AAA Questions 3

November 16th, 2018 in SWITCH 300-115

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Explanation

The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory services play an important role in the development of intranet and Internet applications because they allow information about users, systems, networks, services, and applications to be shared throughout the network.

On Cisco IOS headends, the “memberOf” AD attribute is mapped to the Authentication, Authorization, and Accounting (AAA) attribute supplicant-group.

Reference: https://www.cisco.com/c/en/us/support/docs/security/ios-sslvpn/118695-config-sslvpn-00.html

Question 8

Explanation

To configure the network access server to recognize and use vendor-specific attributes, use the radius-server vsa send command in global configuration mode. The additional “authentication” keyword limits the set of recognized vendor-specific attributes to only authentication attributes.
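Vendor-specific attributes travel in RADIUS attribute type 26 (RFC 2865): a 4-byte vendor enterprise number followed by vendor sub-attributes. The Python parser below is an added example, not code from the original page or from Cisco; it decodes that layout and rejects malformed lengths. The function names and the sample bytes are constructed for illustration, and it assumes the sub-attribute format that RFC 2865 recommends.

```python
import struct

VENDOR_SPECIFIC = 26   # RFC 2865 attribute type that carries VSAs
CISCO_VENDOR_ID = 9    # Cisco's IANA enterprise number
CISCO_AVPAIR = 1       # Cisco vendor type 1 = cisco-avpair

def parse_attributes(buf):
    """Split a type/length/value attribute section into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = buf[i], buf[i + 1]
        # Length includes the 2-byte header; below 2 or past the buffer is malformed.
        if a_len < 2 or i + a_len > len(buf):
            raise ValueError("bad attribute length")
        attrs.append((a_type, buf[i + 2:i + a_len]))
        i += a_len
    return attrs

def parse_vsa(value):
    """Decode one attribute-26 value into (vendor_id, [(vendor_type, data), ...])."""
    if len(value) < 4:
        raise ValueError("VSA shorter than Vendor-Id field")
    (vendor_id,) = struct.unpack("!I", value[:4])
    # Sub-attributes reuse the same type/length/value layout (assumption stated above).
    return vendor_id, parse_attributes(value[4:])

def cisco_avpairs(buf):
    """Return the cisco-avpair strings found in an attribute section."""
    pairs = []
    for a_type, value in parse_attributes(buf):
        if a_type != VENDOR_SPECIFIC:
            continue
        vendor_id, subs = parse_vsa(value)
        if vendor_id == CISCO_VENDOR_ID:
            pairs += [d.decode("ascii") for t, d in subs if t == CISCO_AVPAIR]
    return pairs

def build_vsa(vendor_id, vendor_type, data):
    """Helper that encodes one VSA, used only to construct the sample input."""
    sub = bytes([vendor_type, len(data) + 2]) + data
    return bytes([VENDOR_SPECIFIC, len(sub) + 6]) + struct.pack("!I", vendor_id) + sub

# Constructed sample: User-Name (type 1) followed by one Cisco VSA.
SAMPLE = bytes([1, 7]) + b"alice" + build_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, b"shell:priv-lvl=15")

if __name__ == "__main__":
    print(cisco_avpairs(SAMPLE))
```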

Question 9

Question 10

Question 11

Explanation

With TACACS+, authentication, authorization and accounting are separated, while with RADIUS, authentication and authorization are combined in one function.

Question 12 (maybe same question as Q.9 https://www.certprepare.com/aaa-questions-2)

Explanation

Authentication with a remote security database:

You must first populate the remote security database with user profiles for each remote user who might log in. You must also configure the network access server (or other network equipment) to interoperate with the remote security database for AAA services. The AAA process with a remote security database is as follows:

1. User establishes a PPP connection with the network access server.
2. The network access server prompts the user for the username and password, and the user responds.
3. The network access server passes the username and password to the security server.
4. The remote security database authenticates and authorizes the user to access the network. The database in effect configures the network access server with authentication parameters by downloading commands and activating access lists in the network access server.
5. The network access server compiles accounting records as specified in the remote security database and sends the records to the security server. The security server may also compile accounting records.

Reference: http://www.ciscopress.com/articles/article.asp?p=25471&seqNum=6

Comments
  1. MM
    June 27th, 2019

    Q8 Answer D. radius-server vsa send authentication is incorrect I think, Cisco configuration guide says D is for vendor specific attributes and “authentication” keyword limits that to authentication attributes. The radius-server host non-standard command enables you to identify that the RADIUS server is using a vendor-proprietary implementation of RADIUS. Although an IETF draft standard for RADIUS specifies a method for communicating information between the network access server and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. This command enables the Cisco IOS software to support the most common vendor-proprietary RADIUS attributes. Vendor-proprietary attributes will not be supported unless you use the radius-server host non-standard command.

    I think the answer is C. radius-server host non-standard, Cisco configuration Guide says:

    The radius-server host non-standard command enables you to identify that the RADIUS server is using a vendor-proprietary implementation of RADIUS. Although an IETF draft standard for RADIUS specifies a method for communicating information between the network access server and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. This command enables the Cisco IOS software to support the most common vendor-proprietary RADIUS attributes. Vendor-proprietary attributes will not be supported unless you use the radius-server host non-standard command.

    Source: https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/srfrad.html#wp1017757

  2. Anonymous
    June 28th, 2019

    Question 8 talks about using Vendor-Specific RADIUS Attributes, not about Vendor-Proprietary RADIUS Server Communication.

    ftp://ftp.media.it/router/radius/scradius.pdf

  3. Efiko
    September 27th, 2019

    Q8. I agree with MM’s answer (C)

    Key difference in the information below is “radius-server host non-standard” command relates to “Vendor-proprietary attributes”, whereas “radius-server vsa send” command relates to “vendor-specific attributes”.

    The radius-server host non-standard command enables you to identify that the RADIUS server is using a vendor-proprietary implementation of RADIUS. Although an IETF draft standard for RADIUS specifies a method for communicating information between the network access server and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. This command enables the Cisco IOS software to support the most common vendor-proprietary RADIUS attributes. Vendor-proprietary attributes will not be supported unless you use the radius-server host non-standard command

    The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the network access server and the RADIUS server by using the vendor-specific attribute (attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their own extended attributes not suitable for general use. The radius-server vsa send command enables the network access server to recognize and use both accounting and authentication vendor-specific attributes. Use the accounting keyword with the radius-server vsa send command to limit the set of recognized vendor-specific attributes to just accounting attributes. Use the authentication keyword with the radius-server vsa send command to limit the set of recognized vendor-specific attributes to just authentication attributes.

    Source: https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/srfrad.html#wp1017757

  4. C grade
    October 21st, 2019

    Just passed today
    sims: LACP WITH STP sim, hsrp, vtpv3
    I did not get DND.

    Remember seeing these 2 questions
    goto
    https://www.certprepare.com/aaa-questions-3
    Q7 Which AAA authorization method uses a vendor-neutral directory information protocol?

    Q9 Which three features of AAA with RADIUS are true? (Choose three)

    Cannot remember much, hope it helps.
