
Security Questions

May 1st, 2017

Question 1

Question 2

Explanation

The service password-encryption command encrypts all current and future passwords, so any password that already exists in the configuration will be encrypted.

Question 3

Explanation

Usually we enter a command like this:

username bill password westward

And the system displays this command as follows:

username bill password 7 21398211

The encrypted version of the password is 21398211. The password was encrypted by the Cisco-defined encryption algorithm, as indicated by the “7”.
However, if you enter the following command: “username bill password 7 21398211”, the system determines that the password is already encrypted and performs no encryption. Instead, it displays the command exactly as you entered it.

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfpass.html#wp1001412

Question 4

Question 5

Question 6

Explanation

This configuration will let someone telnet to that router without the password (so the line “password c1sco” is not necessary).

Question 7

Explanation

TACACS+ is an AAA protocol developed by Cisco. TACACS+ separates the authentication, authorization, and accounting steps. This architecture allows for separate authentication solutions while still using TACACS+ for authorization and accounting. For example, it is possible to use the Kerberos Protocol for authentication and TACACS+ for authorization and accounting. After an AAA client passes authentication through a Kerberos server, the AAA client requests authorization information from a TACACS+ server without the necessity to re-authenticate the AAA client by using the TACACS+ authentication mechanism.

Authentication and authorization are not separated in a RADIUS transaction. When the authentication request is sent to an AAA server, the AAA client expects to have the authorization result sent back in reply.

Reference: http://www.cisco.com/c/dam/en/us/products/collateral/security/secure-access-control-server-windows/prod_white_paper0900aecd80737943.pdf

Question 8

Explanation

802.1x is an IEEE Standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN.

Question 9

Explanation

TACACS+ (and RADIUS) allow users to be authenticated against a remote server -> E is correct.

TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header -> C is correct.

TACACS+ supports access-level authorization for commands. That means you can use commands to assign privilege levels on the router -> F is correct.

Note:

By default, there are three privilege levels on the router.
+ privilege level 1 = non-privileged (prompt is router>), the default level for logging in
+ privilege level 15 = privileged (prompt is router#), the level after going into enable mode
+ privilege level 0 = seldom used, but includes 5 commands: disable, enable, exit, help, and logout
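
The statement above that TACACS+ hides the whole packet body but leaves a standard header can be seen in the following added example (not part of the original explanation). It follows the 12-byte header layout and MD5 pad scheme of RFC 8907, which calls the body hiding obfuscation; the key, session ID and body bytes are constructed sample values.

```python
import hashlib
import struct

HEADER_LEN = 12            # version, type, seq_no, flags, session_id, length
FLAG_UNENCRYPTED = 0x01    # when set in flags, the body is sent in the clear

def pseudo_pad(sid: bytes, key: bytes, version: int, seq_no: int, n: int) -> bytes:
    """MD5 chain (RFC 8907): hash the fixed fields, then re-hash with the previous digest."""
    seed = sid + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < n:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:n]

def build_packet(body: bytes, key: bytes, session_id: int, seq_no: int = 1,
                 version: int = 0xC0, pkt_type: int = 0x01) -> bytes:
    """Cleartext 12-byte header followed by the body XORed with the pad."""
    sid = struct.pack("!I", session_id)
    pad = pseudo_pad(sid, key, version, seq_no, len(body))
    hidden = bytes(b ^ p for b, p in zip(body, pad))
    header = struct.pack("!BBBB", version, pkt_type, seq_no, 0) + sid
    return header + struct.pack("!I", len(body)) + hidden

def parse_packet(packet: bytes, key: bytes) -> tuple[dict, bytes]:
    """Read the header without the key; recover the body only with it."""
    version, pkt_type, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:HEADER_LEN])
    payload = packet[HEADER_LEN:]
    if length != len(payload):
        raise ValueError("length field does not match body size")
    header = {"version": version, "type": pkt_type, "seq_no": seq_no,
              "flags": flags, "session_id": session_id, "length": length}
    if flags & FLAG_UNENCRYPTED:
        return header, payload
    pad = pseudo_pad(struct.pack("!I", session_id), key, version, seq_no, length)
    return header, bytes(b ^ p for b, p in zip(payload, pad))

# Constructed sample values, not a real authentication START body or key.
KEY = b"constructed-shared-secret"
BODY = b"constructed body: user=bill action=login"

if __name__ == "__main__":
    pkt = build_packet(BODY, KEY, session_id=0x1234ABCD)
    print("header:", parse_packet(pkt, KEY)[0])
    print("on the wire:", pkt[HEADER_LEN:].hex())
```

Anyone capturing the packet can read the type, sequence number and session ID from the header, while the body is recoverable only with the shared key.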

Question 10

Explanation

There are three authentication and authorization modes for 802.1x:
+ Monitor mode
+ Low impact mode
+ High security mode

Monitor mode allows the IEEE 802.1X authentication methods to be deployed without any effect on user or endpoint access to the network. Monitor mode is basically like placing a security camera at the door to monitor and record port access behavior.

With AAA RADIUS accounting enabled, you can log authentication attempts and gain visibility into who and what is connecting to your network with an audit trail. You can discover the following:
+ Which endpoints such as PCs, printers, cameras, and so on, are connecting to your network
+ Where these endpoints connected
+ Whether they are 802.1X capable or not
+ Whether they have valid credentials
+ In the event of failed MAB attempts, whether the endpoints have known, valid MAC addresses

Monitor mode is enabled using 802.1X with the open access and multiauth mode Cisco IOS Software features enabled, as follows:
sw(config-if)#authentication open
sw(config-if)#authentication host-mode multi-auth

For more information about each mode, please read this article: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Phased_Deploy/Phased_Dep_Guide.html

Question 11

Explanation

All other answers are not recommended for a network security plan so only B is the correct answer.

Question 12

Explanation

The “enable secret” password is always encrypted (independent of the “service password-encryption” command) using the MD5 hash algorithm.

Note: The “enable password” command does not encrypt the password, which can be viewed in clear text in the running-config. To encrypt the “enable password”, use the “service password-encryption” command. In general, don’t use enable password; use enable secret instead.
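
The password-storage points from Questions 2, 3 and 12 can be checked mechanically against a saved configuration. The following is an added example, not part of the original explanations: a small audit over a constructed running-config fragment. The rule names are hypothetical, and the sample users and secrets are placeholders apart from the values quoted on this page.

```python
# Constructed running-config fragment; user names and secrets are sample data.
SAMPLE_CONFIG = """\
no service password-encryption
enable password c1sco
enable secret 5 $1$SAMPLE$PLACEHOLDER
username bill password westward
username alice password 7 21398211
username carol secret 5 $1$SAMPLE$PLACEHOLDER
line vty 0 4
 password c1sco
"""

RULES = {
    "NO_SERVICE_PASSWORD_ENCRYPTION": "service password-encryption is not enabled",
    "ENABLE_PASSWORD": "enable password in use; prefer enable secret",
    "CLEARTEXT": "password stored in clear text (type 0)",
    "TYPE7": "type 7 password: reversible Cisco-defined encoding, not a hash",
}

def audit(config: str) -> list[tuple[int, str]]:
    """Return (line_number, rule) findings; line 0 marks a config-wide finding."""
    findings = []
    encryption_on = False
    for n, raw in enumerate(config.splitlines(), 1):
        words = raw.split()
        if words == ["service", "password-encryption"]:
            encryption_on = True
        if "password" not in words or words[0] == "no":
            continue
        value = words[words.index("password") + 1:]
        if not value:
            continue
        if words[0] == "enable":
            findings.append((n, "ENABLE_PASSWORD"))
        # A leading "7" followed by a string marks an already-encoded password.
        typed7 = len(value) > 1 and value[0] == "7"
        findings.append((n, "TYPE7" if typed7 else "CLEARTEXT"))
    if not encryption_on:
        findings.append((0, "NO_SERVICE_PASSWORD_ENCRYPTION"))
    return findings

if __name__ == "__main__":
    for line_no, rule in audit(SAMPLE_CONFIG):
        print(f"line {line_no}: {rule}: {RULES[rule]}")
```

Lines that use `secret` are deliberately not flagged, matching the recommendation above to prefer enable secret.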

Comments (15)
  1. Leaks
    February 21st, 2017

    New Update, My student passed today. Latest 100% VALID CCNA Security 210-260 Exam Questions Dumps at below page including all labs in Packet Tracer format. Working VCE player also included in package
    INSTANT Download at below page:

    https://anon.click/bijus95

  2. datsmyaggro@yahoo.com
    March 13th, 2017

    looking for the latest dumps for CCNA Security Certification. Looking to take the test soon. Thanks.

    email is the name

  3. SlimShaddy
    March 23rd, 2017

    How come exec mode user privilege is achieved by setting privilege to 1 in the indicated answer A for question 3? Can someone explain please?

  4. jojo
    May 24th, 2017

    Question 14. Really SSH? Because SSH is used for secure remote login to a device, not for encrypted traffic. SSH doesn't carry data. I would say VPN – see http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14106-how-vpn-works.html

  5. froggen
    June 8th, 2017

    @jojo Q14 is a bad question for the CCNA. SSH is capable of tunneling traffic over a leased line. Putting a VPN into a Leased Line would be like putting a tunnel into an already existing tunnel.

  6. Becky
    June 29th, 2017

    How come the following statement:
    device-administration packets are encrypted in their entirety

    is true in Q9 but false in Q1.

  7. Josiah
    June 30th, 2017

    Passed today, Labs are same as the one here. Questions were all from this dumps

  8. osman
    July 4th, 2017

    I need CCNA Security dumps, please share them here. My exam is in August.

  9. aleon
    August 23rd, 2017

    @9tut

    In question 3 it says “configure a local username with an encrypted password and EXEC mode user privileges”

    and you selected option A, but if it says in the reference that if you type the kind of password as in A the system considers the password already encrypted, isn't the answer B?

  10. Anonymous
    September 8th, 2017

    Hi,
    There is a new question with drag and drop regarding TACACS+ and RADIUS, with 2 answers each:

    TACACS+ had something like: – port on which operates;
    – TACACS+ encrypts the entire body of the packet but leaves a standard header
    RADIUS: – RADIUS encrypts only the password and the rest of the packet is unencrypted.
    – RADIUS uses UDP

    I hope it helps at something.

  11. anon
    September 10th, 2017

    Q3. Explanation does not match question.

    Answer supposedly is A but I think it is D.

  12. Mack
    October 6th, 2017

    For all of you looking for the dumps, I used these ones and they were good enough https://drive.google.com/open?id=0B5mAFqgydmCzUWJPTTFkemFuQTA

    good luck

  13. noney12
    November 17th, 2017

    question 3 relevant piece is “with an encrypted password”
    the only relevant answer contains “password 7 [encrypted password]”
    exec level is irrelevant and a distraction
