Module 7: Quiz – Authentication, Authorization, and Accounting (AAA) (Answers) Network Security

1. What is a feature of the TACACS+ protocol?

  • It combines authentication and authorization as one process.
  • It encrypts the entire body of the packet for more secure communications.
  • It hides passwords during transmission using PAP and sends the rest of the packet in plaintext.
  • It utilizes UDP to provide more efficient packet transfer.

Explanation: TACACS+ has the following features:

  • separates authentication and authorization
  • encrypts all communication
  • uses TCP port 49

2. Which two protocols are used to provide server-based AAA authentication? (Choose two.)

  • SSH
  • SNMP
  • 802.1x

Explanation: Server-based AAA authentication uses an external TACACS+ or RADIUS authentication server to maintain the username and password database. When a client establishes a connection with an AAA-enabled device, the device authenticates the client by querying the authentication server(s).

3. Which functionality does the TACACS single-connection keyword provide to AAA services?

  • allows the use of differing keys between the TACACS+ server and the AAA client
  • enhances the performance of the TCP connection
  • maintains a single UDP connection for the life of the session
  • encrypts the data transfer between the TACACS+ server and the AAA client

Explanation: The single-connection keyword enhances TCP performance with TACACS+ by maintaining a single TCP connection for the life of the session. Without the single-connection keyword, a TCP connection is opened and closed per session.

4. What are three access control security services? (Choose three.)

  • access
  • authorization
  • repudiation
  • availability
  • authentication
  • accounting

Explanation: This question refers to the three AAA services: authentication, authorization, and accounting.

5. What is the purpose of the network security accounting function?

  • to keep track of the actions of a user
  • to provide challenge and response questions
  • to require users to prove who they are
  • to determine which resources a user can access

Explanation: Authentication, authorization, and accounting are network services collectively known as AAA. Authentication requires users to prove who they are. Authorization determines which resources the user can access. Accounting keeps track of the actions of the user.

6. What does the TACACS+ protocol provide in a AAA deployment?

  • AAA connectivity via UDP
  • authorization on a per-user or per-group basis
  • password encryption without encrypting the packet
  • compatibility with previous TACACS protocols

Explanation: TACACS+ utilizes TCP port 49, provides authorization on a per-user or per-group basis, encrypts the entire packet, and does not provide compatibility with previous TACACS protocols.

7. Which term describes the ability of a web server to keep a log of the users who access the server, as well as the length of time they use it?

  • accounting
  • authentication
  • assigning permissions
  • authorization

Explanation: Accounting records what users do and when they do it, including what is accessed, the amount of time the resource is accessed, and any changes that were made. Accounting keeps track of how network resources are used.

8. What is the first required task when configuring server-based AAA authentication?

  • Configure the IP address of the server.
  • Specify the type of server providing the authentication.
  • Configure the type of AAA authentication.
  • Enable AAA globally.

Explanation: When server-based AAA authentication is being configured, AAA must be globally enabled to allow the use of all AAA elements. This step is a prerequisite for all other AAA commands.

9. What is a characteristic of AAA accounting?

  • Accounting can only be enabled for network connections.
  • Users are not required to be authenticated before AAA accounting logs their activities on the network.
  • Accounting is concerned with allowing and disallowing authenticated users access to certain areas and programs on the network.
  • Possible triggers for the aaa accounting exec default command include start-stop and stop-only.

Explanation: AAA accounting enables usage tracking, such as dial-in access and EXEC shell sessions, logs the gathered data to a database, and produces reports from it. Configuring AAA accounting with the keyword start-stop sends a "start" accounting notice at the beginning of a process and a "stop" accounting notice at the end of the process; stop-only sends just the "stop" notice. AAA accounting is not limited to network connection activities. AAA accounting takes effect, if enabled, only after a user has successfully authenticated. Allowing and disallowing user access is the scope of AAA authorization.

10. When a method list for AAA authentication is being configured, what is the effect of the keyword local?

  • It uses the enable password for authentication.
  • It defaults to the vty line password for authentication.
  • The login succeeds, even if all methods return an error.
  • It accepts a locally configured username, regardless of case.

Explanation: When defining an AAA authentication method list, one option is to use the preconfigured local database. Two keywords enable local authentication against that database: the keyword local accepts a username regardless of case, whereas the keyword local-case is case-sensitive for both usernames and passwords.

11. Which statement describes a difference between RADIUS and TACACS+?

  • RADIUS separates authentication and authorization whereas TACACS+ combines them as one process.
  • RADIUS uses TCP whereas TACACS+ uses UDP.
  • RADIUS encrypts only the password whereas TACACS+ encrypts all communication.
  • RADIUS is supported by the Cisco Secure ACS software whereas TACACS+ is not.

Explanation: TACACS+ uses TCP, encrypts the entire packet (not just the password), and separates authentication and authorization into two distinct processes. Both protocols are supported by the Cisco Secure ACS software.
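To make the TACACS+ properties behind questions 1, 6 and 11 concrete, the following is an added example (not code from the quiz page or from Cisco) that frames a TACACS+ authentication START packet and applies the body protection defined in RFC 8907. It shows what "encrypts the entire packet" actually means on the wire: the 12-byte header (version, type, sequence number, flags, session ID, length) is always cleartext, and the body is XORed with an MD5-derived keystream built from the session ID, the shared key, the version and the sequence number. RFC 8907 calls this obfuscation rather than encryption, which is the caveat a practitioner should keep in mind when comparing it with RADIUS (which protects only the password attribute). The shared key, session ID and user/port/address values below are constructed placeholders.

```python
"""TACACS+ packet framing and body obfuscation, after RFC 8907 (added example)."""
import hashlib
import struct

# Header field constants from RFC 8907.
TAC_PLUS_VERSION = 0xC0               # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01                # authentication packet
TAC_PLUS_AUTHOR = 0x02                # authorization packet
TAC_PLUS_ACCT = 0x03                  # accounting packet
TAC_PLUS_UNENCRYPTED_FLAG = 0x01      # body sent in cleartext (never use in production)
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04   # client asks to multiplex sessions on one TCP connection

# 12-byte header: version, type, seq_no, flags, session_id, body length (network byte order)
HEADER = struct.Struct("!BBBBII")


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream from RFC 8907 section 4.5: chained MD5 over session_id, key, version, seq_no."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad = b""
    prev = b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()   # pad_i = MD5(prefix || pad_{i-1})
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; applying the same call again reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: str, port: str, rem_addr: str, priv_lvl: int = 1) -> bytes:
    """Authentication START body (RFC 8907 section 5.1) for an ASCII login."""
    action, authen_type, service = 0x01, 0x01, 0x01   # LOGIN action, ASCII type, LOGIN service
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    return bytes([action, priv_lvl, authen_type, service, len(u), len(p), len(r), len(d)]) + u + p + r + d


def build_packet(ptype: int, seq_no: int, session_id: int, body: bytes, key, single_connect=False) -> bytes:
    """Prepend the cleartext header; obfuscate the body unless no key is given."""
    flags = TAC_PLUS_SINGLE_CONNECT_FLAG if single_connect else 0
    if key is None:
        flags |= TAC_PLUS_UNENCRYPTED_FLAG
        wire_body = body
    else:
        wire_body = obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    return HEADER.pack(TAC_PLUS_VERSION, ptype, seq_no, flags, session_id, len(body)) + wire_body


def parse_packet(packet: bytes, key) -> dict:
    """Split header and body; recover the body with the shared key when it is obfuscated."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    wire_body = packet[HEADER.size:HEADER.size + length]
    if len(wire_body) != length:
        raise ValueError("truncated TACACS+ body")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = wire_body
    elif key is None:
        raise ValueError("obfuscated body but no shared key configured")
    else:
        body = obfuscate(wire_body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}


# Constructed sample: a NAS sends an authentication START for user "admin" on tty0.
SHARED_KEY = b"example-shared-key"   # placeholder, not a real deployment key
SESSION_ID = 0x1F2E3D4C              # placeholder session id (normally random per session)
SAMPLE_BODY = authen_start_body("admin", "tty0", "192.0.2.10")

if __name__ == "__main__":
    pkt = build_packet(TAC_PLUS_AUTHEN, 1, SESSION_ID, SAMPLE_BODY, SHARED_KEY, single_connect=True)
    print("cleartext header (hex):", pkt[:HEADER.size].hex())
    print("obfuscated body  (hex):", pkt[HEADER.size:].hex())
    print("recovered user        :", parse_packet(pkt, SHARED_KEY)["body"][8:13].decode())
```

Running the sample shows the header, including the session ID and the single-connect flag, in the clear, while the username and the rest of the body are unreadable without the shared key. A wrong key silently yields garbage rather than an error, which is why a key mismatch between device and server shows up as authentication failures rather than as a decode error.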

12. A user complains about not being able to gain access to a network device configured with AAA. How would the network administrator determine if login access for the user account is disabled?

  • Use the show aaa user command.
  • Use the show running-configuration command.
  • Use the show aaa sessions command.
  • Use the show aaa local user lockout command.

Explanation: The show aaa local user lockout command provides an administrator with a list of the user accounts that are locked out and unable to be used for authentication. This command also provides the date and timestamp of the lockout occurrence.
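The configuration elements asked about in questions 3, 8, 9, 10 and 12 fit together into one server-based AAA configuration. The following is an added example (not from the quiz page or from Cisco documentation) of the Cisco IOS commands in the order they are applied: AAA is enabled globally first, then the TACACS+ server is defined with single-connection, then the method lists reference the server group with a local-case fallback, and finally accounting and local lockout are turned on. The server name, IP address, key, username and secret are placeholders.

```cisco
! Step 1 (question 8): AAA must be enabled globally before any other aaa command is accepted.
aaa new-model

! Step 2 (question 3): define the TACACS+ server. single-connection keeps one TCP connection
! to port 49 open for the life of the session instead of opening one per session.
tacacs server TACACS-SRV1
 address ipv4 10.0.0.10
 key 0 example-shared-key
 single-connection
 timeout 5

aaa group server tacacs+ TACACS-GRP
 server name TACACS-SRV1

! Step 3 (question 10): method lists. local-case is used for the fallback so that "Admin"
! does not match the account "admin"; plain local would accept either spelling.
username admin privilege 15 secret example-local-secret
aaa authentication login default group TACACS-GRP local-case
aaa authorization exec default group TACACS-GRP local

! Step 4 (question 9): accounting of EXEC sessions and privileged commands.
! start-stop sends a start record at login and a stop record at logout;
! stop-only would send just the stop record.
aaa accounting exec default start-stop group TACACS-GRP
aaa accounting commands 15 default start-stop group TACACS-GRP

! Step 5 (question 12): lock a local account after repeated failures.
aaa local authentication attempts max-fail 3

line vty 0 4
 login authentication default
 transport input ssh
```

The verification commands for the resulting state are the ones the quiz distinguishes between: `show aaa local user lockout` lists locked local accounts with the lockout timestamp, `clear aaa local user lockout username admin` releases one, `show aaa sessions` shows active AAA sessions, and `show aaa user all` shows per-user session detail. Note that the lockout applies only to the local database; a lockout on the TACACS+ server is reported by the server, not by the device.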

13. Which component of AAA is used to determine which resources a user can access and which operations the user is allowed to perform?

  • authorization
  • authentication
  • accounting
  • auditing

Explanation: One of the components in AAA is authorization. After a user is authenticated through AAA, authorization services determine which resources the user can access and which operations the user is allowed to perform.
