Cisco Secure PIX Firewall Advanced Exam Certification Guide - Cisco press.pdf

Chapter 13 363

Chapter 13

"Do I Know This Already?" Quiz

1. What is the relationship between the Cisco PIX Firewall and the AAA server?

Answer: The Cisco PIX Firewall acts as a client to the AAA server.

2. What three methods are used to authenticate to the Cisco PIX Firewall?

Answer: HTTP, FTP, Telnet

3. How does the Cisco PIX Firewall process cut-through proxy?

Answer: The user connects to the PIX using HTTP, FTP, or Telnet, and then the PIX either authenticates the user locally or forwards the authentication information to a AAA server. After authenticating the user, the PIX opens the requested connection (if allowed in the security policy).

4. What are the main differences between RADIUS and TACACS+?

Answer: RADIUS travels over UDP and combines authentication and authorization; TACACS+ travels over TCP and sends authentication and authorization separately.

5. What patch level must you have Windows 2000 Professional configured to before you install CSACS?

Answer: Trick question. CSACS can be installed only on Windows NT/2000 Server.

6. Why is it important to authenticate a user before completing authorization?

Answer: You cannot assign any permissions unless you know who the user is.

7. What are the three layers of authentication?

Answer: Something you know, something you have, something you are

8. What is the purpose of the explain box during the CSACS installation?

Answer: The explain box brings up a window that provides explanations for each of the options in the configuration.

9. What do you need to verify before installing CSACS?

Answer: Your system should be up to date, including Internet Explorer, and you need connectivity with the NAS (PIX).

10. Why is it important to have Internet Explorer up to date on your CSACS?

Answer: Because CSACS is controlled through the browser.

364 Appendix A: Answers to the “Do I Know This Already?” Quizzes and Q&A Questions

Q&A

1. What platforms does CSACS support?

A. Windows XP Professional

B. UNIX

C. Windows NT Workstation

D. Windows 2000 Professional

Answer: B

2. Why is it important to do accounting on your network?

Answer: To keep track of who is accessing the network and what they are doing

3. What options are available to authenticate users on a PIX Firewall?

A. Local user database

B. Remote RADIUS server

C. Remote TACACS+ server

D. All of the above

Answer: D

4. What two technologies does the CSACS support?

Answer: RADIUS and TACACS+

5. True or false: Cut-through proxy authenticates users and then allows them to connect to anything.

Answer: False. Cut-through proxy authenticates users and connects them to resources they are authorized to use.

6. True or false: The CSACS installation on Windows NT/2000 Server is a relatively simple Installation Wizard.

Answer: True

7. Which of the following are not connection types for authenticating to a PIX Firewall? (Select all that apply.)

A. Telnet

B. SSH

C. FTP

D. HTTPS

Answer: B, D


Chapter 14

"Do I Know This Already?" Quiz

1. True or false: The show aaa command shows you everything that has to do with your AAA server in its configuration.

Answer: False. It does not show you the output of aaa-server.

2. Both your Cisco PIX Firewall and your CSACS are configured for TACACS+, but you cannot configure the downloadable PIX ACLs. What is the problem?

Answer: Downloadable PIX ACLs are supported only by RADIUS server.

3. What is the command to get authorization to work with access lists?

Answer: aaa authorization match acl_name inbound/outbound if_name group_tag

4. What is the one type of database you do not want to implement for a large enterprise network with many users?

Answer: A PIX local database, because it significantly increases the PIX Firewall's processor workload and can become very difficult to administer as the database's size increases.

5. What tab on the CSACS is used to configure the PIX, and what is the firewall considered?

Answer: The PIX is configured as a AAA client on the Network Configuration tab.

6. What three services are used to authenticate by default in the PIX?

Answer: FTP, HTTP, Telnet

7. How do you put text messages into the logon prompt for a Telnet session?

Answer: auth-prompt command

8. What three messages can you change with the auth-prompt command?

Answer: Prompt, accept, reject

9. If your timeout uauth is set to 0:58:00, when is the user prompted to reauthenticate after the session times out?

Answer: By default, timeout uauth absolute does not prompt the user to reauthenticate until he or she starts a new connection after the uauth timer has expired.

10. What does the option inactivity in the timeout uauth command mean?

Answer: This is the period of inactivity that elapses before the timeout timer is started.


11. What two formats can logs be written to using the CSACS?

Answer: .CSV and ODBC (flat file and database)

12. If you create a user on the CSACS and do not assign that user to a group, what group is he or she automatically assigned to?

Answer: The default group

13. You have added a new RSA SecurID Token Server to the network. In which two places do you configure the CSACS to use it?

Answer: It must be configured as an external user database, and you must select it for password authentication in the User Setup field.

14. What command is most commonly used to check your AAA configuration on the PIX?

Answer: show aaa or show aaa-server

Q&A

1. What is the best way to authenticate an H.323 connection?

A. Authenticate to the H.323 server.

B. Telnet to the H.323 server.

C. Virtual Telnet to the PIX for authentication.

D. Virtual HTTP to the CSACS for authentication.

Answer: C

2. What is the total number of AAA servers that the PIX can connect to?

Answer: 196 (14 servers per group, 14 groups)

3. How do you disable caching of user authentication?

Answer: timeout uauth 0

4. What happens to virtual HTTP if you disable timeout uauth absolute?

Answer: After authentication, the user is prevented from connecting to the destination web server.

5. How can you tell you have configured your NAS to authenticate using RADIUS in the CSACS by looking at the Shared Profile Components tab?

Answer: Downloadable PIX ACLs are unavailable unless the AAA client is configured to authenticate using RADIUS.

6. What are the two default password authentication databases configured on the CSACS?

Answer: CiscoSecure Database and Windows NT/2000


7. What PIX command establishes the authentication protocol to be used with the AAA server?

Answer: aaa-server

8. Which options are mandatory in every aaa authentication command on the PIX Firewall? (Select all that apply.)

A. include/exclude

B. inbound/outbound

C. local_ip/mask

D. group_tag

E. acl_name

Answer: B and D

9. True or false: You can restrict local access to the PIX Firewall using CSACS.

Answer: True. This is done using aaa authentication console.

10. How do you configure client IP address assignment on the CSACS when using the PIX Firewall as the AAA client?

Answer: This function is not used on the PIX Firewall.

11. By default, what is the maximum number of sessions allowed for a user who is configured on the CSACS?

Answer: The user account defaults to the group setting.

12. Why is it a good idea to rename your groups in CSACS?

Answer: So you can identify which group includes which users.

13. Where do you see the logs on the CSACS?

Answer: Reports and Activity

14. You are installing CSACS on your new Windows 2000 Professional, but you cannot get it to load correctly. What is most likely the problem?

A. CSACS requires server software.

B. Your patch level is not up to date.

C. You are running a personal firewall or host-based IDS that is blocking the installation.

D. You do not have administrative privileges on that system.

E. All of the above

Answer: A