- CCNP Security 300-208
51.
When configuring a Cisco switch for 802.1X, at which level of the configuration do the
802.1X-related commands exist?
- A. Global configuration only.
- B. Interface configuration only.
- C. Both at global configuration level as well as per interface.
- D. Enabling 802.1X changes the context to a dot1x subconfiguration mode, where all related commands are entered.
Answer : [C]
Explanation :
802.1X requires global-level configuration for servers, enabling 802.1X on the system itself, configuring change of authorization, and enabling VSAs, among others. Additionally, each interface that will be performing authentication will require interface-level commands.
52.
When configuring a Cisco Wireless LAN Controller (WLC) for communication with ISE, what
must be configured for the wireless LAN (WLAN)? (Choose two.)
- A. The authentication and authorization RADIUS servers can be pointed to different ISE PSNs, as long as those PSNs are part of a node group.
- B. The authentication and authorization RADIUS servers can be pointed to the same ISE PSN.
- C. The WLAN must be configured for SNMP NAC.
- D. The WLAN must be configured for RADIUS NAC.
Answer : [B, D]
Explanation :
When interacting with an advanced RADIUS server, such as Cisco ISE, Cisco WLCs require that the same ISE PSN be configured as the authentication and accounting server for the WLAN. Additionally, RADIUS NAC must be enabled on the advanced tab of the WLAN configuration.
53.
True or False? Cisco switches should be configured in production to send syslog messages to
the ISE MNT node.
- A. True
- B. False
Answer : [B]
Explanation :
Cisco switches can be configured to send syslog to the MNT node, where the data will be correlated as part of the authentication reports. However, this should be configured only when performing active troubleshooting or during an initial pilot/PoC.
54.
What is the purpose of adding a user with the username radius-test password
password command?
- A. The switch can send periodic RADIUS Access-Requests to the AAA servers to verify whether they are still alive. The username and password will be used for that test.
- B. The username and password are used for the local RADIUS server available in the switch, which is used in WAN down scenarios.
- C. The username and password are used for the supplicant’s outer identity to authenticate against the switch local user database.
- D. Without the local username and password in the configuration, an administrator can be locked out of the switch when the RADIUS server is unavailable.
Answer : [A]
Explanation :
The switch will send periodic test authentication messages to the RADIUS server (Cisco ISE). It is looking for a RADIUS response from the server; either an Access-Accept or an Access-Reject will suffice. The username and password used by the automated test must exist in the configuration.
55.
True or False? 802.1X can be configured on all switch interfaces, including Layer-3 interfaces.
- A. True
- B. False
Answer : [B]
Explanation :
Switch interfaces must be configured as Layer-2 access ports to run 802.1X (switchport).