CCNP Security FAQ: Non-802.1X Authentications
Figure: Web authentication.
Q1. True or False? To allow endpoints without configured supplicants to connect to a network where IEEE 802.1X has been enabled, the administrator must disable 802.1X on the endpoints’ switch port.
a. True
b. False
Q2. Which of the following is true?
a. With nonauthenticating endpoints, the authenticator takes over the EAP communication instead of the endpoint.
b. With nonauthenticating endpoints, the authenticator can be configured to send the MAC address of the endpoint to the authentication server in a RADIUS Access-Request message.
c. The endpoint’s supplicant uses RADIUS to communicate the endpoint’s MAC address to the authentication server.
d. The authenticator can use TACACS+ to send the endpoint’s MAC address to the authentication server.
Q3. Which of the following is an accurate statement when using MAC authentication bypass (MAB)?
a. An administrator is limited in the types of authorization results that can be sent and is restricted to a simple Permit-All or Deny-All result.
b. An administrator can assign all authorization results, except for VLAN assignment.
c. An administrator can assign all authorization results, except for security group tags (SGTs).
d. An administrator is not limited in the types of authorization results that can be sent, which can include dACL, VLAN Assignment, SGT, and others.
Q4. True or False? With centralized web authentication (CWA), ISE sends the username and password to the authenticator.
a. True
b. False
Q5. Which of the following accurately describes local web authentication (LWA)?
a. With LWA, the authenticator redirects the end user’s web traffic to a centralized portal hosted on the authentication server, which is then returned to the local device (authenticator).
b. With LWA, the authenticator hosts a local web portal, which is coded to send an HTTP POST to the authentication server containing the credentials of the end user. The authentication server returns an HTTP POST with the Access-Accept or Access-Reject.
c. With LWA, the authenticator receives the credentials from the end user through a locally hosted web portal, and it is the authenticator that sends the credentials to the authentication server through a RADIUS Access-Request.
d. With LWA, the authenticator receives the credentials from the end user through a locally hosted web portal, and the authenticator sends the credentials to the authentication server through a TACACS+ Access-Request.
Q6. Which of the following lists are non-802.1X authentications?
a. WebAuth, MAB, RA VPN
b. Remote Access, WebAuth, EAP-MSCHAPv2
c. PAP, LWA, RA VPN
d. WebAuth, EAP-GTC, HTTP POST
Q7. True or False? Cisco recommends changing the VLAN for a guest user after that visitor has authenticated through Web Authentication to put that guest user into an isolated “guest network.”
a. True
b. False
Q8. Which non-802.1X authentication method uses specialized authorization results to connect a user’s credentials to a MAB session?
a. Remote access
b. Local web authentication with a centralized portal
c. Centralized web authentication (CWA)
d. Local web authentication
Q9. What is one of the main reasons that MAB is used in modern-day networks?
a. Most endpoints, such as printers and IP phones, do not have supplicants and therefore cannot use 802.1X.
b. The endpoints can have a supplicant, but the enablement and configuration of that supplicant could be overcomplicated or operationally difficult for the company. Therefore, the company opts to use MAB instead.
c. The endpoints mostly do have supplicants, but those are not compatible with Cisco networks.
d. MAB is as secure as 802.1X and therefore is often chosen to save the company the operational difficulties of configuring the supplicants on such disparate endpoints.
Q10. True or False? Web authentication can be used for guest users as well as internal employees.
a. True
b. False