CCNA 200-125 Exam: Security Questions With Answers

  1. Which statement about RADIUS security is true?
    • A. It supports EAP authentication for connecting to wireless networks.*
    • B. It provides encrypted multiprotocol support.
    • C. Device-administration packets are encrypted in their entirety.
    • D. It ensures that user activity is fully anonymous.
  2. Which condition indicates that service password-encryption is enabled?
    • A. The local username password is in clear text in the configuration.
    • B. The enable secret is in clear text in the configuration.
    • C. The local username password is encrypted in the configuration.*
    • D. The enable secret is encrypted in the configuration.

    Show (Hide) Explanation/Reference
    The service password-encryption command will encrypt all current and future passwords so any password existed in the configuration will be encrypted.
  3. Which command can you enter to configure a local username with an encrypted password and EXEC mode user privileges?
    • A. Router(config)#username jdone privilege 1 password 7 08314D5D1A48*
    • B. Router(config)#username jdone privilege 1 password 7 PASSWORD1
    • C. Router(config)#username jdone privilege 15 password 0 08314D5D1A48
    • D. Router(config)#username jdone privilege 15 password 0 PASSWORD1

    Show (Hide) Explanation/Reference
    Usually we enter a command like this:

    username bill password westward

    And the system display this command as follows:

    username bill password 7 21398211

    The encrypted version of the password is 21398211. The password was encrypted by the Cisco-defined encryption algorithm, as indicated by the “7”.
    However, if you enter the following command: “username bill password 7 21398211”, the system determines that the password is already encrypted and performs no encryption. Instead, it displays the command exactly as you entered it.


  4. Which command sets and automatically encrypts the privileged enable mode password?
    • A. enable password cisco
    • B. secret enable cisco
    • C. password enable cisco
    • D. enable secret cisco*
  5. The enable secret command is used to secure access to which CLI mode?
    • A. user EXEC mode
    • B. global configuration mode
    • C. privileged EXEC mode *
    • D. auxiliary setup mode
  6. Refer to the exhibit. What is the result of setting the no login command?
    Router#config t
    Router(config)#line vty 0 4 
    Router(config-line)#password c1sc0
    Router(config-line)#no login
    • A. Telnet access is denied.
    • B. Telnet access requires a new password at the first login.
    • C. Telnet access requires a new password.
    • D. no password is required for telnet access.*

    Show (Hide) Explanation/Reference
    This configuration will let someone telnet to that router without the password (so the line “password c1sco” is not necessary).
  7. What is a difference between TACACS+ and RADIUS in AAA?
    • A. Only TACACS+ allows for separate authentication.*
    • B. Only RADIUS encrypts the entire access-request packet.
    • C. Only RADIUS uses TCP.
    • D. Only TACACS+ couples authentication and authorization.

    Show (Hide) Explanation/Reference
    TACACS+ is an AAA protocol developed by Cisco. TACACS+ separates the authentication, authorization, and accounting steps. This architecture allows for separate authentication solutions while still using TACACS+ for authorization and accounting. For example, it is possible to use the Kerberos Protocol for authentication and TACACS+ for authorization and accounting. After an AAA client passes authentication through a Kerberos server, the AAA client requests authorization information from a TACACS+ server without the necessity to re-authenticate the AAA client by using the TACACS+ authentication mechanism.

    Authentication and authorization are not separated in a RADIUS transaction. When the authentication request is sent to a AAA server, the AAA client expects to have the authorization result sent back in reply.


  8. Which protocol authenticates connected devices before allowing them to access the LAN?
    • A. 802.1d
    • B. 802.11
    • C. 802.1w
    • D. 802.1x*

    Show (Hide) Explanation/Reference
    802.1x is an IEEE Standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN.
  9. Which three options are benefits of using TACACS+ on a device? (Choose three)
    • A. It ensures that user activity is untraceable.
    • B. It provides a secure accounting facility on the device.
    • C. device-administration packets are encrypted in their entirely.*
    • D. It allows the user to remotely access devices from other vendors.
    • E. It allows the users to be authenticated against a remote server.*
    • F. It supports access-level authorization for commands.*

    Show (Hide) Explanation/Reference
    TACACS+ (and RADIUS) allow users to be authenticated against a remote server -> E is correct.

    TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header -> C is correct.

    TACACS+ supports access-level authorization for commands. That means you can use commands to assign privilege levels on the router -> F is correct.


    By default, there are three privilege levels on the router.
    + privilege level 1 = non-privileged (prompt is router>), the default level for logging in
    + privilege level 15 = privileged (prompt is router#), the level after going into enable mode
    + privilege level 0 = seldom used, but includes 5 commands: disable, enable, exit, help, and logout

  10. A security administrator wants to profile endpoints and gain visibility into attempted authentications. Which 802.1x mode allows these actions?
    • A. Monitor mode*
    • B. High-Security mode
    • C. Low-impact mode
    • D. Closed mode

    Show (Hide) Explanation/Reference
    There are three authentication and authorization modes for 802.1x:

    + Monitor mode
    + Low impact mode
    + High security mode

    Monitor mode allows for the deployment of the authentication methods IEEE 802.1X without any effect to user or endpoint access to the network. Monitor mode is basically like placing a security camera at the door to monitor and record port access behavior.

    With AAA RADIUS accounting enabled, you can log authentication attempts and gain visibility into who and what is connecting to your network with an audit trail. You can discover the following:
    + Which endpoints such as PCs, printers, cameras, and so on, are connecting to your network
    + Where these endpoints connected
    + Whether they are 802.1X capable or not
    + Whether they have valid credentials
    + In the event of failed MAB attempts, whether the endpoints have known, valid MAC addresses

    Monitor mode is enabled using 802.1X with the open access and multiauth mode Cisco IOS Software features enabled, as follows:
    sw(config-if)#authentication open
    sw(config-if)#authentication host-mode multi-auth

    For more information about each mode, please read this article:

  11. What should be part of a comprehensive network security plan?
    • A. Allow users to develop their own approach to network security
    • B. Physically secure network equipment from potential access by unauthorized individuals*
    • C. Encourage users to use personal information in their passwords to minimize the likelihood of passwords being forgotten
    • D. Delay deployment of software patches and updates until their effect on end-user equipment is well known and widely reported
    • E. Minimize network overhead by deactivating automatic antivirus client updates

    Show (Hide) Explanation/Reference
    All other answers are not recommended for a network security plan so only B is the correct answer.
  12. Which password types are encrypted?
    • A. SSH
    • B. Telnet
    • C. enable secret*
    • D. enable password

    Show (Hide) Explanation/Reference
    The “enable secret” password is always encrypted (independent of the “service password-encryption” command) using MD5 hash algorithm.

    Note: The “enable password” does not encrypt the password and can be view in clear text in the running-config. In order to encrypt the “enable password”, use the “service password-encryption” command. In general, don’t use enable password, use enable secret instead.

Related Articles

Inline Feedbacks
View all comments