Answer CCNA Security Chapter 3 Test – CCNAS v1.1

chapter 3 ccna security

This post is about questions and answer for CCNA Security Chapter 3 Test. The questions is based on CCNAS v1.1. All the answers has been verified to be 100% correct. Hopefully all these questions and answers will be a good guide and reference to all of us.

Why is local database authentication preferred over a password-only login?

It specifies a different password for each line or port.

It provides for authentication and accountability.

It requires a login and password combination on console, vty lines, and aux ports.

It is more efficient for users who only need to enter a password to gain entry to a device.

 

Which authentication method stores usernames and passwords in the router and is ideal for small networks?

local AAA

local AAA over RADIUS

local AAA over TACACS+

server-based AAA

server-based AAA over RADIUS

server-based AAA over TACACS+

 

In regards to Cisco Secure ACS, what is a client device?

a web server, email server, or FTP server

the computer used by a network administrator

network users who must access privileged EXEC commands

a router, switch, firewall, or VPN concentrator

 

When configuring a Cisco Secure ACS, how is the configuration interface accessed?

A Web browser is used to configure a Cisco Secure ACS.

The Cisco Secure ACS can be accessed from the router console.

Telnet can be used to configure a Cisco Secure ACS server after an initial configuration is complete.

The Cisco Secure ACS can be accessed remotely after installing ACS client software on the administrator workstation.

 

What is a difference between using the login local command and using local AAA authentication for authenticating administrator access?

Local AAA authentication supports encrypted passwords; login local does not.

Local AAA provides a way to configure backup methods of authentication; login local does not.

A method list must be configured when using the login local command, but is optional when using local AAA authentication.

The login local command supports the keyword none, which ensures that authentication succeeds, even if all methods return an error.

 

Due to implemented security controls, a user can only access a server with FTP. Which AAA component accomplishes this?

accessibility

accounting

auditing

authentication

authorization

 

Which two AAA access method statements are true? (Choose two.)

Character mode provides remote users with access to network resources and requires use of the console, vty, or tty ports.

Character mode provides remote users with access to network resources and requires use of dialup or VPN.

Character mode provides users with administrative privilege EXEC access and requires use of the console, vty, or tty ports.

Packet mode provides users with administrative privilege EXEC access and requires use of dialup or VPN.

Packet mode provides remote users with access to network resources and requires use of dialup or VPN.

Packet mode provides users with administrative privilege EXEC access and requires use of the console, vty, or tty ports.

 

What is a characteristic of TACACS+?

TACACS+ is an open IETF standard.

TACACS+ is backward compatible with TACACS and XTACACS.

TACACS+ provides authorization of router commands on a per-user or per-group basis.

TACACS+ uses UDP port 1645 or 1812 for authentication, and UDP port 1646 or 1813 for accounting.

 

chapter 3 ccna security

Refer to the exhibit. Router R1 is configured as shown. An administrative user attempts to use Telnet from router R2 to router R1 using the interface IP address 10.10.10.1. However, Telnet access is denied. Which option corrects this problem?

The R1 10.10.10.1 router interface must be enabled.

The vty lines must be configured with the login authentication default command.

The aaa local authentication attempts max-fail command must be set to 2 or higher.

The administrative user should use the username Admin and password Str0ngPa55w0rd.

 

chapter 3 ccna security

Refer to the exhibit. In the network shown, which AAA command logs the use of EXEC session commands?

aaa accounting connection start-stop group radius

aaa accounting connection start-stop group tacacs+

aaa accounting exec start-stop group radius

aaa accounting exec start-stop group tacacs+

aaa accounting network start-stop group radius

aaa accounting network start-stop group tacacs+

 

When configuring a method list for AAA authentication, what is the effect of the keyword local?

It accepts a locally configured username, regardless of case.

It defaults to the vty line password for authentication.

The login succeeds, even if all methods return an error.

It uses the enable password for authentication.

 

What is the result if an administrator configures the aaa authorization command prior to creating a user with full access rights?

The administrator is immediately locked out of the system.

The administrator is denied all access except to aaa authorization commands.

The administrator is allowed full access using the enable secret password.

The administrator is allowed full access until a router reboot, which is required to apply changes.

 

Which statement identifies an important difference between TACACS+ and RADIUS?

TACACS+ provides extensive accounting capabilities when compared to RADIUS.

The RADIUS protocol encrypts the entire packet transmission.

The TACACS+ protocol allows for separation of authentication from authorization.

RADIUS can cause delays by establishing a new TCP session for each authorization request.

 

Which two statements describe Cisco Secure ACS? (Choose two.)

Cisco Secure ACS supports LDAP.

Cisco Secure ACS is only supported on wired LAN connections.

Cisco Secure ACS only supports the TACACS+ protocol.

Cisco Secure ACS supports both TACACS+ and RADIUS protocols.

Cisco Secure ACS Express is a rack-mountable unit intended for more than 350 users.

 

How does a Cisco Secure ACS improve performance of the TACACS+ authorization process?

reduces overhead by using UDP for authorization queries

reduces delays in the authorization queries by using persistent TCP sessions

reduces bandwidth utilization of the authorization queries by allowing cached credentials

reduces number of authorization queries by combining the authorization process with authentication

 

How does a Cisco Secure ACS improve performance of the TACACS+ authorization process?

reduces overhead by using UDP for authorization queries

reduces delays in the authorization queries by using persistent TCP sessions

reduces bandwidth utilization of the authorization queries by allowing cached credentials

reduces number of authorization queries by combining the authorization process with authentication

 

What is an effect if AAA authorization on a device is not configured?

Authenticated users are granted full access rights.

User access to specific services is determined by the authentication process.

Character mode authorization is limited, and packet mode denies all requests.

All authorization requests to the TACACS server receive a REJECT response.

 

CCNAS chapter 3 question

Refer to the exhibit. Router R1 has been configured as shown, with the resulting log message. On the basis of the information presented, which two AAA authentication statements are true? (Choose two.)

Refer to the exhibit. Router R1 has been configured as shown, with the resulting log message. On the basis of the information that is presented, which two statements describe the result of AAA authentication operation? (Choose two.)

The locked-out user failed authentication.

The locked-out user is locked out for 10 minutes by default.

The locked-out user should have used the username Admin and password Pa55w0rd.

The locked-out user should have used the username admin and password Str0ngPa55w0rd.

The locked-out user stays locked out until the clear aaa local user lockout username Admin command is issued.

 

Which technology provides the framework to enable scalable access security?

role-based CLI access

Simple Network Management Protocol

AutoSecure

Cisco Configuration Professional communities

authentication, authorization, and accounting

 

Which two modes are supported by AAA to authenticate users for accessing the network and devices? (Choose two.)

verbose mode

character mode

quiet mode

packet mode

ancillary mode

 

Which two features are included by both TACACS+ and RADIUS protocols? (Choose two.)

separate authentication and authorization processes

password encryption

utilization of transport layer protocols

SIP support

802.1X support

 

As stated earlier, all the answers should be 100% correct. However if you find any mistake or wrong answer in the solution above, please do not hesitate to comment below. Also, if you have new updated questions, you may share here to all the readers. We really appreciate it. Hopefully it will benefits all of us.

Questions and answers in this chapter 3 test has been provided by XASE. All credits goes to him.

 

New Questions Sections

 

[by Naji Alobaidi]

After accounting is enabled on an IOS device, how is a default accounting method list applied? 

Accounting method lists are applied only to the VTY interfaces.

A named accounting method list must be explicitly defined and applied to desired interfaces.

Accounting method lists are not applied to any interfaces until an interface is added to the server group.

The default accounting method list is automatically applied to all interfaces, except those with named accounting method lists.

 

[by Layla]

A company is deploying user device access control through a NAC appliance as part of the Cisco TrustSec solution. Which device is needed to serve as the central management for the access control?

Cisco Secure ACS
Cisco NAC Profiler
Cisco NAC Manager
Cisco NAC Guest Server

A global company is deploying Cisco Secure ACS to manage user access to its headquarters campus. The network administrator configures the ACS to use multiple external databases for users from different geographical regions. The administrator creates user groups to match these databases. What is a purpose of creating different groups of users to authenticate through the Cisco Secure ACS?

to better manage the user database.
to improve the performance of the authentication process.
to accommodate any difference in the authorization process between the ACS and an external database. [Gilton]
to accommodate any difference in the authentication requirements between the ACS and an external database. [Layla]

Refer to the exhibit. A network administrator configures AAA authentication on R1. When the administrator tests the configuration by telneting to R1 and no ACS servers can be contacted, which password should the administrator use in order to login successfully?

LetMe1n2
Pa$$w0rD
authen-radius
authen-tacacs

 

[by Jaime]

Which component of AAA is used to determine which resources a user can access and which operations the user is allowed to perform?

authentication
authorization
accounting
auditing

 

[by Kezo and Jaime]

CCNA Security Chapter 3 v1.2

Refer to the exhibit. A network administrator configures AAA authentication on R1. Which statement describes the effect of the keyword single-connection in the configuration?

The TACACS+ server only accepts one successful try for a user to authenticate with it.

The authentication performance is enhanced by keeping the connection to the TACACS+ server open.

R1 will open a separate connection to the TACACS+ server for each user authentication session.

R1 will open a separate connection to the TACACS server on a per source IP address basis for each authentication session.

 

[by dekaytar]

Which two statements describe AAA access methods? (Choose two.)
Character mode provides remote users with access to network resources and requires use of the console, vty, or tty ports.
Packet mode provides users with administrative privilege EXEC access and requires use of dialup or VPN.
Packet mode provides remote users with access to network resources and requires use of dialup or VPN.
Character mode provides remote users with access to network resources and requires use of dialup or VPN.
Character mode provides users with administrative privilege EXEC access and requires use of the console, vty, or tty ports.
Packet mode provides users with administrative privilege EXEC access and requires use of the console, vty, or tty ports.

Because of implemented security controls, a user can only access a server with FTP. Which AAA component accomplishes this?
accounting
accessibility
auditing
authentication
authorization

When a method list for AAA authentication is being configured, what is the effect of the keyword local?
It defaults to the vty line password for authentication.
The login succeeds, even if all methods return an error.
It uses the enable password for authentication.
It accepts a locally configured username, regardless of case.

What is the result if an administrator uses the aaa authorization command prior to creating a user with full access rights?
The administrator is allowed full access until the router is rebooted and the configuration changes are applied.
The administrator is immediately locked out of the system.
The administrator is denied all access except to aaa authorization commands.
The administrator is allowed full access by using the enable secret password.

In the context of Cisco Secure ACS, what is a client device?
network users who must access privileged EXEC commands
the computer used by a network administrator
a web server, email server, or FTP server
a router, switch, firewall, or VPN concentrator

When a Cisco Secure ACS is being configured, how is the configuration interface accessed?
The Cisco Secure ACS can be accessed remotely after installing ACS client software on the administrator workstation.
The Cisco Secure ACS can be accessed from the router console.
Telnet can be used to configure a Cisco Secure ACS server after an initial configuration is complete.
A web browser is used to configure a Cisco Secure ACS.

 

[by Manual Lopez]

CCNAS Chapter 3 v1.2

Refer to the exhibit. Router R1 has been configured as shown, with the resulting log message. On the basis of the information that is presented, which two statements describe the result of AAA authentication operation? (Choose two.)

The locked-out user stays locked out until the clear aaa local user lockout username Admin command is issued.

The locked-out user should have used the username admin and password Str0ngPa55w0rd.

The locked-out user is locked out for 10 minutes by default.

The locked-out user failed authentication.

The locked-out user should have used the username Admin and password Pa55w0rd.

 

CCNAS Chapter 3 v1.2

Refer to the exhibit. A network administrator configures AAA authentication on R1. When the administrator tests the configuration by telneting to R1 and no ACS servers can be contacted, which password should the administrator use in order to login successfully?

authen-tacacs

LetMe1n2

Pa$$wOrD

authen-radius

 

CCNAS Chapter 3 v1.2

Refer to the exhibit. What is represented by the area marked as “A”?

Internal network

Untrusted network

DMZ

Perimeter security boundary

 

 

CCNAS Chapter 3 v1.2

Refer to the exhibit. Which Cisco IOS security feature is implemented on router FW?

AAA access control firewall

Zone-based policy firewall

Classic firewall

Reflexive ACL firewall

 

Many thanks to contributor for updated question. Should you have latest question that did not appear in a particular chapter post, please do share with us. You may email to admin@invialgo.com. Thank you

33 thoughts on “Answer CCNA Security Chapter 3 Test – CCNAS v1.1”

  1. I had my quzie today and I got those qusetions which not here……..It is %100 corect

    When configuring a Cisco Secure ACS, how is the configuration interface accessed?

    A Web browser is used to configure a Cisco Secure ACS.(answer)

    The Cisco Secure ACS can be accessed from the router console.

    Telnet can be used to configure a Cisco Secure ACS server after an initial configuration is complete.

    The Cisco Secure ACS can be accessed remotely after installing ACS client software on the administrator workstation.

    After accounting is enabled on an IOS device, how is a default accounting method list applied?

    Accounting method lists are applied only to the VTY interfaces.

    A named accounting method list must be explicitly defined and applied to desired interfaces.

    Accounting method lists are not applied to any interfaces until an interface is added to the server group.

    The default accounting method list is automatically applied to all interfaces, except those with named accounting method lists.(answer)

    Thank you
    I got 100% by your help

    1. Hi Naji Alobaidi,
      I believe the first question is already stated in the post.
      I have update the second question in this post.
      Thank you very much for the update and congrats.

  2. New question
    When configuring a method list for AAA authentication, what is the effect of the keyword local?

    *It accepts a locally configured username, regardless of case.* – truly

    It defaults to the vty line password for authentication.

    The login succeeds, even if all methods return an error.

    It uses the enable password for authentication.

    1. I believe the question is already in the list. Just copy, use find on your browser and you’ll found it.
      Thanks for your effort anyway.

  3. new question:
    Refer to the exhibit. Router R1 has been configured as
    shown, with the resulting log message. On the basis of
    the information presented, which two AAA authentication
    statements are true? (Choose two.)

    Correct
    Response

    The locked-out user failed authentication.

    The locked-out user stays locked out until the clear aaa local user lockout username Admin command is issued.

    1. thanks. however i believe the question is already in the list.
      copy the question and use “find” in your browser.
      Thanks anyway

  4. I think there is a duolicated question. The question is “How does a Cisco Secure ACS improve performance of the TACACS+ authorization process?”
    I hope it not only for me. But if it just for me then sorry 🙂

    Btw great site, i loved it 🙂

  5. new question:
    A company is deploying user device access control through a NAC appliance as part of the Cisco TrustSec solution. Which device is needed to serve as the central management for the access control?

    Cisco Secure ACS
    Cisco NAC Profiler
    Cisco NAC Manager (correct answer)
    Cisco NAC Guest Server

    A global company is deploying Cisco Secure ACS to manage user access to its headquarters campus. The network administrator configures the ACS to use multiple external databases for users from different geographical regions. The administrator creates user groups to match these databases. What is a purpose of creating different groups of users to authenticate through the Cisco Secure ACS?

    to better manage the user database.
    to improve the performance of the authentication process.
    to accommodate any difference in the authorization process between the ACS and an external database.
    to accommodate any difference in the authentication requirements between the ACS and an external database. (Correct Response )

    Refer to the exhibit. A network administrator configures AAA authentication on R1. When the administrator tests the configuration by telneting to R1 and no ACS servers can be contacted, which password should the administrator use in order to login successfully?

    LetMe1n2
    Pa$$w0rD (correct rep)
    authen-radius
    authen-tacacs

      1. A global company is deploying Cisco Secure ACS to manage user access to its headquarters campus. The network administrator configures the ACS to use multiple external databases for users from different geographical regions. The administrator creates user groups to match these databases. What is a purpose of creating different groups of users to authenticate through the Cisco Secure ACS?

        to better manage the user database.
        to improve the performance of the authentication process.
        to accommodate any difference in the authorization process between the ACS and an external database. [Gilton]
        to accommodate any difference in the authentication requirements between the ACS and an external database. [Layla]

        1. It didn’t save what I added, but the correct answer is as below:

          to accommodate any difference in the authorization process between the ACS and an external database. [Gilton] (correct answer)

  6. A global company is deploying Cisco Secure ACS to manage user access to its headquarters campus. The network administrator configures the ACS to use multiple external databases for users from different geographical regions. The administrator creates user groups to match these databases. What is a purpose of creating different groups of users to authenticate through the Cisco Secure ACS?
    -to better manage the user database
    -to improve the performance of the authentication process
    —>to accommodate any difference in the authorization process between the ACS and an external database
    (it’s correct)
    -to accommodate any difference in the authentication requirements between the ACS and an external database

  7. to accommodate any difference in the AUTHORIZATION process between the ACS and an external database.

    Gilton had the correct answer, not Layla. i confirm since i just Layla’s answer wrong and i have to correct answer on my screen.

  8. New question:

    Refer to the exhibit. A network administrator configures AAA authentication on R1. Which statement describes the effect of the keyword single-connection in the configuration?

    The TACACS+ server only accepts one successful try for a user to authenticate with it.

    The authentication performance is enhanced by keeping the connection to the TACACS+ server open.

    R1 will open a separate connection to the TACACS+ server for each user authentication session.

    R1 will open a separate connection to the TACACS server on a per source IP address basis for each authentication session.

  9. I can’t find this one, from v1.2

    Which component of AAA is used to determine which resources a user can access and which operations the user is allowed to perform?

    authentication
    *authorization*
    accounting
    auditing

  10. Another one from v1.2 chapter 3:

    Exhibit:
    R1 (config)# enable secret level 15 LetMe1n2
    R1 (config)# username ADMIN privilege 15 secret Pa$$w0rD
    R1 (config)# aaa new-model
    R1 (config)# tacacs-server host 192.168.100.250 single-connection key authen-tacacs
    R1 (config)# radius-server host 192.168.100.252 key authen-radius
    R1 (config)# aaa authentication login default group tacacs+ enable
    R1 (config)# aaa authentication login AUTHEN group radius local enable
    R1 (config)# line vty 0 15
    R1 (config-line)# login authentication AUTHEN
    R1 (config-line)# line con 0
    R1 (config-line)# login authentication default
    R1 (config-line)# end
    R1#

    Refer to the exhibit. A network administrator configures AAA authentication on R1. Which statement describes the effect of the keyword single-connection in the configuration?

    – R1 will open a separate connection to the TACACS server on a per source IP address basis for each authentication session.
    – R1 will open a separate connection to the TACACS+ server for each user authentication session.
    – The TACACS+ server only accepts one successful try for a user to authenticate with it.
    – *The authentication performance is enhanced by keeping the connection to the TACACS+ server open.*

  11. new question

    Which component of AAA is used to determine which resources a user can access and which operations the user is allowed to perform?

    ( answer is authorization)

  12. Maybe new questions :

    Refer to the exhibit. Router R1 has been configured as shown, with the resulting log message. On the basis of the information that is presented, which two statements describe the result of AAA authentication operation? (Choose two.)

    The locked-out user stays locked out until the clear aaa local user lockout username Admin command is issued.

    The locked-out user failed authentication.

    The locked-out user is locked out for 10 minutes by default.

    The locked-out user should have used the username admin and password Str0ngPa55w0rd.

    The locked-out user should have used the username Admin and password Pa55w0rd.

    Which two statements describe AAA access methods? (Choose two.)

    Character mode provides remote users with access to network resources and requires use of the console, vty, or tty ports.

    Packet mode provides users with administrative privilege EXEC access and requires use of dialup or VPN.

    Packet mode provides remote users with access to network resources and requires use of dialup or VPN.

    Character mode provides remote users with access to network resources and requires use of dialup or VPN.

    Character mode provides users with administrative privilege EXEC access and requires use of the console, vty, or tty ports.

    Packet mode provides users with administrative privilege EXEC access and requires use of the console, vty, or tty ports.

    Because of implemented security controls, a user can only access a server with FTP. Which AAA component accomplishes this?

    accounting

    accessibility

    auditing

    authentication

    authorization

    When a method list for AAA authentication is being configured, what is the effect of the keyword local?

    It defaults to the vty line password for authentication.

    The login succeeds, even if all methods return an error.

    It uses the enable password for authentication.

    It accepts a locally configured username, regardless of case.

    What is the result if an administrator uses the aaa authorization command prior to creating a user with full access rights?

    The administrator is allowed full access until the router is rebooted and the configuration changes are applied.

    The administrator is immediately locked out of the system.

    The administrator is denied all access except to aaa authorization commands.

    The administrator is allowed full access by using the enable secret password.

    A global company is deploying Cisco Secure ACS to manage user access to its headquarters campus. The network administrator configures the ACS to use multiple external databases for users from different geographical regions. The administrator creates user groups to match these databases. What is a purpose of creating different groups of users to authenticate through the Cisco Secure ACS?

    to improve the performance of the authentication process

    to better manage the user database

    to accommodate any difference in the authentication requirements between the ACS and an external database

    to accommodate any difference in the authorization process between the ACS and an external database

    In the context of Cisco Secure ACS, what is a client device?

    network users who must access privileged EXEC commands

    the computer used by a network administrator

    a web server, email server, or FTP server

    a router, switch, firewall, or VPN concentrator

    When a Cisco Secure ACS is being configured, how is the configuration interface accessed?

    The Cisco Secure ACS can be accessed remotely after installing ACS client software on the administrator workstation.

    The Cisco Secure ACS can be accessed from the router console.

    Telnet can be used to configure a Cisco Secure ACS server after an initial configuration is complete.

    A web browser is used to configure a Cisco Secure ACS.

  13. Because of implemented security controls, a user can only access a server with FTP. Which AAA component accomplishes this?

    accessibility
    auditing
    **authorization**
    authentication
    accounting

    In the context of Cisco Secure ACS, what is a client device?

    **a router, switch, firewall, or VPN concentrator**
    a web server, email server, or FTP server
    network users who must access privileged EXEC commands
    the computer used by a network administrator

Leave a Reply

Your email address will not be published. Required fields are marked *