Securing Cisco IOS Networks Study Guide - Carl Timm

Answers to Written Lab


1. Async, group-async, BRI, and serial (PRI) are all considered packet-mode access methods.

2. TTY, VTY, AUX, and CTY are considered character-mode access methods.

3. The least secure authentication method is no username or password.

4. Token cards/soft tokens are the most secure type of authentication.

5. The aaa new-model command enables AAA globally on the NAS.

6. Authentication, authorization, and accounting are the three AAA components.

7. The authorization component controls user privileges.

8. False. Authentication servers such as TACACS+ and RADIUS servers are used to authenticate users remotely: the NAS forwards the credentials to the server instead of checking them against its own local database.

9. The authentication component identifies users.

10. The authorization component limits what a user is permitted to do on the network.

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com

Chapter 2 Introduction to AAA Security

Answers to Review Questions

1. B. Token cards/soft tokens are the most secure type of authentication.

2. B. The tacacs+ local keywords at the end of the command say to authenticate via TACACS+ and, if no TACACS+ server responds, to fall back to local username authentication. Note that the fallback applies only when the server is unreachable; an explicit reject from the TACACS+ server ends the attempt.

3. B. To start AAA on a NAS, use the global configuration command aaa new-model.

4. C. Authentication identifies a user; it covers the login and password dialog, challenge and response, messaging support, and, depending on the security protocol selected, encryption.

5. B, D. TACACS+ and RADIUS provide authentication for users.

6. B. Authorization determines what a user is permitted to do after logging on.

7. B, C. Interface bri0/0 is the incoming interface being challenged by CHAP.

8. A, B, D. As with start-stop, the command sends both a start and a stop accounting record to the RADIUS accounting server. Because the wait-start keyword is used, however, the requested user service does not begin until the start accounting record is acknowledged. A stop accounting record is still sent when the session ends.

9. A, C, D. The output is from AAA authentication debugging, which makes answer D correct. The third line says the method of authentication is local, and the fourth line says it passed (successful). The user is Todd, not a member of a group named Todd.

10. A, B, F. Async, group-async, BRI, and serial (PRI) are all considered packet-mode access methods. TTY, VTY, AUX, and CTY are considered character-mode access methods.

11. A, E, G. Async, group-async, BRI, and serial (PRI) are all considered packet-mode access methods. TTY, VTY, AUX, and CTY are considered character-mode access methods.

12. C. CHAP protects against playback (replay) attacks, in which a captured packet is resent as part of an attack, because each challenge is a fresh random value and the hashed response is valid only for that transaction.

13. C. CHAP periodically verifies the identity of the peer using a three-way handshake (challenge, response, success or failure). The handshake is done upon initial link establishment and may be repeated any time after the link has been established.

14. B. TACACS+ was developed by Cisco and is specifically designed to interact with Cisco's AAA services.

15. C. Kerberos was developed at MIT and was designed to provide strong security using the DES cryptographic algorithm.

16. C. One-time passwords (OTPs) provide the most secure username/password authentication method. Most OTP systems are based on a secret pass-phrase that is used to generate a list of passwords. An OTP is good for only one login and is therefore useless to anyone who manages to eavesdrop on and capture it.

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com

17. C, D. The text after AAA/ACCT means that this is from the accounting component of AAA. protocol=telnet means that the user has gained access via the Telnet protocol.

18. C, D. The text after AAA/AUTHEN means that this is from the authentication component of AAA. Method=LOCAL means that the local method (the router's own username database) is used for authentication.

19. A, B. The text after AAA/AUTHOR means that this is from the authorization component of AAA. The username is Todd.

20. A, B, D. The debug commands debug aaa authentication, debug aaa authorization, and debug aaa accounting can be used to help you trace AAA packets and monitor AAA activity on the NAS.
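The following configuration is an added example, not taken from the study guide, that ties together the commands the written lab and review answers above refer to: enabling AAA, a method list that falls back from TACACS+ to local authentication, separate lists for character-mode and packet-mode access, and the difference between start-stop and wait-start accounting. The server address 192.0.2.10, the shared key, the local username and its password are placeholder values.

```cisco
! Added example (not from the study guide). Placeholder values:
! 192.0.2.10 (TACACS+ server), S3cr3tKey (shared secret), admin/LocalFallbackPw.
!
! Enable AAA globally on the NAS (written lab 5, review question 3).
aaa new-model
!
! TACACS+ server and the key it shares with CiscoSecure ACS (assumed values).
tacacs-server host 192.0.2.10
tacacs-server key S3cr3tKey
!
! Local fallback account. It is consulted only when no TACACS+ server answers;
! a reject returned by TACACS+ is final and does not fall through to this entry.
username admin privilege 15 secret LocalFallbackPw
!
! Character-mode access (VTY, TTY, AUX, CTY): TACACS+ first, local only if the
! server is unreachable (review question 2). Pre-12.0 IOS writes this method
! list as "tacacs+ local" instead of "group tacacs+ local".
aaa authentication login default group tacacs+ local
!
! Packet-mode access (async, group-async, BRI, PRI) is authenticated by PPP,
! so it needs its own method list (review questions 7, 10 and 11).
aaa authentication ppp default group tacacs+ local
!
! Authorization decides what the authenticated user may do (written lab 7).
aaa authorization exec default group tacacs+ local
!
! Accounting. start-stop sends a start record and lets the session begin at
! once; wait-start also sends a start record but holds the requested service
! until the server acknowledges that record (review question 8). Both send
! a stop record when the session ends.
aaa accounting exec default start-stop group tacacs+
aaa accounting network default wait-start group tacacs+
!
! Apply the login list to the VTY lines (the list named "default" applies
! automatically, but stating it makes the intent visible).
line vty 0 4
 login authentication default
!
! Dial-in interface authenticated with CHAP: a fresh random challenge on each
! handshake, so a captured response cannot be replayed (review questions 12, 13).
interface bri0/0
 encapsulation ppp
 ppp authentication chap
!
```

To confirm what was applied, `show running-config | include aaa` lists the method lists. `debug aaa authentication`, `debug aaa authorization` and `debug aaa accounting` produce the AAA/AUTHEN, AAA/AUTHOR and AAA/ACCT lines interpreted in review questions 9 and 17 through 20; the Method= field in the authentication output shows whether TACACS+ or the LOCAL fallback handled a given attempt, which is the quickest way to notice that the server has become unreachable.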


Chapter 3: Configuring CiscoSecure ACS and TACACS+

THE FOLLOWING SECUR EXAM TOPICS ARE COVERED IN THIS CHAPTER:

CiscoSecure ACS for Windows NT or Windows 2000

Installing CiscoSecure ACS 3.0 for Windows NT or Windows 2000

Configuring CiscoSecure ACS for Windows 2000

Administering and troubleshooting CiscoSecure ACS for Windows NT or Windows 2000

CiscoSecure ACS 2.3 for Unix (Solaris)

Understanding and configuring TACACS+

Verifying TACACS+
