Do I Know This Already Quiz Answers

1 What are the three components of AAA? (Choose the three best answers.)

a. Accounting

b. Authorization

c. Adapting

d. Authentication

AAA is used for authentication, authorization, and accounting. Answer c is incorrect because adapting is not part of the security options available with AAA.

2 What IOS command must be issued to start AAA on a Cisco router?

a. aaa old-model

b. aaa model

c. aaa new model

d. aaa new-model

e. aaa new_model

Answer: d

The aaa new-model command starts authentication, authorization and accounting (AAA). Answers a, b, and c are incorrect because they represent invalid IOS commands.

3 What algorithm initiates and encrypts a session between two routers and exchanges keys between two encryption devices?

a. Routing algorithm

b. Diffie-Hellman algorithm

c. The switching engine

d. The stac compression algorithm

Answer: b

When using encryption between two routers, the Diffie-Hellman algorithm is used to exchange keys. This algorithm initiates the session between two routers and ensures that it is secure. Answer a is incorrect because the routing algorithm is used for routing, not for encryption. Answer c is incorrect because a switching engine is used to switch frames and has nothing to do with encryption. Answer d is incorrect because the stac compression algorithm is used by PPP; it compresses data on a PPP WAN link.

4 Can you configure RADIUS and TACACS+ concurrently on a Cisco IOS router?

b. Yes, provided you have the same list names applied to the same interfaces.

c. Yes, provided you have different list names applied to the same interfaces.

d. Yes, provided you have different list names applied to different interfaces.

Answer: d

List names and interfaces must be different.

5 How do you enable a RADIUS server to debug messages for Cisco Secure on a UNIX server?

a. Terminal monitor

b. Edit the configuration file on the router

c. Edit the syslog.conf and csu.cfg files

d. Not possible, as UNIX does not run IOS

Answer: c

You can enable debugging on a UNIX host running Cisco Secure by editing the syslog.conf and csu.cfg files.

6 What RADIUS attribute is used by vendors and not predefined by RFC 2138?

Answer: f

Attribute 26 is a vendor-specific attribute. Cisco uses vendor ID 9.

7 RADIUS can support which of the following protocols?

b. OSPF

c. AppleTalk

d. IPX

e. NLSP

Answer: a

RADIUS supports PPP and none of the multiprotocols listed in options b, c, d, or e.

8 When a RADIUS server identifies the wrong password entered by the remote users, what packet type is sent?

a. Accept-user

b. Reject-users

c. Reject-deny

d. Reject-accept

e. Reject-Error

f. Access-reject

Answer: f

RADIUS sends an access-reject error if the password entered is invalid.

9 Identify the false statement about RADIUS.

a. RADIUS is a defined standard in RFC 2138/2139.

b. RADIUS runs over TCP port 1812.

c. RADIUS runs over UDP port 1812.

d. RADIUS accounting information runs over port 1646.

Answer: b

RADIUS does not deploy TCP.

10 What is the RADIUS key for the following configuration? If this configuration is not valid, why isn't it?

aaa authentication login use-radius group radius local
aaa authentication ppp user-radius if-needed group radius
aaa authorization exec default group radius
aaa authorization network default group radius
radius-server 3.3.3.3
radius-server key IlovemyMum

a. IlovemyMum

b. Ilovemymum

c. This configuration will not work because the command aaa new-model is missing.

Answer: c

Because aaa new-model is not configured, this is not a valid configuration and no requests will be sent to the RADIUS server.

11 What is the RADIUS key for the following configuration?

aaa new-model
aaa authentication login use-radius group radius local
aaa authentication ppp user-radius if-needed group radius
aaa authorization exec default group radius
aaa authorization network default group radius
radius-server 3.3.3.3
radius-server key IlovemyMum

a. IlovemyMum

b. Ilovemymum

c. This configuration will not work

d. 3.3.3.3

Answer: a

The key is case-sensitive; the IOS command, radius-server key IlovemyMum, defines the key as IlovemyMum.

12 What versions of TACACS does Cisco IOS support? (Select the best three answers.)

a. TACACS+

b. TACACS

c. Extended TACACS

d. Extended TACACS+

Answers: a, b, and c

There is no Cisco Extended TACACS+ support.

13 TACACS+ is transported over which TCP port number?

14 What is the predefined TACACS+ server key for the following configuration?

radius-server host 3.3.3.3
radius-server key CCIEsrock

a. 3.3.3.3

b. Not enough data

c. CCIESROCK

d. CCIEsRock

e. CCIEsrock

Answer: e

The key is case-sensitive and is defined by the IOS command, radius-server key CCIEsrock.

15 What does the following command accomplish?

tacacs_server host 3.3.3.3

a. Defines the remote TACACS+ server as 3.3.3.3

b. Defines the remote RADIUS server as 3.3.3.3

e. Host unknown; no DNS details for 3.3.3.3 provided

Answer: c

The IOS command to define a remote TACACS+ server is tacacs-server host ip-address.

16 Which of the following protocols does TACACS+ support?

b. AppleTalk

c. NetBIOS

d. All the above

Answer: d

TACACS+ has multiprotocol support for PPP, AppleTalk, NetBIOS and IPX.

17 Kerberos is defined at what layer of the OSI model?

a. Layer 1

b. Layer 2

c. Layer 3

d. Layer 4

e. Layer 5

f. Layer 6

g. Layer 7

Answer: g

Kerberos is an application layer protocol defined at Layer 7 of the OSI model.

18 What definition best describes a key distribution center when Kerberos is applied to a network?

a. A general term that refers to authentication tickets

b. An authorization level label for Kerberos principals

c. Applications and services that have been modified to support the Kerberos credential infrastructure

d. A domain consisting of users, hosts, and network services that are registered to a Kerberos server

e. A Kerberos server and database program running on a network host

Answer: e

The KDC is a server and database program running on a network host.

19 What definition best describes a Kerberos credential?

a. A general term that refers to authentication tickets

b. An authorization level label for Kerberos principals

c. Applications and services that have been modified to support the Kerberos credential infrastructure

d. A domain consisting of users, hosts, and network services that are registered to a Kerberos server

e. A Kerberos server and database program running on a network host

Answer: a

A credential is a general term that refers to authentication tickets, such as ticket granting tickets (TGTs) and service credentials. Kerberos credentials verify the identity of a user or service. If a network service decides to trust the Kerberos server that issued a ticket, it can be used in place of retyping a username and password. Credentials have a default lifespan of eight hours.

20 What definition best describes Kerberized?

a. A general term that refers to authentication tickets

b. An authorization level label for Kerberos principals

c. Applications and services that have been modified to support the Kerberos credential infrastructure

d. A domain consisting of users, hosts, and network services that are registered to a Kerberos server

e. A Kerberos server and database program running on a network host

Answer: c

Kerberized refers to applications and services that have been modified to support the Kerberos credential infrastructure.

21 What definition best describes a Kerberos realm?

a. A general term that refers to authentication tickets

b. An authorization level label for the Kerberos principals

c. Applications and services that have been modified to support the Kerberos credential infrastructure

d. A domain consisting of users, hosts, and network services that are registered to a Kerberos server

e. A Kerberos server and database program running on a network host

Answer: d

The Kerberos realm name is also used to map a DNS domain to a Kerberos realm.

22 What IOS command enables VPDN in the global configuration mode?

a. vpdn-enable

b. vpdn enable

c. vpdn enable in interface mode

d. Both a and c are correct

Answer: b

To enable VPDN in global configuration mode, the correct IOS command is vpdn enable.

23 What is the number of bits used with a standard DES encryption key?

a. 56 bits

b. 32 bits; same as IP address

c. 128 bits

d. 256 bits

e. 65,535 bits

f. 168 bits

Answer: a

DES applies a 56-bit key. The documented time taken to discover the 56-bit key is 7 hours on a Pentium III computer, so DES is not a common encryption algorithm used in today's networks.

24 What is the number of bits used with a 3DES encryption key?

a. 56 bits

b. 32 bits; same as IP address

c. 128 bits

d. 256 bits

e. 65,535 bits

f. 168 bits

Answer: f

Triple DES (3DES) is today's standard encryption with a 168-bit key.

25 In IPSec, what encapsulation protocol only encrypts the data and not the IP header?

d. HASH

e. Both a and b are correct

Answer: a

ESP only encrypts the data, not the IP header.

26 In IPSec, what encapsulation protocol encrypts the entire IP packet?

d. HASH

e. Both a and b are correct

Answer: b

AH encrypts the entire IP packet. The time to live (TTL) is not encrypted because this value decreases by one (1) every time a router is traversed.

27 Which of the following is AH's destination IP port?

The AH destination port number is 51.

28 Which of the following is ESP's destination IP port?

Answer: c

The ESP destination IP port number is 50.

29 Which of the following is not part of IKE phase I negotiations?

a. Authenticating IPSec peers

b. Exchanges keys

c. Establishes IKE security

d. Negotiates SA parameters

Answer: d

IKE phase II negotiates SA parameters.

30 Which of the following is not part of IKE phase II?

a. Negotiates IPSec SA parameters

b. Periodically updates IPSec SAs

c. Rarely updates SAs (at most, once a day)

d. Established IPSec security parameters

Answer: c

IKE phase II updates SAs at periodically-defined intervals.

31 Which is the faster mode in IPSec?

a. Main mode

b. Fast mode

c. Aggressive mode

d. Quick mode

Answer: c

Aggressive mode is faster than Main mode but is less secure. They can both occur in Phase I. Phase II only has Quick mode. Fast mode does not exist in the IPSec standard set of security protocols.

32 Certificate Enrollment Process (CEP) runs over what TCP port number? (Choose the best two answers.)

a. Same as HTTP

b. Port 80

c. Port 50

d. Port 51

e. Port 333

f. Port 444

Answers: a and b

CEP uses the same port as HTTP, port 80.
