Cisco 300-715 Dumps

Total 295 questions

Implementing and Configuring Cisco Identity Services Engine (SISE) v4.0 (300-715 SISE) Questions and Answers

Question 1

A network administrator is setting up wireless guest access and has been unsuccessful in testing client access. The endpoint is able to connect to the SSID but is unable to grant access to the guest network through the guest portal. What must be done to identify the problem?

Options:

A.

Use context visibility to verify posture status.

B.

Use the endpoint ID to execute a session trace.

C.

Use the identity group to validate the authorization rules.

D.

Use traceroute to ensure connectivity.

Question 2

The Cisco Wireless LAN Controller and guest portal must be set up in Cisco ISE. These configurations were performed:

• configured all the required Cisco Wireless LAN Controller configurations

• added the wireless controller to Cisco ISE network devices

• created an endpoint identity group

• configured credentials to be sent by email

• configured the SMTP server

• configured an authorization profile with redirection to the guest portal and redirected the access control list

• configured an authentication policy for MAB users

• created an authorization policy

Which two components would be required to complete the configuration? (Choose two.)

Options:

A.

sponsor group

B.

hotspot guest portal

C.

sponsor portal

D.

self-registered guest portal

E.

guest type

Question 3

There is a need within an organization for a new policy to be created in Cisco ISE. It must validate that a specific anti-virus application is not only installed, but running on a machine before it is allowed access to the network. Which posture condition should the administrator configure in order for this policy to work?

Options:

A.

file

B.

registry

C.

application

D.

service

Question 4

Which two features must be used on Cisco ISE to enable the TACACS+ feature? (Choose two)

Options:

A.

Device Administration License

B.

Server Sequence

C.

Command Sets

D.

Enable Device Admin Service

E.

External TACACS Servers

Question 5

Which protocol must be allowed for a BYOD device to access the BYOD portal?

Options:

A.

HTTP

B.

SMTP

C.

HTTPS

D.

SSH

Question 6

A Cisco device has a port configured in multi-authentication mode and is accepting connections only from hosts assigned the SGT of SGT_0422048549. The VLAN trunk link supports a maximum of 8 VLANs. What is the reason for these restrictions?

Options:

A.

The device is performing inline tagging without acting as a SXP speaker

B.

The device is performing inline tagging while acting as a SXP speaker

C.

The IP subnet addresses are dynamically mapped to an SGT.

D.

The IP subnet addresses are statically mapped to an SGT

Question 7

An organization is adding nodes to their Cisco ISE deployment and has two nodes designated as primary and secondary PAN and MnT nodes. The organization also has four PSNs. An administrator is adding two more PSNs to this deployment but is having problems adding one of them. What is the problem?

Options:

A.

The new nodes must be set to primary prior to being added to the deployment

B.

The current PAN is only able to track a max of four nodes

C.

Only five PSNs are allowed to be in the Cisco ISE cube if configured this way.

D.

One of the new nodes must be designated as a pxGrid node

Question 8

Which profiling probe collects the user-agent string?

Options:

A.

DHCP

B.

AD

C.

HTTP

D.

NMAP

Question 9

An engineer is configuring static SGT classification. Which configuration should be used when authentication is disabled and third-party switches are in use?

Options:

A.

VLAN to SGT mapping

B.

IP Address to SGT mapping

C.

L3IF to SGT mapping

D.

Subnet to SGT mapping

Question 10

A Cisco ISE administrator must restrict specific endpoints from accessing the network while in closed mode. The requirement is to have Cisco ISE centrally store the endpoints to restrict access from. What must be done to accomplish this task?

Options:

A.

Add each MAC address manually to a blocklist identity group and create a policy denying access

B.

Create a logical profile for each device's profile policy and block that via authorization policies.

C.

Create a profiling policy for each endpoint with the cdpCacheDeviceId attribute.

D.

Add each IP address to a policy denying access.

Question 11

Which Cisco ISE service allows an engineer to check the compliance of endpoints before connecting to the network?

Options:

A.

personas

B.

qualys

C.

nexpose

D.

posture

Question 12

Which two components are required for creating a Native Supplicant Profile within a BYOD flow? (Choose two)

Options:

A.

Windows Settings

B.

Connection Type

C.

iOS Settings

D.

Redirect ACL

E.

Operating System

Question 13

An engineer is configuring the remote access VPN to use Cisco ISE for AAA and needs to conduct posture checks on the connecting endpoints. After the endpoint connects, it receives its initial authorization result and continues onto the compliance scan. What must be done for this AAA configuration to allow compliant access to the network?

Options:

A.

Configure the posture authorization so it defaults to unknown status

B.

Fix the CoA port number

C.

Ensure that authorization only mode is not enabled

D.

Enable dynamic authorization within the AAA server group

Question 14

An engineer is configuring Central Web Authentication in Cisco ISE to provide guest access. When an authentication rule is configured in the Default Policy Set for the Wired_MAB or Wireless_MAB conditions, what must be selected for the "if user not found" setting?

Options:

A.

CONTINUE

B.

REJECT

C.

ACCEPT

D.

DROP

Question 15

An engineer is configuring a new Cisco ISE node. The Cisco ISE must make authorization decisions based on the threat and vulnerability attributes received from the threat and vulnerability adapters. Which persona must be enabled?

Options:

A.

Policy Service

B.

Monitoring

C.

pxGrid

D.

Administration

Question 16

An engineer wants to use certificate authentication for endpoints that connect to a wired network integrated with Cisco ISE. The engineer needs to define the certificate field used as the principal username. Which component would be needed to complete the configuration?

Options:

A.

Authorization rule

B.

Authorization profile

C.

Authentication policy

D.

Authentication profile

Question 17

An engineer is configuring posture assessment for their network access control and needs to use an agent that supports using service conditions as conditions for the assessment. The agent should be run as a background process to avoid user interruption, but when it is run, the user can see it. What is the problem?

Options:

A.

The engineer is using the "Anyconnect" posture agent but should be using the "Stealth Anyconnect" posture agent

B.

The posture module was deployed using the headend instead of installing it with SCCM

C.

The user was in need of remediation so the agent appeared in the notifications

D.

The proper permissions were not given to the temporal agent to conduct the assessment

Question 18

An engineer must use Cisco ISE to provide network access to endpoints that cannot support 802.1X. The endpoint MAC addresses must be allowlisted by configuring an endpoint identity group. These configurations were performed:

• Configured an identity group named allowlist

• Configured the endpoints to use the MAC address of incompatible 802.1X devices

• Added the endpoints to the allowlist identity group

• Configured an authentication policy for MAB users

What must be configured?

Options:

A.

Authorization profile that has the PermitAccess permission and matches the allowlist identity group

B.

Authentication profile that has the PermitAccess permission and matches the allowlist identity group

C.

Authorization policy that has the PermitAccess permission and matches the allowlist identity group

D.

Logical profile that matches the allowlist identity group based on the configured policy

Question 19

An engineer is unable to use SSH to connect to a switch after adding the required CLI commands to the device to enable TACACS+. The device administration license has been added to Cisco ISE, and the required policies have been created. Which action is needed to enable access to the switch?

Options:

A.

The ip ssh source-interface command needs to be set on the switch

B.

802.1X authentication needs to be configured on the switch.

C.

The RSA keypair used for SSH must be regenerated after enabling TACACS+.

D.

The switch needs to be added as a network device in Cisco ISE and set to use TACACS+.

Question 20

An administrator must block access to BYOD endpoints that were onboarded without a certificate and have been reported as stolen in the Cisco ISE My Devices Portal. Which condition must be used when configuring an authorization policy that sets DenyAccess permission?

Options:

A.

Endpoint Identity Group is Blocklist, and the BYOD state is Registered.

B.

Endpoint Identity Group is Blocklist, and the BYOD state is Pending.

C.

Endpoint Identity Group is Blocklist, and the BYOD state is Lost.

D.

Endpoint Identity Group is Blocklist, and the BYOD state is Reinstate.

Question 21

An engineer is configuring ISE for network device administration and has devices that support both protocols. What are two benefits of choosing TACACS+ over RADIUS for these devices? (Choose two.)

Options:

A.

TACACS+ is FIPS compliant while RADIUS is not

B.

TACACS+ is designed for network access control while RADIUS is designed for role-based access.

C.

TACACS+ uses secure EAP-TLS while RADIUS does not.

D.

TACACS+ provides the ability to authorize specific commands while RADIUS does not

E.

TACACS+ encrypts the entire payload being sent while RADIUS only encrypts the password.

Question 22

An engineer is deploying a new Cisco ISE environment for a company. The company wants the deployment to use TACACS+. The engineer verifies that Cisco ISE has a Device Administration license. What must be configured to enable TACACS+ operations?

Options:

A.

Device Administration Work Center

B.

Device Admin service

C.

Device Administration Deployment settings

D.

Device Admin Policy Sets settings

Question 23

Which two responses from the RADIUS server to NAS are valid during the authentication process? (Choose two)

Options:

A.

access-response

B.

access-request

C.

access-reserved

D.

access-accept

E.

access-challenge

Question 24

An engineer is configuring Cisco ISE and needs to dynamically identify the network endpoints and ensure that endpoint access is protected. Which service should be used to accomplish this task?

    Profiling

Options:

A.

Guest access

B.

Client provisioning

C.

Posture

Question 25

An administrator must deploy the Cisco Secure Client posture agent to employee endpoints that access a wireless network by using URL redirection in Cisco ISE. The compliance module must be downloaded from Cisco and uploaded to the Cisco ISE client provisioning resource. What must be used to upload the compliance module?

Options:

A.

Secure Client configuration

B.

agent resources from the local disk

C.

Secure Client posture profile

D.

Client Provisioning Portal

Question 26

What is an advantage of TACACS+ versus RADIUS authentication when reviewing reports in Cisco ISE?

Options:

A.

TACACS+ reduces authentication latency, and RADIUS increases latency by adding additional packet headers.

B.

TACACS+ performs secure communication with IPsec, and RADIUS uses DTLS encryption.

C.

TACACS+ provides command accounting, and RADIUS combines authentication and authorization.

D.

TACACS+ uses SSL certificates, and RADIUS does not have encryption.

Question 27

What is a function of client provisioning?

Options:

A.

It ensures an application process is running on the endpoint.

B.

It checks a dictionary attribute with a value.

C.

It ensures that endpoints receive the appropriate posture agents

D.

It checks the existence date and versions of the file on a client.

Question 28

Refer to the exhibit. An engineer must configure BYOD in Cisco ISE. A single SSID must be used to allow BYOD devices to connect to the network. These configurations have been performed on Wireless LAN Controller already:

RADIUS server

BYOD-Dot1x SSID

Which two configurations must be done in Cisco ISE to meet the requirement? (Choose two.)

Options:

A.

FlexConnect ACL

B.

External identity source

C.

Authentication policy

D.

Redirect ACL

E.

Profiling policy

Question 29

What is a characteristic of the UDP protocol?

Options:

A.

UDP can detect when a server is down.

B.

UDP offers best-effort delivery

C.

UDP can detect when a server is slow

D.

UDP offers information about a non-existent server

Question 30

Which command displays all 802.1X/MAB sessions that are active on the switch ports of a Cisco Catalyst switch?

Options:

A.

show authentication sessions output

B.

Show authentication sessions

C.

show authentication sessions interface Gi 1/0/x

D.

show authentication sessions interface Gi1/0/x output

Question 31

Which are two characteristics of TACACS+? (Choose two)

Options:

A.

It uses TCP port 49.

B.

It combines authorization and authentication functions.

C.

It separates authorization and authentication functions.

D.

It encrypts the password only.

E.

It uses UDP port 49.

Question 32

An administrator is configuring new probes to use with Cisco ISE and wants to use metadata to help profile the endpoints. The metadata must contain traffic information relating to the endpoints instead of industry-standard protocol information. Which probe should be enabled to meet these requirements?

Options:

A.

NetFlow probe

B.

DNS probe

C.

DHCP probe

D.

SNMP query probe

Question 33

Which advanced option within a WLAN must be enabled to trigger Central Web Authentication for Wireless users on AireOS controller?

Options:

A.

DHCP server

B.

static IP tunneling

C.

override Interface ACL

D.

AAA override

Question 34

Refer to the exhibit:

Which command is typed within the CLI of a switch to view the troubleshooting output?

Options:

A.

show authentication sessions mac 000e.84af.59af details

B.

show authentication registrations

C.

show authentication interface gigabitethernet2/0/36

D.

show authentication sessions method

Question 35

Which configuration is required in the Cisco ISE authentication policy to allow Central Web Authentication?

Options:

A.

MAB and if user not found, continue

B.

MAB and if authentication failed, continue

C.

Dot1x and if user not found, continue

D.

Dot1x and if authentication failed, continue

Question 36

An engineer is configuring a new Cisco ISE node. Context-sensitive information must be shared between the Cisco ISE and a Cisco ASA. Which persona must be enabled?

Options:

A.

Administration

B.

Policy Service

C.

pxGrid

D.

Monitoring

Question 37

What is a difference between TACACS+ and RADIUS in regards to encryption?

Options:

A.

TACACS+ encrypts only the password, whereas RADIUS encrypts the username and password.

B.

TACACS+ encrypts the username and password, whereas RADIUS encrypts only the password.

C.

TACACS+ encrypts the password, whereas RADIUS sends the entire packet in clear text.

D.

TACACS+ encrypts the entire packet, whereas RADIUS encrypts only the password.

Question 38

Refer to the exhibit. In which scenario does this switch configuration apply?

Options:

A.

when allowing a hub with multiple clients connected

B.

when passing IP phone authentication

C.

when allowing multiple IP phones to be connected

D.

when preventing users with hypervisor

Question 39

An administrator is responsible for configuring network access for a temporary network printer. The administrator must only use the printer MAC address 50:89:65:18:8:AB for authentication. Which authentication method will accomplish the task?

Options:

A.

Posturing

B.

Profiling

C.

MAB

D.

802.1x

Question 40

An engineer is configuring a virtual Cisco ISE deployment and needs each persona to be on a different node. Which persona should be configured with the largest amount of storage in this environment?

Options:

A.

Policy Services

B.

Primary Administration

C.

Monitoring and Troubleshooting

D.

Platform Exchange Grid

Question 41

An administrator is troubleshooting an endpoint that is supposed to bypass 802.1X and use MAB. The endpoint is bypassing 802.1X and successfully getting network access using MAB; however, the endpoint cannot communicate because it cannot obtain an IP address. What is the problem?

Options:

A.

The DHCP probe for Cisco ISE is not working as expected.

B.

The 802.1X timeout period is too long.

C.

The endpoint is using the wrong protocol to authenticate with Cisco ISE.

D.

An ACL on the port is blocking HTTP traffic

Question 42

An administrator is editing a csv list of endpoints and wants to reprofile some of the devices indefinitely before importing the list into Cisco ISE. Which field and Boolean value must be changed for the devices before the list is reimported?

Options:

A.

Identity Group Assignment field and Static Assignment field set to the value FALSE

B.

Policy Assignment field and Static Assignment field set to the value TRUE

C.

Policy Assignment field and Static Assignment field set to the value FALSE

D.

Identity Group Assignment field and Static Assignment field set to the value TRUE

Question 43

An administrator plans to use Cisco ISE to deploy posture policies to assess Microsoft Windows endpoints that run Cisco Secure Client. The administrator wants to minimize the occurrence of messages related to unknown posture profiles if Cisco ISE fails to determine the posture of the endpoint. Secure Client is deployed to all the endpoints, and all the required Cisco ISE authentication, authorization, and posture policy configurations were performed. Which action must be taken next to complete the configuration?

Options:

A.

Install the latest version of the Secure Client client on the endpoints.

B.

Enable Cisco ISE posture on Secure Client configuration.

C.

Configure a native supplicant on the endpoints to support the posture policies.

D.

Install the compliance module on the endpoints.

Question 44

MacOS users are complaining about having to read through wordy instructions when remediating their workstations to gain access to the network. Which alternate method should be used to tell users how to remediate?

Options:

A.

URL link

B.

message text

C.

executable

D.

file distribution

Question 45

Which compliance status is set when a matching posture policy has been defined for that endpoint, but all the mandatory requirements during posture assessment are not met?

Options:

A.

unauthorized

B.

untrusted

C.

non-compliant

D.

unknown

Question 46

Which two methods should a sponsor select to create bulk guest accounts from the sponsor portal? (Choose two.)

Options:

A.

Random

B.

Monthly

C.

Daily

D.

Imported

E.

Known

Question 47

An organization is implementing Cisco ISE posture services and must ensure that a host-based firewall is in place on every Windows and Mac computer that attempts to access the network. They have multiple vendors' firewall applications for their devices, so the engineers creating the policies are unable to use a specific application check in order to validate the posture for this. What should be done to enable this type of posture check?

Options:

A.

Use the file registry condition to ensure that the firewall is installed and running appropriately.

B.

Use a compound condition to look for the Windows or Mac native firewall applications.

C.

Enable the default firewall condition to check for any vendor firewall application.

D.

Enable the default application condition to identify the applications installed and validate the firewall app.

Question 48

An engineer is starting to implement a wired 802.1X project throughout the campus. The task is for failed authentication to be logged to Cisco ISE and also have a minimal impact on the users. Which command must the engineer configure?

Options:

A.

authentication open

B.

pae dot1x enabled

C.

authentication host-mode multi-auth

D.

monitor-mode enabled

Question 49

An engineer is working with a distributed deployment of Cisco ISE and needs to configure various network probes to collect a set of attributes from the endpoints on the network. Which node should be used to accomplish this task?

Options:

A.

PSN

B.

primary PAN

C.

pxGrid

D.

MnT

Question 50

Which two ports do network devices typically use for CoA? (Choose two)

Options:

A.

443

B.

19005

C.

8080

D.

3799

E.

1700

Question 51

An administrator connects an HP printer to a dot1x-enabled port, but the printer is not accessible. Which feature must the administrator enable to access the printer?

Options:

A.

MAC authentication bypass

B.

change of authorization

C.

TACACS authentication

D.

RADIUS authentication

Question 52

Users in an organization report issues about having to remember multiple usernames and passwords. The network administrator wants the existing Cisco ISE deployment to utilize an external identity source to alleviate this issue. Which two requirements must be met to implement this change? (Choose two.)

Options:

A.

Enable IPC access over port 80.

B.

Ensure that the NAT address is properly configured

C.

Establish access to one Global Catalog server.

D.

Provide domain administrator access to Active Directory.

E.

Configure a secure LDAP connection.

Question 53

What is the difference between how RADIUS and TACACS+ handle encryption?

Options:

A.

RADIUS encrypts only the username and password fields, whereas TACACS+ encrypts the entire packet.

B.

RADIUS encrypts the entire packet, whereas TACACS+ only encrypts the password field.

C.

RADIUS only encrypts the password field, whereas TACACS+ encrypts the payload of packet.

D.

RADIUS encrypts the entire packet, whereas TACACS+ encrypts only the username and password fields.

Question 54

An engineer needs to configure Cisco ISE Profiling Services to authorize network access for IP speakers that require access to the intercom system. This traffic needs to be identified if the ToS bit is set to 5 and the destination IP address is the intercom system. What must be configured to accomplish this goal?

Options:

A.

NMAP

B.

NETFLOW

C.

pxGrid

D.

RADIUS

Question 55

A network administrator must configure Cisco ISE personas in the company to share session information via syslog. Which Cisco ISE personas must be added to syslog receivers to accomplish this goal?

Options:

A.

pxGrid

B.

admin

C.

policy services

D.

monitor

Question 56

An engineer is designing a BYOD environment utilizing Cisco ISE for devices that do not support native supplicants. Which portal must the security engineer configure to accomplish this task?

Options:

A.

MDM

B.

Client provisioning

C.

My devices

D.

BYOD

Question 57

An engineer is working with a distributed deployment of Cisco ISE and needs to configure various network probes to collect a set of attributes from the used to accomplish this task?

Options:

A.

policy service

B.

monitoring

C.

pxGrid

D.

primary policy administrator

Question 58

An engineer has been tasked with standing up a new guest portal for customers that are waiting in the lobby. There is a requirement to allow guests to use their social media logins to access the guest network to appeal to more customers. What must be done to accomplish this task?

Options:

A.

Create a sponsor portal to allow guests to create accounts using their social media logins.

B.

Create a sponsored guest portal and enable social media in the external identity sources.

C.

Create a self-registered guest portal and enable the feature for social media logins

D.

Create a hotspot portal and enable social media login for network access

Question 59

A network administrator is currently using Cisco ISE to authenticate devices and users via 802.1X. There is now a need to also authorize devices and users using EAP-TLS. Which two additional components must be configured in Cisco ISE to accomplish this? (Choose two.)

Options:

A.

Network Device Group

B.

Serial Number attribute that maps to a CA Server

C.

Common Name attribute that maps to an identity store

D.

Certificate Authentication Profile

E.

EAP Authorization Profile

Question 60

A network engineer must configure a centralized Cisco ISE solution for wireless guest access with users in different time zones. The guest account activation time must be independent of the user time zone, and the guest account must be enabled automatically when the user self-registers on the guest portal.

Which option in the time profile settings must be selected to meet the requirement?

Options:

A.

Select FromFirstLogin from the Account Type dropdown.

B.

Select FromCreation from the Account Type dropdown.

C.

Set the Maximum Account Duration to 1 Day.

D.

Set the Duration field to 24:00:00.

Question 61

What does a fully distributed Cisco ISE deployment include?

Options:

A.

PAN and PSN on the same node while MnTs are on their own dedicated nodes.

B.

PAN and MnT on the same node while PSNs are on their own dedicated nodes.

C.

All Cisco ISE personas on their own dedicated nodes.

D.

All Cisco ISE personas are sharing the same node.

Question 62

An administrator wants to configure network device administration and is trying to decide whether to use TACACS+ or RADIUS. A reliable protocol must be used that can check command authorization. Which protocol meets these requirements and why?

Options:

A.

TACACS+ because it runs over TCP

B.

RADIUS because it runs over UDP

C.

RADIUS because it runs over TCP.

D.

TACACS+ because it runs over UDP

Question 63

An administrator needs to connect ISE to Active Directory as an external authentication source and allow the proper ports through the firewall. Which two ports should be opened to accomplish this task? (Choose two)

Options:

A.

TELNET 23

B.

LDAP 389

C.

HTTP 80

D.

HTTPS 443

E.

MSRPC 445

Question 64

What are two requirements of generating a single signing in Cisco ISE by using a certificate provisioning portal, without generating a certificate request? (Choose two )

Options:

A.

Locate the CSV file for the device MAC

B.

Select the certificate template

C.

Choose the hashing method

D.

Enter the common name

E.

Enter the IP address of the device

Question 65

An engineer is testing Cisco ISE policies in a lab environment with no support for a deployment server. In order to push supplicant profiles to the workstations for testing, firewall ports will need to be opened. From which Cisco ISE persona should this traffic be originating?

Options:

A.

monitoring

B.

policy service

C.

administration

D.

authentication

Question 66

When planning for the deployment of Cisco ISE, an organization's security policy dictates that they must use network access authentication via RADIUS. It also states that the deployment provide an adequate amount of security and visibility for the hosts on the network. Why should the engineer configure MAB in this situation?

Options:

A.

The Cisco switches only support MAB.

B.

MAB provides the strongest form of authentication available.

C.

The devices in the network do not have a supplicant.

D.

MAB provides user authentication.

Question 67

When configuring Active Directory groups, what does the Cisco ISE use to resolve ambiguous group names?

Options:

A.

MIB

B.

TGT

C.

OMAB

D.

SID

Question 68

An engineer is deploying a new guest WLAN for a company. The company wants this WLAN to use a sponsored guest portal for secure guest access. The wireless LAN controller must direct the guests to a web page on Cisco ISE for authentication. Which type of authentication must be configured for the guest portal in Cisco ISE?

Options:

A.

EWA

B.

DWA

C.

CWA

D.

web portal

Question 69

Which two external identity stores support EAP-TLS and PEAP-TLS? (Choose two.)

Options:

A.

Active Directory

B.

RADIUS Token

C.

Internal Database

D.

RSA SecurID

E.

LDAP

Question 70

An administrator enables the profiling service for Cisco ISE to use for authorization policies while in closed mode. When the endpoints connect, they receive limited access so that the profiling probes can gather information and Cisco ISE can assign the correct profiles. They are using the default values within Cisco ISE, but the devices do not change their access due to the new profile. What is the problem?

Options:

A.

In closed mode, profiling does not work unless CDP is enabled.

B.

The profiling probes are not able to collect enough information to change the device profile

C.

The profiler feed is not downloading new information so the profiler is inactive

D.

The default profiler configuration is set to No CoA for the reauthentication setting

Question 71

An engineer is configuring sponsored guest access and needs to limit each sponsored guest to a maximum of two devices. There are other guest services in production that rely on the default guest types. How should this configuration change be made without disrupting the other guest services currently offering three or more guest devices per user?

Options:

A.

Create an ISE identity group to add users to and limit the number of logins via the group configuration.

B.

Create a new guest type and set the maximum number of devices sponsored guests can register

C.

Create an LDAP login for each guest and tag that in the guest portal for authentication.

D.

Create a new sponsor group and adjust the settings to limit the devices for each guest.

Question 72

An administrator is configuring posture with Cisco ISE and wants to check that specific services are present on the workstations that are attempting to access the network. What must be configured to accomplish this goal?

Options:

A.

Create a registry posture condition using a non-OPSWAT API version.

B.

Create an application posture condition using an OPSWAT API version.

C.

Create a compound posture condition using an OPSWAT API version.

D.

Create a service posture condition using a non-OPSWAT API version.

Question 73

What is a method for transporting security group tags throughout the network?

Options:

A.

by enabling 802.1AE on every network device

B.

by the Security Group Tag Exchange Protocol

C.

by embedding the security group tag in the IP header

D.

by embedding the security group tag in the 802.1Q header

Question 74

What is the purpose of the ip http server command on a switch?

Options:

A.

It enables the https server for users for web authentication

B.

It enables MAB authentication on the switch

C.

It enables the switch to redirect users for web authentication.

D.

It enables dot1x authentication on the switch.

Question 75

A network administrator must configure endpoints using an 802.1X authentication method with EAP identity certificates that are provided by the Cisco ISE. When the endpoint presents the identity certificate to Cisco ISE to validate the certificate, endpoints must be authorized to connect to the network. Which EAP type must be configured by the network administrator to complete this task?

Options:

A.

EAP-PEAP-MSCHAPv2

B.

EAP-TTLS

C.

EAP-FAST

D.

EAP-TLS

Question 76

An engineer is working on a switch and must tag packets with SGT values such that it learns via SXP. Which command must be entered to meet this requirement?

Options:

A.

ip source guard

B.

ip dhcp snooping

C.

ip device tracking maximum

D.

ip arp inspection

Question 77

Drag and drop the description from the left onto the protocol on the right that is used to carry out system authentication, authorization, and accounting.

Options:

Question 78

A network engineer is in the predeployment discovery phase of a Cisco ISE deployment and must discover the network. There is an existing network management system in the network.

Which type of probe must be configured to gather the information?

Options:

A.

RADIUS

B.

NMAP

C.

NetFlow

D.

SNMP

Question 79

Which two external identity stores are supported by Cisco ISE for password types? (Choose two.)

Options:

A.

LDAP

B.

ODBC

C.

RADIUS Token Server

D.

TACACS+ Token Server

E.

SQL

Question 80

An engineer must configure Cisco ISE to provide internet access for guests in which guests are required to enter a code to gain network access. Which action accomplishes the goal?

Options:

A.

Configure the hotspot portal for guest access and require an access code.

B.

Configure the sponsor portal with a single account and use the access code as the password.

C.

Configure the self-registered guest portal to allow guests to create a personal access code.

D.

Create a BYOD policy that bypasses the authentication of the user and authorizes access codes.

Question 81

Which RADIUS attribute is used to dynamically assign the inactivity active timer for MAB users from the Cisco ISE node?

Options:

A.

session timeout

B.

idle timeout

C.

radius-server timeout

D.

termination-action

Question 82

An administrator made changes in Cisco ISE and needs to apply new permissions for endpoints that have already been authenticated by sending a CoA packet to the network devices. Which IOS command must be configured on the devices to accomplish this goal?

Options:

A.

aaa server radius dynamic-author

B.

authentication command bounce-port

C.

authentication command disable-port

D.

aaa nas port extended

Question 83

An engineer is assigned to enhance security across the campus network. The task is to enable MAB across all access switches in the network. Which command must be entered on the switch to enable MAB?

Options:

A.

Switch# authentication port-control auto

B.

Switch(config)# mab

C.

Switch(config-if)# mab

D.

Switch(config)# authentication port-control auto

Question 84

What occurs when a Cisco ISE distributed deployment has two nodes and the secondary node is deregistered?

Options:

A.

The primary node restarts

B.

The secondary node restarts.

C.

The primary node becomes standalone

D.

Both nodes restart.

Question 85

What is a function of client provisioning?

Options:

A.

Client provisioning ensures that endpoints receive the appropriate posture agents.

B.

Client provisioning checks a dictionary attribute with a value.

C.

Client provisioning ensures an application process is running on the endpoint.

D.

Client provisioning checks the existence, date, and versions of the file on a client.

Question 86

An organization wants to split their Cisco ISE deployment to separate the device administration functionalities from the main deployment. For this to work, the administrator must deregister any nodes that will become a part of the new deployment, but the button for this option is grayed out. Which configuration is causing this behavior?

Options:

A.

One of the nodes is an active PSN.

B.

One of the nodes is the Primary PAN

C.

All of the nodes participate in the PAN auto failover.

D.

All of the nodes are actively being synched.

Question 87

Which default endpoint identity group does an endpoint that does not match any profile in Cisco ISE become a member of?

Options:

A.

Endpoint

B.

unknown

C.

blacklist

D.

white list

E.

profiled

Question 88

An engineer deploys Cisco ISE and must configure Active Directory to then use information from Active Directory in an authorization policy. Which two components must be configured, in addition to Active Directory groups, to achieve this goal? (Choose two.)

Options:

A.

Active Directory External Identity Sources

B.

Library Condition for External Identity: External Groups

C.

Identity Source Sequences

D.

LDAP External Identity Sources

E.

Library Condition for Identity Group: User Identity Group
