Home > Security Questions

Security Questions

July 18th, 2019 in ROUTE 300-101 Go to comments

Question 1

Explanation

RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.

TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.

During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.

Reference: http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/13838-10.html

Question 2

Explanation

Both RADIUS (Remote Authentication Dial-in User Service) and TACACS+ (Terminal Access Controller Access-Control System) Plus) are the main protocols to provide Authentication, Authorization, and Accounting (AAA) services on network devices.

Both RADIUS and TACACS+ support accounting of commands. Command accounting provides information about the EXEC shell commands for a specified privilege level that are being executed on a network access server. Each command accounting record includes a list of the commands executed for that privilege level, as well as the date and time each command was executed, and the user who executed it.

For example, to send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI, use the aaa accounting command command in global configuration mode

Note: TACACS+ was developed by Cisco from TACACS.

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfacct.html

Question 3

Explanation

TACACS+ encrypts the entire body of the packet (but leaves a standard TACACS+ header).

TACACS+ is an AAA protocol developed by Cisco.

Question 4

Question 5

Question 6

Explanation

RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.

Reference: https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/13838-10.html

Comments
  1. Anonymous
    August 3rd, 2017

    thanks

  2. Anonymous
    August 3rd, 2017

    is this a new question in the exam? Admin.

  3. Raj7437
    November 22nd, 2017

    this comes in fundamental of router security concepts

  4. Werewolf
    January 27th, 2018

    Question 5
    What is supported RADIUS server? (Choose two)
    A. telnet
    B. authentication
    C. accounting
    D. authorization
    E. SSH

    B is correct, D is wrong, C is correct. RADIUS doesn support Authorization separately! Only together with Authentication as a single proccess!
    So the correct answers are B C!

  5. question
    March 1st, 2018

    what is correct answer for Q5? really confused.

  6. Marcus
    March 21st, 2018

    I agree with @Werewolf, B and C are better for Q5.

  7. renewer
    April 9th, 2018

    Q5 – Accounting is definitely supported on RADIUS:

    From: https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfacct.html
    Cisco IOS supports the following two methods for accounting:

    •TACACS+—The network access server reports user activity to the TACACS+ security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.

    •RADIUS—The network access server reports user activity to the RADIUS security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.

  8. no name
    April 10th, 2018

    until where exam wil be current

  9. Almost there..
    April 20th, 2018

    which type of access list allows granular session filtering for upper-level protocols?
    A content-based access lists
    B Context-based access-lists
    C Reflexive access-lists
    D Extended access lists

    Based on new 477=498 edited recently the answer is A but based on other sources its C
    Second opinion would be great.
    Thanks

  10. Almost there..
    April 20th, 2018

    Based on my knowledge i would definitely go with option C

  11. Marcus
    April 27th, 2018

    @Almost there..
    I think if the question asks about ‘session’ you should answer ‘reflexive’. In case with the question without ‘session’ (just about the filtering of protocols) the best answer would be ‘extended’.

    p.s. Do not use 477Q as you primary dump. It has about 10% incorrect answers.

  12. Dany1
    October 28th, 2018

    Agree with Werewolf and Marcus regarding Q5
    Radius cannot authorized specific command as TACACS+. It can send only (for example) user-shell-priv 5 in response to authentication phase and all priv 15 commands will be executed

  13. Dany1
    October 28th, 2018

    Errata: user-priv 5 and all priv 5 commands will be executed
    which type of access list allows granular session filtering for upper-level protocols?
    A content-based access lists
    B Context-based access-lists
    C Reflexive access-lists
    D Extended access lists
    Very nice question and answer si A not C
    Reflexive access-list is something very basic( NOT GRANULAR!!!) just look at outgoing traffic and allow the inverse to come back in. They don’t know anything about particular protocols and don’t look any further than the src/dest addresses and ports in the outgoing packet.
    They don’t have any knowledge about specific protocols (GRANULAR)
    CBAC is part of IOS Firewall Feature and turns router into a stateful firewall. CBAC is protocol-specific and will open up additional holes to allow certain types of traffic back in (for the FTP data channel, for example). Reflexive ACL’s cannot do that.
    More than that, CBAC checks the ACK/SEQ numbers.
    In my opinion that means “granular session filtering”.

  14. Anonymous
    November 6th, 2018

    Hi guys – does this site include CCNP Security Exams study material?

  15. testking360
    January 4th, 2019

    which type of access list allows granular session filtering for upper-level protocols?
    A content-based access lists
    B Context-based access-lists
    C Reflexive access-lists
    D Extended access lists

    if you read the config guide, Configuring IP Session Filtering (Reflexive Access Lists)
    https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/15-mt/sec-data-acl-15-mt-book/sec-cfg-ip-filter.html

    Reflexive access lists allow IP packets to be filtered based on upper-layer session information. You can use reflexive access lists to permit IP traffic for sessions originating from within your network but to deny IP traffic for sessions originating from outside your network. This is accomplished by reflexive filtering, a kind of session filtering.

    The keyword of the question is “session filtering”, only “Reflexive access-lists” mention about this, therefore the answer should be C. :-)

    – testking360.com

  16. Sorlags
    February 3rd, 2019

    @Digitaltut

    For Q5 and Q6 : https://www.networkworld.com/article/2838882/radius-versus-tacacs.html or https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/12433-32.html

    RADIUS :
    – Support Authentication and Accounting
    – Combines Authentication and Authorization

    TACAS+ :
    – Support Authentication, Authorization and Accounting
    – Separates Authentication & Authorization

    Question 5

    What is supported RADIUS server? (Choose two)
    A. telnet
    B. authentication
    C. accounting
    D. authorization
    E. SSH

    Answer: B C (not D, supported means he can use it separately)

    Question 6

    Which two features does RADIUS combine (Choose two)?
    A. telnet
    B. SSH
    C. Authentication
    D. Authorization
    E. Accounting

    Answer: C D

  17. Valkyrie17
    April 2nd, 2019

    Q5 – I was wondering if the question refers to IOS as a local AAA server:

    The Local AAA Server feature allows you to configure your router so that user authentication and authorization attributes currently available on AAA servers are available locally on the router. The attributes can be added to existing framework, such as the local user database or subscriber profile. The local AAA server provides access to the complete dictionary of Cisco IOS supported attributes.

    The answer BD would then make sense.

    https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_radcfg/configuration/12-4t/sec-usr-radcfg-12-4t-book/Local_AAA_Server.html

  18. Anonymous
    September 15th, 2019

    does anyone have the latest dumps? I have been going through a lot of videos and read the book, but I feel Cisco is just going to screw me with tough questions. Please send it to roger_59 at rocketma1l dot com

    Thanks!

  19. RADIUSissue
    November 3rd, 2019

    Hello.
    For Question 2, Radius DOES NOT allow for accounting of commands, see Cisco doc linked below, quote here “The Cisco Systems implementation of RADIUS does not support command accounting.”
    Question 2
    Which two statements about AAA implementation in a Cisco router are true? (Choose two)
    A. RADIUS is more flexible than TACACS+ in router management.
    B. RADIUS and TACACS+ allow accounting of commands.
    C. RADIUS and TACACS+ encrypt the entire body of the packet.
    D. RADIUS and TACACS+ are client/server AAA protocols.
    E. Neither RADIUS nor TACACS+ allow for accounting of commands.
    Answer: B D <—- cannot be B
    https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/xe-3s/sec-usr-aaa-xe-3s-book/sec-cfg-accountg.html#GUID-FC92726B-5BA8-44FE-AA0E-B026BE165D62

  1. No trackbacks yet.