CCNP Secure FAQ Implementing and Configuring Advanced 802.1X


Q1. To provide per-user services, such as downloadable ACLs, which of the following must be deployed? (Select all that apply.)
A. User authentication
B. Machine authentication
C. Combination of user and machine authentication
D. One-time passwords
E. All of these answers are correct.

Answer: A and C

Q2. In EAP-TLS implementations, which kind of certificate is used to verify identity certificates?
A. The identity certificate belonging to each entity
B. Supplicant certificate
C. Certificate Authority (CA) certificate
D. SSL certificate

Answer: C

Q3. What identifies the hardware (computer), as opposed to the user identity, which identifies users who are logged in to the machine?
A. SNMP
B. Host name
C. CA certificate
D. User identity
E. Machine identity

Answer: E

Q4. Cisco IBNS components can dynamically assign what two features to increase security in the environment?
A. Physical tokens
B. Access control lists (ACLs)
C. Identity certificates
D. VLAN assignment
E. Kerberos ticket

Answer: B and D

Q5. If MAB is enabled, when will the switch try to authenticate the non-802.1X-capable client by using its MAC address?
A. As soon as the switch receives the first EAPOL frame.
B. After 802.1X authentication times out.
C. It will not authenticate non-802.1X-capable clients.
D. After the client sends an authentication request.
E. None of these answers are correct.

Answer: B

Q6. How can web authentication be verified?
A. Use show ip admission cache in the CLI.
B. Call the user and ask him.
C. In the Passed Authentication report in Cisco Secure ACS.
D. Consult the logs on the web server.
E. None of these answers are correct.

Answer: A and C

Q7. Which multihost authentication mode allows multiple hosts to forward traffic through a single port but does not require authentication after the first host authenticates?
A. Multidomain mode
B. Single-host mode
C. Multihost mode
D. Multi-auth mode
E. None of these answers are correct.

Answer: C

Q8. The default, fail-closed mode of the Cisco Catalyst IOS Software 802.1X authenticator can be changed by enabling which optional fail-open features?
A. Inaccessible Authentication Bypass feature
B. MAC Authentication Bypass
C. Open Authentication feature
D. Multi-auth mode

Answer: A and C

Q9. Which of the following will not work with 802.1X authentication by default? (Select all that apply.)
A. Wake-on-LAN (WOL)
B. Non-802.1X IP phones
C. Preboot Execution Environment (PXE)
D. None of these answers are correct.

Answer: A, B, and C

Q10. The _____ and _____ do not both authenticate to the network at the same time. _____ authentication is only needed when the user logs off.

Answer: machine, user, Machine

Q11. With the _____ optional EAP-TLS parameter, the TLS session keys are essentially cached, thus allowing faster reauthentication by not having to perform a full TLS handshake.

Answer: enable fast reconnect

Q12. The _____ command can be used to choose a preferred authentication method over another.

Answer: authentication priority

Q13. When the user sends an _____ request to the web server, the switch intercepts the user’s HTTP session request and presents the user with a pop-up dialog box that has a username and password field.

Answer: HTTP

Q14. Beginning with _____ of Cisco IOS Software, the dot1x host-mode command was replaced with the _____ command.

Answer: Release 12.2(33) SXI, authentication host-mode

Q15. When configuring fail-open policies, label an interface as critical by using the _____ interface configuration command.

Answer: authentication event server dead action authorize vlan

Q16. To handle Wake-on-LAN devices in an 802.1X environment, configure the interface as _____ by using the _____ interface command.

Answer: authentication control-direction in interface command

Q17. Use the _____ with _____ to authenticate non-802.1X IP phones based on their MAC addresses.

Answer: multidomain authentication, MAB

About the author

Scott
