Security Questions

July 18th, 2017 in ROUTE 300-101

Question 1

Explanation

RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.

TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.

During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.

Reference: http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/13838-10.html

Question 2

Explanation

Both RADIUS (Remote Authentication Dial-In User Service) and TACACS+ (Terminal Access Controller Access-Control System Plus) are the main protocols for providing Authentication, Authorization, and Accounting (AAA) services on network devices.

Both RADIUS and TACACS+ support accounting of commands. Command accounting provides information about the EXEC shell commands for a specified privilege level that are being executed on a network access server. Each command accounting record includes a list of the commands executed for that privilege level, as well as the date and time each command was executed, and the user who executed it.

For example, to send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI, use the aaa accounting command command in global configuration mode.

Note: TACACS+ was developed by Cisco from TACACS.

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfacct.html

Question 3

Explanation

TACACS+ encrypts the entire body of the packet (but leaves a standard TACACS+ header).

TACACS+ is an AAA protocol developed by Cisco.
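
The following is an added example, not part of the original page. It shows the header/body split described above, using the body protection defined in RFC 8907 (which calls it obfuscation): the 12-byte header stays readable while the body is XORed with a pad of chained MD5 blocks. The shared secret, session ID and body text are constructed sample values.

```python
import hashlib
import struct

# 12-byte header: version, type, seq_no, flags, session_id, body length
HEADER = struct.Struct("!BBBBII")
TYPES = {1: "authentication", 2: "authorization", 3: "accounting"}

def pseudo_pad(session_id, key, version, seq_no, length):
    """Chained MD5 blocks (RFC 8907), truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]

def transform_body(header, body, key):
    """XOR the body with the pad; the same call obfuscates and recovers it."""
    version, _, seq_no, _, session_id, _ = HEADER.unpack(header)
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(ptype, seq_no, session_id, body, key):
    """Cleartext header followed by the protected body."""
    header = HEADER.pack(0xC0, ptype, seq_no, 0x00, session_id, len(body))
    return header + transform_body(header, body, key)

def readable_without_key(packet):
    """Header fields an on-path observer sees without the shared secret."""
    _, ptype, seq_no, _, session_id, length = HEADER.unpack(packet[:12])
    return {"type": TYPES.get(ptype, "unknown"), "seq_no": seq_no,
            "session_id": session_id, "body_length": length}

# Constructed sample values: secret, session ID and a stand-in body
# (a real body is a binary structure; a text string keeps the demo readable).
KEY = b"constructed-shared-secret"
BODY = b"service=shell cmd=configure cmd-arg=terminal"
PACKET = build_packet(2, 1, 0x1A2B3C4D, BODY, KEY)

if __name__ == "__main__":
    print(readable_without_key(PACKET))
    print("wire body:", PACKET[12:].hex())
    print("recovered:", transform_body(PACKET[:12], PACKET[12:], KEY))
```

The packet type, sequence number, session ID and body length remain visible on the wire, and the body is only as well protected as the shared secret configured on the device and the server.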

Question 4

Question 5

Question 6

Explanation

RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.

Reference: https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/13838-10.html
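
The following is an added example, not part of the original page. It illustrates the point made in the explanations for Question 1 and Question 6: a parser for the RADIUS packet layout of RFC 2865 that lists the authorization attributes arriving inside an Access-Accept. The sample packet is constructed, and its authenticator field is a placeholder rather than a valid MD5 value.

```python
import struct

ACCESS_ACCEPT = 2                   # RADIUS code for Access-Accept (RFC 2865)
CISCO = struct.pack("!I", 9)        # Cisco vendor ID inside Vendor-Specific (26)
INT_ATTRS = {6: "Service-Type", 27: "Session-Timeout"}

def attr(type_, value):
    """Encode one attribute: type, length (header included), value."""
    return bytes([type_, len(value) + 2]) + value

def build_access_accept(identifier, attributes):
    body = b"".join(attributes)
    authenticator = bytes(16)       # constructed placeholder, not a valid MD5
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    return header + authenticator + body

def authorization_in_accept(packet):
    """Return the authorization attributes carried by an Access-Accept."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    found, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        type_, value = packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        if type_ in INT_ATTRS and len(value) == 4:
            found.append((INT_ATTRS[type_], struct.unpack("!I", value)[0]))
        elif type_ == 11:
            found.append(("Filter-Id", value.decode()))
        elif type_ == 26 and value[:4] == CISCO and len(value) > 6:
            found.append(("Cisco-AVPair", value[6:].decode()))
        pos += packet[pos + 1]
    return found

# Constructed sample reply: the server answers "authenticated" and, in the
# same packet, states what the user is allowed to do.
SAMPLE = build_access_accept(7, [
    attr(6, struct.pack("!I", 6)),                    # Service-Type = Administrative
    attr(26, CISCO + attr(1, b"shell:priv-lvl=15")),  # Cisco-AVPair
    attr(27, struct.pack("!I", 3600)),                # Session-Timeout, seconds
])

if __name__ == "__main__":
    for name, value in authorization_in_accept(SAMPLE):
        print(name, "=", value)
```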

Comments
  1. Anonymous
    August 3rd, 2017

    thanks

  2. Anonymous
    August 3rd, 2017

    is this a new question in the exam? Admin.

  3. Raj7437
    November 22nd, 2017

    this comes in fundamental of router security concepts

  4. Werewolf
    January 27th, 2018

    Question 5
    What is supported RADIUS server? (Choose two)
    A. telnet
    B. authentication
    C. accounting
    D. authorization
    E. SSH

    B is correct, D is wrong, C is correct. RADIUS doesn't support Authorization separately! Only together with Authentication as a single process!
    So the correct answers are B C!

  5. question
    March 1st, 2018

    what is correct answer for Q5? really confused.

  6. Marcus
    March 21st, 2018

    I agree with @Werewolf, B and C are better for Q5.

  7. renewer
    April 9th, 2018

    Q5 – Accounting is definitely supported on RADIUS:

    From: https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfacct.html
    Cisco IOS supports the following two methods for accounting:

    •TACACS+—The network access server reports user activity to the TACACS+ security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.

    •RADIUS—The network access server reports user activity to the RADIUS security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.

  8. no name
    April 10th, 2018

    until where exam will be current

  9. Almost there..
    April 20th, 2018

    which type of access list allows granular session filtering for upper-level protocols?
    A content-based access lists
    B Context-based access-lists
    C Reflexive access-lists
    D Extended access lists

    Based on new 477=498 edited recently the answer is A but based on other sources it's C
    Second opinion would be great.
    Thanks

  10. Almost there..
    April 20th, 2018

    Based on my knowledge I would definitely go with option C

  11. Marcus
    April 27th, 2018

    @Almost there..
    I think if the question asks about ‘session’ you should answer ‘reflexive’. In case with the question without ‘session’ (just about the filtering of protocols) the best answer would be ‘extended’.

    p.s. Do not use 477Q as your primary dump. It has about 10% incorrect answers.
