Practice Q's - Dot1x Flashcards

1
Q

You have executed the following commands on switchA:

What is the result of executing the given commands? (Choose two.)

A. Only the listed RADIUS server is used for authentication

B. 802.1X authentication is enabled on the Fa0/1 interface only

C. The key for the RADIUS server is firstKey111

D. AAA is not enabled on the switch

A

Answer: A,C

Explanation:

A default list is used for the RADIUS server for authentication and the key for the RADIUS server is firstKey111. A RADIUS server combines the authentication and authorization processes. Before you configure the RADIUS server, you should enable AAA by using the aaa new-model command in the global configuration mode. Then, you can specify the location of the RADIUS server and the key using the radius-server host command. In this case, the RADIUS server is located at the IP address 192.168.105.67 and requires the key firstKey111 as the encryption key. This key must be mutually agreed upon by the server and the clients.

The aaa authentication dot1x default group radius command creates a method list for 802.1X authentication. The default group radius keywords specify that the default method will be to use all listed RADIUS servers to authenticate clients. Since only one is listed, it will be the only one used.

It is incorrect to state that 802.1X authentication is enabled on the Fa0/1 interface only. The interface range Fa 0/1 - 11 and the dot1x port-control auto commands specify that 802.1X authentication is enabled on the interfaces Fa0/1 to Fa0/11.

It is incorrect to state that AAA is not enabled on the switch. The aaa new-model command enables AAA globally on the switch.

2
Q

What switch security configuration requires AAA to be configured on the switch?

A. VACL

B. 802.1x

C. Private VLAN

D. port security

A

Answer: B

Explanation:

802.1x requires AAA to be configured on the switch. 802.1x uses AAA authentication to control access to the port.

The overall steps required to configure a switch for 802.1x are:

(none)

3
Q

Which protocol provides port-based access control and authentication?

A. 802.1X

B. 802.1W

C. 802.1P

D. 802.1Q

A

Answer: A

Explanation:

IEEE 802.1X provides port-based access control and authentication.

IEEE 802.1X is a client-server based access control model. If IEEE 802.1X is enabled on a switch interface, the interface is in an unauthorized state until it is authenticated. Until the station is authenticated, the only protocols allowed through switch ports are:

The supplicant PAE sends EAPOL packets that indicate its request for access through the switch to the LAN. The switch performs the authenticator role by processing the EAPOL packets from the port-attached supplicant PAE and forwarding an authentication request to the authentication server. The only supported authentication server is a Remote Access Dial-In User Server (RADIUS) server with EAP extensions. The authentication server checks the identity of the client (the supplicant PAE) and will either accept or reject the request. If the server accepts the request, the port is authorized and the switch will send and receive all frames. If it fails, only EAPOL packets will continue to be processed. Once the client is finished with the connection, an EAPOL logoff is issued, and the switch port once again becomes unauthorized.

Below is a sample configuration to enable 802.1X authentication and enable it on an interface:

  • switch(config)# aaa new-model
  • switch(config)# aaa authentication dot1x default group radius
  • switch(config)# dot1x system-auth-control
  • switch(config-if)# dot1x port-control auto

802.1W is the standard for Rapid Spanning Tree Protocol (RSTP). It is not related to port-based access control and authentication.

802.1P is a method for assigning priority to packets traversing a network. It is not related to port-based access control and authentication.

802.1Q describes VLAN tagging. It is not related to port-based access control and authentication.