SY0-501 Question #289: Real Exam Question with Answer & Explanation
The correct answer is D: TACACS server 192.168.1.100 (the option's 'TACAS' is a typo for TACACS+). This question tests centralized AAA (Authentication, Authorization, and Accounting) for network device administration. A TACACS+ server can authenticate administrators against LDAP or Active Directory, authorize each command against a preset command set before the device runs it, and log every command to a central accounting facility. No other option does all three, and option B is a directory distinguished name, not a configuration command.
Question
A security administrator is tasked with implementing centralized management of all network devices. Network administrators will be required to log on to network devices using their LDAP credentials. All commands executed by network administrators on network devices must fall within a preset list of authorized commands and must be logged to a central facility. Which of the following configuration commands should be implemented to enforce this requirement?
Options
- A. LDAP server 10.55.199.3
- B. CN=company, CN=com, OU=netadmin, DC=192.32.10.233
- C. SYSLOG SERVER 172.16.23.50
- D. TACAS server 192.168.1.100
Explanation
This question tests centralized AAA (Authentication, Authorization, and Accounting) for network device administration. The requirement has three parts that one configuration must satisfy together: administrators authenticate with their LDAP credentials, every command they run is checked against a preset list of authorized commands, and every command is logged to a central facility. Only a TACACS+ server configuration (option D; 'TACAS' is a typo in the option text) delivers all three. TACACS+ separates authentication from authorization and accounting: the TACACS+ server (for example Cisco ISE or the open-source tac_plus daemon) can verify the login against an LDAP or Active Directory backend, evaluates each command the administrator types against a per-group command set and returns PASS or FAIL before the device executes it, and records each command in its accounting log. RADIUS, by contrast, bundles authentication and authorization into one exchange and has no per-command authorization, which is why TACACS+ is the usual choice for device administration.
Common mistakes.
- A. 'LDAP server 10.55.199.3' points the device at an LDAP server, which can satisfy the authentication requirement on its own. LDAP has no mechanism for per-command authorization and no accounting, so two of the three requirements go unmet.
- B. 'CN=company, CN=com, OU=netadmin, DC=192.32.10.233' is a distinguished name, not a configuration command. A DN only names an entry (or a bind identity) in a directory; it enforces nothing by itself. It is also not a well-formed Active Directory DN: the domain company.com is written DC=company,DC=com, and an IP address is not a domain component.
- C. 'SYSLOG SERVER 172.16.23.50' satisfies only the central logging requirement and provides neither authentication nor command authorization.
Concept tested. Centralized device administration with TACACS+: LDAP-backed authentication, per-command authorization, and command accounting.
Reference. RFC 8907, The TACACS+ Protocol: https://www.rfc-editor.org/rfc/rfc8907 ; Microsoft, Distinguished Names (for why option B is not a valid DN): https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ldap/distinguished-names
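The per-command authorization that makes option D the answer is a real protocol exchange, and the following added example (not part of the original page or of any TACACS+ product) shows it end to end in Python: the device builds an RFC 8907 authorization REQUEST carrying the Cisco-style service=shell, cmd and cmd-arg attributes, obfuscates the body with the shared secret as section 4.5 of the RFC specifies, and a minimal server decides PASS_ADD or FAIL against a per-group command allowlist before the device executes anything. The user directory standing in for LDAP group membership, the allowlist, the shared secret and the constant values are constructed for the example.

```python
"""Minimal TACACS+ (RFC 8907) authorization exchange for per-command control.
Constructed example: the directory, allowlist and secret are local stand-ins."""
import hashlib
import os
import re
import struct

TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_AUTHOR = 0x02             # packet type: authorization
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length

# Constructed stand-ins for LDAP group membership and for the per-group
# command set a TACACS+ server (tac_plus, Cisco ISE, ...) would hold.
DIRECTORY = {"alice": "netadmin"}
COMMAND_ALLOWLIST = {
    "netadmin": [r"show (version|ip route|running-config)", r"ping \S+", r"exit"],
}


def obfuscate(body, session_id, key, version, seq_no):
    """RFC 8907 section 4.5: XOR the body with an MD5 chain keyed by the shared
    secret and header fields. Symmetric, so one function hides and reveals."""
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key):
    header = HEADER.pack(TAC_PLUS_VERSION, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_packet(raw, key):
    version, ptype, seq_no, _flags, session_id, length = HEADER.unpack(raw[:HEADER.size])
    body = obfuscate(raw[HEADER.size:HEADER.size + length], session_id, key, version, seq_no)
    return ptype, seq_no, session_id, body


def author_request(user, port, rem_addr, args, session_id, key):
    """Authorization REQUEST body (RFC 8907 section 6.1): fixed fields, one
    length byte per argument, then user, port, rem_addr and the arguments."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    args_b = [a.encode() for a in args]
    body = bytes([0x06,            # authen_method: TACACSPLUS
                  15,              # priv_lvl
                  0x01,            # authen_type: ASCII
                  0x01,            # authen_service: LOGIN
                  len(user_b), len(port_b), len(rem_b), len(args_b)])
    body += bytes(len(a) for a in args_b) + user_b + port_b + rem_b + b"".join(args_b)
    return build_packet(TAC_PLUS_AUTHOR, 1, session_id, body, key)


def server_handle(raw, key):
    """Server side: unpack the request, rebuild the command from the cmd and
    cmd-arg attributes, decide against the allowlist, send a REPLY."""
    _ptype, seq_no, session_id, body = parse_packet(raw, key)
    ul, pl, rl, argc = body[4:8]
    pos = 8 + argc
    user = body[pos:pos + ul].decode()
    pos += ul + pl + rl                     # skip port and rem_addr
    args = []
    for n in body[8:8 + argc]:
        args.append(body[pos:pos + n].decode())
        pos += n
    words = []
    for a in args:                          # only mandatory 'attr=value' args here
        attr, _, value = a.partition("=")
        if attr in ("cmd", "cmd-arg") and value != "<cr>":
            words.append(value)
    command = " ".join(words)
    patterns = COMMAND_ALLOWLIST.get(DIRECTORY.get(user, ""), [])
    allowed = any(re.fullmatch(p, command) for p in patterns)  # anchored match
    status = TAC_PLUS_AUTHOR_STATUS_PASS_ADD if allowed else TAC_PLUS_AUTHOR_STATUS_FAIL
    msg = b"" if allowed else b"command not in authorized list"
    # REPLY: status, arg_cnt, server_msg_len, data_len, server_msg (no args back)
    reply = struct.pack("!BBHH", status, 0, len(msg), 0) + msg
    return build_packet(TAC_PLUS_AUTHOR, seq_no + 1, session_id, reply, key)


def authorize(user, command, key=b"constructed-shared-secret"):
    """Device side: ask the server whether user may run command.
    Returns (allowed, server_msg)."""
    session_id = int.from_bytes(os.urandom(4), "big")
    words = command.split()
    args = ["service=shell", "cmd=" + words[0]]
    args += ["cmd-arg=" + w for w in words[1:]] + ["cmd-arg=<cr>"]
    request = author_request(user, "tty1", "10.0.0.5", args, session_id, key)
    reply = server_handle(request, key)
    _ptype, _seq, sid, body = parse_packet(reply, key)
    assert sid == session_id, "reply belongs to a different session"
    status, argc, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    server_msg = body[6 + argc:6 + argc + msg_len].decode()
    return status == TAC_PLUS_AUTHOR_STATUS_PASS_ADD, server_msg
```

Calling authorize("alice", "show running-config") returns (True, "") while authorize("alice", "configure terminal") returns (False, "command not in authorized list"), and an unknown user is refused everything. Two details matter in practice: the allowlist is matched with re.fullmatch, so a pattern for "show running-config" does not also admit "show running-config | redirect ..." unless written to; and the section 4.5 obfuscation is a keyed MD5 XOR stream, not encryption, so the RFC's own advice to run TACACS+ only over a protected management network (or TLS where the implementation supports it) still applies. Accounting uses the same header with type 0x03 and is what satisfies the logging requirement.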