Question

1. Describe the different functions of a RADIUS server?

2. Describe how we use Network Policies?

3. Describe how we use the different NAS type?

4. Describe the different templates with the RADUIS server?

5. What’s the most secure NAP enforcement method?

6. What is the wdsnbp.com file?

Answer 1

A). RADIUS consists of computer user authentication, authorization, and accounting. RADIUS server performs a number of useful services. For example: Authentication, Authorization, and Accounting collectively called AAA.

1. Enhanced security when implemented properly.
2. Enhanced reporting and tracking based on client usernames, even more so when tied into a Lightweight Directory Access Protocol (LDAP) back end such as Active Directory.
3. Ability to direct user groups into a User Profile based on LDAP membership and/or RADIUS attributes. This allows you to place restrictions on specific classes of users.
4. When a user authenticates to a service set identifier (SSID) using RADIUS, that individual session is encrypted uniquely between the user and access point. This means that another user connected to the same SSID cannot sniff the traffic and acquire information because they will have a different encryption key for their connection. With a Pre-shared key (PSK) network, every device connected to the access point is on a “shared encryption” connection so they can all see each other’s traffic if they choose to do so.
5. If you need to de-authorize a particular user or device, having RADIUS makes this much easier because you disconnect a single user or device without having to change the key for everyone or allow that potential security risk of that user re-joining the network with the known access key.
6. You can assign network permissions such as VLAN, firewall policy (including application permissions), Quality of Service (QoS) settings, tunneling policies, schedules — everything within a user profile can be dynamically assigned to users based on their identity. With a pre-shared key, you only get a single user profile that everyone shares. You can assign different permissions based on the attribute returned from the RADIUS server.

B) Network policies are Kubernetes resources that control the traffic between pods and/or network endpoints. They uses labels to select pods and specify the traffic that is directed toward those pods using rules. Most CNI plugins support the implementation of network policies, however, if they don’t and we create a NetworkPolicy, then that resource will be ignored.

The most popular CNI plugins with network policy support are:

• Weave
• Calico
• Cilium
• Kube-router
• Romana

C) NAS is a file-level data storage device attached to an TCP/IP network, usually Ethernet. It typically uses NFS or CIFS protocols, although other choices like HTTP are available. NAS appears to the operating system as a shared folder. Employees access files from the NAS like they do any other file on the network.

D) The RADIUS server template specifies IP addresses, port numbers, and shared key for RADIUS servers. Other parameters such as the format of RADIUS user names, traffic unit, and number of times RADIUS request packets can be retransmitted have default settings and can be modified as required.

Procedure

1. Run system-view

The system view is displayed.

2. Run radius-server template template-name

The RADIUS server template view is displayed.

By default, a RADIUS server template named default is available on the device. The template can be modified but cannot be deleted.

3. Configure RADIUS authentication and accounting servers.

Configuration	Command	Description
Configure RADIUS authentication servers.	radius-server authentication ipv4-address port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ipv4-address | vlanif interface-number } | weight weight-value ] * or radius-server authentication ipv6-address port [ source { loopback interface-number | ip-address ipv6-address | vlanif interface-number } | weight weight-value ] *	By default, no RADIUS authentication server is configured.
Configure RADIUS accounting servers.	radius-server accounting ipv4-address port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ipv4-address | vlanif interface-number } | weight weight-value ] * or radius-server accounting ipv6-address port [ source { loopback interface-number | ip-address ipv6-address | vlanif interface-number } | weight weight-value ] *	By default, no RADIUS accounting server is configured.
(Optional) Specify the algorithm for RADIUS server selection.	radius-server algorithm { loading-share | master-backup } [ based-user ]	The default algorithm is master-backup. If the master-backup algorithm is used, the primary and secondary RADIUS authentication or accounting servers are selected based on their weight values. The primary RADIUS server has a higher weight value. If two RADIUS servers have the same weight value, the first configured one is the primary server.

4. Set parameters for interconnection between the device and a RADIUS server.

5.Set the shared key for the RADIUS server.

Procedure	Command	Description
Set the shared key for the RADIUS server.	System view	Return to the system view.	quit	-
Set the shared key for the RADIUS server.	radius-server ip-address { ipv4-address | ipv6-address } shared-key cipher key-string	By default, no global shared key is set for RADIUS servers. If the shared key for the RADIUS server is different from that set on the device, perform this step. When shared keys are set in both the RADIUS server template and system view, the shared key set in the system view takes effect.
Enter the RADIUS server template view.	radius-server template template-name	-
RADIUS server template view	radius-server shared-key cipher key-string	By default, no shared key is set for the RADIUS server. The shared key set on the device must be the same as that set for the RADIUS server.

E) IPsec enforcement is the most secure NAP enforcement method

F) Wdsnbp.com validates the DHCP/PXE response packet and proceeds to download PXEBoot.com.

Thank You........!