Summer Sale - Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: dpt65

300-715 Questions and Answers

Question # 6

What must be configured on the WLC to configure Central Web Authentication using Cisco ISE and a WLC?

A.

Set the NAC State option to SNMP NAC.

B.

Set the NAC State option to RADIUS NAC.

C.

Use the radius-server vsa send authentication command.

D.

Use the ip access-group webauth in command.

Full Access
Question # 7

An administrator is configuring a new profiling policy within Cisco ISE The organization has several endpoints that are the same device type and all have the same Block ID in their MAC address. The profiler does not currently have a profiling policy created to categorize these endpoints. therefore a custom profiling policy must be created Which condition must the administrator use in order to properly profile an ACME Al Connector endpoint for network access with MAC address ?

A.

MAC_OUI_STARTSWITH_

B.

CDP_cdpCacheDevicelD_CONTAINS_

C.

MAC_MACAddress_CONTAINS_

D.

Radius Called Station-ID STARTSWITH

Full Access
Question # 8

A network security engineer needs to configure 802.1X port authentication to allow a single host to be authenticated for data and another single host to be authenticated for voice. Which command should the engineer run on the interface to accomplish this goal?

A.

authentication host-mode single-host

B.

authentication host-mode multi-auth

C.

authentication host-mode multi-host

D.

authentication host-mode multi-domain

Full Access
Question # 9

Refer to the exhibit. In which scenario does this switch configuration apply?

A.

when allowing a hub with multiple clients connected

B.

when passing IP phone authentication

C.

when allowing multiple IP phones to be connected

D.

when preventing users with hypervisor

Full Access
Question # 10

A network security administrator needs a web authentication configuration when a guest user connects to the network with a wireless connection using these steps:

. An initial MAB request is sent to the Cisco ISE node.

. Cisco ISE responds with a URL redirection authorization profile if the user's MAC address is unknown in the endpoint identity store.

. The URL redirection presents the user with an AUP acceptance page when the user attempts to go to any URL.

Which authentication must the administrator configure on Cisco ISE?

A.

device registration WebAuth

B.

WLC with local WebAuth

C.

wired NAD with local WebAuth

D.

NAD with central WebAuth

Full Access
Question # 11

An engineer must use Cisco ISE to provide network access to endpoints that cannot support 802.1X. The endpoint MAC addresses must be allowlisted by configuring an endpoint identity group. These configurations were performed:

    Configured an identity group named allowlist

    Configured the endpoints to use the MAC address of incompatible 802.1X devices

    Added the endpoints to the allowlist identity group

    Configured an authentication policy for MAB users

What must be configured?

A.

Authorization profile that has the PermitAccess permission and matches the allowlist identity group

B.

Authentication profile that has the PermitAccess permission and matches the allowlist identity group

C.

Authorization policy that has the PermitAccess permission and matches the allowlist identity group

D.

Logical profile that matches the allowlist identity group based on the configured policy

Full Access
Question # 12

Which protocol must be allowed for a BYOD device to access the BYOD portal?

A.

HTTP

B.

SMTP

C.

HTTPS

D.

SSH

Full Access
Question # 13

An engineer needs to configure a new certificate template in the Cisco ISE Internal Certificate Authority to prevent BYOD devices from needing to re-enroll when their MAC address changes. Which option must be selected in the Subject Alternative Name field?

A.

Common Name and GUID

B.

MAC Address and GUID

C.

Distinguished Name

D.

Common Name

Full Access
Question # 14

Which statement about configuring certificates for BYOD is true?

A.

An Android endpoint uses EST, whereas other operating systems use SCEP for enrollment

B.

The SAN field is populated with the end user name.

C.

An endpoint certificate is mandatory for the Cisco ISE BYOD

D.

The CN field is populated with the endpoint host name

Full Access
Question # 15

An engineer is implementing network access control using Cisco ISE and needs to separate the traffic based on the network device ID and use the IOS device sensor capability. Which probe must be used to accomplish this task?

A.

HTTP probe

B.

NetFlow probe

C.

network scan probe

D.

RADIUS probe

Full Access
Question # 16

A network engineer is in the predeployment discovery phase o! a Cisco ISE deployment and must discover the network. There is an existing network management system in the network. Which type of probe must be configured to gather the information?

A.

NetFlow

B.

RADIUS

C.

SNMP

D.

NMAP

Full Access
Question # 17

An engineer is configuring a new Cisco ISE node. Context-sensitive information must be shared between the Cisco ISE and a Cisco ASA. Which persona must be enabled?

A.

Administration

B.

Policy Service

C.

pxGrid

D.

Monitoring

Full Access
Question # 18

Which Cisco ISE deployment model provides redundancy by having every node in the deployment configured with the Administration. Policy Service, and Monitoring personas to protect from a complete node failure?

A.

distributed

B.

dispersed

C.

two-node

D.

hybrid

Full Access
Question # 19

Which two components are required for creating a Native Supplicant Profile within a BYOD flow? (Choose two)

A.

Windows Settings

B.

Connection Type

C.

iOS Settings

D.

Redirect ACL

E.

Operating System

Full Access
Question # 20

What is a function of client provisioning?

A.

It ensures an application process is running on the endpoint.

B.

It checks a dictionary' attribute with a value.

C.

It ensures that endpoints receive the appropriate posture agents

D.

It checks the existence date and versions of the file on a client.

Full Access
Question # 21

An organization has a fully distributed Cisco ISE deployment When implementing probes, an administrator must scan for unknown endpoints to learn the IP-to-MAC address bindings. The scan is complete on one FPSN. but the information is not available on the others. What must be done to make the information available?

A.

Scanning must be initiated from the PSN that last authenticated the endpoint

B.

Cisco ISE must learn the IP-MAC binding of unknown endpoints via DHCP profiling, not via scanning

C.

Scanning must be initiated from the MnT node to centrally gather the information

D.

Cisco ISE must be configured to learn the IP-MAC binding of unknown endpoints via RADIUS authentication, not via scanning

Full Access
Question # 22

An engineer is using Cisco ISE and configuring guest services to allow wireless devices to access the network. Which action should accomplish this task?

A.

Create the redirect ACL on the WLC and add it to the WLC policy

B.

Create the redirect ACL on the WLC and add it to the Cisco ISE policy.

C.

Create the redirect ACL on Cisco ISE and add it to the WLC policy

D.

Create the redirect ACL on Cisco ISE and add it to the Cisco ISE Policy

Full Access
Question # 23

An engineer is deploying Cisco ISE in a network that contains an existing Cisco Secure Firewall ASA. The customer requested that Cisco TrustSec be configured so that Cisco ISE and the firewall can share SGT information.

Which protocol must be configured on Cisco ISE to meet the requirement?

A.

PAC

B.

SXP

C.

RADIUS

D.

pxGrid

Full Access
Question # 24

An engineer is starting to implement a wired 802.1X project throughout the campus. The task is to ensure that the authentication procedure is disabled on the ports but still allows all endpoints to connect to the network. Which port-control option must the engineer configure?

A.

pae-disabled

B.

force-unauthorized

C.

auto

D.

force-authorized

Full Access
Question # 25

Refer to the exhibit. An engineer needs to configure central web authentication on the Cisco Wireless LAN Controller to use Cisco ISE for all guests connected to the wireless network. The components are configured already:

• Cisco Wireless LAN Controller is fully configured

• authorization profile on the Cisco ISE

• authentication policy on the Cisco ISE

Which component would be configured next on Cisco ISE?

A.

authorization policy

B.

authentication profile

C.

accounting profile

D.

authorization rule

Full Access
Question # 26

Which compliance status is set when a matching posture policy has been defined for that endpomt. but all the mandatory requirements during posture assessment are not met?

A.

unauthorized

B.

untrusted

C.

non-compliant

D.

unknown

Full Access
Question # 27

An administrator must deploy the Cisco Secure Client posture agent to employee endpoints that access a wireless network by using URL redirection in Cisco ISE. The compliance module must be downloaded from Cisco and uploaded to the Cisco ISE client provisioning resource. What must be used to upload the compliance module?

A.

Secure Client configuration

B.

agent resources from the local disk

C.

Secure Client posture profile

D.

Client Provisioning Portal

Full Access
Question # 28

An administrator must provide wired network access to unidentified Cisco devices that fail 802.1X authentication. Cisco ISE profiling services must be configured to gather Cisco Discovery Protocol and LLDP endpoint information from a Cisco switch. These configurations were performed:

• configured switches to accept SNMP queries from Cisco ISE

• enabled Cisco Discovery Protocol and LLDP on the switches

• added the switch as a NAD to Cisco ISE

What must be enabled to complete the configuration?

A.

SNMP traps on the switch

B.

SNMP MIBs in Cisco ISE

C.

SNMP Trap probe in Cisco ISE

D.

SNMP Query probe in Cisco ISE

Full Access
Question # 29

An organization wants to enable web-based guest access for both employees and visitors The goal is to use a single portal for both user types Which two authentication methods should be used to meet this requirement? (Choose two )

A.

LDAP

B.

802 1X

C.

Certificate-based

D.

LOCAL

E.

MAC based

Full Access
Question # 30

What is a function of client provisioning?

A.

Client provisioning ensures that endpoints receive the appropriate posture agents.

B.

Client provisioning checks a dictionary attribute with a value.

C.

Client provisioning ensures an application process is running on the endpoint.

D.

Client provisioning checks the existence, date, and versions of the file on a client.

Full Access
Question # 31

A customer wants to set up the Sponsor portal and delegate the authentication flow to a third party for added security while using Kerberos Which database should be used to accomplish this goal?

A.

RSA Token Server

B.

Active Directory

C.

Local Database

D.

LDAP

Full Access
Question # 32

A user reports that the RADIUS accounting packets are not being seen on the Cisco ISE server.

Which command is the user missing in the switch’s configuration?

A.

radius-server vsa send accounting

B.

aaa accounting network default start-stop group radius

C.

aaa accounting resource default start-stop group radius

D.

aaa accounting exec default start-stop group radios

Full Access
Question # 33

Which portal is used to customize the settings for a user to log in and download the compliance module?

A.

Client Profiling

B.

Client Endpoint

C.

Client Provisioning

D.

Client Guest

Full Access
Question # 34

A network administrator is currently using Cisco ISE to authenticate devices and users via 802 1X There is now a need to also authorize devices and users using EAP-TLS. Which two additional components must be configured in Cisco ISE to accomplish this'? (Choose two.)

A.

Network Device Group

B.

Serial Number attribute that maps to a CA Server

C.

Common Name attribute that maps to an identity store

D.

Certificate Authentication Profile

E.

EAP Authorization Profile

Full Access
Question # 35

MacOS users are complaining about having to read through wordy instructions when remediating their workstations to gam access to the network Which alternate method should be used to tell users how to remediate?

A.

URL link

B.

message text

C.

executable

D.

file distribution

Full Access
Question # 36

A security administrator is using Cisco ISE to create a BYOD onboarding solution for all employees who use personal devices on the corporate network. The administrator generates a Certificate Signing Request and signs the request using an external Certificate Authority server. Which certificate usage option must be selected when importing the certificate into ISE?

A.

RADIUS

B.

DLTS

C.

Portal

D.

Admin

Full Access
Question # 37

In which two ways can users and endpoints be classified for TrustSec?

(Choose Two.)

A.

VLAN

B.

SXP

C.

dynamic

D.

QoS

E.

SGACL

Full Access
Question # 38

An administrator is attempting to replace the built-in self-signed certificates on a Cisco ISE appliance. The CA is requesting some information about the appliance in order to sign the new certificate. What must be done in order to provide the CA this information?

A.

Install the Root CA and intermediate CA.

B.

Generate the CSR.

C.

Download the intermediate server certificate.

D.

Download the CA server certificate.

Full Access
Question # 39

What is a characteristic of the UDP protocol?

A.

UDP can detect when a server is down.

B.

UDP offers best-effort delivery

C.

UDP can detect when a server is slow

D.

UDP offers information about a non-existent server

Full Access
Question # 40

A company manager is hosting a conference. Conference participants must connect to an open guest SSID and only use a preassigned code that they enter into the guest portal prior to gaining access to the network. How should the manager configure Cisco ISE to accomplish this goal?

A.

Create entries in the guest identity group for all participants.

B.

Create an access code to be entered in the AUP page.

C.

Create logins for each participant to give them sponsored access.

D.

Create a registration code to be entered on the portal splash page.

Full Access
Question # 41

An engineer is configuring web authentication using non-standard ports and needs the switch to redirect traffic to the correct port. Which command should be used to accomplish this task?

A.

permit tcp any any eq

B.

aaa group server radius proxy

C.

ip http port

D.

aaa group server radius

Full Access
Question # 42

An enterprise uses a separate PSN for each of its four remote sites. Recently, a user reported receiving an "EAP-TLS authentication failed" message when moving between remote sites. Which configuration must be applied on Cisco ISE?

A.

Use a third-party certificate on the network device.

B.

Add the device to all PSN nodes in the deployment.

C.

Renew the expired certificate on one of the PSN.

D.

Configure an authorization profile for the end users.

Full Access
Question # 43

Users in an organization report issues about having to remember multiple usernames and passwords. The network administrator wants the existing Cisco ISE deployment to utilize an external identity source to alleviate this issue. Which two requirements must be met to implement this change? (Choose two.)

A.

Enable IPC access over port 80.

B.

Ensure that the NAT address is properly configured

C.

Establish access to one Global Catalog server.

D.

Provide domain administrator access to Active Directory.

E.

Configure a secure LDAP connection.

Full Access
Question # 44

If a user reports a device lost or stolen, which portal should be used to prevent the device from accessing the network while still providing information about why the device is blocked?

A.

Client Provisioning

B.

Guest

C.

BYOD

D.

Blacklist

Full Access
Question # 45

Which three default endpoint identity groups does cisco ISE create? (Choose three)

A.

Unknown

B.

whitelist

C.

end point

D.

profiled

E.

blacklist

Full Access
Question # 46

An administrator needs to give the same level of access to the network devices when users are logging into them using TACACS+ However, the administrator must restrict certain commands based on one of three user roles that require different commands How is this accomplished without creating too many objects using Cisco ISE?

A.

Create one shell profile and multiple command sets.

B.

Create multiple shell profiles and multiple command sets.

C.

Create one shell profile and one command set.

D.

Create multiple shell profiles and one command set

Full Access
Question # 47

A network engineer needs to ensure that the access credentials are not exposed during the 802.1x authentication among components. Which two protocols should complete this task?

A.

PEAP

B.

EAP-MD5

C.

LEAP

D.

EAP-TLS

E.

EAP-TTLS

Full Access
Question # 48

An engineer is configuring sponsored guest access and needs to limit each sponsored guest to a maximum of two devices. There are other guest services in production that rely on the default guest types. How should this configuration change be made without disrupting the other guest services currently offering three or more guest devices per user?

A.

Create an ISE identity group to add users to and limit the number of logins via the group configuration.

B.

Create a new guest type and set the maximum number of devices sponsored guests can register

C.

Create an LDAP login for each guest and tag that in the guest portal for authentication.

D.

Create a new sponsor group and adjust the settings to limit the devices for each guest.

Full Access
Question # 49

Which two default guest portals are available with Cisco ISE? (Choose two.)

A.

visitor

B.

WIFI-access

C.

self-registered

D.

central web authentication

E.

sponsored

Full Access
Question # 50

Drag and drop the description from the left onto the protocol on the right that is used to carry out system authentication, authentication, and accounting.

Full Access
Question # 51

An engineer is configuring a guest password policy and needs to ensure that the password complexity requirements are set to mitigate brute force attacks. Which two requirement complete this policy? (Choose two)

A.

minimum password length

B.

active username limit

C.

access code control

D.

gpassword expiration period

E.

username expiration date

Full Access
Question # 52

Refer to the exhibit.

An organization recently implemented network device administration using Cisco ISE. Upon testing the ability to access all of the required devices, a user in the Cisco ISE group IT Admins is attempting to login to a device in their organization's finance department but is unable to. What is the problem?

A.

The IT training rule is taking precedence over the IT Admins rule.

B.

The authorization conditions wrongly allow IT Admins group no access to finance devices.

C.

The finance location is not a condition in the policy set.

D.

The authorization policy doesn't correctly grant them access to the finance devices.

Full Access
Question # 53

An engineer is configuring posture assessment for their network access control and needs to use an agent that supports using service conditions as conditions for the assessment. The agent should be run as a background process to avoid user interruption but when it is run. the user can see it. What is the problem?

A.

The engineer is using the "Anyconnect” posture agent but should be using the "Stealth Anyconnect posture agent

B.

The posture module was deployed using the headend instead of installing it with SCCM

C.

The user was in need of remediation so the agent appeared m the notifications

D.

The proper permissions were no! given to the temporal agent to conduct the assessment

Full Access
Question # 54

Refer to the exhibit.

An engineer is configuring a client but cannot authenticate to Cisco ISE During troubleshooting, the show authentication sessions command was issued to display the authentication status of each port Which command gives additional information to help identify the problem with the authentication?

A.

show authentication sessions

B.

show authentication sessions Interface Gil/0/1 output

C.

show authentication sessions interface Gi1/0/1 details

D.

show authentication sessions output

Full Access
Question # 55

A network administrator must configure Cisco SE Personas in the company to share session information via syslog. Which Cisco ISE personas must be added to syslog receivers to accomplish this goal?

A.

pxGrid

B.

admin

C.

policy services

D.

monitor

Full Access
Question # 56

An engineer is deploying a new guest WLAN for a company. The company wants this WLAN to use a sponsored guest portal for secure guest access. The wireless LAN controller must direct the guests to a web page on Cisco ISE for authentication. Which type of authentication must be configured for the guest portal in Cisco ISE?

A.

EWA

B.

DWA

C.

CWA

D.

web portal

Full Access
Question # 57

An engineer is configuring 802.1X and is testing out their policy sets. After authentication, some endpoints are given an access-reject message but are still allowed onto the network. What is causing this issue to occur?

A.

The switch port is configured with authentication event server dead action authorize vlan.

B.

The authorization results for the endpoints include a dACL allowing access.

C.

The authorization results for the endpoints include the Trusted security group tag.

D.

The switch port is configured with authentication open.

Full Access
Question # 58

What is the Microsoft security policy recommendation (or fast user switching in Cisco ISE?

A.

Disable BYOD posture agent.

B.

Enable fast user switching.

C.

Disable fast user switching.

D.

Enable Cisco Secure Client posture agent.

Full Access
Question # 59

A network engineer is configuring a Cisco Wireless LAN Controller in order to find out more information about the devices that are connecting. This information must be sent to Cisco ISE to be used in authorization policies. Which profiling mechanism must be configured in the Cisco Wireless LAN Controller to accomplish this task?

A.

DNS

B.

CDP

C.

DHCP

D.

ICMP

Full Access
Question # 60

An administrator has added a new Cisco ISE PSN to their distributed deployment. Which two features must the administrator enable to accept authentication requests and profile the endpoints correctly, and add them to their respective endpoint identity groups? (Choose two )

A.

Session Services

B.

Endpoint Attribute Filter

C.

Posture Services

D.

Profiling Services

E.

Radius Service

Full Access
Question # 61

Which default "guest type" is included with Cisco ISE?

A.

visitors

B.

sponsor

C.

guest

D.

contractor

Full Access
Question # 62

What is the default port used by Cisco ISE for NetFlow version 9 probe?

A.

UDP 9996

B.

UDP 9997

C.

UDP 9998

D.

UDP 9999

Full Access
Question # 63

An administrator needs to connect ISE to Active Directory as an external authentication source and allow the proper ports through the firewall. Which two ports should be opened to accomplish this task? (Choose two)

A.

TELNET 23

B.

LDAP 389

C.

HTTP 80

D.

HTTPS 443

E.

MSRPC 445

Full Access
Question # 64

An administrator plans to use Cisco ISE to deploy posture policies to assess Microsoft Windows endpoints that run Cisco Secure Client. The administrator wants to minimize the occurrence of messages related to unknown posture profiles if Cisco ISE fails to determine the posture of the endpoint. Secure Client is deployed to all the endpoints. and all the required Cisco ISE authentication, authorization, and posture policy configurations were performed. Which action must be taken next to complete the configuration?

A.

Install the latest version of the Secure Client client on the endpoints.

B.

Enable Cisco ISE posture on Secure Client configuration.

C.

Configure a native supplicant on the endpoints to support the posture policies.

D.

Install the compliance module on the endpoints.

Full Access
Question # 65

Which controller option allows a user to switch from the provisioning SSID to the employee SSID after registration?

A.

User Idle Timeout

B.

Fast SSID Change

C.

AP SSID Fallback

D.

AAA Override

Full Access
Question # 66

An engineer needs to export a file in CSV format, encrypted with the password C1$c0438563935, and contains users currently configured in Cisco ISE. Drag and drop the steps from the left into the sequence on the right to complete this task.

Full Access
Question # 67

Which two features should be used on Cisco ISE to enable the TACACS+ feature? (Choose two )

A.

External TACACS Servers

B.

Device Admin Service

C.

Device Administration License

D.

Server Sequence

E.

Command Sets

Full Access
Question # 68

The IT manager wants to provide different levels of access to network devices when users authenticate using TACACS+. The company needs specific commands to be allowed based on the Active Directory group membership of the different roles within the IT department. The solution must minimize the number of objects created in Cisco ISE. What must be created to accomplish this task?

A.

one shell profile and one command set

B.

multiple shell profiles and one command set

C.

one shell profile and multiple command sets

D.

multiple shell profiles and multiple command sets

Full Access
Question # 69

A network administrator is configuring a new access switch to use with Cisco ISE for network access control. There is a need to use a centralized server for the reauthentication timers. What must be configured in order to accomplish this task?

A.

Configure Cisco ISE to replace the switch configuration with new timers.

B.

Configure Cisco ISE to block access after a certain period of time.

C.

Issue the authentication timer reauthenticate server command on the switch.

D.

Issue the authentication periodic command on the switch.

Full Access
Question # 70

An engineer wants to use certificate authentication for endpoints that connect to a wired network integrated with Cisco ISE. The engineer needs to define the certificate field used as the principal username. Which component would be needed to complete the configuration?

A.

Authorization rule

B.

Authorization profile

C.

Authentication policy

D.

Authentication profile

Full Access
Question # 71

In a standalone Cisco ISE deployment, which two personas are configured on a node? (Choose two )

A.

publisher

B.

administration

C.

primary

D.

policy service

E.

subscriber

Full Access
Question # 72

What are two benefits of TACACS+ versus RADIUS for device administration? (Choose two )

A.

TACACS+ supports 802.1X, and RADIUS supports MAB

B.

TACACS+ uses UDP, and RADIUS uses TCP

C.

TACACS+ has command authorization, and RADIUS does not.

D.

TACACS+ provides the service type, and RADIUS does not

E.

TACACS+ encrypts the whole payload, and RADIUS encrypts only the password.

Full Access
Question # 73

A Cisco ISE server sends a CoA to a NAD after a user logs in successfully using CWA Which action does the CoA perform?

A.

It terminates the client session

B.

It applies the downloadable ACL provided in the CoA

C.

It applies new permissions provided in the CoA to the client session.

D.

It triggers the NAD to reauthenticate the client

Full Access
Question # 74

Wireless network users authenticate to Cisco ISE using 802.1X through a Cisco Catalyst switch. An engineer must create an updated configuration to assign a security group tag to the user's traffic using inline tagging to prevent unauthenticated users from accessing a restricted server. The configurations were performed:

• configured Cisco ISE as a Cisco TrustSec AAA server

• configured the switch as a RADIUS device in Cisco ISE

• configured the wireless LAN controller as a TrustSec device in Cisco ISE

• created a security group tog for the wireless users

• created a certificate authentication profile

■ created an identity source sequence

• assigned an appropriate security group tag to the wireless users

• defined security group access control lists to specify an egress policy

• enforced the access control lists on the TrustSec policy matrix in Cisco ISE

• configured TrustSec on the switch

• configured TrustSec on the wireless LAN controller

Which two actions must be taken to complete the configuration? (Choose two.)

A.

Configure Security Group Tag Exchange Protocol on the wireless LAN controller.

B.

Configure Security Group Tag Exchange Protocol to distribute IP to security group tags on Cisco ISE.

C.

Configure inline tag propagation on the switch and wireless LAN controller.

D.

Create static IP-to-SGT mapping for the restricted web server.

E.

Configure Security Group Tag Exchange Protocol on the switch.

Full Access
Question # 75

An engineer must use Cisco ISE to provide network access to endpoints that cannot support 802.1X. The endpoint MAC addresses must be allowlisted by configuring an endpoint identity group. These configurations were performed:

• configured an identity group named allowlist

• configured the endpoints to use the MAC address of incompatible 802.1X devices

• added the endpoints to the allowlist identity group

• configured an authentication policy for MAB users

What must be configured?

A.

authorization profile that has the PermitAccess permission and matches the allowlist identity group

B.

logical profile that matches the allowlist identity group based on the configured policy

C.

authentication profile that has the PermitAccess permission and matches the allowlist identity group authorization policy that has the PermitAccess permission and matches the allowlist identity group

D.

authorization policy that has the PermitAccess permission and matches the allowtist identity group

Full Access
Question # 76

An engineer needs to configure a compliance policy on Cisco ISE to ensure that the latest encryption software is running on the C drive of all endpoints. Drag and drop the configuration steps from the left into the sequence on the right to accomplish this task.

Full Access
Question # 77

An administrator must block access to BYOD endpoints that were onboarded without a certificate and have been reported as stolen in the Cisco ISE My Devices Portal. Which condition must be used when configuring an authorization policy that sets DenyAccess permission?

A.

Endpoint Identity Group is Blocklist, and the BYOD state is Registered.

B.

Endpoint Identify Group is Blocklist, and the BYOD state is Pending.

C.

Endpoint Identity Group is Blocklist, and the BYOD state is Lost.

D.

Endpoint Identity Group is Blocklist, and the BYOD state is Reinstate.

Full Access
Question # 78

An administrator is configuring the Native Supplicant Profile to be used with the Cisco ISE posture agents and needs to test the connection using wired devices to determine which profile settings are available. Which two configuration settings should be used to accomplish this task? (Choose two.)

A.

authentication mode

B.

proxy host/IP

C.

certificate template

D.

security

E.

allowed protocol

Full Access
Question # 79

An administrator is configuring a switch port for use with 802 1X What must be done so that the port will allow voice and multiple data endpoints?

A.

Configure the port with the authentication host-mode multi-auth command

B.

Connect the data devices to the port, then attach the phone behind them.

C.

Use the command authentication host-mode multi-domain on the port

D.

Connect a hub to the switch port to allow multiple devices access after authentication

Full Access
Question # 80

What does the dot1x system-auth-control command do?

A.

causes a network access switch not to track 802.1x sessions

B.

globally enables 802.1x

C.

enables 802.1x on a network access device interface

D.

causes a network access switch to track 802.1x sessions

Full Access
Question # 81

An engineer is tasked with placing a guest access anchor controller in the DMZ. Which two ports or port sets must be opened up on the firewall to accomplish this task? (Choose two.)

A.

UDP port 1812 RADIUS

B.

TCP port 161

C.

TCP port 514

D.

UDP port 79

E.

UDP port 16666

Full Access
Question # 82

Which command displays all 802 1X/MAB sessions that are active on the switch ports of a Cisco Catalyst switch?

A.

show authentication sessions output

B.

Show authentication sessions

C.

show authentication sessions interface Gi 1/0/x

D.

show authentication sessions interface Gi1/0/x output

Full Access
Question # 83

An engineer is enabling a newly configured wireless SSID for tablets and needs visibility into which other types of devices are connecting to it. What must be done on the Cisco WLC to provide this information to Cisco ISE9

A.

enable IP Device Tracking

B.

enable MAC filtering

C.

enable Fast Transition

D.

enable mDNS snooping

Full Access
Question # 84

An administrator is troubleshooting an endpoint that is supposed to bypass 802 1X and use MAB. The endpoint is bypassing 802.1X and successfully getting network access using MAB. however the endpoint cannot communicate because it cannot obtain an IP address. What is the problem?

A.

The DHCP probe for Cisco ISE is not working as expected.

B.

The 802.1 X timeout period is too long.

C.

The endpoint is using the wrong protocol to authenticate with Cisco ISE.

D.

An AC I on the port is blocking HTTP traffic

Full Access
Question # 85

What is the deployment mode when two Cisco ISE nodes are configured in an environment?

A.

distributed

B.

active

C.

standalone

D.

standard

Full Access
Question # 86

Which Cisco ISE solution ensures endpoints have the latest version of antivirus updates installed before being allowed access to the corporate network?

A.

Threat Services

B.

Profiling Services

C.

Provisioning Services

D.

Posture Services

Full Access
Question # 87

What is a requirement for Feed Service to work?

A.

TCP port 3080 must be opened between Cisco ISE and the feed server

B.

Cisco ISE has a base license.

C.

Cisco ISE has access to an internal server to download feed update

D.

Cisco ISE has Internet access to download feed update

Full Access
Question # 88

Which use case validates a change of authorization?

A.

An authenticated, wired EAP-capable endpoint is discovered

B.

An endpoint profiling policy is changed for authorization policy.

C.

An endpoint that is disconnected from the network is discovered

D.

Endpoints are created through device registration for the guests

Full Access