1 Flashcards

(100 cards)

1
Q

Which personas can a Cisco ISE node assume?

A. policy service, gatekeeping, and monitoring
B. administration, monitoring, and gatekeeping
C. administration, policy service, and monitoring
D. administration, policy service, gatekeeping
A

C. administration, policy service, and monitoring

2
Q

What occurs when a Cisco ISE distributed deployment has two nodes and the secondary node is deregistered?

A. The secondary node restarts.
B. The primary node restarts.
C. Both nodes restart.
D. The primary node becomes standalone.
A

A. The secondary node restarts.

3
Q

DRAG DROP -
Drag the steps to configure a Cisco ISE node as a primary administration node from the left into the correct order on the right.
Select and Place:

  1. Select the check box next to the current node, and then click Edit
  2. Click Save
  3. Choose Administration > System > Deployment
  4. Click Make Primary
A

3
1
4
2

4
Q

Which two features are available when the primary admin node is down and the secondary admin node has not been promoted? (Choose two.)

A. new AD user 802.1X authentication
B. hotspot
C. posture
D. guest AUP
E. BYOD
A

A. new AD user 802.1X authentication
C. posture

5
Q

Which supplicant(s) and server(s) are capable of supporting EAP-CHAINING?

A. Cisco Secure Services Client and Cisco Access Control Server
B. Cisco AnyConnect NAM and Cisco Identity Service Engine
C. Cisco AnyConnect NAM and Cisco Access Control Server
D. Windows Native Supplicant and Cisco Identity Service Engine
A

B. Cisco AnyConnect NAM and Cisco Identity Service Engine

6
Q

What is a requirement for Feed Service to work?

A. TCP port 8080 must be opened between Cisco ISE and the feed server.
B. Cisco ISE has access to an internal server to download feed update.
C. Cisco ISE has a base license.
D. Cisco ISE has Internet access to download feed update.
A

D. Cisco ISE has Internet access to download feed update.

7
Q

What is a method for transporting security group tags throughout the network?

A. by embedding the security group tag in the 802.1Q header
B. by the Security Group Tag Exchange Protocol
C. by enabling 802.1AE on every network device
D. by embedding the security group tag in the IP header
A

B. by the Security Group Tag Exchange Protocol

8
Q

An engineer is configuring a virtual Cisco ISE deployment and needs each persona to be on a different node.
Which persona should be configured with the largest amount of storage in this environment?

A. Monitoring and Troubleshooting
B. Policy Services
C. Primary Administration
D. Platform Exchange Grid
A

A. Monitoring and Troubleshooting

9
Q

In a standalone Cisco ISE deployment, which two personas are configured on a node? (Choose two.)

A. subscriber
B. primary
C. administration
D. publisher
E. policy service
A

C. administration
E. policy service

10
Q

A network engineer must enforce access control using special tags, without re-engineering the network design.
Which feature should be configured to achieve this in a scalable manner?

A. RBAC
B. dACL
C. SGT
D. VLAN
A

C. SGT

11
Q

A network engineer is configuring a network device that needs to filter traffic based on security group tags using a security policy on a routed interface.
Which command should be used to accomplish this task?

A. cts role-based policy priority-static
B. cts cache enable
C. cts authorization list
D. cts role-based enforcement
A

D. cts role-based enforcement

12
Q

In a Cisco ISE split deployment model, which load is split between the nodes?

A. log collection
B. device admission
C. AAA
D. network admission
A

C. AAA

13
Q

What is the deployment mode when two Cisco ISE nodes are configured in an environment?

A. standalone
B. distributed
C. standard
D. active
A

B. distributed

14
Q

An engineer is testing Cisco ISE policies in a lab environment with no support for a deployment server. In order to push supplicant profiles to the workstations for testing, firewall ports will need to be opened.
From which Cisco ISE persona should this traffic be originating?

A. administration
B. authentication
C. policy service
D. monitoring
A

C. policy service

15
Q

What does a fully distributed Cisco ISE deployment include?

A. PAN and MnT on the same node while PSNs are on their own dedicated nodes.
B. All Cisco ISE personas are sharing the same node.
C. All Cisco ISE personas on their own dedicated nodes.
D. PAN and PSN on the same node while MnTs are on their own dedicated nodes.
A

C. All Cisco ISE personas on their own dedicated nodes.

16
Q

An engineer is configuring 802.1X and wants it to be transparent from the users’ point of view. The implementation should provide open authentication on the switch ports while providing strong levels of security for non-authenticated devices.
Which deployment mode should be used to achieve this?

A. closed
B. high-impact
C. low-impact
D. open
A

C. low-impact

17
Q

A network administrator changed a Cisco ISE deployment from pilot to production and noticed that the JVM memory utilization increased significantly. The administrator suspects this is due to replication between the nodes.
What must be configured to minimize performance degradation?

A. Enable the endpoint attribute filter.
B. Review the profiling policies for any misconfiguration.
C. Ensure that Cisco ISE is updated with the latest profiler feed update.
D. Change the reauthentication interval.
A

A. Enable the endpoint attribute filter.

18
Q

An administrator is attempting to replace the built-in self-signed certificates on a Cisco ISE appliance. The CA is requesting some information about the appliance in order to sign the new certificate.
What must be done in order to provide the CA this information?

A. Install the Root CA and intermediate CA.
B. Generate the CSR.
C. Download the CA server certificate.
D. Download the intermediate server certificate.
A

B. Generate the CSR.

19
Q

An administrator is adding network devices for a new medical building into Cisco ISE. These devices must be in a network device group that is identifying them as Medical Switch so that the policies can be made separately for the endpoints connecting through them.
Which configuration item must be changed in the network device within Cisco ISE to accomplish this goal?

A. Change the device profile to Medical Switch.
B. Change the device type to Medical Switch.
C. Change the device location to Medical Switch.
D. Change the model name to Medical Switch.
A

B. Change the device type to Medical Switch.

20
Q

An organization wants to split their Cisco ISE deployment to separate the device administration functionalities from the main deployment. For this to work, the administrator must deregister any nodes that will become a part of the new deployment, but the button for this option is grayed out.
Which configuration is causing this behavior?

A. All of the nodes are actively being synched.
B. All of the nodes participate in the PAN auto failover.
C. One of the nodes is an active PSN.
D. One of the nodes is the Primary PAN.
A

D. One of the nodes is the Primary PAN.

21
Q

A network administrator must configure Cisco ISE Personas in the company to share session information via syslog.
Which Cisco ISE personas must be added to syslog receivers to accomplish this goal?

A. admin
B. policy services
C. monitor
D. pxGrid
A

C. monitor

22
Q

What is the maximum number of PSN nodes supported in a medium-sized deployment?

A. two
B. three
C. five
D. eight
A

C. five

23
Q

How is policy services node redundancy achieved in a deployment?

A. by creating a node group
B. by deploying both primary and secondary node
C. by enabling VIP
D. by utilizing RADIUS server list on the NAD
A

A. by creating a node group

24
Q

Which two fields are available when creating an endpoint on the context visibility page of Cisco ISE? (Choose two.)

A. Security Group Tag
B. Endpoint Family
C. Policy Assignment
D. Identity Group Assignment
E. IP Address
A

C. Policy Assignment
D. Identity Group Assignment

25
In which two ways can users and endpoints be classified for TrustSec? (Choose two.) A. VLAN B. dynamic C. QoS D. SGACL E. SXP
A. VLAN B. dynamic
26
When configuring Active Directory groups, what does the Cisco ISE use to resolve ambiguous group names? A. MIB B. SID C. MAB D. TGT
B. SID
27
Which permission is common to the Active Directory Join and Leave operations? A. Remove the Cisco ISE machine account from the domain. B. Search Active Directory to see if a Cisco ISE machine account already exists. C. Set attributes on the Cisco ISE machine account. D. Create a Cisco ISE machine account in the domain if the machine account does not already exist.
B. Search Active Directory to see if a Cisco ISE machine account already exists.
28
Which interface-level command is needed to turn on 802.1X authentication? A. dot1x system-auth-control B. dot1x pae authenticator C. aaa server radius dynamic-author D. authentication host-mode single-host
B. dot1x pae authenticator
29
Which RADIUS attribute is used to dynamically assign the Inactivity active timer for MAB users from the Cisco ISE node? A. session-timeout B. termination-action C. radius-server timeout D. idle-timeout
D. idle-timeout
30
What does the dot1x system-auth-control command do? A. globally enables 802.1x B. causes a network access switch not to track 802.1x sessions C. enables 802.1x on a network access device interface D. causes a network access switch to track 802.1x sessions
A. globally enables 802.1x
31
What should be configured on the Cisco ISE authentication policy for unknown MAC addresses/identities for successful authentication? A. continue B. pass C. drop D. reject
A. continue
32
Which command displays all 802.1X/MAB sessions that are active on the switch ports of a Cisco Catalyst switch? A. show authentication sessions interface Gi1/0/x output B. show authentication sessions C. show authentication sessions output D. show authentication sessions interface Gi 1/0/x
B. show authentication sessions
33
What are two requirements of generating a single certificate in Cisco ISE by using a certificate provisioning portal, without generating a certificate signing request? (Choose two.) A. Enter the IP address of the device. B. Enter the common name. C. Choose the hashing method. D. Locate the CSV file for the device MAC. E. Select the certificate template.
B. Enter the common name. E. Select the certificate template.
34
  Interface: GigabitEthernet2/0/36
  MAC Address: 000e.84af.59af
  Status: Authz Success
  Domain: DATA
  Oper host mode: single-host
  Authorized By: Authentication Server
  Vlan Policy: 10
  Handle: 0xE0000000
  Runnable methods list:
    Method  State
    dot1x   Authc Success
Refer to the exhibit. Which command is typed within the CLI of a switch to view the troubleshooting output? A. show authentication sessions mac 000e.84af.59af details B. show authentication registrations C. show authentication interface gigabitethernet2/0/36 D. show authentication sessions method
A. show authentication sessions mac 000e.84af.59af details
35
What gives Cisco ISE an option to scan endpoints for vulnerabilities? A. authentication policy B. authorization profile C. authentication profile D. authorization policy
B. authorization profile
36
Which two values are compared by the binary comparison function in authentication that is based on Active Directory? A. user-presented certificate and a certificate stored in Active Directory B. MS-CHAPv2 provided machine credentials and credentials stored in Active Directory C. user-presented password hash and a hash stored in Active Directory D. subject alternative name and the common name
A. user-presented certificate and a certificate stored in Active Directory
37
What happens when an internal user is configured with an external identity store for authentication, but an engineer uses the Cisco ISE admin portal to select an internal identity store as the identity source? A. Authentication is redirected to the internal identity source. B. Authentication is granted. C. Authentication fails. D. Authentication is redirected to the external identity source.
C. Authentication fails.
38
Which two actions occur when a Cisco ISE server device administrator logs in to a device? (Choose two.) A. The Cisco ISE server queries the internal identity store. B. The device queries the external identity store. C. The device queries the Cisco ISE authorization server. D. The device queries the internal identity store. E. The Cisco ISE server queries the external identity store.
A. The Cisco ISE server queries the internal identity store. E. The Cisco ISE server queries the external identity store.
39
An engineer is configuring a guest password policy and needs to ensure that the password complexity requirements are set to mitigate brute force attacks. Which two requirements should be included in this policy? (Choose two.) A. active username limit B. password expiration period C. access code control D. username expiration date E. minimum password length
B. password expiration period E. minimum password length
40
An engineer is using the low-impact mode for a phased deployment of Cisco ISE and is trying to connect to the network prior to authentication. Which access will be denied in this deployment? A. DNS B. DHCP C. EAP D. HTTP
D. HTTP
41
An administrator needs to connect ISE to Active Directory as an external authentication source and allow the proper ports through the firewall. Which two ports should be opened to accomplish this task? (Choose two.) A. TELNET: 23 B. HTTPS: 443 C. HTTP: 80 D. LDAP: 389 E. MSRPC:445
D. LDAP: 389 E. MSRPC:445
42
An engineer is implementing Cisco ISE and needs to configure 802.1X. The port settings are configured for port-based authentication. Which command should be used to complete this configuration? A. aaa authentication dot1x default group radius B. dot1x system-auth-control C. authentication port-control auto D. dot1x pae authenticator
B. dot1x system-auth-control
43
DRAG DROP - An organization wants to implement 802.1X and is debating whether to use PEAP-MSCHAPv2 or PEAP-EAP-TLS for authentication. Drag the characteristics on the left to the corresponding protocol on the right. Select and Place:
  A. uses useradmin and password for authentication
  B. uses certificate for authentication
  C. changes credentials through the admin portal
  D. supports fragmentation after the tunnel is established
  E. uses x509 format
  F. supports auto enrollment for obtaining credentials

PEAP-MSCHAPv2: A, C, D
PEAP-EAP-TLS: B, E, F
44
DRAG DROP - Match each term (AUTHENTICATOR, SUPPLICANT, AUTHENTICATOR SERVER) to its description:
  A. software on the endpoint that communicates with EAP at layer 2
  B. device that controls physical access to the network based on the endpoint authentication status
  C. device that validates the identity of the endpoint and provides results to another device

AUTHENTICATOR: B
SUPPLICANT: A
AUTHENTICATOR SERVER: C
45
A network engineer is configuring Cisco TrustSec and needs to ensure that the Security Group Tag is being transmitted between two devices. Where in the Layer 2 frame should this be verified? A. payload B. 802.1 AE header C. CMD field D. 802.1Q field
C. CMD field
46
A network administrator must configure endpoints using an 802.1X authentication method with EAP identity certificates that are provided by the Cisco ISE. When the endpoint presents the identity certificate to Cisco ISE to validate the certificate, endpoints must be authorized to connect to the network. Which EAP type must be configured by the network administrator to complete this task? A. EAP-TTLS B. EAP-TLS C. EAP-FAST D. EAP-PEAP-MSCHAPv2
B. EAP-TLS
47
An organization wants to standardize the 802.1X configuration on their switches and remove static ACLs on the switch ports while allowing Cisco ISE to communicate to the switch what access to provide. What must be configured to accomplish this task? A. dynamic access list within the authorization profile B. extended access-list on the switch for the client C. security group tag within the authorization policy D. port security on the switch based on the client's information
A. dynamic access list within the authorization profile
48
  Switch(config)# gigabitEthernet1/0/2
  Switch(config)# authentication port-control auto
  Switch(config)# authentication host-mode multi-auth
Refer to the exhibit. In which scenario does this switch configuration apply? A. when allowing a hub with multiple clients connected B. when allowing multiple IP phones to be connected C. when preventing users with hypervisor D. when bypassing IP phone authentication
A. when allowing a hub with multiple clients connected
49
  interface GigabitEthernet1/0/1
   authentication host-mode multi-auth
   authentication port-control auto
   mab
   dot1x pae authenticator
Refer to the exhibit. Which switch configuration change will allow only one voice and one data endpoint on each port? A. auto to manual B. mab to dot1x C. multi-auth to multi-domain D. multi-auth to single-auth
C. multi-auth to multi-domain
50
A network security engineer needs to configure 802.1X port authentication to allow a single host to be authenticated for data and another single host to be authenticated for voice. Which command should the engineer run on the interface to accomplish this goal? A. authentication host-mode multi-domain B. authentication host-mode single-host C. authentication host-mode multi-auth D. authentication host-mode multi-host
A. authentication host-mode multi-domain
51
An administrator connects an HP printer to a dot1x-enabled port, but the printer is not accessible. Which feature must the administrator enable to access the printer? A. change of authorization B. MAC authentication bypass C. TACACS authentication D. RADIUS authentication
B. MAC authentication bypass
52
When configuring an authorization policy, an administrator cannot see specific Active Directory groups present in their domain to be used as a policy condition. However, other groups that are in the same domain are seen. What is causing this issue? A. Cisco ISE's connection to the AD join point is failing. B. Cisco ISE only sees the built-in groups, not user created ones. C. The groups are not added to Cisco ISE under the AD join point. D. The groups are present but need to be manually typed as conditions.
C. The groups are not added to Cisco ISE under the AD join point.
53
An engineer is implementing network access control using Cisco ISE and needs to separate the traffic based on the network device ID and use the IOS device sensor capability. Which probe must be used to accomplish this task? A. NetFlow probe B. HTTP probe C. RADIUS probe D. network scan probe
C. RADIUS probe
54
What is an advantage of using EAP-TLS over EAP-MS-CHAPv2 for client authentication? A. EAP-TLS uses a username and password for authentication to enhance security, while EAP-MS-CHAPv2 does not. B. EAP-TLS uses multiple forms of authentication, while EAP-MS-CHAPv2 only uses one. C. EAP-TLS uses a device certificate for authentication to enhance security, while EAP-MS-CHAPv2 does not. D. EAP-TLS secures the exchange of credentials, while EAP-MS-CHAPv2 does not.
C. EAP-TLS uses a device certificate for authentication to enhance security, while EAP-MS-CHAPv2 does not.
55
What must be configured on the WLC to configure Central Web Authentication using Cisco ISE and a WLC? A. Use the ip access-group webauth in command. B. Use the radius-server vsa send authentication command. C. Set the NAC State option to SNMP NAC. D. Set the NAC State option to RADIUS NAC.
D. Set the NAC State option to RADIUS NAC.
56
A network administrator is configuring authorization policies in Cisco ISE. There is a requirement to use AD group assignments to control access to network resources. After a recent power failure and Cisco ISE rebooting itself, the AD group assignments no longer work. What is the cause of this issue? A. The AD join point is no longer connected. B. The certificate checks are not being conducted. C. The network devices ports are shut down. D. The AD DNS response time is slow.
A. The AD join point is no longer connected.
57
Refer to the exhibit. Which component must be configured to apply the SGACL? https://www.examtopics.com/assets/media/exam-media/04307/0003000001.png A. secure server B. host C. egress router D. ingress router
C. egress router
58
A laptop was stolen and a network engineer added it to the block list endpoint identity group. What must be done on a new Cisco ISE deployment to redirect the laptop and restrict access? A. Select DROP under If Auth fail within the authentication policy. B. Ensure that access to port 8444 is allowed within the ACL. C. Ensure that access to port 8443 is allowed within the ACL. D. Select DenyAccess within the authentication policy.
B. Ensure that access to port 8444 is allowed within the ACL.
59
When creating a policy within Cisco ISE for network access control, the administrator wants to allow different access restrictions based upon the wireless SSID to which the device is connecting. Which policy condition must be used in order to accomplish this? A. Network Access NetworkDeviceName CONTAINS B. DEVICE Device Type CONTAINS C. Airespace Airespace-Wlan-Id CONTAINS D. Radius Called-Station-ID CONTAINS
D. Radius Called-Station-ID CONTAINS
60
A company manager is hosting a conference. Conference participants must connect to an open guest SSID and only use a preassigned code that they enter into the guest portal prior to gaining access to the network. How should the manager configure Cisco ISE to accomplish this goal? A. Create logins for each participant to give them sponsored access. B. Create entries in the guest identity group for all participants. C. Create an access code to be entered in the AUP mode. D. Create a registration code to be entered on the portal splash page.
C. Create an access code to be entered in the AUP mode.
61
An organization has a fully distributed Cisco ISE deployment. When implementing probes, an administrator must scan for unknown endpoints to learn the IP-to-MAC address bindings. The scan is complete on one PSN, but the information is not available on the others. What must be done to make the information available? A. Cisco ISE must be configured to learn the IP-MAC binding of unknown endpoints via RADIUS authentication, not via scanning. B. Cisco ISE must learn the IP-MAC binding of unknown endpoints via DHCP profiling, not via scanning. C. Scanning must be initiated from the MnT node to centrally gather the information. D. Scanning must be initiated from the PSN that last authenticated the endpoint.
D. Scanning must be initiated from the PSN that last authenticated the endpoint.
62
An administrator is configuring a switch port for use with 802.1X. What must be done so that the port will allow voice and multiple data endpoints? A. Connect a hub to the switch port to allow multiple devices access after authentication. B. Configure the port with the authentication host-mode multi-auth command. C. Connect the data devices to the port, then attach the phone behind them. D. Use the command authentication host-mode multi-domain on the port.
B. Configure the port with the authentication host-mode multi-auth command.
63
An administrator is troubleshooting an endpoint that is supposed to bypass 802.1X and use MAB. The endpoint is bypassing 802.1X and successfully getting network access using MAB, however the endpoint cannot communicate because it cannot obtain an IP address. What is the problem? A. The endpoint is using the wrong protocol to authenticate with Cisco ISE. B. The 802.1X timeout period is too long. C. The DHCP probe for Cisco ISE is not working as expected. D. An ACL on the port is blocking HTTP traffic.
B. The 802.1X timeout period is too long.
64
A Cisco ISE administrator must restrict specific endpoints from accessing the network while in closed mode. The requirement is to have Cisco ISE centrally store the endpoints to restrict access from. What must be done to accomplish this task? A. Create a profiling policy for each endpoint with the cdpCacheDeviceId attribute. B. Create a logical profile for each device's profile policy and block that via authorization policies. C. Add each MAC address manually to a blocklist identity group and create a policy denying access. D. Add each IP address to a policy denying access.
C. Add each MAC address manually to a blocklist identity group and create a policy denying access.
65
An engineer is using profiling to determine what access an endpoint must receive. After configuring both Cisco ISE and the network devices for 802.1X and profiling, the endpoints do not profile prior to authentication. What are two reasons this is happening? (Choose two.) A. Closed mode is restricting the collection of the attributes prior to authentication. B. The HTTP probe is malfunctioning due to closed mode being enabled. C. The SNMP probe is not enabled. D. NetFlow is not enabled on the switch, so the attributes will not be collected. E. The switch is collecting the attributes via RADIUS but the probes are not sending them.
A. Closed mode is restricting the collection of the attributes prior to authentication. E. The switch is collecting the attributes via RADIUS but the probes are not sending them.
66
Which two external identity stores support EAP-TLS and PEAP-TLS? (Choose two.) A. RSA SecurID B. RADIUS Token C. Active Directory D. Internal Database E. LDAP
C. Active Directory E. LDAP
67
An engineer deploys Cisco ISE and must configure Active Directory to then use information from Active Directory in an authorization policy. Which two components must be configured, in addition to Active Directory groups, to achieve this goal? (Choose two.) A. Identity Source Sequences B. LDAP External Identity Sources C. Active Directory External Identity Sources D. Library Condition for Identity Group: User Identity Group E. Library Condition for External Identity: External Groups
C. Active Directory External Identity Sources E. Library Condition for External Identity: External Groups
68
Which deployment mode allows for one or more policy service nodes to be used for session failover? A. centralized B. secondary C. standalone D. distributed
D. distributed
69
A network administrator has just added a front desk receptionist account to the Cisco ISE Guest Service sponsor group. Using the Cisco ISE Guest Sponsor Portal, which guest services can the receptionist provide? A. Keep track of guest user activities. B. Create and manage guest user accounts. C. Configure authorization settings for guest users. D. Authenticate guest users to Cisco ISE.
B. Create and manage guest user accounts.
70
What is needed to configure wireless guest access on the network? A. endpoint already profiled in ISE B. WEBAUTH ACL for redirection C. Captive Portal Bypass turned on D. valid user account in Active Directory
B. WEBAUTH ACL for redirection
71
Which two methods should a sponsor select to create bulk guest accounts from the sponsor portal? (Choose two.) A. Known B. Monthly C. Daily D. Imported E. Random
D. Imported E. Random
72
What is a valid guest portal type? A. Sponsor B. Sponsored-Guest C. Captive-Guest D. My Devices
B. Sponsored-Guest
73
What is the purpose of the ip http server command on a switch? A. It enables the https server for users for web authentication. B. It enables dot1x authentication on the switch. C. It enables MAB authentication on the switch. D. It enables the switch to redirect users for web authentication.
D. It enables the switch to redirect users for web authentication.
74
Which advanced option within a WLAN must be enabled to trigger Central Web Authentication for Wireless users on AireOS controller? A. DHCP server B. override Interface ACL C. static IP tunneling D. AAA override
D. AAA override
75
Which configuration is required in the Cisco ISE authentication policy to allow Central Web Authentication? A. MAB and if user not found, continue B. MAB and if authentication failed, continue C. Dot1x and if authentication failed, continue D. Dot1x and if user not found, continue
A. MAB and if user not found, continue
76
An engineer is configuring web authentication using non-standard ports and needs the switch to redirect traffic to the correct port. Which command should be used to accomplish this task? A. permit tcp any any eq B. ip http port C. aaa group server radius D. aaa group server radius proxy
A. permit tcp any any eq
77
An engineer is using Cisco ISE and configuring guest services to allow wireless devices to access the network. Which action accomplishes this task? A. Create the redirect ACL on Cisco ISE and add it to the Cisco ISE Policy. B. Create the redirect ACL on the WLC and add it to the WLC policy. C. Create the redirect ACL on Cisco ISE and add it to the WLC policy. D. Create the redirect ACL on the WLC and add it to the Cisco ISE policy.
D. Create the redirect ACL on the WLC and add it to the Cisco ISE policy.
78
An engineer is configuring web authentication and needs to allow specific protocols to permit DNS traffic. Which type of access list should be used for this configuration? A. extended ACL B. reflexive ACL C. numbered ACL D. standard ACL
A. extended ACL
79
An administrator is adding a switch to a network that is running Cisco ISE and is only for IP Phones. The phones do not have the ability to authenticate via 802.1X. Which command is needed on each switch port for authentication? A. dot1x system-auth-control B. enable bypass-MAC C. enable network-authentication D. mab
D. mab
80
A network engineer needs to ensure that the access credentials are not exposed during the 802.1X authentication among components. Which two protocols should be configured to accomplish this task? (Choose two.) A. PEAP B. EAP-TLS C. EAP-MD5 D. EAP-TTLS E. LEAP
A. PEAP B. EAP-TLS
81
A network engineer is configuring guest access and notices that when a guest user registers a second device for access, the first device loses access. What must be done to ensure that both devices for a particular user are able to access the guest network simultaneously? A. Use a custom portal to increase the number of logins. B. Create an Adaptive Network Control policy to increase the number of devices. C. Modify the guest type to increase the number of maximum devices. D. Configure the sponsor group to increase the number of logins.
C. Modify the guest type to increase the number of maximum devices.
82
Q

A Cisco ISE administrator needs to ensure that guest endpoint registrations are only valid for 1 day. When testing the guest policy flow, the administrator sees that the Cisco ISE does not delete the endpoint in the GuestEndpoints identity store after 1 day and allows access to the guest network after that period. Which configuration is causing this problem?

A. The Guest Account Purge Policy is set to 15 days.
B. The length of access is set to 7 days in the Guest Portal Settings.
C. The Endpoint Purge Policy is set to 30 days for guest devices.
D. The RADIUS policy set for guest access is set to allow repeated authentication of the same device.
A

C. The Endpoint Purge Policy is set to 30 days for guest devices.
83
Q

A network administrator is setting up wireless guest access and has been unsuccessful in testing client access. The endpoint is able to connect to the SSID but is unable to gain access to the guest network through the guest portal. What must be done to identify the problem?

A. Use traceroute to ensure connectivity.
B. Use context visibility to verify posture status.
C. Use the identity group to validate the authorization rules.
D. Use the endpoint ID to execute a session trace.
A

D. Use the endpoint ID to execute a session trace.
84
Q

An organization is hosting a conference and must make guest accounts for several of the speakers attending. The conference ended two days early but the guest accounts are still being used to access the network. What must be configured to correct this?

A. Create an authorization rule denying sponsored guest access.
B. Create an authorization rule denying guest access.
C. Navigate to the Guest Portal and delete the guest accounts.
D. Navigate to the Sponsor Portal and suspend the guest accounts.
A

D. Navigate to the Sponsor Portal and suspend the guest accounts.
85
Q

An organization is migrating its current guest network to Cisco ISE and has 1000 guest users in the current database. There are no resources to enter this information into the Cisco ISE database manually. What must be done to accomplish this task efficiently?

A. Use an XML file to change the existing format to match that of Cisco ISE.
B. Use a CSV file to import the guest accounts.
C. Use a JSON file to automate the migration of guest accounts.
D. Use SQL to link the existing database to Cisco ISE.
A

B. Use a CSV file to import the guest accounts.
86
Q

A customer wants to set up the Sponsor portal and delegate the authentication flow to a third party for added security while using Kerberos. Which database should be used to accomplish this goal?

A. local database
B. LDAP
C. RSA Token Server
D. Active Directory
A

D. Active Directory
87
Q

Which two default guest portals are available with Cisco ISE? (Choose two.)

A. WiFi-access
B. self-registered
C. central web authentication
D. visitor
E. sponsored
A

B. self-registered
E. sponsored
88
Q

What is the minimum certainty factor when creating a profiler policy?

A. the minimum number that a predefined condition provides
B. the maximum number that a predefined condition provides
C. the minimum number that a device certainty factor must reach to become a member of the profile
D. the maximum number that a device certainty factor must reach to become a member of the profile
A

C. the minimum number that a device certainty factor must reach to become a member of the profile
89
Q

What sends the redirect ACL that is configured in the authorization profile back to the Cisco WLC?

A. State attribute
B. Class attribute
C. Event
D. Cisco-av-pair
A

D. Cisco-av-pair
90
Q

Which profiling probe collects the user-agent string?

A. DHCP
B. HTTP
C. NMAP
D. AD
A

B. HTTP
91
Q

Which use case validates a change of authorization?

A. An endpoint that is disconnected from the network is discovered.
B. Endpoints are created through device registration for the guests.
C. An endpoint profiling policy is changed for authorization policy.
D. An authenticated, wired EAP-capable endpoint is discovered.
A

C. An endpoint profiling policy is changed for authorization policy.
92
Q

Which default endpoint identity group does an endpoint that does not match any profile in Cisco ISE become a member of?

A. block list
B. unknown
C. allow list
D. profiled
E. endpoint
A

B. unknown
93
Q

What service can be enabled on the Cisco ISE node to identify the types of devices connecting to a network?

A. profiling
B. central web authentication
C. MAB
D. posture
A

A. profiling
94
Q

Which two probes must be enabled for the ARP cache to function in the Cisco ISE profiling service so that a user can reliably bind the IP addresses and MAC addresses of endpoints? (Choose two.)

A. SNMP
B. HTTP
C. RADIUS
D. DHCP
E. NetFlow
A

C. RADIUS
D. DHCP
95
Q

Which two events trigger a CoA for an endpoint when CoA is enabled globally for ReAuth? (Choose two.)

A. addition of endpoint to My Devices Portal
B. endpoint marked as lost in My Devices Portal
C. updating of endpoint dACL
D. endpoint profile transition from Apple-device to Apple-iPhone
E. endpoint profile transition from Unknown to Windows10-Workstation
A

D. endpoint profile transition from Apple-device to Apple-iPhone
E. endpoint profile transition from Unknown to Windows10-Workstation
96
Q

Which two ports do network devices typically use for CoA? (Choose two.)

A. 19005
B. 443
C. 3799
D. 8080
E. 1700
A

C. 3799
E. 1700
97
Q

Which three default endpoint identity groups does Cisco ISE create? (Choose three.)

A. endpoint
B. unknown
C. block list
D. profiled
E. allow list
A

B. unknown
C. block list
D. profiled
98
Q

An engineer is working with a distributed deployment of Cisco ISE and needs to configure various network probes to collect a set of attributes from the endpoints on the network. Which node should be used to accomplish this task?

A. policy service
B. monitoring
C. primary policy administrator
D. pxGrid
A

C. primary policy administrator
99
Q

An engineer is configuring Cisco ISE to reprofile endpoints based only on new requests of INIT-REBOOT and SELECTING message types. Which probe should be used to accomplish this task?

A. DHCP
B. DNS
C. NMAP
D. RADIUS
A

A. DHCP
100
Q

An engineer is configuring Cisco ISE and needs to dynamically identify the network endpoints and ensure that endpoint access is protected. Which service should be used to accomplish this task?

A. guest access
B. profiling
C. posture
D. client provisioning
A

B. profiling