CCNP Security FAQ: Authorization Policies



Figure: Default authorization policy

Q1. What is an authorization profile?
a. An authorization profile is a rule in the policy table that is formatted like “IF condition THEN result.”
b. An authorization profile is created to determine which identity store to validate the credentials with.
c. An authorization profile is a sequential list of identity stores to validate the credentials with.
d. An authorization profile is the mandatory result of an authorization rule.

Answer: D. An authorization profile is the mandatory result of an authorization rule, and it is made up of one or more RADIUS attributes. Those attributes define the security policy that the NAD enforces on behalf of the endpoint (VLAN, dACL, redirect, and so on).

Q2. What is the purpose of an authorization profile?
a. It contains the TACACS+ response (Access-Accept or Access-Reject) along with the additional authorization attributes to be sent to the network device for enforcement.
b. It contains the RADIUS response (Access-Accept or Access-Reject) along with the additional authorization attributes to be sent to the network device for enforcement.
c. It contains the RADIUS response (Continue or Terminate) along with additional authorization attributes to be sent to the network device for enforcement.
d. It contains the TACACS+ response (Continue or Terminate) along with additional authorization attributes to be sent to the network device for enforcement.

Answer: B. It contains the RADIUS response (Access-Accept or Access-Reject) along with the additional authorization attributes to be sent to the network device for enforcement.

Q3. Which of the following options are part of the common tasks section of an authorization profile?
a. Access-Type (Continue or Terminate), DACL-Name, Web-Redirection, Auto Smart Port
b. Access-Type (Accept or Reject), DACL-Name, Web-Redirection, Auto Smart Port
c. DACL-Name, Role-Assignment, Local WebAuth, Auto Smart Port
d. DACL-Name, Web-Redirection, Local WebAuth, Auto Smart Port

Answer: D. DACL-Name, Web-Redirection, Local WebAuth, Auto Smart Port. The common tasks section (these four and the others listed there) covers the RADIUS AV pairs most frequently sent to the NAD to enforce policy on the endpoint.

Q4. Which of the following is correct?
a. An authorization policy contains authorization rules. Each rule will have at least one authorization profile.
b. An authorization rule contains authorization policies. Each policy will have at least one authorization profile.
c. An authentication policy contains authorization rules. Each rule must have an authentication result.
d. An authentication rule contains the authorization profiles. Each profile must contain one authentication result.

Answer: A. An authorization policy contains authorization rules. Each rule will have at least one authorization profile.

Q5. True or False? Condition attributes can be saved into a library for future use and improved readability.
a. True
b. False

Answer: A. True. Condition attributes can be saved into a library for future use and improved readability.

Q6. What is special about the authorization profile required for an IP phone?
a. It contains the DNS name or IP address of the Cisco Call Manager Server.
b. It contains the voice domain permission AV pair, which authorizes the endpoint to access the voice VLAN assigned to the interface.
c. It contains the value for DHCP option 43, which provides the IP address of the Cisco Call Manager Server.
d. It contains the voice domain permission macro, which reconfigures the switch port to be a voice interface.

Answer: B. It contains the voice domain permission AV pair (cisco-av-pair = device-traffic-class=voice), which authorizes the endpoint onto the voice VLAN already configured on the switch port. The AV pair does not itself assign the VLAN; if no voice VLAN is configured on the interface, the permission has nothing to grant.

Q7. What is the difference between a simple condition and compound condition?
a. Simple conditions are easier to use than compound conditions.
b. Simple conditions are created on-the-fly within the expression builder, while compound conditions must be created separately.
c. Simple conditions contain only one attribute. Compound conditions contain multiple attributes along with an operator such as AND or OR.
d. Simple conditions and compound conditions can each contain multiple attributes, but compound conditions can mix operators such as AND or OR.

Answer: C. Simple conditions contain only one attribute. Compound conditions contain multiple attributes along with an operator such as AND or OR.

Q8. True or False? A compound condition can contain a mixture of simple conditions and raw attributes.
a. True
b. False

Answer: A. A compound condition can contain a mixture of simple conditions (saved attribute/operator/value entries from the library) and raw attributes written directly into the expression.
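The relationship described in Q4 through Q8 (a policy is an ordered list of rules, each rule has a condition and at least one profile, conditions are simple or compound, and compounds may mix library entries with raw attributes) can be shown as a small first-match evaluator. This is an added example written for this FAQ, not ISE code; the attribute names follow ISE's Dictionary:Attribute convention, but the library entries, the policy and the session attributes are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, Union

# Constructed example: the library, the policy and the sessions below are not exported
# from an ISE node. Attribute names use ISE's "Dictionary:Attribute" style.


@dataclass(frozen=True)
class Simple:
    """A simple condition: exactly one attribute, one operator, one value."""
    attribute: str
    operator: str          # EQUALS, NOT_EQUALS, CONTAINS, STARTS_WITH
    value: str

    def evaluate(self, session: dict) -> bool:
        actual = session.get(self.attribute)
        if actual is None:              # an attribute absent from the session never matches
            return False
        return {
            "EQUALS": actual == self.value,
            "NOT_EQUALS": actual != self.value,
            "CONTAINS": self.value in actual,
            "STARTS_WITH": actual.startswith(self.value),
        }[self.operator]


@dataclass(frozen=True)
class Compound:
    """A compound condition: members joined by AND or OR. A member may be a saved simple
    condition from the library, a raw attribute check written inline, or another compound."""
    operator: str                       # "AND" or "OR"
    members: Tuple[Union["Simple", "Compound"], ...]

    def evaluate(self, session: dict) -> bool:
        results = [m.evaluate(session) for m in self.members]
        return all(results) if self.operator == "AND" else any(results)


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Optional[Union[Simple, Compound]]   # None marks the default (catch-all) rule
    profiles: Tuple[str, ...]                      # every rule carries at least one profile

    def __post_init__(self):
        if not self.profiles:
            raise ValueError(f"rule {self.name!r} needs at least one authorization profile")


# Library of saved conditions, modelled on ISE's built-in Wired_MAB / Wired_802.1X compounds.
LIBRARY = {
    "Wired_MAB": Compound("AND", (
        Simple("Radius:Service-Type", "EQUALS", "Call Check"),
        Simple("Radius:NAS-Port-Type", "EQUALS", "Ethernet"))),
    "Wired_802.1X": Compound("AND", (
        Simple("Radius:Service-Type", "EQUALS", "Framed"),
        Simple("Radius:NAS-Port-Type", "EQUALS", "Ethernet"))),
}

# The authorization policy: an ordered list of rules, first match wins, default rule last.
POLICY = [
    Rule("Profiled Cisco IP Phones",
         Compound("AND", (LIBRARY["Wired_MAB"],                                     # saved compound
                          Simple("EndPoints:LogicalProfile", "EQUALS", "IP-Phones"))),  # raw attribute
         ("Cisco_IP_Phones",)),
    Rule("Employees",
         Compound("AND", (LIBRARY["Wired_802.1X"],
                          Simple("AD:ExternalGroups", "CONTAINS", "Employees"))),
         ("Employee_Access",)),
    Rule("Default", None, ("DenyAccess",)),
]


def authorize(policy, session: dict):
    """Walk the rules top-down and return (rule name, profiles) of the first one that matches."""
    for rule in policy:
        if rule.condition is None or rule.condition.evaluate(session):
            return rule.name, rule.profiles
    raise RuntimeError("no default rule: an authorization policy must end in one")


if __name__ == "__main__":
    phone = {"Radius:Service-Type": "Call Check", "Radius:NAS-Port-Type": "Ethernet",
             "EndPoints:LogicalProfile": "IP-Phones"}
    print(authorize(POLICY, phone))
```

The default rule is deliberately DenyAccess here rather than a permit, in line with the least-privilege goal in Q9; a session that matches no explicit rule (for example a MAB session with no endpoint profile) therefore gets nothing.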

Q9. What should be the end goal of a Secure Access deployment?
a. To provide full access to the network, so security devices such as an ASA firewall can provide defense-in-depth
b. To provide full access to the network, as long as the authentication is successful, and provide limited access to any failed authentications
c. To secure the network by purchasing Cisco ISE, thereby increasing the stock value of the company
d. To provide very specific permissions to any authorization, providing defense-in-depth

Answer: D. To provide very specific permissions to any authorization, providing defense-in-depth while meeting the goals of the company’s security policy. A printer, for example, should not have unfettered access to the network; instead it should have only what is needed (such as reaching the print servers).

Q10. What is unique about Cisco’s downloadable Access Control Lists (dACLs)?
a. Cisco dACLs allow the RADIUS server to apply ACLs that exist on the switch simply by sending the name of the ACL in the RADIUS AV pairs, while non-Cisco network devices cannot apply ACLs.
b. Cisco downloadable ACLs are created by experts at Cisco and published to Cisco.com where Cisco ISE can download the ACLs.
c. Cisco dACLs are created entirely on the RADIUS server, and the full ACL is sent down to the network device within RADIUS AV pairs, while non-Cisco network devices must create the ACL on the individual local network device.
d. Cisco dACLs are unique because they are downloaded from ISE and applied to the Cisco ASA that is in the network path, relieving the network device from the burden of traffic control.

Answer: C. Cisco dACLs are created entirely on the RADIUS server, and the full ACL is sent down to the network device within RADIUS AV pairs, while non-Cisco network devices must create the ACL on the individual local network device. This lets the administrator create and maintain the access lists in one central place; an edited dACL reaches a switch at the endpoint's next authorization, which ISE can force with a RADIUS Change of Authorization (CoA). Note that the authorization profile itself carries only the dACL's name; the switch then downloads the ACL body from ISE in a follow-up RADIUS exchange before applying it to the port.
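Q2, Q3, Q6 and Q10 all come down to what actually travels in the RADIUS Access-Accept: an authorization profile's common tasks become cisco-av-pair values inside Vendor-Specific attributes, and a dACL is referenced by name and then fetched as ip:inacl# lines. The following is an added example, written for this FAQ rather than taken from ISE or Cisco IOS, that encodes such an Access-Accept, verifies it on the NAD side, and simulates the dACL download. The shared secret, the Request Authenticator, the dACL name suffix and the ACL body are constructed values.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types from RFC 2865; Cisco VSA numbers from the Cisco dictionary.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_VENDOR_SPECIFIC = 1, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1


def cisco_avpair(value: str) -> bytes:
    """Encode one cisco-av-pair as a Vendor-Specific attribute (type 26, vendor 9, sub-type 1)."""
    raw = value.encode()
    vendor_data = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, 2 + len(raw)) + raw
    if len(vendor_data) + 2 > 255:
        raise ValueError("attribute too long for the one-byte RADIUS length field")
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(vendor_data)) + vendor_data


def profile_to_avpairs(profile: dict) -> list:
    """Map common tasks of an authorization profile to the AV pair strings sent to the NAD."""
    pairs = []
    if profile.get("dacl_name"):
        # Only the dACL name is sent here; the switch fetches the ACL body separately (dacl_body).
        pairs.append(f"ACS:CiscoSecure-Defined-ACL={profile['dacl_name']}")
    if profile.get("voice_domain_permission"):
        pairs.append("device-traffic-class=voice")          # voice VLAN permission (Q6)
    if profile.get("web_redirect"):
        acl, url = profile["web_redirect"]
        pairs.append(f"url-redirect-acl={acl}")
        pairs.append(f"url-redirect={url}")
    if profile.get("auto_smart_port"):
        pairs.append(f"auto-smart-port={profile['auto_smart_port']}")
    return pairs


def build_response(code, identifier, request_authenticator, attributes, secret):
    """Assemble a RADIUS response. The Response Authenticator is MD5 over the header, the
    Request Authenticator, the attributes and the shared secret (RFC 2865, section 3)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    response_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + response_auth + body


def parse_response(packet, request_authenticator, secret):
    """NAD side: check the Response Authenticator, then pull out the cisco-av-pairs."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong secret or tampered packet")
    avpairs, pos = [], 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + attr_len]
        if attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor, sub_type, sub_len = struct.unpack("!IBB", value[:6])
            if vendor == CISCO_VENDOR_ID and sub_type == CISCO_AVPAIR and sub_len == len(value) - 4:
                avpairs.append(value[6:].decode())
        pos += attr_len
    return code, avpairs


# Constructed stand-in for the dACLs configured on the RADIUS server, keyed by the name sent above.
DACLS = {
    "#ACSACL#-IP-PRINTERS-0001": ["permit tcp any host 10.1.20.10 eq 9100", "deny ip any any"],
}


def dacl_body(dacl_name: str, dacl_table: dict):
    """Second exchange: the switch sends an Access-Request whose User-Name is the dACL name and
    receives the whole ACL as ip:inacl#<n>=<ace> pairs, one entry per line (Q10)."""
    if dacl_name not in dacl_table:
        return ACCESS_REJECT, []
    return ACCESS_ACCEPT, [f"ip:inacl#{n}={ace}" for n, ace in enumerate(dacl_table[dacl_name], 1)]


def demo(secret=b"constructed-shared-secret"):
    """Full flow for a printer profile: Access-Accept with a dACL name, then the dACL download."""
    request_auth = bytes(range(16))    # stands in for the NAD's random Request Authenticator
    profile = {"dacl_name": "#ACSACL#-IP-PRINTERS-0001", "voice_domain_permission": False}
    attrs = [cisco_avpair(p) for p in profile_to_avpairs(profile)]
    accept = build_response(ACCESS_ACCEPT, 7, request_auth, attrs, secret)
    code, pairs = parse_response(accept, request_auth, secret)
    name = next(p.split("=", 1)[1] for p in pairs if p.startswith("ACS:CiscoSecure-Defined-ACL="))
    _, aces = dacl_body(name, DACLS)
    return pairs, aces


if __name__ == "__main__":
    print(demo())
```

The printer profile matches the Q9 point: the endpoint gets an ACL that reaches the print server and nothing else, and that ACL lives on the server, so changing it does not require touching the switch configuration.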

About the author

James Palmer