
Exam Prep Questions

Question 1

What are the three components of the CiscoSecure ACS?

  A. AAA server

  B. User database

  C. VPN

  D. AAA client

Answers A, B, and D are correct. The three components are the AAA server, typically a TACACS+ or RADIUS server; the AAA client, such as a router or switch; and the user database, which is typically housed on the AAA server. Answer C is incorrect because VPN is not part of the CiscoSecure ACS.

Question 2

What does AAA stand for?

  A. Authority

  B. Authorization

  C. Auditing

  D. Authentication

  E. Accounting

Answers B, D, and E are correct. AAA stands for authentication, authorization, and accounting. Answers A and C are not part of AAA.

Question 3

Which command starts AAA on a Cisco router?

  A. aaa-server

  B. aaa new-model

  C. tacacs

  D. aaa tacacs-server

Answer B is correct. Answer A, aaa-server, starts the AAA process, but it does so on a PIX Firewall, so it is incorrect. The aaa new-model is not the most intuitive command, but it starts AAA on a router. Answers C and D are incorrect and do not work.

Question 4

What are the two most common AAA protocols?

  A. TCP/IP

  B. RADIUS

  C. TACACS+

  D. PPP

Answers B and C are correct. Answer A, TCP/IP, is certainly a well-used protocol, and is in fact used by TACACS+, but it is not an AAA protocol. Answer D is not an AAA protocol.

Question 5

What are three characteristics of RADIUS?

  A. Proprietary

  B. Developed by the IETF

  C. Encrypts passwords only

  D. Uses TCP/IP

  E. Uses UDP/IP

Answers B, C, and E are correct. RADIUS is an open standard developed by the IETF; it uses UDP/IP and is only able to encrypt passwords. Answers A and D describe TACACS+; it is Cisco proprietary, uses TCP/IP, and encrypts all the data.

Question 6

Which ports are used in character mode? (Choose three.)

  A. Serial 2/0

  B. AUX

  C. BRI

  D. CON 0

  E. VTY

Answers B, D, and E are correct. Character mode is for data destined to the router. Serial 2/0, Answer A, and BRI, Answer C, represent interfaces; packets would travel into, out of, and through those interfaces. VTY, AUX, CON, and TTY typically represent character-mode ports.

Question 7

Which aaa accounting keyword monitors outbound Telnet traffic?

  A. connection

  B. start-stop

  C. network

  D. telnet

Answer A is correct. You use the keyword connection for all outbound connections. You use Answer B, start-stop, to record when a service or connection starts and stops, not just Telnet. Answer C is incorrect; network is for auditing service requests such as SLIP and PPP. There is no telnet keyword with accounting, so Answer D is wrong.

Question 8

How do you set an encryption key of CISCO for your RADIUS server?

  A. tacacs-server key CISCO

  B. aaa-server CISCO

  C. username RADIUS password CISCO

  D. radius-server key CISCO

Answer D is correct. Answer A would be valid if the question was about a TACACS server. Answer B is made up and is incorrect. Answer C would create a local account called RADIUS with a password of CISCO, so it is also a wrong answer.

Question 9

What command would you enter to set up authentication on your router to query the TACACS servers and, if unable to communicate to the servers, authenticate from the enable password?

  A. aaa authentication login default group radius enable

  B. aaa authentication login default group tacacs+ local

  C. aaa authentication login default group tacacs+ enable

  D. aaa authentication login default group tacacs+ none

Answer C is correct; it tries TACACS first and then uses the enable password. All four of the commands are valid in some circumstances. Answer A is wrong because it goes to a RADIUS server. Answer B uses the local database if the TACACS server is down, so it is incorrect. Answer D is incorrect because it allows access if the TACACS server is unavailable because of the none option.

Question 10

If you enable aaa authentication login default and do nothing else, what happens?

  A. The TACACS server will use a guest account.

  B. Nothing, because authentication has not been applied anywhere yet.

  C. When your session times out, you are locked out from the router.

  D. You need to set up authorization and accounting before any settings go into effect.

Answer C is correct. Remember that when authentication is configured with the default option, it is applied everywhere. When you disconnect or your session times out, you cannot log in to your router. The router wants to authenticate you before allowing you access, and there is no way configured for the router to do that. You will be locked out. Answer A is incorrect because it does not use a guest account by default. Answer B is the exact opposite of the right answer; it is applied everywhere as soon as authentication is enabled. Answer D is wrong because each of the services is independent of the other.
