Module 5: Quiz – Assign Administrative Roles (Answers) Network Security

1. What must be done before any role-based CLI views can be created?

  • Assign multiple privilege levels.
  • Configure usernames and passwords.
  • Issue the aaa new-model command.
  • Create the secret password for the root user.

Explanation: There are five steps involved to create a view on a Cisco router.

1) AAA must be enabled.
2) The view must be created.
3) A secret password must be assigned to the view.
4) Commands must be assigned to the view.
5) View configuration mode must be exited.

2. Which three statements describe limitations in using privilege levels for assigning command authorization? (Choose three.)

  • Creating a user account that needs access to most but not all commands can be a tedious process.
  • Commands set on a higher privilege level are not available for lower privilege users.
  • The root user must be assigned to each privilege level that is defined.
  • It is required that all 16 privilege levels be defined, whether they are used or not.
  • There is no access control to specific interfaces on a router.
  • Views are required to define the CLI commands that each user can access.

Explanation: An administrator can create customized privilege levels and assign different commands to each level. However, this method of controlling he level of access to the router has limitations. Using privilege levels access to specific interfaces or ports cannot be controlled and availability of commands cannot be customized across levels.

3. Which two router commands can a user issue when granted privilege level 0? (Choose two.)

  • ping
  • disable
  • help
  • configure
  • show

Explanation: The privilege level 0 in Cisco IOS software is predefined for user-level access privileges. It is seldom used, but includes five commands: disableenableexithelp, and logout.

4. What does level 5 in the following enable secret global configuration mode command indicate?

Router(config)# enable secret level 5 csc5io
  • The enable secret password can only be set by individuals with privileges for EXEC level 5.
  • The enable secret password is hashed using SHA.
  • The enable secret password is hashed using MD5.
  • The enable secret password grants access to privileged EXEC level 5.

Explanation: There are two methods for assigning passwords to the different privilege levels:

  • To a user that is granted a specific privilege level, use the username name privilege level secret password global configuration mode command.
  • To the privilege level, use the enable secret level level password global configuration mode command.

5. What are three network enhancements achieved by implementing the Cisco IOS software role-based CLI access feature? (Choose three.)

  • fault tolerance
  • cost reduction
  • operational efficiency
  • scalability
  • security
  • availability

Explanation: Cisco IOS software role-based CLI access feature provides benefits for network functions including:

  • Security – Role-based CLI access enhances the security of the device by defining the set of CLI commands that are accessible by a specific user. This prevents a user from accidentally or purposely changing a configuration or collecting information to which they should not have access.
  • Availability – Role-based CLI access prevents unintentional execution of CLI commands by unauthorized personnel and minimizes downtime.
  • Operational Efficiency – Users only see the CLI commands applicable to the ports and CLI to which they have access. Therefore, the router appears to be less complex, and commands are easier to identify.

6. A network administrator wants to create a new view so that a user only has access to certain configuration commands. In role-based CLI, which view should the administrator use to create the new view?

  • superview
  • admin view
  • CLI view
  • root view

Explanation: In role-based CLI access implementation, a network administrator must be in root view to create a new role-based view, such as a CLI view or a superview.

7. A network administrator enters the command R1# enable view adminview. What is the purpose of this command?

  • to enter a superview named adminview
  • to enter a CLI view named adminview
  • to create a CLI view named adminview
  • to enter the root view

Explanation: The enable view privileged EXEC command is used to enter the root view. The optional view-name, in this case adminview, is used to enter a CLI view named adminview directly.

8. Which range of custom privilege levels can be configured on Cisco routers?

  • 0 through 15
  • 2 through 14
  • 1 through 15
  • 2 through 15
  • 1 through 16

Explanation: The privilege levels 2 -14 in Cisco IOS software may be customized for user-level privileges. Commands from lower levels may be moved up to another higher level, or commands from higher levels may be moved down to a lower level.

9. Which command will move the show interface command to privilege level 10?

  • router(config-if)# privilege exec level 10 show interface
  • router(config)# show interface level 10
  • router(config-if)# show interface level 10
  • router(config)# privilege exec level 10 show interface
  • router(config)# privilege level 10 show interface
  • router(config-if)# privilege level 10 show interface

Explanation: To configure a privilege level with specific commands, use the privilege exec level level [command].

10. What is the default privilege level of user accounts created on Cisco routers?

  • 0
  • 15
  • 1
  • 16

Explanation: There are 16 privilege levels that can be configured as part of the username command, ranging from 0 to 15. By default, if no level is specified, the account will have privilege level 1.

11. An administrator assigned a level of router access to the user ADMIN using the commands below.

Router(config)# privilege exec level 14 show ip route
Router(config)# enable algorithm-type scrypt secret level 14 cisco-level-10
Router(config)# username ADMIN privilege 14 algorithm-type scrypt secret cisco-level-10

Which two actions are permitted to the user ADMIN? (Choose two.)​

  • The user can issue the show version command.
  • The user can only execute the subcommands under the show ip route command.
  • The user can issue the ip route command.
  • The user can issue all commands because this privilege level can execute all Cisco IOS commands.
  • The user can execute all subcommands under the show ip interfaces command.

Explanation: Assigning a command such as show ip route to a specific privilege level automatically assigns all commands associated with the first few keywords to the specified privilege level. So, the show and the show ip commands are automatically set to the privilege level where show ip route is set, which is necessary because the show ip route command cannot be executed without access to the show and show ip commands. Assigning the show ip route command allows the user to issue all show commands, such as show version.​

Related Articles

Inline Feedbacks
View all comments