Secure Network Access, Visibility, and Enforcement Flashcards

1
Q

Allows you to enable authentication across the wired infrastructure, without affecting wired users or devices. It can be thought of as an audit mode. With the help of logging data for validation, administrators use the monitor mode to help ensure that all devices are authenticating correctly, either with 802.1X or MAB. If a device is misconfigured or is missing an 802.1X supplicant, access will be allowed and logged. However, if authentication succeeds, authorization (for example, Dynamic VLAN, Downloadable access control list (DACL)) can still be applied.

A

Monitor Mode

2
Q

It allows a selective transition from an open (non-filtering) preauthorization method to selective preauthorization. This function is provided by static port ACLs (Pre-ACL as shown in the previous figure) that allow necessary services such as Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) while blocking all other network access. Users connected to controlled ports receive additional access (based on policy) after successful authentication, through a DACL that overrides the static ACL on the port.

A

Low Impact Mode

3
Q

It provides the highest level of control by configuring the closed preauthorization port control. No traffic is permitted on a port except EAPOL before authentication and authorization.

A

Closed Mode

4
Q

What are some forms of 802.1X fallback methods?

A

MAB, Guest VLAN, Authentication Fail VLAN, CWA (Cisco Web Authentication) with ISE

5
Q

True or False: A switch can use any Layer 2 packet including CDP, STP, DTP, and LLDP to learn a source MAC address during MAB.

A

False

6
Q

True or False: Cisco ISE MAB authentication policy is by default configured in such a way that MAB will always succeed for the unknown MAC addresses.

A

True

7
Q

What are the 4 802.1X host modes on a port?

A

Single, Multiple, Multiple Domain Authentication, Multiple Authentication

8
Q

True or False: In multiple host mode, every client on the port must be authorized.

A

False. Only the first client must authenticate; all subsequent clients are then authorized.

9
Q

In MDA mode, how many MAC addresses can be learned in each domain and how many domains are there?

A

2 domains (data and voice), 1 MAC address per domain

10
Q

In multi-authentication mode, what determines the group VLAN assignment?

A

The first host to connect.

11
Q

How do critical authentication and low-impact mode interact?

A

Low-impact mode does not work well with the inaccessible authentication bypass feature. When the RADIUS server (ISE) is not reachable, the port is put into the critical state and the critical VLAN is applied. The problem is that the preauthentication ACL is still applied to the port in the critical state, which limits the traffic that can pass through the port into the critical VLAN.

12
Q

Given Timeout = (max-reauth-req + 1) * tx-period and the default Cisco values, how long does it take an endpoint without a supplicant to get access via MAB or the Guest VLAN?

A

90 seconds: tx-period is 30 seconds and max-reauth-req is 2, so (2 + 1) * 30 = 90.

13
Q

What does IP device tracking functionality do on a switch?

A

The purpose of IP device tracking is for the switch to obtain and maintain a list of the devices connected to it, keyed by IP address.

14
Q

What global AAA settings need to be configured before you can use 802.1X?

A

These settings include enabling AAA new-model and configuring the AAA lists for 802.1X.

15
Q

What global RADIUS settings need to be configured before you can use 802.1X?

A

Individual RADIUS servers, RADIUS server group, RADIUS attributes, RADIUS CoA

16
Q

What is the purpose of the following command: authentication port-control auto

A

Enables port-based authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port

17
Q

What would happen without this command: authentication periodic

A

The host would remain authenticated indefinitely.

18
Q

On the WLC, enabling Cisco ISE Default settings sets these parameters:

A

Enables RADIUS CoA.
Applies the AuthC details to the accounting server.
Sets the Layer 2 security of a WLAN to WPA+WPA2.
Sets the authentication key management (AKM) method to 802.1X.
Enables MAC filtering if the Layer 2 security of a WLAN is set to None.

19
Q

What is the purpose of AAA override on the WLC?

A

This setting enables you to apply dynamic VLAN, Quality of Service (QoS), and ACLs to individual clients based on the returned RADIUS attributes from the AAA server, such as Cisco ISE.

20
Q

Cisco ISE configuration for 802.1X consists of the following overall tasks:

A

Configure Cisco ISE digital certificates. Digital certificates on Cisco ISE are used for different purposes, for example for server-side and client-side EAP authentication.

Configure identity sources, which are used to verify client identity. This includes configuration of local user and device accounts, and integration with external identity sources such as Microsoft Active Directory or a general Lightweight Directory Access Protocol (LDAP) server.

Configure network devices, which act as RADIUS clients. The settings include device name, IP address, and RADIUS settings.

Review authentication policy. Generally, no changes are needed in Cisco ISE default authentication policy.

Configure authorization policy. Authorization policy on Cisco ISE usually needs to be customized based on your requirements.
21
Q

For Cisco ISE, what is the most common use case for using an internal identity source in the context of 802.1X?

A

To maintain a database of MAC addresses for MAB, or to maintain a database of guest accounts for web authentication.

22
Q

A password is a mandatory parameter of an internal Cisco ISE user. Which protocols do not work with this?

A

EAP-TLS and Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS) do not use password-based authentication. The internal database does not work with these protocols.

23
Q

What is the only mandatory setting for a user group?

A

A name

24
Q

To deploy MAB using the internal Cisco ISE endpoints database, you must identify and add endpoint MAC addresses. How can you add them?

A

You can add endpoints manually, or by importing them from a file or an LDAP database.

25
Q

In ISE, a policy set serves what three key, interrelated functions?

A

Serves as a container for a logical grouping of authentication and authorization policies.

Uses Boolean conditions to steer RADIUS authentication requests to the appropriate group of policies for network authentication and authorization.

Limits the authentication session to a set of allowed protocols (or proxies to an external RADIUS server).
26
Q

A policy set is configured by which three key items?

A

A name, conditions, and a resultant set of allowed protocols.

27
Q

What is the purpose of Cisco ISE Authentication Policy?

A

It specifies the identity source against which a RADIUS authentication request is authenticated.

28
Q

What are the 3 components of an ISE Authentication Policy?

A

Name

Set of conditions

Resulting identity source
29
Q

How is machine and user authentication support handled in Cisco NAM & Native OS on supplicants?

A

Cisco NAM (Network Access Manager): a single authentication process using EAP Chaining.
Native OS: machine authentication and user authentication are handled as separate authentication processes.

30
Q

What are the 3 steps to configure the Windows supplicant?

A

Configure client and/or root CA certificate.

Start Wired AutoConfig Windows service.

Configure and enable 802.1X authentication on an interface.
31
Q

Which two options are advantages of using Cisco AnyConnect Secure Mobility Client over native Microsoft Windows 10 OS supplicant?

A

Richer EAP support & MACsec encryption

32
Q

What is the purpose of Cisco Web Authentication?

A

Web authentication provides a means of granting access to the 802.1X-enabled network for endpoints that do not have an 802.1X supplicant or lack local credentials to authenticate to the network. Web authentication is usually used to provide access for guest users.

33
Q

The disadvantages of the LWA (local web authentication) scenarios include:

A

No support for CoA.

Endpoints can be granted access through features such as a locally configured guest VLAN or authentication-failed VLAN, and no information is logged in the centralized audit trail.

You must configure web authentication and the web portal on each network access device separately.
34
Q

What are the 5 steps of CWA configuration on the Cisco ISE server?

A

Verification of the guest portal and guest authentication identity source sequence.

Verification of the MAB authentication rule.

Configuration of authorization profile for CWA redirection.

Configuration of authorization rules for redirection.

Configuration of authorization rules for guest access.
35
Q

Which two actions are needed on a Cisco WLC in order to configure a wireless CWA?

A

Enable Cisco ISE NAC state on the guest WLAN.
Configure redirect ACL to permit DHCP, DNS, and traffic to Cisco ISE.

36
Q

You are using the Microsoft Active Directory domain machine with native supplicant. You want to confirm that the network connectivity is available before a user has initiated a successful login attempt on the machine. Which type of authentication do you use?

A

Machine Connection

37
Q

Which three parameters are set by enabling Cisco ISE Default settings under AAA RADIUS configuration on Cisco WLC? (Choose three.)

A

sets the Layer 2 security of a WLAN to WPA+WPA2

enables RADIUS CoA

sets the AKM method to 802.1X