2 Flashcards

(100 cards)

1
Q

An administrator for a small network is configuring Cisco ISE to provide dynamic network access to users. Management needs Cisco ISE to not automatically trigger a CoA whenever a profile change is detected. Instead, the administrator needs to verify the new profile and manually trigger a CoA.
What must be configured in the profiler to accomplish this goal?

A. Session Query
B. No CoA
C. Reauth
D. Port Bounce
A

B. No CoA

2
Q

A Cisco ISE server sends a CoA to a NAD after a user logs in successfully using CWA.
Which action does the CoA perform?

A. It terminates the client session.
B. It applies the downloadable ACL provided in the CoA.
C. It triggers the NAD to reauthenticate the client.
D. It applies new permissions provided in the CoA to the client session.

A

C. It triggers the NAD to reauthenticate the client.

3
Q

A new employee just connected their workstation to a Cisco IP phone. The network administrator wants to ensure that the Cisco IP phone remains online when the user disconnects their workstation from the corporate network.
Which CoA configuration meets this requirement?

A. Reauth
B. Disconnect
C. No CoA
D. Port Bounce
A

A. Reauth

4
Q

An organization is adding new profiling probes to the system to improve profiling on Cisco ISE. The probes must support a common network management protocol to receive information about the endpoints and the ports to which they are connected.
What must be configured on the network device to accomplish this goal?

A. ICMP
B. WCCP
C. ARP
D. SNMP
A

D. SNMP

5
Q

An administrator is trying to collect metadata information about the traffic going across the network to gain added visibility into the hosts. This information will be used to create profiling policies for devices using Cisco ISE so that network access policies can be used.
What must be done to accomplish this task?

A. Configure the DHCP probe within Cisco ISE.
B. Configure NetFlow to be sent to the Cisco ISE appliance.
C. Configure the RADIUS profiling probe within Cisco ISE.
D. Configure SNMP to be used with the Cisco ISE appliance.

A

B. Configure NetFlow to be sent to the Cisco ISE appliance.

6
Q

There are several devices on a network that are considered critical and need to be placed into the ISE database and a policy used for them. The organization does not want to use profiling.
What must be done to accomplish this goal?

A. Enter the MAC address in the correct Endpoint Identity Group.
B. Enter the IP address in the correct Endpoint Identity Group.
C. Enter the IP address in the correct Logical Profile.
D. Enter the MAC address in the correct Logical Profile.

A

A. Enter the MAC address in the correct Endpoint Identity Group.

7
Q

An administrator is configuring a new profiling policy within Cisco ISE. The organization has several endpoints that are the same device type, and all have the same Block ID in their MAC address. The profiler does not currently have a profiling policy that categorizes these endpoints, so a custom profiling policy must be created.
Which condition must the administrator use in order to properly profile an ACME AI Connector endpoint for network access with MAC address 01:41:14:65:50:AB?

A. CDP_cdpCacheDeviceID_CONTAINS_<MAC>
B. MAC_MACAddress_CONTAINS_<MAC>
C. Radius_Called_Station-ID_STARTSWITH_<MAC>
D. MAC_OUI_STARTSWITH_<MAC>

A

D. MAC_OUI_STARTSWITH_<MAC>
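An added Python example, not part of this deck, to illustrate cards 6 and 7: it normalizes the MAC formats a practitioner meets (ISE context visibility, IOS `show mac address-table`, Windows `ipconfig /all`), extracts the OUI, and applies the STARTSWITH and CONTAINS operators the way the profiler conditions above use them. The endpoint list and the block ID are constructed sample data; `is_unicast` is an extra check of my own, not an ISE condition.

```python
import re

# Constructed sample endpoints: three devices from the card's 01:41:14 block
# written the way different tools print MACs, plus one from another block.
SAMPLE_ENDPOINTS = [
    "01:41:14:65:50:AB",   # ISE context visibility (upper-case, colon)
    "0141.1465.50ac",      # IOS "show mac address-table" (dotted)
    "01-41-14-65-50-AD",   # Windows "ipconfig /all" (dash)
    "00:1B:D4:12:34:56",   # different block, must not match
]

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def _hex_digits(mac: str) -> str:
    """Strip separators and upper-case the hex digits."""
    return re.sub(r"[^0-9A-Fa-f]", "", mac).upper()


def normalize_mac(mac: str) -> str:
    """Return the MAC in the form ISE stores it: upper-case, colon-separated."""
    digits = _hex_digits(mac)
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_oui(mac: str) -> str:
    """First three octets (the IEEE block ID), the value behind MAC_OUI."""
    return normalize_mac(mac)[:8]


def mac_oui_startswith(mac: str, block_id: str) -> bool:
    """ISE condition MAC_OUI STARTSWITH <block_id>; a partial prefix is allowed."""
    prefix = _hex_digits(block_id)
    if not 1 <= len(prefix) <= 6:
        raise ValueError("block ID must be 1 to 6 hex digits (up to 3 octets)")
    return _hex_digits(mac)[:6].startswith(prefix)


def mac_address_contains(mac: str, fragment: str) -> bool:
    """ISE condition MAC_MACAddress CONTAINS <fragment>: matches anywhere in the MAC."""
    return _hex_digits(fragment) in _hex_digits(mac)


def is_unicast(mac: str) -> bool:
    """I/G bit (LSB of the first octet) clear means an individual address.
    0x01 has it set, so the card's example MAC is technically a group address."""
    return int(_hex_digits(mac)[:2], 16) & 1 == 0


def endpoints_in_block(endpoints, block_id: str) -> list:
    """Endpoints a custom profiling policy keyed on the block ID would catch."""
    return [normalize_mac(m) for m in endpoints if mac_oui_startswith(m, block_id)]


if __name__ == "__main__":
    print(endpoints_in_block(SAMPLE_ENDPOINTS, "01:41:14"))
```

A condition on the full MAC (MAC_MACAddress CONTAINS 01:41:14:65:50:AB) would match exactly one endpoint; STARTSWITH on the OUI matches every device from the block, which is what the card is asking for.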

8
Q

Users in an organization report issues about having to remember multiple usernames and passwords. The network administrator wants the existing Cisco ISE deployment to utilize an external identity source to alleviate this issue.
Which two requirements must be met to implement this change? (Choose two.)

A. Establish access to one Global Catalog server
B. Ensure that the NAT address is properly configured
C. Provide domain administrator access to Active Directory
D. Configure a secure LDAP connection
E. Enable IPC access over port 80

A

A. Establish access to one Global Catalog server
C. Provide domain administrator access to Active Directory

9
Q

What should be considered when configuring certificates for BYOD?

A. The SAN field is populated with the end user name.
B. The CN field is populated with the endpoint host name.
C. An endpoint certificate is mandatory for the Cisco ISE BYOD.
D. An Android endpoint uses EST, whereas other operating systems use SCEP for enrollment.

A

B. The CN field is populated with the endpoint host name.

10
Q

During BYOD flow, where does a Microsoft Windows PC download the Network Setup Assistant?

A. Microsoft App Store
B. Cisco App Store
C. Cisco ISE directly
D. Native OTA functionality

A

C. Cisco ISE directly

11
Q

What allows an endpoint to obtain a digital certificate from Cisco ISE during a BYOD flow?

A. Application Visibility and Control
B. Supplicant Provisioning Wizard
C. My Devices Portal
D. Network Access Control

A

B. Supplicant Provisioning Wizard

12
Q

Which protocol must be allowed for a BYOD device to access the BYOD portal?

A. HTTPS
B. HTTP
C. SSH
D. SMTP

A

A. HTTPS

13
Q

Which two components are required for creating a Native Supplicant Profile within a BYOD flow? (Choose two.)

A. Redirect ACL
B. Connection Type
C. Operating System
D. Windows Settings
E. iOS Settings

A

B. Connection Type
C. Operating System

14
Q

If a user reports a device lost or stolen, which portal should be used to prevent the device from accessing the network while still providing information about why the device is blocked?

A. Client Provisioning
B. BYOD
C. Guest
D. Block list

A

D. Block list

15
Q

An engineer is configuring a dedicated SSID for onboarding devices.
Which SSID type accomplishes this configuration?

A. hidden
B. guest
C. dual
D. broadcast

A

B. guest

16
Q

An engineer is designing a BYOD environment utilizing Cisco ISE for devices that do not support native supplicants.
Which portal must the security engineer configure to accomplish this task?

A. BYOD
B. Client Provisioning
C. My Devices
D. MDM

A

C. My Devices

17
Q

An employee logs on to the My Devices portal and marks a currently onboarded device as Lost.
Which two actions occur within Cisco ISE as a result of this action? (Choose two.)

A. BYOD Registration status is updated to No.
B. BYOD Registration status is updated to Unknown.
C. The device access has been denied.
D. Certificates provisioned to the device are not revoked.
E. The device status is updated to Stolen.

A

C. The device access has been denied.
D. Certificates provisioned to the device are not revoked.

18
Q

A network administrator is configuring a secondary Cisco ISE node from the backup configuration of the primary Cisco ISE node to create a high availability pair.
The Cisco ISE CA certificates and keys must be manually backed up from the primary Cisco ISE and copied into the secondary Cisco ISE.
Which command must be issued for this to work?

A. copy certificate ise
B. certificate configure ise
C. import certificate ise
D. application configure ise

A

D. application configure ise

19
Q

A network engineer has been tasked with enabling a switch to support standard web authentication for Cisco ISE. This must include the ability to provision for URL redirection on authentication.
Which two commands must be entered to meet this requirement? (Choose two.)

A. ip http secure-server
B. ip http authentication
C. ip http server
D. ip http redirection
E. ip http secure-authentication

A

A. ip http secure-server
C. ip http server

20
Q

A network administrator notices that after a company-wide shut down, many users cannot connect their laptops to the corporate SSID.
What must be done to permit access in a timely manner?

A. Connect this system as a guest user and then redirect the web auth protocol to log in to the network.
B. Allow authentication for expired certificates within the EAP-TLS section under the allowed protocols.
C. Add a certificate issue from the CA server, revoke the expired certificate, and add the new certificate in system.
D. Authenticate the user’s system to the secondary Cisco ISE node and move this user to the primary with the renewed certificate.

A

B. Allow authentication for expired certificates within the EAP-TLS section under the allowed protocols.

21
Q

Which two endpoint compliance statuses are possible? (Choose two.)

A. compliant
B. valid
C. unknown
D. known
E. invalid

A

A. compliant
C. unknown

22
Q

Which portal is used to customize the settings for a user to log in and download the compliance module?

A. Client Provisioning
B. Client Endpoint
C. Client Profiling
D. Client Guest
A

A. Client Provisioning

23
Q

Which Cisco ISE service allows an engineer to check the compliance of endpoints before connecting to the network?

A. qualys
B. posture
C. personas
D. nexpose

A

B. posture

24
Q

Which two ports must be open between Cisco ISE and the client when you configure posture on Cisco ISE? (Choose two.)

A. TCP 80
B. TCP 8905
C. TCP 8443
D. TCP 8906
E. TCP 443

A

B. TCP 8905
C. TCP 8443

25
Q

What are two components of the posture requirement when configuring Cisco ISE posture? (Choose two.)

A. Client Provisioning portal
B. remediation actions
C. updates
D. access policy
E. conditions

A

B. remediation actions
E. conditions
26
Q

Which term refers to an endpoint agent that tries to join an 802.1X-enabled network?

A. EAP server
B. authenticator
C. supplicant
D. client

A

C. supplicant
27
Q

Which port does Cisco ISE use for native supplicant provisioning of a Windows laptop?

A. TCP 8905
B. TCP 8909
C. TCP 443
D. UDP 1812

A

A. TCP 8905
28
Q

Drag and drop the Cisco ISE persona on the left onto its description on the right.

A. Administration
B. Policy Service
C. Monitoring
D. pxGrid

1. provides advanced troubleshooting tools that can be used to effectively manage the network and resources
2. shares context-sensitive information from Cisco ISE to subscribers
3. manages all system-related configuration and configurations that relate to functionality such as AAA
4. provides network access, posture, guest access, client provisioning and profiling services and evaluates the policies to make a decision

A

A-3, B-4, C-1, D-2
29
Q

What must match between Cisco ISE and the network access device to successfully authenticate endpoints?

A. shared secret
B. profile
C. certificate
D. SNMP version

A

A. shared secret
30
Q

When planning for the deployment of Cisco ISE, an organization's security policy dictates that they must use network access authentication via RADIUS. It also states that the deployment needs to provide an adequate amount of security and visibility for the hosts on the network.
Why should the engineer configure MAB in this situation?

A. The Cisco switches only support MAB.
B. MAB provides the strongest form of authentication available.
C. MAB provides user authentication.
D. The devices in the network do not have a supplicant.

A

D. The devices in the network do not have a supplicant.
31
Q

An organization is implementing Cisco ISE posture services and must ensure that a host-based firewall is in place on every Windows and Mac computer that attempts to access the network. They have multiple vendors' firewall applications for their devices, so the engineers creating the policies are unable to use a specific application check in order to validate the posture for this.
What should be done to enable this type of posture check?

A. Enable the default application condition to identify the applications installed and validate the firewall app.
B. Enable the default firewall condition to check for any vendor firewall application.
C. Use a compound condition to look for the Windows or Mac native firewall applications.
D. Use the file registry condition to ensure that the firewall is installed and running appropriately.

A

B. Enable the default firewall condition to check for any vendor firewall application.
32
Q

An administrator is configuring posture with Cisco ISE and wants to check that specific services are present on the workstations that are attempting to access the network.
What must be configured to accomplish this goal?

A. Create a compound posture condition using an OPSWAT API version.
B. Create an application posture condition using an OPSWAT API version.
C. Create a registry posture condition using a non-OPSWAT API version.
D. Create a service posture condition using a non-OPSWAT API version.

A

D. Create a service posture condition using a non-OPSWAT API version.
33
Q

What is a function of client provisioning?

A. It checks the existence, date, and versions of the file on a client.
B. It checks a dictionary attribute with a value.
C. It ensures that endpoints receive the appropriate posture agents.
D. It ensures an application process is running on the endpoint.

A

C. It ensures that endpoints receive the appropriate posture agents.
34
Q

A network administrator must use Cisco ISE to check whether endpoints have the correct version of antivirus installed.
Which action must be taken to allow this capability?

A. Create a Cisco AnyConnect Network Visibility Module configuration profile to send the antivirus information of the endpoints to Cisco ISE.
B. Configure Cisco ISE to push the HostScan package to the endpoints to check for the antivirus version.
C. Configure a native supplicant profile to be used for checking the antivirus version.
D. Create a Cisco AnyConnect configuration within Cisco ISE for the Compliance Module and associated configuration files.

A

D. Create a Cisco AnyConnect configuration within Cisco ISE for the Compliance Module and associated configuration files.
35
Q

macOS users are complaining about having to read through wordy instructions when remediating their workstations to gain access to the network.
Which alternate method should be used to tell users how to remediate?

A. file distribution
B. executable
C. message text
D. URL link

A

D. URL link
36
Q

An engineer tests Cisco ISE posture services on the network and must configure the compliance module to automatically download and install on endpoints.
Which action accomplishes this task for VPN users?

A. Push the compliance module from Cisco FTD prior to attempting posture.
B. Use a compound posture condition to check for the compliance module and download, if needed.
C. Configure the compliance module to be downloaded from within the posture policy.
D. Create a Cisco AnyConnect configuration and Client Provisioning policy within Cisco ISE.

A

D. Create a Cisco AnyConnect configuration and Client Provisioning policy within Cisco ISE.
37
Q

A network administrator is configuring client provisioning resource policies for client machines and must ensure that an agent pop-up is presented to the client when attempting to connect to the network.
Which configuration item needs to be added to allow for this?

A. a temporal agent that gets installed onto the system
B. a remote posture agent proxying the network connection
C. the client provisioning URL in the authorization policy
D. an API connection back to the client

A

C. the client provisioning URL in the authorization policy
38
Q

An employee must access the internet through the corporate network from a new mobile device that does not support native supplicant provisioning provided by Cisco ISE.
Which portal must the employee use to provision to the device?

A. My Devices
B. BYOD
C. Personal Device
D. Client Provisioning

A

A. My Devices
39
Q

Which two task types are included in the Cisco ISE common tasks support for TACACS+ profiles? (Choose two.)

A. ASA
B. Firepower
C. Shell
D. WLC
E. IOS

A

C. Shell
D. WLC
40
Q

What are two benefits of TACACS+ versus RADIUS for device administration? (Choose two.)

A. TACACS+ has command authorization, and RADIUS does not.
B. TACACS+ uses UDP, and RADIUS uses TCP.
C. TACACS+ supports 802.1X, and RADIUS supports MAB.
D. TACACS+ provides the service type, and RADIUS does not.
E. TACACS+ encrypts the whole payload, and RADIUS encrypts only the password.

A

A. TACACS+ has command authorization, and RADIUS does not.
E. TACACS+ encrypts the whole payload, and RADIUS encrypts only the password.
41
Q

Which two features must be used on Cisco ISE to enable the TACACS+ feature? (Choose two.)

A. Command Sets
B. Server Sequence
C. Device Administration License
D. External TACACS Servers
E. Device Admin Service

A

C. Device Administration License
E. Device Admin Service
42
Q

Which are two characteristics of TACACS+? (Choose two.)

A. It separates authorization and authentication functions.
B. It combines authorization and authentication functions.
C. It uses UDP port 49.
D. It encrypts the password only.
E. It uses TCP port 49.

A

A. It separates authorization and authentication functions.
E. It uses TCP port 49.
43
Q

A user reports that the RADIUS accounting packets are not being seen on the Cisco ISE server.
Which command is the user missing in the switch's configuration?

A. aaa accounting resource default start-stop group radius
B. radius-server vsa send accounting
C. aaa accounting network default start-stop group radius
D. aaa accounting exec default start-stop group radius

A

C. aaa accounting network default start-stop group radius
44
Q

Which two responses from the RADIUS server to NAS are valid during the authentication process? (Choose two.)

A. access-challenge
B. access-accept
C. access-request
D. access-reserved
E. access-response

A

A. access-challenge
B. access-accept
45
Q

What is a characteristic of the UDP protocol?

A. UDP can detect when a server is down.
B. UDP can detect when a server is slow.
C. UDP offers best-effort delivery.
D. UDP offers information about a non-existent server.

A

C. UDP offers best-effort delivery.
46
Q

Refer to the exhibit. A network engineer is configuring the switch to accept downloadable ACLs from a Cisco ISE server.
Which two commands should be run to complete the configuration? (Choose two.)

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius

A. radius-server attribute 8 include-in-access-req
B. ip device tracking
C. dot1x system-auth-control
D. radius server vsa send authentication
E. aaa authorization auth-proxy default group radius

A

B. ip device tracking
C. dot1x system-auth-control
47
Q

Drag and drop the description from the left onto the protocol on the right that is used to carry out system authentication, authorization, and accounting.

TACACS+ or RADIUS

1. combines authentication and authorization
2. encrypts the entire payload
3. encrypts only the password field
4. separates authentication and authorization
5. primary use is device administration
6. primary use is network access

A

TACACS+: 2, 4, 5
RADIUS: 1, 3, 6
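An added Python example, not part of this deck, to make the "encrypts the entire payload" versus "encrypts only the password field" distinction of cards 40, 42 and 47 concrete: it implements the RFC 2865 User-Password hiding (a per-attribute MD5 keystream derived from the shared secret and the Request Authenticator, with User-Name and every other attribute left in cleartext) and the RFC 8907 TACACS+ body obfuscation (an MD5 pseudo-pad over the whole packet body derived from the shared key, session ID, version and sequence number). The shared secret, session ID, usernames and port strings are constructed values. Both constructions are MD5-based obfuscation rather than modern encryption; RFC 8907 itself calls it obfuscation and expects the protocol to run on a trusted management network.

```python
import hashlib
import struct


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# ---- RADIUS: only the User-Password attribute is hidden (RFC 2865, 5.2) ----

def radius_hide_password(secret: bytes, request_authenticator: bytes, password: bytes) -> bytes:
    """c1 = p1 XOR MD5(secret + RA); c_i = p_i XOR MD5(secret + c_{i-1}). Padded to 16."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password is 1 to 128 bytes before padding")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], _md5(secret, prev))
        out += block
        prev = block
    return out


def radius_reveal_password(secret: bytes, request_authenticator: bytes, hidden: bytes) -> bytes:
    """Server side inverse; only works with the same shared secret.
    Trailing NUL padding is stripped (a password ending in NUL bytes is not supported)."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, _md5(secret, prev))
        prev = block
    return out.rstrip(b"\x00")


def radius_attr(attr_type: int, value: bytes) -> bytes:
    """Attribute TLV: Type(1) Length(1) Value."""
    return bytes([attr_type, 2 + len(value)]) + value


def access_request_attrs(secret: bytes, request_authenticator: bytes,
                         username: bytes, password: bytes) -> bytes:
    """User-Name (type 1) travels in cleartext; only User-Password (type 2) is hidden."""
    return (radius_attr(1, username)
            + radius_attr(2, radius_hide_password(secret, request_authenticator, password)))


# ---- TACACS+: the whole packet body is obfuscated (RFC 8907, 4.5) ----

TAC_PLUS_VERSION = 0xC0  # major version 0xC, minor version 0


def tacacs_obfuscate(key: bytes, session_id: int, version: int, seq_no: int, body: bytes) -> bytes:
    """pseudo_pad = MD5_1 .. MD5_n with MD5_1 = MD5(session_id, key, version, seq_no)
    and MD5_i = MD5(session_id, key, version, seq_no, MD5_{i-1}); body XOR pseudo_pad.
    Symmetric: calling it again with the same parameters recovers the body."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = _md5(sid, key, bytes([version]), bytes([seq_no]), prev)
        pad += prev
    return _xor(body, pad)


def tacacs_authen_start_body(user: bytes, port: bytes, rem_addr: bytes, data: bytes = b"") -> bytes:
    """Authentication START body (RFC 8907, 5.1): action LOGIN(1), priv_lvl 1,
    authen_type ASCII(1), authen_service LOGIN(1), four length bytes, then the fields."""
    return (bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), len(data)])
            + user + port + rem_addr + data)


if __name__ == "__main__":
    secret, ra = b"ISEsharedSecret", bytes(range(16))      # constructed values
    attrs = access_request_attrs(secret, ra, b"alice", b"S3cr3t!")
    print("RADIUS User-Name visible:", b"alice" in attrs)   # True
    body = tacacs_authen_start_body(b"alice", b"tty1", b"10.0.0.5")
    enc = tacacs_obfuscate(secret, 0x12345678, TAC_PLUS_VERSION, 1, body)
    print("TACACS+ user visible:", b"alice" in enc)        # False
```

A sniffer on the RADIUS path reads the username, NAS-IP, Calling-Station-Id and any dACL name in the reply directly; the same capture of TACACS+ shows only the 12-byte header (length, session ID, sequence number, flags) in the clear.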
48
Q

An administrator is configuring Cisco ISE to authenticate users logging into network devices using TACACS+. The administrator is not seeing any of the authentication in the TACACS+ live logs.
Which action ensures the users are able to log into the network devices?

A. Enable the device administration service in the PSN persona.
B. Enable the device administration service in the Administration persona.
C. Enable the session services in the Administration persona.
D. Enable the service sessions in the PSN persona.

A

A. Enable the device administration service in the PSN persona.
49
https://www.examtopics.com/assets/media/exam-media/04307/0007300001.png

Q

Refer to the exhibit. An engineer is creating a new TACACS+ command set and cannot use any show commands after logging into the device with this command set authorization.
Which configuration is causing this issue?

A. The command set is allowing all commands that are not in the command list.
B. The wildcard command listed is in the wrong format.
C. The command set is working like an ACL and denying every command.
D. Question marks are not allowed as wildcards for command sets.

A

B. The wildcard command listed is in the wrong format.
This one is not very clear to me :-)
50
Q

An administrator is migrating device administration access to Cisco ISE from the legacy TACACS+ solution that used only privilege 1 and 15 access levels. The organization requires more granular controls of the privileges and wants to customize access levels 2-5 to correspond with different roles and access needs.
Besides defining a new shell profile in Cisco ISE, what must be done to accomplish this configuration?

A. Enable the privilege levels in Cisco ISE.
B. Enable the privilege levels in the IOS devices.
C. Define the command privileges for levels 2-5 in Cisco ISE.
D. Define the command privileges for levels 2-5 in the IOS devices.

A

C. Define the command privileges for levels 2-5 in Cisco ISE.
51
Q

An administrator is configuring RADIUS on a Cisco switch with a key set to Cisc407294634 but is receiving the error "Authentication failed: 22040 Wrong password or invalid shared secret."
What must be done to address this issue?

A. Add the network device as a NAD inside Cisco ISE using the existing key.
B. Configure the key on the Cisco ISE instead of the Cisco switch.
C. Validate that the key is correct on both the Cisco switch as well as Cisco ISE.
D. Use a key that is between eight and ten characters.

A

C. Validate that the key is correct on both the Cisco switch as well as Cisco ISE.
52
Q

An administrator needs to give the same level of access to the network devices when users are logging into them using TACACS+. However, the administrator must restrict certain commands based on one of three user roles that require different commands.
How is this accomplished without creating too many objects using Cisco ISE?

A. Create one shell profile and one command set.
B. Create multiple shell profiles and one command set.
C. Create multiple shell profiles and multiple command sets.
D. Create one shell profile and multiple command sets.

A

D. Create one shell profile and multiple command sets.
53
Q

An engineer builds a five-node distributed Cisco ISE deployment. The first two deployed nodes are responsible for the primary and secondary administration and monitoring personas.
Which persona configuration is necessary to have the remaining three Cisco ISE nodes serve as dedicated nodes in the Cisco ISE cube that is responsible only for handling the RADIUS and TACACS+ authentication requests, identity lookups, and policy evaluation?

https://www.examtopics.com/assets/media/exam-media/04307/0007700001.png

A

Policy Service persona, with the following enabled:
Enable Session Services
Enable Profiling Service
Enable Device Admin Service
54
Q

What are two differences between the RADIUS and TACACS+ protocols? (Choose two.)

A. RADIUS offers multiprotocol support, whereas TACACS+ does not.
B. RADIUS is a Cisco proprietary protocol, whereas TACACS+ is an open standard protocol.
C. RADIUS enables encryption of all the packets, whereas with TACACS+, only the password is encrypted.
D. RADIUS combines authentication and authorization, whereas TACACS+ does not.
E. TACACS+ uses TCP port 49, whereas RADIUS uses UDP ports 1812 and 1813.

A

D. RADIUS combines authentication and authorization, whereas TACACS+ does not.
E. TACACS+ uses TCP port 49, whereas RADIUS uses UDP ports 1812 and 1813.
55
Q

An administrator adds a new network device to the Cisco ISE configuration to authenticate endpoints to the network. The RADIUS test fails after the administrator configures all of the settings in Cisco ISE and adds the proper configurations to the switch.
What is the issue?

A. The endpoint profile is showing as "unknown".
B. The endpoint does not have the appropriate credentials for network access.
C. The certificate on the switch is self-signed, not a CA-provided certificate.
D. The shared secret is incorrect on the switch or on Cisco ISE.

A

D. The shared secret is incorrect on the switch or on Cisco ISE.
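An added Python example, not the deck's material, covering cards 44, 51 and 55 together: a minimal RADIUS packet builder that shows which server codes are valid replies during authentication and how the NAD checks the Response Authenticator with its own shared secret, so a secret mismatch between the switch and ISE makes every reply fail verification (on the ISE side the same mismatch turns the hidden User-Password into garbage, which is what the 22040 "Wrong password or invalid shared secret" message in card 51 reports). Secrets, identifiers, usernames and the Filter-Id value are constructed; `nad_decision` is my own summary of the client-side handling, not a Cisco IOS function.

```python
import hashlib
import hmac
import os
import struct

RADIUS_CODES = {
    1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
    4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge",
}
# The only codes a RADIUS server may send back while authenticating a client.
AUTH_RESPONSE_CODES = {2, 3, 11}


def radius_attr(attr_type: int, value: bytes) -> bytes:
    """Attribute TLV: Type(1) Length(1) Value."""
    return bytes([attr_type, 2 + len(value)]) + value


def build_access_request(identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code 1 packet; the NAD picks a fresh, unpredictable 16-byte Request Authenticator."""
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs


def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side. ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAD side: recompute over the outstanding request and compare in constant time."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    if response[1] != request[1]:   # identifier must match the request it answers
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def code_name(packet: bytes) -> str:
    return RADIUS_CODES.get(packet[0], f"unknown({packet[0]})")


def parse_attrs(packet: bytes) -> list:
    """Split the attribute area into (type, value) pairs, rejecting malformed lengths."""
    out, i = [], 20
    while i + 2 <= len(packet):
        attr_type, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute")
        out.append((attr_type, packet[i + 2:i + length]))
        i += length
    return out


def nad_decision(response: bytes, request: bytes, secret: bytes) -> str:
    """Accept a reply only if it verifies under our secret and carries a valid auth code."""
    if not verify_response(response, request, secret):
        return "drop: bad Response Authenticator (wrong shared secret or forged reply)"
    if response[0] not in AUTH_RESPONSE_CODES:
        return f"drop: unexpected code {code_name(response)}"
    return code_name(response)


if __name__ == "__main__":
    ise_secret = b"ISEsharedSecret"                      # constructed, what ISE has
    req = build_access_request(7, os.urandom(16), radius_attr(1, b"alice"))
    acc = build_response(2, req, radius_attr(11, b"EMPLOYEE-ACL"), ise_secret)  # Filter-Id
    print(nad_decision(acc, req, ise_secret))            # Access-Accept
    print(nad_decision(acc, req, b"Cisc407294634"))      # switch configured with a different key
```

The Response Authenticator binds the reply to the request's random authenticator, so a replayed or forged Access-Accept is dropped as well; Message-Authenticator (attribute 80) adds an HMAC over the whole packet and is required for EAP traffic, but the shared-secret dependency is the same.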
56
Q

An administrator enables the profiling service for Cisco ISE to use for authorization policies while in closed mode. When the endpoints connect, they receive limited access so that the profiling probes can gather information and Cisco ISE can assign the correct profiles. They are using the default values within Cisco ISE, but the devices do not change their access due to the new profile.
What is the problem?

A. The default profiler configuration is set to No CoA for the reauthentication setting.
B. In closed mode, profiling does not work unless CDP is enabled.
C. The profiler feed is not downloading new information, so the profiler is inactive.
D. The profiling probes are not able to collect enough information to change the device profile.

A

A. The default profiler configuration is set to No CoA for the reauthentication setting.
57
Q

An engineer is configuring 802.1X and is testing out their policy sets. After authentication, some endpoints are given an access-reject message but are still allowed onto the network.
What is causing this issue to occur?

A. The authorization results for the endpoints include the Trusted security group tag.
B. The authorization results for the endpoints include a dACL allowing access.
C. The switch port is configured with authentication event server dead action authorize vlan.
D. The switch port is configured with authentication open.

A

D. The switch port is configured with authentication open.
58
Q

An organization is adding nodes to their Cisco ISE deployment and has two nodes designated as primary and secondary PAN and MnT nodes. The organization also has four PSNs. An administrator is adding two more PSNs to this deployment but is having problems adding one of them.
What is the problem?

A. Only five PSNs are allowed to be in the Cisco ISE cube if configured this way.
B. One of the new nodes must be designated as a pxGrid node.
C. The new nodes must be set to primary prior to being added to the deployment.
D. The current PAN is only able to track a max of four nodes.

A

A. Only five PSNs are allowed to be in the Cisco ISE cube if configured this way. (medium-sized deployment)
59
Q

Which two Cisco ISE deployment models require two nodes configured with dedicated PAN and MnT personas? (Choose two.)

A. seven PSN nodes with one PxGrid node
B. two PSN nodes with one PxGrid node
C. five PSN nodes with one PxGrid node
D. six PSN nodes
E. three PSN nodes

A

A. seven PSN nodes with one PxGrid node
D. six PSN nodes
60
Q

An organization wants to enable web-based guest access for both employees and visitors. The goal is to use a single portal for both user types.
Which two authentication methods should be used to meet this requirement? (Choose two.)

A. LDAP
B. MAC-based
C. Certificate-based
D. LOCAL
E. 802.1X

A

A. LDAP
D. LOCAL
61
Q

A network administrator is currently using Cisco ISE to authenticate devices and users via 802.1X. There is now a need to also authorize devices and users using EAP-TLS.
Which two additional components must be configured in Cisco ISE to accomplish this? (Choose two.)

A. Certificate Authentication Profile
B. EAP Authorization Profile
C. Network Device Group
D. Common Name attribute that maps to an identity store
E. Serial Number attribute that maps to a CA Server

A

A. Certificate Authentication Profile
B. EAP Authorization Profile
62
https://www.examtopics.com/assets/media/exam-media/04307/0008400001.jpg

Q

Refer to the exhibit. An engineer is configuring the remote access VPN to use Cisco ISE for AAA and needs to conduct posture checks on the connecting endpoints. After the endpoint connects, it receives its initial authorization result and continues onto the compliance scan.
What must be done for this AAA configuration to allow compliant access to the network?

A. Ensure that authorization only mode is not enabled.
B. Enable dynamic authorization within the AAA server group.
C. Fix the CoA port number.
D. Configure the posture authorization so it defaults to unknown status.

A

B. Enable dynamic authorization within the AAA server group.
63
https://www.examtopics.com/assets/media/exam-media/04307/0008500001.png

Q

Refer to the exhibit. An engineer is configuring Cisco ISE for guest services. They would like to have any unregistered guests redirected to the guest portal for authentication, then have a CoA provide them with full access to the network that is segmented via firewalls.
Why is the given configuration failing to accomplish this goal?

A. The Guest Portal and Guest Access policy lines are in the wrong order.
B. The PermitAccess result is not set to restricted access in its policy line.
C. The Network_Access_Authentication_Passed condition will not work with guest services for portal access.
D. The Guest_Flow condition is not in the line that gives access to the guest portal.

A

A. The Guest Portal and Guest Access policy lines are in the wrong order.
64
https://www.examtopics.com/assets/media/exam-media/04307/0008600001.png

Q

Refer to the exhibit (output of show authentication sessions). An engineer is configuring a client but cannot authenticate to Cisco ISE. During troubleshooting, the command was issued to display the authentication status of each port.
Which command gives additional information to help identify the problem with the authentication?

A. show authentication sessions
B. show authentication sessions output
C. show authentication sessions interface Gi1/0/1 output
D. show authentication sessions interface Gi1/0/1 details

A

D. show authentication sessions interface Gi1/0/1 details
65
Q

An administrator has added a new Cisco ISE PSN to their distributed deployment.
Which two features must the administrator enable to accept authentication requests and profile the endpoints correctly, and add them to their respective endpoint identity groups? (Choose two.)

A. Session Services
B. Profiling Services
C. Radius Service
D. Posture Services
E. Endpoint Attribute Filter

A

A. Session Services
B. Profiling Services
66
Q

While configuring Cisco TrustSec on Cisco IOS devices, the engineer must set the CTS device ID and password in order for the devices to authenticate with each other. However, after this is complete, the devices are not able to properly authenticate.
What issue would cause this to happen even if the device ID and passwords are correct?

A. EAP-FAST is not enabled.
B. The SGT mappings have not been defined.
C. The device aliases are not matching.
D. The devices are missing the configuration cts credentials trustsec verify 1.

A

A. EAP-FAST is not enabled.
67
Q

An engineer is configuring Cisco ISE policies to support MAB for devices that do not have 802.1X capabilities. The engineer is configuring new endpoint identity groups as conditions to be used in the AuthZ policies, but noticed that the endpoints are not hitting the correct policies.
What must be done in order to get the devices into the right policies?

A. Create an AuthZ policy to identify Unknown devices and provide partial network access prior to profiling.
B. Add an identity policy to dynamically add the IP address of the devices to their endpoint identity groups.
C. Identify the non-802.1X supported device types and create custom profiles for them to profile into.
D. Manually add the MAC addresses of the devices to endpoint ID groups in the context visibility database.

A

D. Manually add the MAC addresses of the devices to endpoint ID groups in the context visibility database.
68
An engineer is configuring sponsored guest access and needs to limit each sponsored guest to a maximum of two devices. There are other guest services in production that rely on the default guest types. How should this configuration change be made without disrupting the other guest services currently offering three or more guest devices per user?

A. Create a Cisco ISE identity group to add users to and limit the number of logins via the group configuration.
B. Create an LDAP login for each guest and tag that in the guest portal for authentication.
C. Create a new sponsor group and adjust the settings to limit the devices for each guest.
D. Create a new guest type and set the maximum number of devices sponsored guests can register.
D. Create a new guest type and set the maximum number of devices sponsored guests can register.
69
https://www.examtopics.com/assets/media/exam-media/04307/0008900001.png

Refer to the exhibit. An administrator is manually adding a device to a Cisco ISE identity group to ensure that it is able to access the network when needed without authentication. Upon testing, the administrator notices that the device never hits the correct authorization policy line using the condition EndPoints-LogicalProfile EQUALS static_list. Why is this occurring?

A. The dynamic logical profile is overriding the statically assigned profile.
B. The logical profile is being statically assigned instead of the identity group.
C. The identity group is being assigned instead of the logical profile.
D. The device is changing identity groups after profiling instead of remaining static.
B. The logical profile is being statically assigned instead of the identity group.
70
An administrator is configuring sponsored guest access using Cisco ISE. Access must be restricted to the sponsor portal to ensure that only necessary employees can issue sponsored accounts, and employees must be classified to do so. What must be done to accomplish this task?

A. Modify the sponsor groups assigned to reflect the desired user groups.
B. Configure an identity-based access list in Cisco ISE to restrict the users allowed to login.
C. Edit the sponsor portal to only accept members from the selected groups.
D. Create an authorization rule using the Guest Flow condition to authorize the administrators.
A. Modify the sponsor groups assigned to reflect the desired user groups.
71
During an 802.1X deployment, an engineer must identify failed authentications without causing problems for the connected endpoint. Which command will successfully achieve this?

A. authentication open
B. dot1x pae authenticator
C. authentication port-control auto
D. dot1x system-auth-control
A. authentication open
72
An engineer is configuring TACACS+ within Cisco ISE for use with a non-Cisco network device. They need to send special attributes in the Access-Accept response to ensure that the users are given the appropriate access. What must be configured to accomplish this?

A. custom access conditions for defining the different roles
B. shell profiles with custom attributes that define the various roles
C. dACLs to enforce the various access policies for the users
D. TACACS+ command sets to provide appropriate access
B. shell profiles with custom attributes that define the various roles
73
An administrator needs to allow guest devices to connect to a private network without requiring usernames and passwords. Which two features must be configured to allow for this? (Choose two.)

A. central WebAuth
B. device registration WebAuth
C. local WebAuth
D. self-registered guest portal
E. hotspot guest portal
B. device registration WebAuth
E. hotspot guest portal
74
An administrator wants to configure network device administration and is trying to decide whether to use TACACS+ or RADIUS. A reliable protocol must be used that can check command authorization. Which protocol meets these requirements and why?

A. RADIUS because it runs over TCP.
B. RADIUS because it runs over UDP.
C. TACACS+ because it runs over TCP.
D. TACACS+ because it runs over UDP.
C. TACACS+ because it runs over TCP.
75
An engineer is creating a new authorization policy to give the endpoints access to VLAN 310 upon successful authentication. The administrator tests the 802.1X authentication for the endpoint and sees that it is authenticating successfully. What must be done to ensure that the endpoint is placed into the correct VLAN?

A. Configure the switchport access vlan 310 command on the switch port.
B. Add VLAN 310 in the common tasks of the authorization profile.
C. Ensure that the endpoint is using the correct policy set.
D. Ensure that the security group is not preventing the endpoint from being in VLAN 310.
B. Add VLAN 310 in the common tasks of the authorization profile.
76
An engineer is configuring Cisco ISE for network device administration and has devices that support both protocols. What are two benefits of choosing TACACS+ over RADIUS for these devices? (Choose two.)

A. TACACS+ uses secure EAP-TLS while RADIUS does not.
B. TACACS+ is FIPS compliant while RADIUS is not.
C. TACACS+ encrypts the entire payload being sent while RADIUS only encrypts the password.
D. TACACS+ is designed for network access control while RADIUS is designed for role-based access.
E. TACACS+ provides the ability to authorize specific commands while RADIUS does not.
C. TACACS+ encrypts the entire payload being sent while RADIUS only encrypts the password.
E. TACACS+ provides the ability to authorize specific commands while RADIUS does not.
77
An engineer is enabling a newly configured wireless SSID for tablets and needs visibility into which other types of devices are connecting to it. What must be done on the Cisco WLC to provide this information to Cisco ISE?

A. enable mDNS snooping
B. enable Fast Transition
C. enable MAC filtering
D. enable IP Device Tracking
D. enable IP Device Tracking
78
An engineer is configuring a posture policy for Windows 10 endpoints and wants to ensure that users in each AD group have different conditions to meet to be compliant. What must be done to accomplish this task?

A. Change the posture requirements to use an AD group for each use case, then use those requirements in the posture policy.
B. Identify the users groups needed for different policies and create service conditions to map each one to its posture requirement.
C. Configure a simple condition for each AD group and use it in the posture policy for each use case.
D. Use the authorization policy within the policy set to group each AD group with their respective posture policy.
B. Identify the users groups needed for different policies and create service conditions to map each one to its posture requirement.
79
An engineer has been tasked with standing up a new guest portal for customers that are waiting in the lobby. There is a requirement to allow guests to use their social media logins to access the guest network to appeal to more customers. What must be done to accomplish this task?

A. Create a sponsored guest portal and enable social media in the external identity sources.
B. Create a self-registered guest portal and enable the feature for social media logins.
C. Create a hotspot portal and enable social media login for network access.
D. Create a sponsor portal to allow guests to create accounts using their social media logins.
B. Create a self-registered guest portal and enable the feature for social media logins.
80
A Cisco device has a port configured in multi-authentication mode and is accepting connections only from hosts assigned the SGT of SGT_0123456789. The VLAN trunk link supports a maximum of 8 VLANs. What is the reason for these restrictions?

A. The device is performing inline tagging without acting as a SXP speaker.
B. The device is performing inline tagging while acting as a SXP speaker.
C. The IP subnet addresses are dynamically mapped to an SGT.
D. The IP subnet addresses are statically mapped to an SGT.
A. The device is performing inline tagging without acting as a SXP speaker.
81
An administrator is configuring a Cisco WLC for web authentication. Which two client profiling methods are enabled by default if the Apply Cisco ISE Default Settings check box has been selected? (Choose two.)

A. LLDP
B. CDP
C. DHCP
D. SNMP
E. HTTP
C. DHCP
E. HTTP
82
What is the default port used by Cisco ISE for NetFlow version 9 probe?

A. UDP 9996
B. UDP 9997
C. UDP 9998
D. UDP 9999
A. UDP 9996
83
Which Cisco ISE deployment model provides redundancy by having every node in the deployment configured with the Administration, Policy Service, and Monitoring personas to protect from a complete node failure?

A. dispersed
B. distributed
C. two-node
D. hybrid
C. two-node
84
Which compliance status is set when a matching posture policy has been defined for that endpoint, but all the mandatory requirements during posture assessment are not met?

A. unauthorized
B. non-compliant
C. unknown
D. untrusted
B. non-compliant
85
An engineer is configuring posture assessment for their network access control and needs to use an agent that supports using service conditions as conditions for the assessment. The agent should be run as a background process to avoid user interruption, but when it is run, the user can see it. What is the problem?

A. The posture module was deployed using the headend instead of installing it with SCCM.
B. The engineer is using the Anyconnect posture agent but should be using the Stealth Anyconnect posture agent.
C. The proper permissions were not given to the temporal agent to conduct the assessment.
D. The user was in need of remediation so the agent appeared in the notifications.
B. The engineer is using the Anyconnect posture agent but should be using the Stealth Anyconnect posture agent.
86
Which Cisco ISE deployment model is recommended for an enterprise that has over 50,000 concurrent active endpoints?

A. large deployment with fully distributed nodes running all personas
B. medium deployment with primary and secondary PAN/MnT/pxGrid nodes with shared PSNs
C. medium deployment with primary and secondary PAN/MnT/pxGrid nodes with dedicated PSNs
D. small deployment with one primary and one secondary node running all personas
C. medium deployment with primary and secondary PAN/MnT/pxGrid nodes with dedicated PSNs
87
What is a restriction of a standalone Cisco ISE node deployment?

A. Only the Policy Service persona can be disabled on the node.
B. The domain name of the node cannot be changed after installation.
C. Personas are enabled by default and cannot be edited on the node.
D. The hostname of the node cannot be changed after installation.
C. Personas are enabled by default and cannot be edited on the node.
88
What are the minimum requirements for deploying the Automatic Failover feature on Administration nodes in a distributed Cisco ISE deployment?

A. a primary and secondary PAN and a health check node for the Secondary PAN
B. a primary and secondary PAN and no health check nodes
C. a primary and secondary PAN and a pair of health check nodes
D. a primary and secondary PAN and a health check node for the Primary PAN
D. a primary and secondary PAN and a health check node for the Primary PAN
89
An engineer is testing low-impact mode for a phased deployment of Cisco ISE. Which type of traffic is denied when a host tries to connect to the network prior to authentication?

A. DNS
B. EAP
C. DHCP
D. HTTP
D. HTTP
90
An administrator is attempting to join a new node to the primary Cisco ISE node, but receives the error message "Node is Unreachable". What is causing this error?

A. The second node is a PAN node.
B. No administrative certificate is available for the second node.
C. The second node is in standalone mode.
D. No admin privileges are available on the second node.
B. No administrative certificate is available for the second node.
91
DRAG DROP - Drag and drop the configuration steps from the left into the sequence on the right to install two Cisco ISE nodes in a distributed deployment.

1. Register the secondary node.
2. Define personas for the secondary node.
3. Enable Administration and Monitoring personas on the first node.
4. Configure the first node as the primary node.
3 4 1 2
92
An engineer wants to learn more about Cisco ISE and deployed a new lab with two nodes. Which two persona configurations allow the engineer to successfully test redundancy of a failed node? (Choose two.)

A. Configure one of the Cisco ISE nodes as the Health Check node.
B. Configure both nodes with the PAN and MnT personas only.
C. Configure one of the Cisco ISE nodes as the primary PAN and MnT personas and the other as the secondary.
D. Configure both nodes with the PAN, MnT, and PSN personas.
E. Configure one of the Cisco ISE nodes as the primary PAN and PSN personas and the other as the secondary.
C. Configure one of the Cisco ISE nodes as the primary PAN and MnT personas and the other as the secondary.
E. Configure one of the Cisco ISE nodes as the primary PAN and PSN personas and the other as the secondary.
93
https://img.examtopics.com/300-715/image3.png

Refer to the exhibit. Which two configurations are needed on a Catalyst switch to add it as a network access device in a Cisco ISE that is being used for 802.1X authentications? (Choose two.)

A. radius server ISE1 address ipv4 192.168.255.17 auth-port 1645 acct-port 1646 key 7 0607542D5F4A0213034C1E0A1F0F2E2122733F3429000D12055A5A52
B. tacacs server ISE1 address ipv4 192.168.255.15 auth-port 1645 acct-port 1646 key 7 0607542D5F4A0213034C1E0A1F0F2E2122733F3429000D12055A5A52
C. radius server ISE1 address ipv4 192.168.255.19 auth-port 1645 acct-port 1646 key 7 0607542D5F4A0213034C1E0A1F0F2E2122733F3429000D12055A5A52
D. tacacs server ISE1 address ipv4 192.168.255.18 auth-port 1645 acct-port 1646 key 7 0607542D5F4A0213034C1E0A1F0F2E2122733F3429000D12055A5A52
E. radius server ISE1 address ipv4 192.168.255.16 auth-port 1645 acct-port 1646 key 7 0607542D5F4A0213034C1E0A1F0F2E2122733F3429000D12055A5A52
A. radius server ISE1 address ipv4 192.168.255.17 auth-port 1645 acct-port 1646 key 7 0607542D5F4A0213034C1E0A1F0F2E2122733F3429000D12055A5A52
C. radius server ISE1 address ipv4 192.168.255.19 auth-port 1645 acct-port 1646 key 7 0607542D5F4A0213034C1E0A1F0F2E2122733F3429000D12055A5A52
94
The security team wants to secure the wired network. A legacy printer on the network with the MAC address 00:43:08:50:64:60 does not support 802.1X. Which setting must be enabled in the Allowed Authentication Protocols list in your Authentication Policy for Cisco ISE to support MAB for this MAC address?

A. MS-CHAPv2
B. EAP-TLS
C. PAP
D. Process Host Lookup
D. Process Host Lookup
95
An organization is using Cisco ISE to provide AAA services to non-Cisco switches with IP phones connected. An engineer needs to use Profiling Services to authorize network access for IP phones that do not support 802.1X. What must be configured to accomplish this goal?

A. DHCP
B. SNMPTRAP
C. SNMPQUERY
D. RADIUS
C. SNMPQUERY
96
Which type of identity store allows for creating single-use access credentials in Cisco ISE?

A. OpenLDAP
B. Local
C. PKI
D. RSA SecurID
D. RSA SecurID
97
A network engineer needs to deploy 802.1X using Cisco ISE in a wired network environment where thin clients download their system image upon bootup using PXE. For which mode must the switch ports be configured?

A. closed
B. restricted
C. monitor
D. low-impact
D. low-impact
98
Which two statements are correct regarding the differences between RADIUS and TACACS+? (Choose two.)

A. RADIUS encrypts the entire packet, whereas TACACS+ only encrypts the password field.
B. RADIUS primary use is for network access, whereas TACACS+ primary use is for device administration.
C. RADIUS combines the authentication and authorization functions, whereas TACACS+ separates them.
D. RADIUS uses TCP as the transmission protocol, whereas TACACS+ uses both UDP and TCP protocols.
E. RADIUS supports full command logging, whereas TACACS+ does not provide any command logging.
B. RADIUS primary use is for network access, whereas TACACS+ primary use is for device administration.
C. RADIUS combines the authentication and authorization functions, whereas TACACS+ separates them.
99
An engineer is configuring static SGT classification. Which configuration should be used when authentication is disabled and third-party switches are in use?

A. VLAN to SGT mapping
B. IP Address to SGT mapping
C. L3IF to SGT mapping
D. Subnet to SGT mapping
A. VLAN to SGT mapping
100
An engineer must configure Cisco ISE to provide internet access for guests in which guests are required to enter a code to gain network access. Which action accomplishes the goal?

A. Configure the hotspot portal for guest access and require an access code.
B. Configure the sponsor portal with a single account and use the access code as the password.
C. Configure the self-registered guest portal to allow guests to create a personal access code.
D. Create a BYOD policy that bypasses the authentication of the user and authorizes access codes.
A. Configure the hotspot portal for guest access and require an access code.