802.1x for Wired and Wireless Flashcards

1
Q

Supplicant

A

Endpoint 802.1X-compliant software service (the client side). It communicates with the NAD (network access device) authenticator over EAPOL on the access port or SSID to request network access.

2
Q

Authenticator

A

Controls access to the network based on the client's authentication status. The objective is for the endpoint to authenticate to the authentication server using an Extensible Authentication Protocol (EAP) method. The NAD authenticator (switch or WLC) acts as an intermediary between the client and the authentication server: it relays EAP between the supplicant (EAPOL on the wire or air) and the server (EAP carried inside RADIUS).

3
Q

Authentication server

A

This role performs client authentication. The authentication server (a RADIUS server such as Cisco ISE) validates the client's identity and notifies the NAD authenticator of the client's authorization status, along with any authorization attributes, in a RADIUS Access-Accept or Access-Reject.

4
Q

The authorization features include

A

VLAN assignment
ACL assignment (named or downloadable)
Time-based access
Security group access (Cisco TrustSec security group tag)

5
Q

Dynamic VLAN

A

After successful 802.1X/EAP authentication, the user can be authorized onto a specific VLAN. This dynamic VLAN is configured on the Cisco ISE RADIUS service and communicated in the RADIUS Access-Accept message (the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes). A VLAN can also be assigned locally on the switch as a fallback when authentication fails (authentication-failed VLAN) or when no supplicant responds (guest VLAN).

6
Q

Default VLAN

A

The default VLAN is the one configured statically on a wired switch port (switchport access vlan) or for a wireless service set identifier (SSID). It is used when the authorization result carries no VLAN.

7
Q

802.1X Named ACLs

A

Named ACLs provide differentiated access for wireless users. They are configured locally on the WLC, and the RADIUS authorization result only carries the ACL name (the Airespace-ACL-Name attribute) for the WLC to apply to the client session.

8
Q

802.1X Downloadable ACLs

A

Downloadable ACLs (dACLs) can provide different levels of access to 802.1X-authenticated users. The RADIUS server authenticates the 802.1X-connected user and, based on the user's identity, retrieves the ACL entries and sends them to the switch as cisco-av-pair attributes (ip:inacl#N=...). The switch applies the ACL to the 802.1X port for the duration of the user session. Because the "any" source in each entry is rewritten to the client's IP address, the switch needs IP device tracking enabled for dACLs to work.

9
Q

What is the difference between Named ACLs and Downloadable ACLs?

A
  1. Named ACLs are for wireless users (applied by the WLC), while downloadable ACLs are for wired users (applied by the switch).
  2. dACLs are configured on Cisco ISE and pushed down to the switch during the authentication/authorization process.
    Named ACLs are configured locally on the WLC; the Cisco ISE authorization policy merely references the ACL by name.
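The three authorization results on the preceding cards (dynamic VLAN, downloadable ACL, WLC named ACL) all ride in RADIUS Access-Accept attributes. The following is an added example, not ISE or switch code: it encodes those attributes the way a RADIUS server would, computes and verifies the Response Authenticator the NAD must check before honouring any of them, and decodes the result back into what the port would enforce. The request authenticator, shared secret, VLAN, ACL entries and ACL name are constructed values, not captured traffic.

```python
"""Build and decode the RADIUS Access-Accept attributes behind the 802.1X
authorization results on this page: a dynamic VLAN (Tunnel-* attributes),
a downloadable ACL (Cisco-AVPair ip:inacl#N entries) and a WLC named ACL
(Airespace-ACL-Name). Added example, not ISE or switch code; the packet,
the request authenticator and the shared secret are constructed here."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VENDOR_SPECIFIC = 26
CISCO_VENDOR, CISCO_AVPAIR = 9, 1            # cisco-av-pair
AIRESPACE_VENDOR, AIRESPACE_ACL_NAME = 14179, 6
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6  # RFC 3580 values


def avp(attr_type: int, value: bytes) -> bytes:
    """Plain AVP: Type (1 byte), Length (1 byte, header included), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa(vendor: int, sub_type: int, value: bytes) -> bytes:
    """Vendor-Specific attribute (RFC 2865 5.26): Vendor-Id + one sub-attribute."""
    inner = struct.pack("!BB", sub_type, len(value) + 2) + value
    return avp(VENDOR_SPECIFIC, struct.pack("!I", vendor) + inner)


def vlan_attributes(vlan: str, tag: int = 1) -> bytes:
    """Dynamic VLAN: the three tunnel attributes, all carrying the same tag byte."""
    return (avp(TUNNEL_TYPE, struct.pack("!I", (tag << 24) | TUNNEL_TYPE_VLAN))
            + avp(TUNNEL_MEDIUM_TYPE, struct.pack("!I", (tag << 24) | TUNNEL_MEDIUM_802))
            + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan.encode()))


def dacl_attributes(aces: list) -> bytes:
    """Downloadable ACL: one cisco-av-pair per ACE, numbered from 1, in order."""
    return b"".join(vsa(CISCO_VENDOR, CISCO_AVPAIR, f"ip:inacl#{i}={ace}".encode())
                    for i, ace in enumerate(aces, 1))


def airespace_acl(name: str) -> bytes:
    """WLC named ACL: only the name travels; the ACEs live on the WLC."""
    return vsa(AIRESPACE_VENDOR, AIRESPACE_ACL_NAME, name.encode())


def access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Header + Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(pkt: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the NAD must check before honouring any of these attributes."""
    header, resp_auth, attrs = pkt[:4], pkt[4:20], pkt[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def decode_authorization(pkt: bytes) -> dict:
    """Walk the AVPs and return what the NAD would enforce for this session."""
    result = {"vlan": None, "dacl": [], "airespace_acl": None}
    pos, end = 20, struct.unpack("!H", pkt[2:4])[0]
    while pos < end:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > end:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = pkt[pos + 2:pos + alen]
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            if value and value[0] <= 0x1F:        # leading byte is a tag, not text
                value = value[1:]
            result["vlan"] = value.decode()
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            sub_type, sub_len = value[4], value[5]
            sub_val = value[6:4 + sub_len]
            if vendor == CISCO_VENDOR and sub_type == CISCO_AVPAIR:
                text = sub_val.decode()
                if text.startswith("ip:inacl#"):
                    result["dacl"].append(text.split("=", 1)[1])
            elif vendor == AIRESPACE_VENDOR and sub_type == AIRESPACE_ACL_NAME:
                result["airespace_acl"] = sub_val.decode()
        pos += alen
    return result


def demo() -> tuple:
    """Constructed exchange: the values below are assumptions, not a capture."""
    request_auth = bytes(range(16))          # would come from the Access-Request
    secret = b"radius-shared-secret"
    attrs = (vlan_attributes("20")
             + dacl_attributes(["permit udp any any eq 53",
                                "permit tcp any host 10.1.1.10 eq 443",
                                "deny ip any any"])
             + airespace_acl("CONTRACTOR-ACL"))
    pkt = access_accept(7, request_auth, secret, attrs)
    return pkt, decode_authorization(pkt), verify_response(pkt, request_auth, secret)


if __name__ == "__main__":
    packet, authz, ok = demo()
    print(len(packet), "bytes, authenticator ok:", ok, authz)
```

Two practical notes. First, the inline ip:inacl# form is the per-user ACL the switch ultimately applies; ISE itself normally returns a reference (a CiscoSecure-Defined-ACL name) and the switch fetches the entries in a follow-up Access-Request, so a capture of an ISE deployment shows two exchanges rather than one. Second, the Response Authenticator is an MD5 over the shared secret, which is why the secret's strength and the RADIUS transport (or RadSec) matter: anyone who can forge an Access-Accept with valid tunnel attributes chooses the VLAN.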
10
Q

Monitor Mode

A
  1. 802.1X deployment without any effect on user or endpoint access: authentication still runs on every port, but a failed or missing authentication does not block traffic
  2. AAA RADIUS accounting and the authentication logs provide visibility into 802.1X operation, so endpoints that would fail can be found before enforcement is turned on
11
Q

Monitor mode is configured with

A

the "authentication open" and "authentication host-mode multi-auth" interface commands (together with "authentication port-control auto", without which no authentication is attempted at all)

12
Q

Low-impact mode

A
  1. An ingress (pre-authentication) ACL applied to a port configured in open mode
  2. The ACL allows only basic connectivity for the unauthenticated host (typically DHCP and DNS); after a successful authentication a dACL widens access per user. Low-impact mode lets you increase security incrementally
13
Q

Closed Mode

A
  1. The default behavior and the traditional 802.1X method: the port passes only EAPOL until the session is authorized, so an unauthenticated host gets no access at all

2. Dynamic VLAN or dACL assignment for differentiated access once the host is authorized
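The three deployment modes on the preceding cards differ by only a couple of interface commands. The fragment below is an added example in the legacy (pre-IBNS 2.0) IOS syntax the cards themselves use, not configuration from the original page: one port per mode, so the differences can be read side by side. The RADIUS server address, shared secret, interface names, VLAN numbers and ACL name are assumptions.

```text
! Global prerequisites shared by all three modes (ISE address, secret and VLANs assumed)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
ip device tracking
radius server ISE-PSN1
 address ipv4 10.0.0.5 auth-port 1812 acct-port 1813
 key <shared-secret>
!
! Used only by low-impact mode: what an unauthenticated host may do
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit icmp any any
 deny ip any any
!
! Monitor mode: authentication runs, but "authentication open" means the
! result never blocks traffic. Only the RADIUS accounting and logs show failures.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication open
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! Low-impact mode: the same open port plus the pre-auth ACL. A dACL in the
! Access-Accept then widens access per user ("ip device tracking" above is needed).
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 ip access-group ACL-DEFAULT in
 authentication open
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! Closed (high-security) mode: no "authentication open", so only EAPOL passes
! before authorization. Fallback VLANs cover failures and supplicant-less hosts.
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action authorize vlan 999
 authentication event no-response action authorize vlan 999
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

The usual rollout is to move a port from the first stanza to the second and then the third, changing only the lines that differ, after the accounting data from monitor mode shows which endpoints still fail. The fallback VLAN in closed mode deserves its own scrutiny: whatever VLAN 999 reaches is what an attacker with no credentials reaches.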

14
Q

High-security mode

A

Allows only EAPOL traffic through the port until the authentication process completes. This is the default behavior of an 802.1X-enabled switch port and is another name for closed mode.

15
Q

Single Host Mode

A

In single-host mode, only one client can be connected to the 802.1X-enabled port. When the port state changes to "up", the switch detects the client and sends an EAP-Request/Identity in an EAPOL frame. If a second MAC address appears on the port, the switch treats it as a security violation.

16
Q

Multiple Host Mode

A

In multiple-host mode, you can attach multiple hosts to a single 802.1X-enabled port. In this mode only the first client that attaches must be authorized; all subsequent clients are granted network access based on that one authentication. If the port becomes unauthorized, the authenticator denies network access to all attached clients.

17
Q

Multiple Domain Authentication Mode

A

Multidomain authentication mode allows an IP phone, and a single host behind the IP phone, to authenticate independently via 802.1X, MAB, or web-based authentication. Here multidomain refers to two domains, the data VLAN and the voice VLAN. Only one MAC address is allowed per domain; a second MAC in either domain is a security violation.

18
Q

Multiple Authentication Mode

A

Multiple authentication mode allows one 802.1X or MAB client on the voice VLAN. It also allows multiple authenticated 802.1X, MAB, or web-authentication clients on the data VLAN. When a hub or access point is connected to an 802.1X port, multi-auth mode provides stronger security than multi-host mode by requiring authentication of each connected client.
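Cards 15 through 18 describe four admission rules for MAC addresses on one port. The following is an added example, not switch code: a small model of those rules that takes a sequence of clients (MAC, domain, RADIUS outcome) and reports which are admitted, which trip a violation, and who loses access when a session ends. The MAC addresses and outcomes are constructed, and the model deliberately ignores the timers, reauthentication and violation actions (shutdown, restrict, protect) of a real switch.

```python
"""Model of which MAC addresses an 802.1X port admits under the four Cisco
host modes (single-host, multi-host, multi-domain, multi-auth). Added example,
not switch code; the MAC addresses and RADIUS outcomes are constructed."""
from dataclasses import dataclass, field

DATA, VOICE = "data", "voice"


@dataclass
class Port:
    host_mode: str
    authorized: dict = field(default_factory=dict)   # mac -> domain
    violations: list = field(default_factory=list)   # MACs that tripped a violation

    def session(self, mac: str, domain: str, auth_ok: bool) -> bool:
        """One client appears on the port. `auth_ok` is the RADIUS result for this
        MAC (802.1X or MAB). Returns whether the MAC may now pass traffic."""
        if mac in self.authorized:
            return True
        if self.host_mode == "single-host":
            if self.authorized:                      # second MAC: security violation
                return self._violation(mac)
            return self._admit(mac, domain, auth_ok)
        if self.host_mode == "multi-host":
            if self.authorized:                      # rides on the first client's session
                self.authorized[mac] = domain
                return True
            return self._admit(mac, domain, auth_ok)
        if self.host_mode == "multi-domain":
            if domain in self.authorized.values():   # one MAC per domain
                return self._violation(mac)
            return self._admit(mac, domain, auth_ok)
        if self.host_mode == "multi-auth":
            if domain == VOICE and VOICE in self.authorized.values():
                return self._violation(mac)          # still only one voice device
            return self._admit(mac, domain, auth_ok)  # every data MAC authenticates
        raise ValueError(f"unknown host mode {self.host_mode}")

    def deauthorize(self, mac: str) -> list:
        """Session ends (logoff, reauth failure). Returns every MAC that lost access."""
        if mac not in self.authorized:
            return []
        if self.host_mode == "multi-host":           # one session carried everyone
            lost = list(self.authorized)
            self.authorized.clear()
            return lost
        del self.authorized[mac]
        return [mac]

    def _admit(self, mac, domain, auth_ok):
        if auth_ok:
            self.authorized[mac] = domain
        return auth_ok

    def _violation(self, mac):
        self.violations.append(mac)
        return False


def demo() -> dict:
    """Constructed clients: one phone, three PCs, a second phone (not captured data)."""
    phone, pc1, pc2, pc3, phone2 = ("00:11:22:33:44:%02x" % i for i in range(1, 6))
    out = {}
    p = Port("single-host")
    out["single-host"] = (p.session(pc1, DATA, True), p.session(pc2, DATA, True))
    p = Port("multi-host")
    out["multi-host"] = (p.session(pc1, DATA, True), p.session(pc2, DATA, False),
                         p.deauthorize(pc1))
    p = Port("multi-domain")
    out["multi-domain"] = (p.session(phone, VOICE, True), p.session(pc1, DATA, True),
                           p.session(pc2, DATA, True))
    p = Port("multi-auth")
    out["multi-auth"] = (p.session(phone, VOICE, True), p.session(pc1, DATA, True),
                         p.session(pc2, DATA, True), p.session(pc3, DATA, False),
                         p.session(phone2, VOICE, True))
    return out


if __name__ == "__main__":
    for mode, result in demo().items():
        print(f"{mode:13} {result}")
```

The multi-host result is the one worth dwelling on: pc2 is admitted with a failed authentication because pc1's session covers it, and pulling pc1 takes pc2 down with it. That is exactly the behaviour that makes multi-auth the safer choice behind a hub or access point, as the card above says.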

19
Q

802.1x implementation Guidelines

A
  1. 802.1X is supported on Layer 2 wired access ports and on wireless SSIDs
  2. 802.1X is not supported on dynamic (VMPS dynamic-access) ports or EtherChannel ports