Security Questions 2
Here you will find answers to Security Questions – Part 2
Question 1
A network administrator wants to configure 802.1x port-based authentication, however, the client workstation is not 802.1x compliant. What is the only supported authentication server that can be used?
A. TACACS with LEAP extensions
B. TACACS+
C. RADIUS with EAP extensions
D. LDAP
Answer: C
Explanation
For 802.1x port-based authentication, the Remote Authentication Dial-In User Service (RADIUS) security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server; it is available in Cisco Secure Access Control Server version 3.0. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
Question 2
When creating a network security solution, which two pieces of information should you have obtained previously to assist in designing the solution? (Choose two)
A. a list of existing network applications currently in use on the network
B. network audit results to uncover any potential security holes
C. a planned Layer 2 design solution
D. a proof-of-concept plan
E. device configuration templates
Answer: A B
Question 3
What action should you be prepared to take when verifying a security solution?
A. having alternative addressing and VLAN schemes
B. having a rollback plan in case of unwanted or unexpected results
C. running a test script against all possible security threats to insure that the solution will mitigate all potential threats
D. isolating and testing each security domain individually to insure that the security design will meet overall requirements when placed into production as an entire system
Answer: B
Question 4
You are tasked with designing a security solution for your network. What information should be gathered before you design the solution?
A. IP addressing design plans, so that the network can be appropriately segmented to mitigate potential network threats
B. a list of the customer requirements
C. detailed security device specifications
D. results from pilot network testing
Answer: B
Question 5
| Sw2#show running-config –output omitted– aaa new-model aaa authentication dot1x default group radius dot1x system-auth-control –output omitted– interface fastethernet 0/6 dot1x port-control auto |
Refer to the exhibit. Which statement is true about the show running-config output?
A. Sw2 is configured for switch-based authentication using RADIUS
B. Interface FastEthernet0/6 is configured with a SmartPort macro using RADIUS
C. Interface FastEthernet0/6 is configured for 802.1X Authenticated Trunking Protocol (ATP)
D. Interface FastEthernet0/6 is configured for port-based traffic control
E. Interface FastEthernet0/6 is configured for port-based authentication
Answer: E
Explanation
The command “dot1x port-control auto” enables authentication on a port. For more information about configuring 802.1X Port-Based Authentication please read http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_11_yj4/configuration/guide/lrescg/Sw8021x.html.
Question 6
In the use of 802.1x access control, which three protocols are allowed through the switch port before authentication takes place? (Select three)
A. STP
B. CDP
C. EAPMD5
D. TACACS+
E. EAP-over-LAN
F. Protocols not filtered by an ACL
Answer: A B E
Explanation
The IEEE 802.1x standard defines a client-server-based access control and authentication protocol that prevents unauthorized clients from connecting to a LAN through publicly accessible ports unless they are properly authenticated. The authentication server authenticates each client connected to a switch port before making available any services offered by the switch or the LAN. Until the client is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass
through the port.
Question 7
You are implementing basic switch security best practices. Which of these is a tactic that you can use to mitigate compromises from being launched through the switch?
A. Make all ports private VLAN ports
B. Place all unused ports in native VLAN 1 until needed
C. Proactively configure unused switch ports as access ports
D. Disable Cisco Discovery Protocol
Answer: C
Explanation
“Disable Cisco Discovery Protocol” is also a good way to mitigate compromises but configure all unused switch ports as access ports is the best choice.
