CCNP Secure FAQ: Implementing and Configuring Advanced 802.1X
Q1. To provide per-user services, such as downloadable ACLs, which of the following must be deployed? (Select all that apply.)
A. User authentication
B. Machine authentication
C. Combination of user and machine authentication
D. One-time passwords
E. All of these answers are correct.
Q2. In EAP-TLS implementations, which kind of certificate is used to verify identity certificates?
A. The identity certificate belonging to each entity
B. Supplicant certificate
C. Certificate Authority (CA) certificate
D. SSL certificate
Q3. What identifies the hardware (computer), as opposed to the user identity, which identifies users who are logged in to the machine?
A. SNMP
B. Host name
C. CA certificate
D. User identity
E. Machine identity
Q4. Cisco IBNS components can dynamically assign what two features to increase security in the environment?
A. Physical tokens
B. Access control lists (ACLs)
C. Identity certificates
D. VLAN assignment
E. Kerberos ticket
Q5. If MAB is enabled, when will the switch try to authenticate the non-802.1X-capable client by using its MAC address?
A. As soon as the switch receives the first EAPOL frame.
B. After 802.1X authentication times out.
C. It will not authenticate non-802.1X-capable clients.
D. After the client sends an authentication request.
E. None of these answers are correct.
Q6. How can web authentication be verified?
A. Use show ip admission cache in the CLI.
B. Call the user and ask him.
C. In the Passed Authentication report in Cisco Secure ACS.
D. Consult the logs on the web server.
E. None of these answers are correct.
Q7. Which multihost authentication mode allows multiple hosts to forward traffic through a single port but does not require authentication after the first host authenticates?
A. Multidomain mode
B. Single-host mode
C. Multihost mode
D. Multi-auth mode
E. None of these answers are correct.
Q8. The default, fail-closed mode of the Cisco Catalyst IOS Software 802.1X authenticator can be changed by enabling which optional fail-open features?
A. Inaccessible Authentication Bypass feature
B. MAC Authentication Bypass
C. Open Authentication feature
D. Multi-auth mode
Q9. Which of the following will not work with 802.1X authentication by default? (Select all that apply.)
A. Wake-on-LAN (WOL)
B. Non-802.1X IP phones
C. Preboot Execution Environment (PXE)
D. None of these answers are correct.
Q10. The _____ and _____ do not both authenticate to the network at the same time. _____ authentication is only needed when the user logs off.
Q11. With the _____ optional EAP-TLS parameter, the TLS session keys are essentially cached, thus allowing faster reauthentication by not having to perform a full TLS handshake.
Q12. The _____ command can be used to choose a preferred authentication method over another.
Q13. When the user sends an _____ request to the web server, the switch intercepts the user’s HTTP session request and presents the user with a pop-up dialog box that has a username and password field.
Q14. Beginning with _____ of Cisco IOS Software, the dot1x host-mode command was replaced with the _____ command.
Q15. When configuring fail-open policies, label an interface as critical by using the _____ interface configuration command.
Q16. To handle Wake-on-LAN devices in an 802.1X environment, configure the interface as _____ by using the _____ interface command.
Q17. Use the _____ with _____ to authenticate non-802.1X IP phones based on their MAC addresses.