CCNP Security FAQ: Fundamentals of AAA

CCNP Security FAQ: Fundamentals of AAA

Figure: Device administration.

Q1. Which of the following best describes the difference between authentication and authorization?
a. There is no difference between authentication and authorization.
b. Authorization determines what a user may do, whereas an authentication determines what devices the user can interact with.
c. Authentication is used with both network access and device administration, whereas authorization applies only to device administration.
d. Authentication validates the user’s identity, whereas authorization determines what that user is permitted to do.

Answer: D. Simply put, authentication is the validation of the identity credentials. Authorization is the determination of what is allowed or disallowed based on those credentials.

Q2. Which of the following are types of AAA as related to the topics of this exam? (Select two.)
a. Device administration
b. Device access
c. A division of minor league baseball
d. Network access
e. Network administration

Answer: A, D. The two forms of authentication, authorization, and accounting that are relevant to the SISAS exam are network access and device administration.

Q3. Which of the following protocols is best suited for granular command-level control with device administration AAA?

Answer: B. TACACS+ is best suited for granular command-level control due to its ability to separate authentication and authorization.

Q4. Which of the following protocols is best suited for authenticating and authorizing a user for network access AAA?
d. MS-CHAPv2

Answer: C. RADIUS is best suited for network access AAA due to its capability to work with numerous authentication protocols, such as CHAP and MS-CHAPv2, but more importantly the dependency on RADIUS for 802.1X authenticationsand the enhancements to RADIUS for change of authorization.

Q5. True or False? RADIUS can be used for device administration AAA.
a. True
b. False

Answer: A. Both TACACS+ and RADIUS can be used to provide device administration AAA services; however, TACACS+ offers command-level authorization and RADIUS does not.

Q6. Which of the following Cisco products should be used for device administration with TACACS+?
a. Cisco Secure Access Control Server (ACS)
b. Cisco Identity Services Engine
c. Cisco TACACS+ Control Server (TCS)
d. Cisco Centri

Answer: A. Cisco ACS supports both RADIUS and TACACS+ and command sets, while Cisco ISE version 1.2 supports only RADIUS.

Q7. Why is RADIUS or TACACS+ needed? Why can’t the end user authenticate directly to the authentication server?
a. The added level of complexity helps Cisco and other vendors to sell more products.
b. Because the names sound so cool.
c. RADIUS and TACACS+ are used between the end user and the authentication server.
d. Both RADIUS and TACACS+ extend the Layer-2 authentication protocols, allowing the end user to communicate with an authentication server that is not Layer-2 adjacent.

Answer: D. The majority of the authentication protocols used (EAP, CHAP, MS-CHAPv2, PAP) are Layer-2 protocols meant to be topology independent. RADIUS and TACACS+ are used to connect the end user to the authentication server, even when they are not on the same LAN segment.

Q8. Which of the following are TACACS+ messages sent from the AAA client to the AAA server? (Select all that apply.)

Answer: A. TACACS+ clients send only two message types: START and CONTINUE. REPLY is sent from the AAA server to the AAA client.

Q9. When using RADIUS, what tells the AAA server which type of action is being authenticated?
a. The TACACS+ service.
b. The Service-Type field.
c. RADIUS does not distinguish between different services.
d. The action AV-pair.

Answer: B. The Service-Type value tells the RADIUS server what is being performed. For example, service-type of Call-Check informs the AAA server that the client is performing a MAB request.

Q10. Which of the following best describes an AV-pair?
a. When communicating with an AAA protocol, the AV-pair stipulates a common attribute or object and its assigned value.
b. Cisco likes to throw in terms to confuse the reader.
c. The AV-pair is used to choose either TACACS+ or RADIUS.
d. The AV-pair is used to specify the quality of service (QoS) for audio and video traffic.

Answer: A. The RADIUS server may be assigning an attribute to the authentication session, like a VLAN, for example. The VLAN place holder is the attribute, and the actual assigned VLAN number is the value for that place holder, as a pair.

About the author

James Palmer

Leave a Comment