
Section 5.0: Implement Identity Authentication (12 Points)

Question 5.1: User-level access control (4 points)

Question: The question says not to use the default method list. How many named method lists can be used?
Answer: It does not matter how many, as long as you fulfill the requirement. However, two named method lists should do and will fulfill all the requirements.
Question: Do I need to configure an explicit named method list for console line authentication?
Answer: Yes. Because the question clearly says “Ensure that the console port is unaffected by this task,” this must be fulfilled by configuring a separate named method list with the none method to exempt the console line from any form of authentication. This also protects you from being locked out of the router by any unforeseen errors during the configuration.
Question: What name should be used when configuring the named method list?
Answer: Because the question does not restrict or mention anything about this, you can use any naming convention convenient to you.
Question: Do I need to be explicit when opening the ACL on the ASA1/abc1 context for Telnet sessions (TCP/23)?
Answer: Because the question does not restrict or mention anything about this ACL, you can permit from any source to any destination. However, as a best practice, I recommend that you write the most specific ACL possible, because you know the destination IP address in this task: permit any source IP address to destination Sw1 (192.168.8.11) on TCP port 23. Again, this is just a recommendation, not a requirement.
Question: The question says that both users must be assigned to the Default group. Can they be in any group, as long as they are in the same group, or must I use the built-in Default group?
Answer: Both users must be in the system Default group.
Question: When I browse the User Setup in Cisco Secure ACS, I am unable to see the user-level Network Access Restriction (NAR) option.
Answer: To enable the user-level NAR option, go to the Interface Configuration menu and select Advanced Options. Then select the checkbox User-Level Network Access Restrictions.

Question 5.2: Role-based access control (4 points)

Question: The question says not to use the default method list. How many named method lists can be used?
Answer: It does not matter how many, as long as you fulfill the requirement. However, two named method lists should do and will fulfill all the requirements.
Question: Do I need to configure an explicit named method list for console line authentication?
Answer: Yes. Because the question clearly says “Ensure that the console port is unaffected by this task,” this must be fulfilled by configuring a separate named method list with the none method to exempt the console line from any form of authentication. This also protects you from being locked out of the router by any unforeseen errors during the configuration.
Question: What name should I use when configuring the named method list?
Answer: Because the question does not restrict or mention anything about this, you can use any naming convention convenient to you.
Question: Do I need to be explicit when opening the ACL on the ASA1/abc2 context for Telnet sessions (TCP/23)?
Answer: Because the question does not restrict or mention anything about this ACL, you can permit from any source to any destination. However, as a best practice, I recommend that you write the most specific ACL possible, because you know the destination IP address in this task: permit any source IP address to destination R2 (192.168.4.11) on TCP port 23. Again, this is just a recommendation, not a requirement.
Question: Do I need to be explicit when opening the ACL on the ASA1/abc2 context for TACACS+ sessions (TCP/49)?
Answer: Because the question does not restrict or mention anything about this ACL, you can permit from any source to any destination. However, as a best practice, I recommend that you write the most specific ACL possible, because you know both the source and the destination IP address in this task: permit source R2 (192.168.4.11) to the destination Cisco Secure ACS server (192.168.2.14) on TCP port 49. Again, this is just a recommendation, not a requirement.
Question: When I browse the User Setup in Cisco Secure ACS, I am unable to see the custom TACACS+ attribute option.
Answer: By default, the TACACS+ custom attribute box under User Setup is not visible. Figure 1-13 shows how to enable it under TACACS+ (Cisco IOS) in the Interface Configuration menu on the Cisco Secure ACS server. Select the checkbox Display a window for each service selected in which you can enter customized TACACS+ attributes.
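The named method lists, the console exemption and the specific ACLs discussed in Questions 5.1 and 5.2 above, pulled together as one added configuration example. This is not the book's solution: the method-list names (VTY-AUTH, CONSOLE-NONE), the ACL name (OUTSIDE-IN), the ASA interface name (outside) and the TACACS+ key are assumptions; the IP addresses are the ones the questions give.

```cisco
! ===== Cisco IOS device (Sw1 for Question 5.1, R2 for Question 5.2) =====
! Added example, not from the book. VTY-AUTH, CONSOLE-NONE and the key are assumptions.
aaa new-model
!
! Named list for remote (VTY) logins: ask the TACACS+ server group first,
! fall back to the local user database if the server cannot be reached.
aaa authentication login VTY-AUTH group tacacs+ local
!
! Named list with the none method, bound ONLY to the console, so the console
! port is unaffected by the task and a broken list cannot lock you out.
aaa authentication login CONSOLE-NONE none
!
tacacs-server host 192.168.2.14 key <TACACS-KEY-PLACEHOLDER>
!
line con 0
 login authentication CONSOLE-NONE
!
line vty 0 4
 login authentication VTY-AUTH
 transport input telnet
!
! Verify that the default list is untouched and each line uses the named list:
!   show aaa method-lists authentication
!   show running-config | section line

! ===== ASA1, context abc1 (Question 5.1): Telnet to Sw1 only =====
! OUTSIDE-IN and "outside" are assumed names.
access-list OUTSIDE-IN extended permit tcp any host 192.168.8.11 eq telnet
access-group OUTSIDE-IN in interface outside

! ===== ASA1, context abc2 (Question 5.2): Telnet to R2, TACACS+ from R2 to ACS =====
access-list OUTSIDE-IN extended permit tcp any host 192.168.4.11 eq telnet
access-list OUTSIDE-IN extended permit tcp host 192.168.4.11 host 192.168.2.14 eq tacacs
access-group OUTSIDE-IN in interface outside
```

The point of the two separate lists is that nothing in the default list is touched, so a device that still references the default list behaves exactly as before, while the console is explicitly exempted rather than left to inherit whatever the default list resolves to. The ACL lines follow the answers' recommendation of naming the known destination (and, for TACACS+, the known source) instead of permit any any.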