Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
43 Cards in this Set
- Front
- Back
|
What is Identity Based Network Services (IBNS)?
|
Expands L2 security through 802.1x technologies; verifies based on personal ID, not just MAC or Ip
|
|
|
What enforcement services are available in Standard IBNS?
|
Authentication based on users or device; policies mapped to network identity; Port based access based on AAA; policy enforcement based on access level;
|
|
|
What extra services are available in Cisco IBNS?
|
VLAN Assignment; Connect directly to port security; Voice VLAN ID; Guest VLAN; ACL assignment; high availability with redundant supervisors (high Cat Switches)
|
|
|
What are the three components to an 802.1x infrastructure?
|
Supplicant; Authenticator; Authentication Server
|
|
|
Describe the 802.1x message exchange process?
|
Ignore This One
|
|
|
What general configuration on the supplicant, authenticator, and authentication server are required for 802.1x?
|
Authenticator - communicate with Auth Server using RADIUS; Authentication Server - configured to allow 802.1x and provide info back to Authenticator (eg: VLAN)
|
|
|
How do you configure the RADIUS server on a Cisco Switch? (in prep for 802.1x)
|
conf t aaa new-model aaa authentication dot1x default group radius aaa authorization network default group radius < allow RADIUS to send VLAN or ACL info radius-server host 10.1.1.10 [auth-port PORT] key securekey
|
|
|
How do you configure the 802.1x on the switch?
|
dot1x system-auth-control < globally enable interface fa0/1 (or interface range fa0/1 fa0/10) switchport mode access dot1x port-control auto (force-authorization or force-unauthorized) dot1x guest-vlan 10 < vlan if auth fails
|
|
|
What benefits are there to IBNS?
|
improved user flexibility and mobility; increased network and resource connectivity; reduced operating costs and user productivity
|
|
|
What type of traffic is permitted before 802.1x authentication occurs?
|
CDP, STP, and 802.1x
|
|
|
What are the parts to an EAP frame?
|
Code 1 Byte: 1, Request, 2, Response, 3, Success, 4, Failure ID 1 Byte - match requests with responses Length 2 bytes Data 0+ bytes
|
|
|
In an EAPoL packet, what are the different values for the Packet Type?
|
0 - EAP-Packet 1 - EAPoL Start 2 - EAPoL Logoff 3 - EAPoL Key 4 - EAPoL Encapsulated-ASF-Alert
|
|
|
What are the 4 general types of EAP Authentication and the specific methods within each?
|
Challenge-response - EAP-MD5, LEAP, EAP-MSCHAPv2 Cryptographic - EAP-TLS Tunneling Based - PEAP, EAP-TTLS, and EAP-FAST Other - EAP-GTC
|
|
|
Describe EAP-MD5
|
Identity not sent directly, instead some clear text is hashed with password and sent to server for verification; requires reversible encryption passwords on Auth Server; Being phased out by Microsoft
|
|
|
Describe LEAP
|
Mutual authentication based hashes of challenge information with both the user password and shared secret
|
|
|
Describe EAP-TLS
|
Mutual Authentication based on certificates Requires complex configuration with CA suitable for large enterprises
|
|
|
Describe PEAP
|
Created by Cisco, Microsoft and RSA uses only server passwords to create TLS tunnel Inside tunnel, client is authenticated with another method such as OTP (one time password) or AD through MS-CHAPv2
|
|
|
Describe EAP-FAST
|
created by Cisco for customers looking for strong password policies without certificates protected against MitM Attacks, replay attacks, and dictionary attacks symmetric key algorithms; uses Protected Access Credential (PAC) Phase 1 - tunnel using PAC for mutual auth Phase 2 - client auth with whatever method using Phase 0 - infrequently used to dynamically assign PAC
|
|
|
What port types don't allow 802.1x auth?
|
EtherChannel, SPAN, RSPAN, and maybe Trunking ports (think this may have changed and are now included in some switch platforms)
|
|
|
What are optional tasks that can be done as part of an 802.1x config?
|
configure re-authentication manually re-authentication changing quiet period changing switch-client transmission times setting switch-client retransmission numbers config host mode config guest VLAN resetting 802.1x to default values debugging 802.1x
|
|
|
What are the RADIUS attributes used in VLAN assignment?
|
Attrib 54 - Tunnel-Type=VLAN (type 13) Attrib 65 - Tunnel-Medium-Type=802 (type 6) Attrib 81 - Tunnel-Private-Group-ID=VLANID (name not number)
|
|
|
What is required for per-user ACL?
|
single host mode - this is the default
|
|
|
How (and what types) can you configure global radius values
|
radius-server timeout radius-server retransmit radius-server key
|
|
|
How do you configured 802.1x re-authentication
|
interface level configuration conf t int fa0/3 dot1x reauthentication dot1x timeout reauth-period 7200 < seconds
|
|
|
How do you force a re-authentication?
|
in Priv Exec Mode dot1x re-authenticate interface fa0/3 DOESN'T DESTURB CONNECTIVITY
|
|
|
How do you force a full reconnection?
|
in Priv Exec Mode dot1x initialize interface fa0/1 DOES STOP CURRENT CONNECTIONS
|
|
|
What is the quiet period on a switch?
|
Time between failed authentication attempts
|
|
|
How do you change the quiet period
|
conf t int fa0/3 dot1x timeout quiet-period 45 < seconds
|
|
|
How do you change the switch-client retransmission time and number?
|
conf t int fa0/3 dot1x timeout tx-period 90 < seconds 15-65,535 dot1x max-req count 4 < integer 1-10
|
|
|
What controls access to medium in 802.1x multi-host mode?
|
If one host is authenticated, all gain access
|
|
|
How do you configure multi-host mode?
|
conf t int fa0/3 dot1x port-control auto < must be in auto mode dot1x host-mode multi-host
|
|
|
How do you configure the guest vlan information?
|
conf t dot1x guest-vlan supplicant < allow clients 802.1x capable that fail auth onto guest vlan int fa0/3 dot1x guest-vlan 2
|
|
|
What DHCP related problem could arise in an 802.1x environment?
|
The DHCP process could timeout on the client while the 802.1x system is processing. May need to reduce transmission times and retry counts
|
|
|
How can you reset 802.1x to default values?
|
conf t int fa0/3 dot1x default
|
|
|
What is the command and format for displaying 802.1x info?
|
show dot1x [all]| [interface ID] | [statistics interface ID] [|begin |include |exclude] [expression]
|
|
|
What type of info is showed with the show dot1x command?
|
Whether Enabled Guest VLAN Setup dot1x version
|
|
|
What type of info is showed with the show dot1x interface/all command?
|
Client MAC Auth State Port Status MaxReq Host Mode Port Control Quiet Period Re-Auth Status and Period Server Timeout Supp Timeout TxPeriod Guest VLAN
|
|
|
What information is displayed by show dot1x statistics interface ID?
|
TxReqID - Request Identity Frames Sent TxReq - Non Request Identity but Request packets TxTotal - Total EAPoL frames sent RxStart - EAPoL frames received RxLogoff - EAPoL-Logoff Frames received RxRespId - EAPoL-Response Identity Frames received RxResp - Non-Response EAPoL response frames received RxInvalid - unrecognized frame types received RxLenErr - with invalid body length fields RxTotal - Valid EAPoL frames received RxVersion - packets with 802.1x v1 LastRxSrcMac - Last MAC from an EAPoL packet
|
|
|
What different debug dot1x options are there?
|
errors events packets registry state-machine all
|
|
|
How can you set the maximum number of failed authentication attempts before moving to the restricted vlan in dot1x
|
conf t int fa0/2 dot1x auth-fail max-attempts (1-3)
|
|
|
How do you enable Vendor Specific Attributes on the switch?
|
radius-server vsa send [accounting / authentication]
|
|
|
How do you configure the restricted vlan on a port?
|
conf t int fa0/2 dot1x auth-fail vlan 34
|
|
|
What timer values are recommended to ensure compatibility with DHCP?
|
conf t int fa0/2 dot1x timeout tx-period 15 dot1x timeout quiet-period 3
|
