Securing Cisco Wireless Enterprise Networks · A customer is concerned about denial of service...


Page 1: Securing Cisco Wireless Enterprise Networks · A customer is concerned about denial of service attacks that impair the stable operation of the corporate ... wireless networks within

Securing Cisco Wireless Enterprise Networks

Cisco 300-375 Dumps Available Here at:

https://www.certification-questions.com/cisco-exam/300-375-dumps.html

Enrolling now you will get access to 131 questions in a unique set of 300-

375 dumps

Question 1 Which two considerations must a network engineer have when planning for voice over wireless roaming? (Choose two.)

Options:

A. Roaming with only 802.1x authentication requires full reauthentication.

B. Roaming time increases when using 802.1x + Cisco Centralized Key Management.

C. Full reauthentication introduces gaps in a voice conversation.

D. Roaming occurs when the phone has reached -80 dBs or below.

E. Roaming occurs when the phone has seen at least four APs.

Answer: A, C

Explanation:

In the absence of CCKM, a WPA/WPA2 client must perform a full EAP authentication to a remote AAA/RADIUS server, followed by a WPA/WPA2 4-way handshake, whenever it roams. This process can take more than one second. With CCKM, the roaming client and WLC can use pre-established keying material to immediately establish a PTK, normally within a few tens of milliseconds.

Question 2 When you configure BYOD access to the network, you face increased security risks and challenges. Which challenge is resolved by deploying digital client certificates?

Options:

A. managing the increase in connected devices

B. ensuring wireless LAN performance and reliability

C. providing device choice and support

Cisco 300-375

https://www.certification-questions.com

Page 2: Securing Cisco Wireless Enterprise Networks · A customer is concerned about denial of service attacks that impair the stable operation of the corporate ... wireless networks within

D. enforcing company usage policies

Answer: D

Explanation:

Deploying digital certificates to endpoint devices requires a network infrastructure that provides the security and flexibility to enforce different security policies, regardless of where the connection originates. This solution focuses on providing digital certificate enrollment and provisioning while enforcing different permission levels.

Reference: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/byoddg.html

Question 3 Refer to the exhibit.

What is the 1.1.1.1 IP address?

Options:

A. the wireless client IP address

B. the RADIUS server IP address

C. the controller management IP address

D. the lightweight AP IP address

E. the controller A-manager IP address


F. the controller virtual interface IP address

Answer: F

Explanation:

Web Authentication Process

This is what occurs when a user connects to a WLAN configured for web authentication:

- The user opens a web browser and enters a URL, for example, http://www.cisco.com. The client sends out a DNS request for this URL to get the IP address of the destination. The WLC passes the DNS request through to the DNS server, and the DNS server responds with a DNS reply that contains the IP address of the destination www.cisco.com. This, in turn, is forwarded to the wireless client.

- The client then tries to open a TCP connection with the destination IP address. It sends out a TCP SYN packet destined to the IP address of www.cisco.com.

- The WLC has rules configured for the client and hence can act as a proxy for www.cisco.com. It sends back a TCP SYN-ACK packet to the client with the IP address of www.cisco.com as the source. The client sends back a TCP ACK packet in order to complete the three-way TCP handshake, and the TCP connection is fully established.

- The client sends an HTTP GET packet destined to www.cisco.com. The WLC intercepts this packet and sends it for redirection handling. The HTTP application gateway prepares an HTML body and sends it back as the reply to the HTTP GET requested by the client. This HTML makes the client go to the default webpage URL of the WLC, for example, http://<Virtual-Server-IP>/login.html.

- The client closes the TCP connection with the IP address of www.cisco.com.

- Now the client wants to go to http://1.1.1.1/login.html. Therefore, the client tries to open a TCP connection with the virtual IP address of the WLC. It sends a TCP SYN packet for 1.1.1.1 to the WLC.

- The WLC responds with a TCP SYN-ACK, and the client sends back a TCP ACK to the WLC in order to complete the handshake.

- The client sends an HTTP GET for /login.html destined to 1.1.1.1 in order to request the login page.

- This request is allowed through to the web server of the WLC, and the server responds with the default login page. The client receives the login page in the browser window, where the user can go ahead and log in.

Reference: http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/69340-web-auth-config.html#backinfo
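As an added illustration (not part of the original question set or of Cisco's documentation), the following Python model replays the exchange above as a small state machine: DNS is allowed through before login, the controller answers the TCP handshake itself, a GET for any other host is answered with a page that sends the browser to the portal on the virtual IP, and only a successful login moves the client into the RUN state in which traffic is forwarded. The virtual IP 1.1.1.1 comes from the question; the DNS table, the client MAC, the user database, the state names and the packet fields are constructed simplifications, not the controller's real data structures.

```python
from dataclasses import dataclass, field

# Virtual interface address of the controller, as in the question's exhibit.
VIRTUAL_IP = "1.1.1.1"
LOGIN_URL = f"http://{VIRTUAL_IP}/login.html"

# Constructed stand-ins. A real WLC forwards the DNS query to the configured
# DNS server and checks credentials against its local net-user list or RADIUS.
DNS_TABLE = {"www.cisco.com": "198.51.100.10"}
VALID_USERS = {"contractor1": "correct-horse-battery"}


@dataclass
class Client:
    mac: str
    state: str = "WEBAUTH_REQD"      # pre-login state; becomes RUN after login
    trail: list = field(default_factory=list)   # (request, controller reply) pairs


class WebAuthController:
    """Minimal model of the WLC policy engine for a web-auth WLAN."""

    def handle(self, client: Client, pkt: dict) -> dict:
        reply = self._policy(client, pkt)
        client.trail.append((pkt["type"], reply["type"]))
        return reply

    def _policy(self, client: Client, pkt: dict) -> dict:
        if client.state == "RUN":
            return {"type": "forward"}          # authenticated: traffic passes

        kind = pkt["type"]
        if kind == "dns":
            # Step 1: name resolution is permitted before login.
            return {"type": "dns-reply", "ip": DNS_TABLE.get(pkt["name"])}
        if kind == "tcp-syn":
            # Steps 2-3 and 6-7: the WLC completes the handshake itself,
            # using the requested destination as the source address.
            return {"type": "tcp-syn-ack", "src": pkt["dst"]}
        if kind == "http-get":
            if pkt["dst"] == VIRTUAL_IP and pkt["path"] == "/login.html":
                # Steps 8-9: the portal request reaches the WLC web server.
                return {"type": "http-200", "body": "<form action='/login.html'>"}
            # Step 4: any other GET is intercepted and answered with a page
            # that points the browser at the portal URL.
            return {"type": "http-200", "redirect": LOGIN_URL}
        if kind == "http-post" and pkt["dst"] == VIRTUAL_IP:
            # Credential submission; success moves the client to RUN.
            if VALID_USERS.get(pkt["user"]) == pkt["password"]:
                client.state = "RUN"
                return {"type": "http-200", "body": "login successful"}
            return {"type": "http-401"}
        # Anything else from an unauthenticated client is dropped.
        return {"type": "drop"}


def run_flow(user: str, password: str) -> Client:
    """Replay the exchange described above for one client and return it."""
    wlc = WebAuthController()
    client = Client(mac="00:11:22:33:44:55")    # constructed client MAC
    site_ip = DNS_TABLE["www.cisco.com"]
    wlc.handle(client, {"type": "dns", "name": "www.cisco.com"})
    wlc.handle(client, {"type": "tcp-syn", "dst": site_ip})
    wlc.handle(client, {"type": "http-get", "dst": site_ip, "path": "/"})
    wlc.handle(client, {"type": "tcp-syn", "dst": VIRTUAL_IP})
    wlc.handle(client, {"type": "http-get", "dst": VIRTUAL_IP, "path": "/login.html"})
    wlc.handle(client, {"type": "http-post", "dst": VIRTUAL_IP,
                        "user": user, "password": password})
    # Probe: does ordinary traffic to the internet pass after the login attempt?
    wlc.handle(client, {"type": "tcp-data", "dst": site_ip})
    return client


if __name__ == "__main__":
    for request, reply in run_flow("contractor1", "correct-horse-battery").trail:
        print(f"{request:10} -> {reply}")
```

Running the module prints one line per step of the exchange. The last probe is the part worth watching: with a wrong password the client stays in WEBAUTH_REQD and its data packet is dropped, which is the behaviour the pre-authentication ACL on a real controller enforces.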

Question 4 A customer is concerned about denial of service attacks that impair the stable operation of the corporate wireless network. The customer wants to purchase mobile devices that will operate on the corporate wireless network. Which IEEE standard should the mobile devices support to address the customer concerns?

Options:

A. 802.11w

B. 802.11k


C. 802.11r

D. 802.11h

Answer: A

Explanation:

The IEEE goal with 802.11w is to protect management frames in 802.11 networks. This gives wireless networks within organisations protection against numerous DoS attacks targeted at the Media Access Control (MAC) layer 2. The 802.11w standard provides protection in the following ways:

• Protecting unicast management frames from forgery and disclosure attacks by encrypting the unicast management frames between an access point and the client.

• Protecting broadcast management frames from forgery attacks.

• Protecting broadcast deauthentication and disassociation frames from forgery attacks.

Reference: https://www.sans.org/reading-room/whitepapers/wireless/80211-denial-service-attacks-mitigation-2108 (Please refer to section "802.11w to the rescue")

Question 5 Which two 802.11 methods can be configured to protect card holder data? (Choose two.)

Options:

A. CCMP

B. WEP

C. SSL

D. TKIP

E. VPN

Answer: C, E

Explanation:

Reference: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Compliance/Compliance_DIG/

Question 6 An engineer is changing the authentication method of a wireless network from EAP-FAST to EAP-TLS. Which two changes are necessary? (Choose two.)

Options:

A. Cisco Secure ACS is required.

B. A Cisco NAC server is required.


C. All authenticating clients require their own certificates.

D. The authentication server now requires a certificate.

E. The users require the Cisco AnyConnect client.

Answer: C, D

Explanation:

Reference: http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-1300-series/prod_qas09186a00802030dc.html

Question 7 Which mobility mode must a Cisco 5508 Wireless Controller version 8.0 be in to use the MA functionality on a Cisco Catalyst 3850 Series Switch with a Cisco 5508 Wireless Controller as an MC?

Options:

A. classic mobility

B. new mobility

C. converged access mobility

D. auto-anchor mobility

Answer: B

Explanation:

Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/configuring_new_mobility.html

Question 8 WPA2 Enterprise with 802.1x is being used for clients to authenticate to a wireless network through an ACS server. For security reasons, the network engineer wants to ensure that only PEAP authentication can be used. The engineer sent instructions to clients on how to configure their supplicants, but users still appear in the ACS logs authenticating with EAP-FAST. Which option describes the most efficient way the engineer can ensure these users cannot access the network unless the correct authentication mechanism is configured?

Options:

A. Enable AAA override on the SSID, gather the usernames of these users, and disable their RADIUS accounts until they make sure they correctly configured their devices.

B. Enable AAA override on the SSID and configure an access policy in ACS that denies access to the list of MACs that have used EAP-FAST.

C. Enable AAA override on the SSID and configure an access policy in ACS that allows access only when the EAP authentication method is PEAP.

D. Enable AAA override on the SSID and configure an access policy in ACS that puts clients that authenticated using EAP-FAST into a quarantine VLAN.

Answer: D

Question 9 Scenario

Refer to the exhibit. The East-WLC-2504A controller has been configured for WPA2 + PSK, although it isn't working properly. Refer to the exhibit to resolve the configuration issues.

WLAN ID: 11

Profile Name: Contractors

SSID: Contractors

VLAN: 2

Note, not all menu items, text boxes, or radio buttons are active.

Topology

Virtual Terminal

Which configuration changes need to be made to allow WPA2 + PSK to operate properly on the East-WLC-2504A controller? (Choose four.)

Options:

A. Disable Dynamic AP Management.

B. Click on the Status Enabled radio button.

C. Change the Layer 3 Security to Web Policy.

D. Change the WPA + WPA2 Parameters to WPA2 Policy-AES.

E. Change the PSK Format to HEX.

F. Change the WLAN ID.

G. Change the VLAN Identifier.

H. Change the IP Address of the Virtual interface.

I. Change the IP Address of the Virtual interface.

J. Change the SSID name of the WLAN.

K. Click on the PSK radio button and add the password in the text box.

Answer: B, F, J, K

Question 10 An engineer is configuring a new mobility anchor for a WLAN on the CLI with the config wlan mobility anchor add 3 10.10.10.10 command, but the command is failing. Which two conditions must be met to be able to enter this command? (Choose two.)

Options:


A. The anchor controller IP address must be within the management interface subnet.

B. The anchor controller must be in the same mobility group.

C. The WLAN ID must be enabled.

D. The mobility group keepalive must be configured.

E. The indicated WLAN ID must be present on the controller.

Answer: A, B

Would you like to see more? Don't miss our 300-375 PDF file at: https://www.certification-questions.com/cisco-pdf/300-375-pdf.html
