CCNP Security FAQ: Non-802.1X Authentications

Figure: Web authentication.

Q1. True or False? To allow endpoints without configured supplicants to connect to a network where IEEE 802.1X has been enabled, the administrator must disable 802.1X on the endpoints’ switch port.
a. True
b. False

Answer: B. The available options for nonauthenticating endpoints are MAC Authentication Bypass (MAB) and Web Authentication (WebAuth).

Q2. Which of the following is true?
a. With nonauthenticating endpoints, the authenticator takes over the EAP communication instead of the endpoint.
b. With nonauthenticating endpoints, the authenticator can be configured to send the MAC address of the endpoint to the authentication server in a RADIUS Access-Request message.
c. The endpoint’s supplicant uses RADIUS to communicate the endpoint’s MAC address to the authentication server.
d. The authenticator can use TACACS+ to send the endpoint’s MAC address to the authentication server.

Answer: B. With nonauthenticating endpoints, the authenticator (a switch, for example) can be configured to send the MAC address of the endpoint to the authentication server in a RADIUS Access-Request message. This process is known as MAC authentication bypass (MAB).

Q3. Which of the following is an accurate statement when using MAC authentication bypass (MAB)?
a. An administrator is limited in the types of authorization results that can be sent and is restricted to a simple Permit-All or Deny-All result.
b. An administrator can assign all authorization results, except for VLAN assignment.
c. An administrator can assign all authorization results, except for security group tags (SGTs).
d. An administrator is not limited in the types of authorization results that can be sent, which can include dACL, VLAN Assignment, SGT, and others.

Answer: D. With MAB, VLAN assignment is not recommended, but MAB itself does not limit the types of authorization results that can be returned.

Q4. True or False? With centralized web authentication (CWA), ISE sends the username and password to the authenticator.
a. True
b. False

Answer: B. With CWA, the authenticator only sees a MAB session; ISE maintains administrative control of the entire session and handles the user’s credentials itself.

Q5. Which of the following accurately describes local web authentication (LWA)?
a. With LWA, the authenticator redirects the end user’s web traffic to a centralized portal hosted on the authentication server, which is then returned to the local device (authenticator).
b. With LWA, the authenticator hosts a local web portal, which is coded to send an HTTP POST to the authentication server containing the credentials of the end user. The authentication server returns an HTTP POST with the Access-Accept or Access-Reject.
c. With LWA, the authenticator receives the credentials from the end user through a locally hosted web portal, and it is the authenticator that sends the credentials to the authentication server through a RADIUS Access-Request.
d. With LWA, the authenticator receives the credentials from the end user through a locally hosted web portal, and the authenticator sends the credentials to the authentication server through a TACACS+ Access-Request.

Answer: C. With LWA, the web portal is hosted within the authenticator. The end user enters her credentials into the web portal, and the authenticator sends those credentials inside a RADIUS Access-Request message to the authentication server. The authentication server returns the Access-Accept or Access-Reject along with the full authorization response.

Q6. Which of the following lists are non-802.1X authentications?
a. WebAuth, MAB, RA VPN
b. Remote Access, WebAuth, EAP-MSChapV2
c. PAP, LWA, RA VPN
d. WebAuth, EAP-GTC, HTTP POST

Answer: A. The three main non-802.1X authentication use cases are WebAuth (CWA and LWA), MAB, and Remote Access VPN (RA VPN).

Q7. True or False? Cisco recommends changing the VLAN for a guest user after that visitor has authenticated through Web Authentication to put that guest user into an isolated “guest network.”
a. True
b. False

Answer: B. When changing a VLAN assigned to an endpoint, that endpoint must know (somehow) to renew the DHCP address. The best solution is to not use VLAN changes on open networks because there is nothing on the client to detect the VLAN change and trigger the DHCP renewal.

Q8. Which non-802.1X authentication method uses specialized authorization results to connect a user’s credentials to a MAB session?
a. Remote access
b. Local web authentication with a centralized portal
c. Centralized web authentication (CWA)
d. Local web authentication

Answer: C. Centralized web authentication uses a web portal that is hosted on ISE to receive the user’s credentials. The authenticator sends a MAB request to ISE, and ISE responds with a RADIUS Access-Accept, a URL redirection, and often a dACL that limits access to the network. After the credentials are received through the web portal, ISE sends a change of authorization (CoA) to the authenticator, which causes a reauthentication. The reauthentication keeps the same session ID, so ISE is able to tie the user’s credentials to the MAB session and send the final authorization results for the end user.

Q9. What is one of the main reasons that MAB is used in modern-day networks?
a. Most endpoints, such as printers and IP phones, do not have supplicants and therefore cannot use 802.1X.
b. The endpoints can have a supplicant, but the enablement and configuration of that supplicant could be overcomplicated or operationally difficult for the company. Therefore, the company opts to use MAB instead.
c. The endpoints mostly do have supplicants, but those are not compatible with Cisco networks.
d. MAB is equally as secure as 802.1X and therefore is chosen often to save the company the operational difficulties of configuring the supplicants on such disparate endpoints.

Answer: B. There are many different “headless” endpoints in an organization, such as IP phones, IP cameras, printers, badge readers, IV pumps, medical imaging systems, and so many more. Some do not have supplicants. For those that do, the enablement and configuration of supplicants on the disparate endpoints could be overcomplicated or operationally difficult for the company. Many of the devices do not have a central management platform that is capable of configuring each supplicant across large numbers of devices deployed at scale. Therefore, MAB is chosen to provide network access to those headless devices.

Q10. True or False? Web authentication can be used for guest users as well as internal employees.
a. True
b. False

Answer: A. Web authentication is used for any interactive login when a supplicant is not available, and sometimes it is even used as second authentication after 802.1X.

About the author

James Palmer