CCNP Security FAQ: Implement Wired and Wireless Authentication

Figure: Flexible authentication.

Q1. When configuring a Cisco switch for 802.1X, at which level of the configuration do the 802.1X-related commands exist?
a. Global configuration only.
b. Interface configuration only.
c. Both at global configuration level as well as per interface.
d. Enabling 802.1X changes the context to a dot1x subconfiguration mode, where all related commands are entered.

Answer: C. 802.1X requires global-level configuration for the RADIUS servers, enabling 802.1X on the system itself, configuring change of authorization, and enabling VSAs, among other settings. Additionally, each interface that will perform authentication requires interface-level commands.

Q2. When configuring a Cisco Wireless LAN Controller (WLC) for communication with ISE, what must be configured for the wireless LAN (WLAN)? (Choose two.)
a. The authentication and authorization RADIUS servers can be pointed to different ISE PSNs, as long as those PSNs are part of a node group.
b. The authentication and authorization RADIUS servers can be pointed to the same ISE PSN.
c. The WLAN must be configured for SNMP NAC.
d. The WLAN must be configured for RADIUS NAC.

Answer: B, D. When interacting with an advanced RADIUS server, such as Cisco ISE, Cisco WLCs require that the same ISE PSN be configured as the authentication and accounting server for the WLAN. Additionally, RADIUS NAC must be enabled on the advanced tab of the WLAN configuration.

Q3. True or False? Cisco switches should be configured in production to send syslog messages to the ISE MNT node.
a. True
b. False

Answer: B. Cisco switches can be configured to send syslog to the MNT node, where the data will be correlated as part of the authentication reports. However, this should be configured only when performing active troubleshooting or during an initial pilot/PoC.

Q4. What is the purpose of adding a user with the username radius-test password password command?
a. The switch can send periodic RADIUS Access-Requests to the AAA servers to verify whether they are still alive. The username and password will be used for that test.
b. The username and password are used for the local RADIUS server available in the switch, which is used in WAN down scenarios.
c. The username and password are used for the supplicant’s outer identity to authenticate against the switch local user database.
d. Without the local username and password in the configuration, an administrator can be locked out of the switch when the RADIUS server is unavailable.

Answer: A. The switch will send periodic test authentication messages to the RADIUS server (Cisco ISE). It is looking for a RADIUS response from the server; either an Access-Accept or an Access-Reject will suffice. The username and password used by the automated test must exist in the configuration.

Q5. True or False? 802.1X can be configured on all switch interfaces, including Layer-3 interfaces.
a. True
b. False

Answer: B. Switch interfaces must be configured as Layer-2 access ports to run 802.1X (switchport).

Q6. Which of the following technologies enables an administrator to maintain the same configuration on all access ports, on all switches, regardless of the type of device connecting to the network?
a. AnyConnect
b. Multi-Auth
c. Flex-Auth
d. Flex-Connect

Answer: C. Flex-Auth allows a network administrator to set an authentication order and priority on the switchport, thereby allowing the port to attempt 802.1X, MAC authentication bypass, and then WebAuth in order. All of these functions are provided while maintaining the same configuration on all access ports, thereby providing a much simpler operational model for customers than traditional 802.1X deployments.

Q7. Which host mode will permit a virtually unlimited number of endpoints per port, allowing all subsequent MAC addresses to share the authorization result of the first endpoint authorized?
a. Single Mode
b. MDA
c. Multi-Auth
d. Multi-Host

Answer: D. Multi-Host mode is not commonly used but is still a valid option. Much like Multi-Auth mode, Multi-Host mode is an extension to MDA. There is one authentication on the voice domain and one authentication on the data domain. All other hosts on the data domain will be allowed onto the network using the first successful authentication. It’s an “authenticate one, allow the rest” type of model.

Q8. Which interface-level command is the equivalent of “turn authentication on”?
a. authentication port-control auto
b. dot1x system-auth-control
c. ip device-tracking
d. aaa server radius dynamic-author

Answer: A. The authentication port-control auto command will enable authentication on the port and allow the authorization result to be sent from the RADIUS server. Short answer: “Turn authentication on!”
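The IOS configuration below is an added illustration, not taken from this FAQ or from any Cisco document, that pulls together the global and interface-level pieces described in Q1, Q4, Q5, Q6, Q7 and Q8. The server name ISE-PSN-1, the 192.0.2.10 address, the shared secret, the test password and the VLAN numbers are placeholders; it assumes a classic IOS access switch (on newer IOS-XE releases the device-tracking syntax differs).

```cisco
! --- Global configuration (Q1): AAA methods, RADIUS server, CoA, VSAs ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! Local account used only by the automated RADIUS test probe (Q4)
username radius-test password 0 PLACEHOLDER-TEST-PASSWORD
!
! Placeholder PSN address and shared secret; automate-tester sends the
! periodic Access-Request that Q4 describes
radius server ISE-PSN-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SHARED-SECRET
 automate-tester username radius-test probe-on
!
! RADIUS Change of Authorization from ISE (Q1)
aaa server radius dynamic-author
 client 192.0.2.10 server-key PLACEHOLDER-SHARED-SECRET
!
radius-server vsa send authentication
radius-server vsa send accounting
dot1x system-auth-control
ip device tracking
!
! --- Interface configuration (Q5, Q6, Q7, Q8): identical on every access port ---
interface GigabitEthernet1/0/1
 description Flex-Auth access port
 ! 802.1X requires a Layer-2 access port (Q5)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! Host mode (Q7): multi-auth authenticates every MAC; "multi-host" would
 ! apply the first successful data-domain authorization to all other hosts
 authentication host-mode multi-auth
 ! Flex-Auth (Q6): attempt 802.1X first, then MAC authentication bypass
 authentication order dot1x mab
 authentication priority dot1x mab
 ! "Turn authentication on" (Q8)
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

Once applied, show aaa servers (Q9) confirms the switch sees ISE-PSN-1 as up, and show authentication sessions interface GigabitEthernet1/0/1 (Q10) lists each endpoint's MAC address, the method that succeeded, and the authorization result returned. Extending the order to include WebAuth, as Q6 describes, requires additional ip admission configuration that is not shown here.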

Q9. Which command on a Cisco switch will display the current status of the AAA server(s)?
a. show authentication servers
b. show radius servers
c. show aaa servers
d. show ise servers

Answer: C. The show aaa servers command is a quick and simple way to see the current status of the ISE server from the switch’s perspective.

Q10. Which command will validate that authentications are being attempted, which authentications are successful, and which authorization results have been assigned?
a. show authentication method dot1x
b. show aaa servers
c. show authentication statistics
d. show authentication session interface <interface>

Answer: D. The command will show that the authentications are being attempted, which are successful, which authorization results have been assigned, and much more. Some of the information that is quickly provided by this command output includes the endpoint’s MAC address, the authentication method used, any assigned redirect URL, Access Control Lists, and other RADIUS AVPs that are provided via the authentication and authorization process.

About the author

James Palmer
