This section focuses on how users and administrators access the network devices securely, using strong authentication methods and encrypted management protocols.
If someone gains unauthorized access to your router or switch CLI (Command Line Interface), they can steal information, disrupt routing, or lock out admins. Hence, encrypted and controlled access is a must.
| Protocol | Use | Secure? | Notes |
|---|---|---|---|
| SSH | CLI access | Y | Replaces Telnet (encrypted) |
| HTTPS | GUI/web access | Y | Replaces HTTP |
| SNMPv3 | Monitoring | Y | Authenticated and encrypted only in authPriv mode (noAuthNoPriv and authNoPriv still send data in the clear) |
| Telnet / HTTP / SNMPv1-2c | Legacy cleartext management | N | Credentials and community strings cross the wire in the clear; lab/testing only |
hostname Router1
ip domain-name example.com
! RSA key pair for the SSH server; use at least 2048 bits
crypto key generate rsa modulus 2048
ip ssh version 2
! Local admin; 'secret' stores a hash, not the cleartext (replace this placeholder password)
username admin privilege 15 secret cisco123
line vty 0 4
 transport input ssh
 login local
This sets up:
SSH only on the vty lines (Telnet is disabled because transport input lists only ssh)
A local admin user at privilege 15 (full access), checked by login local
An RSA key pair for the SSH server
AAA provides centralized access control for who can log in, what they can do, and how those actions are tracked.
| Component | Function |
|---|---|
| Authentication | Verifies user identity (e.g., username/password) |
| Authorization | Determines what the user can access (e.g., CLI commands) |
| Accounting | Logs what the user did and when |
| Server | Transport | Confidentiality | Typical use |
|---|---|---|---|
| TACACS+ | TCP/49 | Obfuscates the entire packet body (MD5-based pad, not true encryption); Cisco-developed, documented in RFC 8907 | Device administration: per-command authorization and full command accounting |
| RADIUS | UDP/1812 (auth), 1813 (acct) | Hides only the User-Password attribute (MD5-based); User-Name and every other attribute travel in the clear | Network access (802.1X, VPN); authentication and authorization arrive in one reply |
Most enterprise environments integrate AAA with:
Cisco ISE (Identity Services Engine)
Microsoft Active Directory (via LDAP or RADIUS)
aaa new-model
! Try TACACS+ first; 'local' is used only when no server answers, not when a server rejects the login
aaa authentication login default group tacacs+ local
! Let the server decide the EXEC privilege level too, with the same local fallback
aaa authorization exec default group tacacs+ local
tacacs-server host 10.10.10.1 key cisco123
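The table above says RADIUS hides only the password while TACACS+ covers the whole body. The following is an added example, not code from the original notes and not Cisco code: it implements the RFC 2865 User-Password hiding, builds a minimal Access-Request, and applies the RFC 8907 TACACS+ body obfuscation so the difference can be seen on the wire. The username, password, NAS address and the TACACS+ body bytes are constructed for the demo; the shared secret is the placeholder from the config above.

```python
"""RADIUS password hiding vs TACACS+ body obfuscation (added example)."""
import hashlib
import os
import struct


# --- RADIUS (RFC 2865 section 5.2) -------------------------------------------
def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to a 16-byte multiple, then XOR each block with MD5(secret || previous block);
    the first 'previous block' is the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ q for p, q in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def radius_unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password; the pad chain is driven by the hidden blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(p ^ q for p, q in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def radius_access_request(ident: int, secret: bytes, authenticator: bytes,
                          username: bytes, password: bytes, nas_ip: str) -> bytes:
    """Code 1 (Access-Request) carrying User-Name(1), User-Password(2), NAS-IP-Address(4)."""
    def avp(attr_type: int, value: bytes) -> bytes:
        return struct.pack("!BB", attr_type, len(value) + 2) + value
    attrs = (avp(1, username)
             + avp(2, radius_hide_password(password, secret, authenticator))
             + avp(4, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs


def radius_attrs(packet: bytes) -> dict:
    """Parse the attribute TLVs that follow the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


# --- TACACS+ (RFC 8907 section 4.5) ------------------------------------------
def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """pad_1 = MD5(session_id || key || version || seq_no); pad_n = MD5(same || pad_n-1)."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body: bytes, session_id: int, key: bytes,
                     version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR the entire packet body with the pad; calling it again reverses it."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(p ^ q for p, q in zip(body, pad))


def demo() -> dict:
    secret, user, password = b"cisco123", b"admin", b"S3cret!pw"   # constructed demo values
    authenticator = os.urandom(16)                                   # Request Authenticator
    pkt = radius_access_request(7, secret, authenticator, user, password, "10.10.10.2")
    hidden = radius_attrs(pkt)[2]
    body = b"authen START user=admin pass=S3cret!pw"   # constructed stand-in for a real START body
    obf = tacacs_obfuscate(body, 0x1234ABCD, secret)
    return {
        "radius_username_in_clear": user in pkt,
        "radius_password_in_clear": password in pkt,
        "radius_recovered_with_secret": radius_unhide_password(hidden, secret, authenticator),
        "radius_recovered_with_wrong_secret": radius_unhide_password(hidden, b"wrong", authenticator),
        "tacacs_username_in_clear": user in obf,
        "tacacs_roundtrip": tacacs_obfuscate(obf, 0x1234ABCD, secret),
    }
```

Both schemes depend on MD5 and on the shared secret alone, which is why either protocol should be confined to a management network or tunneled (RADIUS over TLS, RFC 6614) rather than trusted across untrusted segments.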
| Method | What it Secures | Tool |
|---|---|---|
| SSH | CLI access | crypto key, line vty |
| HTTPS | GUI | ip http secure-server |
| AAA | User control | aaa new-model, TACACS+/RADIUS |
| SNMPv3 | Monitoring | Encrypted SNMP management |
Port-based access control ensures that only authorized devices can connect to your network — typically enforced at the switch port level. It’s a fundamental defense against unauthorized access.
802.1X is a standard for controlling access to network ports, especially used in enterprise environments for wired and wireless LANs.
| Role | Description |
|---|---|
| Supplicant | The device trying to connect (e.g., laptop) |
| Authenticator | The network device controlling the port (e.g., switch or access point) |
| Authentication Server | Typically Cisco ISE or a RADIUS server |
Supplicant connects to a switch port.
The switch (authenticator) blocks all traffic except EAPOL (802.1X) frames.
The switch relays the supplicant's EAP exchange to the RADIUS server inside RADIUS attributes; the switch itself never sees the credentials.
If the server returns Access-Accept:
Port opens
Optional VLAN or ACL is dynamically applied (carried as attributes in the Accept)
If the server returns Access-Reject, or no supplicant ever answers:
Port remains blocked
Or a fallback method (MAB, WebAuth) is tried
| Method | Description |
|---|---|
| MAB (MAC Authentication Bypass) | Uses the device’s MAC address for authentication |
| WebAuth (Captive Portal) | Redirects user to a login page via web browser |
! Global prerequisites not shown in the original snippet: AAA, a dot1x method list and 802.1X itself (plus a radius server definition)
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
interface FastEthernet0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
DHCP Snooping prevents rogue DHCP servers from assigning IP addresses — a common attack vector used to redirect traffic or cause DoS.
Switch trusts only certain ports (e.g., uplink to real DHCP server)
Untrusted ports are blocked from sending DHCP offers
Builds a binding table of MAC-IP assignments
ip dhcp snooping
ip dhcp snooping vlan 10
! Uplink toward the real DHCP server: only trusted ports may source OFFER/ACK/NAK
interface GigabitEthernet0/1
 ip dhcp snooping trust
! If the DHCP server or relay rejects packets carrying Option 82 (inserted by default), disable it:
! no ip dhcp snooping information option
| MAC Address | IP Address | VLAN | Interface |
|---|---|---|---|
| 00:11:22:33:44:55 | 192.168.10.100 | 10 | Gi0/2 |
This table feeds into other Layer 2 security tools like:
DAI (Dynamic ARP Inspection)
IP Source Guard
| Feature | Use Case | Benefit |
|---|---|---|
| 802.1X | User/device authentication | Dynamic access control |
| MAB | Device without 802.1X client | MAC-based access control |
| WebAuth | Guest/temporary access | Web-based authentication |
| DHCP Snooping | Prevent rogue DHCP servers | Builds trusted DHCP mappings |
This section covers the mechanisms used to filter traffic and logically separate devices in a network for security, performance, and compliance.
An ACL is a list of permit or deny statements that control which traffic is allowed through a device interface — based on IP addresses, protocols, and ports.
| ACL Type | Filters On | Usage |
|---|---|---|
| Standard ACL | Source IP only | Simple filtering (near destination) |
| Extended ACL | Source + destination IP, protocol, port | More precise control (placed near source) |
! Standard ACL: matches the source address only; anything not permitted hits the implicit deny
access-list 10 permit 192.168.1.0 0.0.0.255
interface GigabitEthernet0/1
 ip access-group 10 in
Permits packets sourced from 192.168.1.0/24 as they enter Gi0/1; every other inbound packet is dropped by the implicit deny any at the end of the list.
! Extended ACL: source, destination, protocol and port; 'eq 80' here is the destination port
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80
interface GigabitEthernet0/1
 ip access-group 100 in
Permits only TCP port 80 from 192.168.1.0/24. Because of the implicit deny, this also drops DNS, HTTPS and everything else from that subnet, so a real policy needs further permit lines.
Standard ACL: place close to destination
Extended ACL: place close to source
Use named ACLs for clarity and management; they can be edited by sequence number instead of re-entering the whole list
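How a Cisco-style ACL actually decides, shown as an added example (not from the original notes, not Cisco code): the wildcard-mask comparison, first-match evaluation and the implicit deny at the end. It parses the two numbered ACLs shown above plus one constructed UDP line (the 10.10.10.53 DNS server is made up), then evaluates constructed packets. Only the eq operator is modelled.

```python
"""Cisco-style IPv4 ACL evaluation (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "domain": 53, "bgp": 179}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmp", ...
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches any protocol
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int
    sport: Optional[int]
    dport: Optional[int]


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def wildcard_match(addr: int, net: int, wild: int) -> bool:
    """A wildcard bit of 1 means 'do not care'; only the 0 bits are compared."""
    care = ~wild & 0xFFFFFFFF
    return addr & care == net & care


def _take_addr(tokens: list) -> tuple:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' from the token list."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return _addr(tokens[1]), 0, tokens[2:]
    return _addr(tokens[0]), _addr(tokens[1]), tokens[2:]


def _take_port(tokens: list) -> tuple:
    """Consume an optional 'eq PORT' operator (gt/lt/range are not modelled)."""
    if tokens[:1] != ["eq"]:
        return None, tokens
    port = int(tokens[1]) if tokens[1].isdigit() else PORT_NAMES[tokens[1]]
    return port, tokens[2:]


def parse_acls(config: str) -> dict:
    """Return {acl_number: [Entry, ...]} from numbered 'access-list' lines."""
    acls: dict = {}
    for line in config.splitlines():
        m = re.match(r"\s*access-list\s+(\d+)\s+(permit|deny)\s+(.+)", line)
        if not m:
            continue
        number, action, tokens = m.group(1), m.group(2), m.group(3).split()
        if 1 <= int(number) <= 99 or 1300 <= int(number) <= 1999:   # standard ACL
            if len(tokens) == 1 and tokens[0] != "any":
                tokens = ["host", tokens[0]]      # a bare address means a single host
            src_net, src_wild, _ = _take_addr(tokens)
            entry = Entry(action, "ip", src_net, src_wild, 0, 0xFFFFFFFF, None, None)
        else:                                                           # extended ACL
            proto, tokens = tokens[0], tokens[1:]
            src_net, src_wild, tokens = _take_addr(tokens)
            sport, tokens = _take_port(tokens)
            dst_net, dst_wild, tokens = _take_addr(tokens)
            dport, tokens = _take_port(tokens)
            entry = Entry(action, proto, src_net, src_wild, dst_net, dst_wild, sport, dport)
        acls.setdefault(number, []).append(entry)
    return acls


def evaluate(entries: list, pkt: Packet) -> tuple:
    """First matching entry wins: returns (action, index). Index None is the implicit deny."""
    src, dst = _addr(pkt.src), _addr(pkt.dst)
    for i, e in enumerate(entries):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not wildcard_match(src, e.src_net, e.src_wild) or not wildcard_match(dst, e.dst_net, e.dst_wild):
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, i
    return "deny", None


SAMPLE_CONFIG = """
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 100 permit udp 192.168.1.0 0.0.0.255 host 10.10.10.53 eq domain
"""   # the udp line and 10.10.10.53 are constructed additions


def demo() -> dict:
    acls = parse_acls(SAMPLE_CONFIG)
    cases = {
        "lan host to web (acl 100)":      (acls["100"], Packet("192.168.1.10", "203.0.113.5", "tcp", 51000, 80)),
        "lan host to https (acl 100)":    (acls["100"], Packet("192.168.1.10", "203.0.113.5", "tcp", 51001, 443)),
        "lan host to dns (acl 100)":      (acls["100"], Packet("192.168.1.10", "10.10.10.53", "udp", 51002, 53)),
        "outside source (acl 10)":        (acls["10"],  Packet("10.0.0.7", "192.168.1.1", "tcp", 4000, 22)),
        "lan source, any proto (acl 10)": (acls["10"],  Packet("192.168.1.250", "203.0.113.9", "icmp")),
    }
    return {name: evaluate(entries, pkt)[0] for name, (entries, pkt) in cases.items()}
```

The https case is the one to notice: nothing in ACL 100 mentions port 443, so the packet falls through to the implicit deny, which is exactly what the placement note above warns about.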
A VLAN (Virtual LAN) segments a switch into multiple broadcast domains, allowing you to:
Isolate traffic by department (e.g., HR, Finance, Sales)
Apply different security policies
Reduce broadcast traffic
vlan 10
name HR
!
interface FastEthernet0/1
switchport mode access
switchport access vlan 10
PVLANs offer micro-segmentation within a single VLAN — ideal for shared environments like data centers.
| Type | Description |
|---|---|
| Primary VLAN | The outer VLAN that carries the secondary (isolated and community) VLANs |
| Promiscuous port | Can talk to every port in the primary VLAN; typically the gateway, router or firewall port |
| Isolated | Can talk only to promiscuous ports; isolated hosts cannot reach each other |
| Community | Can talk to other ports in the same community and to promiscuous ports |
| Feature | Purpose | Benefits |
|---|---|---|
| Standard ACL | Simple traffic filtering | Basic security control |
| Extended ACL | Filter by IP, protocol, port | Granular control |
| VLAN | Logical separation | Traffic isolation |
| PVLAN | Micro-segmentation | Secure multi-tenant environments |
This section focuses on protecting the network device itself — especially the control plane, CPU, and switch behavior. These protections prevent DoS attacks, rogue behavior, and misconfigurations.
The control plane handles protocol-level communications like:
Routing updates (OSPF, BGP)
Management traffic (SSH, SNMP)
ARP, STP, CDP
If the control plane is overwhelmed, the device stops processing traffic properly.
CoPP protects the control plane by:
Filtering specific traffic types
Rate-limiting traffic to prevent overload (e.g., DoS attack)
class-map match-any CONTROL_PLANE
 match protocol bgp
 match protocol ospf
policy-map CONTROL_PROTECT
 class CONTROL_PLANE
  ! Rate is in bits per second; 32000 is a placeholder. Size it from a measured baseline,
  ! because policing legitimate routing updates too tightly drops adjacencies
  police 32000 conform-action transmit exceed-action drop
! Applies to traffic punted to the CPU, not to transit traffic
control-plane
 service-policy input CONTROL_PROTECT
Storm control prevents broadcast, multicast, or unknown unicast traffic storms that can flood a switch and cause it to crash or freeze.
interface GigabitEthernet0/1
 ! Drop broadcast frames once they exceed 10% of link bandwidth (default action is to drop, not to shut the port)
 storm-control broadcast level 10.00
Limits broadcast traffic to 10% of the link bandwidth; frames above the threshold are dropped until the rate falls below it.
A single infected or misconfigured device can flood the LAN, overwhelming all switches and degrading performance for all users.
These features protect Spanning Tree Protocol (STP) behavior.
Shuts down a port if it receives a BPDU.
Used on access ports (connected to PCs), where BPDUs should not be seen.
Prevents rogue switches from affecting STP.
interface FastEthernet0/10
 ! Edge port: bring it up immediately, and err-disable it if a BPDU ever arrives
 spanning-tree portfast
 spanning-tree bpduguard enable
Puts a port into the root-inconsistent (blocking) state if it receives a superior BPDU, so no switch behind that port can become the root bridge.
Used on ports facing other switches where a new root must never be elected (e.g., toward access-layer or third-party switches).
Keeps the topology stable by enforcing where the root may live; the port recovers on its own once the superior BPDUs stop.
interface FastEthernet0/12
 ! Block the port (root-inconsistent) while superior BPDUs arrive; it recovers automatically when they stop
 spanning-tree guard root
| Feature | Protects | Example |
|---|---|---|
| CoPP | Control plane (CPU) | Limits protocol traffic |
| Storm Control | Broadcast/multicast storms | Set bandwidth threshold |
| BPDU Guard | STP integrity on edge ports | Shuts port on rogue BPDU |
| Root Guard | STP topology control | Prevents STP changes |
Wireless networks introduce unique vulnerabilities due to their open-air nature. This section focuses on securing wireless access with encryption, authentication, and rogue detection.
Encryption ensures that data transmitted over Wi-Fi cannot be easily intercepted or read by unauthorized users.
| Protocol | Security Level | Use Case |
|---|---|---|
| WPA2-PSK (CCMP/AES) | Adequate only with a long random passphrase: the four-way handshake can be captured and the passphrase attacked offline | Personal/small business |
| WPA3-Personal (SAE) | Stronger: password-authenticated key exchange resists offline guessing and provides forward secrecy | Newer devices (IoT, home) |
| WPA2-Enterprise | Very strong: per-user credentials over 802.1X/EAP against a RADIUS server, per-session keys | Enterprise |
| WPA3-Enterprise | Highest: Protected Management Frames required, optional 192-bit (Suite B) mode | High-security environments |
PSK (Pre-Shared Key): Shared password for all users
Enterprise (802.1X): Individual credentials, dynamic encryption keys
| Method | Description |
|---|---|
| Open Authentication | No credentials — used for guest/portal networks |
| PSK | Shared key known to all clients |
| 802.1X / EAP | Centralized authentication via RADIUS |
| EAP Type | Description | Use |
|---|---|---|
| EAP-TLS | Mutual certificate authentication (client and server certificates) | Most secure; requires a PKI that issues client certificates |
| EAP-FAST | Cisco-developed (RFC 4851); tunnel built from a PAC (Protected Access Credential), password inside | Faster rollout where client certificates are impractical |
| PEAP | TLS tunnel authenticated by the server certificate, with a password method inside (usually MSCHAPv2) | Windows environments; clients must validate the server certificate, otherwise a rogue AP can harvest the MSCHAPv2 exchange |
An unauthorized access point broadcasting in your environment — could be:
A misconfigured user device
A hacker trying to lure clients
| Capability | Description |
|---|---|
| WLC Scanning | Wireless LAN Controllers scan RF channels continuously |
| Auto Containment | APs send deauthentication frames against the rogue BSSID so clients cannot stay associated; containing APs you do not own can be unlawful in some jurisdictions, so limit it to rogues confirmed on your own LAN |
| Rogue Classification | Internal (connected to LAN) vs External (not on LAN) |
WLC detects unknown AP
Checks MAC address against known devices
If internal:
Flags as critical threat
May auto-contain (deny association)
| Feature | Purpose | Benefit |
|---|---|---|
| WPA2/WPA3 | Encryption | Protects traffic from eavesdropping |
| PSK / 802.1X | Authentication | Ensures only authorized users connect |
| Rogue Detection | Monitor environment | Prevent unauthorized access points |
Layer 2 (Data Link Layer) is often overlooked, but attacks at this level can be highly disruptive. These security mechanisms are used to prevent spoofing, tampering, and MAC-based attacks in switched environments.
DAI prevents ARP spoofing/poisoning, where an attacker sends fake ARP replies to redirect traffic (e.g., for a man-in-the-middle attack).
DAI inspects all ARP packets on untrusted ports.
It checks the sender MAC/IP against the DHCP Snooping binding table.
If the info doesn’t match → ARP packet is dropped.
DHCP Snooping must be enabled (to build the binding table).
Trusted ports bypass ARP inspection.
! DHCP snooping must already be running; DAI validates ARP on untrusted ports against its bindings
ip arp inspection vlan 10
! Uplink or trusted port: ARP is not inspected here
interface GigabitEthernet0/1
 ip arp inspection trust
! Hosts with static addresses have no binding; cover them with an ARP ACL (arp access-list) or they will be dropped
IP Source Guard drops IP packets whose source address was not assigned to that port by DHCP, a defense against IP spoofing.
Each untrusted port is restricted to the IP (and optionally MAC) bindings recorded for it by DHCP Snooping.
With ip verify source alone only the source IP is checked; adding the port-security keyword also checks the source MAC, so a host that keeps its IP but forges its MAC is caught only in that mode.
interface GigabitEthernet0/2
 ! Checks the source IP against this port's bindings; append 'port-security' to check the source MAC as well
 ip verify source
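DHCP Snooping, DAI and IP Source Guard form one trust model: server-side DHCP messages are accepted only on trusted ports, ACKs build the binding table, and ARP and IP frames on untrusted ports are checked against it. The following is an added example that simulates that switch logic over constructed frames; it is not from the original notes and not switch code. Port names, the host MAC and the addresses follow the examples above; the rogue MAC and the DHCP server MAC are constructed.

```python
"""DHCP snooping + DAI + IP Source Guard as one binding-table trust model (added example)."""
from dataclasses import dataclass, field
from typing import Optional

SERVER_MSGS = {"OFFER", "ACK", "NAK"}       # only a DHCP server sends these


@dataclass
class Switch:
    trusted: set
    pending: dict = field(default_factory=dict)    # (client mac, vlan) -> port that sent DISCOVER/REQUEST
    bindings: dict = field(default_factory=dict)   # (client mac, vlan) -> (ip, port)
    log: list = field(default_factory=list)

    def dhcp(self, port: str, vlan: int, msg: str, src_mac: str, chaddr: str,
             yiaddr: Optional[str] = None) -> bool:
        """DHCP snooping. Returns True if the message is forwarded."""
        if port not in self.trusted:
            if msg in SERVER_MSGS:                   # rogue server on an access port
                self.log.append(f"DHCP_SNOOPING: dropped {msg} from untrusted {port}")
                return False
            if src_mac != chaddr:                    # 'verify mac-address' check
                self.log.append(f"DHCP_SNOOPING: {port} frame source {src_mac} != chaddr {chaddr}")
                return False
            self.pending[(chaddr, vlan)] = port      # remember where the client lives
            return True
        if msg == "ACK" and yiaddr is not None:      # lease granted: record the binding
            client_port = self.pending.pop((chaddr, vlan), None)
            if client_port is not None:
                self.bindings[(chaddr, vlan)] = (yiaddr, client_port)
        return True

    def arp(self, port: str, vlan: int, sender_mac: str, sender_ip: str) -> bool:
        """Dynamic ARP Inspection: sender MAC/IP must match a binding in this VLAN."""
        if port in self.trusted:
            return True
        bound = self.bindings.get((sender_mac, vlan))
        if bound is None or bound[0] != sender_ip:
            self.log.append(f"ARP_INSPECTION: dropped ARP on {port}: {sender_mac}/{sender_ip}")
            return False
        return True

    def ip_frame(self, port: str, vlan: int, src_mac: str, src_ip: str,
                 check_mac: bool = False) -> bool:
        """IP Source Guard: 'ip verify source' checks the source IP against this port's
        bindings; check_mac models the 'port-security' keyword that adds the MAC check."""
        if port in self.trusted:
            return True
        for (mac, v), (ip, p) in self.bindings.items():
            if p == port and v == vlan and ip == src_ip and (not check_mac or mac == src_mac):
                return True
        self.log.append(f"IP_SOURCE_GUARD: dropped {src_ip}/{src_mac} on {port}")
        return False


def demo() -> dict:
    sw = Switch(trusted={"Gi0/1"})                       # uplink toward the real DHCP server
    host, rogue, server = "0011.2233.4455", "aaaa.bbbb.cccc", "0050.56aa.bbcc"   # last two constructed
    sw.dhcp("Gi0/2", 10, "REQUEST", src_mac=host, chaddr=host)
    r = {}
    r["ack on trusted uplink"] = sw.dhcp("Gi0/1", 10, "ACK", server, host, yiaddr="192.168.10.100")
    r["rogue offer on access port"] = sw.dhcp("Gi0/3", 10, "OFFER", rogue, host, yiaddr="192.168.10.200")
    r["host arp"] = sw.arp("Gi0/2", 10, host, "192.168.10.100")
    r["spoofed gateway arp"] = sw.arp("Gi0/3", 10, rogue, "192.168.10.1")
    r["host ip frame"] = sw.ip_frame("Gi0/2", 10, host, "192.168.10.100")
    r["spoofed source ip"] = sw.ip_frame("Gi0/2", 10, host, "192.168.10.50")
    r["spoofed mac, ip-only check"] = sw.ip_frame("Gi0/2", 10, rogue, "192.168.10.100")
    r["spoofed mac, ip+mac check"] = sw.ip_frame("Gi0/2", 10, rogue, "192.168.10.100", check_mac=True)
    r["binding"] = sw.bindings.get((host, 10))
    return r
```

The last two results show the nuance from the text: with IP-only checking a forged MAC still passes, which is why the port-security variant exists, and why none of this protects hosts that never went through DHCP.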
Limits which devices (MAC addresses) can connect to a switch port — excellent for edge ports in offices and labs.
| Setting | Behavior |
|---|---|
| Maximum MACs | How many MACs are allowed |
| Sticky MACs | Automatically learn and save MACs in config |
| Violation Actions | What happens when a violation occurs |
| Mode | Action |
|---|---|
| Protect | Drops frames from unknown MACs silently; no log and no counter, so violations are invisible |
| Restrict | Drops frames, sends a syslog/SNMP notification and increments the violation counter; the port stays up |
| Shutdown | Puts the port into err-disable state (the default); needs manual or errdisable-recovery re-enabling |
interface FastEthernet0/10
 switchport mode access
 switchport port-security
 ! One MAC allowed; a second MAC is dropped and logged (restrict) instead of err-disabling the port
 switchport port-security maximum 1
 switchport port-security violation restrict
 ! Learn the first MAC seen and write it into the running config (save it to keep it across reloads)
 switchport port-security mac-address sticky
| Feature | Protects Against | Depends On |
|---|---|---|
| DAI | ARP spoofing | DHCP Snooping |
| IP Source Guard | IP address spoofing | DHCP Snooping |
| Port Security | MAC flooding, rogue devices | None (independent) |
This section covers how network access can be controlled based on user identity, device compliance, and role-based access, rather than just IP/MAC. This enables context-aware security and tighter access policies.
Cisco ISE is a centralized security policy platform that:
Authenticates users and devices
Enforces access control
Performs posture assessment (e.g., is antivirus up-to-date?)
Integrates with other security tools (firewalls, endpoint agents, DNA Center)
| Feature | Function |
|---|---|
| 802.1X Auth | Validates user/device credentials |
| Guest Access | Captive portal for visitors |
| Posture Validation | Checks device health (AV, patches) |
| Profiling | Identifies device type (e.g., printer, phone, PC) |
| Policy Enforcement | Dynamic VLANs, ACLs, SGTs |
Cisco ISE integrates with:
Active Directory / LDAP
DNA Center (for SD-Access)
ASA Firewalls (for TrustSec)
AnyConnect agents on endpoints
You can create policies like:
“If the user is in the HR group and passed posture check, assign VLAN 10 and full access.”
Or
“If the device is a personal laptop (BYOD), assign VLAN 50 with restricted internet-only access.”
Cisco TrustSec is a scalable method of network segmentation based on Security Group Tags (SGTs) — instead of relying only on VLANs and ACLs.
| Term | Description |
|---|---|
| SGT (Security Group Tag) | Metadata attached to traffic (e.g., “HR”, “Contractor”) |
| SGACL (Security Group ACL) | Access rules applied between groups |
| Role-Based Access | Define policies by roles, not IPs |
HR PCs get SGT = 10
Finance PCs get SGT = 20
You then create a policy:
“SGT 10 can access the payroll app, SGT 20 cannot.”
This allows you to control access without complex ACLs or IP changes.
SGTs are assigned and enforced:
Inline in the data plane (routers, switches and firewalls apply SGACLs to tagged traffic)
Transported across the network by TrustSec-capable devices (inline tagging, or SXP where the path cannot carry tags)
DNA Center can manage and distribute these policies
| Feature | Function | Tool |
|---|---|---|
| Cisco ISE | Centralized authentication and policy | Supports 802.1X, posture, profiling |
| TrustSec | Role-based segmentation | Uses SGTs and SGACLs |
| DNA Center | Manages ISE integration and policy orchestration | SD-Access, automation |
This section focuses on protecting network infrastructure devices (routers, switches, firewalls) from unauthorized access, control plane attacks, and brute-force attempts. These tools are essential for hardened, secure operation in enterprise environments.
CPPr is a refined version of CoPP (Control Plane Policing). While CoPP applies policy to all control-plane traffic, CPPr allows you to apply granular policies to subinterfaces of the control plane.
| Subinterface | Purpose |
|---|---|
| Host | For traffic destined to the router itself (e.g., SSH, SNMP) |
| Transit | For routing traffic passing through (e.g., OSPF/BGP updates) |
| CEF-exception | Non-routable exceptions like TTL expired, unreachable |
You can rate-limit SSH traffic only, while leaving OSPF updates untouched — this gives fine-tuned control to prevent CPU overuse.
! CPPr attaches the policy to the 'host' subinterface, not to 'control-plane' alone
control-plane host
 service-policy input CPPR-HOST
! CPPR-HOST is a policy-map that classifies traffic addressed to the device itself (e.g., SSH on TCP/22) and polices it
AutoSecure is a Cisco feature/script that applies best-practice security configurations automatically — a great baseline hardening tool.
| Action | Description |
|---|---|
| Disable unused services | No HTTP, no finger, no bootp |
| Secure management | Enables SSH, disables Telnet |
| Enables logging | Local and remote logging |
| Enforces passwords | Enables password encryption and security |
auto secure
You’ll be prompted to confirm or deny each step.
This mechanism protects against brute-force login attacks by temporarily blocking access after a number of failed attempts.
! After 3 failed logins within 60 seconds, refuse all logins for 60 seconds (quiet mode)
login block-for 60 attempts 3 within 60
| Feature | Purpose |
|---|---|
| Throttles brute-force | Slows attackers trying many passwords |
| Protects all vty lines | Global safeguard for device login |
| Works with local and AAA login | Versatile protection |
| Can lock out admins too | During quiet mode every source is refused unless a quiet-mode ACL exempts trusted management addresses; configure that ACL before enabling the feature |
| Feature | Description | Use Case |
|---|---|---|
| CPPr | Fine-tunes control plane protection | Per-subinterface policing |
| AutoSecure | Automates security hardening | Fast setup of baseline protection |
| Login Block-for | Prevents brute-force attacks | Limits login attempts |
While using encrypted protocols like SSH/HTTPS is best practice, source IP-based access restrictions provide an additional layer of protection.
! Only the management subnet may open vty (SSH) sessions; applied with access-class, not access-group
access-list 10 permit 192.168.10.0 0.0.0.255
line vty 0 4
 access-class 10 in
! Restrict the device's own HTTPS server to the management subnet.
! Do not use an interface ACL for this: one that permits only tcp/443 would drop
! every other packet entering Gi0/1 because of the implicit deny.
ip http secure-server
ip http access-class 10
NAC systems work with 802.1X to assess whether devices meet security posture requirements before granting network access.
Device connects → passes 802.1X → NAC checks:
Antivirus status
OS patch level
Domain membership
Based on compliance, NAC enforces:
Full access (e.g., VLAN 10)
Restricted access (e.g., quarantine VLAN 100)
Complete denial
This ensures only healthy, authorized endpoints access critical resources.
Used to enforce different policies during working and non-working hours.
time-range WORK_HOURS
 periodic weekdays 8:00 to 18:00
ip access-list extended TIME_FILTER
 ! This entry is active only inside the time range; outside it the implicit deny applies
 permit tcp 192.168.1.0 0.0.0.255 any eq 80 time-range WORK_HOURS
! Time-based entries depend on the device clock, so synchronise it with NTP first
! On access ports: pin the mode and disable DTP so a host cannot negotiate a trunk
switchport mode access
switchport nonegotiate
! On trunk ports: move the native VLAN to an unused ID so double-tagged frames land nowhere
switchport mode trunk
switchport trunk native vlan 999
These steps prevent VLAN hopping: disabling DTP stops a host from negotiating itself into a trunk (switch spoofing), and moving the native VLAN to an unused ID means a double-tagged frame is not untagged into a production VLAN.
Storm Control can differentiate among:
Broadcast
Multicast
Unknown unicast
interface GigabitEthernet0/1
storm-control broadcast level 5.00
storm-control multicast level 2.00
storm-control unicast level 1.00
Helps prevent denial-of-service from layer 2 traffic floods.
Values are percentages of total bandwidth.
WPA3-Personal uses SAE (Simultaneous Authentication of Equals), a password-authenticated key exchange, which offers:
Forward secrecy: each session's keys come from a fresh exchange, so a passphrase stolen later cannot decrypt sessions captured earlier.
Resistance to offline guessing: every password guess requires a live exchange with the network, so a captured handshake alone cannot be attacked.
With WPA2-PSK, by contrast, anyone who knows or guesses the passphrase and has captured the four-way handshake can derive that session's keys and decrypt the traffic.
WIPS is integrated with WLCs (Wireless LAN Controllers) to:
Detect rogue APs via RF scanning
Classify them (internal vs external)
Contain them using deauthentication packets
Monitor wireless threats in real-time
This provides enterprise-grade wireless threat defense.
Enable syslog messages for port security events:
interface FastEthernet0/1
 switchport port-security
 ! 'restrict' logs every violation (protect logs nothing; shutdown logs once and err-disables the port)
 switchport port-security violation restrict
Ensure logging is enabled:
logging buffered 4096
! Send severity 0-4 (warnings and worse) to the syslog server; port-security violations are severity 2
logging trap warnings
! Add a logging host entry for the syslog/SIEM collector, or nothing leaves the device
Sample Syslog:
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/1.
These logs can be sent to a SIEM or monitoring tool for real-time alerts.
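What a SIEM rule over these messages might do, as an added example (not from the original notes): it counts port-security violations per interface, flags ports that went err-disabled, and surfaces the login-failure bursts and quiet-mode transition produced by the login block-for feature described earlier. The syslog lines are constructed, modelled on the IOS message formats; hostnames, addresses and MACs are made up for the demo.

```python
"""Detection over Cisco IOS syslog: port security and login block-for (added example)."""
import re
from collections import Counter, defaultdict

SAMPLE_SYSLOG = """\
Jan  3 10:12:01 sw-access-01 123: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aaaa.bbbb.cccc on port FastEthernet0/1.
Jan  3 10:12:02 sw-access-01 124: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aaaa.bbbb.cccc on port FastEthernet0/1.
Jan  3 10:12:04 sw-access-01 125: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aaaa.bbbb.dddd on port FastEthernet0/1.
Jan  3 10:12:05 sw-access-01 126: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1234.5678.9abc on port FastEthernet0/7.
Jan  3 10:12:05 sw-access-01 127: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/7, putting Fa0/7 in err-disable state
Jan  3 10:15:00 rtr-edge-01 88: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 10:15:00 UTC Wed Jan 3 2024
Jan  3 10:15:01 rtr-edge-01 89: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 10:15:01 UTC Wed Jan 3 2024
Jan  3 10:15:02 rtr-edge-01 90: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 10:15:02 UTC Wed Jan 3 2024
Jan  3 10:15:02 rtr-edge-01 91: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 58 secs, [user: cisco] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 10:15:02 UTC Wed Jan 3 2024
Jan  3 10:16:10 rtr-edge-01 92: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.168.10.20] [localport: 22] at 10:16:10 UTC Wed Jan 3 2024
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \d+: "
    r"%(?P<facility>[A-Z_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<text>.*)$")
SHORT_NAMES = {"Fa": "FastEthernet", "Gi": "GigabitEthernet", "Te": "TenGigabitEthernet"}


def normalise_port(name: str) -> str:
    """Expand Fa0/7 -> FastEthernet0/7 so abbreviated and full names land on the same key."""
    m = re.match(r"([A-Za-z]+)(\d.*)", name)
    return SHORT_NAMES.get(m.group(1), m.group(1)) + m.group(2) if m else name


def parse(text: str) -> list:
    """Split syslog text into dicts of timestamp, host, facility, severity, mnemonic, text."""
    return [m.groupdict() for m in (LINE_RE.match(l) for l in text.splitlines()) if m]


def analyze(text: str, login_threshold: int = 3) -> dict:
    ports = defaultdict(lambda: {"violations": 0, "macs": set(), "err_disabled": False})
    failures_by_source = Counter()
    quiet_mode_hosts = set()
    for ev in parse(text):
        key = (ev["facility"], ev["mnemonic"])
        if key == ("PORT_SECURITY", "PSECURE_VIOLATION"):
            m = re.search(r"MAC address (\S+) on port (\S+?)\.?$", ev["text"])
            port = normalise_port(m.group(2))
            ports[port]["violations"] += 1
            ports[port]["macs"].add(m.group(1))
        elif key == ("PM", "ERR_DISABLE") and "psecure-violation" in ev["text"]:
            m = re.search(r"putting (\S+) in err-disable", ev["text"])
            ports[normalise_port(m.group(1))]["err_disabled"] = True
        elif key == ("SEC_LOGIN", "LOGIN_FAILED"):
            src = re.search(r"\[Source: ([^\]]+)\]", ev["text"]).group(1)
            failures_by_source[(ev["host"], src)] += 1
        elif key == ("SEC_LOGIN", "QUIET_MODE_ON"):
            quiet_mode_hosts.add(ev["host"])
    alerts = [f"{p}: {d['violations']} violation(s) from {sorted(d['macs'])}"
              + (" [ERR-DISABLED]" if d["err_disabled"] else "")
              for p, d in ports.items()]
    alerts += [f"{h}: {n} failed logins from {src}"
               for (h, src), n in failures_by_source.items() if n >= login_threshold]
    return {"ports": dict(ports), "failed_logins": dict(failures_by_source),
            "quiet_mode": quiet_mode_hosts, "alerts": alerts}
```

The port-name normalisation matters in practice: the violation message spells out FastEthernet0/7 while the err-disable message abbreviates it, and without the mapping the two events would never be correlated.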
Cisco ISE plays a critical role in Cisco SD-Access by:
Assigning Security Group Tags (SGTs) based on user/device identity
Enabling dynamic access control policies using TrustSec
Automating VLAN/ACL/SGACL assignments
ISE provides identity context, while SD-Access enforces segmentation and policy via the fabric.
AutoSecure provides a quick baseline security hardening:
Disables unnecessary services
Enables logging, SSH
Enforces strong passwords
auto secure
Limitation:
Not suitable for all production environments
May disable services that are legitimately required
Still requires manual review and customization
When integrated with AAA:
login block-for 60 attempts 3 within 60
Important Notes:
With local login, works as expected (blocks access after failures).
With RADIUS/TACACS+, behavior may vary depending on how the AAA server handles failures.
Some external systems may not recognize "failed login" events immediately, delaying enforcement.
How do Access Control Lists (ACLs) improve network security?
ACLs filter traffic by permitting or denying packets based on defined criteria such as IP address, protocol, or port number.
ACLs are applied to network interfaces to control which packets are allowed to enter or leave a device. Standard ACLs typically filter based on source IP addresses, while extended ACLs can evaluate multiple packet fields including destination addresses and transport layer ports. Proper placement of ACLs in the network topology is critical for effective security and performance. For example, extended ACLs are usually placed close to the traffic source to prevent unnecessary processing of unwanted traffic deeper in the network.
What occurs during the four-way handshake that follows 802.1X (or PSK) authentication?
The four-way handshake, defined in 802.11i (WPA2), derives and confirms the session encryption keys between the wireless client and the access point.
Authentication produces the Pairwise Master Key (PMK): from the 802.1X/EAP exchange in Enterprise mode, or from the passphrase and SSID in PSK mode. The AP then sends a nonce (ANonce) in message 1, the client answers with its own nonce (SNonce) in message 2, and both derive the Pairwise Transient Key (PTK) from the PMK, the two MAC addresses and the two nonces. Messages 2 and 3 carry a MIC that proves each side holds the same PTK, and message 3 also delivers the Group Temporal Key (GTK) for broadcast traffic. These keys ensure that data transmitted over the wireless network is encrypted and protected from interception. If the handshake fails, the client may have authenticated successfully but still cannot send encrypted traffic; common causes include mismatched security parameters or client driver incompatibilities.
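The handshake above and the earlier SAE note both come down to how the PTK is derived. The following is an added example (not from the original notes, not vendor code): it implements the 802.11i PMK and PTK derivations and the WPA2 EAPOL-Key MIC, then runs an offline dictionary attack against a constructed capture to show why WPA2-PSK has no forward secrecy and why the passphrase is the whole secret. The SSID, passphrase, MAC addresses, nonces and EAPOL frame bytes are constructed for the demo.

```python
"""WPA2 PMK/PTK derivation and an offline attack on a captured handshake (added example)."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK for CCMP (384 bits) = KCK(16) | KEK(16) | TK(16); inputs are ordered so both sides agree."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def eapol_mic(kck: bytes, frame_with_mic_zeroed: bytes) -> bytes:
    """WPA2 (AKM 2) MIC: HMAC-SHA1 over the EAPOL-Key frame with its MIC field zeroed, truncated to 128 bits."""
    return hmac.new(kck, frame_with_mic_zeroed, hashlib.sha1).digest()[:16]


def crack_psk(candidates, ssid, aa, spa, anonce, snonce, frame, captured_mic):
    """Offline dictionary attack: each guess is checked against the captured MIC, no AP needed."""
    for guess in candidates:
        kck = derive_ptk(pmk_from_passphrase(guess, ssid), aa, spa, anonce, snonce)["KCK"]
        if hmac.compare_digest(eapol_mic(kck, frame), captured_mic):
            return guess
    return None


def demo() -> dict:
    ssid, passphrase = "CorpGuest", "Summer2024"                  # constructed weak passphrase
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")   # constructed AP / client MACs
    anonce = hashlib.sha256(b"anonce").digest()                   # constructed fixed nonces
    snonce = hashlib.sha256(b"snonce").digest()
    frame = b"\x02\x03\x00\x5f\x02" + snonce + b"\x00" * 16       # constructed stand-in for message 2,
    # What the AP and the client each compute from the handshake...   MIC field zeroed
    ap_keys = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)
    client_keys = derive_ptk(pmk_from_passphrase(passphrase, ssid), spa, aa, snonce, anonce)
    captured_mic = eapol_mic(client_keys["KCK"], frame)           # ...and what a sniffer sees in message 2
    wordlist = ["password", "Welcome1", "Summer2024", "CorpGuest2024"]
    recovered = crack_psk(wordlist, ssid, aa, spa, anonce, snonce, frame, captured_mic)
    attacker_tk = (derive_ptk(pmk_from_passphrase(recovered, ssid), aa, spa, anonce, snonce)["TK"]
                   if recovered is not None else None)
    return {
        "both_sides_agree": ap_keys == client_keys,
        "recovered_passphrase": recovered,
        "attacker_has_session_key": attacker_tk == ap_keys["TK"],
    }
```

Everything the attacker needs besides the passphrase (both MACs, both nonces, the MIC) is transmitted in the clear, so a capture made today can be decrypted whenever the passphrase becomes known. SAE removes that property because the session key depends on an ephemeral exchange rather than on the password alone.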
What function does Control Plane Policing (CoPP) perform on Cisco devices?
CoPP protects the control plane by limiting the rate of traffic destined for the device’s CPU.
Network devices must process certain traffic directly in the control plane, such as routing protocol updates and management packets. Without protection, malicious or excessive traffic can overwhelm the CPU and disrupt routing operations. CoPP applies rate limits and filtering policies to control-plane traffic, ensuring critical protocols continue functioning even during attack conditions. Engineers sometimes apply interface ACLs expecting to protect the CPU, but an ACL can only permit or deny: it cannot rate-limit the protocol traffic it permits, so a flood of legitimate-looking OSPF or BGP packets still reaches the CPU unless CoPP polices it.
What is the key difference between 802.1X and MAC Authentication Bypass (MAB)?
802.1X uses credentials for authentication, while MAB authenticates devices based on their MAC addresses.
802.1X is a port-based authentication mechanism that requires endpoints to provide credentials through the Extensible Authentication Protocol (EAP). This method provides strong authentication and is widely used for securing enterprise access networks. MAB is typically used for devices that do not support 802.1X, such as printers or IoT devices. Instead of credentials, the device’s MAC address is used as an identity. However, MAC addresses can be spoofed, making MAB less secure. Networks often deploy MAB as a fallback when 802.1X authentication fails or is unsupported.
What is the role of AAA in Cisco network security?
AAA provides centralized authentication, authorization, and accounting for network access.
Authentication verifies a user’s identity, authorization determines what actions the user is allowed to perform, and accounting records the user’s activities for auditing purposes. Cisco devices commonly integrate AAA with external servers such as RADIUS or TACACS+. This centralization simplifies access management across large networks. A common configuration issue occurs when fallback authentication methods are not defined, which can prevent administrators from accessing devices if the AAA server becomes unreachable.