CCNA Security Chapter 3 Exam v2

Implementing Network Security (Version 2.0) – CCNAS Chapter 3 Exam Answers 2019 Full 100%

  1. Because of implemented security controls, a user can only access a server with FTP. Which AAA component accomplishes this?

    • accessibility
    • accounting
    • auditing
    • authentication
    • authorization
      Explanation:

      One of the components in AAA is authorization. After a user is authenticated through AAA, authorization services determine which resources the user can access and which operations the user is allowed to perform.

  2. Why is authentication with AAA preferred over a local database method?

    • It uses less network bandwidth.
    • It requires a login and password combination on the console, vty lines, and aux ports.
    • It provides a fallback authentication method if the administrator forgets the username or password.
    • It specifies a different password for each line or port.
      Explanation:

      The local database method of authentication does not provide a fallback authentication method if an administrator forgets the username or password. Password recovery will be the only option. When authentication with AAA is used, a fallback method can be configured to allow an administrator to use one of many possible backup authentication methods.

  3. Which authentication method stores usernames and passwords in the router and is ideal for small networks?

    • local AAA
    • local AAA over RADIUS
    • local AAA over TACACS+
    • server-based AAA
    • server-based AAA over RADIUS
    • server-based AAA over TACACS+
      Explanation:

      In a small network with a few network devices, AAA authentication can be implemented with the local database, with usernames and passwords stored on the network devices themselves. Authentication using the TACACS+ or RADIUS protocol requires dedicated AAA servers (such as Cisco Secure ACS), but that server-based solution scales well in a large network.

  4. Which component of AAA allows an administrator to track individuals who access network resources and any changes that are made to those resources?

    • accessibility
    • accounting
    • authentication
    • authorization
      Explanation:

      One of the components in AAA is accounting. After a user is authenticated through AAA, AAA servers keep a detailed log of exactly what actions the authenticated user takes on the device.

  5. Refer to the exhibit. Router R1 has been configured as shown, with the resulting log message. On the basis of the information that is presented, which two statements describe the result of AAA authentication operation? (Choose two.)

    Implementing Network Security ( Version 2.0) – CCNAS Chapter 3 Exam Answers 2019 01

    • The locked-out user failed authentication.
    • The locked-out user is locked out for 10 minutes by default.
    • The locked-out user stays locked out until the interface is shut down then re-enabled.
    • The locked-out user should have used the username admin and password Str0ngPa55w0rd.
    • The locked-out user stays locked out until the clear aaa local user lockout username Admin command is issued.
      Explanation:

      The aaa local authentication attempts max-fail <number-of-unsuccessful-attempts> command secures AAA user accounts by locking out accounts that have too many failed attempts. Once the <number-of-unsuccessful-attempts> condition is reached, the user account is locked, and it stays locked, however much time passes, until an administrator clears it with the clear aaa local user lockout username <username> command.
  6. A user complains about being locked out of a device after too many unsuccessful AAA login attempts. What could be used by the network administrator to provide a secure authentication access method without locking a user out of a device?

    • Use the none keyword when configuring the authentication method list.
    • Use the aaa local authentication attempts max-fail global configuration mode command with a higher number of acceptable failures.
    • Use the login delay command for authentication attempts.
    • Use the login local command for authenticating user access.
      Explanation:

      The login delay command introduces a delay between failed login attempts without locking the account. This gives a user unlimited attempts at accessing a device without causing the user account to become locked and thus requiring administrator intervention, while still slowing down password guessing.
  7. A user complains about not being able to gain access to a network device configured with AAA. How would the network administrator determine if login access for the user account is disabled?

    • Use the show aaa user command.
    • Use the show aaa sessions command.
    • Use the show aaa local user lockout command.
    • Use the show running-configuration command.
      Explanation:

      The show aaa local user lockout command provides an administrator with a list of the user accounts that are locked out and unable to be used for authentication. This command also provides the date and timestamp of the lockout occurrence.
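      The lockout and delay behaviour covered by questions 5 to 7, as an added illustration that is not part of the exam page and is not Cisco IOS code: a Python model of the local user database under aaa local authentication attempts max-fail and under login delay, including what show aaa local user lockout would list and what clear aaa local user lockout does. The usernames, passwords and clock values are constructed sample data.

```python
"""Toy model of two ways IOS can respond to repeated failed logins against the
local user database:
  aaa local authentication attempts max-fail <N>   -> lock the account after N failures
  login delay <seconds>                            -> slow attempts down, never lock
Added illustration, not IOS code; users, passwords and clock values are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LocalAaa:
    users: Dict[str, str]                  # username -> password (constructed sample)
    max_fail: Optional[int] = None         # None = no "max-fail" lockout configured
    login_delay: float = 0.0               # seconds between attempts, 0 = no "login delay"
    failures: Dict[str, int] = field(default_factory=dict)
    locked: Dict[str, float] = field(default_factory=dict)   # username -> time of lockout
    last_attempt: Optional[float] = None

    def login(self, user: str, password: str, now: float) -> str:
        """Returns PASS, FAIL, LOCKED or THROTTLED. `now` is a clock in seconds."""
        # login delay: an attempt arriving too soon after the previous one is not
        # processed at all, so it neither succeeds nor counts as a failure.
        if self.last_attempt is not None and now - self.last_attempt < self.login_delay:
            return "THROTTLED"
        self.last_attempt = now
        # max-fail lockout persists until an administrator clears it; even the
        # correct password is rejected while the account is locked.
        if user in self.locked:
            return "LOCKED"
        if self.users.get(user) == password:
            self.failures.pop(user, None)
            return "PASS"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.max_fail is not None and self.failures[user] >= self.max_fail:
            self.locked[user] = now
            return "LOCKED"
        return "FAIL"

    def show_lockout(self) -> Dict[str, float]:
        """What `show aaa local user lockout` lists: locked users and the lockout time."""
        return dict(self.locked)

    def clear_lockout(self, user: str) -> None:
        """`clear aaa local user lockout username <user>`."""
        self.locked.pop(user, None)
        self.failures.pop(user, None)


def lockout_vs_delay_demo() -> Dict[str, List[str]]:
    """Three bad guesses lock 'admin' under max-fail 3 (a denial of service anyone
    who can reach the login prompt can cause); under login delay 2 the account is
    never locked, but guesses cannot be processed faster than one per 2 seconds."""
    strict = LocalAaa({"admin": "Str0ngPa55w0rd"}, max_fail=3)
    delayed = LocalAaa({"admin": "Str0ngPa55w0rd"}, login_delay=2.0)
    strict_log = [strict.login("admin", "guess", t) for t in (0, 1, 2)]
    strict_log.append(strict.login("admin", "Str0ngPa55w0rd", 3))   # right password, still locked
    strict.clear_lockout("admin")
    strict_log.append(strict.login("admin", "Str0ngPa55w0rd", 4))   # PASS after the clear
    delayed_log = [delayed.login("admin", "guess", t) for t in (0, 1, 2, 3)]
    delayed_log.append(delayed.login("admin", "Str0ngPa55w0rd", 6))
    return {"max_fail": strict_log, "login_delay": delayed_log}


if __name__ == "__main__":
    print(lockout_vs_delay_demo())
```

      The point the model makes is the trade-off behind question 6: max-fail turns a password-guessing attempt into a lockout of the administrator account, while login delay keeps the account usable and only rate-limits the guesser.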
  8. When a method list for AAA authentication is being configured, what is the effect of the keyword local?

    • It accepts a locally configured username, regardless of case.
    • It defaults to the vty line password for authentication.
    • The login succeeds, even if all methods return an error.
    • It uses the enable password for authentication.
      Explanation:

      When defining an AAA authentication method list, one option is to use the preconfigured local database. Two keywords enable local authentication against that database: local accepts a username regardless of case, whereas local-case is case-sensitive for the username. Passwords are case-sensitive with either keyword.
  9. Which solution supports AAA for both RADIUS and TACACS+ servers?

    • Implement a local database.
    • Implement both a local database and Cisco Secure Access Control System (ACS).
    • Implement Cisco Secure Access Control System (ACS) only.
    • RADIUS and TACACS+ servers cannot be supported by a single solution.
      Explanation:

      Cisco Secure Access Control System (ACS) supports both TACACS+ and RADIUS servers. Local databases do not use these servers.

  10. What difference exists when using Windows Server as an AAA server, rather than Cisco Secure ACS?

    • Windows Server requires more Cisco IOS commands to configure.
    • Windows Server only supports AAA using TACACS.
    • Windows Server uses its own Active Directory (AD) controller for authentication and authorization.
    • Windows Server cannot be used as an AAA server.
      Explanation:

      Windows Server authenticates and authorizes users against its own Active Directory domain controller, but it talks to the router as a RADIUS server, so the Cisco IOS configuration is the same whether the AAA server is Windows Server, Cisco Secure ACS, or any other RADIUS server.

  11. What is a characteristic of TACACS+?

    • TACACS+ is an open IETF standard.
    • TACACS+ is backward compatible with TACACS and XTACACS.
    • TACACS+ provides authorization of router commands on a per-user or per-group basis.
    • TACACS+ uses UDP port 1645 or 1812 for authentication, and UDP port 1646 or 1813 for accounting.
      Explanation:

      The TACACS+ protocol provides flexibility in AAA services. For example, using TACACS+, administrators can select authorization policies to be applied on a per-user or per-group basis.

  12. Which two features are included by both TACACS+ and RADIUS protocols? (Choose two.)

    • separate authentication and authorization processes
    • password encryption
    • utilization of transport layer protocols
    • SIP support
    • 802.1X support
      Explanation:

      Both TACACS+ and RADIUS encrypt passwords (RADIUS hides only the user password; TACACS+ obfuscates the entire packet body, leaving only the header in cleartext) and both run over a transport-layer protocol (TACACS+ uses TCP port 49, RADIUS uses UDP). TACACS+ separates the authentication and authorization processes, while RADIUS combines authentication and authorization into one exchange. RADIUS supports remote access technologies such as 802.1X and SIP; TACACS+ does not.

  13. Which server-based authentication protocol would be best for an organization that wants to apply authorization policies on a per-group basis?

    • ACS
    • SSH
    • RADIUS
    • TACACS+
      Explanation:

      TACACS+ separates authorization from authentication and lets the server apply authorization policies, including per-command authorization, on a per-user or per-group basis. It is also considered more secure than RADIUS because the entire TACACS+ packet body is encrypted, whereas RADIUS encrypts only the user password.
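      The encryption difference behind questions 12 and 13, as an added illustration rather than anything from the exam page or from Cisco's own code: a Python re-implementation of the RADIUS User-Password hiding from RFC 2865 and of the TACACS+ packet-body obfuscation from RFC 8907, followed by a check of which credential bytes an observer on the wire can read without the shared secret. The shared secret, session id, user name and password are constructed sample values; the port constants match the defaults discussed in question 14.

```python
"""What an on-path observer sees of a login under RADIUS versus TACACS+.
RADIUS hides only the User-Password attribute (RFC 2865 section 5.2: MD5 of the
shared secret and Request Authenticator, XORed with the password); User-Name and
every other attribute travel in the clear. TACACS+ XORs the entire packet body
with an MD5 pseudo-pad derived from the shared key (RFC 8907 section 4.5), so
only the 12-byte header is visible. Added illustration re-implemented from the
RFCs; secret, session id, user and password are constructed."""
import hashlib
import os
import struct

RADIUS_PORTS = {"cisco_default": (1645, 1646), "iana": (1812, 1813)}  # (auth, acct), UDP
TACACS_PORT = 49                                                       # TCP


# ---------------- RADIUS: User-Password hiding ----------------
def radius_hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """c1 = p1 XOR MD5(S + RA); c(i) = p(i) XOR MD5(S + c(i-1)), in 16-byte blocks."""
    padded = password + b"\x00" * (-len(password) % 16)   # null-pad to a multiple of 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ q for p, q in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out


def radius_reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(p ^ q for p, q in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def radius_access_request(secret: bytes, ident: int, username: bytes, password: bytes) -> bytes:
    """Code 1 (Access-Request), Identifier, Length, 16-byte Request Authenticator, attributes."""
    authenticator = os.urandom(16)
    attrs = bytes([1, 2 + len(username)]) + username                      # User-Name (1), cleartext
    hidden = radius_hide_password(secret, authenticator, password)
    attrs += bytes([2, 2 + len(hidden)]) + hidden                         # User-Password (2)
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs


# ---------------- TACACS+: whole-body obfuscation ----------------
def tacacs_pad(key: bytes, session_id: int, version: int, seq_no: int, length: int) -> bytes:
    """pad_1 = MD5(session_id + key + version + seq_no); pad_n = MD5(same + pad_n-1)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_crypt(key: bytes, session_id: int, version: int, seq_no: int, body: bytes) -> bytes:
    """XOR with the pseudo-pad; encryption and decryption are the same operation."""
    return bytes(b ^ p for b, p in zip(body, tacacs_pad(key, session_id, version, seq_no, len(body))))


def tacacs_authen_start(key: bytes, session_id: int, username: bytes, password: bytes) -> bytes:
    """Authentication START for a PAP login. Header: version, type 1 (authen),
    seq_no 1, flags 0 (body obfuscated), session_id, body length."""
    version, seq_no = 0xC0, 1
    # action=LOGIN, priv_lvl=1, authen_type=PAP, service=LOGIN,
    # then user_len, port_len, rem_addr_len, data_len; data carries the PAP password
    body = bytes([1, 1, 2, 1, len(username), 0, 0, len(password)]) + username + password
    header = struct.pack("!BBBBII", version, 1, seq_no, 0, session_id, len(body))
    return header + tacacs_crypt(key, session_id, version, seq_no, body)


def tacacs_decrypt_body(key: bytes, packet: bytes) -> bytes:
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    return tacacs_crypt(key, session_id, version, seq_no, packet[12:12 + length])


def observer_view(secret: bytes, username: bytes, password: bytes) -> dict:
    """Which credentials are readable on the wire without the shared secret."""
    rad = radius_access_request(secret, 7, username, password)
    tac = tacacs_authen_start(secret, 0x1234ABCD, username, password)
    return {"radius": {"user_visible": username in rad, "password_visible": password in rad},
            "tacacs": {"user_visible": username in tac, "password_visible": password in tac}}


if __name__ == "__main__":
    print(observer_view(b"s3cr3t-shared-key", b"alice", b"Str0ngPa55w0rd"))
```

      Note that both schemes rest on MD5 and the strength of the shared secret; neither provides modern authenticated encryption, which is why both RFCs recommend carrying the traffic over a protected path such as IPsec.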

  14. Refer to the exhibit. Which statement describes the configuration of the ports for Server1?

    Implementing Network Security ( Version 2.0) – CCNAS Chapter 3 Exam Answers 2019 02

    • The configuration is using the default ports for a Cisco router.
    • The configuration of the ports requires 1812 be used for the authentication and the authorization ports.
    • The configuration will not be active until it is saved and Rtr1 is rebooted.
    • The ports configured for Server1 on the router must be identical to those configured on the RADIUS server.
      Explanation:

      Cisco routers, by default, use UDP port 1645 for RADIUS authentication and port 1646 for accounting (the IANA-registered ports are 1812 and 1813). Whatever auth-port and acct-port values are configured for Server1 on Rtr1, they must match the ports on which the RADIUS server actually listens; RADIUS handles authentication and authorization in the same exchange, so there is no separate authorization port.

  15. True or False?

    The single-connection keyword prevents the configuration of multiple TACACS+ servers on a AAA-enabled router.

    • true
    • false
      Explanation:

      The single-connection keyword enhances TCP performance by keeping one TCP connection to the TACACS+ server open and reusing it for all AAA sessions, instead of opening and tearing down a connection for each session. The keyword does not prevent the configuration of multiple TACACS+ servers.
  16. Why would a network administrator include a local username configuration, when the AAA-enabled router is also configured to authenticate using several ACS servers?

    • The local username database will provide a backup for authentication in the event the ACS servers become unreachable.
    • A local username database is required when configuring authentication using ACS servers.
    • Without a local username database, the router will require successful authentication with each ACS server.
    • Because ACS servers only support remote user access, local users can only authenticate using a local username database.
      Explanation:

      The local username database can serve as a backup method for authentication if no ACS servers are available.
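      How a method list falls back, covering questions 2, 8 and 16, as an added illustration that is neither from the exam page nor Cisco IOS code: a Python model of a list such as aaa authentication login default group tacacs+ local-case. The detail that matters in practice is that IOS moves to the next method only when the current one returns an error (no server answered); a rejected password is a failure, not an error, so the local database does not give a second chance while the servers are up. The local and local-case keywords from question 8 are modelled too. Users, passwords and server contents are constructed.

```python
"""Toy model of how IOS walks an AAA login method list such as
  aaa authentication login default group tacacs+ local-case
Methods are tried left to right. The next method is consulted only when the
current one returns ERROR (no server in the group answered); a FAIL (the server
or the local database rejected the credentials) ends the attempt, so the local
fallback cannot be used to bypass a wrong-password verdict from the servers.
Added illustration, not IOS code; all users, passwords and names are constructed."""
from typing import Callable, Dict, List, Optional, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"
Method = Callable[[str, str], str]


def local(users: Dict[str, str], case_sensitive: bool = False) -> Method:
    """`local` matches usernames regardless of case; `local-case` is case-sensitive.
    Passwords are case-sensitive with either keyword."""
    def method(user: str, password: str) -> str:
        for name, secret in users.items():
            matched = name == user if case_sensitive else name.lower() == user.lower()
            if matched:
                return PASS if secret == password else FAIL
        return FAIL
    return method


def server_group(reachable: bool, users: Dict[str, str]) -> Method:
    """`group tacacs+` / `group radius`: ERROR if no server answers, otherwise
    the server's own verdict."""
    def method(user: str, password: str) -> str:
        if not reachable:
            return ERROR
        return PASS if users.get(user) == password else FAIL
    return method


def none_method(user: str, password: str) -> str:
    """`none`: no authentication at all. Only defensible as the last method on a
    physically secured console, never on vty lines."""
    return PASS


def authenticate(method_list: List[Tuple[str, Method]], user: str, password: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, name of the method that decided). ERROR with no deciding
    method means every method errored out; the login is then denied."""
    for name, method in method_list:
        verdict = method(user, password)
        if verdict != ERROR:
            return verdict, name
    return ERROR, None


# Constructed databases: the ACS servers know more users than the router's local database.
ROUTER_LOCAL = {"Admin": "Str0ngPa55w0rd"}
ACS_USERS = {"Admin": "Str0ngPa55w0rd", "ops": "Op5-Pass!"}


def method_list(servers_reachable: bool) -> List[Tuple[str, Method]]:
    """group tacacs+ first, local-case as the backup."""
    return [("group tacacs+", server_group(servers_reachable, ACS_USERS)),
            ("local-case", local(ROUTER_LOCAL, case_sensitive=True))]


if __name__ == "__main__":
    for up in (True, False):
        for user, pw in (("ops", "Op5-Pass!"), ("ops", "wrong"),
                         ("Admin", "Str0ngPa55w0rd"), ("admin", "Str0ngPa55w0rd")):
            state = "up" if up else "down"
            print(f"servers {state}: {user}/{pw} -> {authenticate(method_list(up), user, pw)}")
```

      Two consequences worth noticing: when the servers are down, an account that exists only on the servers cannot log in at all, so the local backup account has to be maintained on the router itself; and with local-case the username Admin and admin are different accounts.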
  17. Which debug command is used to focus on the status of a TCP connection when using TACACS+ for authentication?

    • debug aaa authentication
    • debug tacacs accounting
    • debug tacacs events
    • debug tacacs
      Explanation:

      The debug tacacs events command displays the opening and closing of a TCP connection to a TACACS+ server, the bytes that are read and written over the connection, and the TCP status of the connection.
  18. Which characteristic is an important aspect of authorization in an AAA-enabled network device?

    • A user must be identified before network access is granted.
    • User actions are recorded for use in audits and troubleshooting events.
    • User access is restricted to certain services.
    • The authorization feature enhances network performance.
      Explanation:

      Authorization is the ability to control user access to specific services. Authentication is used to verify the identity of the user. The accounting feature logs user actions once the user is authenticated and authorized.
  19. What is the result of entering the aaa accounting network command on a router?

    • The router outputs accounting data for all outbound connections such as SSH and Telnet.
    • The router collects and reports usage data related to network-related service requests.
    • The router outputs accounting data for all EXEC shell sessions.
    • The router provides data for only internal service requests.
      Explanation:

      Three of the activity types that can be specified with aaa accounting are:

      • network – runs accounting for all network-related service requests, including PPP
      • exec – runs accounting for all EXEC shell sessions
      • connection – runs accounting for all outbound connections such as SSH and Telnet
  20. What is a characteristic of AAA accounting?

    • Accounting can only be enabled for network connections.
    • Users are not required to be authenticated before AAA accounting logs their activities on the network.
    • Possible triggers for the aaa accounting exec default command include start-stop and stop-only.
    • Accounting is concerned with allowing and disallowing authenticated users access to certain areas and programs on the network.
      Explanation:

      AAA accounting enables usage tracking, such as dial-in access and EXEC shell sessions, logs the gathered data to a database, and produces reports from that data. Configuring AAA accounting with the keyword start-stop sends a “start” accounting notice at the beginning of a process and a “stop” accounting notice at the end of it; stop-only sends just the final notice. AAA accounting is not limited to network connection activities. Accounting records are generated only after a user has successfully authenticated. Allowing and disallowing user access is the scope of AAA authorization.

  21. When using 802.1X authentication, what device controls physical access to the network, based on the authentication status of the client?

    • the switch that the client is connected to
    • the authentication server
    • the supplicant
    • the router that is serving as the default gateway
      Explanation:

      The devices involved in the 802.1X authentication process are as follows:

      • The supplicant, which is the client that is requesting network access
      • The authenticator, which is the switch that the client is connecting to and that actually controls physical network access
      • The authentication server, which performs the actual authentication

  22. What device is considered a supplicant during the 802.1X authentication process?

    • the client that is requesting authentication
    • the switch that is controlling network access
    • the authentication server that is performing client authentication
    • the router that is serving as the default gateway
      Explanation:

      The devices involved in the 802.1X authentication process are as follows:

      • The supplicant, which is the client that is requesting network access
      • The authenticator, which is the switch that the client is connecting to and that actually controls physical network access
      • The authentication server, which performs the actual authentication

  23. What protocol is used to encapsulate the EAP data between the authenticator and authentication server performing 802.1X authentication?

    • RADIUS
    • TACACS+
    • SSH
    • MD5
      Explanation:

      Encapsulation of EAP data between the authenticator and the authentication server is performed using RADIUS.
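      The encapsulation in question 23, as an added illustration that is not from the exam page and not vendor code: a Python construction of the RADIUS Access-Request that an authenticator (the switch) sends to the authentication server with the supplicant's EAP packet inside. The EAP packet rides in EAP-Message attributes, and RFC 3579 requires such requests to carry a Message-Authenticator attribute (an HMAC-MD5 under the shared secret) because RADIUS does not otherwise authenticate an Access-Request; the server side of that check is shown as well. The shared secret and the user identity are constructed.

```python
"""How the authenticator (switch) relays a supplicant's EAP packet to the
authentication server. The EAP packet is carried unchanged in one or more RADIUS
EAP-Message attributes (type 79, values of at most 253 bytes) and the request is
integrity-protected by a Message-Authenticator attribute (type 80): HMAC-MD5
keyed with the shared secret over the whole packet with that attribute's value
zeroed (RFC 3579 section 3.2). Added illustration; secret and identity are constructed."""
import hashlib
import hmac
import os
import struct

EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80


def eap_response_identity(ident: int, identity: bytes) -> bytes:
    """EAP packet: Code 2 (Response), Identifier, Length, Type 1 (Identity), data."""
    return struct.pack("!BBH", 2, ident, 5 + len(identity)) + b"\x01" + identity


def attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: Type, Length (including these two bytes), Value."""
    return bytes([attr_type, 2 + len(value)]) + value


def radius_access_request_eap(secret: bytes, ident: int, eap_packet: bytes) -> bytes:
    """Authenticator -> authentication server: Access-Request carrying EAP."""
    authenticator = os.urandom(16)
    attrs = b"".join(attr(EAP_MESSAGE, eap_packet[i:i + 253])
                     for i in range(0, len(eap_packet), 253))   # split across attributes
    attrs += attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)          # zeroed while computing the HMAC
    pkt = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac                                       # Message-Authenticator is last


def iter_attributes(pkt: bytes):
    """Yield (type, offset of value, value); stop on a malformed length."""
    pos = 20
    while pos + 2 <= len(pkt):
        attr_type, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            return
        yield attr_type, pos + 2, pkt[pos + 2:pos + length]
        pos += length


def verify_message_authenticator(secret: bytes, pkt: bytes) -> bool:
    """Server side: recompute the HMAC with the attribute zeroed, compare in constant
    time. A request carrying EAP-Message without Message-Authenticator is rejected."""
    for attr_type, off, value in iter_attributes(pkt):
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = pkt[:off] + b"\x00" * 16 + pkt[off + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


def extract_eap(pkt: bytes) -> bytes:
    """Reassemble the EAP packet from the EAP-Message attributes, in order."""
    return b"".join(value for attr_type, _, value in iter_attributes(pkt)
                    if attr_type == EAP_MESSAGE)


if __name__ == "__main__":
    secret = b"radius-shared-secret"
    req = radius_access_request_eap(secret, 42, eap_response_identity(1, b"alice@example.com"))
    print("valid:", verify_message_authenticator(secret, req))
    print("tampered:", verify_message_authenticator(secret, req.replace(b"alice", b"mallo")))
```

      The EAP payload itself is opaque to the switch: it only copies it between the 802.1X (EAPOL) frame on the access port and the EAP-Message attributes towards the server, which is why the same authenticator works for any EAP method the supplicant and server agree on.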