Date post: 11-Jul-2018
Upload: trankhuong
Introduction to 802.1X Operations for Cisco Security

Number: 650-472
Passing Score: 800
Time Limit: 120 min
File Version: 5.0

http://www.gratisexam.com/

Cisco 650-472

Introduction to 802.1X Operations for Cisco Security

Version: 5.0, updated on Jun 27, 2013

Exam A

QUESTION 1
Which two statements represent good use cases for Wake on LAN? (Choose two.)

A. WoL can be used to power-up hosts for on-demand PXE booting.
B. WoL can be used to power-up hosts for after-hours operating system updates and application patching.
C. WoL can be used to power-up hosts to access the IPMI.
D. WoL can be used to save electricity by powering down underused servers and desktops.

Correct Answer: AB
Section: (none)

QUESTION 2
Which two choices are valid methods of authorizing a wired supplicant? (Choose two.)

A. EAP-FAST
B. VLAN assignment
C. dACL
D. EAPOL
E. RADIUS

Correct Answer: BC
Section: (none)

QUESTION 3
Which two statements about MACsec security are true? (Choose two.)

A. MACsec is an IEEE standard that is defined by 802.3AE.
B. MACsec leverages an 802.1X EAP framework to negotiate the MACsec Key Agreement.
C. MACsec is an IETF standard that is defined by RFC 4501.
D. MACsec can negotiate a MACsec Key Agreement without 802.1X.
E. MACsec is an IETF standard that is defined by RFC 4505.
F. MACsec is an IEEE standard that is defined by 802.1AE.

Correct Answer: BF
Section: (none)

QUESTION 4
Which statement correctly defines a persona?

A. A Cisco ISE node can be configured as a primary or backup persona.
B. Persona refers to collections of services running on a Cisco ISE node.
C. A Cisco ISE node can be configured as a wired or wireless persona.
D. Persona relates to the collection of 802.1X services configured on a Cisco Catalyst switch.
E. Persona refers to the collection of EAP methods available to a supplicant.
F. A Cisco ISE node can be configured as a standalone or distributed persona.

Correct Answer: B
Section: (none)

QUESTION 5
Which two EAP methods are examples of challenge-response methods? (Choose two.)

A. EAP-TLS
B. PEAP
C. EAP-FAST
D. LEAP
E. EAP-MD5

Correct Answer: DE
Section: (none)

QUESTION 6
On a Cisco Catalyst switch, which default ports will the radius-server host command use for RADIUS authentication and accounting messages?

A. TCP - Authentication 1645/Accounting 1646
B. TCP - Authentication 1535/Accounting 1536
C. TCP - Authentication 1812/Accounting 1813
D. UDP - Authentication 1535/Accounting 1536
E. UDP - Authentication 1812/Accounting 1813
F. UDP - Authentication 1645/Accounting 1646

Correct Answer: E
Section: (none)

QUESTION 7
Which three modules are valid components of Cisco AnyConnect Secure Mobility Client for Windows? (Choose three)

A. Network Access Manager
B. VPN Module
C. Network Authentication Manager
D. Telemetry and Profiling Module
E. Profiling Module
F. Posture Module
G. Profiling Module

Correct Answer: AEF
Section: (none)

QUESTION 8
Which option is a good example of a non-supplicant host?

A. Laptop running Microsoft Windows 7
B. IP printer
C. desktop PC running Ubuntu Linux
D. IP camera
E. Apple Macintosh running Mac OS X

Correct Answer: BD
Section: (none)

QUESTION 9
Which three RADIUS attributes are required to dynamically assign a VLAN? (Choose three)

A. Attribute 65 (Tunnel-Medium-Type)
B. Attribute 26 (Vendor-Specific)
C. Attribute 64 (Tunnel-Type)
D. Attribute 8 (Framed-IP-Address)
E. Attribute 5 (NAS-Port)
F. Attribute 81 (Tunnel-Private-Group-ID)

Correct Answer: ACF
Section: (none)

QUESTION 10
Consider the example of an end user plugging an unmanaged third-party switch into a port in a conference room. If the wiring closet switch port requires 802.1X authentication (and the authentication host mode is set to the default), what would be the result of multiple 802.1X clients attempting to access the network from the unmanaged switch?

A. After the first supplicant authenticates, other hosts connected to the unmanaged switch will be blocked from the network.
B. After 802.1X times out three times, all hosts on the unmanaged switch will have access to the network.
C. Up to eight hosts and one IP phone can be authenticated.
D. After the first supplicant authenticates, all other hosts connected to the unmanaged switch have access to the network.

Correct Answer: A
Section: (none)

QUESTION 11
Which two Cisco Catalyst switch command fragments enable WebAuth support on an interface? (Choose two.)

A. 3k-access(config-if)# authentication fallback
B. 3k-access(config-if)# authentication dot1x webauth
C. 3k-access(config-if)# authentication webauth
D. 3k-access(config-if)# dot1x priority webauth
E. 3k-access(config-if)# ip admission
F. 3k-access(config-if)# dot1x fallback
G. 3k-access(config-if)# authentication order dot1x webauth

Correct Answer: AE
Section: (none)

QUESTION 12
Which two statements are true with regard to the inner and outer phases of an EAP method? (Choose two.)

A. PEAP can include an optional phase 0 for PAC provisioning.
B. All EAP methods include an inner and outer phase.
C. The outer phase is used for authentication.
D. The inner phase is used for authentication.
E. The outer phase is used for securing the communication channel.
F. The inner phase is used for securing the communication channel.

Correct Answer: DE
Section: (none)

QUESTION 13
Which Cisco ISE persona must run on dedicated hardware?

A. Inline Posture
B. Administrative
C. Centralized
D. Monitoring
E. Distributed Policy
F. Policy Services
G. Standalone

Correct Answer: A
Section: (none)

QUESTION 14
Which statement accurately describes why it is a best practice to pre-populate the MAC addresses of non-802.1X-capable Cisco IP phones into an endpoint database?

A. If the MAC address is not found in an endpoint database, any PC tethered to the Cisco IP phone will be allowed to access the network unauthenticated.
B. If the MAC address is not found in an endpoint database, it will take 3 MAB timeouts (90 seconds) before the MAC address of the Cisco IP phone is automatically entered in the database. No calls can be made in the interim.
C. If the MAC address is not found in an endpoint database, authentication will fail for the Cisco IP phone and the tethered PC port on the phone will be set to err-disable. The PC will not be able to communicate on the network.
D. If the MAC address is not found in an endpoint database, authentication will fail for the Cisco IP phone and the Catalyst switch port will be set to err-disable. Neither the PC host nor the phone will be able to communicate on the network.

Correct Answer: B
Section: (none)

QUESTION 15
Which two Cisco security products act as 802.1X authentication servers? (Choose two)

A. Cisco Security Agent
B. CiscoWorks LAN Management System
C. Cisco Information Security Engine
D. Cisco Security Manager
E. Cisco Secure Access Control System for Windows
F. CiscoWorks LAN Management Solution
G. CiscoWorks Open RADIUS Server
H. Cisco Identity Services Engine

Correct Answer: EH
Section: (none)

QUESTION 16
Which two EAP methods require server-side digital certificates? (Choose two)

A. EAP-FAST
B. PEAP
C. LEAP
D. EAP-MD5
E. EAP-TLS

Correct Answer: BE
Section: (none)

QUESTION 17
Which two statements are true regarding load balancing Cisco ISE Policy Services nodes with a Cisco Application Control Engine? (Choose two.)

A. Each Cisco ISE Policy Services node must be configured with an identical unicast IP address that is used to receive policy requests from the load balancer.
B. Each Cisco ISE Policy Services node must be configured with a unique (and non-reserved) multicast IP address that is used as a heartbeat channel.
C. Each Cisco ISE Policy Services node must be configured with an identical (and non-reserved) multicast IP address that is used as a heartbeat channel.
D. The virtual IP address of the ACE must be on the same IP subnet as the unicast subnet of the Cisco ISE Policy Services node.
E. The virtual IP address of the ACE must not be on the same IP subnet as the unicast subnet of the Cisco ISE Policy Services node.
F. Each Cisco ISE Policy Services node must be configured with a unique unicast IP address that is used to receive policy requests from the load balancer.

Correct Answer: DF
Section: (none)

QUESTION 18
Which statement is true for certificate auto-enrollment on a Cisco IP phone?

A. Cisco Unified Communications Manager CA Proxy Function (CAPF) is capable of auto-enrolling certificates.
B. Cisco Unified Communications Manager Certificate Auto-Enroll Function (CAEF) is capable of auto-enrolling certificates.
C. Cisco IP phones are capable of using digital certificates, but manual enrollment is required.
D. Cisco IP phones are not capable of using digital certificates.
E. Microsoft Windows 2003 Certificate Server Telephony plug-in can be used for auto-enrolling certificates.
F. Microsoft Windows 2008 Enterprise Certificate Server Telephony plug-in can be used for auto-enrolling certificates.

Correct Answer: A
Section: (none)

QUESTION 19
What is the purpose of the guest VLAN on a Cisco Catalyst switch?

A. It provides configurable guest access to devices that have a supplicant but lack local credentials.
B. It provides configurable guest access to non-supplicant devices that lack local credentials.
C. It provides configurable guest access to devices that have a supplicant when the authenticator is down or unreachable.
D. It provides configurable guest access to non-supplicant devices that have local credentials.
E. It provides configurable guest access to devices that have a supplicant when the authentication server is down or unreachable.

Correct Answer: B
Section: (none)

QUESTION 20
Which two PEAP requirements must be met to authenticate the TLS session? (Choose two.)

A. The supplicant requires only an identity certificate.
B. Cisco ISE requires an identity certificate and a CA certificate.
C. The authenticator requires only an identity certificate.
D. The supplicant requires an identity certificate and a CA certificate.
E. The authenticator requires an identity certificate and a CA certificate.
F. The supplicant requires only a CA certificate.
G. Cisco ISE requires only an identity certificate.

Correct Answer: BD
Section: (none)

QUESTION 21
Which two sets of ports does Cisco ISE listen on for RADIUS authentication and accounting messages? (Choose two.)

A. UDP - Authentication 1535/Accounting 1536
B. UDP - Authentication 1645/Accounting 1646
C. TCP - Authentication 1535/Accounting 1536
D. TCP - Authentication 1645/Accounting 1646
E. UDP - Authentication 1812/Accounting 1813
F. TCP - Authentication 1812/Accounting 1813

Correct Answer: BE
Section: (none)

QUESTION 22
Which three elements are required fields when adding a Cisco Wireless LAN Controller as a network device in Cisco ISE? (Choose three)

A. Name
B. Software Version
C. Device Configuration Deployment
D. RADIUS Shared Secret
E. SSID
F. Model Number
G. IP Address

Correct Answer: ADG
Section: (none)

QUESTION 23
During initial ISE setup, for which three of the following required and optional elements does the setup script prompt the administrator to enter a value? (Choose three)

A. Device Gateway
B. Static Host Routes
C. IP Address
D. Active Directory Domain Name
E. Path to RSA SecurID Seed File
F. NTP Server IP Address
G. Path to RADIUS Seed File

Correct Answer: ACD
Section: (none)

QUESTION 24
What action must be performed immediately after initial login to the Cisco ISE GUI?

A. Configure an alternate local administrator account for password recovery.
B. Configure profiling services to authenticate IP phones for MAB.
C. Join a Microsoft Active Directory domain for time synchronization.
D. Change the administrative user account password.
E. Configure an NTP server for time synchronization.
F. Configure RSA SecurID to secure administrative access to Cisco ISE.

Correct Answer: E
Section: (none)

QUESTION 25
Which method provides authenticated guest access to nonsupplicant hosts?

A. restricted VLAN
B. authentication fallback
C. authentication proxy
D. web authentication
E. guest VLAN
F. flexible authentication

Correct Answer: D
Section: (none)

QUESTION 26
Which hardware component of a Cisco TrustSec solution for 802.1X is optional but widely adopted in most networks?

A. external Authentication server
B. Cisco AnyConnect Secure Mobility Client
C. authentication server
D. authenticator
E. Cisco 4200 Series IPS

Correct Answer: B
Section: (none)

QUESTION 27
Consider a design where a Cisco Catalyst switch that supports Network Edge Access Topology (NEAT) is connected to an upstream switch that requires 802.1X authentication on the switch-to-switch link. What differentiates a Cisco Catalyst switch configured for NEAT from an unmanaged switch connected to the same upstream switch port?

A. Switches that support NEAT can be configured with a port in supplicant mode.
B. Switches that support NEAT can perform Layer 2 MAC address translation to allow multiple hosts to be seen by the upstream switch as the same host.
C. Switches that support NEAT can be configured with a port in authenticator mode that supports authentication multi-host.
D. Switches that support NEAT can be configured with a port in authenticator mode that supports authentication multi-auth.

Correct Answer: A
Section: (none)

QUESTION 28
Which two of these Cisco products can act as 802.1X authenticators? (Choose two.)

A. Cisco 4255 Intrusion Prevention Sensor
B. Cisco Catalyst 3750 Series Switch
C. Cisco Wireless LAN Controller
D. Cisco Secure Access Control Server for Windows
E. Cisco 3640 Router
F. Cisco 5510 Adaptive Security Appliance
G. Cisco Secure Access Control Solution for Windows
H. Cisco 4255 Intrusion Prevention System

Correct Answer: CD
Section: (none)

QUESTION 29
What is the purpose of the fallback profile command?

A. This command configures the Critical VLAN policy on an interface.
B. This command configures a WebAuth profile to use in the event that MAB authentication fails.
C. This command configures a WebAuth profile to use in the event that 802.1X authentication fails.
D. This command globally enables WebAuth authentication.
E. This command configures the Guest VLAN policy on an interface.
F. This command configures the Restricted VLAN policy on an interface.

Correct Answer: C
Section: (none)

QUESTION 30
What is the purpose of the restricted VLAN (authentication failed VLAN) on a Cisco Catalyst switch?

A. It provides configurable guest access to nonsupplicant devices that have local credentials.
B. It provides configurable guest access to devices that have a supplicant when the authenticator is down or unreachable.
C. It provides configurable guest access to nonsupplicant devices that lack local credentials.
D. It provides configurable guest access to devices that have a supplicant when the authentication server is down or unreachable.
E. It provides configurable guest access to devices that have a supplicant but lack local credentials.

Correct Answer: E
Section: (none)

QUESTION 31
Which three services run on a Cisco ISE node?

A. Network Access Manager
B. guest VLAN
C. WebAuth
D. telemetry
E. profiling
F. authentication
G. security posture
H. MAC security

Correct Answer: EFG
Section: (none)

QUESTION 32
What is the default username and password for Cisco ISE?

A. Admin/admin
B. Cisco/Cisco
C. Admin/Cisco
D. Administrator/ Cisco
E. Administrator/Admin
F. Cisco/Cisco123
G. Admin/Cisco 123
H. Administrator/ Cisco 123

Correct Answer: C
Section: (none)

QUESTION 33
On which two non-ISE appliances can Cisco ISE also be loaded? (Choose two)

A. Cisco Secure ACS Appliance 3315
B. Cisco Secure ACS Appliance 1121
C. Cisco 5510 Adaptive Security Appliance
D. Cisco NAC Appliance 1121
E. Cisco NAC Appliance 3315
F. Cisco 4255 Intrusion Prevention System
G. Cisco 4255 Intrusion Prevention Sensor

Correct Answer: BE
Section: (none)

QUESTION 34
Which three types of NAD support RADIUS Change of Authorization requests? (Choose three)

A. switches manufactured by other companies
B. Cisco Wireless LAN Controller
C. remote-access VPN devices
D. unmanaged switches and hubs
E. Cisco Catalyst 3750 running IOS 12.2(52)SE1

Correct Answer: ABE
Section: (none)

QUESTION 35
Which four of these operating systems include a native 802.1X? (Choose four.)

A. Ubuntu Linux
B. Microsoft Windows 7
C. Red Hat Enterprise Linux
D. Apple OS X
E. Microsoft Windows for Workgroups
F. OpenVMS
G. MVS/ESA

Correct Answer: ABCD
Section: (none)

QUESTION 36
Which standards body maintains the 802.1X standard?

A. ANSI
B. ISO
C. ITU
D. IEEE
E. NIST

Correct Answer: D
Section: (none)

QUESTION 37
Which two choices are valid Cisco TrustSec topologies? (Choose two)

A. point-to-multipoint
B. EAP
C. wireless
D. point-to-point
E. wireless point-to-point
F. wireless multipoint

Correct Answer: CD
Section: (none)

QUESTION 38
What is the default authentication mode after initial configuration of Cisco ISE?

A. hierarchical authentication
B. rule-based authentication
C. Simple authentication
D. Microsoft Active Directory authentication
E. distributed authentication

Correct Answer: B
Section: (none)

QUESTION 39
Which three of these options can be configured as external identity servers for Cisco ISE? (Choose three)

A. RSA SecurID
B. Microsoft Windows Active Directory Server
C. Banyan StreetTalk
D. generic LDAP server
E. Microsoft NT Server Domain Controller
F. Novell Directory Services

Correct Answer: ABD
Section: (none)

QUESTION 40
Which two of these partial Cisco Catalyst switch commands are used to configure FlexAuth? (Choose two)

A. 3k-access(config-if)# authentication order
B. 3k-access(config-if)# authentication priority
C. 3k-access(config-if)# authentication fallback
D. 3k-access(config)# authentication direction
E. 3k-access(config)# authentication priority
F. 3k-access(config-if)# authentication direction
G. 3k-access(config)# authentication order
H. 3k-access(config)# authentication fallback

Correct Answer: AB
Section: (none)

QUESTION 41
What is the purpose of local WebAuth on a Cisco Catalyst switch?

A. It provides configurable guest access to nonsupplicant devices that lack local credentials.
B. It provides configurable guest access to devices that have a supplicant when the authenticator is down or unreachable.
C. It provides configurable guest access to devices that have a supplicant when the authentication server is down or unreachable.
D. It provides configurable guest access to nonsupplicant devices that have local credentials.
E. It provides configurable guest access to devices that have a supplicant but lack local credentials.

Correct Answer: D
Section: (none)

QUESTION 42
Which three implementation modes are valid for phased implementation of Cisco TrustSec? (Choose three.)

A. low-impact
B. administrative trace
C. monitor
D. low-security
E. high-impact
F. high-security

Correct Answer: ACF
Section: (none)

QUESTION 43
In which OSI layer does EAP operate?

A. Layer 2 (data link)
B. Layer 4 (transport)
C. Layer 7 (application)
D. Layer 1 (physical)
E. Layer 3 (network)

Correct Answer: A
Section: (none)

QUESTION 44
Which Cisco TrustSec device performs user authentication?

A. RADIUS
B. EAP
C. supplicant
D. authenticator
E. authentication server

Correct Answer: E
Section: (none)

QUESTION 45
Which three authentication interface commands are valid for MACsec? (Choose three.)

A. 3k-access(config-if)# authentication host-mode multi-domain
B. 3k-access(config-if)# authentication host-mode multi-auth
C. 3k-access(config)# authentication host-mode single-host
D. 3k-access(config)# authentication host-mode multi-auth
E. 3k-access(config)# authentication host-mode multi-host
F. 3k-access(config-if)# authentication host-mode multi-host
G. 3k-access(config)# authentication host-mode multi-domain
H. 3k-access(config-if)# authentication host-mode single-host

Correct Answer: AFH
Section: (none)

QUESTION 46
The information security policy of your organization requires that ports should remain administratively Up. Which selection represents the best practice for an 802.1X-enabled port that is configured to allow only one host to authenticate on the port?

A. The 3k-access(config-if)# authentication violation shutdown command can be used to prevent a second MAC address from authenticating on the port.
B. The 3k-access(config-if)# authentication violation restrict command can be used to prevent any MAC address from authenticating on the port.
C. The 3k-access(config-if)# authentication violation ignore command can be used to prevent any MAC address from authenticating on the port.
D. The 3k-access(config-if)# authentication violation shutdown command can be used to prevent a second MAC address from authenticating on the port.

Correct Answer: B
Section: (none)

QUESTION 47
Which three statements about hosts moving from port to port on the same switch that is configured for 802.1X are true? (Choose three.)

A. Cisco IP phones send a RADIUS packet with Cisco-av-pair UCPort= Disco to signal to the Cisco Catalyst switch that the tethered PC has disconnected.
B. The 3k-access(config-if)# authentication violation replace command can be used to allow a new host to authenticate to an IP phone that is not manufactured by Cisco.
C. The 3k-access(config-if)# authentication violation replace command can be used to allow a host to disconnect from an IP phone that is not manufactured by Cisco and authenticate on a different port on the same switch.
D. The 3k-access(config)# authentication mac-move permit command can be used to allow a new host to authenticate to an IP phone that is not manufactured by Cisco. Cisco IP phones use Cisco Discovery Protocol to signal to the Cisco Catalyst switch that the tethered PC has disconnected.
E. The 3k-access(config)# authentication mac-move permit command can be used to allow a host to disconnect from an IP phone that is not manufactured by Cisco and authenticate on a different port on the same switch.

Correct Answer: ABE
Section: (none)

QUESTION 48
What must be configured on a Microsoft Windows 7 host to enable the Microsoft 802.1X supplicant for wired networks?

A. Wired 802.1X support requires installation of Windows 7 Service Pack 1.
B. The 802.1X supplicant in the Authentication tab of interface Properties must be enabled.
C. The host must acquire its IP address from DHCP.
D. The Microsoft Wired AutoConfig service must be started.
E. 802.1X must be enabled in BIOS.
F. On systems running Intel 82566 Ethernet controllers, Intel driver v16.1 or higher is required to enable 802.1X support.

Correct Answer: D
Section: (none)

QUESTION 49
Which three selections are valid model numbers for Cisco ISE hardware appliances? (Choose three)

A. Cisco ISE 3355
B. Cisco ISE 3315
C. Cisco ISE 3390
D. Cisco ISE 3350
E. Cisco ISE 3395
F. Cisco ISE 3310

Correct Answer: ABE
Section: (none)

QUESTION 50
What is the purpose of the ip device-tracking command on a Cisco Catalyst switch?

A. enables DHCP snooping, which creates a trusted binding table of MAC and IP addresses required by WebAuth
B. enables the local DHCP proxy service required by WebAuth
C. enables Dynamic ARP Inspection on an interface required by WebAuth
D. enables ICMP probes to discover new hosts and add them to the tracking table required by WebAuth
E. globally enables Dynamic ARP Inspection required by WebAuth
F. enables ARP probes to discover new hosts and add them to the tracking table required by WebAuth
G. enables port security required by WebAuth

Correct Answer: D
Section: (none)

QUESTION 51
Which two choices are valid components of a Cisco TrustSec wireless infrastructure solution? (Choose two.)

A. 802.11 supplicant
B. autonomous access point
C. lightweight access point
D. wired LAN controller
E. wireless repeater
F. wireless LAN controller

Correct Answer: CF
Section: (none)

QUESTION 52
Which section of the 802.1X standard cites other 802 standards needed to fully understand the scope of 802.1X?

A. Section 3 - Definitions
B. Section 2 - Normative References
C. Section 5 - Acronyms and Abbreviations
D. Section 4 - Normative Definitions
E. Section 6 - Conformance

Correct Answer: B
Section: (none)

QUESTION 53
Which section of the 802.1X standard includes use cases?

A. Section 4 - Acronyms and Abbreviations
B. Section 7 - Port-Based Network Access Control Applications
C. Section 2 - Normative References
D. Section 6 - Principles of Port-Based Network Access Control Operation
E. Section 3 - Definitions

Correct Answer: B
Section: (none)

QUESTION 54
Which two statements are true regarding communication from the authenticator to the authentication server (Cisco ISE)? (Choose two.)

A. EAP messages are sent encapsulated in RADIUS protocol over UDP port 1645.
B. EAP messages are sent encapsulated in RADIUS protocol over UDP port 1812.
C. EAP messages are sent to the RADIUS server over UDP port 1812.
D. EAP messages are sent to the RADIUS server over UDP port 1646.
E. EAP messages are sent encapsulated in RADIUS protocol over UDP port 1646.
F. EAP messages are sent to the RADIUS server over UDP port 1645.

Correct Answer: AB
Section: (none)

QUESTION 55
Which four selections below describe valid Cisco ISE Personas? (Choose four.)

A. Cisco ISC
B. Standalone
C. Administrative
D. Centralized
E. Inline Posture
F. Policy Services
G. Monitoring
H. Distributed

Correct Answer: CEFG
Section: (none)

QUESTION 56
Which statement is true regarding the initiation of an 802.1X authentication exchange?

A. EAPOL-Start is always initiated by the supplicant.
B. EAPOL-Start can be initiated by the supplicant or the authenticator.
C. EAPOL-Start is never initiated by the supplicant.
D. EAPOL-Start is always initiated by the authenticator.
E. EAPOL-Start is never initiated by the authenticator.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 57
Which protocol is used to communicate between the authenticator and authentication server?

A. RADIUS
B. EAP-FAST
C. EAPOL
D. EAP-TLS
E. PEAP

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 58
Which two choices are drivers of IEEE 802.1X adoption? (Choose two.)

A. wireless routers
B. guest networks
C. Wired Equivalent Privacy insecurity
D. Wireless Encryption Protocol insecurity
E. open switch ports

Correct Answer: BE
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 59
Which EAP method requires a digital certificate on the client?

A. P1AP-MD5
B. LEAP
C. EAP-GTC
D. PEAP
E. EAP-TLS
F. EAP-MOS
G. EAP-FAST

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 60
Which two elements must you configure on a Cisco Wireless LAN Controller to allow Cisco ISE to authenticate wireless users? (Choose two.)

A. Configure each WLAN to use the configured Cisco ISE node.
B. Configure all attached LWAPs to use the configured Cisco ISE node.
C. Configure the WLC to join a Microsoft Active Directory domain.
D. Configure Cisco ISE as a RADIUS accounting server and shared secret.
E. Configure Cisco ISE as a RADIUS authentication server and shared secret.
F. Configure RADIUS attributes for each SSID.

Correct Answer: AE
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 61
Which two NADs do NOT support RADIUS Change of Authorization requests? (Choose two.)

A. Cisco Catalyst 3750 switches
B. Cisco Adaptive Security Appliances
C. Unmanaged switches and hubs
D. Cisco Wireless LAN Controllers

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 62
Which two choices are drivers of IEEE 802.1X adoption? (Choose two.)

A. Guest networks
B. Heterogeneous Networks
C. Pervasive Wireless Deployments
D. Unprotected switch ports
E. Limited 802.1X standard functionality

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 63
Which module is NOT a valid component of Cisco AnyConnect Secure Mobility Client for Windows?

A. VPN Module
B. Profiling Module
C. Network Access Manager
D. Telemetry Module

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
These are the VPN modules in the Cisco AnyConnect client:
Network Access Manager
Posture Module
Telemetry Module
WebSecurity Module

QUESTION 64
EAP was originally created for which network type?

A. Point-to-Point Protocol
B. Local Area Network
C. Wide Area Network
D. Wireless Local Area Network

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Reference: http://www.cisco.com/en/US/docs/wireless/wlan_adapter/cb21ag/user/vista/1.0/configuration/guide/eap_types.html

QUESTION 65
What is the Cisco Catalyst Switch default port used for CoA?

A. UDP 3799
B. UDP 1812
C. UDP 1645
D. UDP 1700

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Reference: http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_sw_cnfg.html

Note: If using ISE then the port will be 1700, and if using ACS then it will be 3799 (according to the RFC, 3799 is the default port for CoA).

QUESTION 66
Which of the following RADIUS attributes is vendor specific and enables vendors to easily extend the protocol functionality?

A. 1
B. 2
C. 5
D. 26
E. 64

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Reference: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfrdat1.html

QUESTION 67
Which of the following is true about PEAP?

A. PEAP was created as an alternative to EAP-FAST
B. PEAP is limited to MS-CHAP to authenticate the supplicant
C. PEAP authentication operates in two phases
D. PEAP only requires a client-side certificate

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Reference: http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps430/prod_qas0900aecd801764fa.html

QUESTION 68
Which Cisco Catalyst Switch command enables 802.1X authentication globally?

A. authentication priority dot1x mab
B. authentication order dot1x mab
C. dot1x pae authenticator
D. dot1x system-auth-control
E. aaa new-model

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_19_ea1/configuration/guide/Sw8021x.html

QUESTION 69
Which two Cisco Catalyst switch commands are required for URL-redirection? (Choose two.)

A. 3k-access(config-if)# authentication webauth
B. 3k-access(config-if)# authentication dot1x webauth
C. 3k-access(config-if)# ip http secure-server
D. 3k-access(config-if)# authentication order dot1x webauth
E. 3k-access(config-if)# ip http server
F. 3k-access(config-if)# dot1x priority webauth

Correct Answer: CE
Section: (none)
Explanation

Explanation/Reference:
Explanation:
