
AAA Questions

March 22nd, 2017 in SWITCH 300-115

Question 1

Explanation

AAA security provides the following services:
+ Authentication – Identifies users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol that you select, encryption.
Authentication is the process of verifying the identity of the person or device accessing the Cisco NX-OS device, which is based on the user ID and password combination provided by the entity trying to access the Cisco NX-OS device. Cisco NX-OS devices allow you to perform local authentication (using the local lookup database) or remote authentication (using one or more RADIUS or TACACS+ servers).
+ Authorization – Provides access control.
AAA authorization is the process of assembling a set of attributes that describe what the user is authorized to perform. Authorization in the Cisco NX-OS software is provided by attributes that are downloaded from AAA servers. Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights with the appropriate user.
+ Accounting – Provides the method for collecting information, logging the information locally, and sending the information to the AAA server for billing, auditing, and reporting.

In conclusion, authorization specifies which resources the users are allowed to access.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_aaa.html

Question 2

Explanation

In the “aaa authentication login login group radius local” command, the first “login” is the keyword that selects authentication of users asking for EXEC access to the device (tty, vty, console and aux lines). The second “login” is the method-list name, which here simply happens to be called “login”. “group radius local” is the ordered method list: the configured RADIUS servers are tried first, and the local username database is consulted only if no RADIUS server responds. A rejection from a reachable RADIUS server is final; it does not fall through to the local database, so “local” is a fallback for server outages, not a second chance for a bad password. IOS also accepts the older form “aaa authentication login login radius local” and stores it as “group radius local” (see the running-config output posted in the comments).

Question 3

Question 4

Explanation

Method lists are specific to the authorization type requested:
+ Auth-proxy – Applies specific security policies on a per-user basis. For details on the authentication proxy feature, refer to Cisco’s “Configuring Authentication Proxy” documentation.
+ Commands – Applies to the EXEC mode commands a user issues. Command authorization attempts authorization for all EXEC mode commands, including global configuration commands, associated with a specific privilege level.
+ EXEC – Applies to the attributes associated with a user EXEC terminal session.
+ Network – Applies to network connections. This can include a PPP, SLIP, or ARAP connection.
+ Reverse Access – Applies to reverse Telnet sessions.

When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type.
Once defined, method lists must be applied to specific lines or interfaces before any of the defined methods will be performed. The only exception is the default method list (which is named “default”). If the aaa authorization command for a particular authorization type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined for an authorization type, no authorization takes place for that type.
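The following Cisco IOS configuration is an added example (not from the page or from Cisco’s documentation) that puts the two rules above side by side: a default list that is applied everywhere automatically, and a named command-authorization list that does nothing until it is bound to a line. The TACACS+ server address and key, the username, and the list name ADMIN-CMDS are placeholders chosen for this example.

```cisco
! Added example: AAA authorization method lists on Cisco IOS.
! 10.1.1.20, Tacacs-Key1, "admin" and ADMIN-CMDS are assumed placeholders.
aaa new-model
tacacs-server host 10.1.1.20 key Tacacs-Key1
!
! Default EXEC authorization list. No named list is given, so it applies
! to every line that has no named EXEC list of its own. TACACS+ returns the
! shell attributes (privilege level, autocommand); the local database is
! consulted only when no TACACS+ server answers, never after a deny.
aaa authorization exec default group tacacs+ local
!
! Named list for privilege-15 command authorization. Until it is bound to
! a line (below) it is never consulted.
aaa authorization commands 15 ADMIN-CMDS group tacacs+ local
!
! Configuration-mode commands are authorized like other EXEC commands.
! This is the default once command authorization is configured; it is
! stated explicitly so nobody turns it off by accident.
aaa authorization config-commands
!
username admin privilege 15 secret StrongLocalPassword
!
line vty 0 4
 ! EXEC authorization uses the default list automatically (nothing to add).
 ! Command authorization only happens because the named list is bound here.
 authorization commands 15 ADMIN-CMDS
 transport input ssh
!
line con 0
 ! No command list is bound and there is no
 ! "aaa authorization commands 15 default ..." line, so commands typed on
 ! the console are not checked against TACACS+ at all.
```

The asymmetry between the two lines is the point: an operator who later adds a new vty range (line vty 5 15) gets EXEC authorization for free from the default list but must remember to bind ADMIN-CMDS again, otherwise command authorization silently does not apply there.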

Question 5

Explanation

For 802.1x port-based authentication, the Remote Authentication Dial-In User Service (RADIUS) security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server; it is available in Cisco Secure Access Control Server version 3.0. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.

Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/Sw8021x.html

Question 6

Explanation

The console port is bound to the NO_AUTH list. That list contains no real authentication method (its only method is “none”), so no authentication is required when connecting to the console port: anyone with physical access to the console gets an EXEC prompt without entering a password. This is only acceptable where physical access to the device is itself controlled.

Question 7

Explanation

The VTY lines can be accessed via Telnet and SSH by default. They are authenticated by the “default” list, which is defined with the “aaa authentication login default group radius local line” command. Therefore users who access the device via Telnet or SSH are authenticated via RADIUS first; the local username database is used only if no RADIUS server responds, and the line VTY password only as the final fallback. A rejection by a reachable RADIUS server is final and does not fall through to the next method.

Note: The “group” keyword provides a way to group existing server hosts. The feature allows the user to select a subset of the configured server hosts and use them for a particular service. Therefore we can understand “group radius” here means “some pre-defined radius servers”.
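The Cisco IOS configuration below is an added example (not the page’s own nor Cisco’s) that wires together the three login lists discussed in Questions 2, 6 and 7: the named “login” list from Question 2, the NO_AUTH console list from Question 6, and the “group radius local line” default list from Question 7. The RADIUS server address and key, the username, and the line passwords are placeholders assumed for this example; the list names are the ones the page uses.

```cisco
! Added example: login authentication method lists on Cisco IOS.
! 10.1.1.10, Radius-Key1, "admin" and the passwords are assumed placeholders.
aaa new-model
radius-server host 10.1.1.10 auth-port 1812 acct-port 1813 key Radius-Key1
!
! Q7: the default list. Methods are tried in order, and a later method is
! used only when the earlier one returns an ERROR (no RADIUS server
! reachable), never when it returns FAIL (server rejected the credentials).
aaa authentication login default group radius local line
!
! Q2: a named list that happens to be called "login" (legal, but easy to
! misread). IOS accepts "radius local" without "group" and stores it as below.
aaa authentication login login group radius local
!
! Q6: a named list whose only method is "none": no authentication at all on
! whatever line it is bound to.
aaa authentication login NO_AUTH none
!
username admin privilege 15 secret StrongLocalPassword
!
line con 0
 ! Anyone with physical console access gets an EXEC prompt with no password.
 login authentication NO_AUTH
!
line vty 0 4
 ! The default list would apply here anyway; binding it explicitly makes the
 ! intent visible. "line" is the last method in that list, so a line
 ! password must exist or the final fallback can never succeed.
 password VtyLinePassword
 login authentication default
 transport input ssh
!
line vty 5 15
 ! Bound to the Q2 named list: RADIUS, then local, and no line-password fallback.
 login authentication login
 transport input ssh
```

A quick way to confirm the fallback semantics on a lab switch is to stop the RADIUS daemon (method returns ERROR; the local username works) and then start it again with a deliberately wrong shared key or a user the server rejects (method returns FAIL; the local username is never consulted).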

Question 8

Explanation

You can configure port security and 802.1X on the same interfaces. Port security secures the MAC addresses that 802.1X authenticates. 802.1X processes packets before port security processes them, so when you enable both on an interface, 802.1X is already preventing inbound traffic on the interface from unknown MAC addresses.

When you enable 802.1X and port security on the same interface, port security continues to learn MAC addresses by the sticky or dynamic method, as configured. Additionally, depending on whether you enable 802.1X in single-host mode or multiple-host mode, one of the following occurs:
+ Single host mode—Port security learns the MAC address of the authenticated host.
+ Multiple host mode—Port security drops any MAC addresses learned for this interface by the dynamic method and learns the MAC address of the first host authenticated by 802.1X.

If a MAC address that 802.1X passes to port security would violate the applicable maximum number of secure MAC addresses, the device sends an authentication failure message to the host.

The device treats MAC addresses authenticated by 802.1X as though they were learned by the dynamic method, even if port security previously learned the address by the sticky or static methods. If you attempt to delete a secure MAC address that has been authenticated by 802.1X, the address remains secure.

If the MAC address of an authenticated host is secured by the sticky or static method, the device treats the address as if it were learned by the dynamic method, and you cannot delete the MAC address manually.

Port security integrates with 802.1X to reauthenticate hosts when the authenticated and secure MAC address of the host reaches its port security age limit.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_portsec.html#wp1258157
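Questions 5 and 8 describe the pieces but not the configuration, so here is an added example (not from the page, and not Cisco’s own text) of 802.1X and port security on the same Catalyst IOS access port, with RADIUS as the only possible EAP authentication server. The Question 8 text quotes the NX-OS guide; this example uses Catalyst IOS syntax because that is what the SWITCH exam lab uses. The server address and key, the interface and the VLAN number are assumed placeholders; older IOS images use “dot1x port-control auto” in place of “authentication port-control auto”.

```cisco
! Added example: 802.1X plus port security on a Catalyst IOS access port.
! 10.1.1.10, Radius-Key1, FastEthernet0/3 and VLAN 10 are assumed placeholders.
aaa new-model
radius-server host 10.1.1.10 auth-port 1812 acct-port 1813 key Radius-Key1
!
! Q5: 802.1X authentication can only use RADIUS. The switch is the
! authenticator; it relays EAP between the supplicant and the RADIUS server
! and never sees the credentials itself.
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 ! Authenticator role; the port forwards nothing but EAPOL until EAP succeeds.
 dot1x pae authenticator
 authentication port-control auto
 ! Single-host mode: port security learns the MAC of the authenticated host.
 authentication host-mode single-host
 ! Q8: port security on the same port. The authenticated MAC is secured as a
 ! dynamic entry; with maximum 1, any second MAC is a violation. "restrict"
 ! drops the offending frames and logs instead of err-disabling the port.
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 ! When the secure MAC ages out, the host is forced to reauthenticate.
 switchport port-security aging time 60
 switchport port-security aging type inactivity
```

Verification on the switch is “show authentication sessions interface FastEthernet0/3” for the 802.1X state and “show port-security interface FastEthernet0/3” for the secure MAC count; the authenticated MAC should appear in the second output with type Dynamic even if it was previously configured as sticky or static.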

Comments
  1. john
    April 20th, 2015

    Q2.

    aaa authentication login login radius local
    should be aaa authentication login login group radius local

    right?

  2. XYZ
    April 20th, 2015

Yes, correct john.

  3. Tikitaka
    June 2nd, 2015

thank you John

  4. Saro
    June 5th, 2015

    Q2.

    @john and lofeezy

    I think you are right and none of the proposed answers is correct.

    One of these would be the right answer:

    aaa authentication login default group radius local
    aaa authentication login login group radius local

  5. Saro
    June 5th, 2015

    Actually only “aaa authentication login login group radius local” should be correct, because it is asking for a method named “login”, I missed that part.

  6. Rafi
    July 15th, 2015

So why is this not changed?

  7. McLuhan
    August 13th, 2015

    So where are the questions???

  8. Sam
    August 16th, 2015

Hey, where are the questions?? Only answers are there!!

  9. certprepare
    August 29th, 2015

    Because of copyrighted issues, certprepare had to remove all questions and answers. You can download them at http://www.mediafire.com/view/9mq20kx0mgam6k7/SWITCH_July_2015.pdf

  10. CORRECT…..
    October 3rd, 2015

    Dear Admin

    Q2…

There is no such command containing “login login radius” as shown in your correct answer below.

    B. (config)# aaa authentication login login radius local

    The CORRECT ANSWER is that there will be a group keyword before RADIUS as shown

    (config)# aaa authentication login login group radius local

PLEASE CORRECT IT.

  11. Tom
    October 9th, 2015

    aaa authentication login login group radius local is valid
The first “login” is the authentication type.
The second “login” is the auth list name; it just happens to be called login, and could be changed if desired.

  12. alb
    October 20th, 2015

    @Tom I think the point they’re trying to raise is the omission of the keyword ‘group’ and not having a consecutive ‘login’ listed. The official cert guide is not explicitly clear on the general command syntax…

  13. poomsa
    November 2nd, 2015

Does anyone have the AAA lab in Packet Tracer?

  14. Hennery
    November 9th, 2015

Does anyone have time to write the questions too? There are only answers.
Whoever is running the site might be looking to get some money; if yes, please say it clearly.

  15. Pekpek
    November 29th, 2015

    Hello guys!

    I took the exam yesterday and I passed with a score of 937 out of 1000.

    Layer 2 Technology : 93%
Infrastructure Security : 100%
    Infrastructure Services : 100%

Right before I clicked “end exam”, I thought I got a perfect score. I don’t know how they grade the exam but I’m sure of all of my answers because I studied hard for real! Anyway, the good thing is I passed.

    The dumps here are all still valid. Honestly, what you can see here are all in the exam. My labs are LACP STP, AAA, HSRP Hotspot, Vtp V3.

    Let me share what I experienced:

1. For all the labs, no “copy run start” or “write” commands, but the config still saves. Make sure to check your config with “sh run” all the time.

2. On AAA, I put the exact commands in here, but make sure to check the RADIUS server host IP and key. You cannot add VLANs nor do “sh vlan”, but it’s not required.

3. On LACP, the range command is working. Use this format: “interface range fa0/3 – 4”. Make sure to check your VLANs, trunking, EtherChannel bundling, STP and VTP mode on both switches. I did not put default gateways on both switches because they are already in the running config. To test, just ping the default gateway, which is the router with the IP address 192.168.1.1.

    Study dumps from galvin, JvD and the labs here from Cert prepare.

    However, I highly suggest to read the Cisco Press and watch CBT nuggets tutorials because you can not be called a Network Engineer if you just rely on dumps.

It’s easy to get CCNP but it’s hard TO BE a CCNP!

Thanks for sharing your experiences here and thanks Certprepare.

    GOODLUCK PEOPLE!!! Spread the LOVE and PEACE on earth! :)

  16. Sailormoon
    December 1st, 2015

    @Pekpek Congrats Can you share the galvin dumps?

  17. Mitchels
    December 22nd, 2015

Now the exam is changed; I did it on 21 Dec and most of the questions are changed.

  18. Anonymous
    January 11th, 2016

    @mitchels: What are the new questions.

  19. Paul
    January 31st, 2016

May I ask for dumps? The reviewers I got have lots of things and I couldn’t really focus on the coverage of the exam. paulreyna@hotmail.com.. thanks in advance guys

  20. wmohammad
    March 5th, 2016

    Hi guys,
I have scheduled my exam for next Wednesday, 09/03.
I got the “SWITCH_July_2015” dump.
Is this the latest dump?

  21. chrisroed
    May 10th, 2016

    DLS2(config)#do sh run
    Building configuration…

    Current configuration : 5998 bytes
    !
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname DLS2
    !
    boot-start-marker
    boot-end-marker
    !
    !
    username chrisroed privilege 15 secret 5 $1$DNMx$rmN5mv0u9Y3xTwo29sWib0
    !
    !
    aaa new-model
    !
    !
    !
    !
    !
    aaa session-id common
    system mtu routing 1500
    ip routing
    !
    !

    DLS2(config)#aaa authentication login login radius local
    DLS2(config)#do sh run
    Building configuration…

    Current configuration : 6048 bytes
    !
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname DLS2
    !
    boot-start-marker
    boot-end-marker
    !
    !
    username chrisroed privilege 15 secret 5 $1$DNMx$rmN5mv0u9Y3xTwo29sWib0
    !
    !
    aaa new-model
    !
    !
    aaa authentication login login group radius local
    !
    !
    !
    aaa session-id common
    system mtu routing 1500

This clearly shows that using the command “aaa authentication login login radius local” does in fact work and automatically adds the keyword ‘group’. I guess it’s yet another of Cisco’s ‘hidden’ commands, possibly from older versions of IOS.

  22. Josh
    May 14th, 2016
  23. jani
    May 22nd, 2016

    @josh, Could you please send the pdf to me on the email: jv_jani @hotmail.com

    Thanks!

  24. @w@klo99
    June 10th, 2016

Hi guys. Does anyone have CCNP SWITCH PDF dumps? I’m planning to take the exam. Here’s my email {email not allowed}

  25. Mohamed haleem
    June 27th, 2016

Passed yesterday with 953. 191q is still valid. Labs are: multiple choice > HSRP, configuration > AAA, LACP, drag and drop LLDP/CDP. For more info you can contact my WhatsApp +249912299136 or Facebook @mohamed.haleem136. Glad to help and provide dumps & support, just don’t be shy.

  26. gold1986
    July 15th, 2016

Hi guys,
I have the SWITCH exam tomorrow
and I want to know which labs come in the exam. Please help me and God help you.

  27. Anonymous
    July 25th, 2016

I would appreciate it if someone could email me the 191q. My email is ftheodore1 at yahoo.com

  28. CCNPSwitch
    July 29th, 2016

Hi mohamed haleem. Please can you share the 191q? I have the CCNP SWITCH exam on Aug 6th.
It will be really very helpful if you can share the 191q. I can give my email id if you can mail me the dumps.

  29. examgeek
    September 22nd, 2016

Please send the latest dump to rafalebsa at yahoo dot com.
Exam planned tomorrow. Dump 191 QA 300-115 exam.

  30. mike
    October 12th, 2016

Could anyone please share the AAA lab in Packet Tracer?

    Thanks..

  31. Lucky
    November 17th, 2016

    Hey guys, I just wrote now in USA. I Passed 300-115 with 92%. This dumps http://www.testmayor.com/300-115-test.html is valid but a few answers are wrong. Although I don’t expect to pass with a full score, right? If your aim is just to pass the exam, only by memorizing the dumps is enough. But if you want to master skills, you really need to practice more.

  32. rava
    December 3rd, 2016

Having this error while trying to configure dot1x on a physical port:

    ASW1(config)#interface fastEthernet 0/3
    ASW1(config-if)#dot&
    ASW1(config-if)#dot1
    ASW1(config-if)#dot1x ?
    % Unrecognized command
    ASW1(config-if)#dot1x

How do I make it work please? I’m trying to configure port-based authentication on a 3560 switch.

  33. rava
    December 3rd, 2016

    solved

  34. Anna
    December 13th, 2016

I passed the written Cisco Routing and LAN Switching 646-057 exam by scoring 95%. Most of the questions are from the http://www.grades4sure.com/646-057-exam-questions.html dumps, though the sequences of choices are changed, so it is better to understand the concepts beforehand and go through the dumps so that you will not be surprised in the exam.

  35. jane woken
    May 15th, 2017

    hi guys,
could someone please send me the latest dumps, please, please, please. My email address is jane_woken52 @ yahoo.com . It will be a big help.
