Authentication Authorization & Accounting
Here you will find answers to Authentication Authorization & Accounting Questions
Question 1
How do you define the authentication method that will be used with AAA?
A. With a method list
B. With the method command
C. With the method aaa command
D. With a method statement
Answer: A
Explanation
A method list is a sequential list of authentication methods to query to authenticate a user. Method lists enable you to designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails.
When you first enable AAA, there is a default method list named default, which is automatically applied to all interfaces and lines but which has no authentication methods defined. To configure AAA authentication, you must first either define a list of authentication methods for the default method list, or configure your own named method lists and apply them to interfaces or lines. For flexibility, you can apply different method lists to different interfaces and lines. If an interface or line has a non-default method list applied to it, that list overrides the default method list for that interface or line.
(Reference: Implementing Cisco IOS Network Security – Self Study)
Question 2
What is the objective of the aaa authentication login console-in local command?
A. It specifies the login authorization method list named console-in using the local RADIUS username-password database
B. It specifies the login authorization method list named console-in using the local username-password database on the router
C. It specifies the login authentication method list named console-in using the local user database on the router
D. It specifies the login authentication list named console-in using the local username-password database on the router
Answer: C
Question 3
Which one of the following commands can be used to enable AAA authentication to determine if a user can access the privilege command level?
A. aaa authentication enable default local
B. aaa authentication enable level
C. aaa authentication enable method default
D. aaa authentication enable default
Answer: D
Question 4
Which two ports are used with RADIUS authentication and authorization? (Choose two)
A. TCP port 2002
B. UDP port 2000
C. UDP port 1645
D. UDP port 1812
Answer: C D
Question 5
Which two statements about configuring the Cisco ACS server to perform router command authorization are true? (Choose two)
A. In the ACS User Group setup screen, use the Shell Command Authorization Set options to configure which commands and command arguments to permit or deny.
B. From the ACS Interface Configuration screen, select RADIUS (Cisco IOS/PIX 6.0), and then enable the Shell (exec) option on the RADIUS Services screen.
C. When adding the router as an AAA client on the Cisco ACS server, choose the TACACS+ (Cisco IOS) protocol.
D. Configure the Cisco ACS server to forward authentication of users to an external user database, such as a Windows database.
Answer: A C
Question 6
What should be enabled before any user views can be created during role-based CLI configuration?
A. usernames and passwords
B. secret password for the root user
C. aaa new-model command
D. multiple privilege levels
Answer: C
Question 7
For the following statements, which one is perceived as a drawback of implementing Fibre Channel Authentication Protocol (FCAP)?
A. It is restricted in size to only three segments
B. It requires the implementation of IKE
C. It relies on an underlying Public Key Infrastructure (PKI)
D. It requires the use of netBT as the network protocol
Answer: C
Explanation
FCAP relies on an underlying public key infrastructure (PKI) to provide enterprise-class security. By using PKI, often present in more security-conscious organizations, as a foundational element, along with a certificate-based protocol, FCAP provides numerous advantages. Central among these are strong authentication and management data integrity.
For some organizations, the complexities associated with a PKI can be daunting. This is the only significant argument against FCAP.
(Reference: CCNA Security Official Exam Certification Guide)
Question 8
| 1 | Has no option to authorize router commands |
| 2 | Encrypts the entire packet |
| 3 | Combines authentication and authorization functions |
| 4 | Uses TCP port 49 |
A. TACACS+ – 1 and 3
RADIUS – 2 and 4
B. TACACS+ – 2 and 4
RADIUS – 1 and 3
C. TACACS+ – 1 and 4
RADIUS – 2 and 3
D. TACACS+ – 2 and 3
RADIUS – 1 and 4
Answer: B
Question 9
Which statement is correct regarding the aaa configurations based on the exhibit provided?
R(config)# username admin privilege 15 secret hardtOcRackPw
R(config)# aaa new-model
R(config)# aaa authentication login default tacacs+
R(config)# aaa authentication login test tacacs+ local
R(config)# line vty 0 4
R(config-line)# login authentication test
R(config-line)# line con 0
R(config-line)# end
A. The authentication method list used by the console port is named test
B. The authentication method list used by the vty port is named test
C. If the TACACS+ AAA server is not available, console access to the router can be authenticated using the local database
D. If the TACACS+ AAA server is not available, no users will be able to establish a Telnet session with the router
Answer: B
Question 10
Which one of the aaa accounting commands can be used to enable logging of both the start and stop records for user terminal sessions on the router?
A. aaa accounting connection start-stop tacacs+
B. aaa accounting network start-stop tacacs+
C. aaa accounting exec start-stop tacacs+
D. aaa accounting system start-stop tacacs+
Answer: C
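As an added example that is not part of the original page or of Cisco's documentation, the configuration below shows the EXEC accounting from this question in its full IOS form, together with the TACACS+ command authorization that Question 5 refers to, which is where the EXEC and command accounting records become useful. Current IOS releases require a method-list name (`default` here) and a `group` keyword, so the option text is a shortened form. The server name, address, shared key and group name are assumptions.

```cisco
! Added example, not from the original page. Server name, address, key
! and group name are assumed values.
aaa new-model
!
tacacs server TAC1
 address ipv4 10.0.0.10
 key TacacsSharedKey
aaa group server tacacs+ ADMIN-TACACS
 server name TAC1
!
aaa authentication login default group ADMIN-TACACS local
!
! Authorization: the server decides whether the user gets an EXEC shell
! and approves each privilege-15 command. "if-authenticated" lets a user
! who already authenticated continue only if the server group is unreachable.
aaa authorization exec default group ADMIN-TACACS if-authenticated
aaa authorization commands 15 default group ADMIN-TACACS if-authenticated
! Extend command authorization to configuration-mode commands.
aaa authorization config-commands
!
! Accounting. "exec" is the type that describes a user terminal session:
! a START record when the EXEC shell opens, a STOP record when it closes.
aaa accounting exec default start-stop group ADMIN-TACACS
! Commands are not sessions, so a STOP record per command is enough.
aaa accounting commands 15 default stop-only group ADMIN-TACACS
!
! The other types in the question cover different events:
!   connection - outbound connections made from the router (telnet, ssh, rlogin)
!   network    - PPP, SLIP and ARAP service requests
!   system     - system-level events such as reloads, not tied to a user
```

Turn on command authorization from the console, not from a vty session: `if-authenticated` only applies when the server group returns an error, so a reachable server that denies the command set leaves the administrator unable to enter configuration mode until the server policy is corrected.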
Question 11
For the following items ,which one can be used to authenticate the IPsec peers during IKE Phase 1?
A. XAUTH
B. pre-shared key
C. integrity check value
D. Diffie-Hellman Nonce
Answer: B
Explanation
Internet Key Exchange (IKE) executes the following phases:
+ IKE Phase 1: Two IPsec peers perform the initial negotiation of SAs. Phase 1 generates an Internet Security Association and Key Management Protocol (ISAKMP) SA, used for management traffic. Public key techniques or, alternatively, a pre-shared key, are used to mutually authenticate the communicating parties. Phase 1 operates in either Main Mode or Aggressive Mode. Main Mode protects the identity of the peers; Aggressive Mode does not.
+ IKE Phase 2: SAs are negotiated by the IKE process ISAKMP on behalf of other services, such as IPsec, that need encryption key material for operation. IKE Phase 2 is used to build IPsec SAs, which are for passing end-user data.
Additional service negotiations (XAUTH, Mode Config, Dead Peer Detection, and so on) run under the Phase 1 ISAKMP SA, between Phase 1 and Phase 2; this optional step is sometimes described as IKE Phase 1.5.
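Added example, not from the original page: an IOS site-to-site configuration in which the Phase 1 ISAKMP policy authenticates the peers with a pre-shared key (the answer above) and the Phase 2 IPsec SA carries the user data. The peer address, key, networks and interface name are assumptions.

```cisco
! Added example, not from the original page. Peer address, key, networks
! and interface name are assumed values.
!
! IKE Phase 1: ISAKMP policy used to build the management SA.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
! Phase 1 peer authentication: both sides must hold the same key for
! this peer address. Allow only Main Mode with pre-shared keys; in
! Aggressive Mode the identity hash is sent unencrypted, which exposes
! the key to offline guessing.
crypto isakmp key Example-PSK-Change-Me address 203.0.113.2
crypto isakmp aggressive-mode disable
! Dead Peer Detection runs under the Phase 1 SA.
crypto isakmp keepalive 10 3
!
! IKE Phase 2: IPsec SA parameters negotiated on behalf of the data.
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256-SHA256
 set pfs group14
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 crypto map VPN-MAP
```

`show crypto isakmp sa` shows the Phase 1 SA (state QM_IDLE once authentication succeeded) and `show crypto ipsec sa` the Phase 2 SAs and their packet counters, which is the quickest way to see which phase a failing tunnel stops at.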
Question 12
Which statement is true about a certificate authority (CA)?
A. A trusted third party responsible for signing the private keys of entities in a PKI-based system
B. A trusted third party responsible for signing the public keys of entities in a PKI-based system
C. An entity responsible for registering the private key encryption used in a PKI
D. An agency responsible for granting and revoking public-private key pairs
Answer: B
Question 13
In computer security, AAA commonly stands for “authentication, authorization and accounting”. Which three of the following are common examples of AAA implementation on Cisco routers? (Choose three)
A. authenticating remote users who are accessing the corporate LAN through IPSec VPN connections
B. authenticating administrator access to the router console port, auxiliary port, and vty ports
C. securing the router by locking down all unused services
D. performing router command authorization using TACACS+
Answer: A B D
Question 14
When configuring AAA login authentication on Cisco routers, which two authentication methods should be used as the final method to ensure that the administrator can log in to the router in case the external AAA server fails?
A. Group RADIUS
B. Group TACACS+
C. Local
D. Krb5
E. Enable
F. If-authenticated
Answer: C E
Explanation
If you are working with multiple authentication methods, it is a best practice to have either local or enable authentication as the final method to recover from a severed link to the chosen method server.
Notice:
+ “Local authentication”: login authentication method list named console-in using the local username-password database on the router (command: aaa authentication login console-in local)
+ “Enable authentication”: specify a default login authentication method list using the enable password (command: aaa authentication login default enable)
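To tie Question 1 (method lists) and this question (fallback methods) together, here is an added example that is not part of the original page or of the referenced Cisco guide. Host names, addresses, keys and list names are assumptions. The point to notice is the order: the router moves to the next method in a list only when the current method returns an error (server unreachable), not when it returns a reject, so `local` or `enable` at the end gives recovery from a dead server without weakening a working one.

```cisco
! Added example, not from the original page. Names, addresses and
! secrets are assumed values.
aaa new-model
!
! Credentials that remain usable with no AAA server reachable.
username admin privilege 15 secret Local-Admin-Secret
enable secret Enable-Secret
!
tacacs server TAC1
 address ipv4 10.0.0.10
 key TacacsSharedKey
aaa group server tacacs+ ADMIN-TACACS
 server name TAC1
!
! Default login list: TACACS+ first, local database only if the group
! returns an error. Applies to every line with no named list of its own.
aaa authentication login default group ADMIN-TACACS local
!
! Named list for the console: local database, then the enable secret,
! so physical recovery never depends on the network path to the server.
aaa authentication login CONSOLE-IN local enable
!
! Enable-mode authentication (Question 3): TACACS+, then the enable secret.
aaa authentication enable default group ADMIN-TACACS enable
!
line con 0
 login authentication CONSOLE-IN
line vty 0 4
 login authentication default
 transport input ssh
```

Test the fallback before relying on it: shut the path to 10.0.0.10 (or stop the TACACS+ service) and confirm that a vty login with the local account succeeds and that `show aaa servers` reports the server as DEAD; a valid TACACS+ account that is rejected by the server must still be refused, because a reject does not fall through to `local`.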
I’ve recently started a blog, and the information you provide on this site has helped me tremendously. Thank you for all of your time and work.
Hi,
Isn’t question 2 supposed to be D?
I don’t see how this is a method list if it is using only one way.
Answer C is more precise and therefore the correct one. console-in is the name of the method list, not just the list. The Cisco term for the locally stored username and password is “local user database”.
Yes.
Question 2: the correct answer is D.
If you check out page 120 in the “Official Exam Certification Guide” you will see that the correct answer is D.
No, Otto is correct.
The answer is B.
B. It specifies the login authorization method list named console-in using the local username-password database on the router
The question in the official exam guide proves this.
Question 5 Chapter 4 on AAA Foundation topics.
The mistake may have been made because the multiple-choice question in the official exam guide is lettered differently from the question on this web page.
Whoops, I meant C, as per Otto’s comment.
C. It specifies the login authentication method list named console-in using the local user database on the router
I got confused myself by the lettering of the questions and copied the incorrect answer into the post for a moment.
I had been arguing with a close friend about this issue for quite a while; based on your explanation, it proves that I am right. Let me show him your webpage, then I am sure it will make him buy me a drink, lol. Thanks.
- Kris
The answer to Question 2 should be D.
As per the book CCNA Security by Michael Watkins, page 120, the answer given is D.
Any comments?
The answer is C. The catch word to look for in the answer is “Method List” and not just “list”. Check the answer to Question number 1.
Could anyone please explain how a view can be attached to a user? To move to a view, the user has to go via privileged mode anyway, where he can access all the privilege-level commands. Then what is the use of a view?
I am currently reading the same book and notice that the answer is B. When I did the CCNP I came across the same thing and the answer is B.
I strongly believe that the answer is B.
Quoted from Michael Watkins’ book, page 120: “aaa authentication login console-in local – specifies the login authentication method list named console-in using the local username-password database on the router”.
@Shervin, I think you wrote B by mistake. The correct answer is C, as per your own explanation.
Hi Viv,
When creating users, we can directly assign views to them:
(config)#username Aninda view MY_VIEW secret aninda
In this way, when I log in with the username ‘Aninda’, I would directly be placed under MY_VIEW and only the commands in that view will be available to me.
I hope this was helpful
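Following up on the view question and the reply above, an added example that is not the commenter's configuration: a restricted view for a help-desk role, created from the root view and bound to a username so that the login lands inside the view without passing through an unrestricted privileged EXEC. The view name, command set and secrets are assumptions.

```cisco
! Added example, not from the original post. View name, command set and
! secrets are assumed values.
aaa new-model
enable secret Root-Enable-Secret
!
! Views are defined from the root view, reached with
!   Router# enable view
! which prompts for the enable secret above.
parser view HELPDESK
 secret Helpdesk-View-Secret
 commands exec include show version
 commands exec include show ip interface brief
 commands exec include show logging
 commands exec include ping
!
! Bind the view to the user: after login the prompt is already inside
! HELPDESK and only the listed commands parse; configure terminal,
! show running-config and enable are not available.
username helpdesk view HELPDESK secret Helpdesk-User-Secret
!
! The username/view binding is honoured when the login is authenticated
! against the local database.
aaa authentication login default local
```

Verify with `show parser view` from the root view, then log in as helpdesk and check that `?` at the prompt lists only the included commands; a user who knows the enable secret can still reach the root view with `enable view`, so the enable secret must not be shared with view-restricted users.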
I think I have the answer to question #2.
The answer is C
The key words are Authorization and Authentication.
AAA authenticates the user profile via username/password at the time of login.
AAA authorizes access based on user profiles after the login. User A has a secret view while user B has a confidential view.
====================================
B. It specifies the login authorization method list named console-in using the local username-password database on the router
C. It specifies the login authentication method list named console-in using the local user database on the router
Question 2: The answer is C:
C. It specifies the login authentication method list named console-in using the local user database on the router (LOCAL USER DATABASE = USERNAME -PASSWORD)
D. It specifies the login authentication list named console-in using the local username- password database on the router (STATES LIST INSTEAD OF METHOD LIST)
Thanks for having an interesting blog.
Thank you for the work you have done into this article, this helps clear away some questions I had.
I think one of your advertisements caused my internet browser to resize, you might want to put that on your blacklist.
Q10 is wrong. None of the Answers listed is right. The correct answer is actually
R1(config)#aaa accounting exec system start-stop ?
broadcast Use Broadcast for Accounting
group Use Server-group
aaa accounting exec start-stop is not even a valid command
R1(config)#aaa accounting exec ?
WORD Named Accounting list (max 31 characters, longer will be rejected).
default The default accounting list.
Thoughts?
aaa accounting WORD (named accounting list) start-stop (broadcast or group), so for example:
aaa accounting serverslist start-stop servers
Cheers
“... This chapter discusses how to enable and configure TACACS, which provides detailed accounting information and flexible administrative control over authentication and authorization processes. ... TACACS provides for separate and modular authentication, authorization and accounting facilities.”
This page is amazing. I studied with 9tut for the CCNA and I passed the test.
I just have a doubt:
are these questions still valid? I will take the CCNA Security certification in 2 weeks.
Thanks for everything.
Hi, I have my exam on 19th August 2011. Is P4S 4.38 still valid? Are the questions shown here still valid? Has anyone taken the exam recently?
Question 2 the answer should be D
Cisco Press Chapter 4 Page 120
■ aaa authentication login console-in local specifies the login authentication method list named console-in using the local username-password database on the router
I believe 10 is correct.
aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group group-name
exec: Provides accounting for EXEC shell sessions.
pg 125 of Cisco Official Exam Certification Guide