CCSP SECUR FAQ: Authentication Proxy and the Cisco IOS Firewall

Q1. Authentication proxy enables administrators to restrict access to resources ______.
A. by IP address of the source.
B. by the IP address of the destination.
C. on a per-user basis.
D. by limiting groups to a specific resource.
E. on a cache-limit basis.

Answer: C

Q2. Authentication proxy is not a transparent service because ______.
A. it only works with HTTP.
B. it requires the user to input a username and password.
C. it can block access to the requested resource.
D. it can only be configured to allow outbound access.
E. it only works with JavaScript.

Answer: B

Q3. How is authentication proxy triggered?
A. By an HTTP request to the firewall
B. By an FTP request to the destination
C. By an HTTP request to the AAA server
D. By an HTTP request to the destination
E. By a telnet request to the firewall

Answer: D

Q4. Authentication proxy first became available with what version of the Cisco IOS Software?
A. 11.3
B. 12.0.2.J
C. 12.0.5.T
D. 12.1(2)
E. 12.2

Answer: C

Q5. What configuration mode should you be in on the Cisco IOS firewall to configure AAA?
A. EXEC mode
B. Interface configuration mode
C. AAA configuration mode
D. Global configuration mode
E. Remote configuration mode

Answer: D

Q6. What command enables AAA on the Cisco IOS firewall?
A. aaa new-model
B. aaa-server
C. auth-proxy
D. aaa authentication
E. config aaa

Answer: A

Q7. What command shows the Cisco IOS firewall host name on the login page?
A. aaa banner
B. ip auth-proxy auth-proxy-banner
C. show hostname
D. ip auth-proxy login banner
E. None of the above

Answer: B

Q8. What are the two authentication protocols supported by the CSACS and used for authentication proxy? (Choose two.)

Answer: B, E

Q9. Where do you add the authentication proxy as a new service on the CSACS? (Choose two.)
A. Network configuration window
B. Administration Control window
C. Protocol configuration window
D. Interface configuration window
E. TACACS Services window

Answer: D, E

Q10. What happens if the user has previously authenticated and that authentication has not timed out?

Answer: The user is not prompted to authenticate.

Q11. If you are using NAT with authentication proxy, what other feature must you also use?

Answer: CBAC

Q12. What are the three steps for configuring authentication proxy on the Cisco IOS firewall?

Answer: Configure AAA, configure the HTTP server, and configure the authentication proxy.

Q13. True or False: The host name is required on the HTTP login page to ensure that users log in to the correct firewall?

Answer: False. The ip auth-proxy auth-proxy-banner command is disabled by default.

Q14. What are the three steps for configuring TACACS+ on the CSACS?

Answer: Network configuration, interface configuration, and group setup.

Q15. Where is the Cisco IOS firewall configured on the CSACS?

Answer: On the Network Configuration window, listed under AAA Clients.

Q16. Where are dynamic ACLs configured on the CSACS for RADIUS?

Answer: On the Group Setup window, under Cisco IOS/PIX RADIUS Attributes.

Q17. What must be running on the client browser to ensure secure login?

Answer: JavaScript

Q18. What happens if you attempt authentication proxy using SSL?

Answer: Nothing. Authentication proxy only works over port 80.

Q19. How many AAA servers can you match with a single Cisco IOS firewall for authentication proxy?

Answer: One. Authentication proxy does not support load balancing.

