CCNP Wireless IAUWS (642-737) Certification Prep

Cisco 642-737 Implementing Advanced Cisco Unified Wireless Security v2.0 Version: 6.1

Post on 03-Feb-2022


QUESTION NO: 1
Which statement describes the major difference between PEAP and EAP-FAST client authentication?
A. EAP-FAST requires a backend AAA server, and PEAP does not.
B. EAP-FAST is a Cisco-only proprietary protocol, whereas PEAP is an industry-standard protocol.
C. PEAP requires a server-side certificate, while EAP-FAST does not require certificates.
D. PEAP authentication protocol requires a client certificate, and EAP-FAST requires a secure password.

Answer: C

Explanation:

QUESTION NO: 2
Which one best describes the EAP Identity Request frame when a wireless client is connecting to a Cisco WLC v7.0-based AP WLAN?
A. sourced from the Cisco ACS Server to the client
B. sourced from the client to the Cisco ACS Server
C. sourced from the WLC to the client
D. sourced from the client to the WLC
E. sourced from the AP to the client
F. sourced from the client to the AP

Answer: C

Explanation:

Cisco 642-737 Exam

"Pass Any Exam. Any Time." - www.actualtests.com

QUESTION NO: 3
What are the four packet types that are used by EAP? (Choose four.)
A. EAP Type
B. EAP Request
C. EAP Identity
D. EAP Response
E. EAP Success
F. EAP Failure
G. EAP Authentication

Answer: B,D,E,F

Explanation:

QUESTION NO: 4
When a supplicant and AAA server are configured to use PEAP, which mechanism is used by the client to authenticate the AAA server in Phase One?
A. PMK
B. shared secret keys
C. digital certificate
D. PAC

Answer: C

Explanation:

QUESTION NO: 5
Which EAP types are supported by MAC 10.7 for authentication to a Cisco Unified Wireless Network?
A. LEAP and EAP-FAST only
B. EAP-TLS and PEAP only
C. LEAP, EAP-TLS, and PEAP only
D. LEAP, EAP-FAST, EAP-TLS, and PEAP

Answer: D

Explanation:

QUESTION NO: 6
What are two of the benefits that the Cisco AnyConnect v3.0 provides to the administrator for client WLAN security configuration? (Choose two.)
A. Provides a reporting mechanism for rogue APs
B. Prevents a user from adding any WLANs
C. Hides the complexity of 802.1X and EAP configuration
D. Supports centralized or distributed client architectures
E. Provides concurrent wired and wireless connectivity
F. Allows users to modify but not delete admin-created profiles

Answer: C,D

Explanation:

QUESTION NO: 7
When using the Standalone Profile Editor in the Cisco AnyConnect v3.0 to create a new NAM profile, which two statements describe the profile becoming active? (Choose two.)
A. selects the new profile from NAM
B. selects "Network Repair" from NAM
C. becomes active after a save of the profile name
D. ensures use of "configuration.xml" as the profile name
E. ensures use of "config.xml" as the profile name
F. ensures use of "nam.xml" as the profile name

Answer: B,D

Explanation:

QUESTION NO: 8
Which two parameters can directly affect client roaming decisions? (Choose two.)
A. SNR
B. RSSI
C. MFP status
D. RF fingerprinting
E. RRM

Answer: A,B

Explanation:


QUESTION NO: 9
Which three parameters can be communicated between a Cisco WLC v7.0 and Cisco Compatible Extensions v4-enabled client to improve a secure roaming connection? (Choose three.)
A. minimum SNR
B. transition time
C. scan threshold
D. hysteresis
E. PER
F. MIC errors

Answer: B,C,D

Explanation:

QUESTION NO: 10
Which three Cisco WLC v7.0 CLI family of commands would be appropriate to troubleshoot a wireless client failure for connection to an AP? (Choose three.)
A. debug capwap
B. debug mac addr
C. debug ccxdiag
D. debug dhcp
E. debug ap
F. debug dtls
G. debug aaa

Answer: B,D,G

Explanation:

QUESTION NO: 11
What is the best method to verify AP parameters that are seen from a wireless client?
A. WCS debug commands
B. ACS log files
C. WCS show commands
D. AP debug commands
E. packet analyzers

Answer: E

Explanation:

QUESTION NO: 12
Employees are allowed to start bringing their own wireless devices to work for use on the 802.11a/b/g/n WLAN when using their existing credentials. However, they are experiencing issues. Which two items are the most probable cause of these issues? (Choose two.)
A. incorrect IP address
B. supplicant or driver
C. incorrect user name
D. wrong wireless band
E. application issues

Answer: B,E

Explanation:

QUESTION NO: 13
Employees adjust their wireless laptop for work at the office and when away from the office. What are the two most likely security issues for an employee laptop when connected at the corporate WLAN? (Choose two.)
A. loading a freeware customer contact application
B. configuring a static IP address
C. updating the driver
D. adding a coffee shop wireless HotSpot

Answer: A,C

Explanation:

QUESTION NO: 14
Which two options are supported when deploying wireless NAC out-of-band implementations? (Choose two.)
A. Cisco NAS in virtual gateway mode
B. WLANs with allow AAA override enabled
C. Cisco NAC Guest Server integration with the Cisco NAM
D. dynamic VLAN mappings on the Cisco NAS, which is based on the returned RADIUS attributes from the Cisco Secure ACS
E. autonomous APs

Answer: A,C

Explanation:

QUESTION NO: 15
When deploying wireless Cisco NAC OOB operations, which appliance performs VLAN mappings to map the quarantine VLANs to the access VLANs?
A. Cisco NAC Appliance Manager
B. Cisco NAC Appliance Server
C. Cisco NAC Guest Server
D. Cisco Wireless LAN Controller
E. the Layer 3 switch that connects the Cisco WLC to the Cisco NAC appliances

Answer: B

Explanation:

QUESTION NO: 16
Wireless NAC single sign-on uses which type of RADIUS records to notify the Cisco NAC Appliance Manager about the authenticated wireless clients?
A. accounting records
B. authentication records
C. authentication and accounting records
D. preauthentication records

Answer: A


Explanation:

QUESTION NO: 17
Refer to the exhibit.

Viewing the Controller > Interfaces configuration screen, which statement about the nac-vlan interface configuration is true?
A. Wireless client traffic that is outbound on VLAN 176 will be switched to the trusted interface on the Cisco NAC Appliance Server.
B. Wireless client traffic that is outbound on VLAN 175 will be switched to the trusted interface on the Cisco NAC Appliance Server.
C. 10.10.175.1 is the IP address of the trusted interface on the Cisco NAC Appliance Server.
D. 10.10.175.1 is the IP address of the untrusted interface on the Cisco NAC Appliance Server.
E. VLAN 175 is the access VLAN.
F. VLAN 176 traffic from the client will bypass the Cisco NAC Appliance Server.

Answer: E

Explanation:

QUESTION NO: 18
When configuring the WLC for single sign-on for the NAC, which device is used for the RADIUS accounting IP address?
A. Cisco NAC Appliance Manager
B. Cisco NAC Appliance Server
C. Cisco NAC Guest Server
D. Cisco ACS
E. Cisco WCS

Answer: A

Explanation:

QUESTION NO: 19
Which option verifies that a wireless client has authenticated to a WLAN when performing NAC using the Cisco NAC Appliance Manager and Server?
A. Cisco CAM OOB Management > Devices > Discovered Clients
B. Cisco CAS OOB Management > Devices > Discovered Clients
C. Cisco CAM Monitor > View Online Users
D. Cisco CAS Monitor > View Online Users

Answer: C

Explanation:


QUESTION NO: 20
802.1X AP supplicant credentials have been enabled and configured on a Cisco WLC v7.0 in both the respective Wireless>AP>Global Configuration location and AP>Credentials tab locations. What describes the 802.1X AP authentication process when connected via Ethernet to a switch?
A. Only WLC AP global credentials are used.
B. Only AP credentials are used.
C. WLC global AP credentials are used first; upon failure, the AP credentials are used.
D. AP credentials are used first; upon failure, the WLC global credentials are used.

Answer: B

Explanation:

QUESTION NO: 21
Which two statements best describe the local authentication configuration options for a Cisco WLC v7.0 and local mode AP? (Choose two.)
A. LEAP and EAP-FAST only
B. LEAP, EAP-FAST, EAP-PEAP, and EAP-TLS only
C. LEAP, EAP-FAST, EAP-PEAP, EAP-TLS, and EAP-MD5
D. EAP-FAST with PAC provision only
E. EAP-FAST with PAC or certificate provision

Answer: B,E

Explanation:

QUESTION NO: 22
Client Management Frame Protection is supported on which Cisco Compatible Extensions version clients?
A. v2 and later
B. v3 and later
C. v4 and later
D. v5 only

Answer: D

Explanation:

QUESTION NO: 23
Which three items must be configured on a Cisco WLC v7.0 to allow implementation of isolated bonding network? (Choose three.)
A. RADIUS server IP address
B. DHCP IP address
C. SNMP trap receiver IP address
D. interface name
E. SNMP community name
F. ACL name

Answer: A,D,F

Explanation:

QUESTION NO: 24
Which three WLAN policies can be controlled by using the Cisco IBNS on the Cisco WLC and Cisco Secure ACS? (Choose three.)
A. QoS setting
B. VLAN
C. EAP type
D. ACL
E. authentication priority order
F. NAC state

Answer: A,B,D

Explanation:

QUESTION NO: 25
Which attribute on the Cisco WLC v7.0 does RADIUS IETF attribute "Tunnel-Private-Group ID" assign?
A. ACL
B. DSCP
C. QoS
D. VLAN

Answer: D

Explanation:

QUESTION NO: 26
How do you configure the Cisco Secure ACS v4.2 and Cisco WLC v7.0 to provide the most flexibility for the management of authorized access on the WLC?
A. Local management user defined on the WLC
B. The WLC configured for RADIUS and the Cisco Secure ACS configured for RADIUS (Cisco Airespace)
C. The WLC configured for RADIUS and the Cisco Secure ACS configured for RADIUS (IETF)
D. The WLC configured for TACACS+ and the Cisco Secure ACS configured for TACACS+ (Cisco Airespace)
E. The WLC configured for TACACS+ and the Cisco Secure ACS configured for TACACS+ (Cisco IOS)

Answer: E

Explanation:

QUESTION NO: 27
The Cisco WLC v7.0 is configured for external 802.1X and EAP by using the WPA2 association of wireless clients when using the Cisco Secure ACS v4.2. Which two items are required in the Cisco Secure ACS network configuration to enable correct AAA? (Choose two.)
A. AP IP address
B. WLC virtual IP address
C. WLC management IP address
D. WLC AP management IP address
E. hostname matching the WLC case-sensitive name
F. authentication using RADIUS
G. authentication using TACACS+

Answer: C,F

Explanation:

QUESTION NO: 28
The Cisco WLC v7.0 is configured for external authentication of the management access to the WLC itself using the Cisco Secure ACS v4.2. The management user is limited to read access for all menu options except for full read/write access to the WLAN menu options. Which two items are required in the Cisco Secure ACS network configuration to enable correct AAA? (Choose two.)
A. AP IP address
B. WLC virtual IP address
C. WLC management IP address
D. WLC AP management IP address
E. hostname matching the WLC case-sensitive name
F. authentication using RADIUS
G. authentication using TACACS+

Answer: C,G

Explanation:

QUESTION NO: 29
Configuring the Cisco Secure ACS with a self-signed certificate supports which requirement?
A. when no user certificate is required
B. when a CA-signed certificate is required for the user
C. when a self-signed certificate Class 4 is required for the user
D. when a self-signed certificate Class 0 is required for the user

Answer: A

Explanation:


QUESTION NO: 30
When implementing certificates through the use of a CA, how is the certificate of client A validated by client B when received?
A. verifying the client A certificate using the client A private key
B. verifying the client A certificate using the client A public key
C. verifying the client A certificate using the client B private key
D. verifying the client A certificate using the client B public key
E. verifying the client A certificate using the CA private key
F. verifying the client A certificate using the CA public key

Answer: F

Explanation:

QUESTION NO: 31
Refer to the exhibit.

What does this Cisco Secure ACS v4.2 log indicate?
A. The WLC is not configured as a client in the Cisco Secure ACS.
B. The WLC is not configured as a server in the Cisco Secure ACS.
C. Incorrect authentication exists between the WLC and Cisco Secure ACS.
D. The wireless client is not configured as a client in the Cisco Secure ACS.
E. Incorrect authentication exists between the wireless client and Cisco Secure ACS.


Answer: A

Explanation:

QUESTION NO: 32
Authentication is failing between a client and the RADIUS server. Which WLC troubleshooting command set might be useful to assist in troubleshooting the issue?
A. show local-auth
B. debug ldap
C. debug aaa local-auth
D. debug dot1X event

Answer: D

Explanation:

QUESTION NO: 33
The Cisco NAC Guest Server is configured as which kind of device on the wireless controller?
A. external web authentication server
B. RADIUS server
C. SNMP trap receiver
D. anchor controller
E. AAA client

Answer: B

Explanation:

QUESTION NO: 34
Which two statements about the sponsor accounts on the Cisco NAC Guest Server are true? (Choose two.)
A. The sponsor login to the Cisco NAC Guest Server is at https://NGS-IP-Address/admin to create, view, and edit guest accounts.
B. The Cisco NAC Guest Server can authenticate the sponsors using the local database or via Microsoft Active Directory or LDAP or RADIUS servers.
C. Sponsoring user groups is the method by which to assign permissions to the sponsors.
D. Guest roles provide a way to give different levels of access to different sponsor accounts.
E. Sponsor accounts require admin privileges to generate reports.

Answer: B,C

Explanation:

QUESTION NO: 35
Which two statements are true about configuring a wired guest LAN feature? (Choose two.)
A. Create a WLAN on the anchor controller only
B. Select the management interface as the egress interface to reach the anchor controller
C. Require an anchor controller to implement
D. Select the interface that you created as the guest LAN interface in the ingress interface menu
E. Configure on any controller from version 5.2 forward

Answer: B,D

Explanation:

QUESTION NO: 36
Refer to the exhibit.

What is the 1.1.1.1 IP address?
A. the controller virtual interface IP address
B. the controller management IP address
C. the controller AP-manager IP address
D. the RADIUS server IP address
E. the lightweight AP IP address
F. the wireless client IP address

Answer: A

Explanation:

QUESTION NO: 37
When configuring guest WLAN access, which two statements are true? (Choose two.)
A. The SSID that is defined for the guest WLAN on the foreign controllers must be the same as that defined on the anchor controller.
B. The foreign controllers must be defined with an ingress interface and an egress interface in the guest WLAN.
C. The foreign and anchor controllers must be configured in a mobility group for the foreign controllers to be able to initiate EoIP tunnels to one or more anchor controllers.
D. The mobility domain name of the anchor controller should be the same as what is configured for the foreign controllers.

Answer: A,C

Explanation:

QUESTION NO: 38
Which statement correctly describes the relationship between the foreign and anchor controllers when used for guest access?
A. The foreign controller will load balance in round-robin fashion starting with the highest IP address anchor controller to the lowest IP address anchor controller.
B. The foreign controller will load balance in round-robin fashion starting with the lowest IP address anchor controller to the highest IP address anchor controller.
C. The foreign controller will load balance in round-robin fashion starting with the highest MAC address anchor controller to the lowest MAC address anchor controller.
D. The foreign controller will load balance in round-robin fashion starting with the lowest MAC address anchor controller to the highest MAC address anchor controller.

Answer: B

Explanation:

QUESTION NO: 39
Which two descriptions of mpings and epings are true? (Choose two.)
A. mpings run over UDP port 16666.
B. mpings run over UDP port 16667, and epings run over port 16666.
C. epings run over EoIP.
D. mpings test mobility data packet reachability, and epings test mobility control packet reachability.
E. mpings run over the management interface, and epings run over the virtual interface.
F. mpings and epings are useful tools for troubleshooting WLC-to-AP communications.

Answer: A,C

Explanation:

QUESTION NO: 40
Which two firewall ports must be opened for the anchor controller to operate properly with a foreign controller for guest access? (Choose two.)
A. ports 16666 and 16667 for controller traffic
B. port 97 for EoIP traffic
C. port 80 for HTTP traffic
D. port 69 for TFTP traffic

Answer: A,B

Explanation:

QUESTION NO: 41
Which one of the options is responsible for multiple requirements for account data protection such as with credit cards?
A. ISO
B. IEEE
C. IETF
D. Wi-Fi Alliance
E. PCI
F. HIPAA
G. GLBA

Answer: E

Explanation:

QUESTION NO: 42
Which one of the following best describes the implementation of VLAN pooling on a Cisco WLC v7.0?
A. Allows a single WLAN ID to be mapped to multiple SSIDs
B. Allows a single SSID to be mapped to multiple WLAN IDs
C. Allows a single WLAN ID to be mapped to multiple interfaces
D. Allows a single interface to be mapped to multiple WLAN IDs

Answer: C

Explanation:

QUESTION NO: 43
A Cisco WLC v7.0 has been only initially configured through the console setup CLI wizard. A new AP has just finished association with the controller. What is the default mode of remote access to the AP?
A. HTTPS
B. HTTP
C. SSH
D. Telnet
E. access is disabled


Answer: E

Explanation:

QUESTION NO: 44
Which two tools help to provide PCI compliance reports? (Choose two.)
A. WLC
B. WCS
C. MSE
D. Ekahau Site Survey
E. AirMagnet WiFi Analyzer

Answer: B,E

Explanation:

QUESTION NO: 45
Which four attack categories can the Cisco WLC v7.0 IDS detect using the 17 standard signatures? (Choose four.)
A. broadcast deauthentication attacks
B. Wellenreiter and NetStumbler attacks
C. management frame floods and EAPOL floods
D. fragmentation attacks
E. NULL probe response attacks
F. RF jamming attacks

Answer: A,B,C,E

Explanation:

QUESTION NO: 46
The Cisco Unified Wireless Network solution, which is based on version 7.0, provides which three wired-side tracing techniques? (Choose three.)
A. switch port tracing
B. adaptive wIPS
C. RLDP
D. autocontainment
E. rogue detector
F. H-REAP

Answer: A,C,E

Explanation:

QUESTION NO: 47
Refer to the exhibit.

What is the effect of setting Client Exclusion to Enabled and set to a Timeout Value of 0 seconds in a Cisco WLC v7.0?
A. Excluded clients must be manually removed from the excluded list.
B. Client exclusion will not occur.
C. Client exclusion timeout will be determined by the IDS module.
D. Clients will only be disconnected and not excluded.

Answer: A

Explanation:


QUESTION NO: 48
Which wireless attack can cause most client wireless adapters to lock up?
A. management frame flood
B. NULL probe response
C. EAPOL flood
D. RF jamming
E. disassociation flood
F. deauthentication flood

Answer: B

Explanation:

QUESTION NO: 49
The NetStumbler tool is an example of which wireless attack type?
A. denial of service
B. information gathering
C. hijacking
D. eavesdropping

Answer: B

Explanation:

QUESTION NO: 50
Which device performs the definition of rules and requirements for posture assessment of a wireless client when implementing a NAC appliance solution?
A. Cisco NAC Guest Server
B. Cisco Secure Access Control System
C. Cisco 802.1X supplicant
D. Cisco NAC Appliance Agent
E. Cisco NAC Appliance Manager
F. Cisco NAC Appliance Server
G. Cisco IPS Appliance

Answer: E

Explanation:

QUESTION NO: 51
Which NAC component performs device compliance checks as users attempt to access the network?
A. Cisco NAC Guest Server
B. Cisco Secure Access Control System
C. Cisco 802.1X supplicant
D. Cisco NAC Appliance Agent
E. Cisco NAC Appliance Manager
F. Cisco NAC Appliance Server
G. Cisco IPS Appliance

Answer: D

Explanation:

QUESTION NO: 52
Which protocol port(s) need open access when deploying NAC appliances to communicate with the Cisco WLC v7.0 to move an authenticated user from the quarantine VLAN to the access VLAN?
A. UDP 16666
B. UDP 514
C. UDP 5246 and 5247
D. UDP 161 and 162
E. TCP 443

Answer: D

Explanation:

QUESTION NO: 53
Which two firewall protocol port(s) need open access for secure management access to an anchor WLC for guest access? (Choose two.)
A. TCP 22
B. TCP 23
C. TCP 80
D. TCP 8080
E. TCP 443
F. UDP 123

Answer: A,E

Explanation:

QUESTION NO: 54
An IPS appliance is being integrated into the Cisco Unified Wireless Network solution in promiscuous mode. Which two parameters are required when configuring a Cisco WLC v7.0 for the addition of the IPS appliance services? (Choose two.)
A. WLAN > AAA Override is enabled
B. WLAN > P2P Blocking is enabled
C. WLAN > Client Exclusion is enabled
D. WLAN > NAC State is enabled
E. Security > RADIUS accounting IP address
F. Security > Sensors IP address

Answer: C,F

Explanation:

QUESTION NO: 55
How is the MSE enabled to support wIPS service?
A. CLI console or SSH session with the MSE
B. HTTPS with the MSE
C. HTTPS with the Cisco WCS to enable the MSE and WLC(s)
D. HTTPS with WLC(s) to enable locally and the IP address of MSE

Answer: C


Explanation:

QUESTION NO: 56
A wireless client has finished 802.1X and EAP using WPA2 with a controller-based AP network using a central AAA server. How is unicast encryption implemented on the client?
A. The client uses the PMK that is sent from the AAA server that is derived from EAP authentication.
B. The client uses the PTK that is sent from the WLC, which was derived from the PMK that is sent from the AAA server.
C. The client uses the PTK that is derived from EAP authentication.
D. The client uses the PMK that is derived from a four-way handshake with the AP.
E. The client uses the PTK that is derived from a four-way handshake with the AP.

Answer: E

Explanation:

QUESTION NO: 57
Which key is used to encrypt unicast traffic between the supplicant and the AP after EAP authentication has completed?
A. PMK
B. GTK
C. PTK
D. OKC
E. PSK

Answer: C

Explanation:

QUESTION NO: 58
What does the Cisco WLC v7.0 use to encrypt broadcast and multicast frames that are sent to a wireless client?
A. PMK
B. GTK
C. PTK
D. OKC
E. PSK

Answer: B

Explanation:

QUESTION NO: 59
When using the Microsoft WLAN AutoConfig feature, which 802.1X authentication method is not supported natively by Windows 7?
A. EAP-TLS
B. EAP-FAST
C. PEAP with MS-CHAPv2
D. PEAP with GTC

Answer: B

Explanation:

QUESTION NO: 60
Many employees are bringing their own devices to work such as those running Apple iOS for iPhones and iPads. Which three statements correctly describe authentication for these devices? (Choose three.)
A. supports only broadcast networks
B. supports broadcast and hidden networks
C. supports only pre-shared key (pass phrase)
D. supports most EAP types such as EAP-FAST, EAP-TLS, and PEAP
E. supports WPA only
F. supports WEP, WPA, and WPA2

Answer: B,D,F

Explanation:


QUESTION NO: 61
What are the three methods that a Cisco AnyConnect v3.0 profile can be applied to a client device? (Choose three.)
A. Cisco ASA version 8.2 and later can instruct users to open a specific page on the ASA web interface, from where NAM and user profiles can be downloaded.
B. The DHCP option for using a TFTP server automates where NAM and user profiles can be downloaded.
C. The administrator can manually copy the profile to the correct location on the client PC.
D. The administrator can also use the predeploy installer (MSI on Windows) with the generated profiles.
E. When loaded, the Posture Module can verify and request the user to load the latest profile.
F. The administrator can use the Cisco AnyConnect v3.0 server feature to allow clients to authenticate with the AAA server and then download the appropriate profile to their client PC.

Answer: A,C,D

Explanation:

QUESTION NO: 62
Which two statements describe the use of NAM by the Cisco AnyConnect v3.0? (Choose two.)
A. removes Cisco Secure Services Client v5.X but retains the configuration for NAM
B. removes Cisco Secure Services Client v5.X software and configuration for a clean install
C. installs on Windows, Mac, and Linux
D. installs on Windows only
E. requires a license
F. requires a profile editor to allow a user to add WLANs

Answer: A,D

Explanation:

QUESTION NO: 63
Which two statements describe the secure roaming process of a client between APs that are controlled by a Cisco WLC v7.0? (Choose two.)
A. determined by client algorithms
B. determined by the WLC and AP infrastructure
C. the WLC can only request a client roam using Cisco Compatible Extensions v3 and above
D. the WLC can only request a client roam using Cisco Compatible Extensions v4 and above
E. only implemented for VoWLAN

Answer: A,D

Explanation:

QUESTION NO: 64
Which two fast roaming algorithms will allow a WLAN client to roam to a new AP and re-establish a new session key without a full reauthentication of the WLAN client? (Choose two.)
A. PMK
B. PTK
C. MIC
D. GTK
E. CKM
F. PKC

Answer: E,F

Explanation:

QUESTION NO: 65
Which statement correctly describes the usage of the debug command in a Cisco Unified Wireless Network?
A. Debug is enabled until manual shut off.
B. Debug is available on the WLC serial console and web interface.
C. Debug is a restricted command and is not available in the AP CLI.
D. Debug is a message logging severity 7.

Answer: D

Explanation:


QUESTION NO: 66
Which Cisco WLC v7.0 CLI family of commands helps to verify the PAC status for client association when using local-EAP?
A. debug group
B. debug dot1X
C. show local-auth
D. debug aaa
E. debug capwap

Answer: D

Explanation:

QUESTION NO: 67
Employees are allowed to start bringing their own laptops to work. Which option can help provide a temporal user device vulnerability check when using the Java applet or ActiveX?
A. Cisco NAC Server
B. Cisco NAC Guest Server
C. Cisco NAC Manager
D. Cisco NAC Windows Agent
E. Cisco NAC Web Agent
F. Cisco ACS

Answer: E

Explanation:

QUESTION NO: 68
Employees are allowed to start bringing their own laptops to work. Which option can help provide a persistent user device check against unexpected issues of security risk application and lack of appropriate patches or updates inclusive of registry keys?
A. Cisco NAC Server
B. Cisco NAC Guest Server
C. Cisco NAC Manager
D. Cisco NAC Windows Agent
E. Cisco NAC Web Agent
F. Cisco ACS

Answer: D

Explanation:

QUESTION NO: 69
When deploying wireless Cisco NAC OOB operations, which device signals the WLC to switch a user from a quarantine VLAN to an access VLAN?
A. Cisco NAC Appliance Manager
B. Cisco NAC Appliance Server
C. Cisco NAC Guest Server
D. Cisco ACS
E. Cisco WCS

Answer: A

Explanation:

QUESTION NO: 70
When do NAC out-of-band deployments require user traffic to traverse through the Cisco NAC Server?
A. posture assessment only
B. 802.1X and EAP authentication and remediation
C. posture assessment and remediation
D. 802.1X and EAP authentication, posture assessment, and remediation

Answer: C

Explanation:

QUESTION NO: 71
For wireless NAC out-of-band operations, which protocol is used between the Cisco NAC Appliance Manager and the wireless controller to switch the wireless client from the quarantine VLAN to the access VLAN after the client has passed the NAC authentication and posture assessment process?
A. RADIUS
B. TACACS+
C. SNMP
D. SSL
E. EAP

Answer: C

Explanation:

QUESTION NO: 72
When configuring the WLC for NAC out-of-band, which device will be used for SNMP trap receiver IP address entries?
A. Cisco NAC Appliance Manager
B. Cisco NAC Appliance Server
C. Cisco NAC Guest Server
D. Cisco ACS
E. Cisco WCS

Answer: A

Explanation:

QUESTION NO: 73 Which three of the items listed are required configuration parameters for the WLC to enable NACout-of-band single sign-on when implementing NAC appliances? (Choose three.) A. EAP authentication B. web authentication C. SNMP D. RADIUS accounting E. WLAN > SNMP NAC enabled F. WLAN > RADIUS NAC enabled

Answer: C,D,E

Explanation:

QUESTION NO: 74 Which option verifies that a wireless client has associated but is not yet authenticated to a WLAN when performing NAC using the Cisco NAC Appliance Manager and Server? A. Cisco CAM OOB Management > Devices > Discovered Clients B. Cisco CAS OOB Management > Devices > Discovered Clients C. Cisco CAM Monitor > View Online Users D. Cisco CAS Monitor > View Online Users

Answer: A

Explanation:

QUESTION NO: 75 Which EAP protocol(s) can be used by a controller-based AP on Ethernet for 802.1X authentication to a switch? A. EAP-LEAP B. EAP-FAST C. EAP-PEAP D. EAP-TLS E. 802.1X and EAP are not supported on AP-wired Ethernet

Answer: B

Explanation:

QUESTION NO: 76 Which option correctly lists the EAP protocol(s) that can be configured on an autonomous AP for local authentication? A. MAC B. LEAP and EAP-FAST C. MAC, LEAP, and EAP-FAST D. MAC, EAP-FAST, EAP-PEAP, and EAP-TLS

Answer: C

Explanation:

QUESTION NO: 77 Which two statements best describe the local authentication configuration options for a H-REAP using H-REAP groups in the Cisco WLC v7.0? (Choose two.) A. LEAP and EAP-FAST only B. LEAP, EAP-FAST, EAP-PEAP, and EAP-TLS only C. LEAP, EAP-FAST, EAP-PEAP, EAP-TLS, and EAP-MD5 D. EAP-FAST with PAC provision only E. EAP-FAST with PAC or certificate provision

Answer: A,D

Explanation:

QUESTION NO: 78 Cisco Client MFP is supported on which modes of LWAPP and CAPWAP APs? A. Local, H-REAP, and Bridge B. Local, H-REAP, and Monitor C. Local, H-REAP, and Rogue Detector D. Sniffer, H-REAP, and Bridge

Answer: A

Explanation:

QUESTION NO: 79 Which three RADIUS IETF attributes should be enabled on the Cisco Secure ACS v4.2 when implementing IBN for VLAN assignment to the Cisco WLC v7.0? (Choose three.) A. [064] Tunnel-Type B. [065] Tunnel-Medium-Type C. [066] Tunnel-Client-Endpoint D. [067] Tunnel-Server-Endpoint E. [069] Tunnel-Password F. [081] Tunnel-Private-Group-ID G. [082] Tunnel-Private-User-ID

Answer: A,B,F

Explanation:

QUESTION NO: 80 Which answer best describes the implementation of IBN using the Cisco WLC v7.0 and Cisco Secure ACS v4.2? A. Configure the ACS for AAA override and attributes. Configure the WLC for RADIUS server. B. Configure the ACS for AAA override and attributes. Configure the WLC for RADIUS server and attributes. C. Configure the ACS for attributes. Configure the WLC for RADIUS server and AAA override. D. Configure the ACS for attributes. Configure the WLC for RADIUS server, AAA override, and attributes.

Answer: D

Explanation:

QUESTION NO: 81 What are the two most commonly used RADIUS (Cisco Airespace) attributes that are configured in the Cisco Secure ACS v4.2 for IBN implementation with the Cisco WLC v7.0? (Choose two.) A. QoS level B. DSCP C. 802.1P tag D. security type E. ACL name F. EAP type G. NAC state

Answer: A,E

Explanation:

QUESTION NO: 82 How should the Cisco Secure ACS v4.2 and the Cisco WLC v7.0 be configured to support wireless client authentication? A. The WLC configured for RADIUS and the Cisco Secure ACS configured for RADIUS (Cisco Airespace) B. The WLC configured for RADIUS and the Cisco Secure ACS configured for RADIUS (IETF) C. The WLC configured for TACACS+ and the Cisco Secure ACS configured for TACACS+ (Cisco Airespace) D. The WLC configured for TACACS+ and the Cisco Secure ACS configured for TACACS+ (Cisco IOS)

Answer: A

Explanation:

QUESTION NO: 83 When using a controller-based AP network, which type of entry is configured in the Cisco Secure ACS? A. AAA client using the AP IP address B. AAA server using the AP IP address C. AAA client using the WLC IP address D. AAA server using the WLC IP address

Answer: A

Explanation:

QUESTION NO: 84 Which two entries can be used in the Cisco Secure ACS AAA network configuration setup for IP address 192.168.1.1 to provide RADIUS authentication for the network node? (Choose two.) A. 192.168.1.1-10 B. 192.168.1.0 C. 192.168.1.0 0.0.0.255 D. 192.168.1.255 E. 192.168.1.*

Answer: A,E

Explanation:

QUESTION NO: 85 In which three places can certificates be used in a WLAN to provide secure communications? (Choose three.) A. between client and AP B. between AP and WLC C. between client and WLC D. between client and RADIUS server E. between WLC and RADIUS server

Answer: B,C,D

Explanation:

QUESTION NO: 86 Which two EAP type(s) require a client certificate? (Choose two.) A. LEAP B. PEAP C. EAP-FAST D. EAP-TLS E. EAP-MD5

Answer: C,D

Explanation:

QUESTION NO: 87 What is the maximum number of ACLs that can be applied to a Cisco WLC v7.0 interface? A. 1 B. 16 C. 32 D. 64

Answer: A

Explanation:

QUESTION NO: 88 Refer to the exhibit.

What does this Cisco Secure ACS v4.2 log indicate? A. The WLC is not configured as a client in the Cisco Secure ACS. B. The WLC is not configured as a server in the Cisco Secure ACS. C. Incorrect authentication exists between the WLC and Cisco Secure ACS. D. The wireless client is not configured as a client in the Cisco Secure ACS. E. Incorrect authentication exists between the wireless client and Cisco Secure ACS.

Answer: C

Explanation:

QUESTION NO: 89 Refer to the exhibit.

Why is the client failing to authenticate with the AAA server? A. excessive number of authentication attempts for username B. incorrect read/write credentials for username C. incorrect IP address being sent by client D. incorrect authentication for username

Answer: D

Explanation:

QUESTION NO: 90 The Cisco NAC Guest Server has integration with which two other Cisco devices to support guest services? (Choose two.) A. Cisco NAC Appliance Agent B. Cisco NAC Appliance Server C. Cisco NAC Appliance Manager D. Cisco NAC Profiler E. Cisco WLC F. Cisco WCS

Answer: C,E

Explanation:

QUESTION NO: 91 Which statement about the Cisco NAC Guest Server that is deployed in wireless guest access implementations is true? A. The Cisco NAC Guest Server integrates with the Cisco WCS through the RADIUS protocol. B. The Cisco NAC Guest Server can be used in place of Cisco WCS Lobby Ambassador functionality for guest provisioning and reporting. The Cisco WCS is still needed for WLAN management. C. The Cisco WLC acts as the guest accounts provisioning portal, and the Cisco NAC Guest Server acts as the captive portal capturing web requests from preassigned "guest ports" and requesting authentication. D. Guest accounts on the Cisco NAC Guest Server can be created using the Cisco WCS Lobby Ambassador feature.

Answer: B

Explanation:

QUESTION NO: 92 What is the default authentication protocol that is used for web authentication? A. MD5-CHAP B. CHAP C. PAP D. LEAP

Answer: C

Explanation:

QUESTION NO: 93 A wireless client has a browser with a manually configured proxy. The Cisco WLC v7.0 has been configured for basic WLAN Layer 3 web pass through with the remaining default configuration. Which two statements are true when the client attempts to connect to a WLAN for guest access using web authentication? (Choose two.) A. The WLC allows access if the client is requesting a globally resolvable DNS address. B. The WLC allows access if it is configured for WebAuth Proxy. C. The WLC allows access for a client request to ports 80 or 8080 only. D. Access requires DHCP with option 252. E. Access requires DHCP with option 150.

Answer: B,D

Explanation:

QUESTION NO: 94 Which statement correctly describes a wireless client connection to the Cisco WLC v7.0 that is configured for web guest access? A. The client associates to the anchor controller and authenticates to the anchor controller. B. The client associates to the anchor controller and authenticates to the foreign controller. C. The client associates to the foreign controller and authenticates to the anchor controller. D. The client associates to the foreign controller and authenticates to the foreign controller.

Answer: C

Explanation:

QUESTION NO: 95 How many tunnels can a Cisco WLC v7.0 anchor? A. 63 B. 64 C. 71 D. 72 E. 253 F. 254

Answer: C

Explanation:

QUESTION NO: 96 What does the eping mobility_peer_IP_address command do? A. It tests EoIP connectivity via port 97 through the management interface. B. It tests EoIP connectivity via port 97 through the AP manager interface. C. It tests UDP connectivity via port 16666 through the management interface. D. It tests UDP connectivity via port 16666 through the AP manager interface.

Answer: A

Explanation:

QUESTION NO: 97 Which two things should you verify if the Cisco NAC Guest Server is configured on the network and the client cannot access the guest network? (Choose two.) A. The controller can ping the Cisco NAC Guest Server. B. The controller can mping and eping the Cisco NAC Guest Server. C. AAA override is enabled on the guest WLAN. D. Controllers and the Cisco NAC Guest Server are in the same mobility group.

Answer: A,C

Explanation:

QUESTION NO: 98 Which one of the options is related to U.S. Federal Trade Commission safeguard rules for financial institutions to protect customer information? A. ISO B. IEEE C. IETF D. Wi-Fi Alliance E. PCI F. HIPAA G. GLBA

Answer: G

Explanation:

QUESTION NO: 99 A network administrator is assigning a one-to-one association for VLAN to wireless WLAN or SSID. Given the implementation of a Cisco 2500 Series controller using v7.0, how many WLANs can be created? A. 8 B. 16 C. 32 D. 64 E. 128 F. 254 G. 512

Answer: B

Explanation:

QUESTION NO: 100 Which group provides the complete set of options for user roles in an autonomous AP? A. Read-only B. Read-only and Read-write C. Read-only, Read-write, and Lobby-admin D. Read-only, Read-write, and Monitor E. Read-only, Read-write, and ALL F. Read-only, Read-write, Lobby-admin, and ALL

Answer: B

Explanation:

QUESTION NO: 101 Given a proper configuration of the Cisco WLC v7.0, what is the default username, password, and enable password to remotely access an associated AP? A. admin, admin, and Cisco B. admin, cisco, and Cisco C. none, cisco, and Cisco D. none, Cisco, and Cisco E. Cisco, Cisco, and Cisco F. lightweight APs do not allow remote access

Answer: E

Explanation:

QUESTION NO: 102 What is the default security level that is used for syslog messages to a Cisco WLC v7.0-buffered log? A. Alerts B. Errors C. Warnings D. Notification E. Informational F. Disabled

Answer: B

Explanation:

QUESTION NO: 103 Which three products are required to produce Cisco Clean Air Security reports? (Choose three.) A. WLC v7.0 B. WCS v7.0 C. MSE v7.0 D. Spectrum Expert v4.0 E. 1260 AP F. 3500 AP

Answer: A,B,F

Explanation:

QUESTION NO: 104 Which four conditions can be used in rules to classify rogue APs on a Cisco WLC v7.0? (Choose four.) A. managed SSID B. RSSI C. EAP type D. no encryption E. encryption method F. duration

Answer: A,B,D,F

Explanation:

QUESTION NO: 105 Refer to the exhibit.

A WLAN with the SSID "Enterprise" is configured. Which rogue will be marked as malicious? A. a rogue with no clients, broadcasting the SSID "Enterprise" heard at -50dBm B. a rogue with two clients, broadcasting the SSID "Employee" heard at -50dBm C. a rogue with two clients, broadcasting the SSID "Enterprise" heard at -50dBm D. a rogue with two clients, broadcasting the SSID "Enterprise" heard at -80dBm

Answer: C

Explanation:

QUESTION NO: 106 Which two situations permit the Cisco WCS v7.0 to successfully trace a rogue to a switch port? (Choose two.) A. The rogue is broadcasting an infrastructure SSID. B. The rogue has a client that is associated. C. The wired MAC address of the rogue is equal to or +1/-1 of the wireless MAC address of the rogue. D. The rogue is on the same switch as a CAPWAP AP. E. The rogue has been identified using RLDP.

Answer: B,C

Explanation:

QUESTION NO: 107 Which two attacks represent a social engineering attack? (Choose two.) A. using AirMagnet Wi-Fi Analyzer to search for hidden SSIDs B. calling the IT helpdesk and asking for network information C. spoofing the MAC address of an employee device D. entering a business and posing as IT support staff

Answer: B,D

Explanation:

QUESTION NO: 108 Which type of attack is a result of a WLAN being overwhelmed by 802.1X authentication requests? A. NetStumbler attack B. EAPOL flood signature C. management flood signatures D. broadcast deauthentication frame signatures E. NULL probe response signatures

Answer: B

Explanation:

QUESTION NO: 109 Which type of attack is characterized by an evil twin? A. DoS B. man in the middle C. jamming D. eavesdropping

Answer: B

Explanation:

QUESTION NO: 110 Which device performs the enforcement of posture assessment for a wireless client when implementing a NAC appliance solution? A. Cisco NAC Guest Server B. Cisco Secure Access Control System C. Cisco 802.1X supplicant D. Cisco NAC Appliance Agent E. Cisco NAC Appliance Manager F. Cisco NAC Appliance Server G. Cisco IPS Appliance

Answer: F

Explanation:

QUESTION NO: 111 Which device provides IDS and IPS protection in a Cisco Unified Wireless Network against wireless clients with viruses and worms? A. Cisco NAC Guest Server B. Cisco Secure Access Control System C. Cisco WLC D. Cisco WCS E. Cisco NAC Appliance Manager F. Cisco NAC Appliance Server G. Cisco IPS Appliance

Answer: G

Explanation:

QUESTION NO: 112 Which protocol port(s) need open access for communication between the MSE and WLC? A. UDP 16666 and 16667 B. UDP 5247 and 5264 C. UDP 161 and 162 D. UDP 16113 E. TCP 16113

Answer: E

Explanation:

QUESTION NO: 113 Which protocol port needs open access for the Cisco WLC v7.0 using an external AAA server for checking administrative privileges for menu access? A. UDP 1812 B. UDP 1813 C. UDP 1645 D. UDP 1646 E. TCP 49 F. TCP 443

Answer: E

Explanation:

QUESTION NO: 114 IPS appliance traffic monitoring has been configured in a Cisco WLC v7.0 with default parameters. Which statement correctly describes the results when malicious traffic is detected from a wireless client? A. The WLC immediately notifies the IPS appliance. B. The IPS appliance immediately notifies the WLC. C. The WLC polls the IPS for the status every 60 seconds. D. The IPS initiates updates to the WLC every 60 seconds.

Answer: C

Explanation:

QUESTION NO: 115 When deploying wIPS, which protocol is used to communicate between the Cisco WLC v7.0 and the MSE? A. SNMP B. HTTPS C. CAPWAP D. SOAP and XML E. NMSP

Answer: E

Explanation:

QUESTION NO: 116 DRAG DROP

Answer:

Explanation:

QUESTION NO: 117 DRAG DROP

Answer:

Explanation:

QUESTION NO: 118 DRAG DROP

Answer:

Explanation:

QUESTION NO: 119 DRAG DROP

Answer:

Explanation:

QUESTION NO: 120 DRAG DROP

Answer:

Explanation:

QUESTION NO: 121 What NAC appliance component is configured to create user roles, meet remediation requirements, and handle checking for device compliance? A. NGS B. NAA C. NAS D. NAM

Answer: D

Explanation:

QUESTION NO: 122 On a newly configured wireless network, client data is not reaching the foreign controller when a client needs to roam. What port(s) should be verified as open? A. IP Protocol 97 B. UDP port 166666 C. TCP ports 443 and 80 D. UDP ports 161 and 162

Answer: A

Explanation:

QUESTION NO: 123 On a newly configured wireless network, intercontroller communication is failing. Which two ports should be verified as open? (Choose two.) A. IP Protocol 97 B. UDP port 16666 C. TCP port 443 D. UDP port 161 E. UDP port 162 F. TCP port 80

Answer: A,B

Explanation:

QUESTION NO: 124 A network IPS has been added to a WLC. How long will clients be excluded, if the IPS and WLC client exclusion settings are left at the default setting? A. 30 seconds B. 60 seconds C. 30 minutes D. 60 minutes

Answer: B

Explanation:

QUESTION NO: 125 An engineer is going to enable EAP on a new WLAN and is ensuring he has the necessary components. What component uses EAP and 802.1x to pass user authentication to the authenticator? A. AP B. Controller C. Supplicant D. AAA Server

Answer: C

Explanation:

QUESTION NO: 126 An engineer would like to use an EAP supplicant that uses PKI to authenticate the WLAN network and client, as well as a client certificate. What EAP method can be used? A. PEAPv1 B. PEAPv0 C. EAP-FAST D. EAP-TLS

Answer: D

Explanation:

QUESTION NO: 127 What two settings must be selected under the wireless properties security tab to configure EAP-TLS on a Microsoft Windows client? (Choose two.) A. 802.1X B. Shared C. WPA2-Personal D. WPA2-Enterprise E. Network Security Key F. Smart Card or other certificate G. Protected EAP

Answer: D,F

Explanation:

QUESTION NO: 128 An engineer is configuring EAP-FAST for a Windows 7 client with an Intel wireless card. What option can be used for automatic PAC delivery? A. LEAP B. TTLS C. GTC D. SIM E. PKI

Answer: C

Explanation:

QUESTION NO: 129 An engineer is configuring a Cisco AnyConnect client. What module is selected to allow for reporting and diagnostics? A. NAM B. Posture C. Telemetry D. VPN E. DART

Answer: E

Explanation:

QUESTION NO: 130 An engineer is creating a Cisco AnyConnect profile for NAM. What menu will allow the client to find a hidden SSID to which to connect? A. Client Policy B. Authentication Policy C. Networks D. Network Groups

Answer: C

Explanation:

QUESTION NO: 131 Clients are continually bouncing between APs when a client is on or near the border of two APs. What RF parameter should be adjusted? A. Minimum RSSI B. Hysteresis C. Adaptive Scan Threshold D. Transition Time

Answer: B

Explanation:

QUESTION NO: 132 Wireless client voice calls are being degraded during roaming using a Cisco 7925 series phone on a wireless network. What mechanism can resolve the issue? A. CCKM B. 802.11r C. PKC D. 802.11i

Answer: A

Explanation:

QUESTION NO: 133 An engineer is troubleshooting a client failing web authentication and checks the Policy Manager State in WCS. What status shows that the client completed the 802.11 process without errors? A. WEBAUTH_REQD B. RUN C. START D. DHCP_REQD E. DHCP_RECD

Answer: A

Explanation:

QUESTION NO: 134 An engineer is troubleshooting failing authentication on a controller using an external RADIUS server. What family of commands is used to troubleshoot the issue? A. debug ldap B. debug aaa C. debug aaa local-auth D. debug dot1x

Answer: B

Explanation:

QUESTION NO: 135 An engineer has narrowed down an authentication issue to the client laptop. What three items should be verified for EAP-TLS authentication? (Choose three.) A. The user account is the same in the certificate. B. The Subject Key Identifier is configured correctly. C. The client certificate is formatted as X.509 version 3. D. Validate server certificate is disabled. E. The supplicant is configured correctly. F. The client certificate has a valid expiration date.

Answer: A,C,E

Explanation:

QUESTION NO: 136 An engineer has found that many PCs on the network are still using Windows XP. What wireless security feature would be missing from the base operating system? A. WPA2 B. WEP C. MFP D. CCXv5

Answer: A

Explanation:

QUESTION NO: 137 A company has installed 27 Cisco CAS devices across their network and administration has become difficult. What Cisco NAC component could ease administration? A. CAM B. NAA C. NAC Web Agent D. Super CAM

Answer: D

Explanation:

QUESTION NO: 138 A user is connecting to the network with a wireless client using Cisco NAC. What three steps occur as part of a SSO VPN authentication process? (Choose three.) A. The client performs an 802.1X EAP authentication through the WLC to the Cisco Secure ACS. B. The client is redirected to the Cisco CAS and is presented with a web login page. C. The client is transferred to the quarantine VLAN and verified by the Cisco CAS. D. The WLC forwards a RADIUS accounting start record to the Cisco CAM. E. The Cisco CAS queries the Cisco CAM to verify the user is on the list of online users. F. The Cisco CAM sends an SNMP update to the controller about the client state.

Answer: A,D,E

Explanation:

QUESTION NO: 139 A network engineer is configuring NAC out-of-band integration on the Wireless LAN Controller. What two configuration options are required? (Choose two.) A. dynamic interface tied to quarantine VLAN B. enable guest-lan nac C. AP groups D. enable NAC State E. configure quarantine VLAN on interface as 0

Answer: A,D

Explanation:

QUESTION NO: 140 An engineer is configuring NAC on a Wireless LAN Controller. What two CLI commands are required to create NAC out-of-band integration for SSID Cisco? (Choose two.) A. config interface quarantine vlan Cisco 10 B. config interface quarantine vlan Cisco 0 C. config wlan nac enable Cisco D. config guest-lan nac enable Cisco E. config wlan apgroup nac wlan Cisco F. config wlan apgroup nac guest-lan Cisco

Answer: A,C

Explanation:

QUESTION NO: 141 An engineer is troubleshooting user authentications on the Cisco CAM and is viewing the wireless clients under the discovered clients tab. What client information can be gathered from this screen? A. authentication status B. association status C. EAP type D. NAC state

Answer: B

Explanation:

QUESTION NO: 142 In what three modes of operation do Lightweight Access Points participate in Infrastructure Management Frame Protection? (Choose three.) A. local B. monitor C. FlexConnect D. Bridge E. SE-Connect F. Sniffer

Answer: A,C,D

Explanation:

QUESTION NO: 143 An engineer is configuring client MFP. What WLAN Layer 2 security must be selected to use client MFP? A. 802.1x B. Static WEP C. WPA + WPA2 D. CKIP

Answer: C

Explanation:

QUESTION NO: 144 A WLAN is configured for AAA override. Valid user authentications are failing due to a custom ACL. What are two reasons the authentication could fail? (Choose two.) A. The ACL returned does not exist on the WLC. B. The name of the ACL on the WLC is not spelled correctly. C. The interface referred to in the returned ACL does not exist on the WLC. D. The ACL returned to the WLC prevents the end user device from receiving a DHCP address. E. The ACL name attribute has not been configured on the Cisco Secure ACS

Answer: A,B

Explanation:

QUESTION NO: 145 An engineer is adding client entries with the controller addresses to ACS. What IP address format would be used to add the class C network 192.168.1.0 in a single entry? A. 192.168.1.0/24 B. 192.168.1.0 255.255.255.0 C. 192.168.1.* D. 192.168.1.0-255 E. 192.168.1.0-192.168.1.255

Answer: C

Explanation:

QUESTION NO: 146 Customer wants to configure Wireless client authentication using digital certificates with PKI. What happens after the signer encrypts the hash with the private key of the signer during the certification signature process? A. The verifier obtains the public key of the signer. B. The encrypted hash is appended to the document as the signature. C. The verifier decrypts the signature of the signer using the public key. D. The verifier makes a hash of the received document and compares it to the decrypted signature hash.

Answer: B

Explanation:

QUESTION NO: 147 An engineer needs to block SSH traffic going to the WLC, which does not originate on the management interface. Where should the ACL be applied to accomplish this with the least configuration? A. CPU B. Management interface C. WLAN interfaces D. SSID

Answer: A

Explanation:

QUESTION NO: 148 An engineer is troubleshooting the authentication interaction between a WLAN controller and the authentication server. Which two debug commands should be utilized? (Choose two.) A. debug client <MACAddress> B. debug mobility handoff enable C. debug aaa all enable D. debug pem state E. debug locp event enable

Answer: A,C

Explanation:

QUESTION NO: 149 What device will authenticate the user when a sponsor creates a guest account on the Cisco NGS? A. WLAN controller B. Cisco ACS C. Cisco NGS D. active directory server

Answer: C

Explanation:

QUESTION NO: 150 A lobby ambassador is creating guest access accounts. At which two locations can the accounts be stored? (Choose two.) A. NAC guest server B. Active directory C. WLAN controller D. WCS E. ACS

Answer: C,D

Explanation:

QUESTION NO: 151 An engineer is configuring the guest WLAN to redirect to a created login page uploaded to the controller. Which three CLI commands are required if the guest WLAN is on WLAN 2? (Choose three.) A. config wlan security web-auth enable 2 B. config wlan custom-web global enable 2 C. config wlan custom-web webauth-type customized 2 D. config wlan custom-web login-page login.html 2 E. config wlan custom-web webauth-type internal 2 F. config wlan custom-web login-page customized 2

Answer: A,C,D

Explanation:

QUESTION NO: 152 An engineer creating a configuration file to upload to a controller would like the guest WLAN to be set for L3 authentication only. What command must be included in the configuration file? A. config wlan security web-auth enable 2 B. config wlan security wpa wpa2 disable 2 C. config wlan security web-auth server-precedence 2 local radius ldap D. config wlan custom-web global enable 2

Answer: A

Explanation:

QUESTION NO: 153 An engineer is configuring the anchor controller for a guest network. What setting in the guest WLAN can be different from the foreign controllers? A. VLAN B. radio policy C. QOS setting D. WLAN advanced settings

Answer: A

Explanation:

QUESTION NO: 154 All users on one of the two guest WLANs are failing to connect after a configuration change was made to a controller. What is the cause of the outage? A. The interface or VLAN of the anchor controller and foreign controller no longer match. B. The configuration of the failing WLAN no longer matches the foreign controllers. C. The address of the NAC guest server has been changed. D. The DHCP server on the foreign controller was changed.

Answer: B

Explanation:

QUESTION NO: 155 What three items can be found on the Wireless Control System PCI DSS Compliance Report? (Choose three.) A. all authentication and encryption violations B. all ACL violations and reports C. all IDS threats D. detailed association history for clients connected to the network E. all SSIDs not using Client Exclusion F. all access points that have rogue detection enabled

Answer: A,C,D

Explanation:

QUESTION NO: 156 An engineer is segmenting WLAN traffic by security options after the client has received an IP address. Which two security options are possible? (Choose two.) A. web policy B. Cisco Key Integrity Protocol C. PSK D. 802.1x E. VPN pass-through

Answer: A,E

Explanation:

QUESTION NO: 157 An engineer is configuring 802.1x authentication on an autonomous AP. What two configuration commands must be included on the AP if the RADIUS server IP is 10.9.4.9? (Choose two.) A. radius-server host 10.9.4.9 auth-port 1812 acct-port 1813 key Cisco123 B. aaa new-model C. aaa authorization D. aaa attribute list 10.9.4.9 E. aaa group server radius 10.9.4.9

Answer: A,B

Explanation:

QUESTION NO: 158 An engineer has configured passive fallback mode for RADIUS with default timer settings. What will occur when the primary RADIUS fails then recovers? A. RADIUS requests will be sent to the secondary RADIUS server until the secondary fails to respond. B. The controller will immediately revert back after it receives a RADIUS probe from the primary server. C. After the inactive time expires the controller will send RADIUS to the primary. D. Once RADIUS probe messages determine the primary controller is active the controller will revert back to the primary RADIUS.

Answer: C

Explanation:

QUESTION NO: 159 What is the default SYSLOG level in a wireless LAN controller?
A. alert
B. notification
C. error
D. informational
E. debugging

Answer: C

Explanation:

QUESTION NO: 160 An engineer is configuring IDS signatures and sets Bcast deauth to enabled and immediately begins to see Broadcast deauthentication frame alerts. What Cisco recommended solution would resolve this issue?
A. disable Bcast deauth
B. disable Broadcast SSID on the WLAN
C. enable MFP on the WLAN
D. locate and disable the attacker

Answer: C

Explanation:

QUESTION NO: 161 Client adapters on the wireless network are locking up and a packet capture shows many management frames with no SSID element. What signature should the engineer enable for the WLC to report this issue in the future?
A. Deauth flood
B. Null probe resp 2
C. EAPOL flood
D. Wellenreiter

Answer: B

Explanation:

QUESTION NO: 162 The controller is reporting an IDS signature 'deauth flood' attack and it has been determined that the default settings are too sensitive for the environment. What signature details should be adjusted to only trigger the alert on a certain amount of client packets within a certain period of time?
A. Measurement Interval and Quiet Time
B. Signature Frequency and Signature MAC Frequency
C. Measurement Interval and Signature MAC Frequency
D. Quiet Time and Signature Frequency

Answer: C

Explanation:

QUESTION NO: 163 When creating a custom rogue classification, what three conditions would be added to alert on a specific internal SSID with more than 5 clients at -80db? (Choose three.)
A. SSID
B. RSSI
C. SNR
D. duration
E. client-count
F. managed-ssid

Answer: B,E,F

Explanation:

QUESTION NO: 164 Many users report being disconnected from the WLAN and WCS shows events for broadcast deauthentication frames. What security feature mitigates the issue?
A. WPA2
B. MFP
C. IDS
D. ACL
E. IPS

Answer: B

Explanation:

QUESTION NO: 165 An engineer enabled client exclusion in the WLAN, but still sees a client failing EAP authentication every few seconds in the log. What other setting must be enabled for the exclusion to function?
A. Excessive 802.11 Association Failures
B. Excessive 802.11 Authentication Failures
C. Excessive 802.1X Authentication Failures
D. IP Theft or IP Reuse
E. Excessive Web Authentication Failures

Answer: C

Explanation:
