AAA Flashcards

1
Q

The login method is configured on the VTY lines of a router with these parameters:
* The first method for authentication is TACACS
* If TACACS is unavailable, login is allowed without any provided credentials
Which configuration accomplishes this task?

A

Here are some helping thoughts.

aaa new-model overrides the previous (pre-AAA) login configuration.

aaa authentication login <name> group <radius> <fallback>

DO NOT be confused by VTY or TELNET in the AAA authentication list name: it is just a name, and the methods are listed to the right of it.

The requirements are TACACS and NO PASSWORD, so always check that the NO PASSWORD = NONE keyword is at the end of the line.

Next is the question about LOGIN.

To LOGIN only, you don't need LINE VTY LOGIN AUTHENTICATION LOCAL or PASSWORD XYZ, as these would only be required if you wanted to elevate your default privilege level from 1 to a higher number (in this case 15).

2
Q

A network administrator applies the following configuration to an IOS device:

aaa new-model
aaa authentication login default local group tacacs+

What is the process of password checks when a login attempt is made to the device?

A. A TACACS+ server is checked first. If that check fails, a local database is checked.
B. A TACACS+ server is checked first. If that check fails, a RADIUS server is checked. If that check fails, a local database is checked.
C. A local database is checked first. If that check fails, a TACACS+ server is checked. If that check fails, a RADIUS server is checked.
D. A local database is checked first. If that check fails, a TACACS+ server is checked.

A

D. A local database is checked first. If that check fails, a TACACS+ server is checked.

Explanation: The “aaa authentication login default local group tacacs+” command is broken down as follows:

+ The ‘aaa authentication’ part is simply saying we want to configure authentication settings.
+ The ‘login’ is stating that we want to prompt for a username/ password when a connection is made to the device.
+ The ‘default’ means we want to apply for all login connections (such as tty, vty, console and aux). If we use this keyword, we don’t need to configure anything else under tty, vty and aux lines. If we don’t use this keyword then we have to specify which line(s) we want to apply the authentication feature.
+ The ‘local group tacacs+’ means all users are authenticated using the router’s local database (the first method). If the credentials are not found in the local database, then the TACACS+ server is used (the second method).

3
Q

Refer to the exhibit. An engineer must create a configuration that executes the show run command and then terminates the session when user CCNP logs in.
Which configuration change is required?

A. Add the access-class keyword to the username command.
B. Add the autocommand keyword to the aaa authentication command.
C. Add the access-class keyword to the aaa authentication command.
D. Add the autocommand keyword to the username command.

A

D. Add the autocommand keyword to the username command.

4
Q

DRAG DROP -
An engineer creates the configuration below. Drag and drop the authentication methods from the left into the order of priority on the right. Not all options are used.

R1#sh run | i aaa
aaa new-model
aaa authentication login default group ACE group AAA_RADIUS local-case
aaa session-id common
R1#
Select and Place:

A

priority 1: AAA servers of ACE group
priority 2: AAA servers of AAA_RADIUS group
priority 3: local configured username in case-sensitive format
priority 4: If no method works, then deny login

5
Q

Refer to the exhibit. An engineer has configured Cisco ISE to assign VLANs to clients based on their method of authentication, but this is not working as expected.

Which action will resolve this issue?

A. enable AAA override
B. set a NAC state
C. utilize RADIUS profiling
D. require a DHCP address assignment

A

A. enable AAA override

The Enable AAA Override and Cisco Identity Services Engine (ISE) VLAN-assignment features are often used together.

Enable AAA Override is a feature that allows the authentication, authorization, and accounting (AAA) server to override the VLAN assignment of a user’s device. This allows the AAA server, such as Cisco ISE, to assign a specific VLAN to a user’s device based on the user’s credentials and the policies configured on the AAA server.

6
Q

Which configuration allows administrators to configure the device through the console port and use a network authentication server?

A.

aaa new-model
aaa authentication login default local
aaa authorization console
aaa authorization config-commands
username netadmin secret 9 $9$vFpMf8elb4RVV8$seZ/bDAx1uV

B.

aaa new-model
aaa authentication login default local
aaa authorization console
aaa authorization config-commands

C.

aaa new-model
aaa authentication login default line

D.

aaa new-model
aaa authentication login default group radius
aaa authorization console
aaa authorization config-commands

A

D.

aaa new-model
aaa authentication login default group radius
aaa authorization console
aaa authorization config-commands

Weird possible answers…

By process of elimination only D is possible, because it is the only answer that uses the AAA servers.

7
Q

Refer to the exhibit. The network administrator must be able to perform configuration changes when all the RADIUS servers are unreachable. Which configuration allows all commands to be authorized if the user has successfully authenticated?

A. aaa authentication login default group radius local none
B. aaa authorization exec default group radius
C. aaa authorization exec default group radius if-authenticated
D. aaa authorization exec default group radius none

A

C. aaa authorization exec default group radius if-authenticated

8
Q

Refer to the exhibit. A network engineer must configure the router to use the ISE-Servers group for authentication. If both ISE servers are unavailable, the local username database must be used. If no usernames are defined in the configuration, then the enable password must be the last resort to log in. Which configuration must be applied to achieve this result?

A. aaa authorization exec default group ISE-Servers local enable
B. aaa authentication login error-enable aaa authentication login default group enable local ISE-Servers
C. aaa authentication login default group ISE-Servers local enable
D. aaa authentication login default group enable local ISE-Servers

A

C. aaa authentication login default group ISE-Servers local enable

The authentication order is ISE servers, then local login, then the enable password.

9
Q

AAA authorization

A
10
Q

Refer to the exhibit.

Which configuration enables fallback to local authentication and authorization when no TACACS+ server is available?

A.
Router(config)# aaa fallback local

B.
Router(config)# aaa authentication login FALLBACK local
Router(config)# aaa authorization exec FALLBACK local

C.
Router(config)# aaa authentication login default local
Router(config)# aaa authorization exec default local

D.
Router(config)# aaa authentication login default group tacacs+ local
Router(config)# aaa authorization exec default group tacacs+ local

A

D.
Router(config)# aaa authentication login default group tacacs+ local
Router(config)# aaa authorization exec default group tacacs+ local

11
Q

An engineer must configure an EXEC authorization list that first checks a AAA server then a local username. If both methods fail, the user is denied. Which configuration should be applied?

A. aaa authorization exec default local group radius none
B. aaa authorization exec default group radius local none
C. aaa authorization exec default group radius local
D. aaa authorization exec default local group tacacs+

A

C. aaa authorization exec default group radius local
__

A. aaa authorization exec default local group radius none
- WRONG, because it checks local first
B. aaa authorization exec default group radius local none
- WRONG, it checks everything in the correct order, but “none” doesn't require any
C. aaa authorization exec default group radius local
- CORRECT, the only option with the correct order that allows only what we want
D. aaa authorization exec default local group tacacs+
- WRONG, for the same reason as A

12
Q

An engineer must implement a configuration to allow a network administrator to connect to the console port of a router and authenticate over the network. Which command set should the engineer use?

A. aaa new-model
aaa authentication login console local
B. aaa new-model
aaa authentication login console group radius
C. aaa new-model
aaa authentication login default enable
D. aaa new-model
aaa authentication enable default

A

B. aaa new-model
aaa authentication login console group radius

A is wrong because it does not use an external server.
C is wrong because it uses the (default) keyword.
D is wrong because it uses the (default) keyword and does not use an external server.

"Connect to the console port" means just the console; the default keyword is wrong because it applies to all lines (vty, aux, console).

"Authenticate over the network" means use an external server (TACACS+, RADIUS).

13
Q

Refer to the exhibit. A network engineer must permit administrators to automatically authenticate if there is no response from either of the AAA servers. Which configuration achieves these results?

A. aaa authentication enable default group radius local
B. aaa authentication login default group radius
C. aaa authentication login default group tacacs+ line
D. aaa authentication login default group radius none

A

D. aaa authentication login default group radius none

The “aaa authentication login default none” command gives access to the router via console / VTY / AUX without authentication.
“default” means —> console/vty/aux
“none” means —> no authentication
The ‘none’ keyword lets any user logging in authenticate successfully, so it should be used only as a backup method of authentication.

14
Q

An engineer must configure router R1 to validate user logins via RADIUS and fall back to the local user database if the RADIUS server is not available. Which configuration must be applied?

A. aaa authentication exec default radius local
B. aaa authentication exec default radius
C. aaa authorization exec default radius local
D. aaa authorization exec default radius

A

A. aaa authentication exec default radius local

Community vote distribution
A (52%)
C (48%)

15
Q

An engineer must configure AAA on a Cisco 9800 WLC for central web authentication. Which two commands are needed to accomplish this task? (Choose two.)

A. Device(config)# aaa server radius dynamic-author
B. (Cisco Controller) > config wlan aaa-override disable < wlan-id >
C. (Cisco Controller) > config radius acct add 10.10.10.12 1812 SECRET
D. Device(config-locsvr-da-radius)# client 10.10.10.12 server-key 0 SECRET
E. (Cisco Controller) > config wlan aaa-override enable < wlan-id >

A

A. Device(config)# aaa server radius dynamic-author
D. Device(config-locsvr-da-radius)# client 10.10.10.12 server-key 0 SECRET

16
Q

An engineer must configure a router to allow users to run specific configuration commands by validating the user against the router database. Which configuration must be applied?

A. aaa authentication network default local
B. aaa authorization network default local
C. aaa authentication exec default local
D. aaa authorization exec default local

A

D. aaa authorization exec default local

17
Q

What is the effect of this configuration?

A. The device will allow users at 192.168.0.202 to connect to vty lines 0 through 4 using the password ciscotestkey.
B. The device will authenticate all users connecting to vty lines 0 through 4 against TACACS+.
C. The device will allow only users at 192.168.0.202 to connect to vty lines 0 through 4.
D. When users attempt to connect to vty lines 0 through 4, the device will authenticate them against TACACS+ if local authentication fails.

A

B. The device will authenticate all users connecting to vty lines 0 through 4 against TACACS+.

___
When login is indicated in the aaa authentication method, any passwords in the VTY will be ignored. So this removes A from the equation.

C is wrong because it says only users at 192.168.0.202. That implies they are attempting to telnet/ssh from that server, that IP is an authentication server for TACACS+ not a source connection.

D is wrong because only TACACS+ is listed in the AAA string. There is no fallback method.

B is correct because all users are forced to authenticate against TACACS+ only.

18
Q

A network engineer must configure a password expiry mechanism on the gateway router for all local passwords to expire after 60 days. What is required to complete this task?

A. Add the username admin privilege 15 common-criteria-policy Administrators password 0 Cisco13579! command.
B. The password expiry mechanism is on the AAA server and must be configured there.
C. Add the aaa authentication enable default Administrators command.
D. No further action is required. The configuration is complete.

A

A. Add the username admin privilege 15 common-criteria-policy Administrators password 0 Cisco13579! command.

The policy is created but not applied; it needs to be applied using the following:
username username common-criteria-policy policy-name password password
So the provided answer is correct.

19
Q

A customer wants to use a single SSID to authenticate IoT devices using different passwords. Which Layer 2 security type must be configured in conjunction with
Cisco ISE to achieve this requirement?

A. Central Web Authentication
B. Cisco Centralized Key Management
C. Identity PSK
D. Fast Transition

A

C. Identity PSK

With the advent of the Internet of Things, the number of devices that connect to the Internet has increased manifold. Not all of these devices support an 802.1X supplicant, and they need an alternate mechanism to connect to the network. One security mechanism, WPA-PSK, could be considered as an alternative. With the current configuration, the pre-shared key is the same for all clients that connect to the same WLAN. In certain deployments, such as educational institutions, this results in the key being shared with unauthorized users, resulting in a security breach. Therefore, the above-mentioned and other requirements lead to the need for provisioning unique pre-shared keys for different clients on a large scale.

Identity PSKs are unique pre-shared keys created for individuals or groups of users on the same SSID.

No complex configuration is required for clients: it has the same simplicity as PSK, making it ideal for IoT, BYOD, and guest deployments.

Supported on most devices where 802.1X may not be, enabling stronger security for IoT.

Access can easily be revoked for a single device or individual without affecting everyone else.

Thousands of keys can easily be managed and distributed via the AAA server.

20
Q

Remote users cannot access the Internet but can upload files to the storage server. Which configuration must be applied to allow Internet access?

A.
ciscoasa(config)# access-list MAIL_AUTH extended permit udp any any eq http
ciscoasa(config)# aaa authentication listener http outside redirect

B.
ciscoasa(config)# access-list MAIL_AUTH extended permit tcp any any eq www
ciscoasa(config)# aaa authentication listener http inside redirect

C.
ciscoasa(config)# access-list MAIL_AUTH extended permit tcp any any eq http
ciscoasa(config)# aaa authentication listener http inside port 43

D.
ciscoasa(config)# access-list HTTP_AUTH extended permit udp any any eq http
ciscoasa(config)# aaa authentication listener http outside port 43

A

B.
ciscoasa(config)# access-list MAIL_AUTH extended permit tcp any any eq www
ciscoasa(config)# aaa authentication listener http inside redirect

21
Q

Refer to the exhibit. An engineer must deny HTTP traffic from host A to host B while allowing all other communication between the hosts. Which command set accomplishes this task?

A.
SW1(config)# mac access-list extended HOST-A-B
SW1(config-ext-macl)# permit host aaaa.bbbb.cccc aaaa.bbbb.dddd

SW1(config)# ip access-list extended DENY-HTTP
SW1(config-ext-nacl)# deny tcp host 10.1.1.10 host 10.1.1.20 eq www

SW1(config)# vlan access-map DROP-MAC 10
SW1(config-access-map)# match mac address HOST-A-B
SW1(config-access-map)# action drop
SW1(config)# vlan access-map HOST-A-B 20
SW1(config-access-map)# match ip address DENY-HTTP
SW1(config-access-map)# action drop

SW1(config)# vlan filter HOST-A-B vlan 10

B.
SW1(config)# ip access-list extended DENY-HTTP
SW1(config-ext-nacl)# deny tcp host 10.1.1.10 host 10.1.1.20 eq www

SW1(config)# ip access-list extended MATCH_ALL
SW1(config-ext-nacl)# permit ip any any

SW1(config)# vlan access-map HOST-A-B 10
SW1(config-access-map)# match ip address DENY-HTTP
SW1(config-access-map)# action drop
SW1(config)# vlan access-map HOST-A-B 20
SW1(config-access-map)# match ip address MATCH_ALL
SW1(config-access-map)# action forward

SW1(config)# vlan filter HOST-A-B vlan 10

C.
SW1(config)# mac access-list extended HOST-A-B
SW1(config-ext-macl)# permit host aaaa.bbbb.cccc aaaa.bbbb.dddd

SW1(config)# ip access-list extended DENY-HTTP
SW1(config-ext-nacl)# permit tcp host 10.1.1.10 host 10.1.1.20 eq www

SW1(config)# vlan access-map DROP-MAC 10
SW1(config-access-map)# match mac address HOST-A-B
SW1(config-access-map)# action forward
SW1(config)# vlan access-map HOST-A-B 20
SW1(config-access-map)# match ip address DENY-HTTP
SW1(config-access-map)# action drop

SW1(config)# vlan filter HOST-A-B vlan 10

D.
SW1(config)# ip access-list extended DENY-HTTP
SW1(config-ext-nacl)# permit tcp host 10.1.1.10 host 10.1.1.20 eq www

SW1(config)# ip access-list extended MATCH_ALL
SW1(config-ext-nacl)# permit ip any any

SW1(config)# vlan access-map HOST-A-B 10
SW1(config-access-map)# match ip address DENY-HTTP
SW1(config-access-map)# action drop
SW1(config)# vlan access-map HOST-A-B 20
SW1(config-access-map)# match ip address MATCH_ALL
SW1(config-access-map)# action forward

SW1(config)# vlan filter HOST-A-B vlan 10

A

B.
SW1(config)# ip access-list extended DENY-HTTP
SW1(config-ext-nacl)# deny tcp host 10.1.1.10 host 10.1.1.20 eq www

SW1(config)# ip access-list extended MATCH_ALL
SW1(config-ext-nacl)# permit ip any any

SW1(config)# vlan access-map HOST-A-B 10
SW1(config-access-map)# match ip address DENY-HTTP
SW1(config-access-map)# action drop
SW1(config)# vlan access-map HOST-A-B 20
SW1(config-access-map)# match ip address MATCH_ALL
SW1(config-access-map)# action forward

SW1(config)# vlan filter HOST-A-B vlan 10

22
Q

A network engineer wants to configure console access to a router without using AAA so that the privileged exec mode is entered directly after a user provides the correct login credentials. Which action achieves this goal?

A. Configure a RADIUS or TACACS+ server and use it to send the privilege level.
B. Configure login authentication privileged on line con 0.
C. Configure privilege level 15 on line con 0.
D. Configure a local username with privilege level 15.

A

C. Configure privilege level 15 on line con 0.

Community vote distribution
C (74%)
D (26%)

It's C

This method doesn't require specifying local usernames and directly grants privileged exec mode to anyone logging in via the console, which might be more in line with the intent of bypassing more complex AAA configurations.

D is missing 'login local'.

23
Q

Refer to the exhibit. An engineer configured TACACS+ to authenticate remote users, but the configuration is not working as expected. Which configuration must be applied to enable access?

A. R1 (config)# ip tacacs source-interface Gig 0/0
B. R1 (config)# tacacs server prod -
R1(config-server-tacacs)# port 1020
C. R1 (config)# aaa authorization exec default group tacacs+ local
D. R1 (config)# tacacs server prod -
R1(config-server-tacacs)# key cisco123

A

D. R1 (config)# tacacs server prod -
R1(config-server-tacacs)# key cisco123

Selected Answer: D
This is a sample debug output from the router when the TACACS server is configured with a wrong pre-shared key:

*Apr 6 13:35:07.886: TPLUS: received bad AUTHEN packet: length = 6, expected 43974
*Apr 6 13:35:07.886: TPLUS: Invalid AUTHEN packet (check keys).

R1(config)# tacacs server prod
R1(config-server-tacacs)# key cisco123
This configuration sets up the TACACS+ server named “prod” with the key “cisco123”. Ensure that the key configured on the router matches the key configured on the TACACS+ server. Also, make sure that the TACACS+ server is reachable and correctly configured to handle authentication requests from the router.

24
Q

Which security option protects credentials from sniffer attacks in basic API authentication?

A. next-generation firewall
B. TLS or SSL for communication
C. VPN connection between client and server
D. AAA services to authenticate the API

A

B. TLS or SSL for communication

25
Q

Which mechanism can be used to enforce network access authentication against an AAA server if the endpoint does not support the 802.1X supplicant functionality?

A. WebAuth
B. MACsec
C. private VLANs
D. port security

A

A. WebAuth

MAC Authentication Bypass (MAB) is an access control technique that enables port-based access control using the MAC address of an endpoint, and it is typically used as a fallback mechanism to 802.1X. A MAB-enabled port can be dynamically enabled or disabled based on the MAC address of the endpoint that connects to it.

WebAuth, like MAB, can be used as a fallback authentication mechanism for 802.1X. If both MAB and WebAuth are configured as fallbacks for 802.1X, when 802.1X times out, the switch first attempts to authenticate through MAB, and if that fails, the switch attempts to authenticate with WebAuth.

Extracted from Secure Network Access Control, Chapter 25 of the OCG

26
Q

Which mechanism can be used to enforce network access authentication against an AAA server if the endpoint does not support the 802.1X supplicant functionality?

A. MAC Authentication Bypass
B. MACsec
C. private VLANs
D. port security

A

A. MAC Authentication Bypass