Answer: A

Q: 17 Which two things should you verify if the Cisco NAC Guest Server is configured on the network and the client cannot access the guest network? (Choose two.)
A. The controller can ping Cisco NAC Guest Server.
B. The controller can mping and eping Cisco NAC Guest Server.
C. AAA override is enabled on the guest WLAN.
D. Controllers and Cisco NAC Guest Server are in the same mobility group.

Answer: A, C

Q: 18 To assign Cisco Airespace vendor-specific attributes to a wireless client, the wireless controller needs to be defined as which type of AAA client in Cisco Secure ACS Server?
A. TACACS+
B. RADIUS (IETF)
C. RADIUS (Cisco Aironet)
D. RADIUS (Cisco Airespace)

Answer: D

Q: 19 Which two statements about EAP-FAST operation are true when the Cisco
Secure ACS is configured to support anonymous in-band PAC provisioning? (Choose two.)
A. An anonymous Diffie-Hellman TLS handshake will be used between the wireless client and the Cisco Secure ACS.
B. A digital certificate will be required on the client and on the Cisco Secure ACS.
C. EAP-MSCHAP will be used as the only inner method in phase zero to authenticate the client.
D. Cisco Secure ACS will provision the wireless client with a PAC using a TLS tunnel.
E. Cisco Secure ACS will verify the user identity by doing a binary comparison of the end-user certificate to the user certificate stored in Active Directory.

Answer: A, C

Q: 20 Which WLAN security feature enables clients to securely roam from one access point to another without the need to reauthenticate to the RADIUS server?
A. CKIP
B. TKIP
C. CCKM
D. 802.1x
E. WPA2

Answer: C

Q: 21 Which configuration option can make the shared secret between the controller and the RADIUS server more secure?
A. RFC 3576 Dynamic Authorization Extensions support
B. AES key wrap
C. IPsec
D. single connect
E. 3DES encryption

Answer: B

Q: 22 Which wireless attack can cause most client wireless adapters to lock up?
A. management frame flood
B. null probe response
C. EAPOL flood
D. RF jamming
E. disassociation flood
F. deauthentication flood

Answer: B

Q: 23 When is local EAP authentication on the controller used?
A. to authenticate the APs that act as 802.1X supplicants
B. as a backup in case the APs cannot reach the controllers
C. as a backup in case the RADIUS servers are not reachable
D. when deploying guest access using the anchor controller

Answer: C

Q: 24 What must the client have to be able to use client MFP?
A. Cisco Secure Services Client
B. diagnostic channels enabled
C. support for broadcast management frames (such as disassociation, deauthentication, or action)
D. Cisco Compatible Extensions v5 support and must use either TKIP or AES-CCMP

Answer: D

Q: 25 Which controller GUI screen can be used to check the current NAC state of a client?
A. WLANs > Edit > Advanced
B. Controller > Interfaces > Edit
C. Management > User Sessions
D. Monitor > Clients > Details
E. Security > AAA > Local Net Users

Answer: D

Q: 26 Why would the network administrator enable TACACS+ server(s) on the Cisco wireless controllers rather than RADIUS server(s)?
A. to support IBN (AAA overrides)
B. to support EAP-FAST
C. to support H-REAP APs
D. to provide more robust accounting services
E. to provide more extensive management users authorization services

Answer: E

Q: 27 The administrator account on the Cisco NAC Guest Server can be authenticated using which two methods? (Choose two.)
A. Local Database
B. LDAP
C. Active Directory
D. RADIUS
E. TACACS+
F. Active Directory single sign-on

Answer: A, D

Q: 28 Which command tests the mobility ping over UDP?
A. mping mobility_peer_IP_address
B. mping port 16666
C. eping mobility_peer_IP_address
D. eping port 97

Answer: A

Q: 29 When implementing an Cisco IPS Sensor in a multi-controller network, what is the recommended configuration?
A. Add the Cisco IPS Sensor to each controller.
B. Add the Cisco IPS Sensor to one controller and ensure all controllers are in the same mobility group.
C. Add the Cisco IPS Sensor to each controller and ensure all controllers are in the same mobility group.
D. Add the Cisco IPS Sensor to one controller and ensure all controllers are on the same Layer 2 broadcast domain.

Answer: B

Q: 30 The Cisco NAC Guest Server can authenticate the “sponsors” using which four methods? (Choose four.)
A. authenticates the sponsor accounts directly on the Cisco NAC Guest Server
B. authenticates sponsors against an existing AD
C. authenticates sponsors against an existing LDAP server
D. authenticates sponsors against a TACACS+ server
E. authenticates sponsors against a RADIUS server
F. authenticates the sponsor accounts against the Cisco WCS

Answer: A, B, C, E

Q: 31 When using the foreign and anchor controllers for WLAN guest access, which two things should you do if the guest cannot access the web login page? (Choose two.)
A. Verify correct ports are allowed on the firewall.
B. Verify the anchor and foreign controllers are in the same subnet.
C. Verify the firewall is configured for static one-to-one NAT and not PAT.
D. Verify that the client account was created on the anchor controller and the foreign controller.

Answer: A, C

Q: 32 What two configuration parameters are usually different on the foreign and anchor controllers? (Choose two.)
A. guest WLAN SSID
B. guest WLAN Layer 2 and 3 security policies
C. WLAN mobility anchor configuration
D. interface mapped to the WLAN

Answer: C, D

Q: 33 Which three items are needed to execute an effective hijacking attack? (Choose three.)
A. rogue AP
B. rouge DHCP server
C. operating system of the victim
D. RF jammer
E. Layer 3 address of the victim

Answer: A, B, D

Q: 34 Drop
Answer & Explanation
Correct Answer
Explanations
No more information available

Answer: Check unicerts eEngine, Download from Member Center

Q: 35 Drop
Answer & Explanation
Correct Answer
Explanations
No more information available

Answer: Check unicerts eEngine, Download from Member Center

Q: 36 Which three information items does Spectrum Expert provide to Cisco WCS about an interfering device? (Choose three.)
A. type of interfering device
B. bandwidth of the interferer
C. power of the interferer
D. exact location of the interferer
E. spectrum capture of the device’s transmission

Answer: A, B, C

Q: 37 Which two statements about the switch port tracing feature are true? (Choose two.)
A. Cisco WLC performs switch port tracing using the Rogue Location Discovery Protocol.
B. Cisco WCS uses CDP to perform switch port tracing.
C. Switch port tracing has an option to trace the switch port or another option to shut down the switch port.
D. The detecting AP connects as a client to the rogue AP to track down the switch port the rouge AP is connected to.
E. Switch port tracing uses the detected RF characteristics and known properties of the managed RF network to locate the switch port the rogue AP is connected to.

Answer: B, C

Q: 38 When management frame protection is enabled, what does the AP add?
A. Cisco PMK keys
B. Cisco Aironet extensions to control frames
C. Frame Check Sequence to each management frame
D. message integrity check information element to each management frame

Answer: D

Q: 39 Which Adaptive wIPS component is the central point or alarm aggregation from all controllers and their respective Adaptive wIPS monitor mode APs and is where the alarm information and forensic files are stored for archival purposes?
A. Cisco WCS
B. Cisco IPS appliance
C. Cisco MSE
D. Cisco MARS appliance
E. Cisco Secure ACS

Answer: C

Q: 40 Drop
Answer & Explanation
Correct Answer
Explanations
No more information available

Answer: Check unicerts eEngine, Download from Member Center

Q: 41 What is required on the controller for performing local EAP-TLS authentication?
A. protected access credentials
B. 802.1x supplicant
C. access to the RADIUS server
D. access to an external LDAP database
E. a Cisco-installed or vendor-specific device digital certificate

Answer: E

Q: 42 Which level of rogue location capability is available on Cisco WCS when no context-aware or location server is implemented?
A. real-time rogue location by floor only
B. real-time rogue location for one rogue only
C. on-demand rogue location by floor only
D. on-demand rogue location for one rogue only

Answer: D

Q: 43 Which two situations permit Cisco WCS to successfully trace a rogue to a switch port? (Choose two.)
A. The rogue is broadcasting an infrastructure SSID.
B. The rogue has a client associated.
C. The rogue’s wired MAC address is equal to or +1/-1 of the rogue’s wireless MAC address. D. The rogue is on the same switch as a CAPWAP AP.
E. The rogue has been identified using RLDP.

Answer: B, C

Q: 44 When deploying Cisco Unified Wireless Network solutions, what is typically connected to the enterprise’s firewall DMZ?
A. Cisco NAC Appliance Server
B. Cisco NAC Appliance Manager
C. foreign controller
D. anchor controller
E. Cisco IPS Sensor
F. Cisco MSE

Answer: D

Q: 45 When adding a new Local Net User on the controller, what happens if the
Guest User check box is selected?
A. Web authentication will be enabled on the guest account.
B. The amount of time the guest user has access to the local network will be limited.
C. The controller will authenticate the guest account using the Cisco NAC Guest Server.
D. The guest user traffic will be associated to the guest VLAN.
E. 802.1x authentication will be disabled on the guest account.

Answer: B

Implementing Advanced Cisco Unified Wireless Security (IAUWS)

Product Description Exam Number/Code: 642-736
Exam Number/Code: 642-736
Exam Name:Implementing Advanced Cisco Unified Wireless Security (IAUWS)
“Implementing Advanced Cisco Unified Wireless Security (IAUWS)”, also known as 642-736 exam, is a Cisco certification.With the complete collection of questions and answers, Pass4sure has assembled to take you through 85 Q&As to your 642-736 Exam preparation. In the 642-736 exam resources, you will cover every field and category in CCNP Wireless helping to ready you for your successful Cisco Certification.
Free Demo Download
Pass4sure offers free demo for 642-736 exam (Implementing Advanced Cisco Unified Wireless Security (IAUWS)). You can check out the interface, question quality and usability of our practice exams before you decide to buy it.

Q&A V3.20

www.PassGuide.com

(C) Copyright 2006-2009 CertBible Tech LTD,All Rights Reserved.
Important Note
Please Read Carefully

Study Tips

This product will provide you questions and answers carefully compiled and written by our experts. Try to understand the concepts behind the questions instead of cramming the questions.

Go through the entire document at least twice so that you make sure that you are not
missing anything.

Latest Version

We are constantly reviewing our products. New material is added and old material is
revised. Free updates are available for 120 days after the purchase. You should check your
member zone at PassGuide an update 3-4 days before the scheduled exam date.

Feedback

If you spot a possible improvement then please let us know. We always interested in
improving product quality.
Feedback should be send to feedback@passguide.com. You should include the following:
Exam number, version, page number, question number, and your login ID.
Our experts will answer your mail promptly.

Be Prepared. Be Confident. Get Certified.
————————————————————————————————————————-
Sales and Support Manager
Sales Team: sales@passguide.com Support Team: support@passguide.com
———————————————————————————————————————

Copyright

Each pdf file contains a unique serial number associated with your particular name and
contact information for security purposes. So if we find out that a particular pdf file is
being distributed by you, CertBible reserves the right to take legal action against you
according to the International Copyright Laws.
Q: 1 What is the purpose of looking for anomalous behavior on a WLAN infrastructure?
A. identifying new attack tools
B. auditing employee’s bandwidth usage
C. identifying attacks using signature matching
D. improving performance by load balancing

Answer: A

Q: 2 As of controller release v5.2, which two statements about wired guest access support are true? (Choose two.)
A. It is not supported on the Cisco 2100 Series Controllers.
B. No more than three wired guest access LANs can be configured on a controller.
C. Layer 3 web authentication and passthrough are not supported.
D. Wired guest access cannot be configured in a dual-controller configuration that uses an anchor controller and a foreign controller.
E. The wired guest access ports must be in the same Layer 2 network as the foreign controller.

Answer: A, E

Q: 3 The wireless client can roam faster on the Cisco Unified Wireless Network infrastructure when which condition is met?
A. EAP-FAST is used for client authentication on the wireless network.
B. Cisco Centralized Key Management is used for Fast Secure Roaming.
C. QoS is being used on the WLAN to control which client packets get through the network faster.
D. RRM protocol is used between multiple APs that the client associates to while roaming.

Answer: B

Q: 4 Which option best describes an evil twin attack?
A. a rouge access point broadcasting a trusted SSID
B. a rogue access point broadcasting any SSID
C. a rouge ad-hoc with the SSID “Free WiFi”
D. a rouge access point spreading malware upon client connection

Answer: A

Q: 5 Which two configuration parameters does NAC OOB require on a SSID/WLAN? (Choose two.)
A. WMM enabled on the WLAN
B. open authentication on the WLAN
C. AAA override configuration on the WLAN
D. 802.1x configuration on the WLAN

Answer: B, D

Q: 6 Which two 802.11 frame types can be used in a virtual carrier (big NAV) attack? (Choose two.)
A. association
B. ACK
C. CTS
D. beacon
E. de-authentication

Answer: B, C

Q: 7 When adding the foreign controller as a mobility group member in the guest anchor controller, which statement is true?
A. The mobility group name on the guest anchor controller must match the mobility group name on the foreign controller.
B. The mobility group member IP address and MAC address belong to the management interface of the foreign controller.
C. To successfully add the foreign controller as a mobility group member in the guest anchor controller, all the parameters defined in the WLAN Security, QoS, and Advanced tabs must be configured identically in both the anchor and foreign controller.
D. In the guest anchor controller GUI, WLANs > Mobility Anchors page, use the Switch IP Address (Anchor) drop-down menu to select the IP address corresponding to the management interface of the anchor controller.

Answer: B

Q: 8 Drop Answer & Explanation Correct Answer
Explanations
No more information available

Answer: Check unicerts eEngine, Download from Member Center

Q: 9 For wireless NAC out-of-band operations, which protocol is used between the Cisco NAC Appliance Manager and the wireless controller to switch the wireless client from the quarantine VLAN to the access VLAN after the client passed the NAC authentication/posture assessment process?
A. RADIUS
B. TACACS+
C. SNMP
D. SSL
E. EAP

Answer: C

Q: 10 Which WLAN option, when enabled, allows different wireless clients to be connected to different VLANs based on the returned RADIUS attributes from the AAA server?
A. H-REAP
B. override interface ACL
C. NAC state
D. Cisco CKM
E. auth-proxy
F. allow AAA override

Answer: F

Q: 11 Which two statements about the EAP-FAST client-server authentication protocol are true? (Choose two.)
A. EAP-FAST establishes secure tunnel between the client and the server using certificates.
B. PAC can be distributed manually (out-of-band provisioning) or automatically (in-band provisioning).
C. EAP-FAST protocol uses PAC keys to establish secure encrypted tunnels between client and server.
D. Secure passwords are used to generate PAC key for creating secure TTLS tunnel between the client and the server.

Answer: B, C

Q: 12 When deploying guest WLAN access using the anchor controller, which is used to transport the guest data traffic between the foreign and anchor controllers?
A. UDP port 16666
B. UDP port 16667
C. IP protocol 97
D. UDP port 161
E. UDP port 162

Answer: C

Q: 13 What are the configuration steps, in order, for implementing wireless guest users using the foreign and anchor controllers approach?
A. 1) RF mobility group
2) lobby ambassador
3) SSID
B. 1) mobility domain name
2) mobility group
3) web portal
C. 1) anchor controller
2) WLAN
3) local guest server
4) lobby administrator
D. 1) anchor controller
2) mobility group
3) guest WLAN
4) guest account management

Answer: D

Q: 14 When troubleshooting clients on the Diagnostic channel, which two statements are true? (Choose two.)
A. When turning the Diagnostic channel on the WLAN, the WLAN becomes disabled.
B. Only clients with Cisco Compatible Extensions enabled can be used for troubleshooting on the Diagnostic channel.
C. Up to two WLAN can be turned on with Diagnostic channel at the same time.
D. Only Cisco-manufactured wireless cards are available for the Diagnostic channel troubleshooting.

Answer: A, B

Q: 15 Which ports are used by CAPWAP?
A. UDP 12222 and 12223
B. UDP 5246 and 5247
C. UDP 16666 and 16667
D. UDP 161 and 162
E. TCP 12222 and 12223
F. TCP 16666 and 16667

Answer: B