Question 1
Question 2
Explanation
The service password-encryption command will encrypt all current and future passwords so any password existed in the configuration will be encrypted.
Question 3
Explanation
Usually we enter a command like this:
username bill password westward
And the system display this command as follows:
username bill password 7 21398211
The encrypted version of the password is 21398211. The password was encrypted by the Cisco-defined encryption algorithm, as indicated by the “7”.
However, if you enter the following command: “username bill password 7 21398211”, the system determines that the password is already encrypted and performs no encryption. Instead, it displays the command exactly as you entered it.
Question 4
Question 5
Question 6
Explanation
This configuration will let someone telnet to that router without the password (so the line “password c1sco” is not necessary).
Question 7
Explanation
TACACS+ is an AAA protocol developed by Cisco. TACACS+ separates the authentication, authorization, and accounting steps. This architecture allows for separate authentication solutions while still using TACACS+ for authorization and accounting. For example, it is possible to use the Kerberos Protocol for authentication and TACACS+ for authorization and accounting. After an AAA client passes authentication through a Kerberos server, the AAA client requests authorization information from a TACACS+ server without the necessity to re-authenticate the AAA client by using the TACACS+ authentication mechanism.
Authentication and authorization are not separated in a RADIUS transaction. When the authentication request is sent to a AAA server, the AAA client expects to have the authorization result sent back in reply.
Question 8
Explanation
802.1x is an IEEE Standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN.
Question 9
Explanation
TACACS+ (and RADIUS) allow users to be authenticated against a remote server -> E is correct.
TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header -> C is correct.
TACACS+ supports access-level authorization for commands. That means you can use commands to assign privilege levels on the router -> F is correct.
Note:
By default, there are three privilege levels on the router.
+ privilege level 1 = non-privileged (prompt is router>), the default level for logging in
+ privilege level 15 = privileged (prompt is router#), the level after going into enable mode
+ privilege level 0 = seldom used, but includes 5 commands: disable, enable, exit, help, and logout
Question 10
Explanation
There are three authentication and authorization modes for 802.1x:
+ Monitor mode
+ Low impact mode
+ High security mode
Monitor mode allows for the deployment of the authentication methods IEEE 802.1X without any effect to user or endpoint access to the network. Monitor mode is basically like placing a security camera at the door to monitor and record port access behavior.
With AAA RADIUS accounting enabled, you can log authentication attempts and gain visibility into who and what is connecting to your network with an audit trail. You can discover the following:
+ Which endpoints such as PCs, printers, cameras, and so on, are connecting to your network
+ Where these endpoints connected
+ Whether they are 802.1X capable or not
+ Whether they have valid credentials
+ In the event of failed MAB attempts, whether the endpoints have known, valid MAC addresses
Monitor mode is enabled using 802.1X with the open access and multiauth mode Cisco IOS Software features enabled, as follows:
sw(config-if)#authentication open
sw(config-if)#authentication host-mode multi-auth
For more information about each mode, please read this article: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Phased_Deploy/Phased_Dep_Guide.html
Question 11
Explanation
All other answers are not recommended for a network security plan so only B is the correct answer.
Question 12
Explanation
The “enable secret” password is always encrypted (independent of the “service password-encryption” command) using MD5 hash algorithm.
Note: The “enable password” does not encrypt the password and can be view in clear text in the running-config. In order to encrypt the “enable password”, use the “service password-encryption” command. In general, don’t use enable password, use enable secret instead.
Question 13
Explanation
In fact in question wants to mention about site-to-site VPN. A site-to-site VPN allows offices in multiple fixed locations to establish secure connections with each other over a public network such as the Internet. A site-to-site VPN means that two sites create a VPN tunnel by encrypting and sending data between two devices. One set of rules for creating a site-to-site VPN is defined by IPsec.
In the topology above, Remote Campus sites can connect to the Main Campus through site-to-site VPNs.
Question 14
Explanation
SSH, or secure shell, is a secure protocol that provides a built-in encryption mechanism for establishing a secured connection between two parties, authenticating each side to the other, and passing commands and output back and forth.
Note: Virtual Private Networks (VPNs) are only secure if encrypted. The word “private” only means a given user’s virtual network is not shared with others. In reality a VPN still runs on a shared infrastructure and is not secured if not encrypted. VPNs are used over a connection you already have. That might be a leased line. It might be an ADSL connection. It could be a mobile network connection.
Therefore answer “SSH” is still better than the answer “VPN”.
Question 15
Explanation
The “transport input” command is used to define which protocols to use to connect to a specific line (vty, console, aux…) of the router. The “transport input all” command will allow all protocols (including SSH and Telnet) to do this.
Question 16
Explanation
This question wants to ask how to use the router as the SSH client to connect into other routers. The table below shows the parameters used with SSH:
| SSH command parameters | Description |
| -v <1 | 2> | specifies whether we are going to use version 1 or version 2 |
| -c {3des | aes128-cbc | aes192-cbc j aes256-cbc} | specifies the encryption you are going to use when communicating with the router. This value is optional; if you choose not to use it, the routers will negotiate the encryption algorithm to use automatically |
| -l username | specifies the username to use when logging in to the remote router |
| -m {hmac-md5 | hmac-md5-96 | hmac-sha1 | hmac-sha1-96} | specifies the type of hashing algorithm to use when sending your password. It is optional and if you do not use it, the routers will negotiate what type of hashing to use. |
| ip-address | hostname | we need to specify the IP address or, if you have DNS or static hostnames configured, the name of the router you want to connect to |
For example the command “ssh -v 2 -l admin 10.1.1.1” means “use SSH version 2 to connect to a router at 10.1.1.1 with username “admin”.
Answer C is not correct because it is missing the version needed to use.