3 Flashcards

(100 cards)

1
Q

Which two actions must be verified to confirm that the internet is accessible via guest access when configuring a guest portal? (Choose two.)

A. The guest device successfully associates with the correct SSID.
B. The guest user gets redirected to the authentication page when opening a browser.
C. The guest device has internal network access on the WLAN.
D. The guest device can connect to network file shares.
E. Cisco ISE sends a CoA upon successful guest authentication.
A

B. The guest user gets redirected to the authentication page when opening a browser.
E. Cisco ISE sends a CoA upon successful guest authentication.

2
Q

An administrator made changes in Cisco ISE and needs to apply new permissions for endpoints that have already been authenticated by sending a CoA packet to the network devices. Which IOS command must be configured on the devices to accomplish this goal?

A. aaa server radius dynamic-author
B. authentication command bounce-port
C. authentication command disable-port
D. aaa nas port extended
A

A. aaa server radius dynamic-author

3
Q

An engineer needs to configure Cisco ISE Profiling Services to authorize network access for IP speakers that require access to the intercom system. This traffic needs to be identified if the ToS bit is set to 5 and the destination IP address is the intercom system. What must be configured to accomplish this goal?

A. NMAP
B. NETFLOW
C. pxGrid
D. RADIUS
A

B. NETFLOW

4
Q

An engineer needs to configure a Cisco ISE server to issue a CoA for endpoints already authenticated to access the network. The CoA option must be enforced on a session, even if there are multiple active sessions on a port. What must be configured to accomplish this task?

A. the Reauth CoA option in the Cisco ISE system profiling settings enabled
B. an endpoint profiling policy with the No CoA option enabled
C. an endpoint profiling policy with the Port Bounce CoA option enabled
D. the Port Bounce CoA option in the Cisco ISE system profiling settings enabled
A

A. the Reauth CoA option in the Cisco ISE system profiling settings enabled

5
Q

An administrator replaced a PSN in the distributed Cisco ISE environment. When endpoints authenticate to it, the devices are not getting the right profiles or attributes and as a result, are not hitting the correct policies. This was working correctly on the previous PSN. Which action must be taken to ensure the endpoints get identified?

A. Verify that the MnT node is tracking the session.
B. Verify the shared secret used between the switch and the PSN.
C. Verify that the profiling service is running on the new PSN.
D. Verify that the authentication request the PSN is receiving is not malformed.
A

C. Verify that the profiling service is running on the new PSN.

6
Q

An administrator must block access to BYOD endpoints that were onboarded without a certificate and have been reported as stolen in the Cisco ISE My Devices Portal. Which condition must be used when configuring an authorization policy that sets DenyAccess permission?

A. Endpoint Identity Group is Blocklist, and the BYOD state is Registered.
B. Endpoint Identity Group is Blocklist, and the BYOD state is Pending.
C. Endpoint Identity Group is Blocklist, and the BYOD state is Lost.
D. Endpoint Identity Group is Blocklist, and the BYOD state is Reinstate.
A

A. Endpoint Identity Group is Blocklist, and the BYOD state is Registered.

7
Q

An engineer needs to configure a new certificate template in the Cisco ISE Internal Certificate Authority to prevent BYOD devices from needing to re-enroll when their MAC address changes. Which option must be selected in the Subject Alternative Name field?

A. Common Name and GUID
B. MAC Address and GUID
C. Distinguished Name
D. Common Name
A

B. MAC Address and GUID

8
Q

A user changes the status of a device to stolen in the My Devices Portal of Cisco ISE. The device was originally onboarded in the BYOD wireless Portal without a certificate. The device is found later, but the user cannot re-onboard the device because Cisco ISE assigned the device to the Blocklist endpoint identity group. What must the user do in the My Devices Portal to resolve this issue?

A. Manually remove the device from the Blocklist endpoint identity group.
B. Change the device state from Stolen to Not Registered.
C. Change the BYOD registration attribute of the device to None.
D. Delete the device, and then re-add the device.
A

D. Delete the device, and then re-add the device.

9
Q

A security administrator is using Cisco ISE to create a BYOD onboarding solution for all employees who use personal devices on the corporate network. The administrator generates a Certificate Signing Request and signs the request using an external Certificate Authority server. Which certificate usage option must be selected when importing the certificate into ISE?

A. RADIUS
B. DTLS
C. Portal
D. Admin
A

C. Portal

10
Q

An engineer needs to configure a compliance policy on Cisco ISE to ensure that the latest encryption software is running on the C drive of all endpoints. Drag and drop the configuration steps from the left into the sequence on the right to accomplish this task.

select posture and disk encryption condition
access the disk encryption condition window
select the encryption settings
access policy elements and conditions

A

access policy elements and conditions
select posture and disk encryption condition
access the disk encryption condition window
select the encryption settings

11
Q

What is a valid status of an endpoint attribute during the device registration process?

A. block listed
B. pending
C. unknown
D. DenyAccess
A

B. pending

12
Q

An administrator is configuring the Native Supplicant Profile to be used with the Cisco ISE posture agents and needs to test the connection using wired devices to determine which profile settings are available. Which two configuration settings should be used to accomplish this task? (Choose two.)

A. authentication mode
B. proxy host/IP
C. certificate template
D. security
E. allowed protocol
A

C. certificate template
E. allowed protocol

13
Q

Which Cisco ISE solution ensures endpoints have the latest version of antivirus updates installed before being allowed access to the corporate network?

A. Threat Services
B. Profiling Services
C. Provisioning Services
D. Posture Services
A

D. Posture Services

14
Q

An administrator is configuring posture assessment in Cisco ISE for the first time. Which two components must be uploaded to Cisco ISE to use Anyconnect for the agent configuration in a client provisioning policy? (Choose two.)

A. Anyconnect network visibility module
B. Anyconnect compliance module
C. AnyConnectProfile.xml file
D. AnyConnectProfile.xsd file
E. Anyconnect agent image
A

B. Anyconnect compliance module
E. Anyconnect agent image

15
Q

What is a difference between TACACS+ and RADIUS with regard to encryption?

A. TACACS+ encrypts only the password, whereas RADIUS encrypts the username and password.
B. TACACS+ encrypts the username and password, whereas RADIUS encrypts only the password.
C. TACACS+ encrypts the password, whereas RADIUS sends the entire packet in clear text.
D. TACACS+ encrypts the entire packet, whereas RADIUS encrypts only the password.
A

D. TACACS+ encrypts the entire packet, whereas RADIUS encrypts only the password.

16
Q

What is a difference between RADIUS and TACACS+?

A. RADIUS uses connection-oriented transport, and TACACS+ uses best-effort delivery.
B. RADIUS offers multiprotocol support, and TACACS+ supports only IP traffic.
C. RADIUS combines authentication and authorization functions, and TACACS+ separates them.
D. RADIUS supports command accounting, and TACACS+ does not.
A

C. RADIUS combines authentication and authorization functions, and TACACS+ separates them.

17
Q

An engineer is unable to use SSH to connect to a switch after adding the required CLI commands to the device to enable TACACS+. The device administration license has been added to Cisco ISE, and the required policies have been created. Which action is needed to enable access to the switch?

A. The ip ssh source-interface command needs to be set on the switch
B. 802.1X authentication needs to be configured on the switch.
C. The RSA keypair used for SSH must be regenerated after enabling TACACS+.
D. The switch needs to be added as a network device in Cisco ISE and set to use TACACS+.
A

D. The switch needs to be added as a network device in Cisco ISE and set to use TACACS+.

18
Q

An engineer needs to export a file in CSV format, encrypted with the password C1$c0438563935, and contains users currently configured in Cisco ISE. Drag and drop the steps from the left into the sequence on the right to complete this task.

Click Export Selected, click key, and enter the password.
Click Administration, and then click Identity Management.
Click Start Export, and then click OK.
Click Identities, click users, and then select the list of users.

A

Click Administration, and then click Identity Management.
Click Identities, click users, and then select the list of users.
Click Export Selected, click key, and enter the password.
Click Start Export, and then click OK.

19
Q

The IT manager wants to provide different levels of access to network devices when users authenticate using TACACS+. The company needs specific commands to be allowed based on the Active Directory group membership of the different roles within the IT department. The solution must minimize the number of objects created in Cisco ISE. What must be created to accomplish this task?

A. one shell profile and one command set
B. multiple shell profiles and one command set
C. one shell profile and multiple command sets
D. multiple shell profiles and multiple command sets
A

C. one shell profile and multiple command sets

20
Q

What are two differences of TACACS+ compared to RADIUS? (Choose two.)

A. TACACS+ uses a connectionless transport protocol, whereas RADIUS uses a connection-oriented transport protocol.
B. TACACS+ encrypts the full packet payload, whereas RADIUS only encrypts the password.
C. TACACS+ only encrypts the password, whereas RADIUS encrypts the full packet payload.
D. TACACS+ uses a connection-oriented transport protocol, whereas RADIUS uses a connectionless transport protocol.
E. TACACS+ supports multiple sessions per user, whereas RADIUS supports one session per user.
A

B. TACACS+ encrypts the full packet payload, whereas RADIUS only encrypts the password.
D. TACACS+ uses a connection-oriented transport protocol, whereas RADIUS uses a connectionless transport protocol.

21
Q

Which two authentication protocols are supported by RADIUS but not by TACACS+? (Choose two.)

A. MSCHAPv1
B. PAP
C. EAP
D. CHAP
E. MSCHAPV2
A

C. EAP
E. MSCHAPV2

22
Q

An engineer configured posture assessment for their network access control with the goal of using an agent that supports using service conditions for the assessment. The agent should run as a background process to avoid user interruption, but the user can see it when it is run. What is the problem?

A. The selected posture agent does not support the engineer's goal.
B. The posture module was deployed using the headend instead of installing it with SCCM.
C. The proper permissions were not given to the temporal agent to conduct the assessment.
D. The user required remediation so the agent appeared in the notifications.
A

A. The selected posture agent does not support the engineer’s goal.

23
Q

An engineer is deploying Cisco ISE to use 802.1X authentication for controlling access to the company’s wired network. The request from company management is to minimize the impact on users during the rollout of 802.1X on the company switches. Which mode must be used first in a phased 802.1X deployment to fulfill this request?

A. Monitor
B. Open
C. Low-impact
D. Closed
A

A. Monitor

24
Q

An engineer needs to create a Self-Registered Guest Portal in Cisco ISE in which guest users receive their passwords via SMS. Which two settings must be configured to accomplish this task? (Choose two.)

A. Choose the SMS provider previously configured as an SMS gateway under the Registration Form Settings.
B. Select SMS for the Send Credential upon notification setting under Registration Form Settings.
C. Choose the SMS provider previously configured as an SMS gateway under Device Registration Settings.
D. Select Allow employees to use personal devices and SMS for notifications under BYOD.
E. Select SMS for the Send Credential upon notification setting under the Login Page Settings.
A

A. Choose the SMS provider previously configured as an SMS gateway under the Registration Form Settings.
B. Select SMS for the Send Credential upon notification setting under Registration Form Settings.

25
Q

https://img.examtopics.com/300-715/image7.png

Refer to the exhibit. Which checkbox must be enabled to allow Cisco ISE to publish group membership information for active users that can be shared with Cisco Firepower devices?

A. Enable Passive Identity Service
B. Enable SXP Service
C. Enable Device Admin Service
D. pxGrid
A

D. pxGrid

26
Q

To configure BYOD using Cisco ISE, an administrator is considering issuing certificates to the devices connecting to provide a better user experience. External CA servers cannot be used for this purpose because everything must be local to the Cisco ISE. What must be done to accomplish this?

A. Use the captive portal network assistant to issue certificates to the endpoints as they authenticate.
B. Use ISE as a sub CA for the BYOD portal and redirect users to the Root CA for certificate issuance.
C. Configure the Cisco ISE Internal CA to issue certificates to each endpoint connecting to the BYOD network.
D. Configure MS SCEP so that endpoints can query their local AD server for the correct certificate.
A

C. Configure the Cisco ISE Internal CA to issue certificates to each endpoint connecting to the BYOD network.

27
Q

An engineer must configure an HTTP probe on a Cisco ISE virtual appliance running on VMWare using a dedicated interface for profiling. The interface is assigned to the VM Network port group. The engineer is logged into the hypervisor with a user account that only provides access to the Cisco ISE VM and the network settings for the VM. Which security setting must be changed for this interface to accept SPAN traffic?

A. Set Promiscuous mode to inherit from vSwitch in the Port Group properties.
B. Set Promiscuous mode to inherit from Port Group in the vSwitch properties.
C. Set Promiscuous mode to Accept in the Port Group properties.
D. Set Promiscuous mode to Accept in the vSwitch properties.
A

C. Set Promiscuous mode to Accept in the Port Group properties.

28
Q

An administrator is configuring MAB and needs to create profiling policies to support devices that do not match the built-in profiles. Which two steps must the administrator take in order to use these new profiles in authorization policies? (Choose two.)

A. Edit the authorization policy to give the profiles as a result of the authentication and authorization results
B. Use the profiling policies as the matching conditions in each authorization policy
C. Modify the endpoint identity group to feed the profiling policies into and match the parent group in the policy
D. Configure the profiling policy to make a matching identity group and use the group in the authorization policy
E. Feed the profiling policies into a logical profile and use the logical profile in the authorization policy
A

D. Configure the profiling policy to make a matching identity group and use the group in the authorization policy
E. Feed the profiling policies into a logical profile and use the logical profile in the authorization policy

29
Q

An administrator must enable scanning for specific endpoints when they attempt to access the network. The scanning must be triggered as a result of successful authentication. Which action accomplishes this task?

A. Modify the authorization policy to send init_endpoint_scan as a result to the authenticator.
B. Create an authorization profile with scanning enabled and add it to the authorization policy that the endpoints will hit.
C. Add an entry in the authentication conditions to allow only scanned endpoints access, then redirect everything else to the portal to initiate the scan.
D. Configure the endpoint scanning probe to profile the endpoint correctly and assign it a risk score.
A

B. Create an authorization profile with scanning enabled and add it to the authorization policy that the endpoints will hit.

30
Q

A network engineer responsible for the switching environment must provision a new switch to properly propagate security group tags within the TrustSec inline method. Which CLI command must the network engineer enter on the switch to globally enable the tagging of SGTs?

A. cts sxp enable
B. cts manual
C. cts role-based sgt-map
D. cts role-based enforcement
A

B. cts manual

31
Q

Due to a recent network incident, all access to network devices must be centrally logged and tracked in Cisco ISE. On which nodes must the Device Admin service be enabled?

A. one PAN
B. each PSN
C. each PAN
D. one PSN
A

B. each PSN

32
Q

A client connects to a network and the authenticator device learns the MAC address 04:49:23:86:34:AB of this client. After the MAC address is learned, the 802.1X authentication process begins on this port. Which ISE deployment mode restricts all traffic initially, applies a rule for access control if 802.1X authentication is successful, and can be configured to grant only limited access if 802.1X authentication is unsuccessful?

A. open mode
B. monitor mode
C. closed mode
D. low-impact mode
A

C. closed mode

33
Q

https://img.examtopics.com/300-715/image8.png

A. Insert a new rule above the basic_authenticated_access rule and name the rule Webauth
B. Use the central web authentication authorization profile
C. Drill down to the default policy set
D. From Work Centers, click Network Access and then click Policy Sets
E. For the conditions, select Wired_MAB and Wireless_MAB and ensure that the OR operator is used with the conditions
A

D C A E B

34
Q

An organization has a SGACL locally configured on a switch port, but when a user in the Executives group connects to the network, they receive a different level of network access than expected. When Cisco ISE pushes SGACLs to the switch after the authorization phase, how does the switch decide which access to grant the user?

A. Dynamically downloaded policies override local policies in all cases.
B. Local policies override dynamically downloaded policies in all cases.
C. The policies are merged, but local policies receive priority.
D. The policies are merged, but dynamically downloaded policies receive priority.
A

A. Dynamically downloaded policies override local policies in all cases.

35
Q

An administrator is configuring endpoint profiling and needs to enable CoA for devices that change profiles. Which two actions must be taken to accomplish this goal? (Choose two.)

A. Ensure that the firewall is not blocking port 1700
B. Define "reauth" in the default CoA action to be used
C. Use an API to detect when profile changes occur and send instructions to ISE to provide a CoA
D. Modify the RADIUS endpoint attribute filters to send CoA actions as the profiles change
E. Enable the CoA policy and create rules for each type
A

A. Ensure that the firewall is not blocking port 1700
B. Define "reauth" in the default CoA action to be used

36
Q

A Cisco ISE administrator is setting up Central Web Authentication to be used for user endpoint authentication. The client cannot reach the guest portal to log in and gain access, but DNS is functioning properly and the guest portal is enabled. What else must be configured to gain access?

A. Allow port TCP/8443 on the firewall.
B. Configure HTTP to HTTPS redirection.
C. Configure the guest portal to listen on TCP/8443.
D. Allow redirection from any client IP range.
A

A. Allow port TCP/8443 on the firewall.

37
Q

An administrator is configuring an AD domain to be used with authentication for endpoints and users within Cisco ISE. Which two steps are required to configure this to be used as an external identity store? (Choose two.)

A. Add an Authentication Joint Point.
B. Configure Authentication Domains.
C. Configure Active Directory Schema.
D. Configure Active Directory Domains.
E. Add an Active Directory Join Point.
A

D. Configure Active Directory Domains.
E. Add an Active Directory Join Point.

38
Q

A network engineer is attempting to terminate and reinitialize wireless user sessions individually by using the Live Sessions tab in Cisco ISE. Cisco ISE and the Cisco WLC are separated by a firewall. Which port must be allowed on the firewall so that the network engineer can perform this function from Cisco ISE?

A. TCP port 8443
B. UDP port 5246
C. UDP port 1700
D. TCP port 3791
A

C. UDP port 1700

39
Q

An engineer is configuring Central Web Authentication in Cisco ISE to provide guest access. When an authentication rule is configured in the Default Policy Set for the Wired_MAB or Wireless_MAB conditions, what must be selected for the “if user not found” setting?

A. ACCEPT
B. DROP
C. REJECT
D. CONTINUE
A

D. CONTINUE

40
Q

A network engineer is configuring a new certificate template on the internal CA within Cisco ISE to provision certificates to BYOD devices that must be enrolled in the network. What must be configured in the SAN field of the certificate to identify the devices after enrollment?

A. MAC address
B. email address
C. user principal name
D. common name
A

A. MAC address

41
Q

An engineer is configuring a new Cisco ISE node. The Device Admin service must run on this node to handle authentication requests for network device access via TACACS+. Which persona must be enabled on this node to perform this function?

A. pxGrid
B. Administration
C. Policy Service
D. Monitoring
A

C. Policy Service

42
Q

An engineer has been tasked with using Cisco ISE to restrict network access at the switchport level using 802.1X authentication. Users who fail 802.1X authentication should be redirected via web redirection and have their access restricted via an ACL. What must be configured in Cisco ISE to accomplish this task?

A. an authorization profile
B. an authorization rule
C. an authentication policy
D. an authentication profile
A

A. an authorization profile

43
Q

A Cisco ISE engineer is creating a certificate authentication profile to be used with machine authentication for the network. The engineer wants to be able to compare the user-presented certificate with a certificate stored in Active Directory. What must be done to accomplish this?

A. Add the subject alternative name and the common name to the CAP
B. Use MS-CHAPv2 since it provides machine credentials and matches them to credentials stored in Active Directory.
C. Configure the user-presented password hash and a hash stored in Active Directory for comparison.
D. Enable the option for performing binary comparison.
A

D. Enable the option for performing binary comparison.

44
Q

Which two statements regarding Zero Touch Provisioning (ZTP) on Cisco ISE are correct? (Choose two.)

A. All passwords must be encrypted in the configuration file
B. ZTP cannot be used if ICMP is blocked
C. ZTP is only supported on VMWare
D. ZTP is only supported on virtual appliances
E. Linux is required to create the configuration image
A

D. ZTP is only supported on virtual appliances
E. Linux is required to create the configuration image

45
Q

An administrator needs to add a new third party network device to be used with Cisco ISE for Guest and BYOD authorizations. Which two features must be configured under Network Device Profile to achieve this? (Choose two.)

A. TACACS
B. SNMP community
C. CoA Type
D. dACL
E. URL Redirect
A

C. CoA Type
E. URL Redirect

46
Q

Which two probes provide IP-to-MAC address binding information to the ARP cache in Cisco ISE? (Choose two.)

A. HTTP
B. RADIUS
C. DHCP
D. DNS
E. NetFlow
A

B. RADIUS
C. DHCP

47
Q

When configuring Active Directory groups, an administrator is attempting to retrieve a group that has a name that is ambiguous with another group. What must be done so that the correct group is returned?

A. Use the SID as the identifier for the group.
B. Configure MAB to utilize one group, and 802.1X to utilize the conflicting group.
C. Select both groups, and use a TCT pointer to identify the appropriate one.
D. Utilize MIB entries to identify the desired group.
A

A. Use the SID as the identifier for the group.

48
Q

An administrator has manually added the MAC address of a wireless device to the Blocklist Identity Group for testing. When the device connects to the wireless network it triggers the Wireless Block List Default rule, but the device is still allowed to access the wireless network. What additional step must be taken to resolve this issue?

A. Disable URL redirection on the Authorization Profile.
B. Enable SNMP with read and write access on the Cisco WLC.
C. Create an ACL named BLOCKHOLE on the Cisco WLC.
D. Change the Access Type under the Authorization Profile to ACCESS_REJECT.
A

B. Enable SNMP with read and write access on the Cisco WLC.

49
Q

What is the difference between how RADIUS and TACACS+ handle encryption?

A. RADIUS encrypts only the username and password fields, whereas TACACS+ encrypts the entire packet.
B. RADIUS only encrypts the password field, whereas TACACS+ encrypts the entire packet.
C. RADIUS encrypts the entire packet, whereas TACACS+ encrypts only the username and password fields.
D. RADIUS encrypts the entire packet, whereas TACACS+ only encrypts the password field.
A

B. RADIUS only encrypts the password field, whereas TACACS+ encrypts the entire packet.

50
Q

Which CLI command must be configured on the switchport to immediately run the MAB process if a non-802.1X capable endpoint connects to the port?

A. authentication order mab dot1x
B. dot1x pae authenticator
C. authentication fallback
D. access-session port-control auto
A

A. authentication order mab dot1x

51
Q

The security engineer for a company has recently deployed Cisco ISE to perform centralized authentication of all network device logins using TACACS+ against the local AD domain. Some of the other network engineers are having a hard time remembering to enter their AD account password instead of the local admin password that they have used for years. The security engineer wants to change the password prompt to “Use Local AD Password:” as a way of providing a hint to the network engineers when logging in. Under which page in Cisco ISE would this change be made?

A. Work Centers > Device Administration > Ext Id Sources > Advanced Settings
B. The password prompt cannot be changed on a Cisco IOS device
C. Work Centers > Device Administration > Network Resources > Network Devices
D. Work Centers > Device Administration > Settings > Connection Settings
A

D. Work Centers > Device Administration > Settings > Connection Settings

52
Q

The 300 GB OVA templates for VMs are sufficient for which two dedicated Cisco ISE node types? (Choose two.)

A. Administration
B. Log Collector
C. pxGrid
D. Policy Service
E. Monitoring
A

C. pxGrid
D. Policy Service

53
Q

A network engineer has recently configured a remote branch router to authenticate to a centralized Cisco ISE server behind the corporate firewall using TACACS+. After making this configuration change, the engineer opened another SSH session to the router in order to verify that login attempts are now being sent to Cisco ISE; however, that login attempt was unsuccessful. There are no connection attempts showing in the TACACS live log in Cisco ISE, and the firewall administrator has verified that they see syslog and SNMP traffic destined for the IP address of Cisco ISE, but no TACACS+ traffic. Which misconfiguration is the cause of the failed login?

A. The router is missing a route to the Cisco ISE server.
B. The tacacs source-interface command on the router references the wrong interface.
C. No hosts have been defined under the aaa server group on the router.
D. The shared secret entered on the router for the Cisco ISE server is incorrect.
A

C. No hosts have been defined under the aaa server group on the router.

54
Q

A user recently had their laptop stolen. IT has ordered a replacement device for the user and was able to obtain the MAC address of the device 04:57:47:34:35:0A from the vendor before it shipped. Which statement regarding adding MAC addresses to Cisco ISE is correct?

A. MAC addresses can only be manually imported using a .csv file and the import option.
B. MAC addresses can only be manually imported using the REST API.
C. MAC addresses can only be allowed after the device has connected to the network.
D. MAC addresses can be manually added using the + sign under Context Visibility > Endpoints.
A

D. MAC addresses can be manually added using the + sign under Context Visibility > Endpoints.

55
Q

Which two tasks must be completed when configuring the Cisco ISE BYOD Portal? (Choose two.)

A. Enable policy services.
B. Create endpoint identity groups.
C. Customize device portal.
D. Provision external identity sources.
E. Deploy client provisioning portal.
A

A. Enable policy services.
B. Create endpoint identity groups.

56
Q

An administrator is configuring posture assessment in Cisco ISE for the first time. Which two components must be uploaded to Cisco ISE to use Secure Client for the agent configuration in a client provisioning policy? (Choose two.)

A. SecureClientProfile.xsd file
B. Secure Client compliance module
C. Secure Client agent image
D. SecureClientProfile.xml file
E. Secure Client network visibility module
A

B. Secure Client compliance module
C. Secure Client agent image

57
Q

Which Cisco ISE module contains a list of vendor names, product names, and attributes provided by OPSWAT?

A. Compliance Module
B. Client Provisioning Module
C. Endpoint Security Module
D. Posture Module
A

A. Compliance Module

58
Q

A new Cisco ISE infrastructure is being built to provide network access control. If Cisco Discovery Protocol is used, what information is being gathered in relation to profiling with Cisco ISE?

A. IdentityGroup
B. device ID
C. RADIUS session attributes
D. DHCP session attributes
A

B. device ID

59
Q

A customer requires a Cisco ISE deployment where guests must log in to a webpage with unique credentials in the form Username: User1 and Password: A463646808. Which deployment should the customer use?

A. mobile number field using the guest page
B. hotspot portal authentication
C. single credentials login to guest portal
D. captcha protection self-registration
A

C. single credentials login to guest portal

60
Q

A security engineer has a new TrustSec project and must create a few static security group tag classifications as proof of concept. Which two classifications must the engineer configure? (Choose two.)

A. switch ID
B. MAC address
C. VLAN
D. user ID
E. interface
A

C. VLAN
E. interface

61
Q

An engineer is configuring a new switch to deploy in the campus network. The task is to configure TACACS+ and RADIUS authentication using the new switch and Cisco ISE. What is the procedure for adding this new switch on the network resources page?

A. network devices profiles > add
B. default device > add
C. network devices > add
D. network devices groups > add
A

C. network devices > add
62
Q

Which file setup method is supported by ZTP on physical appliances?

A. cfg
B. iso
C. img
D. ova
A

C. img
63
Q

What is configured to enforce the blocklist permissions and deny access to clients in the blocklist to protect against a lost or stolen device obtaining access to the network?

A. My Devices portal
B. blocklist portal
C. Authentication rule
D. Authorization rule
A

D. Authorization rule
64
Q

An administrator in a health facility must assign a medical device to a static profiling policy. Under which settings group must it be configured?

A. user-defined exception actions
B. CoA under global settings
C. global profiling settings
D. system-defined exceptions actions
A

A. user-defined exception actions
65
Q

An engineer must configure guest access on Cisco ISE for company visitors. Which step must be taken on the Cisco ISE PSNs before a guest portal is configured?

A. Install SSL certificates
B. Create a node group
C. Enable profiling services
D. Enable session services
A

D. Enable session services
66
Q

A network engineer is configuring a portal on Cisco ISE for employees. Employees must use this portal when registering personal devices with native supplicants. For onboarding devices connected with Cisco switches and Cisco wireless LAN controllers, the internal CA must be used. Which portal type must the engineer configure?

A. Personal Device portal
B. Client Provisioning portal
C. Bring Your Own Device portal
D. My Devices portal
A

C. Bring Your Own Device portal
67
Q

An engineer must configure web redirection for guests to a portal where no authentication is required and an Acceptable Use Policy must be accepted by the guest before network access is allowed. Which type of guest portal must be configured in Cisco ISE to meet the requirement?

A. Sponsored
B. Self Registered
C. Hotspot
D. Custom
A

C. Hotspot
68
Q

A network engineer is in the predeployment discovery phase of a Cisco ISE deployment and must discover the network. There is an existing NMS in the network. Which type of probe must be configured to gather the information?

A. SNMP
B. NMAP
C. NetFlow
D. RADIUS
A

A. SNMP
69
Q

An engineer must organize endpoints in a Cisco ISE identity management store to improve the operational management of IP phone endpoints. The endpoints must meet these requirements:

* classify endpoints for finance, sales, and marketing departments
* tag each endpoint as profiled

Which action organizes the endpoints?

A. Add a tag for the endpoints of each department and use the identity group filter.
B. Create an endpoint identity group for each department with the profiled parent group.
C. Add a tag for the endpoints of each department and add an endpoint to profiled group.
D. Create an endpoint identity group for each department with the IP phone parent group.
A

B. Create an endpoint identity group for each department with the profiled parent group.
70
Q

A network engineer must remove a device that has been allowlisted. How should the engineer remove it manually on Cisco ISE?

A. Administration > Identity Management > Endpoint Identity Groups > Profiled
B. Administration > Identity Management > Groups > Endpoint Identity Groups
C. Administration > Identity Management > Groups > Endpoint Identity Groups > Profiled
D. Administration > Identity Management > Endpoint Identity Groups
A

B. Administration > Identity Management > Groups > Endpoint Identity Groups
71
Q

An engineer is adding a new network device to be used with 802.1X authentication. After configuring the device, the engineer notices that no endpoints that connect to the switch are able to authenticate. What is the problem?

A. The command dot1x system-auth-control is not configured on the switch.
B. The switch's supplicant is unable to establish a connection to Cisco ISE.
C. The command dot1x critical vlan 40 is not configured on the switch ports.
D. The endpoint firewalls are blocking the EAPoL traffic.
A

A. The command dot1x system-auth-control is not configured on the switch.
72
Q

A user is attempting to register a BYOD device to the Cisco ISE deployment but needs to use the onboarding policy to request a digital certificate and provision the endpoint. What must be configured to accomplish this task?

A. The BYOD flow to ensure that the endpoint is provisioned prior to registering.
B. The Cisco Secure Client provisioning policy to provision the endpoint for onboarding.
C. A native supplicant provisioning policy to redirect the user to the BYOD portal for onboarding.
D. The posture provisioning policy to give the endpoint the required components prior to registering.
A

C. A native supplicant provisioning policy to redirect the user to the BYOD portal for onboarding.
73
Q

Which platform does a Windows-based device download the Network Assistant from?

A. Microsoft app store
B. Cisco ISE
C. native OS
D. Cisco download site
A

B. Cisco ISE
74
Q

An administrator must provide administrative access to the helpdesk users on production Cisco IOS routers. The solution must meet these requirements:

* Authenticate the users against Microsoft AD.
* Validate IOS commands run by users.

These configurations have been performed:

* joined Cisco ISE to AD
* retrieved AD groups
* added a router to Cisco ISE
* enabled Device Admin Service in Cisco ISE
* configured an authorization policy
* configured the routers for authentication and authorization

Which two components must be configured? (Choose two.)

A. TACACS command sets
B. authentication profile
C. authorization profile
D. TACACS profile
E. access control list to filter the IOS commands
A

A. TACACS command sets
D. TACACS profile
75
Q

An engineer must create an authentication policy in Cisco ISE to allow wired printers that lack support for 802.1X onto the network. What must the RadiusFlowType be set to in the policy to meet the requirement?

A. MAB
B. Wired_MAB
C. Compliant_Devices
D. Compliance_Unknown_Device
A

B. Wired_MAB
76
Q

An engineer is starting to implement a wired 802.1X project throughout the campus. The task is for failed authentication to be logged to Cisco ISE and also have a minimal impact on the users. Which command must the engineer configure?

A. monitor-mode enabled
B. authentication host-mode multi-auth
C. authentication open
D. pae dot1x enabled
A

C. authentication open
77
Q

An engineer wants to preselect AD groups to be used in the access policy after integrating Cisco ISE with Active Directory. Which configuration steps must the engineer take to assign groups to the AD on the identity management page?

A. external identity sources > active directory > groups
B. user identity groups > groups
C. external identity sources > groups > active directory
D. groups > user identity groups
A

A. external identity sources > active directory > groups
78
Q

An enterprise uses a separate PSN for each of its four remote sites. Recently, a user reported receiving an "EAP-TLS authentication failed" message when moving between remote sites. Which configuration must be applied on Cisco ISE?

A. Use a third-party certificate on the network device.
B. Add the device to all PSN nodes in the deployment.
C. Configure an authorization profile for the end users.
D. Renew the expired certificate on one of the PSNs.
A

D. Renew the expired certificate on one of the PSNs.
79
Q

An engineer must configure posture updates. The task is to ensure the latest set of predefined checks and operating system information is updated. The checks must take place regularly. Where in the Cisco ISE interface would the engineer make the necessary changes to the compliance module?

A. Administration > System > Settings > Updates > Posture
B. Administration > System > Settings > Updates > Schedule
C. Administration > System > Settings > Posture > Updates
D. Administration > System > Settings > Posture > Updates > Schedule
A

C. Administration > System > Settings > Posture > Updates
80
Q

An engineer must develop a policy that utilizes AD group membership on Cisco ISE. Which type of policy element must the engineer configure to create an AD group within a policy?

A. conditions
B. results
C. dictionaries
D. smart conditions
A

A. conditions
81
Q

An engineer is working on a switch and must tag packets with the SGT values that the switch learns via SXP. Which command must be entered to meet this requirement?

A. ip source guard
B. ip arp inspection
C. ip device tracking maximum
D. ip dhcp snooping
A

C. ip device tracking maximum
82
Q

Which file extension is required when deploying Cisco ISE using a ZTP configuration file in Microsoft Hyper-V?

A. .txt
B. .img
C. .tar
D. .iso
A

D. .iso
83
Q

A network engineer must enable a profiling probe. The profiling must obtain endpoint details through Active Directory. Where in the Cisco ISE interface would the engineer enable the probe?

A. Administration > Deployment > System > Profiling
B. Policy > Deployment > System > Profiling
C. Policy > Policy Elements > Profiling
D. Administration > System > Deployment > Profiling
A

D. Administration > System > Deployment > Profiling
84
Q

Guest users report repeated prompts to authenticate with the portal when connecting to a wireless network. An administrator must configure Cisco ISE to reduce the number of prompts. The solution must meet these requirements:

* Users must be authenticated once.
* When reconnecting to the visitor network, users do not need to be redirected to the login page.

Which action completes the configuration?

A. Configure an authorization profile to send a redirection access control list only for unauthenticated users.
B. Configure the Wi-Fi Guest Access policy to allow the GuestEndpoint group.
C. Configure an authorization rule for guest flow to bypass authenticated MAC address.
D. Configure an authentication rule for MAC Authentication Bypass users to add an authenticated MAC address in an identity group.
A

C. Configure an authorization rule for guest flow to bypass authenticated MAC address.
85
Q

A network is going through major hardware upgrades and is using Cisco ISE for network access control. Network devices are being added and removed regularly and the Cisco ISE administrators want to track new network devices. Which probe must be enabled to provide this visibility for Cisco ISE?

A. DHCP SPAN
B. SNMP query
C. SNMP trap
D. NetFlow
A

C. SNMP trap
86
Q

A network security administrator needs a web authentication configuration when a guest user connects to the network with a wireless connection using these steps:

* An initial MAB request is sent to the Cisco ISE node.
* Cisco ISE responds with a URL redirection authorization profile if the user's MAC address is unknown in the endpoint identity store.
* The URL redirection presents the user with an AUP acceptance page when the user attempts to go to any URL.

Which authentication must the administrator configure on Cisco ISE?

A. wired NAD with local WebAuth
B. WLC with local WebAuth
C. NAD with central WebAuth
D. device registration WebAuth
A

C. NAD with central WebAuth
87
Q

A network engineer received alerts from the monitoring platform that a switch port exists with multiple sessions. RADIUS CoA using Cisco ISE must be used to address the issue. Which RADIUS CoA configuration must be used?

A. port bounce
B. no CoA
C. exception
D. reauth
A

D. reauth
88
Q

The security team identified a rogue endpoint with MAC address 00:47:44:40:54:1A attached to the network. Which action must a security engineer take within Cisco ISE to effectively restrict network access for this endpoint?

A. Create authentication policy to force reauthentication.
B. Configure access control list on network switches to block traffic.
C. Add MAC address to the endpoint quarantine list.
D. Implement authentication policy to deny access.
A

C. Add MAC address to the endpoint quarantine list.
89
Q

An administrator must configure Cisco ISE to authenticate a user accessing a Cisco Adaptive Security Appliance firewall using SSH. The solution must meet these requirements:

* The local Cisco ISE database must be used for user authentication.
* ASA commands run by users must be validated.

The configurations were performed:

* added the Cisco Adaptive Security Appliance firewall
* configured user accounts
* enabled Device Admin Service in Cisco ISE
* configured a TACACS profile
* configured an authorization policy
* configured the Cisco Adaptive Security Appliance firewall for authentication and authorization

Which two actions must be taken in Cisco ISE? (Choose two.)

A. Enable local authentication.
B. Configure a user identity group.
C. Configure an authentication profile.
D. Configure TACACS command sets.
E. Configure an authorization profile.
A

B. Configure a user identity group.
D. Configure TACACS command sets.
90
Q

Which nodes are supported in a distributed Cisco ISE deployment? (Choose two.)

A. Policy Service nodes for session failover
B. Administration nodes for session failover
C. Monitoring nodes for pxGrid services
D. Policy Service nodes for automatic failover
A

A. Policy Service nodes for session failover
D. Policy Service nodes for automatic failover
91
Q

An engineer is starting to implement a wired 802.1X project throughout the campus. The task is to ensure that the authentication procedure is disabled on the ports but still allows all endpoints to connect to the network. Which port-control option must the engineer configure?

A. pae-disabled
B. auto
C. force-authorized
D. force-unauthorized
A

C. force-authorized
92
Q

An engineer wants to ease the management of endpoint identity groups from the Cisco ISE GUI. From the Identity Management menu in Cisco ISE, the engineer must be able to list the endpoint identity groups with a name that contains Android. Which task must the engineer perform?

A. Create and save a quick filter with name equals Android as the criteria.
B. Create an identity group named Android and set the parent group to profiled.
C. Create and save an advanced filter with name equals Android as the criteria.
D. Create an identity group named Android and populate the group with Android devices only.
A

C. Create and save an advanced filter with name equals Android as the criteria.
93
Q

Which controller option allows a user to switch from the provisioning SSID to the employee SSID after registration?

A. User Idle Timeout
B. AAA Override
C. Fast SSID Change
D. AP SSID Fallback
A

C. Fast SSID Change
94
Q

An engineer must use Cisco ISE profiler services to provide network access to Cisco IP phones that cannot support 802.1X. Cisco ISE is configured to use the access switch device sensor information system-description and platform-type to profile Cisco IP phones and allow access. Which two protocols must be configured on the switch to complete the configuration? (Choose two.)

A. SNMP
B. EAPOL
C. LLDP
D. STP
E. CDP
A

C. LLDP
E. CDP
95
Q

A network administrator is configuring a new access switch to use with Cisco ISE for network access control. There is a need to use a centralized server for the reauthentication timers. What must be configured in order to accomplish this task?

A. Issue the authentication timer reauthenticate server command on the switch.
B. Configure Cisco ISE to block access after a certain period of time.
C. Configure Cisco ISE to replace the switch configuration with new timers.
D. Issue the authentication periodic command on the switch.
A

A. Issue the authentication timer reauthenticate server command on the switch.
96
Q

A network engineer must configure a centralized Cisco ISE solution for wireless guest access with users in different time zones. The guest account activation time must be independent of the user time zone, and the guest account must be enabled automatically when the user self-registers on the guest portal. Which option in the time profile settings must be selected to meet the requirement?

A. Select FromFirstLogin from the Account Type dropdown.
B. Select FromCreation from the Account Type dropdown.
C. Set the Maximum Account Duration to 1 Day.
D. Set the Duration field to 24:00:00.
A

A. Select FromFirstLogin from the Account Type dropdown.
97
Q

An administrator must configure Cisco ISE profiling services and the Cisco switch device sensor feature to provide user access using the AD-Join-Point and AD-Operating-System attributes from the Active Directory Probe. These configurations were performed:

* configured all the required Cisco Wireless LAN Controller configurations
* enabled Active Directory probes
* configured a custom profiling policy
* joined Cisco ISE to Active Directory
* configured the authorization rule with full access permission

Which two actions complete the configuration? (Choose two.)

A. Configure an identity group for endpoints.
B. Enable the SNMP probe.
C. Configure a profiling logical profile.
D. Configure custom profiling conditions.
E. Enable the RADIUS probe.
A

D. Configure custom profiling conditions.
E. Enable the RADIUS probe.
98
Q

A network engineer must create a guest portal for wireless guests on Cisco ISE. The guest users must not be able to create accounts; however, the portal should require a username and password to connect. Which portal type must be created in Cisco ISE to meet the requirements?

A. Custom Guest Portal
B. Sponsored Guest Access
C. Self Registered Guest Access
D. Hotspot Guest Access
A

B. Sponsored Guest Access
99
Q

A technician must configure MAB on an access switch. Due to a protocol error, the technician discovers that MAB cannot authenticate. For MAB to function, which protocol must be enabled in the allowed protocols list?

A. EAP-TLS
B. MS-CHAPv2
C. Process Host Lookup
D. CHAP
A

C. Process Host Lookup
100
Q

A network engineer is configuring a Cisco WLC in order to find out more information about the devices that are connecting. This information must be sent to Cisco ISE to be used in authorization policies. Which profiling mechanism must be configured in the Cisco WLC to accomplish this task?

A. SNMP
B. CDP
C. DNS
D. DHCP
A

D. DHCP