traffic on the 10.0.0.0 subnets.

B.

All traffic from the 10.10.0.0 subnets is denied.

C.

Only traffic from 10.10.0.10 is allowed.

D.

This configuration is invalid. It should be configured as an extended ACL to permit the associated wildcard mask.

E.

From the 10.10.0.0 subnet, only traffic sourced from 10.10.0.10 is allowed; traffic sourced from the other 10.0.0.0 subnets also is allowed.

F.

The access list permits traffic destined to the 10.10.0.10 host on FastEthernet0/0 from any source.

 

Correct Answer: E

Explanation:

Reference: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-acl-ov-gdl.html

 

The Order in Which You Enter Criteria Statements

Note that each additional criteria statement that you enter is appended to the end of the access list statements.

 

Also note that, for a numbered access list maintained with the access-list command, you cannot delete individual statements after they have been created; you can only delete the entire access list. Named access lists (ip access-list standard|extended name) and the sequence-numbered editing mode available in later IOS releases allow individual entries to be removed or inserted.

 

The order of access list statements is important! When the router is deciding whether to forward or block a packet, the Cisco IOS software tests the packet against each criteria statement in the order in which the statements were created. After a match is found, no more criteria statements are checked.

 

If you create a criteria statement that explicitly permits all traffic, no statements added later will ever be checked. If you need additional statements, you must delete the access list and retype it with the new entries. Every access list also ends with an implicit deny of all traffic that no statement matched, so a list containing only deny statements blocks everything, and in the exhibit for this question the broad permit for 10.0.0.0 subnets must come after the more specific statements for 10.10.0.0 to have the effect described in option E.

 

Apply an Access Control List to an Interface

With some protocols, you can apply up to two access lists to an interface: one inbound access list and one outbound access list. With other protocols, you apply only one access list that checks both inbound and outbound packets.

 

If the access list is inbound, when a device receives a packet, Cisco software checks the access list’s criteria statements for a match. If the packet is permitted, the software continues to process the packet. If the packet is denied, the software discards the packet.

If the access list is outbound, after receiving and routing a packet to the outbound interface, Cisco software checks the access list’s criteria statements for a match. If the packet is permitted, the software transmits the packet. If the packet is denied, the software discards the packet.

 

Note

Access lists that are applied to interfaces on a device do not filter traffic that originates from that device. Locally generated packets are always outbound, and the outbound access list check is bypassed for them; only transit traffic is subjected to the outbound access list. Traffic destined to the device itself is still subject to an inbound access list on the receiving interface.
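To make the matching rules from questions 69 and 70 concrete, here is an added example (not code from the exam page or from Cisco): a small Python evaluator for the subset of IOS extended-ACL syntax shown above. It parses permit/deny entries with protocol ip/tcp/udp/icmp, addresses written as any, host A.B.C.D or A.B.C.D WILDCARD, and an optional eq PORT after either address, then evaluates packets top-down with first match winning and the implicit deny at the end. The ACL lines and packets are constructed for the demonstration and are not the exam exhibits; the second ACL reproduces the ordering mistake question 70 is about, where a broad permit shadows a later host-specific deny.

```python
import ipaddress
from collections import namedtuple
from typing import List, Optional, Tuple

# Added example, not from the exam page: evaluates a subset of Cisco IOS
# extended-ACL syntax with wildcard-mask matching, top-down first-match
# semantics and the implicit "deny ip any any" at the end of every list.

Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(0, 0))
Entry = namedtuple("Entry", "action proto src src_wild sport dst dst_wild dport")


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(t: List[str], i: int) -> Tuple[int, int, int]:
    """Consume one address spec at t[i]; return (address, wildcard, next index)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return _ip(t[i + 1]), 0, i + 2
    return _ip(t[i]), _ip(t[i + 1]), i + 2


def _parse_port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse lines like 'access-list 101 permit tcp host 1.2.3.4 any eq 80'."""
    acl = []
    for line in lines:
        t = line.split()
        if t[0] == "access-list":      # drop "access-list <number>"
            t = t[2:]
        src, src_wild, i = _parse_addr(t, 2)
        sport, i = _parse_port(t, i)
        dst, dst_wild, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        acl.append(Entry(t[0], t[1], src, src_wild, sport, dst, dst_wild, dport))
    return acl


def _addr_match(addr: int, ref: int, wild: int) -> bool:
    # Wildcard bit 1 means "don't care"; only bits where the wildcard is 0 must match.
    return ((addr ^ ref) & ~wild & 0xFFFFFFFF) == 0


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """Top-down, first match wins; anything unmatched hits the implicit deny."""
    for e in acl:
        if e.proto not in ("ip", pkt.proto):
            continue
        if not _addr_match(_ip(pkt.src), e.src, e.src_wild):
            continue
        if not _addr_match(_ip(pkt.dst), e.dst, e.dst_wild):
            continue
        if e.sport is not None and pkt.sport != e.sport:
            continue
        if e.dport is not None and pkt.dport != e.dport:
            continue
        return e.action
    return "deny"                       # implicit deny ip any any


# Constructed ACLs for illustration; they are not the exam exhibits.
SAMPLE_ACL = parse_acl([
    "access-list 101 permit tcp host 172.26.26.30 host 192.168.1.1",
    "access-list 101 permit tcp 172.26.26.8 0.0.0.7 host 192.168.1.2 eq 80",
    "access-list 101 permit tcp 172.26.26.8 0.0.0.7 host 192.168.1.2 eq 443",
])
# Order matters: the broad permit shadows the host deny, which can never match.
SHADOWED_ACL = parse_acl([
    "access-list 102 permit ip 10.0.0.0 0.255.255.255 any",
    "access-list 102 deny ip host 10.10.0.10 any",
])


def sample_decisions() -> dict:
    return {
        "https_from_subnet": evaluate(SAMPLE_ACL, Packet("tcp", "172.26.26.9", "192.168.1.2", 40000, 443)),
        "ssh_from_subnet": evaluate(SAMPLE_ACL, Packet("tcp", "172.26.26.9", "192.168.1.2", 40000, 22)),
        "http_outside_subnet": evaluate(SAMPLE_ACL, Packet("tcp", "172.26.26.16", "192.168.1.2", 40000, 80)),
        "any_tcp_from_30": evaluate(SAMPLE_ACL, Packet("tcp", "172.26.26.30", "192.168.1.1", 40000, 22)),
        "icmp_implicit_deny": evaluate(SAMPLE_ACL, Packet("icmp", "172.26.26.30", "192.168.1.1")),
        "shadowed_deny": evaluate(SHADOWED_ACL, Packet("tcp", "10.10.0.10", "192.168.1.1")),
    }


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(f"{name:22s} {decision}")
```

Swapping the two lines of SHADOWED_ACL so that the host deny comes first produces the behaviour described in option E of question 70: the one host is blocked and the rest of 10.0.0.0/8 is still permitted. That is the whole reason the ordering rules above matter when reviewing a device configuration.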

 

Free VCE & PDF File for Cisco 640-554 Real Exam
