shshank

400-251 CCIE Security written discussion..


There are 1 or 2 questions not seen in the 177Q, but seen in old. I have forgotten what they are. ATTENTION: some questions have more or less confusing options, but the answer is the same option.

congrats. .. you just escaped....can you share the old dump....


Guys please help me for the below questions.

 

 

QUESTION 108 For your enterprise ISE deployment, you are looking to use certificate-based authentication for all your Windows machines. You have already gone through the exercise of pushing the machine and user certificates out to all the machines using GPO. Since certificate-based authentication, by default, doesn't check the certificate against Active Directory or require credentials from the user, this essentially means that no groups are returned as a part of the authentication request. What are the possible ways to authorize the user based on Active Directory group membership?

 

 

A. Configure the Windows supplicant to use saved credentials as well as certificate-based authentication

B. Enable Change of Authorization on the deployment to perform double authentication

C. Use EAP authorization to retrieve group information from Active Directory

D. The certificate should be configured with the appropriate attributes which contain appropriate group information, which can be used in Authorization policies

E. Use ISE as the Certificate Authority, which will then allow automatic group retrieval from Active Directory to perform the required authorization

F. Configure Network Access Device (NAD) to bypass certificate-based authentication and push configured user credentials as a proxy to ISE

 

ANS : F or E ? which is more relevant ?

 

QUESTION 100 In a large organization, with thousands of employees scattered across the globe, it is difficult to provision and onboard new employee device with the correct profiles and certificates. With ISE, it is possible to do that with client provided device. Which four conditions must be met? (Choose four.)

 

A. Endpoint operating system should be supported

B. Client provisioning is enabled on ISE

C. The pxGrid controller should be enabled on ISE

D. Device MAC addresses are added to the Endpoint Identity Group

E. Profiling is enabled on ISE

F. SCEP Proxy is enabled on ISE

G. Microsoft windows server is configured with certificate services

H. ISE should be configured as SXP listener to push SGT-to-IP mapping to network access devices

I. Network access device and ISE should have the PAC provisioning for CTS environment authentication

 

Correct Answer: BDEF or ABEF


 

 

QUESTION 112 In an effort to secure your enterprise campus network, any endpoint that connects to the network should authenticate before being granted access. For all corporate-owned endpoints, such as laptops, mobile phones and tablets, you would like to enable 802.1x and once authenticated allow full access to the network. For all employee owned personal devices, you would like to use web authentication, and only allow limited access to the network. Which two authentication methods can ensure that an employee on a personal device can't use his or her Active Directory credentials to log on to the network by simply reconfiguring their supplicant to use 802.1x and getting unfettered access? (Choose two.)

 

A. Use PEAP-EAP-MSCHAPv2

B. Use EAP-FAST

C. Use EAP-TLS or EAP-TTLS

D. Use EAP-MSCHAPv2

E. Use PAP-CHAP-MSCHAP

F. Use PEAP-EAP-TLS

 

Correct Answer: AB or CF ?

personal devices should not get full access so need to depend on cert based auth if so then CF should match

 

 

 

QUESTION 74 Which two statements about SPAN sessions are true? (Choose two.)

 

A. A single switch stack can support up to 32 source and RSPAN destination sessions

B. They can monitor sent and received packets in the same session

C. Multiple SPAN sessions can use the same destination port

D. Source ports and source VLANs can be mixed in the same session

E. They can be configured on ports in the disabled state before enabling the port

F. Local SPAN and RSPAN can be mixed in the same session

 

Correct Answer: BE or CF ?

 

A , D are wrong

E, B,C correct ?

F looks wrong


 

 

 

QUESTION 85

Refer to the exhibit. Which two effects of this configuration are true? (Choose two.) Case Study Title (Case Study):

aaa new-model
aaa authentication login default local
aaa authentication exec default local
username cisco privilege 9 password 0 cisco
username five privilege 5 password 0 five
username adminuser privilege 15 password adminuser
username superuser password superuser
username superuser privilege 15 autocommand show running
privilege configure level 8 snmp-server community
privilege exec level 5 show running
privilege exec level 8 configure terminal

 

A. User five can view usernames and passwords

B. User superuser can view the configuration

C. User superuser can change usernames and passwords

D. User superuser can view usernames and passwords

E. User five can execute the show run command

F. User cisco can view usernames and passwords

 

Correct Answer: BF or BE ?

 

 

 

QUESTION 90 All your employees are required to authenticate their devices to the network, be it company owned or employee owned assets, with ISE as the authentication server. The primary identity store used is Microsoft Active directory, with username and password authentication. To ensure the security of your enterprise, your security policy dictates that only company owned assets should be able to get access to the enterprise network, while personal assets should have restricted access. Which option would allow you to enforce this policy using only ISE and Active Directory?

 

A. Configure an authentication policy that uses the computer credentials in Active Directory to determine whether the device is company owned or personal.

B. This would require deployment of a Mobile Device Management (MDM) solution, which can be used to register all devices against the MDM server, and use that to assign appropriate access levels.

C. Configure an authentication policy that checks against the MAC address database of company assets in ISE endpoint identity store to determine the level of access depending on the device.

D. Configure an authorization policy that checks against the MAC address database of company assets in ISE endpoint identity store to determine the level of access depending on the device.

E. Configure an authorization policy that assigns the device the appropriate profile based on whether the device passes Machine Authentication or not.

 

Correct Answer: D or E ?

 

 

QUESTION 95 An employee using an Android phone on your network has disabled DHCP, enabled its firewall, modified its HTTP User-Agent header, to fool ISE into profiling it as a Windows 10 machine connected to the wireless network. This user is now able to get authorization for unrestricted network access using his Active Directory credentials, as your policy states that a Windows device using AD credentials should be able to get full network access. Whereas, an Android device should only get access to the Web proxy. Which two steps can you take to avoid this sort of rogue behavior? (Choose two.)

 

A. Create an authentication rule that should only allow session with a specific HTTP User-Agent header

B. Modify the authorization policy to only allow windows machines that have passed Machine Authentication to get full network access

C. Add an authorization policy before the Windows authorization policy that redirects a user with a static IP to a web portal for authentication

D. Chain an authorization policy to the Windows authorization policy that performs additional NMAP scans to verify the machine type, before allowing access

E. Only allow certificate-based authentication from Windows endpoints, such as EAP-TLS, or PEAP-TLS. Should the endpoint use MSCHAPv2 (EAP or PEAP) the user should be only given restricted access.

F. Perform CoA to push a restricted access when the machine is acquiring address using DHCP

 

Correct Answer: BC or BE ?

 

QUESTION 61 A client computer at 10.10.7.14 is trying to access a Linux server (11.0.1.9) that is running a Tomcat Server application. What TCP dump filter would be the best to verify that traffic is reaching the Linux Server eth0 interface?

A. tcpdump -i eth0 host 10.10.7.2 and host 11.0.1.9 and port 8080

B. tcpdump -i eth0 host 10.10.7.2 and 11.0.1.9

C. tcpdump -i eth0 host dst 11.0.1.9 and dst port 8080

D. tcpdump -i eth0 host 10.10.7.2 and dst 11.0.1.9 and dst port 8080

 

Correct Answer: A or D ? which is more suitable ?

 

QUESTION 86 In a Cisco ASA multiple-context mode of operation configuration, which three session types are resource limited by default when their context is a member of the default class? (Choose three.)

 

A. RADIUS sessions

B. TCP sessions

C. SSL VPN sessions

D. CTS sessions

E. SSH sessions

F. TELNET sessions

G. ASDM sessions

H. IPSec sessions

 

Correct Answer: EFG or EFH ?

 


Edited by ssree


congrats. .. you just escaped....can you share the old dump....

Okay, due to the pictures, the file is about 12MB, I uploaded the file to the cloud disk.


If it forbids you to download, you can give me one of your emails.

 

The file has some different answers from 177Q.

 

Open with OneNote


answers you followed from 177q or any changes you made ?

 

This is for practice. There is no answer.

I mean, the '176.one'

Edited by TonyChen


any changes ? what was the score ? 177q ?

do you remember the questions came for you ?

Edited by ssree


Great.. The dumps are the same 180Q..

 

Keeps changing... now it's 184Q, but it's the same doc... just updated


What exactly is this bro? I'm a bit confused, as the original file has no pictures at all, not even for drag and drop, and this file of yours is like full of pics... is it the same stuff?


It's a OneNote file, may be useful for practice like VCE


Ok, but... exactly the same questions, right? Did you maybe update in accordance with all the comments here in the forum? Thanks


Can anyone help me on confirming the answers?


any changes ? what was the score ? 177q ?

do you remember the questions came for you ?

 

I got 8**, it is all the same question in the dumps, nothing from outside. I think few answers are wrong.


Ok, so here are the questions that don't match in the 2 dumps ppl are often reporting as valid: BATA and SPOTO:

 

QUESTION 62

 

Refer to the exhibit. Which two effects of this configuration are true? (Choose two.)

 

Case Study Title (Case Study):

authentication priority dot1x mab

authentication order dot1x mab

authentication event fail action next-method

authentication event server dead action reinitialize vlan 50

authentication host-mode multi-auth

authentication violation restrict

  • A If the TACACS+ server is unreachable, the switch places hosts on critical ports in VLAN 50
  • B The device allows multiple authenticated sessions for a single MAC address in the voice domain
  • C If multiple hosts have authenticated to the same port, each can be in their own assigned VLAN
  • D If the authentication priority is changed the order in which authentication is performed also changes
  • E The switch periodically sends an EAP-Identity-Request to the endpoint supplicant
  • F The port attempts 802.1x authentication first, and then falls back to MAC authentication bypass

Correct Answer: AF (SPOTO SAYS CF)

 

QUESTION 71

 

Which two options are benefits of network summarization? (Choose two.)

  • A It can summarize discontiguous IP addresses
  • B It can easily be added to existing networks
  • C It prevents unnecessary routing updates at the summarization boundary if one of the routes in the summary is unstable
  • D It reduces the number of routes
  • E It can increase the convergence time of the network

Correct Answer: CD

SPOTO SAYS DE

 

QUESTION 74

 

Which two statements about SPAN sessions are true? (Choose two.)

  • A A single switch stack can support up to 32 source and RSPAN destination sessions
  • B They can monitor sent and received packets in the same session
  • C Multiple SPAN sessions can use the same destination port
  • D Source ports and source VLANs can be mixed in the same session
  • E They can be configured on ports in the disabled state before enabling the port
  • F Local SPAN and RSPAN can be mixed in the same session

Answer: BE

Old answer (591): CF

SPOTO says CE

 

 

 

QUESTION 86

 

In a Cisco ASA multiple-context mode of operation configuration, which three session types are resource limited by default when their context is a member of the default class? (Choose three.)

  • A RADIUS sessions
  • B TCP sessions
  • C SSL VPN sessions
  • D CTS sessions
  • E SSH sessions
  • F TELNET sessions
  • G ASDM sessions
  • H IPSec sessions

Correct Answer: EFG

SPOTO says EFH

 

QUESTION 117

 

A university has hired you as a consultant to advise them on the best method to prevent DHCP starvation attacks in the campus. They have already implemented DHCP snooping and port security to control the situation, but those do not fully contain the issue. Which two actions do you suggest to fix this issue? (Choose two.)

 

A. Use the ip dhcp snooping limit rate command on trusted and untrusted interfaces and set the rate to suitable values that are relevant to each interface respectively

B. Use the ip dhcp snooping verify mac-address command to ensure that the source MAC address in the DHCP request matches the client hardware address (CHADDR) sent to the DHCP server.

C. Use the ip dhcp snooping verify mac-address command to ensure that the source MAC address in the DHCP request matches the client identifier (CLID) field sent to the DHCP server.

D. Use the ip dhcp snooping limit rate command only to ensure that the source MAC address in the DHCP request matches the client identifier (CLID) field sent to the DHCP server.

E. Use the ip dhcp snooping limit rate command on trusted and untrusted interfaces set to the same rate value.

F. Use the ip dhcp snooping limit rate command only on untrusted interfaces and set the rate to suitable values that are relevant to the interface.

 

 

Correct Answer: BF

SPOTO says CF

 

 

Opinions?

Edited by thewildone

