Cisco Certified Internetwork Expert (CCIE) Practice Test


Enhance your networking skills with the Cisco Certified Internetwork Expert Test. Tackle challenging questions and get detailed explanations. Prepare effectively to excel in your CCIE certification exam!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!



What protocol-port pair must be allowed access through the ASA firewall when a user authenticates to a TACACS+ server that accesses Active Directory?

  1. DNS over TCP 53

  2. Global catalog over UDP 3268

  3. LDAP over UDP 389

  4. TACACS+ over TCP 49

The correct answer is: LDAP over UDP 389

The correct protocol-port pair that must be allowed access through the ASA firewall for a user authenticating to a TACACS+ server that accesses Active Directory is TACACS+ over TCP 49. TACACS+ (Terminal Access Controller Access-Control System Plus) is a protocol used for remote authentication and is specifically designed to provide centralized authentication for users who connect to network services.

When TACACS+ is used in conjunction with Active Directory to authenticate users, the communication takes place over TCP port 49. This port is designated for TACACS+ traffic, which includes both the authentication requests from the user and the responses from the TACACS+ server.

In contrast, while options like DNS, LDAP, and global catalog services are related to different aspects of network management and directory services, they do not directly pertain to TACACS+ authentication. DNS is primarily used for domain name resolution, LDAP (Lightweight Directory Access Protocol) is used for directory services over TCP or UDP port 389, and the global catalog over port 3268 is used for specific queries across multiple Active Directory domains. These services may be part of the broader context of user management but are not directly involved in the TACACS+ authentication process. Thus, TACACS+ over TCP