MrR0b0t

CCIE Security v5 Lab Exam Strategy


Task 4.2 Question,

 

When I tested the configuration on a C3650 switch for dot1x and MAB authentication, I don't think I need the following commands (those two VSA commands are on by default). Could it be that in the lab they need to be turned on manually?

 

!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server vsa send accounting
radius-server vsa send authentication

 

Also, we are not required to do any accounting here, so the following line is not needed either.

!
aaa accounting dot1x default start-stop group ISE
!

 

 

Please correct me if you see any problem. Thanks!

Edited by beiyanglong


Hi MrR0b0t,

 

In your post I see that you add a specific authentication policy for each task based on NAS IP and flow type. Is that required for getting all points, or can just the default authentication policy set be used, as it covers all auth requirements in general?

Also, for endpoint groups, you define a custom one for the MAB PC, which you used in the authorization rule? Do you think the lab proctors are expecting the candidate to create a custom one, or is it also fine if a pre-defined one (like workstation) is used?


Hi MrR0b0t,

 

In your post I see that you add a specific authentication policy for each task based on NAS IP and flow type. Is that required for getting all points, or can just the default authentication policy set be used, as it covers all auth requirements in general?

Also, for endpoint groups, you define a custom one for the MAB PC, which you used in the authorization rule? Do you think the lab proctors are expecting the candidate to create a custom one, or is it also fine if a pre-defined one (like workstation) is used?

 

You are right. The question does not specify any condition for the authentication policy, so any common authentication rule with, for example, just a MAB condition can be used, but I prefer to keep all the authentication and authorization rules separate so that I can see the right rule matching the connection.

Also, IIRC, in the lab the policy will be empty, so you will not even have a default authentication rule.

Regarding groups, it does not really matter whether you use a system-defined group or a custom one unless the question asks for it explicitly. I prefer creating my own elements so that I have more control rather than being dependent on automatic elements. Also, you can possibly face an issue in the lab where it does not allow you to edit system elements.


 

Also, IIRC, in the lab the policy will be empty, so you will not even have a default authentication rule.

 

 

Can the default authentication rule be disabled? Just tried it on my test ISE and I don't think I have the option to do so.


Can the default authentication rule be disabled? Just tried it on my test ISE and I don't think I have the option to do so.

 

Yes, you can disable or delete default authentication policy rules.


 

 

My friend, could you please help me set up the EVE lab?

L2/L3 images are working fine with ASA 8XX.

Only the IOUL images are not working?!

I generated the iourc key and ran fixpermissions for the wrapper, but these images are still not working.

Appreciate your support.


Hi all,

 

I would like some clarifications/tips for the following questions. Preferably from someone who passed the lab exam.

 

Task 2.1/2.2

After we configure WCCP on R2 and WSA, what IP should we see as the Router Identifier when we perform "sh ip wccp" on R2?

Is it 150.1.7.232?

 

Task 3.5

Can someone verify that the SW2 needs to be provisioned with a PAC file?

Correct me if I am wrong, but even if we don't provision SW2 with a PAC file, the ASA will still be able to resolve the SGTs.

So the question is: if we don't provision SW2 with a PAC file, do we lose the points for the question?

 

Should I close the RDP connection?

Before we submit the CFG section, should we close the RDP connection to "client_pc1" & "client_pc2" or not?

I am asking this because the Notes are not the same for the relevant questions.

 

Task 3.1: Make sure that even when you close the RDP connection to "client_pc2", that should not tear down the established VPN session.

Task 4.1: VPN session should be in established state when you have ended the Configuration module.

 

Task 5.2

Is the VLAN assignment to VLAN 102 required? In my opinion it is not required.

Especially because we configure the interface on VLAN 102 and the question does not mention anything about VLAN assignment like Task 4.2, where it says

"On successful authorization ISE should assign the session VLAN 8, SGT of "PC2" and push DACL to permit ip traffic from any source to any destination."

 

As always, thanks in advance


Edited by tonythetiger
  • Like 2


Hi, any info from those who passed?

 

In section 1.4 there is a note: In exam read question carefully, sometimes they use Allow/Pass/Permit interchangeably; apply solution accordingly.

Sample task:

rule 1 Permit
rule 2 Allow
rule 3 Allow

Based on the FMC, there are only monitor/trust/block/allow; as you can see, there is no Permit option.


Hi all - I am working on lab creation on EVE-NG. Could anybody please help me make the physical topology for CCIE LAB V5? Your support will be highly appreciated.

  • Like 1


Hi arsalanraz. I am also preparing for CCIE Security and preparing lab topologies and initial configs. Do you want to form a study group? Thanks.

Edited by AndreTJ89


Hi folks,

 

Does anyone have any idea about registering NGIPSv on FMC in section 1.4?

I have the lab installed on servers with the EVE Community engine. Whenever I try to add/register, it gives me an error like "Registration incorrect or network interface is down or software version is different", even though I checked the reg_key and it is the same, and all the other possibilities shown in the error have already been checked.

Give me any idea, please.


Hi folks,

 

Does anyone have any idea about registering NGIPSv on FMC in section 1.4?

I have the lab installed on servers with the EVE Community engine. Whenever I try to add/register, it gives me an error like "Registration incorrect or network interface is down or software version is different", even though I checked the reg_key and it is the same, and all the other possibilities shown in the error have already been checked.

Give me any idea, please.

This is the actual error:

"Could not establish a connection with sensor. Make sure the registration keys match, that the software versions are compatible, and that the network is not blocking the connection"
