CCNP Security FAQ: Web Authentication

Figure: Web authentication.

Q1. Before a Cisco switch will generate a self-signed certificate, which configuration is required?
a. The internal CA must be enabled.
b. An IPv6 address.
c. A Cisco switch cannot generate a self-signed certificate.
d. A domain name.

Answer: D. The Cisco switch needs the HTTPS server enabled so it can redirect HTTPS traffic. Before that service can be enabled, the switch needs a certificate. One of the prerequisites is a hostname and a domain name, which together give the switch a fully qualified domain name (FQDN). This FQDN becomes the Subject Name of the self-signed certificate.

Q2. True or False? The URL redirection ACL can be downloaded from ISE to the NAD.
a. True
b. False

Answer: B. The traffic-filtering ACL can be downloaded from ISE as a dACL, but the redirection ACL must preexist on the switch and is called by reference using a RADIUS AV-pair. The AirespaceOS-based Cisco WLCs support only locally configured ACLs; therefore, all ACLs must be called by reference (that is, as named ACLs).

Q3. Which of the following settings is required for a WLAN to support CWA on the Cisco WLC?
a. SNMP NAC
b. Layer-3 Authentication
c. RADIUS NAC
d. Fast Transition

Answer: C. RADIUS NAC is a critical setting for the WLAN that enables URL redirection and the preRUN states. Without this setting, CWA is not possible.

Q4. For wired and wireless MAB, which option must be configured for unknown identities?
a. Drop
b. Continue
c. Reject
d. Pass

Answer: B. CWA is controlled by the Authorization Policy. Even an unknown MAC address needs to “continue” out of the Authentication Policy, so the appropriate response can be sent to the NAD, including the URL redirection to the portal.

Q5. Which of the following rule types need to be created for CWA? (Choose two.)
a. A WebAuth authentication rule must be created for the authentication through the web portal.
b. An authorization rule must be created that redirects the user to the CWA portal.
c. An authentication rule must be created that permits access to users who have successfully authorized through the CWA portal.
d. An authorization rule must be created that permits access to users who have successfully authenticated through the CWA portal.
e. A WebAuth authentication rule must be created that redirects the end user to the CWA portal.

Answer: B, D. The first rule should match when no more specific authorization rule applies and should redirect the user to the CWA portal. The second rule type should sit above the redirection rule and allow access to the user after she has successfully authenticated to the CWA portal. The authorization policy rules are read like an ACL, from the top down, and the first matching rule is applied.

Q6. Which of the following capabilities exists for MyDevices portals in ISE 1.2 but not the DeviceRegistration portal?
a. MyDevices provide a portal for the end user to manage his endpoints.
b. MyDevices provides the ability to automatically populate the MAC address of the endpoint.
c. MyDevices did not exist in ISE version 1.2.
d. MyDevices is linked to the MDM and has the knowledge of which device belongs to a user.

Answer: A. DRW is an older method but uses a base license only. It does not provide a portal for the end user to manage his endpoints. When the end user accepts the AUP, the device’s MAC address is automatically added to the configured Endpoint Identity Group.

Q7. True or False? CWA and DRW use the same RADIUS attributes; the difference is in the actual URL sent down to the NAD.
a. True
b. False

Answer: A. The same URL-Redirect and URL-Redirect-ACL AV pairs are sent to the Cisco NADs regardless of the redirection type. The URL will be different for each portal type. When building the authorization profile, the common tasks area will provide a drop-down to select the type of URL redirection being used and to change the URL accordingly.

Q8. Which command on the NAD will display information about the URL-redirected session, including the MAC address, IP address, dACL, URL-redirect ACL, and the URL to which the end user is being redirected?
a. show epm redirection
b. show authentication sessions
c. show epm authentication | include redirection
d. show authentication session interface [interface-name]

Answer: D. The show authentication sessions interface [interface-name] command is like the Swiss Army knife of show commands for authentication. In its output you see the MAC address, IP address, dACL (listed as an ACS ACL), URL-redirect ACL, and the URL to which the end user is being redirected.
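The switch-side pieces that Q1, Q2 and Q8 describe, shown together as an added Cisco IOS example that is not part of the original page. The hostname, domain name, ACL name, ISE address, interface and the illustrated AV-pair values are all assumed.

```cisco
! --- Q1: self-signed certificate prerequisites (global configuration) ---
! The certificate's Subject Name is the FQDN, so hostname and domain name
! must exist before the HTTPS server can be enabled (values assumed).
hostname SW1
ip domain-name lab.example.com
! Enabling the HTTP/HTTPS servers lets the switch redirect both http and
! https traffic; the HTTPS server generates the self-signed certificate.
ip http server
ip http secure-server
!
! --- Q2: the redirect ACL is NOT downloaded; it must preexist on the switch ---
! In a redirect ACL, deny = do not redirect (pass normally), permit = redirect.
! DNS and traffic to the ISE portal itself must never be redirected, or the
! client can neither resolve nor reach the portal (ISE address assumed).
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny   udp any any eq domain
 deny   ip any host 10.1.100.21
 permit tcp any any eq www
 permit tcp any any eq 443
!
! ISE names that ACL by reference in the RADIUS Access-Accept, alongside the
! portal URL. Illustrative AV-pairs (assumed values, ISE 1.2-style URL):
!   cisco-av-pair = url-redirect-acl=ACL-WEBAUTH-REDIRECT
!   cisco-av-pair = url-redirect=https://10.1.100.21:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
! The traffic-filtering dACL, by contrast, is pushed from ISE and appears in
! the session output as the "ACS ACL".
!
! --- Q8: verify the redirected session from privileged EXEC (interface assumed) ---
! SW1# show authentication sessions interface GigabitEthernet1/0/1
```

If the redirect ACL name in the AV-pair does not match an ACL that exists on the switch, the session will show the URL-redirect attributes but no redirection takes place, which is the first thing to check with the show command above.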

Q9. Which of the following locations within the ISE GUI should you examine to validate that CWA is working? (Choose the best answer.)
a. Policy > Policy Elements > Results > Authorization
b. Operations > Authentications
c. Policy > Policy Elements > Results > Authentication
d. Operations > Results

Answer: B. Cisco ISE has a phenomenally useful tool built into it, commonly called Live Log. Live Log provides a near-real-time view of all incoming authentications, changes of authorization (CoAs), and more.

Q10. Which of the following statements most accurately describes the use of change of authorization (CoA) in relation to CWA?
a. The CoA-Reauth causes the NAD to reauthenticate the endpoint within the same session, and ISE is then able to tie the MAB and CWA authentications together.
b. The CoA sends a packet of disconnect (PoD) to the NAD, which starts a new session based on the web credentials.
c. The CoA-Reauth causes the NAD to reauthenticate the endpoint, which starts a new session based on the web credentials.
d. The CoA sends a packet of disconnect (PoD) to the NAD. ISE is then able to tie the original MAB session to the new web-authenticated session by correlating the MAC addresses from both authentication sessions.

Answer: A. The CoA is a key function. Specifically, it is a CoA-Reauth and causes the switch to reauthenticate the endpoint without starting a new session. The switch sends another MAB request to ISE, which is able to tie the guest authentication from the centralized portal to the MAB request from the switch and assign the appropriate permission.

About the author

James Palmer