Introduction to 802.1X Operations for Cisco Security

Transcription

1 Introduction to 802.1X Operations for Cisco Security Number: Passing Score: 800 Time Limit: 120 min File Version: Cisco Introduction to 802.1X Operations for Cisco Security Version: 5.0, updated on Jun 27, 2013

2 Exam A QUESTION 1 Which two statements represent good use cases for Wake on LAN? (Choose two.) A. WoL can be used to power-up hosts for on-demand PXE booting. B. WoL can be used to power-up hosts for after-hours operating system updates and application patching. C. WoL can be used to power-up hosts to access the IPMI. D. WoL can be used to save electricity by powering down underused servers and desktops. Correct Answer: AB QUESTION 2 Which two choices are valid methods of authorizing a wired supplicant? (Choose two.) A. EAP-FAST B. VLAN assignment C. dacl D. EAPOL E. RADIUS Correct Answer: BC QUESTION 3 Which two statements about MACsec security are true? (Choose two.) A. MACsec is an IEEE standard that is defined by 802.3AE. B. MACsec leverages an 802.1X EAP framework to negotiate the MACsec Key Agreement. C. MACsec is an IETF standard that is defined by RFC D. MACsec can negotiate a MACsec Key Agreement without 802.1X. E. MACsec is an IETF standard that is defined by RFC F. MACsec is an IEEE standard that is defined by 802.1AE. Correct Answer: BF QUESTION 4 Which statement correctly defines a persona? A. A Cisco ISE node can be configured as a primary or backup persona. B. Persona refers to collections of services running on a Cisco ISE node.

3 C. A Cisco ISE node can be configured as a wired or wireless persona. D. Persona relates to the collection of 802.1X services configured on a Cisco Catalyst switch. E. Persona refers to the collection of EAP methods available to a supplicant. F. A Cisco ISE node can be configured as a standalone or distributed persona. Correct Answer: B QUESTION 5 Which two EAP methods are examples of challenge-response methods? (Choose two.) A. EAP-TLS B. PEAP C. EAP-FAST D. LEAP E. EAP-MD5 Correct Answer: DE QUESTION 6 On a Cisco Catalyst switch, which default ports will the radius-server host command use for RADIUS authentication and accounting messages? A. TCP - Authentication 1645/Accounting 1646 B. TCP - Authentication 1535/Accounting 1536 C. TCP - Authentication 1812/Accounting 1813 D. UDP - Authentication 1535/Accounting 1536 E. UDP - Authentication 1812/Accounting 1813 F. UDP - Authentication 1645/Accounting 1646 Correct Answer: E QUESTION 7

4 Which three modules are valid components of Cisco AnyConnect Secure Mobility Client for Windows? (Choose three) A. Network Access Manager B. VPN Module C. Network Authentication Manager D. Telemetry and Profiling Module E. Profiling Module F. Posture Module G. Profiling Module Correct Answer: AEF QUESTION 8 Which option is a good example of a non-supplicant host? A. Laptop running Microsoft Windows 7 B. IP printer C. desktop PC running Ubuntu Linux D. IP camera E. Apple Macintosh running Mac OS X Correct Answer: BD QUESTION 9 Which three RADIUS attributes art required to dynamically assign a VIAN? (Choose three) A. Attribute 65 (Tunnel-Medium-Type) B. Attribute 26 (Vendor-Specific) C. Attribute 64 (Tunnel-Type) D. Attribute 8 (Framed-IP-Address) E. Attribute 5 (NASPort) F. Attribute 81 (Tunne1-Private-Group-ID) Correct Answer: ACF QUESTION 10 Consider the example of an end user plugging an unmanaged third-party switch into a port in a conference room. If the wiring closet switch port requires 802.1X authentication (and the authentication host mode is set to the default), what would be the result of multiple 802.1X clients attempting to access the network from the

5 unmanaged switch? A. After the first supplicant authenticates, other hosts connected to the unmanaged switch will be blocked from the network. B. After 802.1X times out three times, all hosts on the unmanaged switch will have access to the network. C. Up to eight hosts and one IP phone can be authenticated. D. After the first supplicant authenticates, all other hosts connected to the unmanaged switch have access to the network. Correct Answer: A QUESTION 11 Which two Cisco Catalyst switch command fragments enable WebAuth support on an interface? (Choose two.) A. 3k-access(config-if)# authentication fallback B. 3k-access(config-if)# authentication dotlx webauth C. 3k-access(config-if)S authentication webauth D. 3k-access(config-if)# dotlx priority webauth E. 3k-access(config-if)- ip admission F. 3k-access(config-if)ff dotlx fallback G. 3k-access(config-if)# authentication order dotlx webauth Correct Answer: AE QUESTION 12 Which two statements are true with regard to the inner and outer phases of an EAP method? (Choose two.) A. PEAP can include an optional phase 0 for PAC provisioning. B. All EAP methods include an inner and outer phase. C. The outer phase is used for authentication. D. The inner phase is used for authentication. E. The outer phase is used for securing the communication channel. F. The inner phase is used for securing the communication channel. Correct Answer: DE QUESTION 13 Which Cisco ISE persona must run on dedicated hardware? A. Inline Posture

6 B. Administrative C. Centralized D. Monitoring E. Distributed Policy F. Policy Services G. Standalone Correct Answer: A QUESTION 14 Which statement accurately describes why it is a best practice to pre-populate the MAC addresses of non X-capable Cisco IP phones into an endpoint database? A. If the MAC address is not found in an endpoint database, any PC tethered to the Cisco IP phone will be allowed to access the network unauthenticated. B. If the MAC address is not found in an endpoint database, it will take 3 MAB timeouts (90 seconds) before the MAC address of the Cisco IP phone is automatically entered in the database. No calls can be made in the interim. C. If the MAC address is not found in an endpoint database, authentication will fail for the Cisco IP phone and the tethered PC port on the phone will be set to err-disable. The PC will not be able to communicate on the network. D. If the MAC address is not found in an endpoint database, authentication will fail for the Cisco IP phone and the Catalyst switch port will be set to err-disable. Neither the PC host nor the phone will be able to communicate on the network. Correct Answer: B QUESTION 15 Which two Cisco security products act as 802.1X authenticate servers? (Choose two) A. Cisco Security Agent B. CiscoWorks LAN Management System C. Cisco Information Security Engine D. Cisco Security Manager E. Cisco Secure Access Control System for Windows F. CiscoWorks LAN Management Solution G. CiscoWorks Open RADIUS Server H. Cisco Identity Services Engine Correct Answer: EH

7 QUESTION 16 Which two EAP methods require server-side digital certificates? (Choose two) A. EAP-FAST B. PEAP C. LEAP D. EAP-MD5 E. EAP-TLS Correct Answer: BE QUESTION 17 Which two statements are true regarding load balancing Cisco ISE Policy Services nodes with a Cisco Application Control Engine? (Choose two.) A. Each Cisco ISE Policy Services node must be configured with an identical unicast IP address that is used to receive policy requests from the load balancer. B. Each Cisco ISE Policy Services node must be configured with a unique (and non-reserved) multicast IP address that is used as a heartbeat channel. C. Each Cisco ISE Policy Services node must be configured with an identical (and non-reserved) multicast IP address that is used as a heartbeat channel. D. The virtual IP address of the ACE must be on the same IP subnet as the unicast subnet of the Cisco ISE Policy Services node. E. The virtual IP address of the ACE must not be on the same IP subnet as the unicast subnet of the Cisco ISE Policy Services node. F. Each Cisco ISE Policy Services node must be configured with a unique unicast IP address that is used to receive policy requests from the load balancer. Correct Answer: DF QUESTION 18 Which statement is true for certificate auto-enrollment on a Cisco IP phone? A. Cisco Unified Communications Manager CA Proxy Function (CAPF) is capable of auto-enrolling certificates. B. Cisco Unified Communications Manager Certificate Auto-Enroll Function (CAEF) is capable of autoenrolling certificates. C. Cisco IP phones are capable of using digital certificates, but manual enrollment is required. D. Cisco IP phones are not capable of using digital certificates. E. Microsoft Windows 2003 Certificate Server Telephony plug-in can be used for auto-enrolling certificates. F. Microsoft Windows 2008 Enterprise Certificate Server Telephony plug-in can be used for auto- enrolling certificates. Correct Answer: A

8 QUESTION 19 What is the purpose of the guest VLAN on a Cisco Catalyst switch? A. It provides configurable guest access to devices that have a supplicant but lack local credentials. B. It provides configurable guest access to non-supplicant devices that lack local credentials. C. It provides configurable guest access to devices that have a supplicant when the authenticator is down or unreachable. D. It provides configurable guest access to non-supplicant devices that have local credentials. E. It provides configurable guest access to devices that have a supplicant when the authentication server is down or unreachable. Correct Answer: B QUESTION 20 Which two PEAP requirements must be met to authenticate the TLS session? (Choose two.) A. The supplicant requires only an identity certificate. B. Cisco ISE requires an identity certificate and a CA certificate. C. The authenticator requires only an identity certificate. D. The supplicant requires an identity certificate and a CA certificate. E. The authenticator requires an identity certificate and a CA certificate. F. The supplicant requires only a CA certificate. G. Cisco ISE requires only an identity certificate. Correct Answer: BD QUESTION 21 Which two sets of ports does Cisco ISE listen on for RADIUS authentication and accounting messages? (Choose two.) A. UDP - Authentication 1535/Accounting 1536 B. UDP - Authentication 1645/Accounting 1646 C. TCP - Authentication 1535/Accounting 1536 D. TCP - Authentication 1645/Accounting 1646 E. UDP - Authentication 1812/Accounting 1813 F. TCP - Authentication 1812/Accounting 1813 Correct Answer: BE

9 QUESTION 22 Which three elements are required fields when adding a Cisco Wireless IAN Controller as a network device in Cisco ISE? (Choose three) A. Name B. Software Version C. Device Configuration Deployment D. RADIUS Shared Secret E. SSID F. Model Number G. IP Address Correct Answer: ADG QUESTION 23 During initial ISE setup, foe which three of the following required and optional elements does the setup script prompt the administrator to enter a value? (Choose three) A. Device Gateway B. Static Host Routes C. IP Address D. Active Directory Domain Name E. Path to RSA SecuriD Seed File F. NTP Server IP Address G. Path to RAMUS Seed File Correct Answer: ACD QUESTION 24 What action must be performed immediately after initial login to the Cisco ISE GUI? A. Configure an alternate local administrator account for password recovery. B. Configure profiling services to authenticate IP phones for MAB. C. Join a Microsoft Active Directory domain for time synchronization. D. Change the administrative user account password. E. Configure an NTP server for time synchronization. F. Configure RSA SecurelD to secure administrative access to Cisco ISE. Correct Answer: E

10 QUESTION 25 Which method provides authenticated guest access to nonsupplicant hosts? A. restricted VIAN B. authentication fallback C. authentication proxy D. web authentication E. guest VIAN F. flexible authentication Correct Answer: D QUESTION 26 Which hardware component of a Cisco TrustSec solution for 802.1X is optional but widely adopted in most networks? A. external Authentication server B. Cisco AnyConnect Secure Mobility Client C. authentication server D. authenticator E. Cisco 4200 Series IPS Correct Answer: B QUESTION 27 Consider a design where a Cisco Catalyst switch that supports Network Edge Access Topology (NEAT) is connected to an upstream switch that requires 802.1X authentication on the switch-to- switch link. What differentiates a Cisco Catalyst switch configured for NEAT from an unmanaged switch connected to the same upstream switch port? A. Switches that support NEAT can be configured with a port in supplicant mode. B. Switches that support NEAT can perform Layer 2 MAC address translation to allow multiple hosts to be seen by the upstream switch as the same host. C. Switches that support NEAT can be configured with a port in authenticator mode that supports authentication multi-host. D. Switches that support NEAT can be configured with a port in authenticator mode that supports authentication multi-auth. Correct Answer: A

11 QUESTION 28 Which two of these Cisco products can act as 802.1X authenticates? (Choose two.) A. Cisco 4255 Intrusion Prevention Sensor B. Cisco Catalyst 37SO Series Switch C. Cisco Wireless LAN Control D. Cisco Secure Access Control Server for Widows E. Cisco 3640 Rooter F. Cisco 5510 Adaptive Security Appliance G. Cisco Secure Access Control Solution for Windows H. Cisco 4255 Intrusion Prevention System Correct Answer: CD QUESTION 29 What is the purpose of the fallback profile command? A. This command configures the Critical VLAN policy on an interface. B. This command configures a WebAuth profile to use in the event that MAB authentication fails. C. This command configures a WebAuth profile to use in the event that 802.1X authentication fails. D. This command globally enables WebAuth authentication. E. This command configures the Guest VLAN policy on an interface. F. This command configures the Restricted VLAN policy on an interface. Correct Answer: C QUESTION 30 What is the purpose of the restricted VLAN (authentication failed VLAN) on a Cisco Catalyst switch? A. It provides configurable guest access to nonsupplicant devices that have local credentials. B. It provides configurable guest access to devices that have a supplicant when the authenticator is down or unreachable. C. It provides configurable guest access to nonsupplicant devices that lack local credentials. D. It provides configurable guest access to devices that have a supplicant when the authentication server is down or unreachable. E. It provides configurable guest access to devices that have a supplicant but lack local credentials. Correct Answer: E

12 QUESTION 31 Which three services run on a Cisco ISE node? A. Network Access Manager B. guest VLAN C. WebAuth D. telemetry E. profiling F. authentication G. security posture H. MAC security Correct Answer: EFG QUESTION 32 Whit is the default username and password for Cisco ISE? A. Admin/admin B. Cisco/Cisco C. Admin/Cisco D. Administrator/ Cisco E. Administrator/Admin F. Cisco/Cisco123 G. Admin/Cisco 123 H. Administrator/ Cisco 123 Correct Answer: C QUESTION 33 On which two non-ise appliances can Cisco ISE also be loaded? (Choose two) A. Cisco Secure ACS Appliance 3315 B. Cisco Secure ACS Appliance 1121 C. Cisco 5510 Adaptive Security Appliance D. Cisco NAC Appliance 1121 E. Cisco NAC Appliance 3315 F. Cisco 4255 Intrusion Prevention System G. Cisco 4255 Intrusion Prevention Sensor

13 Correct Answer: BE QUESTION 34 Which three types of NAD support RADIUS Change of Authorization requests? (Choose three) A. switches manufactured by other companies B. Cisco Wireless LAN Control C. remote-access VPN devices D. unmanaged switches and hubs E. Cisco Catalyst 3750 running IOS 12 2(52) SEl Correct Answer: ABE QUESTION 35 Which four of these operating systems include a native 802.IX? (Choose four.) A. Ubuntu Linux B. Microsoft Windows 7 C. Red Hat Enterprise Linux D. Apple OS X E. Microsoft Windows for Workgroups F. OpenVMS G. MVS/ESA Correct Answer: ABCD QUESTION 36 Which standards body maintains the 802.1X standard? A. ANSI B. ISO C. ITU D. IEEE E. NIST Correct Answer: D

14 QUESTION 37 Which two choices are valid Cisco TrustSec topologies? (Choose two) A. point-to-multipoint B. EAP C. wireless D. point-to-point E. wireless point-to-point F. wireless multipoint Correct Answer: CD QUESTION 38 What is the default authentication mode after initial configuration of Cisco ISE? A. hierarchical authentication B. rule-based authentication C. Simple authentication D. Microsoft Active Directory authentication E. distributed authentication Correct Answer: B QUESTION 39 Which three of these options can be configured as external identity servers for Cisco ISE? (Choose three) A. RSASecurID B. Microsoft Windows Active Directory Server C. Banyan StreetTalk D. generic LDAP server E. Microsoft NT Server Domain Controller F. Novell Directory Services Correct Answer: ABD QUESTION 40 Which two of these partial Cisco Catalyst switch commands are used to configure FlexAuth? (Choose two)

15 A. 3k-access(config-if)# authentication order B. 3k-access{config-if)# authentication priority C. 3k-access(config-rf)# authentication fallback D. 3k-access(config)# authentication direction E. 3k-access(config)# authentication priority F. 3k-access (config-rf) # authentication direction G. 3k-access (config) # authentication order H. 3k-access (config) #authentication fallback Correct Answer: AB QUESTION 41 What is the purpose of local WebAuth on a Cisco Catalyst switch? A. It provides configurable guest access to nonsupplicant devices that lack local credentials. B. It provides configurable guest access to devices that have a supplicant when the authenticator is down or unreachable. C. It provides configurable guest access to devices that have a supplicant when the authentication server is down or unreachable. D. It provides configurable guest access to nonsupplicant devices that have local credentials. E. It provides configurable guest access to devices that have a supplicant but lack local credentials. Correct Answer: D QUESTION 42 Which three implementation modes are valid for phased implementation of Cisco TrustSec? (Choose three.) A. low-impact B. administrative trace C. monitor D. low-security E. high-impact F. high-security Correct Answer: ACF QUESTION 43 In which OSI layer does EAP operate?

16 A. Layer 2 (data Link) B. Layer 4 (transport) C. Layer 7 (application) D. Layer 1 (physical) E. Layer 3 (network) Correct Answer: A QUESTION 44 Which Cisco TrustSec device performs user authenticated? A. RADIUS B. EAP C. supplicant D. authenticator E. authentication server Correct Answer: E QUESTION 45 Which three authentication c interface commands are valid for MACsec? (Choose three.) A. 3k-access(config-if)# authentication host-mode multi-domain B. 3k-access(config-if)# authentication host-mode multi-auth C. 3k-access(config)# authentication host-mode single-host D. 3k-access(config)# authentication host-mode multi-auth E. 3k-access(config)# authentication host-mode multi-host F. 3k-access(config-if)# authentication host-mode multi-host G. 3k-access(config)# authentication host-mode multi-domain H. 3k-access(config-if)# authentication host-mode single-host Correct Answer: AFH QUESTION 46 The information security policy of your organization requires that ports should remain administratively Up. Which selection represents the best practice for an 802.1X-enabled port that is configured to allow only one host to authenticate on the port?

17 A. The 3k-access(config-if)# authentication violation shutdown command can be used to prevent a second MAC address from authenticating on the port. B. The 3k-access(config-if)# authentication violation restrict command can be used to prevent any MAC address from authenticating on the port. C. The 3k-access(config-if)# authentication violation ignore command can be used to prevent any MAC address from authenticating on the port. D. The 3k-access(config-if)# authentication violation shutdown command can be used to prevent a second MAC address from authenticating on the port. Correct Answer: B QUESTION 47 Which three statements about hosts moving from port to port on the same switch that is configured for 802.1X are true? (Choose three.) A. Cisco IP phones send a RADIUS packet with Cisco-av-pair UCPort= Disco to signal to the Cisco Catalyst switch that the tethered PC has disconnected. B. The 3k-access(config-if)# authentication violation replace command can be used to allow a new host to authenticate to an IP phone that is not manufactured by Cisco. C. The 3k-access(config-if)# authentication violation replace command can be used to allow a host to disconnect from an IP phone that is not manufactured by Cisco and authenticate on a different "Pass Any Exam. Any Time." Cisco Exam port on the same switch. D. The 3k-access(config)# authentication mac-move permit command can be used to allow a new host to authenticate to an IP phone that is not manufactured by Cisco Cisco IP phones use Cisco Discovery Protocol to signal to the Cisco Catalyst switch that the tethered PC has disconnected. E. The 3k-access(config)# authentication mac-move permit command can be used to allow a host to disconnect from an IP phone that is not manufactured by Cisco and authenticate on a different port on the same switch. Correct Answer: ABE QUESTION 48 What must be configured on a Microsoft Windows 7 host to enable the Microsoft 802.1X supplicant for wired networks? A. Wired 802.1X support requires installation of Windows 7 Service Pack JL B. The 802.1X supplicant in the Authentication tab of interface Properties must be enabled. C. The host must acquire its IP address from DHCP. D. The Microsoft Wired AutoConfig service must be started. E X must be enabled in BIOS. F. On systems running Intel Ethernet controllers, Intel driver vl6.1 or higher is required to enable 802.1X support Correct Answer: D

18 QUESTION 49 Which three selections are valid model numbers for Cisco ISE hardware appliances? (Choose three) A. Cisco ISE 3355 B. Cisco ISE 3315 C. Cisco ISE 3390 D. Cisco ISE 3350 E. Cisco ISE 3395 F. Cisco ISE 3310 Correct Answer: ABE QUESTION 50 What is the purpose of the ip device-tracking command on a Cisco Catalyst switch? A. enables DHCP snooping, which creates a trusted binding table of MAC and IP addresses required by WebAuth B. enables the local DCHP proxy service required by WebAuth C. enables Dynamic ARP Inspection on an interface required by WebAuth D. enables ICMP probes to discover new hosts and add them to the tracking table required by WebAuth E. globally enables Dynamic ARP Inspection required by WebAuth F. enables ARP probes to discover new hosts and add them to the tracking table required by WebAuth G. enables port security required by WebAuth Correct Answer: D QUESTION 51 Which two choices are valid components of a Cisco TrustSec wireless infrastructure solution? (Choose two.) A supplicant B. autonomous access point C. lightweight access point D. wired LAN controller E. wireless repeater F. wireless LAN controller Correct Answer: CF

19 QUESTION 52 Which section of the 802.1X standard cites other 802 standards needed to Wry understand the scope of 802.1X? A. Section 3 - Definitions B. Section 2 - Normative References C. Section 5 - Acronyms and Abbreviations D. Section 4 - Normative Definitions E. Section 6 - Conformance Correct Answer: B QUESTION 53 Which section of the 802.1X standard includes use cases? A. Section 4 - Acronyms and Abbreviations B. Section 7 - Port-Based Network Access Control Applications C. Section 2 - Normative References D. Section 6 - Principles of Port-Based Network Access Control Operation E. Section 3 - Definitions Correct Answer: B QUESTION 54 Which two statements are true regarding communication from the authenticator to the authentication server (Cisco ISE)? (Choose two.) A. EAP messages are sent encapsulated in RADIUS protocol over UDP port B. EAP messages are sent encapsulated in RADIUS protocol over UDP port C. EAP messages are sent to the RADIUS server over UDP port D. EAP messages are sent to the RADIUS server over UDP port E. EAP messages are sent encapsulated in RADIUS protocol over UDP port F. EAP messages are sent to the RADIUS server over UDP port Correct Answer: AB

20 QUESTION 55 Which four selections below describe valid Cisco ISE Personas? (Choose four.) A. Cisco ISC B. Standalone C. Administrative D. Centralized E. Inline Posture F. Policy Services G. Monitoring H. Distributed Correct Answer: CEFG QUESTION 56 Which statement is true regarding the initiation of an 802.1X authentication exchange? A. EAPOL-Start is always initiated by the supplicant. B. EAPOL-Start can be initiated by the supplicant or the authenticator. C. EAPOL-Start is never initiated by the supplicant D. EAPOL-Start is always initiated by the authenticator. E. EAPOL-Start is never initiated by the authenticator. Correct Answer: A QUESTION 57 Which protocol used to communicate between the authenticator and authentication server? A. RADIUS B. EAP-FAST C. EAPOL D. EAP-TLS E. PEAP Correct Answer: A QUESTION 58 Which two choices are drivers of IEEE 802.1X adoption? (Choose two.)

21 A. wireless routers B. guest networks C. Wired Equivalent Privacy insecurity D. Wireless Encryption Protocol insecurity E. open switch ports Correct Answer: BE QUESTION 59 Which EAP method requires a digital certificate on the client? A. P1AP-MD5 B. LEAP C. EAP-GTC D. PEAP E. EAP-TLS F. EAP-MOS G. EAP-FAST Correct Answer: E QUESTION 60 Which two elements must you configure on a Cisco Wireless LAN Controller to allow Cisco ISE to authenticate wireless users? (Choose two.) A. Configure each WLAN to use the configured Cisco ISE node. B. Configure all attached LWAPs to use the configured Cisco ISE node. C. Configure the WLC to join a Microsoft Active Directory domain. D. Configure Cisco ISE as a RADIUS accounting server and shared secret. E. Configure Cisco ISE as a RADIUS authentication server and shared secret. F. Configure RADIUS attributes for each SSID. Correct Answer: AE QUESTION 61 Which two NADs does NOT support RADIUS Change of Authorization requests?(choose two.) A. Cisco Catalyst 3750 switches B. Cisco Adaptive Security Appliances

22 C. Unmanaged switches and hubs D. Cisco Wireless LAN Controllers Correct Answer: BC QUESTION 62 Which two choices are drivers of IEEE 802.1X adoption? (Choose two.) A. Guest networks B. Heterogeneous Networks C. Pervasive Wireless Deployments D. Unprotected switch ports E. Limited 802.1X standard functionality Correct Answer: AC QUESTION 63 Which module is NOT a valid component of Cisco AnyConnect Secure Mobility Client for Windows? A. VPN Module B. Profiling Module C. Network Access Manager D. Telemetry Module Correct Answer: B These are the VPN modules in Cisco Anyconnect client: Network Access Manager Posture Module Telemetry Module WebSecurity Module QUESTION 64 EAP was original created for which network type? A. Point-to-Point Protocol B. Local Area Network C. Wide Area Network D. Wireless Local Area Network Correct Answer: A

23 Reference: ation/guide/ eap_types.html QUESTION 65 What is the Cisco Catalyst Switch default port used for CoA? A. UDP 3799 B. UDP 1812 C. UDP 1645 D. UDP 1700 Correct Answer: A Reference: Note: If using ISE then the port will be 1700 and if using ACS then it will be 3799 (according to RFC 3799 is the default port for CoA). QUESTION 66 Which of the following RADIUS attribute is vendor specific and enables vendors to easily extend the protocol functionality? A. 1 B. 2 C. 5 D. 26 E. 64 Correct Answer: D Reference: QUESTION 67 Which of the following is true about PEAP? A. PEAP was created as an alternative to EAP-FAST B. PEAP is limited to MS-CHAP to authenticate the supplicant C. PEAP authentication operates in two phases D. PEAP only requires a client-side certificate Correct Answer: C

24 Reference: fa.html QUESTION 68 Which Cisco Catalyst Switch command enables 802.1X authentication globally? A. authentication priority dot1x mab B. authentication order dot1x mab C. dot1x pae authenticator D. dot1x system-auth-control E. aaa new-model Correct Answer: D Reference: ea1/ configuration/guide/sw8021x.html QUESTION 69 Which two Cisco Catalyst switch commands are required for URL-redirection? (Choose two.) A. 3k-access(config-if)# authentication webauth B. 3k-access(config-if)# authentication dot1x webauth C. 3k-access(config-if)# ip http secure-server D. 3k-access(config-if)# authentication order dot1x webauth E. 3k-access(config-if)# ip http server F. 3k-access(config-if)# dot1x priority webauth Correct Answer: CE