Chapter 4 Authentication, Authorization, Accounting (AAA) and Identity Management

Question 1

You were hired to configure AAA services in an organization and are asked to make sure that users in the engineering department do not have access to resources that are only meant for the finance department. What authorization principle addresses this scenario?

A. The principle of least privilege and separation of duties

B. Accounting and MAC Auth-bypass

C. Deter, delay, and detect

D. Policy-based segmentation

Answer 1

A

Question 2

Which of the following describes the type of authentication where the user provides a secret that is only known by him or her?

A. Authentication by password

B. Authentication by knowledge

C. Personal identification number (PIN) code

D. Authentication by characteristics

Answer 2

B

Question 3

Which of the following is a set of characteristics that can be used to prove a subject’s identity one time and one time only?

A. One-time passcode (OTP)

B. Out-of-band (OOB)

C. Biometrics

D. None of these answers is correct.

Answer 3

A

Question 4

Which of the following is an open standard for exchanging authentication and authorization data between identity providers, and is used in many single sign-on (SSO) implementations?

A. SAML

B. OAuth 2.0

C. OpenConnectID

D. DUO Security

Answer 4

A

Question 5

Which of the following defines how access rights and permission are granted? Examples of that model include object capability, security labels, and ACLs.

A. A mandatory access control model

B. An authorization model

C. An authentication model

D. An accounting model

Answer 5

B

Question 6

An authorization policy should always implement which of the following concepts? (Select all that apply.)

A. Implicit deny

B. Need to know

C. Access control debugging logs

D. Access control filter logs

Answer 6

A + B

Question 7

Which of the following is the process of auditing and monitoring what a user does once a specific resource is accessed?

A. CoA

B. Authorization

C. Accounting

D. TACACS+ auditing

Answer 7

C

Question 8

Access control lists classify packets by inspecting Layer 2 through Layer 7 headers for a number of parameters, including which of the following?

A. Layer 2 protocol information such as EtherTypes

B. Layer 3 header information such as source and destination IP addresses

C. Layer 4 header information such as source and destination TCP or UDP ports

D. All of these options are correct.

Answer 8

D

Question 9

Which of the following statements are true?

A. RADIUS uses UDP, and TACACS+ uses TCP.

B. In RADIUS, authentication and authorization are performed with the same exchange. Accounting is done with a separate exchange.

C. In TACACS+, authentication, authorization, and accounting are performed with separate exchanges.

D. RADIUS provides limited support for command authorization. TACACS+ provides granular command authorization.

E. All of these answers are correct.

Answer 9

E

Question 10

Network access devices (such as network switches and wireless access points) can use an IEEE protocol that when enabled, will allow traffic on the port only after the device has been authenticated and authorized. Which of the following is an IEEE standard that is used to implement port-based access control?

A. 802.11ac

B. 802.1Q

C. 802.1X

D. pxGrid

Answer 10

C

Question 11

Which of the following provides a cross-platform integration capability between security monitoring applications, threat detection systems, asset management platforms, network policy systems, and practically any other IT operations platform?

A. pxGrid

B. 802.1X

C. TrustSec

D. SGTs

Answer 11

A

Question 12

Which of the following are examples of some of the more popular policy attributes supported by Cisco ISE?

A. Active Directory group membership and Active Directory user-based attributes

B. Time and date

C. Location of the user

D. Access method (MAB, 802.1X, wired, wireless, and so on)

E. None of these options is correct.

F. All of these options are correct.

Answer 12

F

Question 13

Which of the following commands enables AAA services on a Cisco router?

A. aaa new-model

B. aaa authentication enable

C. aaa authentication model

D. aaa enable console

Answer 13

A

Question 14

Which of the following is the default behavior of an 802.1X-enabled port?

A. To authorize only a single MAC address per port

B. To authorize only a single IP address per port

C. To perform MAC auth bypass only if the MAC is registered to ISE

D. To authenticate only a single host that has an identity certificate

Answer 14

A

Question 15

Which of the following are Cisco ISE distributed node types?

A. Primary Administration Node (PAN)

B. Secondary Administration Node (SAN)

C. Policy Service Node (PSN)

D All of these options are correct.

Answer 15

D

Question 16

Which of the following is a security model created by Google that is similar to the zero-trust concept?

A. BeyondCorp
B. TrustSec
C. pxGrid
D. Duo

Answer 16

A

Question 17

Which of the following are technologies used in SSO implementations?

A. SAML
B. OpenID Connect
C. Microsoft Account
D. All of these options are correct.

Answer 17

D

Question 18

Which of the following is true about delegation in SSO implementations? (Select all that apply.)

A. SSO implementations use delegation to call external APIs to authenticate and authorize users.

B. Delegation is used to make sure that applications and services do not store passwords and user information on-premises.

C. Delegation uses multifactor authentication to provide identity services to other servers in the environment.

D. pxGrid can be used for delegation between a PSN and PAN.

Answer 18

A + B

Question 19

Which of the following statements are true about discretionary access controls (DACs)?

A. Discretionary access controls (DACs) are defined by the owner of the object.

B. DACs are used in commercial operating systems.

C. The object owner builds an ACL that allows or denies access to the object based on the user’s unique identity.

D. All of these options are correct.

Answer 19

D

Question 20

RADIUS accounting runs over what protocol and port?

A. UDP port 1812

B. UDP port 1813

C. UDP port 1645

D. None of these options is correct.

Answer 20

B

Question 21

Which of the following is one primary difference between a malicious hacker and an ethical hacker?

A. Malicious hackers use different tools and techniques than ethical hackers use.

B. Malicious hackers are more advanced than ethical hackers because they can use any technique to attack a system or network.

C. Ethical hackers obtain permission before bringing down servers or stealing credit card databases.

D. Ethical hackers use the same methods but strive to do no harm.

Answer 21

D

Question 22

You were hired to configure RADIUS authentication in a VPN implementation. You start RADIUS debugs in the VPN device and notice ACCESS-CHALLENGE messages. What do those messages mean?

A. ACCESS-CHALLENGE messages are sent if additional information is needed. The RADIUS server needs to send an additional challenge to the access server before authenticating the user. The ACCESS-CHALLENGE will be followed by a new ACCESS-REQUEST message.

B. ACCESS-CHALLENGE messages are sent if additional information is needed. The RADIUS server needs to send an additional challenge to the access server before authenticating the user. The ACCESS-CHALLENGE will be followed by a new ACCESS-REJECT message.

C. ACCESS-CHALLENGE messages are sent if the client is using multifactor authentication with a mobile device. The ACCESS-CHALLENGE will be followed by a new ACCESS-REQUEST message.

D. None of these options is correct.

Answer 22

A

Question 23

Which of the following are TACACS+ exchange packets used during the authentication process?

A. START

B. REPLY

C. CONTINUE

D. All of these options are correct.

E. None of these options is correct.

Answer 23

D

Question 24

Which of the following is an entity that seeks to be authenticated by an authenticator (switch, wireless access point, and so on)? This entity could use software such as the Cisco AnyConnect Secure Mobility Client.

A. PAN

B. PSN

C. Supplicant

D. None of these options is correct.

Answer 24

C

Question 25

802.1X uses which of the following protocols?

A. EAPoL

B. EAP

C. RADIUS

D. All of these options are correct.

Answer 25

D

Question 26

Which of the following statements is true about CoA?

A. RADIUS CoA is a feature that allows a RADIUS server to adjust the authentication and authorization state of an active client session.

B. RADIUS CoA is a feature that allows a RADIUS server to detect a change of configuration from other RADIUS servers and, subsequently, deny access to a client trying to connect to the network.

C. RADIUS CoA is a feature that allows a RADIUS server to perform profiling and posture assessment simultaneously.

D. None of these options is correct.

Answer 26

A

Question 27

The _________________ is a structured replacement for feature-specific configuration commands. This concept allows you to create traffic policies based on events, conditions, and actions.

A. Cisco Common Classification Policy Language (C3PL)

B. Cisco Policy Mapping

C. Cisco TrustSec

D. None of these options is correct.

Answer 27

A