CCNP Security FAQ: Deploying Safely
Q1. What is Monitor Mode?
a. Using the authentication open interface configuration command on 802.1X-enabled interfaces
b. A setting in ISE to record actions but not take them
c. A method for identifying which device would have failed authentication and correcting the root cause prior to it taking effect
d. A method for alerting the administrator of failed authentications, so the end user may be called and manually granted network access
Q2. What is Low-Impact Mode?
a. One of the two end states of authentication that limits access but still uses the authentication open interface configuration command
b. One of the two end states of authentication that limits access but is less secure than closed mode
c. A method to ensure authentications occur, but the authorizations are ignored, so as not to cause a denial of service
d. A method for identifying which device would have failed authentication and correcting the root cause prior to it taking effect
Q3. What is the primary benefit of a phased deployment approach?
a. It allows an endpoint to go through multiple phases of authentication prior to gaining network access, including dual-factor authentication.
b. It permits you to use Cisco proprietary technology and therefore increase Cisco’s stock value.
c. It enables additional security protocols to extend authentications, such as the use of smart cards.
d. To ensure that a port, switch, or location is fully ready to be successful before enabling enforcement and specific authorization results.
Q4. True or False? The authentication open command performs EAP authentications but ignores authorization results.
Q5. True or False? The authentication open command allows all traffic to pass through the switch port before the authentication result is received from the AAA server.
Q6. What is the ISE configuration that will allow different groups of authentication and authorization policies?
a. Policy groupings
b. Policy sets
c. Service selection rules
d. Service sets
Q7. Where is Monitor Mode configured for wireless LANs?
a. It is configured on the WLC, under the security properties for the WLAN.
b. It is configured in the Wireless Monitor Mode policy set within ISE.
c. It is configured in ISE by enabling wireless monitor mode under the system settings.
d. Monitor Mode is not possible with wireless LANs.
Q8. Using policy sets as described in this chapter, how would a switch be transitioned from Monitor Mode to one of the end state modes?
a. Move the NAD from the Monitor Mode NDG to the final state NDG.
b. Remove the authentication open command from the switch interface.
c. Enter the low-impact or closed keyword for the radius server definition in the switch.
d. Enable enforcement mode on the client supplicants.
Q9. True or False? A wired port must have a single configuration that supports authenticating supplicants, guests, and nonauthenticating devices.
Q10. Which of the modes is most closely related to the default of 802.1X?
a. Closed Mode
b. Monitor Mode
c. Low-Impact Mode
d. Cisco Enhanced Security Mode