5. Which command adds a RADIUS server to an IOS device's configuration?
A. Router(config)#RADIUS server add
B. Router(config)#aaa authentication server RADIUS
C. Router(config-if)#ip aaa RADIUS host
D. Router(config)#radius-server host
D
6. What UDP ports are used by Cisco as the default authentication and accounting ports?
A. 67 and 68
B. 1645 and 1646
C. 1812 and 1813
D. 20 and 21
E. None of the answers are correct.
B
7. What must the Key field on the Network Configuration screen in Cisco Secure ACS match?
A. The cryptographic key that was entered on the IOS-based switch when defining the RADIUS server
B. The IP address of the switch
C. The password that was entered for the user in the Protected Access Credential file
D. The passphrase used to encrypt data between the AAA server and the authenticator
E. The password entered on the supplicant
A
8. If the network between the supplicant and the AAA server is trusted, you can deploy user PAC files using which method?
A. Manually by importing a PAC file into each client's supplicant
B. Configure the switch to copy the PAC file from its flash to the client
C. Push the PAC file to the user from the Windows Server Active Directory store
D. Automatic (anonymous)
D
9. What is the tool used to create the Cisco SSC configuration profile?
10. From where are the Cisco SSC supplicant and the Cisco SSC Management Utility obtained?
A. Included in the IOS image
B. Included in Microsoft Windows Operating Systems
C. Downloaded from Cisco.com
D. Obtain from a TAC engineer
C
11. To provide per-user services, such as downloadable ACLs, which of the following must be deployed?
A. User authentication
B. Machine authentication
C. Combination of user and machine authentication
D. One-time passwords
E. All of these answers are correct.
AC
12. In EAP-TLS implementations, which kind of certificate is used to verify identity certificates?
A. The identity certificate belonging to each entity
B. Supplicant certificate
C. Certificate Authority (CA) certificate
D. SSL certificate
C
13. What identifies the hardware (computer) as opposed to the user identity that is used to identify users that are logged in to the machine?
A. SNMP
B. Host name
C. CA certificate
D. User identity
E. Machine identity
E
14. Cisco IBNS components can dynamically assign what two features to increase security in the environment?
A. Physical tokens
B. Access control lists (ACL)
C. Identity certificates
D. VLAN assignment
E. Kerberos ticket
BD
15. If MAB is enabled, when will the switch try to authenticate the non-802.1X-capable client by using its MAC address?
A. As soon as the switch receives the first EAPOL frame.
B. After 802.1X authentication times out.
C. It will not authenticate non-802.1X-capable clients.
D. After the client sends an authentication request.
E. None of these answers are correct.
B
16. How can web authentication be verified?
A. Use show ip admission cache in the CLI.
B. Call the user and ask him.
C. In the Passed Authentication report in Cisco Secure ACS.
D. Consult the logs on the web server.
E. None of these answers are correct.
AC
17. Which multi-host authentication mode allows multiple hosts to forward traffic through a single port but does not require authentication after the first host authenticates?
A. Multi-domain authentication mode
B. Single-host mode
C. Multi-host mode
D. Multi-auth mode
E. None of these answers are correct.
C
18. The default, fail-closed mode of the Cisco Catalyst IOS Software 802.1X authenticator can be changed by enabling which optional fail-open features?
D. Cannot be used with IP options packets
CD
27. Which of the following are benefits that are gained by using Flexible NetFlow?
A. Flexible key and non-key fields
B. Version 5 export format
C. Standardized key and non-key fields
D. Version 9 export format
AD
28. Which of the following are Flexible NetFlow components?
A. Flow sequencers
B. Flow policers
C. Flow monitors
D. Flow samplers
CD
29. Unicast RPF utilizes which of the following to compare source packet information?
A. IP routing table
B. CEF FIB
C. Topology tables
D. NetFlow records
B
II. Fill-in-the-blank questions
1. ______ is an IEEE standard that provides a framework for authenticating and authorizing network devices connected to LAN ports and for preventing access in the event that the authentication fails.
802.1X
2. Configuring ______ causes a periodic verification to take place, thus ensuring that the client is still connected and the port should remain in the authenticated state.
reauthentication
3. Enable 802.1X globally on the switch with the ______ global command.
dot1x system-auth-control
4. Verify the operational status of the 802.1X configuration on your device by using the ______ command.
show dot1x
5. ______ can be used to restrict 802.1X users to only access the network from a certain network address space.
Network Access Restrictions (NAR)
6. The Cisco IOS Software ______ command can be used to verify that the 802.1X authentication is functioning properly.
dot1x test eapol-capable
7. The ______ and ______ do not both authenticate to the network at the same time. ______ authentication is only needed when the user logs off.
machine, user, machine
8. With the ______ optional EAP-TLS parameter, the TLS session keys are essentially cached, thus allowing faster reauthentication by not having to perform a full TLS handshake.
enable fast reconnect
9. The ______ command can be used to choose a preferred authentication method over another.
authentication priority
10. When the user sends a(n) ______ request to the web server, the switch intercepts the user's HTTP session request and presents the user with a pop-up dialog box that has a username and password field.
HTTP
11. Beginning with ______ of Cisco IOS Software, the dot1x host-mode command was replaced with the ______ command.
12.2(33)SXI, authentication host-mode
12. When configuring fail-open policies, label an interface as critical by using the ______ interface configuration command.
authentication event server dead action authorize vlan
13. To handle Wake-on-LAN devices in an 802.1X environment, configure the interface as ______ by using the ______ interface command.
authentication control-direction in, unidirectional controlled port
14. Use the ______ with ______ to authenticate non-802.1X IP phones based on their MAC addresses.
multi-domain authentication, MAC Authentication Bypass (MAB)
15. There is a(n) ______ at the end of each access list.
implicit deny
16. An extended access list can use the number ranges of ______ and ______.
100-199, 2000-2699
17. The wildcard mask that would be used with a subnet mask of 255.255.255.192 would be ______.
0.0.0.63
18. When assigning reflexive access lists to an interface, they are typically placed ______ on an interface facing away from the internal network or ______ on an interface facing toward the internal network.
outbound, inbound
19. Both PHDF and TCDF are formatted using ______.
XML
20. When using FPM, traffic can be classified using ______ files or using the ______.
TCDF, CLI
21. FPM is only able to inspect ______ unicast packets.
IPv4
22. ______ fields are used by NetFlow to identify specific flows.
Key
23. Unicast RPF can operate in ______ or ______ mode.
strict, loose
24. When configuring Unicast RPF, the first thing that must be configured is ______.