Question:
Acme is a small shipping company that has an existing enterprise network
comprised of two switches, DSW1 and ASW1. The topology diagram indicates
their layer 2 mapping. VLAN 40 is a new VLAN that will be used to provide the
shipping personnel access to the server. For security reasons, it is necessary
to restrict access to VLAN 20 in the following manner:
– Users connecting to ASW1's port must be authenticated before they are given
access to the network. Authentication is to be done via a RADIUS server:
– RADIUS server host: 172.120.39.46
– RADIUS key: rad123
– Authentication should be implemented as close to the host device as possible.
– Devices on VLAN 20 are restricted to the address range 172.120.40.0/24.
– Packets from devices in the address range 172.120.40.0/24 should be
passed on VLAN 20.
– Packets from devices in any other address range should be dropped on
VLAN 20.
– Filtering should be implemented as close to the server farm as possible.
The RADIUS server and application servers will be installed at a future date.
You have been tasked with implementing the above access control as a
pre-condition to installing the servers. You must use the available IOS switch
features.
Answer and Explanation:
1) Configure ASW1 (802.1X on the access port, closest to the host):
ASW1>enable
ASW1#configure terminal
ASW1(config)#aaa new-model
ASW1(config)#aaa authentication dot1x default group radius
ASW1(config)#radius-server host 172.120.39.46 key rad123
ASW1(config)#dot1x system-auth-control
ASW1(config)#interface fastEthernet 0/1
ASW1(config-if)#switchport mode access
ASW1(config-if)#dot1x port-control auto
ASW1(config-if)#end
ASW1#copy running-config startup-config
2) Configure DSW1 (VACL on VLAN 20, closest to the server farm):
DSW1>enable
DSW1#configure terminal
DSW1(config)#aaa new-model
Define an access-list matching the permitted source range:
DSW1(config)#ip access-list standard 10
DSW1(config-std-nacl)#permit 172.120.40.0 0.0.0.255
DSW1(config-std-nacl)#exit
Define an access-map that uses the access-list above (sequence 10 forwards matches, sequence 20 drops everything else):
DSW1(config)#vlan access-map MYACCMAP 10
DSW1(config-access-map)#match ip address 10
DSW1(config-access-map)#action forward
DSW1(config-access-map)#exit
DSW1(config)#vlan access-map MYACCMAP 20
DSW1(config-access-map)#action drop
DSW1(config-access-map)#exit
Apply the access-map to the VLAN:
DSW1(config)#vlan filter MYACCMAP vlan-list 20
DSW1(config)#end
DSW1#copy running-config startup-config
Port f0/1 must be up. When enabling dot1x, an improper command abbreviation produces an error; do not assume it is a system bug.
Configure with the full command, or adjust the abbreviation to a length the system accepts. The pacl must be applied to VLAN 20.
I have two doubts about this question:
First, in the answer DSW1 enables aaa new-model. This needs to be done on ASW1; is doing it on DSW1 redundant?
Second, F0/1 on DSW1 needs dot1x authentication enabled; isn't the command dot1x pae authenticator missing?
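The VACL part of the DSW1 answer decides per packet whether the source sits inside 172.120.40.0/24. As an added example (not from the original post or from Cisco), this Python model parses that fragment and reproduces the match logic: IOS wildcard masks, the implicit deny at the end of the ACL, and the implicit drop at the end of a VLAN access-map. It assumes the constructed config fragment embedded below and parses only the command forms the answer uses.

```python
import ipaddress
import re
# Constructed IOS fragment mirroring the DSW1 answer above (not a capture from a real switch).
DSW1_CONFIG = """
ip access-list standard 10
 permit 172.120.40.0 0.0.0.255
vlan access-map MYACCMAP 10
 match ip address 10
 action forward
vlan access-map MYACCMAP 20
 action drop
vlan filter MYACCMAP vlan-list 20
"""

def parse_config(text):
    """Parse ACLs, access-maps and vlan filters; a map entry without a match clause matches all packets and defaults to forward."""
    acls, maps, filters, ctx = {}, {}, {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := re.match(r"ip access-list standard (\S+)", line):
            ctx = ("acl", m[1]); acls.setdefault(m[1], [])
        elif m := re.match(r"vlan access-map (\S+) (\d+)", line):
            ctx = ("map", m[1], int(m[2]))
            maps.setdefault(m[1], {})[int(m[2])] = {"match": None, "action": "forward"}
        elif m := re.match(r"vlan filter (\S+) vlan-list (\d+)", line):
            filters[int(m[2])] = m[1]
        elif ctx and ctx[0] == "acl" and (m := re.match(r"(permit|deny) (\S+) (\S+)", line)):
            acls[ctx[1]].append((m[1], int(ipaddress.ip_address(m[2])), int(ipaddress.ip_address(m[3]))))
        elif ctx and ctx[0] == "map" and (m := re.match(r"match ip address (\S+)", line)):
            maps[ctx[1]][ctx[2]]["match"] = m[1]
        elif ctx and ctx[0] == "map" and (m := re.match(r"action (forward|drop)", line)):
            maps[ctx[1]][ctx[2]]["action"] = m[1]
    return acls, maps, filters

def acl_permits(acl, src):
    """IOS wildcard mask: a 0 bit must match, a 1 bit is don't-care; implicit deny at the end."""
    src = int(ipaddress.ip_address(src))
    for action, net, wild in acl:
        if (src | wild) == (net | wild):
            return action == "permit"
    return False

def vacl_decision(cfg, vlan, src):
    """Return 'forward' or 'drop' for a packet with source src seen on the given VLAN."""
    acls, maps, filters = cfg
    if vlan not in filters:
        return "forward"  # no vlan filter applied: the VLAN is not filtered at all
    for _seq, entry in sorted(maps[filters[vlan]].items()):
        if entry["match"] is None or acl_permits(acls[entry["match"]], src):
            return entry["action"]
    return "drop"  # no sequence matched: VACL implicit drop
```

Running `vacl_decision(parse_config(DSW1_CONFIG), 20, "172.120.39.46")` returns "drop", which is exactly why the RADIUS server must not be placed on VLAN 20 unless the ACL is widened.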