300-715 Question #407: Real Exam Question with Answer & Explanation
This question assesses the test-taker's ability to correctly configure a Cisco switch interface for 802.1X and MAC Authentication Bypass (MAB) by dragging the appropriate CLI commands into the correct sequence.
Question
Drag and Drop Question
Drag and drop the CLI commands from the bottom onto the boxes in the code to enable 802.1x authentication and MAB on the same interface of a Cisco switch. Not all options are used.
Explanation
Approach. To enable both 802.1X and MAB on a Cisco switch interface, specific commands must be applied in a logical order:
- Blank 1: authentication order dot1x mab
  - This command sets the order in which authentication methods are attempted. dot1x is tried first, and if it fails or times out, then mab (MAC Authentication Bypass) is attempted. This is crucial for enabling both methods.
- Blank 2: dot1x pae authenticator
  - This command enables the 802.1X Port Access Entity (PAE) in authenticator mode on the interface, making the switch an authenticator for connected devices.
- Blank 3: authentication host-mode multi-auth
  - This command configures the interface to allow multiple hosts to authenticate independently. In a scenario with MAB and 802.1X, this is often necessary to allow various device types (e.g., IP phone and PC) to connect and authenticate, or multiple MAB devices.
- Blank 4: mab
  - This command explicitly enables MAC Authentication Bypass (MAB) on the interface, allowing devices to authenticate based on their MAC addresses against a RADIUS server if 802.1X fails or is not supported.
Following these steps ensures that the interface properly attempts 802.1X, falls back to MAB, and allows multiple authenticated devices.
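An added example, not part of the original question or its explanation: a short Python audit that checks each interface stanza of a saved configuration for the four commands from the blanks above and reports ports that deviate. The sample configuration, the function names and the "authentication port-control auto" lines are assumptions made for the illustration.

```python
# The four interface commands from the answer, in blank order.
REQUIRED = ("authentication order dot1x mab", "dot1x pae authenticator",
            "authentication host-mode multi-auth", "mab")
# Settings whose other values are worth showing next to a "missing" finding.
OVERRIDES = ("authentication order ", "authentication host-mode ")

# Constructed sample; "authentication port-control auto" is assumed context, not a blank.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 authentication order dot1x mab
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 authentication order mab dot1x
 authentication host-mode multi-domain
 authentication port-control auto
 dot1x pae authenticator
!
"""

def parse_interfaces(config):
    """Map each interface name to its whitespace-normalized sub-commands."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(" ".join(raw.split()))
        else:
            current = None  # "!" or a global command ends the stanza
    return interfaces

def audit(config):
    """Return {interface: findings} for ports lacking any required command."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        findings = [f"missing: {req}" for req in REQUIRED if req not in cmds]
        findings += [f"found instead: {c}" for c in cmds
                     if c.startswith(OVERRIDES) and c not in REQUIRED]
        if findings:
            report[name] = findings
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

On the sample, the first port passes and the second is reported because it reverses the method order, uses a different host mode and never enables mab.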
Common mistakes.
- Several options in the command pool are incorrect or misplaced:
  - dot1x: While related to 802.1X, dot1x pae authenticator is the specific command to enable 802.1X on the interface as an authenticator, making dot1x by itself an incomplete or incorrect choice for this blank.
  - authentication host-mode domain: This host mode is typically used for scenarios involving IP phones (where the phone handles 802.1X and the PC behind it uses a different authentication mechanism or no authentication). It's not the correct mode for enabling multiple independent authentications via 802.1X or MAB on a general access port, which is handled by multi-auth.
  - authentication answer dot1x mab: This is not a valid Cisco IOS command for configuring 802.1X or MAB authentication methods in this context. It appears to be a fabricated command to mislead the test-taker.
- Incorrect order of correct commands: Even if the correct commands are selected, placing them in the wrong blanks would result in an incorrect or non-functional configuration. For example, enabling mab before defining the authentication order might not work as intended, or setting the host-mode before enabling 802.1X itself is illogical.
Concept tested. Cisco switch security configuration, specifically implementing 802.1X Port-Based Authentication and MAC Authentication Bypass (MAB) on an access port, including understanding authentication order, host modes, and enabling the respective features.