25 - Implementing Secure Access Control Flashcards

1
Q

What command sets the password that grants full (privileged EXEC) access on a router? By default, the password appears in the running config as an MD5 hash (type 5) on older IOS releases; newer releases hash it with SCRYPT (type 9) by default.

A

enable secret <password>

2
Q

What command changes the algorithm used to hash a configured secret?

A

enable algorithm-type {md5 | sha256 | scrypt} secret <password>

3
Q

When viewed in the running config, a password hashed with SHA-256 (type 8, PBKDF2) will show the number _ preceding the hash value, while a password hashed with SCRYPT will show the number _. The SCRYPT algorithm is considered more resistant to brute-force attacks than SHA-256. The MD5 algorithm is now considered insecure and should be avoided; if used, the number _ will appear before the hash value.

A

8, 9, 5

4
Q

What line command defines a line password that still shows up in the running config in clear text?

A

password <password> (under line con 0 or line vty)

5
Q

What command encrypts the clear-text passwords in the configuration, but with encryption that isn't very strong? It uses a Vigenère cipher, also known as type 7 encryption.

A

service password-encryption

6
Q

Although this type of encryption hides passwords from a casual observer, it is easily reversed by anyone who obtains the router's running config. Cisco therefore recommends configuring hashed secrets (enable secret, username ... secret) rather than type 7 passwords.

A

Vigenère cipher, also known as type 7 encryption

7
Q

What line command requires someone connecting to the console port to log in, supplying the line's configured password as their only authentication credential?

A

login

8
Q

What line command prevents users from remaining connected to a console port after they leave a station? With this value, when no user input is detected for 5 minutes and 0 seconds, the user is automatically logged out.

A

exec-timeout 5 0

9
Q

What command populates the locally stored user database?

A

username <name> privilege <level> secret <password>

10
Q

Using the username ... secret command causes a __ hash (type 5) of the password to appear in the router's running config, which is more secure than type 7 encryption but can still be improved upon by using type 8 or type 9 (algorithm-type sha256 or scrypt).

A

MD5

11
Q

When viewing the running config, each password or secret is preceded by a number that identifies the hash or encryption algorithm used. What are these?

A
  • 5 for MD5
  • 7 for Vigenère (type 7 encryption)
  • 8 for type 8 (SHA-256 via PBKDF2)
  • 9 for type 9 (SCRYPT)
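The cards on type 7 and on the hash-type digits are easiest to see in practice. The following is an added example, not from the flashcards or from Cisco: it reverses type 7 strings using the publicly known key stream and audits a constructed running-config (the $9$ string is a placeholder, not a real digest), reporting each password line's type and, for type 7 or clear text, the recovered plaintext.

```python
"""Audit the password types in a Cisco IOS running-config and reverse type 7.

Added example, not from the flashcards or from Cisco: the running-config text
below is constructed (the $9$ string is a placeholder, not a real digest); the
type 7 key stream is the publicly known constant.
"""
import re

# Key stream every IOS device uses for type 7.  It is public, which is why
# "service password-encryption" only defeats a casual observer.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Digit shown before the value in the running config -> (algorithm, verdict)
TYPES = {
    "0": ("cleartext", "weak"),
    "5": ("MD5", "weak"),
    "7": ("Vigenere (reversible)", "weak"),
    "8": ("PBKDF2-SHA256", "ok"),
    "9": ("SCRYPT", "ok"),
}

PW_RE = re.compile(
    r"^\s*(?P<ctx>enable (?:secret|password)"
    r"|username \S+(?: privilege \d+)? (?:secret|password)"
    r"|password)\s+(?:(?P<type>\d)\s+)?(?P<val>\S+)\s*$"
)

# Constructed sample running-config (not from a real device).
CONFIG = """\
hostname R1
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username admin privilege 15 secret 9 $9$constructed.salt$placeholder.not.a.real.scrypt.digest
username backup password 7 094F471A1A0A
line con 0
 password 7 0822455D0A16
 login
line vty 0 4
 password cisco
 transport input ssh
"""


def type7_decrypt(enc: str) -> str:
    """The first two digits are the key-stream offset; the rest is the hex of
    plaintext XOR key stream, one byte per character."""
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit():
        raise ValueError("not a type 7 string")
    seed, body = int(enc[:2]), bytes.fromhex(enc[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body)).decode()


def type7_encrypt(plain: str, seed: int = 8) -> str:
    """Inverse of type7_decrypt (IOS picks a small seed per password)."""
    data = plain.encode()
    body = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


def audit_config(config: str) -> list:
    """Return one finding per password line: its type, verdict and, for
    type 7 or clear text, the recovered plaintext."""
    findings, section = [], None
    for lineno, line in enumerate(config.splitlines(), 1):
        if not line.startswith(" "):          # top-level line: track 'line ...' blocks
            section = line.strip() if line.startswith("line ") else None
        m = PW_RE.match(line)
        if not m:
            continue
        ptype = m["type"] or "0"              # no digit means clear text
        algo, verdict = TYPES.get(ptype, ("unknown", "review"))
        recovered = None
        if ptype == "7":
            recovered = type7_decrypt(m["val"])
        elif ptype == "0":
            recovered = m["val"]
        findings.append({
            "line": lineno,
            "context": f"{section}: {m['ctx']}" if section else m["ctx"],
            "type": ptype, "algorithm": algo, "verdict": verdict,
            "recovered": recovered,
        })
    return findings


if __name__ == "__main__":
    for f in audit_config(CONFIG):
        print(f"line {f['line']:>2} {f['context']:<45} type {f['type']} "
              f"{f['algorithm']:<22} {f['verdict']:<6} {f['recovered'] or ''}")
```

Run against a real `show running-config` capture, the audit flags every type 0, 5 and 7 entry; the two type 7 strings above both decode to "cisco" without any brute force, which is the whole point of the card about type 7.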
12
Q

What global command ensures that all newly configured passwords are at least a specific length?

A

security passwords min-length <length>

13
Q

What line command allows only inbound SSH connections on the vty lines, rejecting Telnet?

A

transport input ssh

14
Q

What command disables logins for a period after a specific number of failed login attempts occur within a specific time?

A

login block-for <seconds> attempts <tries> within <seconds>

15
Q

What command references a named or numbered ACL identifying hosts that are still permitted to log in during the quiet period, so that authorised devices can always connect?

A

login quiet-mode access-class {acl-name | acl-number}

16
Q

What command specifies the number of seconds a user must wait between successive login attempts?

A

login delay <seconds>
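The three login-attack cards (block-for, quiet-mode access-class, login delay) describe one mechanism. The following is an added example, not IOS code: a simplified model of that mechanism with a sliding failure window, a device-wide failure counter (IOS counts failures globally, not per source, which is why the exemption ACL matters), a quiet period and a minimum delay between attempts. The addresses, thresholds and timings are constructed.

```python
"""Model of IOS login-attack throttling: 'login block-for B attempts N within W',
'login quiet-mode access-class' and 'login delay D'.

Added example, not IOS code: a simplified model, so the exact IOS timing
rules are not reproduced; all addresses and thresholds are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class LoginGuard:
    block_for: int                              # quiet period length, seconds
    attempts: int                               # failures that trigger quiet mode
    within: int                                 # window in which failures are counted
    delay: int = 1                              # minimum seconds between attempts
    exempt: list = field(default_factory=list)  # quiet-mode access-class networks
    # IOS counts failures device-wide, not per source: one attacker can push
    # the device into quiet mode, which is why the exemption ACL exists.
    failures: list = field(default_factory=list)
    quiet_until: float = 0.0
    last_attempt: float = float("-inf")
    events: list = field(default_factory=list)

    def is_exempt(self, src: str) -> bool:
        return any(ip_address(src) in net for net in self.exempt)

    def attempt(self, src: str, creds_ok: bool, now: float) -> str:
        """Return 'allowed', 'denied', 'quiet' (refused during quiet mode)
        or 'delayed' (refused because of login delay)."""
        if now < self.quiet_until and not self.is_exempt(src):
            return "quiet"
        if now - self.last_attempt < self.delay:
            return "delayed"
        self.last_attempt = now
        if creds_ok:
            return "allowed"
        # drop failures that fell out of the sliding window, then count
        self.failures = [t for t in self.failures if now - t < self.within] + [now]
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
            self.events.append(
                f"t={now:g} quiet mode on for {self.block_for}s (last source {src})")
        return "denied"


def brute_force_scenario() -> list:
    """login block-for 120 attempts 3 within 60, exempting 10.0.0.0/24."""
    g = LoginGuard(block_for=120, attempts=3, within=60, delay=0,
                   exempt=[ip_network("10.0.0.0/24")])  # constructed values
    return [
        g.attempt("203.0.113.5", False, 0),    # denied
        g.attempt("203.0.113.5", False, 10),   # denied
        g.attempt("203.0.113.5", False, 20),   # denied: quiet mode until t=140
        g.attempt("203.0.113.5", True, 30),    # quiet: correct password, still refused
        g.attempt("10.0.0.9", True, 30),       # allowed: host in the exemption ACL
        g.attempt("203.0.113.5", True, 141),   # allowed: quiet period over
    ]


if __name__ == "__main__":
    print(brute_force_scenario())
```

The model makes the trade-off visible: the exemption ACL is what keeps an attacker from locking administrators out of the device while it is in quiet mode.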

17
Q

What are the 3 A’s of AAA?

A

Authentication – who are you?
Authorisation – what are you allowed to do?
Accounting – what did you do?

18
Q

RADIUS and TACACS+ are __ protocols.

A

AAA

19
Q

Both RADIUS and TACACS+ use the __ model.

A

client-server

20
Q

What is the AAA process when using TACACS+ or RADIUS?

A
  1. A user or machine sends a request to a client, also called a Network Access Server (NAS). Typically this is a router, switch, firewall or AP.
  2. The client then communicates with the AAA server by exchanging RADIUS or TACACS+ messages.
  3. If authentication succeeds, the user is granted access to a protected resource such as a device CLI, the network, and so on.
21
Q

What are the features of RADIUS?

A
  • Transport protocol = UDP ports 1812 (authentication) / 1813 (accounting); legacy 1645/1646
  • AAA support - Combines authentication and authorisations and separates accounting
  • Challenge response - One-way, unidirectional, with a single challenge response
  • Security - Encrypts only password in packet
  • Type – network access
22
Q

What are the features of TACACS+?

A
  • Cisco proprietary
  • Transport protocol = TCP port 49
  • AAA support – uses AAA model and separates 3 services
  • Challenge response – Two way, bidirectional, with multiple challenge responses
  • Security - Encrypts entire packet body
  • Type – device administration
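The "encrypts only the password" versus "encrypts the entire packet body" rows are the security-relevant difference between the two cards above. The following is an added example, not from the flashcards or from any vendor code: it implements RADIUS User-Password hiding (RFC 2865 section 5.2) and TACACS+ body encryption (RFC 8907 section 4.5) and builds one constructed request of each kind, so you can check what a packet capture would expose. The shared secrets, authenticator and session ID are constructed values.

```python
"""RADIUS hides only the User-Password attribute; TACACS+ encrypts the whole
packet body.  Added example, not from the flashcards or any vendor code:
RFC 2865 s5.2 and RFC 8907 s4.5 applied to constructed packet fields.
"""
import hashlib
import struct


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """c1 = p1 XOR MD5(S + RA), c_n = p_n XOR MD5(S + c_{n-1}); zero-padded to 16."""
    if len(authenticator) != 16 or not 1 <= len(password) <= 128:
        raise ValueError("bad authenticator or password length")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        c = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + c, c
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Anyone holding the shared secret (or who brute-forces it offline from a
    capture) reverses the hiding; the Request Authenticator travels in clear."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        out, prev = out + _xor(c, hashlib.md5(secret + prev).digest()), c
    return out.rstrip(b"\x00")


def radius_access_request_attrs(user: bytes, password: bytes,
                                secret: bytes, authenticator: bytes) -> bytes:
    """Attribute TLVs as sent on the wire: User-Name (1) is clear text,
    User-Password (2) is the only hidden field."""
    hidden = radius_hide_password(password, secret, authenticator)
    return (struct.pack("BB", 1, 2 + len(user)) + user
            + struct.pack("BB", 2, 2 + len(hidden)) + hidden)


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int,
                      seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n = MD5(..., MD5_{n-1})."""
    head = struct.pack("!I", session_id) + key + struct.pack("BB", version, seq_no)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(head + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_crypt(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo pad; the same call encrypts and decrypts."""
    return _xor(body, tacacs_pseudo_pad(session_id, key, version, seq_no, len(body)))


def tacacs_authen_start_body(user: bytes, password: bytes) -> bytes:
    """Authentication START body (RFC 8907 s5.1): action LOGIN, priv_lvl 1,
    authen_type PAP, service LOGIN, then the four field lengths and fields."""
    port, rem_addr = b"tty0", b"192.0.2.10"                  # constructed values
    fixed = struct.pack("BBBB", 1, 1, 2, 1)
    lens = struct.pack("BBBB", len(user), len(port), len(rem_addr), len(password))
    return fixed + lens + user + port + rem_addr + password


def demo() -> dict:
    """What a passive sniffer sees in one request of each protocol."""
    secret, auth = b"SecretRAD", bytes(range(16))             # constructed
    rad = radius_access_request_attrs(b"alice", b"P@ssw0rd", secret, auth)
    body = tacacs_authen_start_body(b"alice", b"P@ssw0rd")
    tac = tacacs_crypt(body, 0x1234ABCD, b"SecretTAC", 0xC0, 1)  # v12.0, seq 1
    return {"radius_username_visible": b"alice" in rad,
            "radius_password_visible": b"P@ssw0rd" in rad,
            "tacacs_username_visible": b"alice" in tac,
            "tacacs_password_visible": b"P@ssw0rd" in tac}


if __name__ == "__main__":
    print(demo())
```

Note that both schemes are keyed MD5 constructions, so the shared secret is the only thing protecting the capture: a long, unique key per device, and TACACS+ over a management VLAN or IPsec, is the usual mitigation.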
23
Q

Which command enables AAA services?

A

aaa new-model

24
Q

Which command configures a local username?

A

username admin secret adminpass

25
Q

Which command specifies local AAA only?

A

aaa authentication login default local

26
Q

Which command uses local AAA as a fallback?

A

aaa authentication login default group radius local

27
Q

Until the ___ command is entered, all other AAA commands are hidden.

A

aaa new-model

28
Q

How do you configure RADIUS for console and VTY access?

A

Configure the radius server:
Router(config)# radius server RADSRV
Router(config-radius-server)# address ipv4 10.255.255.101 auth-port 1812 acct-port 1813
Router(config-radius-server)# key SecretRAD

Associate radius server with a server group:
Router(config)# aaa group server radius RADSRVGROUP
Router(config-sg-radius)# server name RADSRV

Configure aaa authentication login to use a server group with a fallback to local:
Router(config)# aaa authentication login SRVAUTH group RADSRVGROUP local

Configure the named method list to the console:
Router(config)# line con 0
Router(config-line)# login authentication SRVAUTH

Configure the named method list to the vty 0 4 lines:
Router(config)# line vty 0 4
Router(config-line)# login authentication SRVAUTH

29
Q

How do you configure TACACS+ for console and VTY access?

A

Configure the TACACS+ server:
Router(config)# tacacs server TACSRV
Router(config-server-tacacs)# address ipv4 10.255.255.102
Router(config-server-tacacs)# key SecretTAC

Associate the TACACS+ server with a server group:
Router(config)# aaa group server tacacs+ TACSRVGROUP
Router(config-sg-tacacs+)# server name TACSRV

Configure aaa authentication login to use the server group with a fallback to local:
Router(config)# aaa authentication login default group TACSRVGROUP local

The default method list applies automatically to every line (console and vty) that has no named list assigned with login authentication.

30
Q

Once AAA is enabled on a Cisco IOS device and the aaa authentication command is configured, you can optionally configure the dependent AAA functions aaa __ and aaa __.

A

authorization, accounting

31
Q

How do you configure AAA authorisation?

A

Configure AAA authorisation using a named method list with a server group and fallback to local authentication:
Router(config)# aaa authorization exec MYTACAUTH group TACSRVGROUP local if-authenticated
Router(config)# aaa authorization commands 15 MYTACAUTH group TACSRVGROUP local
Router(config)# aaa authorization config-commands

Configure authorisation using a named method applied to the vty lines:
Router(config)# line vty 0 4
Router(config-line)# authorization exec MYTACAUTH
Router(config-line)# authorization commands 15 MYTACAUTH

32
Q

After a user is authenticated, the device allows access to certain services or commands based on the user's privilege level. Authenticated users are placed at the __ level by default.

A

user EXEC (privilege level 1)

33
Q

Authorisation is not applied to the console unless the ___ command is present in the configuration. By default the command is not present.

A

aaa authorization console

34
Q

How do you configure AAA accounting?

A

Configure AAA accounting using a named method list with a server group:
Router(config)# aaa accounting exec MYTACACC start-stop group TACSRVGROUP
Router(config)# aaa accounting commands 15 MYTACACC start-stop group TACSRVGROUP

Configure accounting using a named method applied to the VTY lines:
Router(config)# line vty 0 4
Router(config-line)# accounting exec MYTACACC
Router(config-line)# accounting commands 15 MYTACACC

35
Q

The function triggering the accounting can be one of the following keywords:

A
  • System – major router events such as a reload
  • Exec – user authentication into an EXEC session is recorded
  • commands <level> – information about any command run at the specified privilege level is recorded
36
Q

You can specify which accounting records are sent to the accounting server using the following keywords:

A
  • Start-stop – events are recorded when they start and stop
  • Stop-only - events are recorded only when they stop
  • None – no events are recorded.