Chapter 4 Authentication, Authorization, Accounting (AAA) and Identity Management Flashcards

1
Q

You were hired to configure AAA services in an organization and are asked to make sure that users in the engineering department do not have access to resources that are only meant for the finance department. What authorization principle addresses this scenario?

A. The principle of least privilege and separation of duties

B. Accounting and MAC Auth-bypass

C. Deter, delay, and detect

D. Policy-based segmentation

A

A

2
Q

Which of the following describes the type of authentication where the user provides a secret that is only known by him or her?

A. Authentication by password

B. Authentication by knowledge

C. Personal identification number (PIN) code

D. Authentication by characteristics

A

B

3
Q

Which of the following is a set of characteristics that can be used to prove a subject’s identity one time and one time only?

A. One-time passcode (OTP)

B. Out-of-band (OOB)

C. Biometrics

D. None of these answers is correct.

A

A

4
Q

Which of the following is an open standard for exchanging authentication and authorization data between identity providers, and is used in many single sign-on (SSO) implementations?

A. SAML

B. OAuth 2.0

C. OpenConnectID

D. DUO Security

A

A

5
Q

Which of the following defines how access rights and permissions are granted? Examples of that model include object capability, security labels, and ACLs.

A. A mandatory access control model

B. An authorization model

C. An authentication model

D. An accounting model

A

B

6
Q

An authorization policy should always implement which of the following concepts? (Select all that apply.)

A. Implicit deny

B. Need to know

C. Access control debugging logs

D. Access control filter logs

A

A + B

7
Q

Which of the following is the process of auditing and monitoring what a user does once a specific resource is accessed?

A. CoA

B. Authorization

C. Accounting

D. TACACS+ auditing

A

C

8
Q

Access control lists classify packets by inspecting Layer 2 through Layer 7 headers for a number of parameters, including which of the following?

A. Layer 2 protocol information such as EtherTypes

B. Layer 3 header information such as source and destination IP addresses

C. Layer 4 header information such as source and destination TCP or UDP ports

D. All of these options are correct.

A

D

9
Q

Which of the following statements are true?

A. RADIUS uses UDP, and TACACS+ uses TCP.

B. In RADIUS, authentication and authorization are performed with the same exchange. Accounting is done with a separate exchange.

C. In TACACS+, authentication, authorization, and accounting are performed with separate exchanges.

D. RADIUS provides limited support for command authorization. TACACS+ provides granular command authorization.

E. All of these answers are correct.

A

E

10
Q

Network access devices (such as network switches and wireless access points) can use an IEEE protocol that, when enabled, allows traffic on the port only after the device has been authenticated and authorized. Which of the following is an IEEE standard that is used to implement port-based access control?

A. 802.11ac

B. 802.1Q

C. 802.1X

D. pxGrid

A

C

11
Q

Which of the following provides a cross-platform integration capability between security monitoring applications, threat detection systems, asset management platforms, network policy systems, and practically any other IT operations platform?

A. pxGrid

B. 802.1X

C. TrustSec

D. SGTs

A

A

12
Q

Which of the following are examples of some of the more popular policy attributes supported by Cisco ISE?

A. Active Directory group membership and Active Directory user-based attributes

B. Time and date

C. Location of the user

D. Access method (MAB, 802.1X, wired, wireless, and so on)

E. None of these options is correct.

F. All of these options are correct.

A

F

13
Q

Which of the following commands enables AAA services on a Cisco router?

A. aaa new-model

B. aaa authentication enable

C. aaa authentication model

D. aaa enable console

A

A

14
Q

Which of the following is the default behavior of an 802.1X-enabled port?

A. To authorize only a single MAC address per port

B. To authorize only a single IP address per port

C. To perform MAC auth bypass only if the MAC is registered to ISE

D. To authenticate only a single host that has an identity certificate

A

A

15
Q

Which of the following are Cisco ISE distributed node types?

A. Primary Administration Node (PAN)

B. Secondary Administration Node (SAN)

C. Policy Service Node (PSN)

D. All of these options are correct.

A

D

16
Q

Which of the following is a security model created by Google that is similar to the zero-trust concept?

A. BeyondCorp
B. TrustSec
C. pxGrid
D. Duo

A

A

17
Q

Which of the following are technologies used in SSO implementations?

A. SAML
B. OpenID Connect
C. Microsoft Account
D. All of these options are correct.

A

D

18
Q

Which of the following is true about delegation in SSO implementations? (Select all that apply.)

A. SSO implementations use delegation to call external APIs to authenticate and authorize users.

B. Delegation is used to make sure that applications and services do not store passwords and user information on-premises.

C. Delegation uses multifactor authentication to provide identity services to other servers in the environment.

D. pxGrid can be used for delegation between a PSN and PAN.

A

A + B

19
Q

Which of the following statements are true about discretionary access controls (DACs)?

A. Discretionary access controls (DACs) are defined by the owner of the object.

B. DACs are used in commercial operating systems.

C. The object owner builds an ACL that allows or denies access to the object based on the user’s unique identity.

D. All of these options are correct.

A

D

20
Q

RADIUS accounting runs over what protocol and port?

A. UDP port 1812

B. UDP port 1813

C. UDP port 1645

D. None of these options is correct.

A

B

21
Q

Which of the following is one primary difference between a malicious hacker and an ethical hacker?

A. Malicious hackers use different tools and techniques than ethical hackers use.

B. Malicious hackers are more advanced than ethical hackers because they can use any technique to attack a system or network.

C. Ethical hackers obtain permission before bringing down servers or stealing credit card databases.

D. Ethical hackers use the same methods but strive to do no harm.

A

D

22
Q

You were hired to configure RADIUS authentication in a VPN implementation. You start RADIUS debugs in the VPN device and notice ACCESS-CHALLENGE messages. What do those messages mean?

A. ACCESS-CHALLENGE messages are sent if additional information is needed. The RADIUS server needs to send an additional challenge to the access server before authenticating the user. The ACCESS-CHALLENGE will be followed by a new ACCESS-REQUEST message.

B. ACCESS-CHALLENGE messages are sent if additional information is needed. The RADIUS server needs to send an additional challenge to the access server before authenticating the user. The ACCESS-CHALLENGE will be followed by a new ACCESS-REJECT message.

C. ACCESS-CHALLENGE messages are sent if the client is using multifactor authentication with a mobile device. The ACCESS-CHALLENGE will be followed by a new ACCESS-REQUEST message.

D. None of these options is correct.

A

A

23
Q

Which of the following are TACACS+ exchange packets used during the authentication process?

A. START

B. REPLY

C. CONTINUE

D. All of these options are correct.

E. None of these options is correct.

A

D

24
Q

Which of the following is an entity that seeks to be authenticated by an authenticator (switch, wireless access point, and so on)? This entity could use software such as the Cisco AnyConnect Secure Mobility Client.

A. PAN

B. PSN

C. Supplicant

D. None of these options is correct.

A

C

25
Q

802.1X uses which of the following protocols?

A. EAPoL

B. EAP

C. RADIUS

D. All of these options are correct.

A

D

26
Q

Which of the following statements is true about CoA?

A. RADIUS CoA is a feature that allows a RADIUS server to adjust the authentication and authorization state of an active client session.

B. RADIUS CoA is a feature that allows a RADIUS server to detect a change of configuration from other RADIUS servers and, subsequently, deny access to a client trying to connect to the network.

C. RADIUS CoA is a feature that allows a RADIUS server to perform profiling and posture assessment simultaneously.

D. None of these options is correct.

A

A

27
Q

The _________________ is a structured replacement for feature-specific configuration commands. This concept allows you to create traffic policies based on events, conditions, and actions.

A. Cisco Common Classification Policy Language (C3PL)

B. Cisco Policy Mapping

C. Cisco TrustSec

D. None of these options is correct.

A

A