CCNP Security FAQ: Deploying Guest Services

CCNP Security FAQ: Deploying Guest Services.

Figure: WebAuth process flow.

Q1. ISE Guest Services use which of the following approaches to authenticate a user?
a. Badge
b. WebAuth
d. SSH

Answer: B. When a guest connects to the network, they are given a web-redirect authorization policy. This web redirect will intercept any attempts to browse the Internet, forcing the guest user to a webpage where they will authenticate—that is, WebAuth.

Q2. The sponsor and guest portals can run on which of the following ISE personas?
a. Admin
b. MnT
c. PSN
d. a and b
e. a and c
f. b and c

Answer: C. The sponsor and guest portals can run on any PSN that has session services running.

Q3. True or False: A network administrator can customize the guest portals to run on any port greater than 1024.
a. True
b. False

Answer: B. Currently, the ISE guest portals can run only on those ports between 8000 and 8999.

Q4. Which default sponsor groups are available on ISE? (Select three.)
a. SponsorAllAccounts
b. SponsorADAccounts
c. SponsorAdministrator
d. SponsorGroupGrpAccounts
e. SponsorAllUsers
f. SponsorGroupOwnAccounts

Answer: A, D, F. The three default sponsor groups on ISE are SponsorAllAccounts, SponsorGroupGrpAccounts, and SponsorGroupOwnAccounts.

Q5. When using Active Directory group membership as authentication and authorization for sponsors, which of the following must occur?
a. ISE must be associated to the domain.
b. The sponsor must create all guest accounts on the Active Directory Server.
c. The Active Directory identity store must be part of the identity source sequence for the sponsor portal.
d. a and b.
e. b and c.
f. a and c.

Answer: F. To use Active Directory group membership as the source of authentication and authorization for sponsors, ISE must first be associated to the domain. Furthermore, the AD identity store must also be a part of the identity source sequence that is in use for the sponsor portal. If you choose, you can provide a differentiated level of guest account creation based on the AD group membership as will be demonstrated in this chapter.

Q6. Under the Operations tab of the portal configuration page, which of the following items can be configured?
a. Guest Device Registration
b. Allow or Require Guest to change password
c. Guest Self-Service
d. Acceptable Use Policy frequency
e. All of the above

Answer: E. The Operations tab of the portal configuration page allows a network administrator to define the security policy for the portal. This page outlines how often the guest will be prompted to accept the Acceptable Use Policy, whether a guest can or must change their given password, whether the guest can perform device registration, or whether a user can create their own guest account. A few additional options are also available on the portal configuration page.

Q7. What are the three configurable options for a sponsor group?
a. Authorization Levels, Guest Roles, Time Profiles
b. Access-List, VLAN, Security Group Tag
c. Switch, Router, Firewall
d. Centralized WebAuth, Network Supplicant Provisioning, Device Registration Webpage

Answer: A. Under the sponsor group, the three settings that are configurable are the Authorization Levels, Guest Roles, and Time Profiles. With Authorization levels, the network administrator can configure which functions a sponsor user can configure for his guest. The Guest Roles option allows the sponsor to create guest users for specific Guest Roles—possibly allowing a differentiated level of access for each role. The final option, Time Profiles, defines the length of time for the guest accounts that can be created by the sponsor.

Q8. Which of the following are options for provisioning guest accounts on Cisco ISE?
a. Guest, Contractor, Consultant
b. OneDay, OneWeek, OneMonth
c. Individual, Import, Random
d. Full, Basic, InternetOnly

Answer: C. From the sponsor portal, when you are creating guest accounts, you have three options— Individual, Import, and Random. The Individual option creates a single guest user account, Import allows you to create multiple accounts using a spreadsheet template, and Random allows you to create a number of random guest accounts. The level of access and the length of the account also are configurable.

Q9. Which security policy must be enabled on the Guest WLAN/SSID to facilitate WebAuth on a Cisco WLC?
a. WPA2 with 802.1X Key Management
b. WPA2 with 802.1X and CCKM Key Management
c. MAC Filtering and RADIUS NAC
d. Open

Answer: C. To trigger the WebAuth policy on Cisco ISE, the NAD must be using the MAB process. This MAB process, or RADIUS Service-Type of Call Check, is indicated by the security policy of MAC Filtering on the WLC. RADIUS NAC must also be configured as the NAC State on the Advanced tab of the SSID configuration.

Q10. To verify a guest user’s access policy on a Cisco switch, you should run which of the following commands?
a. show crypto ipsec sa
b. show aaa authorization <username> details
c. show authorization level guest interface <if_name>
d. show authentication sessions interface <if_name> details

Answer: D. The correct command to verify the level of access given to a guest user on a Cisco switch is show authentication sessions interface <if_name> details. This output will provide you with any ACLs or URL Redirects that have been deployed to the device from ISE.

About the author

James Palmer

Leave a Comment