CCNP Security FAQ: Web Authentication
Q1. Before a Cisco switch will generate a self-signed certificate, which configuration is required?
a. The internal CA must be enabled.
b. An IPv6 address.
c. A Cisco switch cannot generate a self-signed certificate.
d. A domain name.
Q2. True or False? The URL redirection ACL can be downloaded from ISE to the NAD.
a. True
b. False
Q3. Which of the following settings is required for a WLAN to support CWA on the Cisco WLC?
a. SNMP NAC
b. Layer-3 Authentication
c. RADIUS NAC
d. Fast Transition
Q4. For wired and wireless MAB, which option must be configured for unknown identities?
a. Drop
b. Continue
c. Reject
d. Pass
Q5. Which of the following rule types need to be created for CWA? (Choose two.)
a. A WebAuth authentication rule must be created for the authentication through the web portal.
b. An authorization rule must be created that redirects the user to the CWA portal.
c. An authentication rule must be created that permits access to users who have successfully authorized through the CWA portal.
d. An authorization rule must be created that permits access to users who have successfully authenticated through the CWA portal.
e. A WebAuth authentication rule must be created that redirects the end user to the CWA portal.
Q6. Which of the following capabilities exists for MyDevices portals in ISE 1.2 but not the DeviceRegistration portal?
a. MyDevices provides a portal for the end user to manage his endpoints.
b. MyDevices provides the ability to automatically populate the MAC address of the endpoint.
c. MyDevices did not exist in ISE version 1.2.
d. MyDevices is linked to the MDM and has the knowledge of which device belongs to a user.
Q7. True or False? CWA and DRW use the same RADIUS attributes; the difference is in the actual URL sent down to the NAD.
a. True
b. False
Q8. Which command on the NAD will display information about the URL-redirected session, including the MAC address, IP address, dACL, URL-redirect ACL, and the URL to which the end user is being redirected?
a. show epm redirection
b. show authentication sessions
c. show epm authentication | include redirection
d. show authentication session interface [interface-name]
Q9. Which of the following locations within the ISE GUI should you examine to validate that CWA is working? (Choose the best answer.)
a. Policy > Policy Elements > Results > Authorization
b. Operations > Authentications
c. Policy > Policy Elements > Results > Authentication
d. Operations > Results
Q10. Which of the following statements most accurately describes the use of change of authorization (CoA) in relation to CWA?
a. The CoA-Reauth causes the NAD to reauthenticate the endpoint within the same session, and ISE is then able to tie the MAB and CWA authentications together.
b. The CoA sends a packet of disconnect (PoD) to the NAD, which starts a new session based on the web credentials.
c. The CoA-Reauth causes the NAD to reauthenticate the endpoint, which starts a new session based on the web credentials.
d. The CoA sends a packet of disconnect (PoD) to the NAD. ISE is then able to tie the original MAB session to the new web-authenticated session by correlating the MAC addresses from both authentication sessions.