642-591 - CANAC - Implementing Cisco NAC Appliance
Where is a local user validated?
At the Cisco NAM
What is the local user account primarily used for?
For testing or for guest user accounts
Which three components comprise a Cisco NAC Appliance Solution? (Choose three.)
A Linux Server for in-band or out-of-band network admission control
A Linux Server for Centralized Management of network admission servers
A NAC-enabled Cisco Switch
What does the secondary Cisco NAM do after it reboots from its initial configuration?
Automatically synchronizes its database with the primary Cisco NAM
Which interface is always used by Cisco NAM failover peers to support inter-peer connections?
The eth1 interface
In Cisco NAC Appliance Solutions, which statement is correct regarding devices on the certified list?
A device is not required to be rescanned at the next login as long as its MAC address is in the certified list
Which Cisco NAS Appliance out-of-band solution statement is correct?
The switchport access and authentication VLAN information is sent to the Access switch from the Cisco NAM
You are implementing switch management in a Cisco NAM for out-of-band deployment. Once communication between the switch and the Cisco NAM has been verified, what is configured next?
Configure the Switches to use the appropriate SNMP settings
How do you ensure that the Cisco NAS has the most recent version of the Cisco NAA to install on user devices?
Each time the Cisco NAA is upgraded, the Cisco NAM automatically downloads the new version of Cisco NAA to all Cisco NAS Servers
When the Cisco NAS is configured for Windows Active Directory SSO, to which component in a Cisco NAC Appliance solution does the client make a request for a Kerberos Service ticket?
Microsoft Windows Active Directory Server
When trying to restrict a guest-role end user to a host that has multiple or dynamic IP Addresses, the administrator would create which type of policy?
Host-based traffic Control Policy
What is an exempt device?
A device that does not have to go through certification while its MAC address remains on the certified list
A college network administrator wants to restrict access to specific, targeted subnets by role such as student, administration, faculty and guest roles. How would this be accomplished using the Cisco NAM?
Define an IP-Based traffic Control Policy for each role that specifies the target subnets
Which Cisco NAC appliance out-of-band solution statement is correct?
The switchport access and authentication VLAN information is sent to the access switch from the Cisco NAM
The NAS is configured to autogenerate an IP Address pool of 30 subnets with a netmask of /30, beginning at address 192.168.10.0. Which IP Address is leased to the end-user host on the second subnet?
If an administrator configures interfaces E0, E1 and S0 to support NAM high-availability failover, what information is exchanged over these interfaces?
NAM run-time data activities, UDP heartbeat signals, redundant heartbeat signals
Which features must be configured to ensure that users can perform update and remediation?
Session timeouts and traffic control policies
Which two functions can a Cisco NAC Appliance Agent be configured to perform? (Choose two.)
Perform registry, service and application checks
Check for up-to-date antivirus and antispam files
Why is it critically important to maintain clock synchronization between Cisco NAC Appliance components?
Cisco NAC Appliance Components communicate using SSL Certificates, which rely on accurate time to function correctly
How does the Cisco NAM determine the presence of vulnerability without using the Cisco NAA on the client machine?
The Nessus network scan report matches a defined role-based or OS-based vulnerability on the Cisco NAM
What must be done to upgrade a Cisco NAC Appliance implementation to take advantage of a major release of NAC Appliance?
Upgrade the Cisco NAM servers and Cisco NAS servers concurrently
Which high-availability option is supported by a Cisco NAC Appliance Solution?
Cisco NAM and Cisco NAS redundancy
In an out-of-band Cisco NAC Appliance high-availability deployment, why must port security be disabled between the switch interfaces to which the Cisco NAS and Cisco NAM are connected?
Port Security can interfere with Cisco NAS high availability and DHCP delivery
A search of available switches has been performed and a list of switches is presented. Which two SNMP attributes need to match what is configured in the Cisco switch profile for a listed switch to be added to the Cisco NAM? (Choose two.)
SNMP read version
SNMP read community String
A CA-signed certificate is returned from the CA authority and the private key on which the CA certificate is based no longer matches the one in the Cisco NAS. What should the administrator do?
Reimport the old private key and then install the CA-signed certificate
When configuring the Cisco NAM to implement Cisco NAA requirement checking on client machines, what is the next step after configuring checks and rules?
A small public library wants to implement network admission control for their public wireless network and their internal wired network. Their network contains switches from a variety of vendors. Which Cisco NAC Appliance solution would best suit this client?
An in-band Cisco NAS deployment and a Cisco NAM
In a Cisco NAM high-availability configuration, when does the secondary Cisco NAM take over?
When the UDP heartbeat signal is not transmitted and received within a certain time period
In a Layer 3 out-of-band deployment, which Cisco NAC Appliance component provides the client-machine IP Address to MAC address mapping?
How is Cisco NAC Appliance Network Scanning Configured?
Per user role
What is an advantage of a Layer 2 out-of-band virtual gateway deployment using port-based VLAN assignment?
Simplifies implementation as client IP addresses are not changed
When trying to restrict a guest role to a specific library server using a specific protocol, such as HTTP, the administrator would create which type of policy?
IP-Based Traffic Control Policy
What are two pairs of attributes of traffic policies? (Choose two.)
Global and local
Directional and hierarchical
What method is used to pass traffic from the client to the Cisco NAS in an in-band Virtual-Gateway L2 deployment?
Use VLAN traffic to aggregate the traffic from the client subnets and configure VLAN mapping between the auth and access VLANs
Why are managed subnets configured in out-of-band virtual gateway mode?
Configure the Cisco NAS with an IP Address in the untrusted VLAN that Cisco NAS can use to send ARP requests in that particular VLAN
In a Cisco NAC Appliance Windows Active Directory SSO Deployment, what are the cached credentials and Kerberos TGT from the client-machine Windows login used for?
They are used to validate the user authentication with the backend Windows Active Directory Server
When configuring an in-band central-deployment virtual gateway on the Cisco NAS, what must be configured to ensure that the interface traffic on the same Layer 2 switch does not create a loop?
In the VLAN mapping form, map the untrusted interface VLAN ID to a trusted network VLAN ID
When using Windows Active Directory Single-Sign-On (SSO), the Cisco NAA on the client machine will ask the client machine for a service Ticket (ST) with which username to communicate with the Cisco NAS?
The Cisco NAS username
Based on the Boolean order of precedence, how would Cisco NAC Appliance evaluate the following rule? AdAwareLogRecent&(NorAVProcessIsActive|SymAVProcessIsActive)
(Either the Norton Antivirus or the Symantec Antivirus process is active) and (there is a recent Ad Aware log entry)
In an edge deployment of an in-band virtual-gateway Cisco NAC Appliance solution, how does the Cisco NAS ensure that authenticated client traffic arrives at the correct default gateway?
Cisco NAS interfaces are connected to trunked ports to provide VLAN passthrough to the correct gateway
Which type of certificate is recommended in a high-availability Cisco NAM configuration for the service IP Address?
Which NAC Appliance Component performs network scanning?
Cisco NAC Appliance Server
Which default Administrator group has delete permissions?
After you implement a network scan and view the report, you notice that a plug-in did not access any of its dependent plug-ins. What did you forget to do?
Load the dependent plug-ins for that plug-in in the Plug-in updates form
Which Cisco NAC Appliance Component performs network scanning?
Cisco NAC Appliance Server