4 Flashcards
4 (36 cards)
Which device acts as an authenticator during the 802.1X authentication process?
A. RADIUS server B. Cisco switch C. LDAP server D. Cisco ISE PSN
B. Cisco switch
An engineer must use certificate authentication for endpoints that connect to a wired network with a Cisco ISE deployment. The engineer must define the certificate field used as the principal username. What is needed to complete the configuration?
A. authorization profile B. authentication policy C. authorization rule D. authentication profile
D. authentication profile
What is a difference between TACACS+ compared to RADIUS? (Choose two.)
A. TACACS+ encrypts only the password, and RADIUS encrypts the entire packet payload. B. TACACS+ uses a connection-oriented transport, and RADIUS uses a connectionless transport. C. TACACS+ supports 802.1X network access control, and RADIUS supports only MAB. D. TACACS+ offers multiple protocol support, and RADIUS supports only IP traffic.
B. TACACS+ uses a connection-oriented transport, and RADIUS uses a connectionless transport.
D. TACACS+ offers multiple protocol support, and RADIUS supports only IP traffic.
A client with MAC address 04:77:10:14:67:AB connects to the network. The client does not support 802.1X. Which setting must be enabled in the Allowed Authentication Protocols list in your Authentication Policy for Cisco ISE Server to support MAB authentication for this MAC address?
A. Process Host Lookup B. EAP-FAST C. EAP-TTLS D. MS-CHAPv2
A. Process Host Lookup
A network engineer must configure a policy rule to check the endpoint. The policy must ensure disk encryption is enabled and the appropriate antivirus software version is installed. Which configuration must the engineer apply to the rule?
A. dictionary compound condition B. compound posture condition C. simple posture condition D. dictionary simple condition
B. compound posture condition
Which persona configuration feature is used when setting personas in Cisco ISE for a node that will give network access and receive RADIUS requests?
A. pxGrid Node B. Monitoring Node C. Policy Service Node D. Policy Administration Node
C. Policy Service Node
https://img.examtopics.com/300-715/image11.png
Refer to the exhibit. An engineer needs to configure central web authentication on the Cisco Wireless LAN Controller to use Cisco ISE for all guests connected to the wireless network. The components are configured:
- Cisco Wireless LAN Controller
- authorization profile on the Cisco ISE
- authentication rule on the Cisco ISE
What must be configured next on the Cisco ISE?
A. authorization rule B. authorization policy C. accounting profile D. authentication profile
B. authorization policy
An endpoint with the MAC address 04:85:70:26:64:AB attempts to connect to the network. The security administrator wants to ensure that before authentication, only limited access is provided for services including DHCP and DNS. Full network access is only granted upon successful 802.1X authentication. Which ISE deployment mode should the administrator configure to meet the requirements?
A. low-impact mode B. closed mode C. monitor mode D. open mode
A. low-impact mode
What is a difference between TACACS+ as compared to RADIUS from an AAA perspective?
A. TACACS+ separates AAA services, whereas RADIUS combines authentication and authorization. B. TACACS+ combines all roles into a single privilege level, whereas RADIUS separates privilege levels. C. TACACS+ supports only Cisco devices, whereas RADIUS supports any RADIUS-compatible device. D. TACACS+ supports only local authentication, whereas RADIUS supports remote authentication.
A. TACACS+ separates AAA services, whereas RADIUS combines authentication and authorization.
A network engineer must configure BYOD using Cisco ISE. In the deployment, the users must be able to submit CSR through the end devices. Which two features must be enabled to meet the requirement? (Choose two.)
A. Define a certificate group tag. B. A new BYOD portal must be created. C. Add SuperAdmin account into portal admin group. D. Cisco ISE internal CA service must be enabled. E. A certificate provisioning portal must be configured.
D. Cisco ISE internal CA service must be enabled.
E. A certificate provisioning portal must be configured.
An administrator must deploy the Cisco Secure Client posture agent to employee endpoints that access a wireless network by using URL redirection in Cisco ISE. The compliance module must be downloaded from Cisco and uploaded to the Cisco ISE client provisioning resource. What must be used to upload the compliance module?
A. Client Provisioning Portal B. Secure Client configuration C. agent resources from the local disk D. Secure Client posture profile
A. Client Provisioning Portal
An administrator must configure Cisco ISE to authenticate the administrative superuser to manage a Cisco Adaptive Security Appliance firewall. The solution must meet the requirements:
- The user must be authenticated against Microsoft AD.
- The user must have full management administrative access to the Cisco Adaptive Security Appliance firewall.
- The user must not use the enable command.
The configurations were performed:
- joined Cisco ISE to AD and retrieved AD groups
- added the Cisco Adaptive Security Appliance firewall
- enabled Device Admin Service in Cisco ISE
- configured TACACS command sets
- configured a TACACS profile
- configured an authorization policy
- configured the Cisco Adaptive Security Appliance firewall for authentication and authorization
Which two actions must be performed in Cisco ISE? (Choose two.)
A. Configure an authentication profile on Cisco ISE. B. Set Default Privilege to 1 and Maximum Privilege to 15 in the TACACS profile. C. Add all authorized admin commands to the TACACS profile. D. Set Default Privilege to 15 and Maximum Privilege to 15 in the TACACS profile. E. Select "Permit any command that is not listed below" in the TACACS profile.
D. Set Default Privilege to 15 and Maximum Privilege to 15 in the TACACS profile.
E. Select “Permit any command that is not listed below” in the TACACS profile.
What is a primary function of RADIUS compared to TACACS?
A. RADIUS provides AAA for network access, whereas TACACS provides AAA for device administration. B. RADIUS supports command accounting, whereas TACACS supports only start/stop accounting. C. RADIUS supports multiple privilege levels, whereas TACACS supports only one privilege level. D. RADIUS supports command authorization, whereas TACACS provides no support for commands.
A. RADIUS provides AAA for network access, whereas TACACS provides AAA for device administration.
Which two external identity stores are supported by Cisco ISE for password types? (Choose two.)
A. TACACS+ Token Server B. RADIUS Token Server C. LDAP D. SQL E. ODBC
B. RADIUS Token Server
C. LDAP
An engineer configures Cisco ISE and Cisco Catalyst switches to enforce Cisco TrustSec policies. The engineer must use a nondisruptive deployment approach for new devices by deploying TrustSec policies in staging, preproduction, and production. Which action must be taken to complete the configuration?
A. Configure Security Group Tag Exchange Protocol on the new devices and integrate the devices in groups with Cisco ISE. B. Configure policy matrices in Cisco ISE and assign the new devices to the policy matrices. C. Integrate the new devices in staging, preproduction, and production network device groups. D. Configure a different security group tag for the new devices in the staging, preproduction, and production stages.
A. Configure Security Group Tag Exchange Protocol on the new devices and integrate the devices in groups with Cisco ISE.
Using the SAML protocol, an administrator must configure the Cisco ISE Sponsor portal to authenticate users with an external Microsoft Active Directory Federation Services server. The configurations were performed:
- created a new SAML identity provider profile in Cisco ISE
- exported the service provider information
- configured all the required Active Directory Federation Services configurations
- imported the Active Directory Federation Services metadata
- configured groups in the new SAML identity provider profile
- added attributes to the new SAML identity provider profile
- configured Advanced Settings in the new SAML identity provider profile
Which two actions must be taken to complete the configuration? (Choose two.)
A. Configure the Sponsor portal HTTPS port for Active Directory Federation Services integration B. Configure an identity source sequence in the Sponsor portal C. Allow Kerberos single sign-on on the Sponsor portal D. Customize the Sponsor portal pages for integration with Active Directory Federation Services E. Add SAML identity provider groups in Sponsor Group Members
B. Configure an identity source sequence in the Sponsor portal
E. Add SAML identity provider groups in Sponsor Group Members
A network administrator must restrict sponsor account privileges for managing guest accounts on Cisco ISE for a new account that is being created. Sponsor groups currently exist for each business unit. The new sponsor that is being added must be restricted to only managing guest accounts created by sponsors from the same sponsor group. In which group must the new sponsor account be configured?
A. GROUP_ACCOUNTS B. OWN_ACCOUNTS C. ALL_ACCOUNTS D. ALL_EMPLOYEES
B. OWN_ACCOUNTS
Drag and drop the steps of the onboarding process from the left into the order they authenticate on the right. Not all options are used.
- The employee connects to the open SSID before the provisioning process, and the employee must connect to the corporate SSID after the process.
- The authentication used to connect to the corporate SSID is used for single sign-on to the onboarding and provisioning process.
- The employee must configure the supplicant on the device to connect to the corporate SSID.
- A change of authorization is used to provide full access after the provisioning process without requiring the employee to reconnect to the network.
SINGLE SSID
- The authentication used to connect to the corporate SSID is used for single sign-on to the onboarding and provisioning process.
- The employee must configure the supplicant on the device to connect to the corporate SSID.
- A change of authorization is used to provide full access after the provisioning process without requiring the employee to reconnect to the network.
An engineer must configure a posture policy with Cisco Temporal Agent workflow. Which two configurations must the engineer apply to meet the requirement? (Choose two.)
A. Configure the Secure Client Posture module. B. Configure the client provisioning policy. C. Create the posture requirements. D. Create the posture condition. E. Configure client provisioning resources.
C. Create the posture requirements.
D. Create the posture condition.
Which nodes are supported in a distributed Cisco ISE deployment?
A. Monitoring nodes for pxGrid services B. Policy Service nodes for session failover C. Policy Service nodes for automatic failover D. Administration nodes for session failover
B. Policy Service nodes for session failover
A network security administrator must integrate Cisco ISE with Active Directory. The administrator must carry out a join operation. Which action must the security administrator take?
A. Search Active Directory to see if admin user account exists B. Remove the ISE machine account from the domain C. Join Cisco ISE to the Active Directory domain D. Remove Cisco ISE user account from the domain.
C. Join Cisco ISE to the Active Directory domain
An engineer is deploying Cisco ISE in a network that contains an existing Cisco Secure Firewall ASA. The customer requested that Cisco TrustSec be configured so that Cisco ISE and the firewall can share SGT information. Which protocol must be configured on Cisco ISE to meet the requirement?
A. RADIUS B. pxGrid C. PAC D. SXP
D. SXP
Which component of the 802.1X authentication process provides the identity credentials and communicates using EAP at Layer 2?
A. authentication server B. authenticator C. authentication database D. supplicant
D. supplicant
An engineer is configuring a new Cisco ISE node. The Cisco ISE must make authorization decisions based on the threat and vulnerability attributes received from the threat and vulnerability adapters. Which persona must be enabled?
A. pxGrid B. Policy Service C. Administration D. Monitoring
A. pxGrid