Share your IAUWS Experience
Please share with us your experience after taking the IAUWS 642-737 exam, your materials, the way you learned, your recommendations… But please DO NOT share any information about the detail of the exam or your personal information, your score, exam date and location, your email…
Your posts are warmly welcome!
Please don’t ask for links to download copyright materials here…
@Thibault Gibard
@Lionel Zumaran
@Anonymous
They are agents of PassLeader, absolutely false!
@ Thibault Gibard
Thanks for sharing premium PassLeader 300-375 dumps!!!
I have passed my 300-375 exam yesterday by only learning PassLeader 300-375 dumps (http://www.passleader.com/300-375.html) [60q VCE and PDF]
100% valid now!!!
@Michael Nicol
FAKE!!!
@Anonymous
do you have any resource for study?
Hi Amirhossein,
No, I don’t
……
Part of FREE VERSION of premium PassLeader 300-360 dumps on Google Drive:
https://drive.google.com/open?id=0B-ob6L_QjGLpWVVreDl3bGRhakk
……
……
Part of FREE VERSION of premium PassLeader 300-365 dumps on Google Drive:
https://drive.google.com/open?id=0B-ob6L_QjGLpR3dFYkJubjFZaDQ
……
……
Part of FREE VERSION of premium PassLeader 300-370 dumps on Google Drive:
https://drive.google.com/open?id=0B-ob6L_QjGLpM3ZXaF9TdmZSeUU
……
……
Part of FREE VERSION of premium PassLeader 300-375 dumps on Google Drive:
https://drive.google.com/open?id=0B-ob6L_QjGLpQ2hZQ0c4c2d1QjA
……
Suck it Carina
NO.4 An engineer is configuring a new mobility anchor for a WLAN on the CLI with the config wlan
mobility anchor add 3 10.10.10.10 command, but the command is failing. Which two conditions must
be met to be able to enter this command? (Choose two.)
A. The anchor controller IP address must be within the management interface subnet.
B. The anchor controller must be in the same mobility group.
C. The WLAN must be enabled.
D. The mobility group keepalive must be configured.
E. The indicated WLAN ID must be present on the controller.
Answer: A,B
WRONG?: I guess it’s BE
A IS AMBIGUOUS. THE IP ADDRESS MAY BE THE ONE CONFIGURED IN THE COMMAND. THE MANAGEMENT INTERFACE SUBNET MAY BE THE ONE OF THE MACHINE WHERE THE COMMAND IS BEING ISSUED. IT’S ASSUMED THE CONFIGURED IP ADDRESS IS THE OTHER CONTROLLER.
NO.8 An engineer has determined that the source of an authentication issue is the client laptop.
Which three items must be verified for EAP-TLS authentication? (Choose three.)
A. The client certificate is formatted as X.509 version 3
B. The validate server certificate option is disabled.
C. The client certificate has a valid expiration date.
D. The user account is the same in the certificate.
E. The supplicant is configured correctly.
F. The subject key identifier is configured correctly.
Answer: A,D,F
WRONG?: I guess it’s ACE
OPTIONS A, C, E ARE MANDATORY. OPTION D IS VALID ACCORDING TO THE LINK BELOW: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml
NO.9 MFP is enabled globally on a WLAN with default settings on single controller wireless network.
Older client devices are disconnected from the network during a deauthentication attack. What is the
cause of this issue?
A. The client devices do not support WPA.
B. The client devices do not support CCXv5.
C. The MFP on the WLAN is set to optional
D. The NTP server is not configured on the controller.
Answer: C
WRONG?: I guess it’s B. B OPTION DEFINES OLDER CLIENTS, C OPTION ALLOWS OLDER CLIENTS TO CONNECT.
NO.11 Which client roam is considered the fastest in a wireless deployment using Cisco IOS XE
mobility controllers and mobility agents?
A. Roam within stack members
B. Inter-SPG roam
C. Interdomain roam
D. Intermobility roam
E. Intra-SPG roam
Answer: E
WRONG?: I guess it’s A. INTRA-SWITCH (STACK – THAT IS THE SAME MA) IS FASTER THAN INTRA-SPG ROAMING? http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/system_management/configuration_guide/b_sm_3se_3850_cg/b_sm_3se_3850_cg_chapter_0111.html
NO.12 Which two 802.11 methods can be configured to protect card holder data? (Choose two.)
A. CCMP
B. WEP
C. SSL
D. TKIP
E. VPN
Answer: C,E
IS WRONG: The correct answer is AD.
CISCO WIRELESS PCI MANDATES WPA (TKIP) ENCRYPTION OR WPA2 AES (CCMP) http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/pci-compliance/at_a_glance_c45-639503.pdf
NO.15 When a wireless client uses WPA2 AES, which keys are created at the end of the four way
handshake process between the client and the access point?
A. AES key, TKIP key, WEP key
B. AES key, WPA2 key, PMK
C. KCK, KEK, TK
D. KCK, KEK, MIC key
Answer: A
IS WRONG: The correct answer is C.
WPA2’s PTK comprises three types of keys. They are the Key Confirmation Key (KCK), which is used to check the integrity of an EAPOL Key frame(used in the MIC), the Key Encryption Key (KEK), which encrypts the GTK, and the Temporal Keys (TK), which secure data traffic. http://www.informationweek.com/learn-the-basics-of-wpa2-wi-fi-security/d/d-id/1039894?print=yes
NO.17 LAB
Answer:
Please refer to the link below in the Explanation to configure this simulation.
Example:
Use this link to configure all the steps for this simulation :
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116880-config-wpa2-psk-00.html
THE ANSWER IS WRONG: INCOMPLETE CONFIGURATION. WPA MUST ALSO BE CONFIGURED (MAYBE TKIP): http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116880-config-wpa2-psk-00.html
NO.18 Which mobility mode must a Cisco 5508 wireless Controller be in to use the MA functionality
on a cisco catalyst 3850 series switch with a cisco 550 Wireless Controller as an MC?
A. classic mobility
B. new mobility
C. converged access mobility
D. auto-anchor mobility
Answer: C
IS WRONG: The answer is B
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-5/configuration-guide/b_cg75/b_cg75_chapter_010010101.html
NO.19 Scenario
Which configuration changes need to be made to allow WPA2 + PSK to operate properly on the East-
WLC-2504A controller? (Choose four.)
A. Disable Dynamic AP Management.
B. Click on the Status Enabled radio button.
C. Change the Layer 3 Security to Web Policy.
D. Change the WPA + WPA2 Parameters to WPA2 Policy-AES.
E. Change the PSK Format to HEX.
F. Change the WLAN ID.
G. Change the VLAN Identifier.
H. Change the IP Address of the Virtual interface.
I. Change the SSID name of the WLAN.
J. Click on the PSK radio button and add the password in the text box.
Answer: B,F,I,J
IS CORRECT: A NOT APPLICABLE. B CHANGE STATUS TO ENABLED. C NOT APPLICABLE (WEB IS LAYER 3). D NOT NEEDED (ALREADY CONFIGURED). E NOT APPLICABLE (PASSWORD IN ASCII). F CHANGE WLAN ID TO 11 (IT’S 10). THE WRONG WLAN ID DOES NOT PREVENT THE CLIENT FROM CONNECTING. IF THE VLAN NEEDS TO BE CHANGED TOO, DO NOT CHANGE THE WLAN ID. G MAYBE NOT NEEDED (THE SCREENSHOTS DON’T PROVIDE THE VLAN ID). H NOT APPLICABLE (ONLY FOR WEB AUTH). I CHANGE SSID TO Contractors (IT’S EMPLOYEES). J ADD PSK AFTER CHANGING AUTHENTICATION KEY MANAGEMENT TO PSK (IT’S DOT1X).
NO.26 An engineer is considering an MDM integration with Cisco ISE to assist with security for lost
devices. Which two functions of MDM increase security for lost devices that access data from the
network? (Choose two.)
A. PIN enforcement
B. Jailbreak/root detection
C. data wipe
D. data encryption
E. data loss prevention
Answer: A,C
WRONG?: OPTIONS AC ARE LOST/STOLEN DEVICES RELATED. OPTIONS BD SEEM TO BE RELATED TO ACCESS TO THE (DATA) NETWORK. http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_Design_Guide/BYOD_MDMs.pdf
NO.29 A customer wants to allow employees to easily onboard their devices to the wireless network.
Which process can be configured on Cisco ISE to support this requirement?
A. self registration guest portal
B. client provisioning
C. native supplicant provisioning
D. local web auth
Answer: B
WRONG?: I guess the answer is A.
The Cisco ISE server has the capability to host multiple portals. The BYOD system design relies on the Guest Portal to provide wireless guest access and, for provisioning purposes, the redirection of employees to the Self-Registration portal to on-board their devices. The DefaultGuestPortal refers to the portal used for self-registration—otherwise known as the Self-Registration portal. http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_Design_Guide/BYOD_ISE.html
NO.31 What is the maximum number of clients that a small branch deployment using a four-member
Cisco Catalyst 3850 stack (acting as MC/MA) can support?
A. 10000
B. 1000
C. 500
D. 2000
E. 5000
Answer: E
IS WRONG: I guess the answer is D.
The 3850 switch gives you smart, simple, and highly secure unified access with an integrated wireless controller. Support up to 100 access points and 2000 wireless clients on each switching entity (switch or stack).
http://www.cisco.com/c/en/us/products/switches/catalyst-3850-series-switches/index.html
NO.32 Access points at branch sites for a company are in FlexConnect mode and perform local
switching, but they authenticate to the central RADIUS at headquarters. VPN connections to the
headquarters have gone down, but each branch site has a local authentication server. Which three
features on the wireless controller can be configured to maintain network operations if this situation
reoccurs? (Choose three.)
A. Put APs in FlexConnect Group for Remote Branches.
B. Set Branch RADIUS as Primary.
C. Put APs in AP Group Per Branch.
D. Put APs in FlexConnect Group Per Branch.
E. Set Branch RADIUS as Secondary.
F. Set HQ RADIUS as primary.
Answer: A,E,F
IS WRONG: I guess the answer is DEF
FlexConnect APs at each branch site are part of a single FlexConnect Group. To increase the resiliency of the branch, administrators can configure a primary backup RADIUS server or both a primary and secondary backup RADIUS server. These servers are used only when the FlexConnect AP is not connected to the controller. http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-1/Enterprise-Mobility-8-1-Design-Guide/Enterprise_Mobility_8-1_Deployment_Guide/ch7_HREA.html
NO.34 Refer to the exhibit.
A customer is having problems with clients associating to the wireless network. Based on the
configuration, which option describes the most likely cause of the issue?
A. Both AES and TKIP must be enabled
B. SA Query Timeout is set too low
C. Comeback timer is set too low
D. PMF is set to “required”
E. MAC Filtering must be enabled
Answer: E
IS WRONG: I guess the answer is D
MAC filtering not enabled does not prevent client association. Required—Ensures that the clients that do not support 802.11w cannot associate with the WLAN.
The Comeback Timer and the SA Query Timeout are applicable after a valid security association.
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration-guide/b_cg76/b_cg76_chapter_01001101.html
NO.39 WPA2 Enterprise with 802.1x is being used for clients to authenticate to a wireless network
through an ACS server. For security reasons, the network engineer wants to ensure only PEAP
authentication can be used. The engineer sent instructions to clients on how to configure their
supplicants, but users are still seen in the ACS logs authenticating using EAP-FAST. Which option describes
the most efficient way the engineer can ensure these users cannot access the network unless the
correct authentication mechanism is configured?
A. Enable AAA override on the SSID, gather the usernames of these users, and disable their RADIUS
accounts until they make sure they correctly configured their devices.
B. Enable AAA override on the SSID and configure an access policy in ACS that denies access to the list
of MACs that have used EAP-FAST.
C. Enable AAA override on the SSID and configure an access policy in ACS that allows access only
when the EAP authentication method is PEAP.
D. Enable AAA override on the SSID and configure an access policy in ACS that puts clients that
authenticated using EAP-FAST into a quarantine VLAN.
Answer: D
WRONG?: I guess the answer is C
A AND B ARE NOT SCALABLE, D ALLOWS THE ACCESS, ALTHOUGH IT’S A QUARANTINE VLAN. OPTION C IS THE TECHNICALLY CORRECT SOLUTION RESTRICTING THE EAP AUTHENTICATION METHOD TO PEAP ONLY. CONFIGURATION IN “APPLY ACCESS POLICIES” IN EXAMPLE ON THE LINK BELOW: http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113670-eap-authentication-00.html
NO.45 Refer to the exhibit.
A WLAN with the SSID “Enterprise” is configured. Which rogue is marked as malicious?
A. a rogue with two clients, broadcasting the SSID “Employee” heard at -50 dBm
B. a rogue with no clients, broadcasting the SSID “Enterprise” heard at -50 dBm
C. a rogue with two clients, broadcasting the SSID “Enterprise” heard at -80 dBm
D. a rogue with two clients, broadcasting the SSID “Enterprise” heard at -50 dBm
Answer: C
IS WRONG: The answer is D.
OPTION D IS THE ONE THAT MATCHES ALL CRITERIA SIMULTANEOUSLY: THE ROGUE AP HAS 2 CLIENTS (MORE THAN THE MINIMUM NUMBER OF ROGUE CLIENTS CONFIGURED VALUE), MANAGED SSID “Enterprise” MATCHES THE WLAN CONFIGURED SSID AND IS HEARD AT AN RSSI (-50dBm) THAT IS HIGHER THAN THE MINIMUM RSSI CONFIGURED VALUE (-70dBm). Match All—If this rule is enabled, a detected rogue access point must meet all of the conditions specified by the rule in order for the rule to be matched and the rogue to adopt the classification type of the rule. RSSI—Requires that the rogue access point have a minimum received signal strength indication (RSSI) value. For example, if the rogue access point has an RSSI that is greater than the configured value, then the access point could be classified as malicious.
Client Count—Requires that a minimum number of clients be associated to the rogue access point. For example, if the number of clients associated to the rogue access point is greater than or equal to the configured value, then the access point could be classified as malicious. If you choose this option, enter the minimum number of clients to be associated to the rogue access point in the Minimum Number of Rogue Clients text box.
Managed SSID—Requires that the rogue access point’s managed SSID (the SSID configured for the WLAN) be known to the controller. No further configuration is required for this option. http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_0111110.html#ID4120
NO.46 After receiving an alert regarding a rogue AP, a network engineer logs into Cisco Prime and
looks at the floor map where the AP that detected the rogue is located. The map is synchronized with
a mobility services engine that determines the rogue device is actually inside the campus. The
engineer determines the rogue to be a security threat and decides to stop it from broadcasting inside
the enterprise wireless network. What is the fastest way to disable the rogue?
A. Go to the location the rogue device is indicated to be and disable the power.
B. Create an SSID on WLAN controller resembling the SSID of the rogue to spoof it and disable clients
from connecting to it.
C. Classify the rogue as malicious in Cisco Prime.
D. Update the status of the rogue in Cisco Prime to contained.
Answer: C
WRONG?: I guess the answer is D.
CLASSIFYING AS MALICIOUS ONLY DOES NOT TRIGGER ANY ACTION AGAINST THE ROGUE AP. The next step is to mark them as Known or Acknowledged rogue access points (no further action), Alert rogue access points (watch for and notify when active), or Contained rogue access points. http://www.cisco.com/c/en/us/td/docs/wireless/mse/3350/7-3/wIPS_Configuration_guide/Guide/wIPS/msecg_appB_wIPS.html
NO.47 An engineer must change the wireless authentication from WPA2-Personal to
WPA2-Enterprise. Which three requirements are necessary? (Choose three.)
A. EAP
B. 802.1x
C. RADIUS
D. pre-shared key
E. 802.11u
F. fast secure roaming
G. 802.11i
Answer: A,C,G
IS WRONG: The answer is ABC.
The authentication method used to verify the user (and server) credentials on WPA/WPA2-Enterprise networks is defined in the IEEE 802.1X standard. This requires an external server called a Remote Authentication Dial In User Service (RADIUS) or Authentication, Authorization, and Accounting (AAA) server, which is used for a variety of network protocols and environments including ISPs.
A RADIUS server understands the Extensible Authentication Protocol (EAP) language and communicates with the wireless APs, referred to as RADIUS clients or authenticators. http://www.ciscopress.com/articles/article.asp?p=1576225&seqNum=2
Personal WPA relies on a PSK secret (Pre-Shared Key), and you don’t need an external server to perform authentication
Enterprise WPA (as defined in the 802.11i standard) uses WPA2 with AES-CCM encryption, and authentication is based on 802.1x/EAP using the RADIUS protocol.
So to migrate from WPA-Personal to Enterprise, you need to use an external server performing the RADIUS authentication.
For this authentication to happen, many EAP methods can be used: EAP-TLS, EAP-TTLS, PEAP, EAP-MD5, LEAP and EAP-FAST (the last two methods being Cisco-Proprietary)
https://learningnetwork.cisco.com/thread/66042
NO.49 An engineer must enable EAP on a new WLAN and is ensuring that the necessary components
are available. Which component uses EAP and 802.1x to pass user authentication to the
authenticator?
A. AP
B. AAA server
C. supplicant
D. controller
Answer: D
IS WRONG: The correct answer is C.
The role of the supplicant is to facilitate end-user authentication using EAP and 802.1X to an upstream authenticator; in this case, the WLC. http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/secwlandg20/sw2dg/ch3_2_SPMb.html#wp1056345
NO.50 Which customizable security report on Cisco Prime Infrastructure would show rogue APs
detected since a point in time?
A. New Rogue APs
B. Rogue AP Events
C. Rogue APs
D. Rogue AP Count Summary
Answer: C
WRONG?: OPTION C: ROGUE APS This report displays all rogues detected by the access points in your network based on the Last Seen Time of the rogue access points and the selected filtering criteria. OPTION B ROGUE AP EVENTS: A new rogue access point event is created by Prime Infrastructure based on polled data when there is a newly detected rogue access point. OPTIONS A AND D OPTIONS ARE NOT CORRECT BECAUSE THEY ARE NOT CUSTOMIZABLE. http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/2-0/user/guide/prime_infra_ug/reps.html
NO.51 A corporation has recently implemented a BYOD policy at their HQ. Which three risks should
the security director be concerned about? (Choose three.)
A. unauthorized users
B. rogue ad-hocs
C. software piracy
D. lost and stolen devices
E. malware
F. keyloggers
Answer: A,C,E
WRONG?: I guess the answer is DEF.
http://ccbtechnology.com/byod-5-biggest-security-risks/
NO.52 A network engineer is implementing a wireless network and is considering deploying a single
SSID for device onboarding. Which option is a benefit of using dual SSIDs with a captive portal on the
onboard SSID compared to a single SSID solution?
A. limit of a single device per user
B. restrict allowed devices types
C. allow multiple devices per user
D. minimize client configuration errors
Answer: B
WRONG?: I guess the answer is D
OPTIONS A AND C ARE NOT APPLICABLE SINCE BOTH METHODS ALLOW ONBOARDING OF OWN DEVICES, SO THE NUMBER OF DEVICES IS NOT RELEVANT.
APPARENTLY THE SUPPORTED DEVICE TYPES DO NOT DEPEND ON THE METHOD USED FOR ONBOARDING, SO OPTION B MAY NOT BE THE CORRECT ANSWER.
Windows, MacOS, iOS, or Android device — The native supplicant flow starts similarly regardless of device type by redirecting employees using a supported personal device to the SelfProvisioning portal to confirm their device information.
http://www.cisco.com/c/en/us/td/docs/security/ise/12/user_guide/ise_user_guide/ise_mydevices.html
ON THE OTHER HAND, THE RECOMMENDATIONS BELOW POINT OUT THE COMPLEXITY OF THE CLIENT CONFIGURATION FOR SINGLE-SSID USAGE (AD CREDENTIALS MUST BE AVAILABLE, THE ISE CERTIFICATE MUST BE TRUSTED BY THE CLIENT, ETC.), SO IT SEEMS TO ME THAT OPTION D MAY BE THE CORRECT OPTION.
In a single SSID design, the same WLAN is used for certificate enrollment, provisioning (on-boarding
process), and secure network access. There are some considerations that should be taken into
consideration while deploying a Single SSID solution:
1. Since the authentication method is PEAP, the user is expected to enter the AD credentials before the
registration process can begin. In the PEAP protocol, the server presents its identity certificate to
the end user. In this design, ISE presents its identity certificate to the endpoint. Some endpoints may
reject the certificate if the root certificate is not present in their list of trusted providers. During the
registration process, the root CA certificate is installed on the endpoint, but this can’t be done if the
initial dialog itself fails. Hence, this presents a chicken-and-egg problem. To prevent this from
happening the ISE identity certificate must be signed by a third-party trusted provider such as
VeriSign.
2. If the above cannot be done, then it is better to deploy dual SSID design.
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_Design_Guide/BYOD_Wireless.html#50182
Single or dual SSID—With single SSID, the same WLAN is used for certificate enrollment, provisioning, and network access. In a dual SSID deployment, there are two SSIDs: one provides enrollment and provisioning and the other provides secure network access.
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_mydevices.html
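An added illustration of the Match All rule semantics quoted for question 45 (example code, not Cisco's controller code and not part of the post). The -70 dBm threshold is the one stated in the comment; the minimum client count of 1 is an assumption, since the exhibit is not reproduced here, and the rogue records are constructed from the four answer options:

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass
class RogueRule:
    """A rogue classification rule; a condition left at None/empty is not part of the rule."""
    name: str
    classification: str = "Malicious"
    match_all: bool = True                       # Match All (every condition) vs Match Any
    min_rssi_dbm: Optional[int] = None           # RSSI: rogue must be heard at or above this value
    min_clients: Optional[int] = None            # Client Count: at least this many associated clients
    managed_ssids: FrozenSet[str] = frozenset()  # Managed SSID: SSIDs configured on the controller WLANs


@dataclass
class RogueAP:
    bssid: str
    ssid: str
    rssi_dbm: int
    client_count: int


def rule_conditions(rule: RogueRule, rogue: RogueAP) -> Dict[str, bool]:
    """Evaluate only the conditions the rule actually configures."""
    results: Dict[str, bool] = {}
    if rule.min_rssi_dbm is not None:
        results["rssi"] = rogue.rssi_dbm >= rule.min_rssi_dbm
    if rule.min_clients is not None:
        results["client_count"] = rogue.client_count >= rule.min_clients
    if rule.managed_ssids:
        results["managed_ssid"] = rogue.ssid in rule.managed_ssids
    return results


def classify(rogue: RogueAP, rules: List[RogueRule]) -> str:
    """Return the classification of the first matching rule, else 'Unclassified'.
    A rule with no configured conditions never matches (there is nothing to evaluate)."""
    for rule in rules:
        conds = rule_conditions(rule, rogue)
        if not conds:
            continue
        matched = all(conds.values()) if rule.match_all else any(conds.values())
        if matched:
            return rule.classification
    return "Unclassified"


# Assumed rule for question 45: -70 dBm is the threshold quoted in the comment above;
# the minimum client count of 1 is an assumption because the exhibit is not on the page.
QUESTION_45_RULE = RogueRule(
    name="honeypot-on-managed-ssid",
    match_all=True,
    min_rssi_dbm=-70,
    min_clients=1,
    managed_ssids=frozenset({"Enterprise"}),
)

# Constructed rogue records mirroring answer options A-D (BSSIDs are placeholders).
EXHIBIT_OPTIONS = {
    "A": RogueAP("02:00:00:00:00:0a", "Employee", -50, 2),
    "B": RogueAP("02:00:00:00:00:0b", "Enterprise", -50, 0),
    "C": RogueAP("02:00:00:00:00:0c", "Enterprise", -80, 2),
    "D": RogueAP("02:00:00:00:00:0d", "Enterprise", -50, 2),
}


def classify_exhibit_options() -> Dict[str, str]:
    """Classify each option with the assumed Match All rule; only D satisfies all three conditions."""
    return {label: classify(rogue, [QUESTION_45_RULE]) for label, rogue in EXHIBIT_OPTIONS.items()}


if __name__ == "__main__":
    for label, verdict in classify_exhibit_options().items():
        print(label, verdict)
```

Setting match_all=False on the same rule also classifies option C as malicious (SSID and client count alone satisfy it), which is why the Match All setting decides this question.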
Unfortunately the forum is not accepting my comments about questions 17, 47 and 52, which I believe are wrong.
Trying one more time:
NO.17
Answer:
Please refer to the link below in the Explanation to configure this simulation.
Example:
Use this link to configure all the steps for this simulation :
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116880-config-wpa2-psk-00.html
THE ANSWER IS WRONG: INCOMPLETE CONFIGURATION. WPA MUST ALSO BE CONFIGURED (MAYBE TKIP)
NO.47 An engineer must change the wireless authentication from WPA2-Personal to
WPA2-Enterprise. Which three requirements are necessary? (Choose three.)
A. EAP
B. 802.1x
C. RADIUS
D. pre-shared key
E. 802.11u
F. fast secure roaming
G. 802.11i
Answer: A,C,G
IS WRONG: The answer is ABC.
NO.52 A network engineer is implementing a wireless network and is considering deploying a single
SSID for device onboarding. Which option is a benefit of using dual SSIDs with a captive portal on the
onboard SSID compared to a single SSID solution?
A. limit of a single device per user
B. restrict allowed devices types
C. allow multiple devices per user
D. minimize client configuration errors
Answer: B
WRONG?: I guess the answer is D
Unfortunately the forum is not accepting my comments about questions 17, 47 and 52, which I believe are wrong.
I’ll try later.
Please share your comments.
@FCS32
Thanks for sharing
do you have any source for study??
The source is google and cisco.com.
Here are the answers to the above mentioned questions 17, 47 and 52, with the documents I’ve found on cisco.com:
NO.17 LAB
Answer:
Please refer to the link below in the Explanation to configure this simulation.
Example:
Use this link to configure all the steps for this simulation :
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116880-config-wpa2-psk-00.html
THE ANSWER IS WRONG: INCOMPLETE CONFIGURATION. WPA MUST ALSO BE CONFIGURED (MAYBE TKIP): http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116880-config-wpa2-psk-00.html
The documents I’ve found on cisco.com to answer questions 17, 47 and 52 are:
17. THE ANSWER IS WRONG: INCOMPLETE CONFIGURATION. WPA MUST ALSO BE CONFIGURED (MAYBE TKIP):
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116880-config-wpa2-psk-00.html
47. PART 1 OF THE ANSWER: REQUISITES FOR WPA/WPA2-Enterprise AUTHENTICATION
The authentication method used to verify the user (and server) credentials on WPA/WPA2-Enterprise networks is defined in the IEEE 802.1X standard. This requires an external server called a Remote Authentication Dial In User Service (RADIUS) or Authentication, Authorization, and Accounting (AAA) server, which is used for a variety of network protocols and environments including ISPs.
A RADIUS server understands the Extensible Authentication Protocol (EAP) language and communicates with the wireless APs, referred to as RADIUS clients or authenticators.
http://www.ciscopress.com/articles/article.asp?p=1576225&seqNum=2
PART TWO OF THE ANSWER: THE MIGRATION from WPA-Personal to Enterprise (THE EXACT QUESTION).
Personal WPA relies on a PSK secret (Pre-Shared Key), and you don’t need an external server to perform authentication
Enterprise WPA (as defined in the 802.11i standard) uses WPA2 with AES-CCM encryption, and authentication is based on 802.1x/EAP using the RADIUS protocol.
So to migrate from WPA-Personal to Enterprise, you need to use an external server performing the RADIUS authentication.
For this authentication to happen, many EAP methods can be used: EAP-TLS, EAP-TTLS, PEAP, EAP-MD5, LEAP and EAP-FAST (the last two methods being Cisco-Proprietary)
https://learningnetwork.cisco.com/thread/66042
52. PART 1 OF THE ANSWER:
OPTIONS A AND C ARE NOT APPLICABLE SINCE BOTH METHODS ALLOW ONBOARDING OF OWN DEVICES, SO THE NUMBER OF DEVICES IS NOT RELEVANT.
APPARENTLY THE SUPPORTED DEVICE TYPES DO NOT DEPEND ON THE METHOD USED FOR ONBOARDING, SO OPTION B MAY NOT BE THE CORRECT ANSWER.
Windows, MacOS, iOS, or Android device — The native supplicant flow starts similarly regardless of device type by redirecting employees using a supported personal device to the SelfProvisioning portal to confirm their device information.
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_mydevices.html
52. PART 2 OF THE ANSWER:
ON THE OTHER HAND, THE RECOMMENDATIONS BELOW POINT OUT THE COMPLEXITY OF THE CLIENT CONFIGURATION FOR SINGLE-SSID USAGE (AD CREDENTIALS MUST BE AVAILABLE, THE ISE CERTIFICATE MUST BE TRUSTED BY THE CLIENT, ETC.), SO IT SEEMS TO ME THAT OPTION D MAY BE THE CORRECT OPTION.
In a single SSID design, the same WLAN is used for certificate enrollment, provisioning (on-boarding
process), and secure network access. There are some considerations that should be taken into
consideration while deploying a Single SSID solution:
52 PART 3 OF THE ANSWER:
1. Since the authentication method is PEAP, the user is expected to enter the AD credentials before the
registration process can begin. In the PEAP protocol, the server presents its identity certificate to
the end user. In this design, ISE presents its identity certificate to the endpoint. Some endpoints may
reject the certificate if the root certificate is not present in their list of trusted providers. During the
registration process, the root CA certificate is installed on the endpoint, but this can’t be done if the
initial dialog itself fails. Hence, this presents a chicken-and-egg problem. To prevent this from
happening the ISE identity certificate must be signed by a third-party trusted provider such as
VeriSign.
2. If the above cannot be done, then it is better to deploy dual SSID design.
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_Design_Guide/BYOD_Wireless.html#50182
52. PART 4 OF THE ANSWER:
Single or dual SSID—With single SSID, the same WLAN is used for certificate enrollment, provisioning, and network access. In a dual SSID deployment, there are two SSIDs: one provides enrollment and provisioning and the other provides secure network access.
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_mydevices.html
Now that all sources of study to answer the questions were given, I kindly invite you all to comment them and share your thoughts, especially about those I’m not sure if they are wrong.
Many thanks
Question 4 update:
I just confirmed the dump answer (AB) is wrong and the correct answer is the one I suggested (BE).
According to a footnote in the link I added to my comment above: ”The wlan_id or guest_lan_id must exist and be disabled, and the anchor_controller_ip_address must be a member of the default mobility group.”