2013 Latest Cisco 350-001 Exam Section 3: Device Security/Access (10 Questions)
QUESTION NO: 1
What are the differences between TACACS+ and RADIUS? (Choose all that apply)
A. TACACS+ uses UDP while RADIUS uses TCP for transport.
B. RADIUS and TACACS+ encrypt the entire body of the packet.
C. RADIUS is an IETF standard, while TACACS+ is not.
D. TACACS+ sends a separate request for authorization, while RADIUS uses the same request for authentication and authorization.
E. RADIUS offers multi-protocol support while TACACS+ does not.
Answer: C, D
RADIUS uses UDP while TACACS+ uses TCP.
RADIUS encrypts only the password in the access-request packet, from the client to the server; the remainder of the packet is unencrypted. TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header in the clear.
RADIUS combines authentication and authorization, while TACACS+ uses the AAA architecture, which separates authentication, authorization, and accounting. *
TACACS+ offers multiprotocol support, while RADIUS does not support the AppleTalk Remote Access (ARA) protocol, NetBIOS Frame Protocol Control protocol, Novell Asynchronous Services Interface (NASI) or X.25 PAD connections.
* RADIUS does not allow users to control which commands can be executed on a router and which cannot. Therefore, RADIUS is not as useful for router management or as flexible for terminal services. TACACS+, on the other hand, does allow users to control the authorization of router commands on a per-user or per-group basis.
TACACS+ and RADIUS Comparison, http://www.cisco.com/warp/public/480/10.html
QUESTION NO: 2
You want to prevent all telnet access to your Cisco router. In doing so, you type in the following:
line vty 0 4
 no login
 password cisco
Will this prevent all telnet access to the router as desired?
A. Yes. The “no login” command disables all telnet access, even though the password is cisco.
B. Yes. The VTY password is needed but not set, so all access will be denied.
C. No. The VTY password is cisco.
D. No. No password is needed for VTY access.
E. No. The password is login.
“no login” will not prompt users for any initial login, allowing them to access the router without a password.
QUESTION NO: 3
A new TACACS+ server is configured to provide authentication to a NAS for remote access users. A user tries to connect to the network and fails. The NAS reports a FAIL message. What could be the problem? (Choose all that apply).
A. The TACACS+ service is not running on the server.
B. The password for this user is incorrect.
C. The username does not exist in the TACACS+ user database.
D. The NAS server lost its route to the TACACS+ server.
E. The TACACS+ server is down.
Answer: B, C
A FAIL condition is a result of incorrect username/password information. It means that an authentication request was successfully received, but that it had failed. A FAIL response is significantly different from an ERROR. A FAIL means that the user has not met the criteria contained in the applicable authentication database to be successfully authenticated. Authentication ends with a FAIL response. An ERROR means that the security server has not responded to an authentication query. Because of this, no authentication has been attempted. Only when an ERROR is detected will AAA select the next authentication method defined in the authentication method list.
A, D, E. These would have resulted in an ERROR condition instead of a FAIL condition. With an error, the NAS would query the next authentication method.
QUESTION NO: 4
While setting up remote access for your network, you type in the “aaa new-model” configuration line in your Cisco router. Which authentication methods have you disabled as a result of this change? (Choose all that apply.)
C. Extended TACACS (XTACACS)
Answer: C, D
When you enable AAA, you can no longer access the commands to configure the older, deprecated protocols TACACS and Extended TACACS. If you decide to use TACACS or Extended TACACS in your security solution, do not enable AAA.
QUESTION NO: 5
With regard to IPSec, which of the following are true?
A. IPSec supports Multicast.
B. IPSec does not support Multicast.
C. IPSec supports Multicast in IOS 12.x or later.
D. IPSec supports Multicast in IOS 10.x or earlier.
E. IPSec supports Multicast only in combination with GRE tunnels.
IPSec does not support multicast, as secure IPSec tunnels are always between unicast hosts.
C, D, E. Cisco does not support IPSec protection for multicast traffic on any IOS release.
QUESTION NO: 6
You are setting up a secure connection to another company’s device. You are not certain that they are using Cisco, so you want your router to manually exchange the RSA public keys with the other device. How should you configure your router?
A. Use IPSec with RSA signatures
B. Use IPSec with RSA encrypted nonces
C. Use IPSec with manual keying
D. Use Cisco Encryption Technology
E. Use IPSec using preshared keys
F. Use IPSec using RSA authentication
Manual keying is usually only necessary when configuring a Cisco device to encrypt traffic to another vendor’s device that does not support IKE. If IKE is configurable on both devices, it is preferable to manual keying.
A, B, F. In this question we want the keys to be exchanged manually, so this is not the best
E. Preshared keys are static keys that do not change, but they cannot be keyed manually.
Cisco – “Configuring IPSec Manual Keying between Routers”
QUESTION NO: 7
Which of the following are security services provided by IPSec?
A. Data integrity
B. Data origin authentication
C. Data confidentiality
D. Protection for multicast/broadcast traffic
Answer: A, B, C, E
Data integrity, data origin authentication, data confidentiality, and protection from replay are all security services provided by IPSec.
D. IPSec provides no protection for multicast and broadcast traffic. In fact, IPSec does not support multicast traffic.
QUESTION NO: 8
You wish to change the IKE policies of your IPSec configuration in your site to site router VPN. Which of the following are valid ISAKMP policy parameters that can be changed in the configurations?
A. Security Association’s lifetime
B. Encryption algorithm
C. Hash algorithm
D. Authentication method
E. Diffie-Hellman group identifier
F. All of the above
G. None of the above
There are five parameters to define in each IKE policy:
| Parameter | Accepted Values | Keyword | Default Value |
| --- | --- | --- | --- |
| encryption algorithm | 56-bit DES-CBC | des | 56-bit DES-CBC |
| hash algorithm | SHA-1 (HMAC variant), MD5 (HMAC variant) | sha, md5 | SHA-1 |
| authentication method | RSA signatures, RSA encrypted nonces, pre-shared keys | rsa-sig, rsa-encr, pre-share | RSA signatures |
| Diffie-Hellman group identifier | 768-bit Diffie-Hellman or 1024-bit Diffie-Hellman | 1, 2 | 768-bit Diffie-Hellman |
| security association’s lifetime | | | |
QUESTION NO: 9
Unauthorized access to Cisco devices can be prevented through different privilege level settings. How many of these privilege levels exist?
There are 16 privilege-levels (0 to 15, inclusive).
A. This is the default number of vty sessions that can be placed on a router for remote telnet access (vty levels 0-4, inclusive).
E. The highest level is level 15, but we must also count the lowest level (level 0) for a total of 16.
QUESTION NO: 10
Router TK1 has been configured for authentication as shown in the following display:
enable secret 483924
username myname password abc123
aaa authentication login default enable
aaa authentication login access1 local
aaa authentication login access2 radius tacacs+
aaa authentication login access3 tacacs+ local
tacacs-server host 192.168.1.15 key qwert123
radius-server host 192.168.2.27 key poiuy098
line console 0
login authentication access3
line vty 0 4
What method is being used to secure the console port of this router?
A. Authentication is being done using the local database.
B. Authentication is being done using the login password dfgh456.
C. Authentication is being done using the enable password as a default
D. Authentication is being done using the server at IP address 192.168.1.15. If a connection to that server fails, the local database will be used.
E. Authentication is being done using the server at IP address 192.168.2.27
The router is using the keyword access3 for authentication on the console port. The access3 method list specifies TACACS+ first, using the server at 192.168.1.15. If the authentication connection to the server fails, then the local database will be used as a backup.
A. Based on the configuration file above, TACACS+ is the primary authentication method and the local database is only to be used as a backup method.
B. This is the password that is to be used for Telnet access, not the console password.
C. The enable password is not used, since the login authentication information is taken from the “access3” keyword.
E. This is the IP address of the RADIUS server, not the TACACS+ server.