Security Questions
Question 1
Explanation
RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.
TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.
During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.
Question 2
Explanation
Both RADIUS (Remote Authentication Dial-In User Service) and TACACS+ (Terminal Access Controller Access-Control System Plus) are the main protocols used to provide Authentication, Authorization, and Accounting (AAA) services on network devices.
Both RADIUS and TACACS+ support accounting, but command accounting is a TACACS+ feature: the Cisco IOS implementation of RADIUS does not support command accounting. Command accounting provides information about the EXEC shell commands for a specified privilege level that are being executed on a network access server. Each command accounting record includes the commands executed at that privilege level, the date and time each command was executed, and the user who executed it.
For example, to send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI, use the aaa accounting command command in global configuration mode (this form is from the ASA command reference; the IOS equivalent is aaa accounting commands level, which records every command at that privilege level).
Note: TACACS+ was developed by Cisco from TACACS.
Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfacct.html
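As an added example (not taken from the referenced Cisco guide or from the page above), here is an IOS AAA configuration that puts the separation described in the explanations into practice: login authentication, EXEC and per-command authorization, and command accounting are each bound to a TACACS+ server group, with fallback to the local database. The server address, shared key, group name and interface are placeholders.

```cisco
aaa new-model
!
! TACACS+ server definition (placeholder address and key)
tacacs server TAC-SRV1
 address ipv4 192.0.2.20
 key Example-Key-Change-Me
aaa group server tacacs+ TAC-GROUP
 server name TAC-SRV1
!
! Authentication: who you are. Falls back to the local user database
! only if no TACACS+ server in the group answers.
aaa authentication login default group TAC-GROUP local
!
! Authorization: what you may do. The EXEC shell is authorized once, then
! every privilege-15 command (configuration-mode commands included) is
! checked against the server before it runs. RADIUS cannot do this: its
! authorization is delivered once, inside the Access-Accept.
aaa authorization exec default group TAC-GROUP local
aaa authorization commands 15 default group TAC-GROUP local
aaa authorization config-commands
!
! Accounting: what you did. Command accounting is TACACS+ only on IOS.
aaa accounting exec default start-stop group TAC-GROUP
aaa accounting commands 15 default start-stop group TAC-GROUP
!
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
 accounting exec default
 accounting commands 15 default
 transport input ssh
```

On the 12.x releases the referenced guide was written for, the server is defined with the older tacacs-server host 192.0.2.20 key ... form instead of the tacacs server block; the aaa lines are the same. Because these are default method lists they also apply to the console, so test a named list on a single VTY first to avoid locking yourself out of the device if the server is unreachable or the key is wrong.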
Question 3
Explanation
TACACS+ encrypts the entire body of the packet but leaves the standard 12-byte TACACS+ header (version, type, sequence number, flags, session ID, length) in cleartext. RADIUS, by contrast, encrypts only the password in the Access-Request; the other attributes travel in cleartext.
TACACS+ is an AAA protocol developed by Cisco.
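The following is an added example, not code from the page or from Cisco, that shows what "encrypts the body" and "encrypts only the password" mean on the wire. It implements the RADIUS User-Password hiding from RFC 2865 section 5.2 and the TACACS+ body obfuscation from RFC 8907 section 4.5, builds one Access-Request and one TACACS+ authentication START packet from constructed credentials, and reports which fields are readable without the shared secret. The username, password, secret, port and session ID are constructed sample values.

```python
import hashlib
import os
import struct


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- RADIUS: only the User-Password attribute is hidden (RFC 2865 section 5.2) ---

def radius_hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Hide a password as a RADIUS client does for an Access-Request.

    The password is NUL-padded to a 16-byte multiple; each block is XORed with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator.
    """
    assert len(request_authenticator) == 16
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = xor_bytes(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password, as performed by the RADIUS server."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + xor_bytes(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")  # drop the NUL padding


def radius_attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def radius_access_request(username: bytes, password: bytes, secret: bytes,
                          identifier: int = 1, request_authenticator=None) -> bytes:
    """Access-Request (code 1): User-Name (1) is cleartext, User-Password (2) is hidden."""
    ra = request_authenticator or os.urandom(16)
    attrs = radius_attr(1, username) + radius_attr(2, radius_hide_password(password, secret, ra))
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + ra + attrs


# --- TACACS+: everything after the 12-byte header is obfuscated (RFC 8907 section 4.5) ---

TACACS_VERSION = 0xC0      # major version 0xC, minor version 0
TACACS_TYPE_AUTHEN = 0x01


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id|key|version|seq_no); MD5_n = MD5(same|MD5_n-1); concatenate, truncate."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_packet(body: bytes, key: bytes, session_id: int, seq_no: int = 1,
                  pkt_type: int = TACACS_TYPE_AUTHEN, flags: int = 0) -> bytes:
    """The header stays cleartext; the body is XORed with the keyed pad."""
    header = struct.pack("!BBBBII", TACACS_VERSION, pkt_type, seq_no, flags, session_id, len(body))
    pad = tacacs_pseudo_pad(session_id, key, TACACS_VERSION, seq_no, len(body))
    return header + xor_bytes(body, pad)


def tacacs_unobscure(packet: bytes, key: bytes) -> bytes:
    """Recover the body; the pad is symmetric, so the server does exactly this."""
    version, _type, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    return xor_bytes(packet[12:12 + length], tacacs_pseudo_pad(session_id, key, version, seq_no, length))


def tacacs_authen_start(username: bytes, password: bytes, port: bytes = b"tty0",
                        rem_addr: bytes = b"192.0.2.10") -> bytes:
    """START body for a PAP login: action=LOGIN(1), priv_lvl=1, authen_type=PAP(2), service=LOGIN(1)."""
    return (bytes([1, 1, 2, 1, len(username), len(port), len(rem_addr), len(password)])
            + username + port + rem_addr + password)


def exposure(username: bytes, password: bytes, secret: bytes,
             request_authenticator=None, session_id: int = 0x1234ABCD) -> dict:
    """Which fields can a passive observer without the shared secret read?"""
    radius = radius_access_request(username, password, secret, request_authenticator=request_authenticator)
    tacacs = tacacs_packet(tacacs_authen_start(username, password), secret, session_id)
    return {
        "radius_username_visible": username in radius,
        "radius_password_visible": password in radius,
        "tacacs_username_visible": username in tacacs,
        "tacacs_password_visible": password in tacacs,
        "tacacs_cleartext_header": tacacs[:12],
    }


if __name__ == "__main__":
    # constructed sample credentials; the secret is the key configured on the NAS
    print(exposure(b"alice", b"s3cret!", b"SharedSecret"))
```

Two points the code makes concrete: the RADIUS User-Name (and every other attribute) is readable by anyone on the path, while the whole TACACS+ body is not; and in both protocols "encryption" is a keyed MD5 pad XORed over the data, which RFC 8907 itself calls obfuscation rather than encryption. Neither is a substitute for transport protection, so both should be carried over IPsec or, for RADIUS, RADIUS over TLS (RFC 6614).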
Question 4
Question 5
Question 6
Explanation
RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.
thanks
is this a new question in the exam? Admin.
This comes under fundamentals of router security concepts.
Question 5
What is supported RADIUS server? (Choose two)
A. telnet
B. authentication
C. accounting
D. authorization
E. SSH
B is correct, D is wrong, C is correct. RADIUS doesn't support Authorization separately! Only together with Authentication as a single process!
So the correct answers are B C!
what is correct answer for Q5? really confused.
I agree with @Werewolf, B and C are better for Q5.
Q5 – Accounting is definitely supported on RADIUS:
From: https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfacct.html
Cisco IOS supports the following two methods for accounting:
•TACACS+—The network access server reports user activity to the TACACS+ security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.
•RADIUS—The network access server reports user activity to the RADIUS security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.
Until when will the exam be current?
which type of access list allows granular session filtering for upper-level protocols?
A content-based access lists
B Context-based access-lists
C Reflexive access-lists
D Extended access lists
Based on new 477=498 edited recently the answer is A, but based on other sources it's C.
Second opinion would be great.
Thanks
Based on my knowledge I would definitely go with option C.
@Almost there..
I think if the question asks about ‘session’ you should answer ‘reflexive’. In the case of a question without ‘session’ (just about the filtering of protocols) the best answer would be ‘extended’.
p.s. Do not use 477Q as your primary dump. It has about 10% incorrect answers.
Agree with Werewolf and Marcus regarding Q5
RADIUS cannot authorize specific commands like TACACS+ can. It can only send (for example) user-shell-priv 5 in response to the authentication phase, and all priv 15 commands will be executed.
Errata: user-priv 5, and all priv 5 commands will be executed.
which type of access list allows granular session filtering for upper-level protocols?
A content-based access lists
B Context-based access-lists
C Reflexive access-lists
D Extended access lists
Very nice question, and the answer is A, not C.
Reflexive access-lists are something very basic (NOT GRANULAR!!!): they just look at outgoing traffic and allow the inverse to come back in. They don’t know anything about particular protocols and don’t look any further than the src/dest addresses and ports in the outgoing packet.
They don’t have any knowledge about specific protocols (GRANULAR)
CBAC is part of the IOS Firewall feature set and turns the router into a stateful firewall. CBAC is protocol-specific and will open up additional holes to allow certain types of traffic back in (for the FTP data channel, for example). Reflexive ACLs cannot do that.
More than that, CBAC checks the ACK/SEQ numbers.
In my opinion that means “granular session filtering”.
Hi guys – does this site include CCNP Security Exams study material?
which type of access list allows granular session filtering for upper-level protocols?
A content-based access lists
B Context-based access-lists
C Reflexive access-lists
D Extended access lists
If you read the config guide, Configuring IP Session Filtering (Reflexive Access Lists):
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/15-mt/sec-data-acl-15-mt-book/sec-cfg-ip-filter.html
Reflexive access lists allow IP packets to be filtered based on upper-layer session information. You can use reflexive access lists to permit IP traffic for sessions originating from within your network but to deny IP traffic for sessions originating from outside your network. This is accomplished by reflexive filtering, a kind of session filtering.
The keyword of the question is “session filtering”; only “Reflexive access-lists” mentions this, therefore the answer should be C. :-)
– testking360.com
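As an added example, not from any of the posts above, here are both mechanisms the thread is comparing configured on an IOS router, so the difference is visible in the configuration itself. The interface, list names and timeouts are placeholders; apply one variant or the other to the outside interface, not both.

```cisco
! Variant 1: reflexive ACL. Each outbound TCP/UDP flow that matches a
! "reflect" entry creates a temporary inbound entry with the source and
! destination addresses and ports swapped. The entry is a mirrored 5-tuple
! with a timeout; it carries no knowledge of the application protocol.
ip access-list extended OUTBOUND
 permit tcp any any reflect MIRROR timeout 300
 permit udp any any reflect MIRROR timeout 60
 permit icmp any any
ip access-list extended INBOUND
 evaluate MIRROR
 deny ip any any log
!
interface GigabitEthernet0/0
 description Outside
 ip access-group OUTBOUND out
 ip access-group INBOUND in
!
! Variant 2: CBAC (ip inspect). Outbound sessions are tracked per protocol
! and return traffic is admitted ahead of the inbound ACL. The ftp inspector
! reads the control channel and opens the separately negotiated data
! connection, which a reflexive entry for port 21 alone would never permit.
ip inspect name FW-OUT tcp
ip inspect name FW-OUT udp
ip inspect name FW-OUT ftp
ip access-list extended INBOUND-CBAC
 deny ip any any log
!
interface GigabitEthernet0/0
 description Outside
 ip inspect FW-OUT out
 ip access-group INBOUND-CBAC in
```

Use show access-lists after an outbound connection to see the reflexive entries appear and expire, and show ip inspect sessions to see the CBAC session table, including the FTP data connection that inspection opened.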
@Digitaltut
For Q5 and Q6 : https://www.networkworld.com/article/2838882/radius-versus-tacacs.html or https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/12433-32.html
RADIUS :
– Support Authentication and Accounting
– Combines Authentication and Authorization
TACACS+ :
– Support Authentication, Authorization and Accounting
– Separates Authentication & Authorization
Question 5
What is supported RADIUS server? (Choose two)
A. telnet
B. authentication
C. accounting
D. authorization
E. SSH
Answer: B C (not D; supported means it can use it separately)
Question 6
Which two features does RADIUS combine (Choose two)?
A. telnet
B. SSH
C. Authentication
D. Authorization
E. Accounting
Answer: C D
Q5 – I was wondering if the question refers to IOS as a local AAA server:
The Local AAA Server feature allows you to configure your router so that user authentication and authorization attributes currently available on AAA servers are available locally on the router. The attributes can be added to existing framework, such as the local user database or subscriber profile. The local AAA server provides access to the complete dictionary of Cisco IOS supported attributes.
The answer BD would then make sense.
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_radcfg/configuration/12-4t/sec-usr-radcfg-12-4t-book/Local_AAA_Server.html
does anyone have the latest dumps? I have been going through a lot of videos and read the book, but I feel Cisco is just going to screw me with tough questions. Please send it to roger_59 at rocketma1l dot com
Thanks!
Hello.
For Question 2, RADIUS DOES NOT allow for accounting of commands; see the Cisco doc linked below, quoted here: “The Cisco Systems implementation of RADIUS does not support command accounting.”
Question 2
Which two statements about AAA implementation in a Cisco router are true? (Choose two)
A. RADIUS is more flexible than TACACS+ in router management.
B. RADIUS and TACACS+ allow accounting of commands.
C. RADIUS and TACACS+ encrypt the entire body of the packet.
D. RADIUS and TACACS+ are client/server AAA protocols.
E. Neither RADIUS nor TACACS+ allow for accounting of commands.
Answer: B D <—- cannot be B
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/xe-3s/sec-usr-aaa-xe-3s-book/sec-cfg-accountg.html#GUID-FC92726B-5BA8-44FE-AA0E-B026BE165D62