Module 7 Flashcards

1
Q

is a technology that allows authentication and authorization of users based on user ID and password. ___ can be configured locally on networking devices or AAA servers can be used. Accounting can log details of user sessions for the purposes of billing or for visibility into user behavior.

A

AAA

2
Q

Network and administrative AAA security in the Cisco environment has three functional components:

A

Authentication - Users and administrators must prove their identity before accessing the network and network resources. Authentication can be established using username and password combinations, challenge and response questions, token cards, and other methods. For example: “I am user ‘student’ and I know the password to prove it.”

Authorization - After the user is authenticated, authorization services determine which resources the user can access and which operations the user is allowed to perform. An example is “User ‘student’ can access host serverXYZ using SSH only.”

Accounting and auditing - Accounting records what the user does, including what is accessed, the amount of time the resource is accessed, and any changes that were made. Accounting keeps track of how network resources are used. An example is “User ‘student’ accessed host serverXYZ using SSH for 15 minutes.”

3
Q

Cisco provides two common methods of implementing AAA services:

A

Local AAA Authentication - Local AAA uses a local database for authentication. This method is sometimes known as self-contained authentication. In this course, it will be referred to as local AAA authentication. This method stores usernames and passwords locally in the Cisco router, and users authenticate against the local database, as shown in the figure. This database is the same one that is required for establishing role-based CLI. Local AAA is ideal for small networks.

Server-Based AAA Authentication - With the server-based method, the router accesses a central AAA server, such as the Cisco Secure Access Control System (ACS) for Windows, which is shown in the figure. The central AAA server contains the usernames and passwords for all users. The router uses either the Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access Control System (TACACS+) protocols to communicate with the AAA server. When there are multiple routers and switches, server-based AAA is more appropriate because accounts can be administered from a central location rather than on individual devices.

4
Q

The client establishes a connection with the router.
The AAA router prompts the user for a username and password.
The router authenticates the username and password using the local database and the user is provided access to the network based on information in the local database.

A

Local AAA Authentication

5
Q

The client establishes a connection with the router.
The AAA router prompts the user for a username and password.
The router authenticates the username and password using a AAA server.
The user is provided access to the network based on information on the remote AAA server.

A

Server-Based AAA Authentication

6
Q

When a user has been authenticated, a session is established between the router and the server.
The router requests authorization from the AAA server for the client’s requested service.
The AAA server returns a PASS/FAIL for authorization.

A

AAA Authorization

7
Q

controls what users can and cannot do on the network after they are authenticated.

is automatic and does not require users to perform additional steps after authentication.

is implemented immediately after the user is authenticated.

A

Authorization

8
Q

collects and reports usage data. This data can be used for such purposes as auditing or billing. The collected data might include the start and stop connection times, the commands executed, the number of packets, and the number of bytes.

A

AAA Accounting

9
Q

When a user has been authenticated, the AAA accounting process generates a start message to begin the accounting process.
When the user finishes, a stop message is recorded and the accounting process ends.

A

AAA Accounting

10
Q

types of information that are collected by AAA accounting.

A

Network Accounting

Connection Accounting

EXEC Accounting

System Accounting

Command Accounting

11
Q

records what the user does.

A

Accounting

12
Q

uses a created set of attributes that describe the user’s rights and permissions on the network.

A

Authorization

13
Q

is used to determine the identity of a user prior to allowing access to the network.

A

Authentication

14
Q

collects and reports usage data so that it can be used for auditing or billing users.

A

Accounting

15
Q

proves the identity of users and administrators.

A

Authentication

16
Q

determines what a user can and cannot do on the network.

A

Authorization

17
Q

controls the resources that a user can access and the operations that the user is allowed to perform.

A

Authorization

18
Q

can provide leverage against individuals who perform malicious actions.

A

Accounting

19
Q

controls who is permitted to access the network.

A

Authentication

20
Q

Configure Local AAA Authentication

A

Step 1. Add usernames and passwords to the local router database for users that need administrative access to the router.

R1(config)# username JR-ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd
R1(config)# username ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd

Step 2. Enable AAA globally on the router.

R1(config)# aaa new-model

Step 3. Configure AAA parameters on the router.

R1(config)# aaa authentication login default local-case

Step 4. Confirm and troubleshoot the AAA configuration.

21
Q

Authentication methods

A

Router(config)# aaa authentication login {default | list-name} method1…[ method4 ]

22
Q

This command secures AAA user accounts by locking out accounts that have excessive failed attempts.

A

aaa local authentication attempts max-fail

Router(config)# aaa local authentication attempts max-fail [number-of-unsuccessful-attempts]

23
Q

To display a list of all locked-out users, use the

A

show aaa local user lockout

R1# show aaa local user lockout

24
Q

To display the attributes that are collected for one AAA session, use the ___ command.

To show the unique ID of a session, use the ___ command.

A

show aaa user

R1# show aaa sessions

25
Q

___ is an identity and access control policy platform that enables enterprises to enforce compliance, enhance infrastructure security, and streamline their service operations. The architecture of _____ allows enterprises to gather real-time contextual information from networks, users, and devices.

A

Cisco Identity Services Engine (ISE)

26
Q

Several features of ISE are:

A

Asset Visibility - Provides visibility and control over who and what is on the network consistently, across wireless, wired, and VPN connections. Cisco ISE uses probes and device sensors to listen to the way devices connect to the network. The Cisco ISE profile database, which is extensive, then classifies the device. This gives the visibility and context that is required to grant the right level of network access.

Posture assessment – Determines if the device complies with device security policies before it connects to the network. It can determine if a device is clean of viruses and suspicious applications and can even make sure that a device’s antivirus software is up to date.

Segmentation - Cisco ISE uses contextual data about network devices and endpoints to facilitate network segmentation. Security group tags, access control lists, network access protocols, and policy sets that define authorization, access, and authentication are some of the ways in which Cisco ISE enables secure network segmentation.

Guest management and secure wireless – Enables providing secure network access to visitors, contractors, consultants, and customers.

Threat Containment - If Cisco ISE detects threat or vulnerability attributes from an endpoint, adaptive network control policies are sent to dynamically change the access levels of the endpoint. After the threat or vulnerability is evaluated and addressed, the endpoint can be given back its original access policy.

27
Q

ISE provides context-aware identity management:

A

To determine whether users are accessing the network on an authorized, policy-compliant device

To establish user identity, location, and access history, which can be used for compliance and reporting

To assign services based on the assigned user role, group, and associated policy (job role, location, device type, etc.)

To grant authenticated users access to specific segments of the network, or specific applications and services, or both, based on authentication results

28
Q

Functionality

Separates AAA according to the AAA architecture, allowing modularity of the security server implementation

A

TACACS+

29
Q

Functionality

Combines authentication and authorization but separates accounting, allowing less flexibility in implementation than TACACS+

A

RADIUS

30
Q

Standard

Mostly Cisco supported

A

TACACS+

31
Q

Standard

Open/RFC standard

A

RADIUS

32
Q

Transport Protocol

TCP

A

TACACS+

33
Q

Transport Protocol

UDP

A

RADIUS

34
Q

CHAP

Bidirectional challenge and response as used in Challenge Handshake Authentication Protocol (CHAP)

A

TACACS+

35
Q

CHAP

Unidirectional challenge and response from the RADIUS security server to the RADIUS client

A

RADIUS

36
Q

Confidentiality

Entire packet encrypted

A

TACACS+

37
Q

Confidentiality

Password encrypted

A

RADIUS

38
Q

Customization

Provides authorization of router commands on a per-user or per-group basis

A

TACACS+

39
Q

Customization

Has no option to authorize router commands on a per-user or per-group basis

A

RADIUS

40
Q

Accounting

Limited

A

TACACS+

41
Q

Accounting

Extensive

A

RADIUS

42
Q

These are three critical factors for TACACS+:

A

Separates authentication and authorization

Encrypts all communication

Utilizes TCP port 49

43
Q

These are four critical factors for RADIUS:

A

Combines RADIUS authentication and authorization as one process

Encrypts only the password

Utilizes UDP

Supports remote-access technologies, 802.1X, and Session Initiation Protocol (SIP)

44
Q

RADIUS uses UDP port 1645 or 1812 for authentication and UDP port 1646 or 1813 for accounting.

A

True

45
Q

Steps to Configure Server-Based AAA Authentication

A

Step 1. Globally enable AAA to allow the use of all AAA elements. This step is a prerequisite for all other AAA commands.

Step 2. Specify the server that will provide AAA services for the router. This can be a TACACS+ or RADIUS server.

Step 3. Configure the encryption key needed to encrypt the data transfer between the network device and AAA server.

Step 4. Configure the AAA authentication method list to refer to the TACACS+ or RADIUS server. For redundancy, it is possible to configure more than one server.

R1(config)# aaa new-model
R1(config)#
R1(config)# tacacs server Server-T
R1(config-server-tacacs)# address ipv4 192.168.1.101
R1(config-server-tacacs)# single-connection
R1(config-server-tacacs)# key TACACS-Pa55w0rd
R1(config-server-tacacs)# exit
R1(config)#

46
Q

how to configure a Cisco router to access a AAA RADIUS server by completing the following:

A

Step 1. Create users on the RADIUS server.

Step 2. Set a secret key on the RADIUS server.

Step 3. Verify port 1812 for the RADIUS authentication port and 1813 for the RADIUS accounting port.

Step 4. Set up SSH on the router for remote access.

Step 5. Set up a local user on the router in case of RADIUS server failure.

Step 6. Enable AAA authentication on the router.

Step 7. Set AAA authentication login method lists.

Step 8. Enable the router to use the RADIUS server for authentication by configuring the following on the router:

RADIUS server name
RADIUS server IP address, authentication port 1812, and accounting port 1813
shared secret key

Step 9. Configure the console line and specify the AAA login authentication method list to use.

Step 10. Configure the VTY lines for SSH and specify the AAA login authentication method list to use.

Step 11. Test and verify.

47
Q

The authorization type can specify the types of commands or services:

A

network - for network services such as PPP and SLIP

exec - for User EXEC terminal sessions

commands level - command authorization attempts authorization for all EXEC mode commands, including global configuration commands, associated with a specific privilege level

48
Q

The following three parameters are commonly used aaa accounting keywords:

A

network - Runs accounting for all network-related service requests, including PPP.

exec - Runs accounting for the EXEC shell session.

connection - Runs accounting on all outbound connections such as SSH and Telnet.

49
Q

Possible triggers include:

A

start-stop - Sends a “start” accounting notice at the beginning of a process and a “stop” accounting notice at the end of a process.

stop-only - Sends a “stop” accounting record for all cases including authentication failures.

none - Disables accounting services on a line or interface.

50
Q

What is a feature of the TACACS+ protocol?

A

TACACS+ has the following features:
separates authentication and authorization
encrypts all communication
uses TCP port 49

50
Q

The ____ specifies what actions cause accounting records to be updated.

A

trigger

51
Q

Which two protocols are used to provide server-based AAA authentication? (Choose two.)

A

Server-based AAA authentication uses an external TACACS or RADIUS authentication server to maintain a username and password database. When a client establishes a connection with an AAA enabled device, the device authenticates the client by querying the authentication servers.

52
Q

Which functionality does the TACACS single-connection keyword provide to AAA services?

A

The single-connection keyword enhances TCP performance with TACACS+ by maintaining a single TCP connection for the life of the session. Without the single-connection keyword, a TCP connection is opened and closed per session.

53
Q

What are three access control security services? (Choose three.)

A

This question refers to AAA authentication, authorization, and accountability.

54
Q

What is the purpose of the network security accounting function?

A

Authentication, authorization, and accounting are network services collectively known as AAA. Authentication requires users to prove who they are. Authorization determines which resources the user can access. Accounting keeps track of the actions of the user.

55
Q

What does the TACACS+ protocol provide in a AAA deployment?

A

TACACS+ utilizes TCP port 49, provides authorization on a per-user or per-group basis, encrypts the entire packet, and does not provide compatibility with previous TACACS protocols.

56
Q

Which term describes the ability of a web server to keep a log of the users who access the server, as well as the length of time they use it?

A

Accounting records what users do and when they do it, including what is accessed, the amount of time the resource is accessed, and any changes that were made. Accounting keeps track of how network resources are used.

57
Q

What is the first required task when configuring server-based AAA authentication?

A

When server-based AAA authentication is being configured, AAA must be globally enabled to allow the use of all AAA elements. This step is a prerequisite for all other AAA commands.

58
Q

What is a characteristic of AAA accounting?

A

AAA accounting enables usage tracking, such as dial-in access and EXEC shell sessions, to log the data gathered to a database, and to produce reports on the data gathered. Configuring AAA accounting with the keyword Start-Stop triggers the process of sending a “start” accounting notice at the beginning of a process and a “stop” accounting notice at the end of a process. AAA accounting is not limited to network connection activities. AAA accounting is in effect, if enabled, after a user has successfully authenticated. Allowing and disallowing user access is the scope of AAA authorization.

59
Q

When a method list for AAA authentication is being configured, what is the effect of the keyword local?

A

In defining an AAA authentication method list, one option is to use a preconfigured local database. There are two keywords, either of which enables local authentication via the preconfigured local database. The keyword local accepts a username regardless of case, and the keyword local-case is case-sensitive for both usernames and passwords.

60
Q

Which statement describes a difference between RADIUS and TACACS+?

A

TACACS+ uses TCP, encrypts the entire packet (not just the password), and separates authentication and authorization into two distinct processes. Both protocols are supported by the Cisco Secure ACS software.

61
Q

A user complains about not being able to gain access to a network device configured with AAA. How would the network administrator determine if login access for the user account is disabled?

A

The show aaa local user lockout command provides an administrator with a list of the user accounts that are locked out and unable to be used for authentication. This command also provides the date and timestamp of the lockout occurrence.

62
Q

Which component of AAA is used to determine which resources a user can access and which operations the user is allowed to perform?

A

One of the components in AAA is authorization. After a user is authenticated through AAA, authorization services determine which resources the user can access and which operations the user is allowed to perform.