CCNP Security FAQ: Deploying Safety

Figure: Phased deployments.

Q1. What is Monitor Mode?
a. Using the authentication open interface configuration command on 802.1X enabled interfaces
b. A setting in ISE to record actions but not take them
c. A method for identifying which device would have failed authentication and correcting the root cause prior to it taking effect
d. A method for alerting the administrator of failed authentications, so the end user may be called and manually granted network access

Answer: C. Monitor Mode is a process, not just a command on a switch. The process is to enable authentication (with authentication open), see exactly what devices fail and which ones succeed, and correct the failed authentications before they cause any problems.

Q2. What is Low-Impact Mode?
a. One of the two end states of authentication that limits access but still uses the authentication open interface configuration command
b. One of the two end states of authentication that limits access but is less secure than closed mode
c. A method to ensure authentications occur, but the authorizations are ignored, so as not to cause a denial of service
d. A method for identifying which device would have failed authentication and correcting the root cause prior to it taking effect

Answer: A. Low-Impact Mode uses authentication open, but adds security on top of the framework that was built in Monitor Mode. It uses a PACL on the switch port to permit critical traffic of certain endpoints, like thin-clients, to function prior to an attempted authentication. After the authentication, the authorization should provide specific access, unlike Monitor Mode, which is the same pre and post authentication.

Q3. What is the primary benefit of a phased deployment approach?
a. It allows an endpoint to go through multiple phases of authentication prior to gaining network access, including dual-factor authentication.
b. It permits you to use Cisco proprietary technology and therefore increase Cisco’s stock value.
c. It enables additional security protocols to extend authentications, such as the use of smart cards.
d. To ensure that a port, switch, or location is fully ready to be successful before enabling enforcement and specific authorization results.

Answer: D. By using a phased deployment approach, you are able to start off in Monitor Mode and gradually transition into the end state of either Low-Impact Mode or Closed Mode. By doing so, you can avoid the denial of service that can often happen with 802.1X deployments.

Q4. True or False? The authentication open command performs EAP authentications but ignores authorization results.
a. True
b. False

Answer: B. authentication open will ignore RADIUS Access-Reject responses, but all other authorization results will be honored and enforced.

Q5. True or False? authentication open allows all traffic to pass through the switch port before the authentication result is received from the AAA server.
a. True
b. False

Answer: A. authentication open allows traffic to flow with or without an authentication. When an authorization result is sent back from the authentication server, the switch will ignore RADIUS Access-Reject responses, but all other authorization results will be honored and enforced.

Q6. What is the ISE configuration that will allow different groups of authentication and authorization policies?
a. Policy groupings
b. Policy sets
c. Service selection rules
d. Service sets

Answer: B. Policy sets are groupings of authentication and authorization policies. The use of policy sets makes for a nice clean way to differentiate rules for each stage of the deployment.

Q7. Where is Monitor Mode configured for wireless LANs?
a. It is configured on the WLC, under the security properties for the WLAN.
b. It is configured in the Wireless Monitor Mode policy set within ISE.
c. It is configured in ISE by enabling wireless monitor mode under the system settings.
d. Monitor Mode is not possible with wireless LANs.

Answer: D. Wireless LANs cannot have a mixture of authentication and nonauthentication. The WLAN must either be using Wi-Fi Protected Access (which facilitates the 802.1X authentication) or will be open; it cannot be both.

Q8. Using policy sets as described in this chapter, how would a switch be transitioned from Monitor Mode to one of the end state modes?
a. Move the NAD from the Monitor Mode NDG to the final state NDG.
b. Remove the authentication open command from the switch interface.
c. Enter the low-impact or closed keyword for the radius server definition in the switch.
d. Enable enforcement mode on the client supplicants.

Answer: A. The NDG assignment of the NAD is used to determine which policy set ISE uses for the incoming authentications. To change the policy set being used, move the NAD from the Monitor Mode NDG to either the Low-Impact or Closed mode NDGs.

Q9. True or False? A wired port must have a single configuration that supports authenticating supplicants, guests, and nonauthenticating devices.
a. True
b. False

Answer: A. Wired clients do not get to pick their network; there is no SSID like there is for wireless. Therefore, all the various types of authentication mechanisms possible must work within a single port configuration. Without this, an admin would have to change the port configuration for each type of device that needs to access the network, which would be extremely operationally expensive.

Q10. Which of the modes is most closely related to the default of 802.1X?
a. Closed Mode
b. Monitor Mode
c. Low-Impact Mode
d. Cisco Enhanced Security Mode

Answer: A. Just like the default behavior of the original IEEE 802.1X, Closed Mode does not allow any traffic into the switch port until after a result has been received for the attempted authentication or a timeout occurs.

About the author

James Palmer
