
CCNA Security v2 Chapter - 3

The document provides information about CCNA Security v2.0 Chapter 3 including multiple choice questions about AAA components, protocols, and configuration. Some key points:
- Authorization is the AAA component that allows a user to access a server with FTP.
- Authentication with AAA is preferred over a local database as it provides a fallback method if the administrator forgets credentials.
- Local AAA is ideal for small networks as it stores usernames and passwords in the router.
- Accounting allows tracking of users who access resources and changes made to those resources.

Uploaded by Frikisito80
Copyright © All Rights Reserved

CCNA Security v2.0 Chapter 3

1. Because of implemented security controls, a user can only access a server with FTP. Which AAA component accomplishes this?
1. accounting
2. accessibility
3. auditing
4. authorization*
5. authentication

2. Why is authentication with AAA preferred over a local database method?
0. It provides a fallback authentication method if the administrator forgets the
username or password.*
1. It uses less network bandwidth.
2. It specifies a different password for each line or port.
3. It requires a login and password combination on the console, vty lines, and aux
ports.

3. Which authentication method stores usernames and passwords in the router and is ideal for small networks?
0. local AAA over TACACS+
1. server-based AAA over TACACS+
2. local AAA*
3. local AAA over RADIUS
4. server-based AAA over RADIUS
5. server-based AAA

4. Which component of AAA allows an administrator to track individuals who access network resources and any changes that are made to those resources?
0. accounting*
1. accessibility
2. authentication
3. authorization

5. Refer to the exhibit. Router R1 has been configured as shown, with the resulting log message. On the basis of the information that is presented, which two statements describe the result of AAA authentication operation? (Choose two.)

[Exhibit: CCNA Security Chapter 3 Exam Answer v2 001]
0. The locked-out user stays locked out until the clear aaa local user lockout
username Admin command is issued.*
1. The locked-out user stays locked out until the interface is shut down then re-enabled.
2. The locked-out user is locked out for 10 minutes by default.
3. The locked-out user should have used the username admin and password
Str0ngPa55w0rd.
4. The locked-out user failed authentication.*

6. A user complains about being locked out of a device after too many unsuccessful AAA login attempts. What could be used by the network administrator to provide a secure authentication access method without locking a user out of a device?
0. Use the login delay command for authentication attempts.*
1. Use the login local command for authenticating user access.
2. Use the aaa local authentication attempts max-fail global configuration mode
command with a higher number of acceptable failures.
3. Use the none keyword when configuring the authentication method list.

7. A user complains about not being able to gain access to a network device configured with AAA. How would the network administrator determine if login access for the user account is disabled?
0. Use the show aaa local user lockout command.*
1. Use the show running-configuration command.
2. Use the show aaa sessions command.
3. Use the show aaa user command.

8. When a method list for AAA authentication is being configured, what is the effect of the keyword local?
0. The login succeeds, even if all methods return an error.
1. It uses the enable password for authentication.
2. It accepts a locally configured username, regardless of case*
3. It defaults to the vty line password for authentication.

9. Which solution supports AAA for both RADIUS and TACACS+ servers?
0. Implement Cisco Secure Access Control System (ACS) only.*
1. RADIUS and TACACS+ servers cannot be supported by a single solution.
2. Implement a local database.
3. Implement both a local database and Cisco Secure Access Control System (ACS).

10. What difference exists when using Windows Server as an AAA server, rather than Cisco Secure ACS?
0. Windows Server requires more Cisco IOS commands to configure.
1. Windows Server only supports AAA using TACACS.
2. Windows Server uses its own Active Directory (AD) controller for
authentication and authorization.*
3. Windows Server cannot be used as an AAA server.

11. What is a characteristic of TACACS+?
0. TACACS+ uses UDP port 1645 or 1812 for authentication, and UDP port 1646 or
1813 for accounting.
1. TACACS+ is backward compatible with TACACS and XTACACS.
2. TACACS+ is an open IETF standard.
3. TACACS+ provides authorization of router commands on a per-user or per-group basis.*

12. Which two features are included by both TACACS+ and RADIUS protocols? (Choose two.)
0. 802.1X support
1. separate authentication and authorization processes
2. SIP support
3. password encryption *
4. utilization of transport layer protocols *

13. Which server-based authentication protocol would be best for an organization that wants to apply authorization policies on a per-group basis?
0. SSH
1. RADIUS
2. ACS
3. TACACS+*

14. Refer to the exhibit. Which statement describes the configuration of the ports for Server1?

[Exhibit: CCNA Security Chapter 3 Exam Answer v2 002]
0. The configuration using the default ports for a Cisco router.
1. The configuration of the ports requires 1812 be used for the authentication and the
authorization ports.
2. The configuration will not be active until it is saved and Rtr1 is rebooted.
3. The ports configured for Server1 on the router must be identical to those
configured on the RADIUS server.*

15. True or False? The single-connection keyword prevents the configuration of multiple TACACS+ servers on an AAA-enabled router.
0. false*
1. true

16. Why would a network administrator include a local username configuration, when the AAA-enabled router is also configured to authenticate using several ACS servers?
0. Because ACS servers only support remote user access, local users can only
authenticate using a local username database.
1. A local username database is required when configuring authentication using ACS
servers.
2. The local username database will provide a backup for authentication in the
event the ACS servers become unreachable.*
3. Without a local username database, the router will require successful authentication
with each ACS server.

17. Which debug command is used to focus on the status of a TCP connection when using TACACS+ for authentication?
0. debug tacacs events*
1. debug tacacs
2. debug tacacs accounting
3. debug aaa authentication

18. Which characteristic is an important aspect of authorization in an AAA-enabled network device?
0. The authorization feature enhances network performance.
1. User access is restricted to certain services.*
2. User actions are recorded for use in audits and troubleshooting events.
3. A user must be identified before network access is granted.

19. What is the result of entering the aaa accounting network command on a router?
0. The router collects and reports usage data related to network-related service
requests.*
1. The router outputs accounting data for all EXEC shell sessions.
2. The router provides data for only internal service requests.
3. The router outputs accounting data for all outbound connections such as SSH and
Telnet.

20. What is a characteristic of AAA accounting?
0. Possible triggers for the aaa accounting exec default command include start-stop and stop-only.*
1. Accounting can only be enabled for network connections.
2. Accounting is concerned with allowing and disallowing authenticated users access to
certain areas and programs on the network.
3. Users are not required to be authenticated before AAA accounting logs their
activities on the network.

21. When using 802.1X authentication, what device controls physical access to the network, based on the authentication status of the client?
0. the router that is serving as the default gateway
1. the authentication server
2. the switch that the client is connected to*
3. the supplicant

22. What device is considered a supplicant during the 802.1X authentication process?
0. the client that is requesting authentication*
1. the switch that is controlling network access
2. the router that is serving as the default gateway
3. the authentication server that is performing client authentication

23. What protocol is used to encapsulate the EAP data between the authenticator and authentication server performing 802.1X authentication?
0. SSH
1. MD5
2. TACACS+
3. RADIUS*
