Secure Network Access Control - Network Access Control (NAC)

13 important questions on Secure Network Access Control - Network Access Control (NAC)

What are the 3 roles network devices can have with 802.1X?

1. Supplicant (Endpoints)
2. Authenticator (Network Access Device)
3. Authentication Server (RADIUS server)

What is MAC Authentication Bypass (MAB) and how does it work?

It is an access control technique that enables port-based access control using the MAC address, typically used as a fallback to 802.1X.
If the 802.1X phase times out, the Authenticator learns the MAC address from the Supplicant and then authenticates it against the Authentication Server.

What is the default order when 802.1X, MAB and WebAuth are enabled?

1. 802.1X
2. MAB
3. WebAuth

What is Enhanced Flexible Authentication (FlexAuth)?

Enhanced FlexAuth, or Access Session Manager, allows multiple authentication methods at the same time.
For example 802.1X and MAB.
It is a key component of Cisco Identity-Based Networking Services.

What is Cisco Identity-Based Networking Services (IBNS) 2.0?

A combination of 3 existing features and products:
1. Enhanced FlexAuth (Access Session Manager)
2. Cisco Common Classification Policy Language (C3PL)
3. Cisco ISE

What is Cisco TrustSec?

A Next-Gen access control enforcement solution developed by Cisco.
It uses Security Group Tags (SGTs) to perform Ingress tagging and Egress filtering to enforce access control policy.

What are dynamic ways users and devices can be given SGTs by Cisco TrustSec?

Users and devices that are authorized through 802.1X, MAB or WebAuth.

What are the 3 phases of TrustSec?

1. Ingress Classification
2. Propagation
3. Egress Enforcement

What are the 2 options for Ingress Classification in Cisco TrustSec?

1. Dynamic (802.1X, MAB or WebAuth)
2. Static Assignment (IP, Subnet, VLAN, Layer2 interface, Layer 3 interface, Port or Port Profile)

What are the 2 methods of Propagation in Cisco TrustSec?

1. Inline tagging (switch inserts SGT tag which stays in the packet throughout the network, Layer 2 and 3. Must be supported on all participating devices otherwise it is dropped)

2. SXP Propagation (TCP-based peer-to-peer protocol. SGT-tagged packets can be transported from an SXP device over non-TrustSec devices to another SXP device)

What are the 2 major types of Egress Enforcement in Cisco TrustSec?

1. Security Group ACL (SGACL) Enforcement on routers and switches using ACLs based on source and destination ACLs.

2. Security Group Firewall (SGFW) Enforcement on firewalls. Requires tag-based rules to be defined locally on the firewall.

What are 2 MACsec keying mechanisms available?

1. Security Association Protocol (SAP) (A Cisco proprietary keying protocol used between Cisco switches)

2. MACsec Key Agreement (MKA) protocol (provides session keys and manages encryption keys. Supported between endpoints and switches as well as between switches.)

What is the difference between Downlink MACsec and Uplink MACsec?

Downlink MACsec is between a switch and an endpoint, which requires MKA.

Uplink MACsec is between two switches. Between two Cisco switches, Cisco SAP is used by default.
