Chapter 4: Authentication, Authorization, Accounting (AAA) and Identity Management


All of these options are correct.

802.1X uses which of the following protocols? Options: (1) EAPoL (2) EAP (3) RADIUS (4) All of these options are correct.

All of these options are correct.

Access control lists classify packets by inspecting Layer 2 through Layer 7 headers for a number of parameters, including which of the following? Options: (1) Layer 2 protocol information such as EtherTypes (2) Layer 3 header information such as source and destination IP addresses (3) Layer 4 header information such as source and destination TCP or UDP ports (4) All of these options are correct.

Implicit deny; Need to know

An authorization policy should always implement which of the following concepts? (Select all that apply.) Options: (1) Implicit deny (2) Need to know (3) Access control debugging logs (4) Access control filter logs
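As an added example (not part of this flashcard set or of the Cisco material it studies), the classifier below shows what the two questions above describe together: an ACL that matches on Layer 2 (EtherType), Layer 3 (source/destination IP) and Layer 4 (protocol, port) header fields, evaluated first-match, with anything that matches no entry falling through to the implicit deny. The frames, addresses and policy are constructed for illustration; wildcard masks, port ranges and established-flag matching found in real ACLs are left out.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
PROTO_TCP = 6
PROTO_UDP = 17


@dataclass
class Packet:
    ethertype: int
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def parse_frame(frame: bytes) -> Packet:
    """Walk Layer 2 -> Layer 3 -> Layer 4 headers, stopping at whatever is present."""
    if len(frame) < 14:
        raise ValueError("short Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    pkt = Packet(ethertype=ethertype)
    if ethertype != ETHERTYPE_IPV4 or len(frame) < 34:
        return pkt  # non-IP (e.g. ARP): only the L2 fields are classifiable
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    pkt.proto = ip[9]
    pkt.src_ip = ".".join(str(b) for b in ip[12:16])
    pkt.dst_ip = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:]
    if pkt.proto in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
        pkt.src_port, pkt.dst_port = struct.unpack("!HH", l4[:4])
    return pkt


@dataclass
class Ace:
    """One access control entry; a None field is a wildcard for that header parameter."""
    action: str                       # "permit" or "deny"
    ethertype: Optional[int] = None   # Layer 2 match
    src_ip: Optional[str] = None      # Layer 3 match (exact host, for brevity)
    dst_ip: Optional[str] = None
    proto: Optional[int] = None
    dst_port: Optional[int] = None    # Layer 4 match

    def matches(self, p: Packet) -> bool:
        for name in ("ethertype", "src_ip", "dst_ip", "proto", "dst_port"):
            want = getattr(self, name)
            if want is not None and getattr(p, name) != want:
                return False
        return True


def evaluate_acl(acl: list, frame: bytes) -> str:
    """First matching ACE wins; no match falls through to the implicit deny."""
    pkt = parse_frame(frame)
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"  # implicit deny: whatever is not explicitly permitted is dropped


def build_ipv4_frame(src_ip: str, dst_ip: str, proto: int, src_port: int, dst_port: int) -> bytes:
    """Constructed sample frame (MAC addresses and the IP checksum are dummies)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    l4 = struct.pack("!HH", src_port, dst_port) + b"\x00" * 16
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + l4


def build_arp_frame() -> bytes:
    return b"\xff" * 6 + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28


# Constructed policy: permit ARP, permit HTTPS from one engineering host to the finance
# server, explicitly deny the rest of that host's TCP, and let everything else hit the implicit deny.
SAMPLE_ACL = [
    Ace("permit", ethertype=ETHERTYPE_ARP),
    Ace("permit", src_ip="10.1.1.10", dst_ip="10.2.2.20", proto=PROTO_TCP, dst_port=443),
    Ace("deny", src_ip="10.1.1.10", proto=PROTO_TCP),
]


def demo() -> dict:
    return {
        "arp": evaluate_acl(SAMPLE_ACL, build_arp_frame()),
        "https": evaluate_acl(SAMPLE_ACL, build_ipv4_frame("10.1.1.10", "10.2.2.20", PROTO_TCP, 51000, 443)),
        "ssh": evaluate_acl(SAMPLE_ACL, build_ipv4_frame("10.1.1.10", "10.2.2.20", PROTO_TCP, 51001, 22)),
        "other_host_dns": evaluate_acl(SAMPLE_ACL, build_ipv4_frame("10.1.1.11", "10.2.2.53", PROTO_UDP, 40000, 53)),
    }
```

The last case is the one worth noticing: the DNS packet from 10.1.1.11 matches no entry at all, and it is still dropped. That fall-through, not an explicit deny line, is what the "implicit deny" answer refers to.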

D. Forest

In SSO, a(n) _____ is a collection of domains managed by a centralized system. Options: A. Federation Provider B. Domain C. Factor D. Forest

802.1X

Network access devices (such as network switches and wireless access points) can use an IEEE protocol that, when enabled, allows traffic on the port only after the device has been authenticated and authorized. Which of the following is the IEEE standard used to implement port-based access control? Options: (1) 802.11ac (2) 802.1Q (3) 802.1X (4) pxGrid

UDP port 1813 (authentication and authorization use UDP port 1812; the legacy ports 1645/1646 are still seen on older equipment)

RADIUS accounting runs over what protocol and port? Options: (1) UDP port 1812 (2) UDP port 1813 (3) UDP port 1645 (4) None of these options is correct.

A. 2

Security Group Tags (SGTs) are embedded within Layer _____. Options: A. 2 B. 4 C. 3 D. 5

Cisco Common Classification Policy Language (C3PL)

The _________________ is a structured replacement for feature-specific configuration commands. This concept allows you to create traffic policies based on events, conditions, and actions. Options: (1) Cisco Common Classification Policy Language (C3PL) (2) Cisco Policy Mapping (3) Cisco TrustSec (4) None of these options is correct.

All of these options are correct. Distributed deployments also include the Monitoring and Troubleshooting Node (MnT) and a secondary MnT node (S-MnT).

Which of the following are Cisco ISE distributed node types? Options: (1) Primary Administration Node (PAN) (2) Secondary Administration Node (SAN) (3) Policy Service Node (PSN) (4) All of these options are correct.

All of these options are correct.

Which of the following are TACACS+ exchange packets used during the authentication process? Options: (1) START (2) REPLY (3) CONTINUE (4) All of these options are correct. (5) None of these options is correct.

All of these options are correct.

Which of the following are examples of some of the more popular policy attributes supported by Cisco ISE? Options: (1) Active Directory group membership and Active Directory user-based attributes (2) Time and date (3) Location of the user (4) Access method (MAB, 802.1X, wired, wireless, and so on) (5) None of these options is correct. (6) All of these options are correct.

All of these options are correct.

Which of the following are technologies used in SSO implementations? Options: (1) SAML (2) OpenID Connect (3) Microsoft Account (4) All of these options are correct.

aaa new-model

Which of the following commands enables AAA services on a Cisco router? Options: (1) aaa new-model (2) aaa authentication enable (3) aaa authentication model (4) aaa enable console

An authorization model

Which of the following defines how access rights and permissions are granted? Examples of that model include object capability, security labels, and ACLs. Options: (1) A mandatory access control model (2) An authorization model (3) An authentication model (4) An accounting model

Authentication by knowledge

Which of the following describes the type of authentication where the user provides a secret that is known only to him or her? Options: (1) Authentication by password (2) Authentication by knowledge (3) Personal identification number (PIN) code (4) Authentication by characteristics

BeyondCorp

Which of the following is a security model created by Google that is similar to the zero-trust concept? Options: (1) BeyondCorp (2) TrustSec (3) pxGrid (4) Duo

One-time passcode (OTP)

Which of the following is a set of characteristics that can be used to prove a subject's identity one time and one time only? Options: (1) One-time passcode (OTP) (2) Out-of-band (OOB) (3) Biometrics (4) None of these answers is correct.

Supplicant

Which of the following is an entity that seeks to be authenticated by an authenticator (switch, wireless access point, and so on)? This entity could use software such as the Cisco AnyConnect Secure Mobility Client. Options: (1) PAN (2) PSN (3) Supplicant (4) None of these options is correct.

SAML (Security Assertion Markup Language)

Which of the following is an open standard for exchanging authentication and authorization data between identity providers and service providers, and is used in many single sign-on (SSO) implementations? Options: (1) SAML (2) OAuth 2.0 (3) OpenConnectID (4) DUO Security

B. time

Which of the following is not one of the three factors of authentication? Options: A. knowledge B. time C. characteristics D. possession

Ethical hackers use the same methods but strive to do no harm.

Which of the following is one primary difference between a malicious hacker and an ethical hacker? Options: (1) Malicious hackers use different tools and techniques than ethical hackers use. (2) Malicious hackers are more advanced than ethical hackers because they can use any technique to attack a system or network. (3) Ethical hackers obtain permission before bringing down servers or stealing credit card databases. (4) Ethical hackers use the same methods but strive to do no harm.

To authorize only a single MAC address per port

Which of the following is the default behavior of an 802.1X-enabled port? Options: (1) To authorize only a single MAC address per port (2) To authorize only a single IP address per port (3) To perform MAC auth bypass only if the MAC is registered to ISE (4) To authenticate only a single host that has an identity certificate
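Several cards above (802.1X uses EAPoL, EAP and RADIUS; the port passes traffic only after authentication; the supplicant talks to an authenticator; single MAC per port by default) describe one mechanism. This added example, which is mine and not from the flashcard set or the Cisco book, models the authenticator side of it in Python: it parses EAPOL frames (EtherType 0x888E) and the EAP packet inside them, shows how the EAP payload is repackaged into RADIUS EAP-Message attributes (type 79) for the AAA server, and keeps the port closed until EAP Success, after which exactly one source MAC is allowed through. The RADIUS server is replaced by a constructed stand-in that accepts any non-empty identity; MAC addresses and the identity "alice" are made up.

```python
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # destination of EAPOL frames from a supplicant
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
RADIUS_ATTR_EAP_MESSAGE = 79


def eapol_frame(src_mac: bytes, eapol_type: int, body: bytes = b"") -> bytes:
    """Ethernet header + EAPOL header (version 2, 802.1X-2004) + optional EAP packet."""
    eth = PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETHERTYPE_EAPOL)
    return eth + struct.pack("!BBH", 2, eapol_type, len(body)) + body


def eap_packet(code: int, ident: int, eap_type: int = None, data: bytes = b"") -> bytes:
    """EAP header: Code, Identifier, Length; Request/Response also carry a Type byte and type data."""
    payload = (bytes([eap_type]) if eap_type is not None else b"") + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def parse_frame(frame: bytes) -> dict:
    """Split a frame into L2 fields, the EAPOL header and (if present) the EAP header."""
    info = {"src_mac": frame[6:12], "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if info["ethertype"] != ETHERTYPE_EAPOL:
        return info
    ver, etype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    info.update(eapol_version=ver, eapol_type=etype, eapol_body=body)
    if etype == EAPOL_EAP_PACKET and len(body) >= 4:
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        info.update(eap_code=code, eap_id=ident,
                    eap_type=body[4] if eap_len > 4 else None, eap_data=body[5:eap_len])
    return info


def radius_eap_message_attrs(eap: bytes) -> bytes:
    """The authenticator does not interpret EAP; it relays it to RADIUS in EAP-Message attributes, 253 bytes each."""
    return b"".join(bytes([RADIUS_ATTR_EAP_MESSAGE, 2 + len(eap[i:i + 253])]) + eap[i:i + 253]
                    for i in range(0, len(eap), 253))


class PortAuthenticator:
    """A switch port in the default single-host mode: closed until EAP Success, then open for one MAC."""

    def __init__(self):
        self.authorized_mac = None
        self.sent = []                  # frames the authenticator would transmit to the supplicant
        self.last_relayed_attrs = b""   # what would have gone to the RADIUS server

    def forward(self, frame: bytes) -> bool:
        """Return True if the port lets this frame through to the network."""
        p = parse_frame(frame)
        if p["ethertype"] == ETHERTYPE_EAPOL:
            self._handle_eapol(p)
            return False  # EAPOL is consumed by the authenticator, never forwarded
        return self.authorized_mac is not None and p["src_mac"] == self.authorized_mac

    def _handle_eapol(self, p: dict) -> None:
        if p["eapol_type"] == EAPOL_START:
            self.sent.append(eapol_frame(b"\x00" * 6, EAPOL_EAP_PACKET, eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)))
        elif p["eapol_type"] == EAPOL_LOGOFF:
            self.authorized_mac = None
        elif p.get("eap_code") == EAP_RESPONSE:
            self.last_relayed_attrs = radius_eap_message_attrs(p["eapol_body"])
            accepted = bool(p["eap_data"])  # constructed stand-in for the RADIUS Access-Accept/Reject decision
            if accepted:
                self.authorized_mac = p["src_mac"]
                self.sent.append(eapol_frame(b"\x00" * 6, EAPOL_EAP_PACKET, eap_packet(EAP_SUCCESS, p["eap_id"])))
            else:
                self.sent.append(eapol_frame(b"\x00" * 6, EAPOL_EAP_PACKET, eap_packet(EAP_FAILURE, p["eap_id"])))


def ipv4_frame(mac: bytes) -> bytes:
    """Constructed data frame: broadcast destination, given source MAC, EtherType IPv4, dummy payload."""
    return b"\xff" * 6 + mac + struct.pack("!H", 0x0800) + b"\x00" * 20


def demo() -> dict:
    port = PortAuthenticator()
    host, other = bytes.fromhex("aabbccddeeff"), bytes.fromhex("112233445566")
    before = port.forward(ipv4_frame(host))   # port unauthorized: data dropped
    port.forward(eapol_frame(host, EAPOL_START))
    port.forward(eapol_frame(host, EAPOL_EAP_PACKET, eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"alice")))
    after = port.forward(ipv4_frame(host))    # authorized MAC: data allowed
    second = port.forward(ipv4_frame(other))  # a second MAC on the same port: single-host mode blocks it
    return {"before": before, "after": after, "second_mac": second,
            "replies": [parse_frame(f)["eap_code"] for f in port.sent],
            "relayed_attr_type": port.last_relayed_attrs[0]}
```

The `second_mac` result is the default behaviour the last card asks about: the port is authorized for the MAC that completed EAP, not for "whatever is plugged in", so a hub or an unmanaged switch behind the port does not silently extend the authorization to other hosts.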

Accounting

Which of the following is the process of auditing and monitoring what a user does once a specific resource is accessed? Options: (1) CoA (2) Authorization (3) Accounting (4) TACACS+ auditing

SSO implementations use delegation to call external APIs to authenticate and authorize users. Delegation is used to make sure that applications and services do not store passwords and user information on-premises.

Which of the following is true about delegation in SSO implementations? (Select all that apply.) Options: (1) SSO implementations use delegation to call external APIs to authenticate and authorize users. (2) Delegation is used to make sure that applications and services do not store passwords and user information on-premises. (3) Delegation uses multifactor authentication to provide identity services to other servers in the environment. (4) pxGrid can be used for delegation between a PSN and PAN.

pxGrid

Which of the following provides a cross-platform integration capability between security monitoring applications, threat detection systems, asset management platforms, network policy systems, and practically any other IT operations platform? Options: (1) pxGrid (2) 802.1X (3) TrustSec (4) SGTs

All of these options are correct.

Which of the following statements are true about discretionary access controls (DACs)? Options: (1) Discretionary access controls (DACs) are defined by the owner of the object. (2) DACs are used in commercial operating systems. (3) The object owner builds an ACL that allows or denies access to the object based on the user's unique identity. (4) All of these options are correct.

All of these answers are correct.

Which of the following statements are true? Options: (1) RADIUS uses UDP, and TACACS+ uses TCP. (2) In RADIUS, authentication and authorization are performed with the same exchange. Accounting is done with a separate exchange. (3) In TACACS+, authentication, authorization, and accounting are performed with separate exchanges. (4) RADIUS provides limited support for command authorization. TACACS+ provides granular command authorization. (5) All of these answers are correct.
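The TACACS+ facts on the two cards above (START, REPLY and CONTINUE packets; TCP transport; authentication as its own exchange) are easier to remember once you have built the packets. This added example is mine, not from the flashcard set or the Cisco book; it follows the wire format in RFC 8907: a 12-byte header (version, type, sequence number, flags, session ID, length) and a body obfuscated by XOR with a chained-MD5 pseudo-pad derived from the session ID, the shared key, the version and the sequence number. It encodes a four-packet ASCII login (START, REPLY GETPASS, CONTINUE with the password, REPLY PASS) and decodes it again. The user, port, address, password and key are constructed values.

```python
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHEN = 0x01                # packet type: authentication (authorization and accounting are 0x02, 0x03)
TAC_PLUS_AUTHEN_LOGIN = 0x01          # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHEN_STATUS_PASS = 0x01
TAC_PLUS_AUTHEN_STATUS_GETPASS = 0x05
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TACACS_PLUS_TCP_PORT = 49

HEADER = struct.Struct("!BBBBII")     # version, type, seq_no, flags, session_id, body length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 4.5: MD5_1 = MD5(session_id, key, version, seq_no); MD5_n = MD5(..., MD5_n-1); concatenate and truncate."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; calling it again on the result restores the body (symmetric)."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def pack_packet(ptype: int, seq_no: int, session_id: int, body: bytes, key: bytes, minor: int = 0) -> bytes:
    version = (TAC_PLUS_MAJOR_VER << 4) | minor
    hdr = HEADER.pack(version, ptype, seq_no, 0x00, session_id, len(body))  # flags 0: body is obfuscated
    return hdr + obfuscate(body, session_id, key, version, seq_no)


def unpack_packet(raw: bytes, key: bytes) -> tuple:
    """Return (type, seq_no, session_id, clear body); a wrong key yields garbage, not an error."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(raw[:HEADER.size])
    body = raw[HEADER.size:HEADER.size + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return ptype, seq_no, session_id, body


def start_body(user: str, port: str, rem_addr: str) -> bytes:
    """START: action, priv_lvl, authen_type, service, four length bytes, then user, port, rem_addr, data."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    return struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), 0) + u + p + r


def reply_body(status: int, server_msg: str = "") -> bytes:
    """REPLY: status, flags, server_msg_len, data_len, server_msg, data."""
    m = server_msg.encode()
    return struct.pack("!BBHH", status, 0, len(m), 0) + m


def continue_body(user_msg: str) -> bytes:
    """CONTINUE: user_msg_len, data_len, flags, user_msg, data."""
    m = user_msg.encode()
    return struct.pack("!HHB", len(m), 0, 0) + m


def parse_reply(body: bytes) -> tuple:
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return status, body[6:6 + msg_len].decode()


def authen_exchange(key: bytes, session_id: int = 0x1A2B3C4D) -> list:
    """ASCII login on one TCP session to port 49: START, REPLY(GETPASS), CONTINUE, REPLY(PASS), decoded in order."""
    wire = [
        pack_packet(TAC_PLUS_AUTHEN, 1, session_id, start_body("alice", "tty0", "10.1.1.10"), key),
        pack_packet(TAC_PLUS_AUTHEN, 2, session_id, reply_body(TAC_PLUS_AUTHEN_STATUS_GETPASS, "Password: "), key),
        pack_packet(TAC_PLUS_AUTHEN, 3, session_id, continue_body("s3cr3t"), key),
        pack_packet(TAC_PLUS_AUTHEN, 4, session_id, reply_body(TAC_PLUS_AUTHEN_STATUS_PASS), key),
    ]
    return [unpack_packet(p, key) for p in wire]
```

Two practitioner notes fall out of the code. The sequence number is one byte and alternates client-odd, server-even, which is why a TACACS+ session cannot carry more than 255 packets. And the "encryption" is an MD5 keystream with no integrity check, which is why RFC 8907 says to run it only over a trusted network or inside a tunnel, and why a session captured together with a weak shared key is trivially decodable.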

RADIUS CoA is a feature that allows a RADIUS server to adjust the authentication and authorization state of an active client session. (It is defined in RFC 5176, Dynamic Authorization Extensions to RADIUS, and by default uses UDP port 3799; the server, not the NAS, initiates the exchange.)

Which of the following statements is true about CoA? Options: (1) RADIUS CoA is a feature that allows a RADIUS server to adjust the authentication and authorization state of an active client session. (2) RADIUS CoA is a feature that allows a RADIUS server to detect a change of configuration from other RADIUS servers and, subsequently, deny access to a client trying to connect to the network. (3) RADIUS CoA is a feature that allows a RADIUS server to perform profiling and posture assessment simultaneously. (4) None of these options is correct.

The principle of least privilege and separation of duties

You were hired to configure AAA services in an organization and are asked to make sure that users in the engineering department do not have access to resources that are meant only for the finance department. What authorization principle addresses this scenario? Options: (1) The principle of least privilege and separation of duties (2) Accounting and MAC Auth-bypass (3) Deter, delay, and detect (4) Policy-based segmentation

ACCESS-CHALLENGE messages are sent if additional information is needed. The RADIUS server needs to send an additional challenge to the access server before authenticating the user. The ACCESS-CHALLENGE will be followed by a new ACCESS-REQUEST message, which must echo back unchanged any State attribute the challenge carried (RFC 2865).

You were hired to configure RADIUS authentication in a VPN implementation. You start RADIUS debugs on the VPN device and notice ACCESS-CHALLENGE messages. What do those messages mean? Options: (1) ACCESS-CHALLENGE messages are sent if additional information is needed. The RADIUS server needs to send an additional challenge to the access server before authenticating the user. The ACCESS-CHALLENGE will be followed by a new ACCESS-REQUEST message. (2) ACCESS-CHALLENGE messages are sent if additional information is needed. The RADIUS server needs to send an additional challenge to the access server before authenticating the user. The ACCESS-CHALLENGE will be followed by a new ACCESS-REJECT message. (3) ACCESS-CHALLENGE messages are sent if the client is using multifactor authentication with a mobile device. The ACCESS-CHALLENGE will be followed by a new ACCESS-REQUEST message. (4) None of these options is correct.
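The RADIUS cards in this set (accounting on UDP 1813, authentication and authorization in one exchange, Access-Challenge followed by a new Access-Request) describe one protocol flow, so here is an added example that runs it end to end. It is mine, not from the flashcard set or the Cisco book, and follows RFC 2865/2866: the User-Password attribute is hidden by XOR with MD5(secret + Request Authenticator) blocks, the Response Authenticator lets the NAS verify the server knows the shared secret, Access-Challenge carries a State attribute that the follow-up Access-Request must echo, and the Accounting-Request authenticator is computed over sixteen zero octets. The server is a constructed in-memory stand-in (one user, one fixed OTP); names, passwords and the secret are made up, and no sockets are opened.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE, ACCESS_CHALLENGE = 4, 5, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE, ATTR_STATE = 1, 2, 18, 24
ATTR_ACCT_STATUS_TYPE, ATTR_ACCT_SESSION_ID = 40, 44
RADIUS_AUTH_PORT, RADIUS_ACCT_PORT = 1812, 1813  # legacy gear still uses 1645/1646


def attr(t: int, v: bytes) -> bytes:
    """One attribute: Type, Length (including these two bytes), Value."""
    return bytes([t, 2 + len(v)]) + v

def parse_attrs(data: bytes) -> dict:
    out, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2:
            break  # malformed attribute: stop rather than loop forever
        out[t] = data[i + 2:i + length]
        i += length
    return out

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; XOR each with MD5(secret + previous ciphertext block), first with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code, Identifier, Length (20-byte header + attributes), 16-byte Authenticator, attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code: int, ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + req_auth + attrs + secret).digest()

def accounting_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Accounting-Request (RFC 2866, sent to port 1813): the authenticator hashes 16 zero octets in place of a random one."""
    auth = hashlib.md5(struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs)) + b"\x00" * 16 + attrs + secret).digest()
    return packet(ACCOUNTING_REQUEST, ident, auth, attrs)


class ToyRadiusServer:
    """Constructed server: checks the password, challenges for an OTP, then accepts. Not a real RADIUS implementation."""

    def __init__(self, secret: bytes, users: dict, otp: str):
        self.secret, self.users, self.otp = secret, users, otp

    def handle(self, raw: bytes) -> bytes:
        code, ident, _ = struct.unpack("!BBH", raw[:4])
        req_auth, attrs = raw[4:20], parse_attrs(raw[20:])
        if code == ACCOUNTING_REQUEST:
            expected = hashlib.md5(raw[:4] + b"\x00" * 16 + raw[20:] + self.secret).digest()
            if req_auth != expected:
                return b""  # wrong shared secret or forged record: silently discard, as RFC 2866 requires
            return self._reply(ACCOUNTING_RESPONSE, ident, req_auth, b"")
        pw = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), self.secret, req_auth)
        if ATTR_STATE in attrs:  # second round: our State came back and User-Password now carries the OTP
            ok = attrs[ATTR_STATE] == b"otp-round" and pw.decode(errors="replace") == self.otp
            return self._reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, b"")
        if self.users.get(attrs.get(ATTR_USER_NAME)) != pw:
            return self._reply(ACCESS_REJECT, ident, req_auth, b"")
        challenge = attr(ATTR_REPLY_MESSAGE, b"Enter OTP") + attr(ATTR_STATE, b"otp-round")
        return self._reply(ACCESS_CHALLENGE, ident, req_auth, challenge)

    def _reply(self, code: int, ident: int, req_auth: bytes, attrs: bytes) -> bytes:
        return packet(code, ident, response_authenticator(code, ident, req_auth, attrs, self.secret), attrs)


def client_flow(secret: bytes, server: ToyRadiusServer, user: bytes, password: bytes, otp: bytes) -> list:
    """NAS side: Access-Request, Access-Challenge, a new Access-Request echoing State, Access-Accept, then Accounting-Request Start."""
    codes, ra1 = [], os.urandom(16)
    req = packet(ACCESS_REQUEST, 1, ra1, attr(ATTR_USER_NAME, user) + attr(ATTR_USER_PASSWORD, hide_password(password, secret, ra1)))
    resp = server.handle(req)
    if resp[4:20] != response_authenticator(resp[0], resp[1], ra1, resp[20:], secret):
        raise ValueError("Response Authenticator mismatch: reply is not from a server holding the shared secret")
    codes.append(resp[0])
    if resp[0] == ACCESS_CHALLENGE:
        state, ra2 = parse_attrs(resp[20:])[ATTR_STATE], os.urandom(16)
        req = packet(ACCESS_REQUEST, 2, ra2, attr(ATTR_USER_NAME, user)
                     + attr(ATTR_USER_PASSWORD, hide_password(otp, secret, ra2)) + attr(ATTR_STATE, state))
        codes.append(server.handle(req)[0])
    if codes[-1] == ACCESS_ACCEPT:
        start = attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 1)) + attr(ATTR_ACCT_SESSION_ID, b"0001")  # Acct-Status-Type 1 = Start
        codes.append(server.handle(accounting_request(3, start, secret))[0])
    return codes
```

Two things in the flow are what a practitioner reading those VPN debugs should recognise: the packet after an Access-Challenge is a brand-new Access-Request with a fresh identifier and Request Authenticator (the only link to the previous round is the echoed State attribute), and accounting does not begin until the Access-Accept arrives, which is why accounting records can appear on port 1813 while the authentication server on 1812 shows nothing wrong.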
