
AAA Questions 3

November 16th, 2018 in SWITCH 300-115

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Explanation

LDAP is an open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory services play an important role in the development of intranet and Internet applications because they allow information about users, systems, networks, services, and applications to be shared throughout the network.

On Cisco IOS headends, the “memberOf” AD attribute is mapped to the Authentication, Authorization, and Accounting (AAA) attribute supplicant-group.

Reference: https://www.cisco.com/c/en/us/support/docs/security/ios-sslvpn/118695-config-sslvpn-00.html

Question 8

Explanation

To configure the network access server to recognize and use vendor-specific attributes, use the radius-server vsa send command in global configuration mode. With the additional “authentication” keyword, the set of recognized vendor-specific attributes is limited to authentication attributes only.

Question 9

Question 10

Question 11

Explanation

With TACACS+, authentication, authorization and accounting are separated, while with RADIUS authentication and authorization are combined in one function.

Question 12 (maybe same question as Q.9 https://www.certprepare.com/aaa-questions-2)

Explanation

Authentication with a remote security database:

You must first populate the remote security database with user profiles for each remote user who might log in. You must also configure the network access server (or other network equipment) to interoperate with the remote security database for AAA services. The AAA process with a remote security database is as follows:

1. The user establishes a PPP connection with the network access server.
2. The network access server prompts the user for the username and password, and the user responds.
3. The network access server passes the username and password to the security server.
4. The remote security database authenticates and authorizes the user to access the network. The database in effect configures the network access server with authentication parameters by downloading commands and activating access lists in the network access server.
5. The network access server compiles accounting records as specified in the remote security database and sends the records to the security server. The security server may also compile accounting records.

Reference: http://www.ciscopress.com/articles/article.asp?p=25471&seqNum=6
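The following is an added example, not code from the page or from Cisco, that works through steps 3 and 4 of the process above on the wire: the network access server (NAS) builds a RADIUS Access-Request with the username and the hidden User-Password, the security server authenticates the user and returns the authorization attributes in the same Access-Accept (the RADIUS behaviour contrasted with TACACS+ in Question 11), including a Cisco vendor-specific attribute of the kind the radius-server vsa send command in Question 8 enables. Packet layout, User-Password hiding and the Response Authenticator follow RFC 2865; Cisco's IANA enterprise number (9), the cisco-avpair vendor type (1) and Service-Type value 6 (Administrative-User) are real assignments. The shared secret, the user database, the NAS address and the avpair value are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 4, 6, 26
CISCO_VENDOR_ID = 9   # IANA enterprise number for Cisco
CISCO_AVPAIR = 1      # vendor type of the cisco-avpair VSA

# Constructed sample values (not from the page): shared secret and a test user.
SECRET = b"S3cr3t-shared"
USER_DB = {"alice": "alice-pass"}


def attr(atype: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (length includes the 2-byte header)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_vsa(avpair: str) -> bytes:
    """Vendor-Specific attribute (type 26): Vendor-Id, then a vendor TLV sub-attribute."""
    sub = struct.pack("!BB", CISCO_AVPAIR, len(avpair) + 2) + avpair.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def parse_attrs(data: bytes) -> list:
    """Split the attribute section into (type, value) pairs; VSAs are expanded to
    (26, vendor_id, vendor_type, value)."""
    out, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        value = data[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            out.append((atype, vendor_id, vtype, value[6:4 + vlen]))
        else:
            out.append((atype, value))
        i += alen
    return out


def hide_password(password: bytes, authenticator: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + Request Authenticator) / MD5(secret + previous cipher block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, authenticator: bytes, secret: bytes) -> bytes:
    """Inverse of hide_password (server side)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code: int, ident: int, req_auth: bytes, attrs: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + SECRET).digest()


def nas_build_access_request(username: str, password: str, ident: int = 1):
    """Step 3: the NAS forwards the credentials to the security server."""
    req_auth = os.urandom(16)  # fresh Request Authenticator per request
    attrs = attr(USER_NAME, username.encode())
    attrs += attr(USER_PASSWORD, hide_password(password.encode(), req_auth, SECRET))
    attrs += attr(NAS_IP_ADDRESS, bytes([192, 0, 2, 1]))  # constructed NAS address
    return packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def server_handle(req: bytes) -> bytes:
    """Step 4: authenticate, and return the authorization attributes in the same
    Access-Accept (RADIUS combines authentication and authorization)."""
    code, ident, length = struct.unpack("!BBH", req[:4])
    req_auth = req[4:20]
    fields = {a[0]: a[1] for a in parse_attrs(req[20:length]) if a[0] != VENDOR_SPECIFIC}
    user = fields[USER_NAME].decode()
    pwd = reveal_password(fields[USER_PASSWORD], req_auth, SECRET).decode()
    if USER_DB.get(user) == pwd:
        code = ACCESS_ACCEPT
        resp_attrs = attr(SERVICE_TYPE, struct.pack("!I", 6))  # 6 = Administrative-User
        resp_attrs += cisco_vsa("shell:priv-lvl=15")           # constructed authorization
    else:
        code, resp_attrs = ACCESS_REJECT, b""
    return packet(code, ident, response_authenticator(code, ident, req_auth, resp_attrs), resp_attrs)


def nas_verify_response(resp: bytes, req_auth: bytes):
    """The NAS checks the Response Authenticator before trusting any attribute."""
    code, ident, length = struct.unpack("!BBH", resp[:4])
    resp_attrs = resp[20:length]
    expected = response_authenticator(code, ident, req_auth, resp_attrs)
    if not hmac.compare_digest(expected, resp[4:20]):
        raise ValueError("bad Response Authenticator: reply not from a holder of the shared secret")
    return code == ACCESS_ACCEPT, parse_attrs(resp_attrs)


def authenticate(username: str, password: str):
    """Run one NAS <-> server exchange; returns (accepted, authorization attributes)."""
    req, req_auth = nas_build_access_request(username, password)
    return nas_verify_response(server_handle(req), req_auth)
```

Note that the only thing protecting the password in transit is the MD5-based hiding keyed by the shared secret, and the only thing tying the reply to the server is the Response Authenticator; this is why the NAS must verify that authenticator before acting on Service-Type or the VSA, and why a TACACS+ deployment, which encrypts the whole packet body and runs authorization as its own exchange, is usually preferred for device administration.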

Comments
  1. MM
    June 27th, 2019

    Q8 Answer D. radius-server vsa send authentication is incorrect I think, Cisco configuration guide says D is for vendor specific attributes and “authentication” keyword limits that to authentication attributes. The radius-server host non-standard command enables you to identify that the RADIUS server is using a vendor-proprietary implementation of RADIUS. Although an IETF draft standard for RADIUS specifies a method for communicating information between the network access server and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. This command enables the Cisco IOS software to support the most common vendor-proprietary RADIUS attributes. Vendor-proprietary attributes will not be supported unless you use the radius-server host non-standard command.

    I think the answer is C. radius-server host non-standard, Cisco configuration Guide says:

    The radius-server host non-standard command enables you to identify that the RADIUS server is using a vendor-proprietary implementation of RADIUS. Although an IETF draft standard for RADIUS specifies a method for communicating information between the network access server and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. This command enables the Cisco IOS software to support the most common vendor-proprietary RADIUS attributes. Vendor-proprietary attributes will not be supported unless you use the radius-server host non-standard command.

    Source: https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/srfrad.html#wp1017757

  2. Anonymous
    June 28th, 2019

    Question 8 talks about using Vendor-Specific RADIUS Attributes, not about Vendor-Proprietary RADIUS Server Communication.

    ftp://ftp.media.it/router/radius/scradius.pdf
