- Which statement about RADIUS security is true?
- A. It supports EAP authentication for connecting to wireless networks.*
- B. It provides encrypted multiprotocol support.
- C. Device-administration packets are encrypted in their entirety.
- D. It ensures that user activity is fully anonymous.
- Which condition indicates that service password-encryption is enabled?
- A. The local username password is in clear text in the configuration.
- B. The enable secret is in clear text in the configuration.
- C. The local username password is encrypted in the configuration.*
- D. The enable secret is encrypted in the configuration.
Explanation/Reference: The service password-encryption command encrypts all current and future clear-text (type 0) passwords in the configuration, including local username passwords and line passwords, so a local username password displayed as "password 7 ..." indicates that the command is in effect. The enable secret is always stored as a hash, with or without this command, so B and D say nothing about service password-encryption. Note that type 7 is a reversible Cisco-proprietary obfuscation rather than strong encryption; it only stops a casual reader of the configuration from seeing the password.
- Which command can you enter to configure a local username with an encrypted password and EXEC mode user privileges?
- A. Router(config)#username jdone privilege 1 password 7 08314D5D1A48*
- B. Router(config)#username jdone privilege 1 password 7 PASSWORD1
- C. Router(config)#username jdone privilege 15 password 0 08314D5D1A48
- D. Router(config)#username jdone privilege 15 password 0 PASSWORD1
Explanation/Reference: Privilege level 1 is the default user EXEC level, so the answer must use "privilege 1" (C and D grant privilege 15, which is privileged EXEC), and the password must be stored in encrypted form, which is type 7 (B is not a valid type 7 string, since type 7 values are hexadecimal). Usually we enter a command like this:
username bill password westward
and, with service password-encryption enabled, the system displays this command as follows:
username bill password 7 21398211
The encrypted version of the password is 21398211. The "7" indicates that the password was encrypted by the Cisco-defined (type 7) algorithm.
However, if you enter the command "username bill password 7 21398211" directly, the system determines that the password is already encrypted and performs no encryption; it stores and displays the command exactly as you entered it. Keep in mind that type 7 is reversible: anyone who can read the configuration can recover the clear-text password, so prefer "username ... secret" where the platform supports it.
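To make the point about type 7 concrete, here is an added Python example (not code from the page or from Cisco) that implements the publicly documented type 7 algorithm: each password byte is XORed with a byte of a fixed 40-byte key, starting at the offset given by the first two decimal digits of the stored value. Running it on the type 7 value from option A above (08314D5D1A48) recovers the clear-text password pass1. The function names are this example's own.

```python
# Added example, not code from the page or from Cisco: encode and decode Cisco IOS
# "type 7" passwords to show that "password 7" is a reversible obfuscation, not
# encryption. XLAT is the publicly known fixed key used by the algorithm; the
# function names are this example's own.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Recover the clear text from a 'password 7 <value>' string.

    Format: two decimal digits giving the key offset (00-15), followed by hex
    pairs; each plaintext byte was XORed with XLAT[offset + i].
    """
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 value must be an even number of characters, at least 4")
    seed = int(encoded[:2], 10)
    if not 0 <= seed <= 15:
        raise ValueError("type 7 offset must be between 00 and 15")
    body = bytes.fromhex(encoded[2:])
    clear = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body))
    return clear.decode("ascii")


def type7_encode(cleartext: str, seed: int = 8) -> str:
    """Produce a 'password 7' value; the inverse of type7_decode (XOR is symmetric)."""
    if not 0 <= seed <= 15:
        raise ValueError("offset must be between 0 and 15")
    data = cleartext.encode("ascii")
    body = bytes(c ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


def recover_username_password(config_line: str) -> str:
    """Given a 'username ... password 7 <value>' config line, return the clear-text password."""
    tokens = config_line.split()
    if "password" in tokens:
        idx = tokens.index("password")
        if idx + 2 < len(tokens) and tokens[idx + 1] == "7":
            return type7_decode(tokens[idx + 2])
    raise ValueError("not a type 7 username line")


if __name__ == "__main__":
    print(recover_username_password("username jdone privilege 1 password 7 08314D5D1A48"))
```

Any type 7 value in a configuration (username, line, or key strings) can be turned back into clear text this way, which is why "enable secret" and "username ... secret" exist. The value 21398211 shown in the explanation above begins with 21, outside the 00-15 offset range, so the decoder rejects it as malformed; it serves on this page only to illustrate the displayed form.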
- Which command sets and automatically encrypts the privileged enable mode password?
- A. enable password cisco
- B. secret enable cisco
- C. password enable cisco
- D. enable secret cisco*
- The enable secret command is used to secure access to which CLI mode?
- A. user EXEC mode
- B. global configuration mode
- C. privileged EXEC mode*
- D. auxiliary setup mode
- Refer to the exhibit. What is the result of setting the no login command?
Router#config t
Router(config)#line vty 0 4
Router(config-line)#password c1sc0
Router(config-line)#no login
- A. Telnet access is denied.
- B. Telnet access requires a new password at the first login.
- C. Telnet access requires a new password.
- D. No password is required for telnet access.*
Explanation/Reference: "no login" disables password checking on the vty lines, so anyone who can reach the router over Telnet gets a user EXEC prompt without authenticating; the "password c1sc0" line is never consulted and is therefore unnecessary. Use "login" (line password) or, better, "login local" or AAA together with "transport input ssh" on the vty lines.
- What is a difference between TACACS+ and RADIUS in AAA?
- A. Only TACACS+ allows for separate authentication.*
- B. Only RADIUS encrypts the entire access-request packet.
- C. Only RADIUS uses TCP.
- D. Only TACACS+ couples authentication and authorization.
Explanation/Reference: TACACS+ is an AAA protocol developed by Cisco. It separates the authentication, authorization, and accounting steps, which allows a separate authentication solution while still using TACACS+ for authorization and accounting. For example, it is possible to use Kerberos for authentication and TACACS+ for authorization and accounting: after an AAA client passes authentication through a Kerberos server, it requests authorization information from a TACACS+ server without re-authenticating through the TACACS+ authentication mechanism.
Authentication and authorization are not separated in a RADIUS transaction: when the authentication request is sent to the AAA server, the AAA client expects the authorization result (the attributes) to come back in the same Access-Accept reply. B and C are backwards: RADIUS runs over UDP and encrypts only the password attribute of the Access-Request, whereas TACACS+ runs over TCP (port 49) and encrypts the entire packet body.
- Which protocol authenticates connected devices before allowing them to access the LAN?
- A. 802.1d
- B. 802.11
- C. 802.1w
- D. 802.1x*
Explanation/Reference: 802.1x is an IEEE standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols and provides an authentication mechanism for devices wishing to attach to a LAN. The other options are unrelated: 802.1d is Spanning Tree, 802.1w is Rapid Spanning Tree, and 802.11 is wireless LAN.
- Which three options are benefits of using TACACS+ on a device? (Choose three)
- A. It ensures that user activity is untraceable.
- B. It provides a secure accounting facility on the device.
- C. Device-administration packets are encrypted in their entirety.*
- D. It allows the user to remotely access devices from other vendors.
- E. It allows the users to be authenticated against a remote server.*
- F. It supports access-level authorization for commands.*
Explanation/Reference: TACACS+ (and RADIUS) allow users to be authenticated against a remote server -> E is correct.
TACACS+ encrypts the entire body of the packet, including the username and password, but leaves the standard TACACS+ header in clear text -> C is correct.
TACACS+ supports access-level authorization for commands, that is, per-command authorization: the server can permit or deny individual commands according to the user's privilege level, and you can also assign commands to privilege levels on the router -> F is correct.
By default, only three of the sixteen privilege levels (0 to 15) are in use on the router:
+ privilege level 1 = non-privileged (prompt is router>), the default level for logging in
+ privilege level 15 = privileged (prompt is router#), the level after going into enable mode
+ privilege level 0 = seldom used, but includes five commands: disable, enable, exit, help, and logout
- A security administrator wants to profile endpoints and gain visibility into attempted authentications. Which 802.1x mode allows these actions?
- A. Monitor mode*
- B. High-Security mode
- C. Low-impact mode
- D. Closed mode
Explanation/Reference: Cisco's phased 802.1X deployment guide defines three deployment modes:
+ Monitor mode
+ Low impact mode
+ High security mode (also called closed mode)
Monitor mode allows the IEEE 802.1X authentication methods to be deployed without any effect on user or endpoint access to the network. Monitor mode is basically like placing a security camera at the door to monitor and record port access behavior.
With AAA RADIUS accounting enabled, you can log authentication attempts and gain visibility into who and what is connecting to your network with an audit trail. You can discover the following:
+ Which endpoints, such as PCs, printers, cameras, and so on, are connecting to your network
+ Where these endpoints connected
+ Whether they are 802.1X capable or not
+ Whether they have valid credentials
+ In the event of failed MAB attempts, whether the endpoints have known, valid MAC addresses
Monitor mode is enabled using 802.1X with the open access and multi-auth host-mode Cisco IOS Software features on the access port, as follows:
sw(config-if)#authentication open
sw(config-if)#authentication host-mode multi-auth
"authentication open" is what makes monitor mode non-enforcing: the port forwards traffic regardless of the authentication result, so it gives visibility but no access control. High security mode removes "authentication open" so that only authenticated endpoints get access.
For more information about each mode, please read this article: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Phased_Deploy/Phased_Dep_Guide.html
- What should be part of a comprehensive network security plan?
- A. Allow users to develop their own approach to network security
- B. Physically secure network equipment from potential access by unauthorized individuals*
- C. Encourage users to use personal information in their passwords to minimize the likelihood of passwords being forgotten
- D. Delay deployment of software patches and updates until their effect on end-user equipment is well known and widely reported
- E. Minimize network overhead by deactivating automatic antivirus client updates
Explanation/Reference: Physical security of network equipment is a standard element of a security plan, because console or physical access bypasses most logical controls (for example, password recovery on a router). The other options weaken security: ad hoc per-user policies, personal information in passwords (easily guessed), delayed patching, and disabled antivirus updates. Only B is correct.
- Which password types are encrypted?
- A. SSH
- B. Telnet
- C. enable secret*
- D. enable password
Explanation/Reference: The "enable secret" password is always stored as a one-way hash, independent of the "service password-encryption" command. Historically this is the type 5 MD5 hash ("enable secret 5 ..."); newer IOS and IOS-XE releases also support type 8 (PBKDF2-SHA-256) and type 9 (scrypt) secrets, which should be preferred because MD5 is fast to brute-force. SSH and Telnet are protocols, not password types.
Note: The "enable password" does not encrypt the password, and it can be viewed in clear text in the running-config. The "service password-encryption" command only converts it to the reversible type 7 form. In general, don't use enable password; use enable secret instead.
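The weak settings covered on this page (clear-text or type 7 local passwords, enable password instead of enable secret, vty lines with "no login", Telnet instead of SSH) are easy to check for mechanically. The following is an added Python example, not code from the page or from Cisco, that scans an IOS-style running-config and reports each of them; the sample configuration is constructed for the example and the finding wording is the example's own.

```python
# Added example, not code from the page or from Cisco: a small audit that scans an
# IOS-style running-config for the weak settings discussed on this page. The
# sample configuration is constructed for the example and the finding text is
# this example's own.
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
!
no service password-encryption
hostname R1
enable password cisco
username jdone privilege 1 password 7 08314D5D1A48
username admin privilege 15 secret 5 $1$abcd$constructedhashvalue
line con 0
 login
line vty 0 4
 password c1sc0
 no login
 transport input telnet
line vty 5 15
 login local
 transport input ssh
end
"""

# username lines whose credential is 'password <value>', 'password 0 <value>' or
# 'password 7 <value>': all three are clear text or reversible (type 7)
_WEAK_USERNAME = re.compile(r"^username \S+ .*\bpassword(?: [07])? \S+$")


def audit_config(config: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    findings: List[str] = []
    section = None                        # name of the current 'line ...' block
    line_cmds: Dict[str, List[str]] = {}  # e.g. {"vty 0 4": ["password c1sc0", "no login"]}

    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):      # top-level (global configuration) command
            section = None
            if line == "no service password-encryption":
                findings.append("service password-encryption is off: type 0 passwords are in clear text")
            elif line.startswith("enable password "):
                findings.append("enable password in use: replace it with enable secret")
            elif _WEAK_USERNAME.match(line):
                findings.append(f"reversible local password (type 0/7): {line}")
            elif line.startswith("line "):
                section = line[len("line "):]
                line_cmds[section] = []
            continue
        if section is not None:           # indented command inside a 'line' block
            line_cmds[section].append(line.strip())

    for sec, cmds in line_cmds.items():
        if not sec.startswith("vty"):
            continue
        if "no login" in cmds:
            findings.append(f"line {sec}: 'no login' allows access without any authentication")
        if any(c.startswith("transport input") and "telnet" in c for c in cmds):
            findings.append(f"line {sec}: telnet permitted; use 'transport input ssh'")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

On the constructed sample the audit flags five items: the disabled service password-encryption, the enable password, the type 7 username, and both the "no login" and Telnet settings on vty 0 4; the "vty 5 15" block, which uses "login local" and SSH, produces no finding. The script only recognises the commands discussed on this page; a real review would also cover AAA, console and aux lines, and SNMP community strings.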