CCNP Security FAQ : Configuration of AAA on the Cisco Security Appliance

Q1. What is the best way to authenticate an H.323 connection?
A. Authenticate to the H.323 server
B. Telnet to the H.323 server
C. Virtual Telnet to the PIX Firewall for authentication
D. Virtual HTTP to the Cisco Secure ACS for authentication

Answer: C

Q2. What three services are used to authenticate by default in the Cisco Security Appliance?
A. FTP, HTTP, HTTPS
B. FTP, Telnet, SSH
C. Auth-proxy, Local-auth, console
D. FTP, HTTPS, Telnet
E. None of these answers are correct

Answer: E

Q3. Which options are mandatory in every aaa authentication command on the PIX Firewall? (Select all that apply.)
A. include/exclude
B. inbound/outbound
C. local-ip/mask
D. group-tag
E. acl-name

Answer: A, B, D

Q4. How do you configure client IP address assignment on the Cisco Secure ACS when using the Security Appliance as the AAA client?
A. Edit the AAA-client IP address in the System Configuration window.
B. Edit the AAA-client information in the Network Configuration window.
C. Edit the AAA Server information in the Interface Configuration window.
D. Edit the Security Appliance information in the Network Configuration window.
E. None of these answers are correct.

Answer: B

Q5. Why is it a good idea to rename your groups in Cisco Secure ACS?
A. To get the groups into a hierarchical format.
B. To increase the performance of the Cisco Secure ACS.
C. To simplify administration of users and groups.
D. You cannot rename groups after they have been created.
E. None of these answers are correct.

Answer: C

Q6. You are trying to create downloadable IP ACLs in Cisco Secure ACS, but the option is not available. What are two possible reasons?
A. You are running an older version of Cisco Secure ACS that does not support downloadable ACLs.
B. The Security Appliance cannot connect to the Cisco Secure ACS.
C. Your authentication protocol is not RADIUS.
D. You do not have User-Level or Group-Level Downloadable ACLs selected in the Interface Configuration window, Advanced Options pane.

Answer: C, D

Q7. Where do you see the logs on the Cisco Secure ACS?
A. Interface Configuration window
B. Reports and Activity window
C. Network Configuration window
D. System Configuration window

Answer: B

Q8. You are installing Cisco Secure ACS on your new Windows 2000 Professional, but you cannot get it to load correctly. What is most likely the problem?
A. Cisco Secure ACS requires server software.
B. Your patch level is not up to date.
C. You are running a personal firewall or host-based IDS that is blocking the installation.
D. You do not have administrative privileges on that system.
E. All of these answers are correct.

Answer: A

Q9. Cisco Secure ACS comes with its own online documentation.
A. True
B. False

Answer: A

Q10. The show aaa command shows you everything that has to do with your AAA server in its configuration.
A. True
B. False

Answer: B

Q11. What happens to virtual HTTP if you disable timeout uauth absolute?
A. The user cannot authenticate.
B. The user authenticates and never has to reauthenticate because the connection stays open.
C. The user can authenticate but cannot connect to the server.
D. None of these answers are correct.

Answer: C

Q12. Both your Cisco Security Appliance and your Cisco Secure ACS are configured for TACACS+, but you cannot configure the downloadable Security Appliance ACLs. What is the problem?

Answer: Downloadable ACLs are supported only by RADIUS.

Q13. What is the command to get authorization to work with access lists?

Answer: The command to get authorization to work with access lists is aaa authorization match acl-name if-name server-tag.

Q14. What Cisco Secure ACS window is used to configure the Security Appliance, and what is the firewall considered?

Answer: The Security Appliance is configured as an AAA client in the Network Configuration window.

Q15. How do you put text messages into the logon prompt for a Telnet session?

Answer: You use the auth-prompt command to put text messages into the logon prompt for a Telnet session.

Q16. What three messages can you change with the auth-prompt command?

Answer: You can change the prompt, accept, and reject messages with the auth-prompt command.

Q17. If your timeout uauth is set to 0:58:00, when is the user prompted to reauthenticate after the session times out?

Answer: By default, timeout uauth absolute does not prompt the user to reauthenticate until they start a new connection after the uauth timer has expired.

Q18. What two formats can logs be written to using the Cisco Secure ACS?

Answer: Logs are written to either the CSV or ODBC formats.

Q19. You have added a new RSA SecurID Token Server to the network. In which two places do you configure the Cisco Secure ACS to use it?

Answer: The RSA SecurID Token Server must be configured as an external user database, and you must select it for password authentication in the User Setup window.

Q20. What commands are most commonly used to check your AAA configuration on the Security Appliance?

Answer: The show aaa or show aaa-server commands are most commonly used to check the AAA configuration on the Security Appliance.

Q21. What is the total number of AAA servers to which the Security Appliance can connect?

Answer: The total number of AAA servers that the Security Appliance can connect to is 196 (14 groups, each group containing a maximum of 14 servers).

Q22. How do you disable caching of user authentication?

Answer: You use the timeout uauth 0 command to disable caching of user authentication.

About the author

Scott