CCNP Security FAQ: Introduction to AAA Advanced Concepts

Q1. A RADIUS change of authorization enables an authentication server to do which of the following?
a. Escalate an administrative user’s access level within the server’s administration portal
b. Grant context appropriate network access after initial access has previously been granted
c. Gain root-level access of all network devices
d. Take over the world

Answer: B. A RADIUS CoA allows an authentication server to trigger a reauthorization. This provides an opportunity for the server to update a user’s level of network access as the server learns additional information about an endpoint, such as endpoint posture information.

Q2. Three possible options for change of authorization actions are which of the following?
a. IKEv1, IKEv2, SSL
b. HTTP, FTP, Telnet
c. No COA, Port Bounce, Reauth
d. User mode, privileged mode, configuration mode

Answer: C. In a situation where a CoA is warranted, an authentication server can perform a number of actions: No COA (that is, do nothing), Port Bounce (i.e. shut/no shut the relevant access “port”), or Reauth (that is, force the endpoint to reauthenticate in cases where multiple endpoints are present on a single access medium.). Supported CoA actions can vary depending on the selected authentication server.

Q3. MAC Authentication Bypass is a process by which a device does which of the following?
a. Bypasses all authentication and authorization processes by using a supplicant
b. Authenticates with an X.509 certificate to establish a secure tunnel with the network
c. Authenticates without a 802.1X supplicant on the endpoint by using its MAC address as the RADIUS identity
d. Hides its MAC address from being discovered on the network

Answer: C. Those devices that don’t have an 802.1X supplicant available use MAC Authentication Bypass. Without the supplicant, the device does not recognize EAP messages and, therefore, EAP authentication techniques are NOT available. In the absence of EAP, the device will use its MAC address as its unique identifier to authenticate to the network.

Figure: MAC address.

Q4. A MAC address is six octets in length, of which the first three octets are which of the following?
a. A duplicate of the IP address subnet in hexadecimal format
b. Always the same across all network devices
c. Assigned dynamically upon connection to the network
d. An organizationally unique identifier (OUI) that indicates the device’s vendor
e. All F’s—that is, FF:FF:FF

Answer: D. The first three octets of a MAC address are the organizationally unique identifier (OUI). This OUI indicates which vendor manufactured the device. This can be useful, at times, to also indicate the function of the device—for instance, an IP phone or printer.

Q5. Which devices often lack an 802.1X supplicant?
a. Printers
b. Laptops
c. Cell phones
d. All of the above

Answer: A. Often, the “dumb” network devices are those that lack 802.1X supplicants. From this list, a printer would be the most common device to lack 802.1X support. Other examples would include an IP phone, IP cameras, and badge readers, amongst others.

Q6. Prior to MAB, a switchport with a non-802.1x client would be configured without 802.1x. This presented issues because of which of the following?
a. A broadcast storm would be created as the endpoint device was plugged into the interface.
b. A non-802.1x client would still not be able to gain network access.
c. A rogue user could unplug the non-802.1x endpoint and gain unauthorized access to the network.
d. Rebooting the device would cause the switchport to go into error disable.

Answer: C. Prior to MAB, there wasn’t a mechanism to authenticate a device based strictly on the device’s MAC address. For this reason, the switchport would be configured without port security or any level of end user or device authentication. This would allow any device, either the intended device or an unintended rogue device that was plugged into that switchport, to have unfettered access to the network.

Q7. Posture assessment can check for which of the following?
a. File conditions including existence, date, and/or version
b. Registry condition, whether a registry entry is or is not present, on Windows-based endpoints
c. Service condition, whether a service is or is not running, on Windows-based endpoints
d. A and B
e. B and C
f. A, B, and C

Answer: A, B, C. Via posture checking, the endpoint can be checked for file conditions (existence, date, and/or version), registry conditions (whether a registry entry is or is not present), and service condition (whether a service is or is not running), so all of the above are correct. posture checking also can confirm the presence, absence, and status of antivirus and antispyware programs running on the endpoint.

Q8. When configuring authorization policy based on posture assessment outcome, which of the following values are available for the PostureStatus attribute?
a. Permit, Deny, Drop
b. Compliant, NonCompliant, Unchecked
c. Internet Only, Partial Access, Full Access
d. Compliant, NonCompliant, Unknown
e. AntiVirusNotPresent, AntiVirusNeedsUpdate, AntiVirusCurrent

Answer: D. When using posture assessment as a condition for authorization policy, the values of the PostureStatus condition can be Compliant, NonCompliant, or Unknown. Different levels of network access and/or remediation can be authorized based on the status of this variable.

Q9. To remediate noncompliant endpoints, a redirect ACL must be defined _____ and the web redirection must be destined to ______ portal on the authentication server.
a. as a dACL, remediation
b. on the switch, remediation
c. as a dACL, profiling mitigation
d. on the switch, profiling mitigation
e. as a dACL, authentication DMZ
f. on the switch, authentication DMZ

Answer: B. To remediate a noncompliant endpoint, a redirect ACL must be defined on the switch and the redirect destination must be set to remediation portal.

Q10. A mobile device manager is which of the following?
a. A network administrator responsible for onboarding all mobile devices into the authentication server
b. An application that runs on a mobile device, allowing the user or endpoint to manage the authentication server and other network devices
c. A wireless access point that detects rogue mobile endpoints
d. A software system or service that provides advanced posture assessment for mobile endpoints

Answer: D. A mobile device manager is a software system or service that provides advanced posture assessment for mobile endpoints. The MDM can determine the type of mobile device, the level of operating system on the endpoint, the presence/absence of PIN lock, and whether encryption is being used, as well as provide remote security services such as device lock and secure wipe. Depending on the MDM vendor chosen, additional services also might be available.

More Resources

About the author

James Palmer

Leave a Comment