
CCIE Security v5 - Diagnostics - Question and Solution - D 1 - Final Release - 05-Jan-2018

The document outlines the policies of Pass Security Labs, which provides practice workbooks and labs for the Cisco CCIE certification. Key points include: - Workbooks are mapped to specific devices and cannot be shared or printed. - Accounts provide free updates for 90 days, then must be renewed. Renewal costs increase after 90 days. - Strict policies prohibit sharing workbooks with others or the account will be banned. - Support is provided via email and Skype, with a 24 hour response time. - The workbooks use secured PDF format and are delivered by email. Licensing allows use on one device only.

Uploaded by Rogue Root

www.passsecuritylabs.com Final Release D 1: 05-Jan-2018

Diagnostics Lab
D1
Real Labs
v5

www.passsecuritylabs.com

www.passseclabs.com 1 www.ccieseclabs.com

Pass Security Labs Policies:

1. We highly discourage sharing of the workbook, hence the workbooks are mapped to the Laptop/Desktop MAC address. If one tries to open the workbook on a desktop or laptop other than the one with the registered MAC address, the account will get locked and we will not unlock it for any reason.

2. The workbook does not have print access; kindly do not request that print access be enabled.

3. One will be provided with free updates for up to 90 days from the date of purchase; after that, one needs to renew the account to access the latest update. After 90 days the workbooks will cease to open.

4. If one wishes to renew the subscription/account, one needs to renew within 90 days or before the account expires. After 90 days one can still renew the account; however, the renewal will be considered as a new purchase. Hence we encourage renewing within 90 days of the purchase.

5. The renewal cost is 1999 USD if one pays within 90 days; if one fails to renew, the cost will be equivalent to a new purchase. (The renewal price can be changed at any time, without informing the client.)

6. Every workbook is uniquely identified for each user with hidden words. If one shares the workbooks with others, and if the system detects the share, the account will be banned and we will not entertain any explanation of any sort.

7. For any queries regarding Questions/Solutions, you can contact us by email at [email protected] or on Skype at cciesecuritylabs. Response time for any query is 24 hours.

8. We require a CSCO ID, CCIE number and official email ID for security purposes. One should have passed the CCIE written exam and the CCIE lab should be booked within 90 days. We do not sell without these details. We do background verification of the details provided, so we request that you give us the correct CSCO ID and official email ID.

9. The workbooks are in secured PDF format and delivered via email.

10. The license is provided for only one device. We do not provide the license again if the device crashes or because of company security policies. Please install the license on the device cautiously, as the license will not be provided again.

11. We support devices running Windows OS, Mac OS, Android and Mac iOS only.

12. We do not provide a refund in any circumstances once the product is sold.

13. This policy is in effect from 23 November 2016 and in immediate effect for new clients and new renewals. Old clients will continue with the old policies until their accounts expire.

14. If there is any update, one will receive the update automatically at the registered email ID.

15. For any future update you can check our update page on www.passsecuritylabs.com

Diagnostic Guideline

1. In total, you have 10 questions that relate to support ticket scenarios.
2. You must diagnose the problem and answer the questions.
3. You have a fixed time of 60 minutes (one hour) to complete this section.
4. Carefully read the incident stem and the question before selecting your answers.
   o For each incident, read the question, email exchange and the provided resources to identify the issue.
5. Select the answers that fulfill the requirements that are described for each incident.
6. All questions are independent from each other. In other words, the resolution of one question does not depend on the resolution of any other question.
7. Each question is worth one point.

Note:
• The final score of this section is combined with the Troubleshooting and the Configuration sections to comprise your final Pass or Fail status on the CCIE Security Lab exam.
• The candidate is required to achieve a minimum score in all three sections of the lab exam as well as achieve a minimum overall score (sum of all three section scores) in order to pass the CCIE Security certification.

Tips and Tricks

• Use the web interface features in order to minimize scrolling when browsing between the resources provided.
   o The left menu is always visible and provides one-click access to any resource.
   o Open resources either in a popup or inline on the main web page.
• Answers are automatically recorded even if the final submit button was not hit on time.
• Carefully read the stem and all the question options before going through the resources provided.
• Understand the problems asked.
• There is only one possible solution.

Task Number 1:

Authentication issue

David from Acme Inc. has opened a service request with Cisco TAC. He describes the problem as “I am trying to authenticate a Windows 7 laptop using 802.1x against a Cisco ISE server. The laptop is connected to a Cisco 3560-X. The user resides in Active Directory. All authentication attempts are failing with a “RADIUS request dropped” error. We verified that the password is being correctly typed.”

Network diagram and email exchange between the TAC engineer and customer are provided for the analysis.

With all the information available to you, what is the cause of the authentication failure?

Select an answer:

o RADIUS shared key is incorrect
o Incompatible Switch code
o Crypto-Map not applied for site-1 on GM3
o Wrong EAP type is being used
o Encryption error between ISE and Active Directory
o Shared secret between Windows and Switch is incorrect
o UDP port 1812 is blocked between the switch and ISE

Answer: A

Task Number 2:

Redirection Issue

David from Acme Inc. has opened a service request with Cisco TAC. He describes the problem as “We are trying to implement Guest access on our switches using ISE and Central Web Authentication. We have configured ISE and the Switches according to Cisco’s guides but when the end user opens a browser, they do not get redirected to the ISE guest portal. We need help in troubleshooting this”.

Network diagram, screen shots and email exchange between the TAC engineer and customer are provided for the analysis.

With all the information available to you, what is the cause of this problem?

Select an answer:

o ISE is configured on the wrong port for the portal
o Incompatible Switch code
o The downloadable ACL does not allow traffic to UDP port 53
o URL redirect only works when the original request is to an internet site.
o The URL redirect ACL does not allow access to cisco.com
o The machine is authorized in the wrong domain

Answer: C

Task Number 3:

Authentication Issue

David from Acme Inc. has opened a service request with Cisco TAC. He describes the problem as “I am trying to authenticate a Windows 7 laptop using 802.1x against a Cisco ISE server. The laptop is connected to a Cisco 3560-X. The authentication attempts keep failing with error 5400.”

Network diagram, screen shots and email exchange between the TAC engineer and customer are provided for the analysis.

With all the information available to you, what is the cause of this problem?

Select an answer:

o Self-signed certificates cannot be used for EAP authentication
o Enable EAP-TLS on the “Default Network Access” allowed protocol object
o Dot1x priority is incorrect in switch interface configuration
o Client is rejecting the EAP protocol proposed by the ISE server
o The self-signed certificate needs to be trusted on the end point

Answer: E

Task Number 4:

Network Accessibility Issue

David from Acme Inc. has opened a service request with Cisco TAC. He describes the problem as “We are trying to implement Guest access on our switches using ISE and Central Web Authentication. We have configured ISE and the Switches according to Cisco’s guides but even after a successful authentication, the guest user is redirected back again and again to the guest portal page. They do not get access to the network.”

Network diagram, screen shots and email exchange between the TAC engineer and customer are provided for the analysis.

With all the information available to you, what is the cause of this problem?

Select an answer:

o Switch is not able to accept new policies due to a defect.
o Guest credentials are incorrect
o The guest account is set to activate at a later date and time
o The switch is not configured to accept RADIUS CoA message from ISE
o Wrong authorization result is applied to guest authorization policy

Answer: E

Task Number 5:

Profiling issue

David from Acme Inc. has opened a service request with Cisco TAC. He describes the problem as “We are trying to implement profiling so as to use its results as a means to authorize devices. For testing, we are using a Windows 7 laptop and ISE is not able to profile it as such. The device shows up as an intel-device instead of a Windows 7 Workstation”.

Network diagram, screen shots and email exchange between the TAC engineer and customer are provided for the analysis.

With all the information available to you, what is the cause of this problem?

Select an answer:

o Not enough probes have been enabled to profile a Windows machine
o ISE’s IP address is missing under VLAN1 as an ip helper-address
o Feed service has corrupted the profiling policies
o Device sensor configuration is incomplete
o User needs to be redirected to guest portal to profile correctly

Answer: A

Task Number 6:

Command Authorization issue

David from Acme Inc. has opened a service request with Cisco TAC. He describes the problem as “We are trying to implement TACACS authentication and command authorization on our Cisco switches with Cisco ISE as the server. We have configured ISE and the switch as per the user guide but we are having problems with command authorization. All authorized users should be able to use any show command but they are not able to”.

Network diagram, screen shots and email exchange between the TAC engineer and customer are provided for the analysis.

With all the information available to you, what is the cause of this problem?

Select an answer:

o “Permit any command that is not listed below” should be enabled on the command set
o “Auto Command” should be set to “show” in the TACACS profile
o The user is authorized at privilege level 5 where show commands are not available
o The implicit deny in the default authorization rule is causing command authorization failure
o Command set has wrong argument for the show command

Answer: E

Task Number 7:

Performance issue

Johnny X from CustomerNet Inc. has opened a service request with Cisco TAC. He describes the problem as “intermittent performance issue when users are trying to access the internet through WSA”.

Network diagram, screen shots and email exchange between the TAC engineer and customer are provided for the analysis.

With all the information available to you, what is the cause of this problem?

Select an answer:

o Destination server is responding slower than usual
o One of the DNS servers might be root cause of the issue
o Network issues, and disabled PMTU discovery
o Too many requests per second (overloaded appliance)
o Chrome browser usage influences the performance, change the browser and test again
o L4 traffic monitoring feature is on and causing the performance issues

Answer: F

Task Number 8:

Access issue

Johnny X from CustomerNet Inc. has opened a service request with Cisco TAC. He describes the problem as “intermittent issues with access to specific HTTPS sites”.

Network diagram and email exchange between the TAC engineer and customer are provided for the analysis.

With all the information available to you, what is the cause of the authentication failure?

Select an answer:

o Test using openssl tool from other client, issue might be because site uses SSL v3 protocol only, and client tries to negotiate using TLS 1.2.
o Disable upstream proxy and try if the site works again
o One of the DNS servers might be root cause of the issue
o Test and check if server name extensions is enabled on WSA
o Test with another browser, and collect the logs again
o Configure default decryption policy pass-through affected sites
o Make sure to export WSA’s ROOT CA certificate and import it to test PCs Trusted Root Certificate Authorities store
o Configure default access policy pass-through affected sites

Answer: F

Task Number 9:

WSA TLS Decryption Issue

Johnny X from CustomerNet Inc. has opened a service request with Cisco TAC. He describes the problem as “Unable to access a website”.

Network diagram, screen shots and email exchange between the TAC engineer and customer are provided for the analysis.

With all the information available to you, what is the cause of this problem?

Select an answer:

o It seems to be a browser error as this Cipher is not supported in the browser of the client. Try another browser
o TLS 1.2 is not supported on the Server and needs to be disabled so we can fall back to TLS 1.0
o The intermediate certificate is not sent by the server and needs to be imported
o When establishing the connection, the “SEED-SHA” cipher needs to be enabled on the appliance
o Destination server requires a client certificate.

Answer: C

Task Number 10:

ESA Rejecting Emails

Johnny X from CustomerNet Inc. has opened a service request with Cisco TAC. He describes the problem as “External senders are not able to send emails”.

Network diagram, outputs and email exchange between the TAC engineer and customer are provided for the analysis.

With all the information available to you, what is most likely to be the root cause of the ESA rejecting many senders?

Select an answer:

o The Default parameter for concurrent connections is very low with a value of “10”. Increase this value to “100”
o The email contains Malware and the Outbreakfilter is putting it in Quarantine
o The email contains a malicious URL and is blocked by a Contentfilter named: “CFDefangMaliciousUrls”
o The Sender needs to be resolvable via DNS and this is not the case. Check your DNS server
o Senderbase was never contacted and therefore, the Reputation Filtering is causing issues.
o The sbrs score of “none” is included in the “BLACKLIST”. Remove this setting and add the sbrs score of “none” to the SUSPECTLIST.

Answer: F


THANKS FOR USING www.passsecuritylabs.com WORKBOOKS

