Chapter 4 Authentication, Authorization, Accounting (AAA) and Identity Management Flashcards
You were hired to configure AAA services in an organization and are asked to make sure that users in the engineering department do not have access to resources that are only meant for the finance department. What authorization principle addresses this scenario?
A. The principle of least privilege and separation of duties
B. Accounting and MAC Auth-bypass
C. Deter, delay, and detect
D. Policy-based segmentation
A
Which of the following describes the type of authentication where the user provides a secret that is only known by him or her?
A. Authentication by password
B. Authentication by knowledge
C. Personal identification number (PIN) code
D. Authentication by characteristics
B
Which of the following is a set of characteristics that can be used to prove a subject’s identity one time and one time only?
A. One-time passcode (OTP)
B. Out-of-band (OOB)
C. Biometrics
D. None of these answers is correct.
A
Which of the following is an open standard for exchanging authentication and authorization data between identity providers, and is used in many single sign-on (SSO) implementations?
A. SAML
B. OAuth 2.0
C. OpenID Connect
D. Duo Security
A
Which of the following defines how access rights and permissions are granted? Examples of such models include object capabilities, security labels, and ACLs.
A. A mandatory access control model
B. An authorization model
C. An authentication model
D. An accounting model
B
An authorization policy should always implement which of the following concepts? (Select all that apply.)
A. Implicit deny
B. Need to know
C. Access control debugging logs
D. Access control filter logs
A + B
Which of the following is the process of auditing and monitoring what a user does once a specific resource is accessed?
A. CoA
B. Authorization
C. Accounting
D. TACACS+ auditing
C
Access control lists classify packets by inspecting Layer 2 through Layer 7 headers for a number of parameters, including which of the following?
A. Layer 2 protocol information such as EtherTypes
B. Layer 3 header information such as source and destination IP addresses
C. Layer 4 header information such as source and destination TCP or UDP ports
D. All of these options are correct.
D
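Added example, not part of the original flashcards: a Cisco IOS extended ACL that classifies on Layer 3 (source and destination addresses) and Layer 4 (TCP destination port) header fields, written so that the implicit deny from the earlier authorization-policy cards is also made explicit and logged. The subnets, host address, ACL name and interface are assumed for illustration.

```cisco
! Added example; all addresses, names and the interface are assumed
! 10.10.30.0/24 = engineering clients, 10.10.20.0/24 = finance servers
ip access-list extended ENG-TO-FIN
 remark Engineering may reach only the finance web front end (L3 src/dst + L4 dst port)
 permit tcp 10.10.30.0 0.0.0.255 host 10.10.20.50 eq 443
 remark Explicit deny with log so the implicit deny is visible in syslog and show access-lists
 deny   ip  10.10.30.0 0.0.0.255 10.10.20.0 0.0.0.255 log
 remark Everything else from the engineering subnet is allowed
 permit ip  10.10.30.0 0.0.0.255 any
 remark Unlisted traffic (e.g. spoofed sources) still hits the implicit deny ip any any
!
interface Vlan30
 description Engineering client SVI
 ip access-group ENG-TO-FIN in
```

Check the result with show access-lists ENG-TO-FIN, which prints per-entry match counters; the counters on the explicit deny line are the evidence that the policy is actually blocking cross-department traffic. Use the log keyword sparingly on busy interfaces, because logged entries are processed in software.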
Which of the following statements are true?
A. RADIUS uses UDP, and TACACS+ uses TCP.
B. In RADIUS, authentication and authorization are performed with the same exchange. Accounting is done with a separate exchange.
C. In TACACS+, authentication, authorization, and accounting are performed with separate exchanges.
D. RADIUS provides limited support for command authorization. TACACS+ provides granular command authorization.
E. All of these answers are correct.
E
Network access devices (such as network switches and wireless access points) can use an IEEE protocol that, when enabled, allows traffic on a port only after the connected device has been authenticated and authorized. Which of the following is the IEEE standard used to implement port-based access control?
A. 802.11ac
B. 802.1Q
C. 802.1X
D. pxGrid
C
Which of the following provides a cross-platform integration capability between security monitoring applications, threat detection systems, asset management platforms, network policy systems, and practically any other IT operations platform?
A. pxGrid
B. 802.1X
C. TrustSec
D. SGTs
A
Which of the following are examples of some of the more popular policy attributes supported by Cisco ISE?
A. Active Directory group membership and Active Directory user-based attributes
B. Time and date
C. Location of the user
D. Access method (MAB, 802.1X, wired, wireless, and so on)
E. None of these options is correct.
F. All of these options are correct.
F
Which of the following commands enables AAA services on a Cisco router?
A. aaa new-model
B. aaa authentication enable
C. aaa authentication model
D. aaa enable console
A
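Added example, not from the original flashcards, that ties together the RADIUS/TACACS+ card and the aaa new-model card above: a Cisco IOS device-administration AAA configuration that uses TACACS+ for login authentication, per-command authorization and command accounting as separate exchanges, with local fallback. The server address, shared key, group name and local username/password are assumed for illustration.

```cisco
! Added example; server address, key, names and passwords are assumed
! Create the local fallback account BEFORE aaa new-model: enabling AAA
! immediately applies the default login method to every line.
username admin privilege 15 secret Fallback-Only-Pa55w0rd
!
aaa new-model
!
tacacs server ISE-PSN1
 address ipv4 10.1.1.10
 key SampleTacacsKey
!
aaa group server tacacs+ ISE-TACACS
 server name ISE-PSN1
!
! Authentication: TACACS+ first, local only if the servers are unreachable
aaa authentication login default group ISE-TACACS local
aaa authentication enable default group ISE-TACACS enable
! Authorization: separate exchange, granular per-command (RADIUS cannot do this)
aaa authorization exec default group ISE-TACACS local
aaa authorization commands 1 default group ISE-TACACS local
aaa authorization commands 15 default group ISE-TACACS local
aaa authorization config-commands
! Accounting: separate exchange, records each command the admin runs
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 1 default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
!
line vty 0 4
 transport input ssh
```

Two caveats worth remembering: the local keyword is only consulted when the TACACS+ group is unreachable, not when it rejects the user, and command accounting records what was typed even when authorization denied it, which is exactly what an investigator wants. Verify with test aaa group ISE-TACACS admin Fallback-Only-Pa55w0rd legacy before logging out of the session you used to configure it.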
Which of the following is the default behavior of an 802.1X-enabled port?
A. To authorize only a single MAC address per port
B. To authorize only a single IP address per port
C. To perform MAC auth bypass only if the MAC is registered to ISE
D. To authenticate only a single host that has an identity certificate
A
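Added example, not from the original flashcards, for the two 802.1X cards above: a Cisco IOS access-port configuration that authenticates the connected host against a RADIUS server (Cisco ISE in this case) before any traffic is forwarded, with MAB as the fallback and the single-host default stated explicitly. The ISE address, shared key, group name, VLAN and interface are assumed for illustration.

```cisco
! Added example; ISE address, key, names, VLAN and interface are assumed
aaa new-model
!
radius server ISE-PSN1
 address ipv4 10.1.1.10 auth-port 1812 acct-port 1813
 key SampleRadiusKey
!
aaa group server radius ISE-RADIUS
 server name ISE-PSN1
!
! RADIUS: authentication and authorization come back in one Access-Accept,
! accounting is a separate exchange to the acct-port
aaa authentication dot1x default group ISE-RADIUS
aaa authorization network default group ISE-RADIUS
aaa accounting dot1x default start-stop group ISE-RADIUS
! Allow ISE to send Change of Authorization (CoA) to re-evaluate a session
aaa server radius dynamic-author
 client 10.1.1.10 server-key SampleRadiusKey
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/10
 description User-facing access port
 switchport mode access
 switchport access vlan 10
 ! port stays unauthorized until a session is authorized by ISE
 authentication port-control auto
 ! default: exactly one MAC address is authorized on the port
 authentication host-mode single-host
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 dot1x pae authenticator
 dot1x timeout tx-period 10
 mab
 spanning-tree portfast
```

authentication host-mode single-host is the default and will not appear in the running configuration; it is written here only to show the behavior the card asks about. A port with an IP phone and a PC behind it needs multi-domain instead, otherwise the second MAC address triggers a security violation. Verify a live session with show authentication sessions interface GigabitEthernet1/0/10 details.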
Which of the following are Cisco ISE distributed node types?
A. Primary Administration Node (PAN)
B. Secondary Administration Node (SAN)
C. Policy Service Node (PSN)
D. All of these options are correct.
D