350-701 Practice Questions

Explanation

Two-factor authentication adds a second layer of security to your online accounts. Verifying your identity using a

second factor (like your phone or other mobile device) prevents anyone but you from logging in, even if they

know your password.

Note: Single sign-on (SSO) is a property of identity and access management that enables users to securely

authenticate with multiple applications and websites by logging in only once with just one set of credentials

(username and password). With SSO, the application or website that the user is trying to access relies on a

trusted third party to verify that users are who they say they are.

 The Cisco WSA supports mainly two authentication protocols: LDAP and NTLM. LDAP is a standard protocol for accessing directory services, such as Active Directory or OpenLDAP. NTLM is a proprietary protocol for authenticating Windows clients to Windows servers. NTLM has two versions: NTLMv1 and NTLMv2. NTLMSSP (NT LAN Manager Security Support Provider) is a variant of NTLMv2 that provides additional security features, such as message integrity and confidentiality. The Cisco WSA supports both LDAP and NTLMSSP using basic authentication, which requires the user to enter a username and password. The Cisco WSA also supports Kerberos, which is a network authentication protocol that uses tickets to authenticate users and services. Kerberos is based on symmetric-key cryptography and requires a trusted third party, called the Key Distribution Center (KDC), to issue and validate tickets. Kerberos is more secure and efficient than NTLM, as it does not require the user to enter credentials repeatedly and does not send passwords over the network. The Cisco WSA supports Kerberos only in standard mode, not in cloud connector mode. The Cisco WSA does not support TACACS+ or CHAP as authentication protocols. TACACS+ is a Cisco proprietary protocol for authenticating network devices and users to a central server. CHAP is a challenge-response protocol for authenticating PPP connections. These protocols are not designed for web security appliances and are not compatible with the Cisco WS

A.  

User Guide for AsyncOS 11.0 for Cisco Web Security Appliances (Section: Acquire End-User Credentials)

Cisco WSA Authentication

WSA Authentication

IKEv1 has two modes of operation: main mode and aggressive mode. Main mode uses six messages to establish the IKE SA, while aggressive mode uses only three messages. Therefore, aggressive mode is faster than main mode, but less secure, as it exposes the identities of the peers in cleartext. This makes it vulnerable to man-in-the-middle attacks. IKEv2 does not have these modes, but uses a single four-message exchange to establish the IKE S

A.  

IKEv1 uses EAP authentication only for remote access VPNs, not for site-to-site VPNs. IKEv2 supports EAP authentication for both types of VPNs. EAP authentication allows the use of various authentication methods, such as certificates, tokens, or passwords.

IKEv1 conversations are initiated by the ISAKMP header, which contains the security parameters and the message type. IKEv2 conversations are initiated by the IKE_SA_INIT message, which contains the security parameters, the message type, and the message I

D.  

NAT-T is supported by both IKEv1 and IKEv2. NAT-T stands for Network Address Translation-Traversal, and it is a mechanism that allows IKE and IPsec traffic to pass through a NAT device. NAT-T detects the presence of NAT and encapsulates the IKE and IPsec packets in UDP headers, so that they can be translated by the NAT device. References:

IKEv1 vs IKEv2 – What is the Difference?

Comparison between IKEv1 and IKEv2

IKEv2 vs IKEv1: What are the differences?