Exam Prep Questions


Question 1

You want to use an access list with authentication proxy to better define which hosts and networks must authenticate. Which of the following ACLs can you use with authentication proxy?

  • A. Either extended IP ACLs or standard IP ACLs

  • B. Standard named IP ACLs only

  • C. Extended named IP ACLs only

  • D. Standard numbered IP ACLs only

  • E. Extended numbered IP ACLs only

A1:

Answer: D. According to current Cisco course curriculum for authentication proxy, you can use only standard numbered IP ACLs. For testing purposes, go with standard numbered IP ACLs. However, newer versions of the IOS allow for standard or extended IP ACLs that are either numbered or named.

Question 2

For a client to successfully authenticate with the IOS Firewall's authentication proxy feature, what protocol must the client be using?

  • A. FTP

  • B. HTTP

  • C. SSH

  • D. SSL

  • E. Telnet

A2:

Answer: B. Authentication proxy requires the HTTP protocol; authentication proxy is HTTP-based authentication. Authentication proxy intercepts HTTP requests on port 80. None of the other protocols listed use port 80.

Question 3

You are configuring the Custom Attributes field on a CSACS server for use with authentication proxy. Which of the following statements are correct regarding this configuration?

  • A. Only deny entries are allowed.

  • B. Either permit or deny entries are allowed.

  • C. Source IP addresses must use the any keyword.

  • D. Destination address must use the any keyword.

  • E. Only permit entries are allowed.

A3:

Answer: C, E. The IOS Firewall router will replace the any keyword for the source IP address in the proxyacl entry with the actual source IP address of the authenticated user. Therefore, you can only use the any keyword for the source IP address. Also, you can configure only permit entries on the CSACS server when using authentication proxy.

Question 4

You are configuring the Custom Attributes field on a CSACS server for use with authentication proxy. What privilege level must you enable for all users in the Custom Attributes field?

  • A. 0

  • B. 1

  • C. 5

  • D. 10

  • E. 15

A4:

Answer: E. Use the command priv-lvl=15 in the CSACS Custom Attributes field. When using authentication proxy, the only privilege level allowed is level 15. However, this does not mean the user has access to a router's EXEC mode.

Question 5

You are configuring the Custom Attributes field on a CSACS server for use with authentication proxy. What is the correct form to configure a user's authorization profile?

  • A. proxy#99=permit ip any any

  • B. acl#55=permit ip any any

  • C. proxyacl#10=permit ip any any

  • D. proxacl#11=permit ip host 1.1.1.1 any

  • E. proxacl#11=permit ip any host 1.1.1.1 eq 80

A5:

Answer: C. The correct command to configure a user authorization profile is proxyacl#n, where n is a number. Remember that only the keyword any is allowed for the source IP address. The other answers do not use the correct command to configure a proxy ACL.

Question 6

By default, how long will the IOS Firewall's authentication proxy service maintain dynamic ACL entries for an idle user?

  • A. 90 seconds

  • B. 8 minutes

  • C. 15 minutes

  • D. 45 minutes

  • E. 60 minutes

A6:

Answer: E. When the authentication proxy idle timeout expires, the service removes the user authentication cache in addition to the router's dynamically configured access list entries for the user. You can configure the cache timeout value by using the ip auth-proxy auth-cache-time min command.

Question 7

Choose the correct command to configure a router's HTTP server to use AAA services for authentication.

  • A. ip http authentication aaa

  • B. http aaa enable

  • C. ip http aaa enable

  • D. http authentication aaa

  • E. aaa authentication http

A7:

Answer: A. Ensure that you have enabled the router's HTTP server, which is disabled by default, with the ip http server command. Use the command ip http authentication aaa to have the router's HTTP server use AAA services.

Question 8

You have issued the show ip auth-proxy cache command to display authentication proxy information. What does the word HTTP_ESTAB mean in the display output?

  • A. The router is downloading the user's authorization profile.

  • B. A user has been successfully authenticated.

  • C. The router has established an HTTP connection to the AAA server.

  • D. The host has established an HTTP connection to the IOS router.

  • E. The router is in the process of authenticating a user.

A8:

Answer: B. After a user is authenticated, the IOS router downloads his or her associated authorization profile. Use the show ip auth-proxy cache command to troubleshoot your configuration and to verify that a user has successfully authenticated.




CCSP SECUR Exam Cram 2 (642-501)
ISBN: B000MU86IQ
Year: 2003
Pages: 291
Authors: Raman Sud
