CCNP Security FAQ: Implement Wired and Wireless Authentication
Q1. When configuring a Cisco switch for 802.1X, at which level of the configuration do the 802.1X-related commands exist?
a. Global configuration only.
b. Interface configuration only.
c. Both at global configuration level as well as per interface.
d. Enabling 802.1X changes the context to a dot1x subconfiguration mode, where all related commands are entered.
Q2. When configuring a Cisco Wireless LAN Controller (WLC) for communication with ISE, what must be configured for the wireless LAN (WLAN)? (Choose two.)
a. The authentication and authorization RADIUS servers can be pointed to different ISE PSNs,
as long as those PSNs are part of a node group.
b. The authentication and authorization RADIUS servers can be pointed to the same ISE PSN.
c. The WLAN must be configured for SNMP NAC.
d. The WLAN must be configured for RADIUS NAC.
Q3. True or False? Cisco switches should be configured in production to send syslog messages to the ISE MNT node.
art of the authentication reports. However, this should be configured only when performing active troubleshooting or during an initial pilot/PoC.
Q4. What is the purpose of adding a user with the username radius- test password password command?
a. The switch can send periodic RADIUS Access-Requests to the AAA servers to verify whether they are still alive. The username and password will be used for that test.
b. The username and password are used for the local RADIUS server available in the switch, which is used in WAN down scenarios.
c. The username and password are used for the supplicant’s outer identity to authenticate against the switch local user database.
d. Without the local username and password in the configuration, an administrator can be locked out of the switch when the RADIUS server is unavailable.
Q5. True or False? 802.1X can be configured on all switch interfaces, including Layer-3 interfaces.
Q6. Which of the following technologies enables an administrator to maintain the same configuration on all access ports, on all switches, regardless of the type of device connecting to the network?
Q7. Which host mode will permit a virtually unlimited number of endpoints per port, allowing all subsequent MAC addresses to share the authorization result of the first endpoint authorized?
a. Single Mode
Q8. Which interface-level command is the equivalent of “turn authentication on”?
a. authentication port-control auto
b. dot1x system-auth-control
c. ip device-tracking
d. aaa server radius dynamic-author
Q9. Which command on a Cisco switch will display the current status of the AAA server(s)?
a. show authentication servers
b. show radius servers
c. show aaa servers
d. show ise servers
Q10. Which command will validate that authentications are being attempted, which authentications are successful, and which authorization results have been assigned?
a. show authentication method dot1x
b. show aaa servers
c. show authentication statistics
d. show authentication session interface <interface>