Chapter Review

Authentication proxy is a user authentication and authorization technology that is part of the Cisco IOS Firewall feature set. The feature is supported on a growing list of platforms running the latest IOS versions (12.2), including the SOHO 70, 800, uBR900, 1720, 2600, 3600, 7100, 7200, and 7500 series routers. Earlier versions don’t support the feature on the smaller units (SOHO 70 to 1720s). Authentication proxy is compatible with other Cisco IOS security features, such as NAT, CBAC, IPSec encryption, and VPN client software.

The Cisco IOS Firewall authentication proxy feature allows network administrators to implement security policies on a per-user basis through personalized ACLs. Without firewall authentication proxy, user identity and any authorized access were tied to a user’s IP address, so a single security policy had to be applied to an entire user group or subnet. With it, users are identified and authorized on the basis of their per-user policy, and access privileges can be customized according to their individual access profiles.

With the authentication proxy feature, users can log in to the network or access the Internet via HTTP, and their specific access profiles are automatically retrieved and applied from a Cisco Secure ACS, or other RADIUS or TACACS+ authentication server. The user profiles and the resulting temporary ACL entries are active only while active traffic exists from the authenticated user. By default, the temporary openings close after 60 minutes of inactivity.

The authentication proxy feature requires an AAA server running Cisco Secure Access Control Server (ACS) on the network, and that server must be configured to enable the feature.

Next, the router running the firewall feature set, typically the perimeter router, must be configured by performing the following tasks:

  • Configuring AAA support (required)

  • Configuring the HTTP server feature (required)

  • Configuring the Authentication Proxy (required)

  • Verifying the Authentication Proxy (optional, but valuable)

Skipping the optional verification step puts the resources you’re charged to protect at risk.
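The four tasks above in a minimal router configuration, as an added example that is not from the book; the interface, addresses, server key, rule name and ACL numbers are assumed placeholders for a TACACS+ server on the inside subnet.

```cisco
! Task 1: AAA support. Login authentication and auth-proxy authorization
! come from the TACACS+ server; accounting records each proxy session.
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
aaa accounting auth-proxy default start-stop group tacacs+
tacacs-server host 192.168.1.50
tacacs-server key EXAMPLE_SHARED_KEY
!
! Task 2: HTTP server on the router, authenticating through AAA and
! reachable only from the inside subnet (access-class limits who may connect).
ip http server
ip http authentication aaa
ip http access-class 10
access-list 10 permit 192.168.1.0 0.0.0.255
!
! Task 3: the authentication proxy rule. The idle timer is in minutes
! (60 is the default, so this line only makes the value explicit).
ip auth-proxy auth-cache-time 60
ip auth-proxy name INSIDE_USERS http
!
! Inbound ACL on the inside interface: block everything except the
! return traffic from the AAA server. Per-user ACEs are added to this
! interface dynamically from the user's profile after a successful login.
access-list 110 permit tcp host 192.168.1.50 eq tacacs host 192.168.1.1
access-list 110 deny ip any any
!
interface FastEthernet0/0
 description inside (user-facing) interface, assumed placeholder
 ip address 192.168.1.1 255.255.255.0
 ip access-group 110 in
 ip auth-proxy INSIDE_USERS
!
! Task 4: verification (privileged EXEC). The first shows the rules and the
! cache timer; the second shows entries for hosts that have authenticated.
! show ip auth-proxy configuration
! show ip auth-proxy cache
```

If a host never appears in the cache after a login attempt, check the AAA return-traffic permit in the inbound ACL first, since without it the router never hears the server's reply.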

Questions

1. What protocol does the authentication proxy use to trigger an authentication session?

  A. Telnet
  B. HTTPS
  C. TFTP
  D. HTTP

2. Which two protocol authentication servers can be used with authentication proxy?

  A. TACACS
  B. Kerberos
  C. RADIUS
  D. TACACS+

3. Authentication proxy allows how many attempts to enter a valid user name and password?

  A. 1
  B. 3
  C. 5
  D. Unlimited

4. True or False. User profile entries stored on the AAA server are made up of permit and deny statements used to create temporary ACL entries on the firewall router.

  A. True
  B. False

5. In the temporary ACL entry permit icmp host 192.168.1.10 host 192.168.4.2, which address probably represents the authenticated user?

  A. 192.168.1.10
  B. 192.168.4.2
  C. It can be either one
  D. There’s no way to know

6. True or False. Authentication proxy is supported on all router platforms since v12.2.

  A. True
  B. False

7. In the ip auth-proxy auth-cache-time units command, what are the idle timer units?

  A. Bits
  B. Seconds
  C. Minutes
  D. Hours

8. Which technology does authentication proxy use to provide secure authentication?

  A. HTTPS
  B. DirectX
  C. JavaScript
  D. All of the above

9. According to the text, which of the following is the reason to configure CBAC with authentication proxy?

  A. CBAC’s attack prevention feature
  B. CBAC is so easy to configure
  C. Authentication proxy doesn’t create ACEs to support returning data traffic
  D. CBAC has its own authentication function

10. The IOS Firewall authentication proxy feature works with which technology?

  A. Dial-in connections
  B. Console connections
  C. HTTP sessions
  D. Telnet sessions

11. What additional IOS feature allows the authentication proxy to work with NAT services?

  A. AAA Accounting
  B. CBAC
  C. VPN client
  D. One-time passwords

12. Which command is not a step in setting up an IOS Firewall authentication proxy?

  A. Configuring the HTTP server
  B. Configuring the authentication proxy
  C. Configuring AAA
  D. Configuring CBAC

13. How many open sessions does authentication proxy support before refusing additional sessions?

  A. 24
  B. 40
  C. 100
  D. 500

14. When creating the inbound ACL on the firewall for authentication proxy, all traffic is typically blocked except which one of the following that’s absolutely required?

  A. Outbound traffic to the AAA server
  B. Local user Telnet traffic
  C. Return traffic from the AAA server
  D. Local user HTTP traffic

15. When configuring the authentication proxy features, all commands are variations of which of the following?

  A. Rtr1#ip auth-proxy auth
  B. Rtr1(config)#ip auth-proxy auth
  C. Rtr1(config-if)#ip auth-proxy auth
  D. Rtr1(config-ap)#ip auth-proxy auth

Answers

1. D. HTTP

2. C. and D. RADIUS and TACACS+

3. C. Five tries

4. B. False. User profiles contain only permit statements.

5. A. 192.168.1.10

6. A. False. IOS versions (12.2) support authentication proxy on the SOHO 70, 800, uBR900, 1720, 2600, 3600, 7100, 7200, and 7500 series routers.

7. C. Minutes (default 60)

8. C. JavaScript

9. C. Authentication proxy does not create ACEs to support returning data traffic.

10. C. HTTP sessions

11. B. CBAC

12. D. Configuring CBAC

13. B. 40

14. C. Return traffic from the AAA server

15. B. Rtr1(config)#ip auth-proxy auth

Part III: Virtual Private Networks (VPNs)