
CCIE SEC v5 Diagnostic Set -1

Task Number-1: Authentication Issue


David from Acme Inc has opened a service request with Cisco TAC. He
describes the problem as: I am trying to authenticate a Windows 7
laptop using 802.1x against a Cisco ISE server. The laptop is connected to a
Cisco 3560-X. The user resides in Active Directory. All authentication
attempts are failing with a “RADIUS request dropped” error; we verified
that the password is being typed correctly.

Network diagram and email exchange between the TAC engineer and
customer are provided for the analysis.
With all the information available to you, what is the cause of the
authentication failure?

Point 1

Answer
Select an answer:
 UDP port 1812 is blocked between the switch and ISE
 Wrong EAP type is being used
 Incompatible Switch code
 Crypto Map not applied for Site-1 on GM3
 Encryption error between ISE and Active Directory
 RADIUS shared key is incorrect
 Shared secret between Windows and Switch is incorrect

live:rahulk_ashyap_1
Task Number-2: Redirection Issue
David from Acme Inc has opened a service request with Cisco TAC. He
describes the problem as: “We are trying to implement Guest access on our
switches using ISE and Central Web Authentication. We have configured
ISE and the Switches according to Cisco’s guides, but when the end user
opens a browser, they do not get redirected to the ISE guest portal. We
need help in troubleshooting this.”

Network diagram and email exchange between the TAC engineer and
customer are provided for the analysis.
With all the information available to you, what is the cause of this
problem?

Point 1

Answer
Select an answer:
 The URL redirect ACL does not allow access to cisco.com
 URL redirect only works when the original request is an intranet site
 The machine is authorized in the wrong domain
 Incompatible Switch Code
 The downloadable ACL does not allow traffic to UDP port 53
 ISE is configured on the wrong port for the portal.

Task Number-3: Authentication Issue
David from Acme Inc has opened a service request with Cisco TAC. He
describes the problem as: “I am trying to authenticate a Windows 7 laptop
using 802.1x against a Cisco ISE Server. The laptop is connected to a Cisco
3560-X. The authentication attempts keep failing with error 5400.”

Network diagram and email exchange between the TAC engineer and
customer are provided for the analysis.
With all the information available to you, what is the cause of this
problem?

Point 1

Answer
Select an answer:
 Enable EAP-TLS on the “Default Network Access” allowed protocol
object.
 Self-signed certificate cannot be used for EAP authentication
 The self-signed certificate needs to be trusted on the end point
 Dot1x priority is incorrect in switch interface configuration
 Client is rejecting the EAP protocol proposed by the ISE server.

Task Number-4: Network Accessibility Issue
David from Acme Inc has opened a service request with Cisco TAC. He
describes the problem as:
“We are trying to implement Guest access on our switches using ISE and
Central Web Authentication. We have configured ISE and the Switches
according to Cisco’s guides, but even after a successful authentication the
guest user is redirected back again and again to the guest portal page. They
do not get access to the network.”

Network diagram and email exchange between the TAC engineer and
customer are provided for the analysis.
With all the information available to you, what is the cause of this
problem?

Point 1

Answer
Select an answer:
 Switch is not able to accept new policies due to a defect.
 The switch is not configured to accept RADIUS CoA messages from ISE
 Wrong authorization result is applied to guest authorization policy.
 Guest credentials are incorrect
 The guest account is set to activate at a later date and time

Task Number-5: Profiling Issue
David from Acme Inc has opened a service request with Cisco TAC. He
describes the problem as:
“We are trying to implement profiling so as to use its results as a means to
authorize devices. For testing, we are using a Windows 7 laptop and ISE is
not able to profile it as such. The device shows up as an Intel device instead
of a Windows 7 Workstation.”

Network diagram and email exchange between the TAC engineer and
customer are provided for the analysis.
With all the information available to you, what is the cause of this
problem?

Point 1

Answer
Select an answer:
 User needs to be redirected to guest portal to profile correctly.
 Not enough probes have been enabled to profile a Windows machine
 ISE’s IP address is missing under VLAN1 as an ip helper-address
 Feed service has corrupted the profiling policies
 Device sensor configuration is incomplete

Task Number-6: Command Authorization Issue
David from Acme Inc has opened a service request with Cisco TAC. He
describes the problem as:
“We are trying to implement TACACS+ authentication and command
authorization on our Cisco switches with Cisco ISE as the server. We have
configured ISE and the switch as per the user guide, but we have a problem
with command authorization. All authorized users should be able to use
any show command, but they are not able to.”

Network diagram and email exchange between the TAC engineer and
customer are provided for the analysis.
With all the information available to you, what is the cause of this
problem?

Point 1

Answer
Select an answer:
 The user is authorized at privilege level 5, where the show command is not
available
 The implicit deny in the default authorization rule is causing command
authorization failure
 “Permit any command that is not listed below” should be enabled on
the command set
 Command set has wrong argument for the show command
 “Auto Command” should be “show” in the TACACS profile

Task Number-7: Performance Issue
Johnny X from CustomerNet Inc has opened a service request with Cisco
TAC. He describes the problem as “intermittent performance issue when
users are trying to access the Internet through WSA”

Network diagram and email exchange between the TAC engineer and
customer are provided for the analysis.
With all the information available to you, what is the cause of this
problem?

Point 1

Answer
Select an answer:
 Too many requests per second (overloaded appliance)
 Network issues and disabled PMTU discovery
 Chrome browser usage influences the performance, change the browser
and test again
 Destination server is responding slower than usual
 L4 traffic monitoring feature is on and causing the performance issues
 One of the DNS servers might be root cause of the issue.

Task Number-8: Access Issue
Johnny X from CustomerNet Inc has opened a service request with Cisco
TAC. He describes the problem as “intermittent issue with access to
specific HTTPS site access”

Network diagram and email exchange between the TAC engineer and
customer are provided for the analysis.
With all the information available to you, what should be the next step
suggested to the customer in order to resolve the issue?

Point 1

Answer
Select an answer:
 Configure decryption policy pass-through affected sites
 Test and check if server name extension is enabled on WSA
 Make sure to export WSA’s ROOT CA certificate and import it into the test
PCs’ Trusted Root Certificate Authorities store
 Test using openssl tool from other client, issue might be because site
uses SSLv3 protocol only, and client tries to negotiate using TLS v2
 One of the DNS Server might be root cause of the issue
 Disable upstream proxy and try if the site works again
 Test with another browser and collect the logs again
 Configure default access policy pass-through affected sites

Task Number-9: WSA TLS Decryption Issue

Johnny X from CustomerNet Inc has opened a service request with Cisco
TAC. He describes the problem as “Unable to access a website”

Network diagram and email exchange between the TAC engineer and
customer are provided for the analysis.
With all the information available to you, what is most likely to be the root
cause of the client not being able to access the requested website?

Point 1

Answer
Select an answer:
 When establishing the connection, the “SEED-SHA” cipher needs to be
enabled on the appliance
 Destination server requires a client certificate
 TLS 1.2 is not supported on the server and needs to be disabled so we
can fall back to TLS 1.0
 The intermediate candidate is not sent by the server and needs to be
imported
 It seems to be a browser error, as this cipher is not supported in the
browser of the client. Try another browser.

Task Number-10: ESA Rejecting Emails
Johnny X from CustomerNet Inc has opened a service request with Cisco
TAC. He describes the problem as “External senders are not able to send
emails”

Network diagram and email exchange between the TAC engineer and
customer are provided for the analysis.
With all the information available to you, what is most likely to be the root
cause of the ESA rejecting many senders?

Point 1

Answer
Select an answer:
 The Default parameter for concurrent connections is very low with a
Value of “10”. Increase this Value to “100”
 Senderbase was never contacted and therefore, the Reputation
Filtering is causing issues.
 The email contains Malware and The Outbreak is putting it in
Quarantine.
 The email contains a malicious URL and is blocked by a Content filter
named “CFDefandMaliciousUrls”
 The Sender needs to be resolvable via DNS and this is not the case
“Check your DNS server”
 The SBRS score of “none” is included in the “BLACKLIST”. Remove this
setting and add the SBRS score of “none” to the “SUSPECTLIST”
