Cisco 300-715 Implementing and Configuring Cisco Identity Services Engine (SISE) v4.0 (300-715 SISE) Exam Practice Test

Total 299 questions

Implementing and Configuring Cisco Identity Services Engine (SISE) v4.0 (300-715 SISE) Questions and Answers

Question 1

Which term refers to an endpoint agent that tries to join an 802.1X-enabled network?

Options:

A.

EAP server

B.

supplicant

C.

client

D.

authenticator

Question 2

A user misplaces a personal phone and wants to blacklist the device from accessing the company network. The company uses Cisco ISE for corporate and BYOD device authentication. Which action must the user take in Cisco ISE?

Options:

A.

Sign in to the BYOD portal and mark the device as Lost.

B.

Sign in to the My Devices portal and mark the device as Lost.

C.

Sign in to the My Devices portal and mark the device as Irrecoverable.

D.

Sign in to the BYOD portal and mark the device as Irrecoverable.

Question 3

If a user reports a device lost or stolen, which portal should be used to prevent the device from accessing the network while still providing information about why the device is blocked?

Options:

A.

Client Provisioning

B.

Guest

C.

BYOD

D.

Blacklist

Question 4

What is an advantage of using EAP-TLS over EAP-MS-CHAPv2 for client authentication?

Options:

A.

EAP-TLS uses a username and password for authentication to enhance security, while EAP-MS-CHAPv2 does not.

B.

EAP-TLS secures the exchange of credentials, while EAP-MS-CHAPv2 does not.

C.

EAP-TLS uses a device certificate for authentication to enhance security, while EAP-MS-CHAPv2 does not.

D.

EAP-TLS uses multiple forms of authentication, while EAP-MS-CHAPv2 only uses one.

Question 5

An engineer is working with a distributed deployment of Cisco ISE and needs to configure various network probes to collect a set of attributes from the endpoints on the network. Which node should be used to accomplish this task?

Options:

A.

PSN

B.

primary PAN

C.

pxGrid

D.

MnT

Question 6

An administrator needs to allow guest devices to connect to a private network without requiring usernames and passwords. Which two features must be configured to allow for this? (Choose two.)

Options:

A.

hotspot guest portal

B.

device registration WebAuth

C.

central WebAuth

D.

local WebAuth

E.

self-registered guest portal

Question 7

The IT manager wants to provide different levels of access to network devices when users authenticate using TACACS+. The company needs specific commands to be allowed based on the Active Directory group membership of the different roles within the IT department. The solution must minimize the number of objects created in Cisco ISE. What must be created to accomplish this task?

Options:

A.

one shell profile and one command set

B.

multiple shell profiles and one command set

C.

one shell profile and multiple command sets

D.

multiple shell profiles and multiple command sets

Question 8

A Cisco ISE administrator must restrict specific endpoints from accessing the network while in closed mode. The requirement is to have Cisco ISE centrally store the endpoints to restrict access from. What must be done to accomplish this task?

Options:

A.

Add each MAC address manually to a blocklist identity group and create a policy denying access

B.

Create a logical profile for each device's profile policy and block that via authorization policies.

C.

Create a profiling policy for each endpoint with the cdpCacheDeviceId attribute.

D.

Add each IP address to a policy denying access.

Question 9

A user is attempting to register a BYOD device to the Cisco ISE deployment, but needs to use the onboarding policy to request a digital certificate and provision the endpoint. What must be configured to accomplish this task?

Options:

A.

A native supplicant provisioning policy to redirect them to the BYOD portal for onboarding

B.

The Cisco AnyConnect provisioning policy to provision the endpoint for onboarding

C.

The BYOD flow to ensure that the endpoint will be provisioned prior to registering

D.

The posture provisioning policy to give the endpoint all necessary components prior to registering

Question 10

A Cisco ISE administrator needs to ensure that guest endpoint registrations are only valid for 1 day. When testing the guest policy flow, the administrator sees that the Cisco ISE does not delete the endpoint in the Guest Endpoints identity store after one day and allows access to the guest network after that period. Which configuration is causing this problem?

Options:

A.

The RADIUS policy set for guest access is set to allow repeated authentication of the same device.

B.

The length of access is set to 7 days in the Guest Portal Settings.

C.

The Endpoint Purge Policy is set to 30 days for guest devices.

D.

The Guest Account Purge Policy is set to 15 days.

Question 11

A network engineer must configure a policy rule to check the endpoint. The policy must ensure disk encryption is enabled and the appropriate antivirus software version is installed. Which configuration must the engineer apply to the rule?

Options:

A.

dictionary simple condition

B.

simple posture condition

C.

dictionary compound condition

D.

compound posture condition

Question 12

An administrator made changes in Cisco ISE and needs to apply new permissions for endpoints that have already been authenticated by sending a CoA packet to the network devices. Which IOS command must be configured on the devices to accomplish this goal?

Options:

A.

aaa server radius dynamic-author

B.

authentication command bounce-port

C.

authentication command disable-port

D.

aaa nas port extended

Question 13

Which default endpoint identity group does an endpoint that does not match any profile in Cisco ISE become a member of?

Options:

A.

Endpoint

B.

unknown

C.

blacklist

D.

white list

E.

profiled

Question 14

A laptop was stolen and a network engineer added it to the block list endpoint identity group. What must be done on a new Cisco ISE deployment to redirect the laptop and restrict access?

Options:

A.

Select DenyAccess within the authorization policy.

B.

Ensure that access to port 8443 is allowed within the ACL.

C.

Ensure that access to port 8444 is allowed within the ACL.

D.

Select DROP under If Auth fail within the authentication policy.

Question 15

What is an advantage of TACACS+ versus RADIUS authentication when reviewing reports in Cisco ISE?

Options:

A.

TACACS+ reduces authentication latency, and RADIUS increases latency by adding additional packet headers.

B.

TACACS+ performs secure communication with IPsec, and RADIUS uses DTLS encryption.

C.

TACACS+ provides command accounting, and RADIUS combines authentication and authorization.

D.

TACACS+ uses SSL certificates, and RADIUS does not have encryption.

Question 16

Which nodes are supported in a distributed Cisco ISE deployment?

Options:

A.

Policy Service nodes for session failover

B.

Monitoring nodes for PxGrid services

C.

Administration nodes for session failover

D.

Policy Service nodes for automatic failover

Question 17

Which three default endpoint identity groups does Cisco ISE create? (Choose three.)

Options:

A.

Unknown

B.

whitelist

C.

end point

D.

profiled

E.

blacklist

Question 18

Which two Cisco ISE deployment models require two nodes configured with dedicated PAN and MnT personas? (Choose two.)

Options:

A.

three PSN nodes

B.

seven PSN nodes with one PxGrid node

C.

five PSN nodes with one PxGrid node

D.

two PSN nodes with one PxGrid node

E.

six PSN nodes

Question 19

An engineer is designing a new distributed deployment for Cisco ISE in the network and is considering failover options for the admin nodes. There is a need to ensure that an admin node is available for configuration of policies at all times. What is the requirement to enable this feature?

Options:

A.

one primary admin and one secondary admin node in the deployment

B.

one policy services node and one secondary admin node

C.

one policy services node and one monitoring and troubleshooting node

D.

one primary admin node and one monitoring and troubleshooting node

Question 20

Which CLI command must be configured on the switchport to immediately run the MAB process if a non-802.1X capable endpoint connects to the port?

Options:

A.

authentication order mab dot1x

B.

authentication fallback

C.

dot1x pae authenticator

D.

access-session port-control auto

Question 21

Which interface-level command is needed to turn on 802.1X authentication?

Options:

A.

dot1x pae authenticator

B.

dot1x system-auth-control

C.

authentication host-mode single-host

D.

aaa server radius dynamic-author

Question 22

Which RADIUS attribute is used to dynamically assign the inactivity active timer for MAB users from the Cisco ISE node?

Options:

A.

radius-server timeout

B.

session-timeout

C.

idle-timeout

D.

termination-action

Question 23

What is a difference between RADIUS and TACACS+?

Options:

A.

RADIUS uses connection-oriented transport, and TACACS+ uses best-effort delivery.

B.

RADIUS offers multiprotocol support, and TACACS+ supports only IP traffic.

C.

RADIUS combines authentication and authorization functions, and TACACS+ separates them.

D.

RADIUS supports command accounting, and TACACS+ does not.

Question 24

An administrator is configuring posture with Cisco ISE and wants to check that specific services are present on the workstations that are attempting to access the network. What must be configured to accomplish this goal?

Options:

A.

Create a registry posture condition using a non-OPSWAT API version.

B.

Create an application posture condition using an OPSWAT API version.

C.

Create a compound posture condition using an OPSWAT API version.

D.

Create a service posture condition using a non-OPSWAT API version.

Question 25

An engineer is implementing network access control using Cisco ISE and needs to separate the traffic based on the network device ID and use the IOS device sensor capability. Which probe must be used to accomplish this task?

Options:

A.

HTTP probe

B.

NetFlow probe

C.

network scan probe

D.

RADIUS probe

Question 26

Which Cisco ISE deployment model is recommended for an enterprise that has over 50,000 concurrent active endpoints?

Options:

A.

large deployment with fully distributed nodes running all personas

B.

medium deployment with primary and secondary PAN/MnT/pxGrid nodes with shared PSNs

C.

medium deployment with primary and secondary PAN/MnT/pxGrid nodes with dedicated PSNs

D.

small deployment with one primary and one secondary node running all personas

Question 27

A new employee just connected their workstation to a Cisco IP phone. The network administrator wants to ensure that the Cisco IP phone remains online when the user disconnects their workstation from the corporate network. Which CoA configuration meets this requirement?

Options:

A.

Port Bounce

B.

Reauth

C.

NoCoA

D.

Disconnect

Question 28

An engineer is unable to use SSH to connect to a switch after adding the required CLI commands to the device to enable TACACS+. The device administration license has been added to Cisco ISE, and the required policies have been created. Which action is needed to enable access to the switch?

Options:

A.

The ip ssh source-interface command needs to be set on the switch

B.

802.1X authentication needs to be configured on the switch.

C.

The RSA keypair used for SSH must be regenerated after enabling TACACS+.

D.

The switch needs to be added as a network device in Cisco ISE and set to use TACACS+.

Question 29

Which two features are available when the primary admin node is down and the secondary admin node has not been promoted? (Choose two.)

Options:

A.

hotspot

B.

new AD user 802.1X authentication

C.

posture

D.

BYOD

E.

guest AUP

Question 30

An administrator is configuring the Native Supplicant Profile to be used with the Cisco ISE posture agents and needs to test the connection using wired devices to determine which profile settings are available. Which two configuration settings should be used to accomplish this task? (Choose two.)

Options:

A.

authentication mode

B.

proxy host/IP

C.

certificate template

D.

security

E.

allowed protocol

Question 31

An engineer is creating a new authorization policy to give the endpoints access to VLAN 310 upon successful authentication. The administrator tests the 802.1X authentication for the endpoint and sees that it is authenticating successfully. What must be done to ensure that the endpoint is placed into the correct VLAN?

Options:

A.

Configure the switchport access vlan 310 command on the switch port

B.

Ensure that the security group is not preventing the endpoint from being in VLAN 310

C.

Add VLAN 310 in the common tasks of the authorization profile

D.

Ensure that the endpoint is using the correct policy set

Question 32

An engineer needs to configure a Cisco ISE server to issue a CoA for endpoints already authenticated to access the network. The CoA option must be enforced on a session, even if there are multiple active sessions on a port. What must be configured to accomplish this task?

Options:

A.

the Reauth CoA option in the Cisco ISE system profiling settings enabled

B.

an endpoint profiling policy with the No CoA option enabled

C.

an endpoint profiling policy with the Port Bounce CoA option enabled

D.

the Port Bounce CoA option in the Cisco ISE system profiling settings enabled

Question 33

An organization is adding nodes to their Cisco ISE deployment and has two nodes designated as primary and secondary PAN and MnT nodes. The organization also has four PSNs. An administrator is adding two more PSNs to this deployment but is having problems adding one of them. What is the problem?

Options:

A.

The new nodes must be set to primary prior to being added to the deployment

B.

The current PAN is only able to track a max of four nodes

C.

Only five PSNs are allowed to be in the Cisco ISE cube if configured this way.

D.

One of the new nodes must be designated as a pxGrid node

Question 34

An administrator is configuring a new profiling policy within Cisco ISE. The organization has several endpoints that are the same device type and all have the same Block ID in their MAC address. The profiler does not currently have a profiling policy created to categorize these endpoints; therefore, a custom profiling policy must be created. Which condition must the administrator use in order to properly profile an ACME Al Connector endpoint for network access with MAC address ?

Options:

A.

MAC_OUI_STARTSWITH_

B.

CDP_cdpCacheDeviceID_CONTAINS_

C.

MAC_MACAddress_CONTAINS_

D.

Radius Called Station-ID STARTSWITH

Question 35

An engineer needs to configure a compliance policy on Cisco ISE to ensure that the latest encryption software is running on the C drive of all endpoints. Drag and drop the configuration steps from the left into the sequence on the right to accomplish this task.

Options:

Question 36

An engineer is migrating users from MAB to 802.1X on the network. This must be done during normal business hours with minimal impact to users. Which CoA method should be used?

Options:

A.

Port Bounce

B.

Port Shutdown

C.

Session Termination

D.

Session Reauthentication

Question 37

What does the dot1x system-auth-control command do?

Options:

A.

causes a network access switch not to track 802.1x sessions

B.

globally enables 802.1x

C.

enables 802.1x on a network access device interface

D.

causes a network access switch to track 802.1x sessions

Question 38

A network engineer must enable a profiling probe. The profiling must take details through the Active Directory. Where in the Cisco ISE interface would the engineer enable the probe?

Options:

A.

Policy > Policy Elements > Profiling

B.

Administration > Deployment > System > Profiling

C.

Policy > Deployment > System > Profiling

D.

Administration > System > Deployment > Profiling

Question 39

In which two ways can users and endpoints be classified for TrustSec?

(Choose Two.)

Options:

A.

VLAN

B.

SXP

C.

dynamic

D.

QoS

E.

SGACL

Question 40

The Cisco Wireless LAN Controller and guest portal must be set up in Cisco ISE. These configurations were performed:

• configured all the required Cisco Wireless LAN Controller configurations

• added the wireless controller to Cisco ISE network devices

• created an endpoint identity group

• configured credentials to be sent by email

• configured the SMTP server

• configured an authorization profile with redirection to the guest portal and redirected the access control list

• configured an authentication policy for MAB users

• created an authorization policy

Which two components would be required to complete the configuration? (Choose two.)

Options:

A.

sponsor group

B.

hotspot guest portal

C.

sponsor portal

D.

self-registered guest portal

E.

guest type

Question 41

An engineer must use Cisco ISE profiler services to provide network access to Cisco IP phones that cannot support 802.1X. Cisco ISE is configured to use the access switch device sensor information — system-description and platform-type — to profile Cisco IP phones and allow access.

Which two protocols must be configured on the switch to complete the configuration? (Choose two.)

Options:

A.

LLDP

B.

CDP

C.

EAPOL

D.

SNMP

E.

STP

Question 42

An engineer must configure Cisco ISE to provide internet access for guests in which guests are required to enter a code to gain network access. Which action accomplishes the goal?

Options:

A.

Configure the hotspot portal for guest access and require an access code.

B.

Configure the sponsor portal with a single account and use the access code as the password.

C.

Configure the self-registered guest portal to allow guests to create a personal access code.

D.

Create a BYOD policy that bypasses the authentication of the user and authorizes access codes.

Question 43

Which two probes must be enabled for the ARP cache to function in the Cisco ISE profile service so that a user can reliably bind the IP address and MAC addresses of endpoints? (Choose two.)

Options:

A.

NetFlow

B.

SNMP

C.

HTTP

D.

DHCP

E.

RADIUS

Question 44

An engineer is configuring web authentication using non-standard ports and needs the switch to redirect traffic to the correct port. Which command should be used to accomplish this task?

Options:

A.

permit tcp any any eq

B.

aaa group server radius proxy

C.

ip http port

D.

aaa group server radius

Question 45

What are the minimum requirements for deploying the Automatic Failover feature on Administration nodes in a distributed Cisco ISE deployment?

Options:

A.

a primary and secondary PAN and a health check node for the Secondary PAN

B.

a primary and secondary PAN and no health check nodes

C.

a primary and secondary PAN and a pair of health check nodes

D.

a primary and secondary PAN and a health check node for the Primary PAN

Question 46

An administrator has added a new Cisco ISE PSN to their distributed deployment. Which two features must the administrator enable to accept authentication requests and profile the endpoints correctly, and add them to their respective endpoint identity groups? (Choose two.)

Options:

A.

Session Services

B.

Endpoint Attribute Filter

C.

Posture Services

D.

Profiling Services

E.

Radius Service

Question 47

Which protocol must be allowed for a BYOD device to access the BYOD portal?

Options:

A.

HTTP

B.

SMTP

C.

HTTPS

D.

SSH

Question 48

An engineer is configuring static SGT classification. Which configuration should be used when authentication is disabled and third-party switches are in use?

Options:

A.

VLAN to SGT mapping

B.

IP Address to SGT mapping

C.

L3IF to SGT mapping

D.

Subnet to SGT mapping

Question 49

Refer to the exhibit.

An engineer is creating a new TACACS+ command set and cannot use any show commands after logging into the device with this command set authorization. Which configuration is causing this issue?

Options:

A.

Question marks are not allowed as wildcards for command sets.

B.

The command set is allowing all commands that are not in the command list

C.

The wildcard command listed is in the wrong format

D.

The command set is working like an ACL and denying every command.

Question 50

An administrator replaced a PSN in the distributed Cisco ISE environment. When endpoints authenticate to it, the devices are not getting the right profiles or attributes and as a result, are not hitting the correct policies. This was working correctly on the previous PSN. Which action must be taken to ensure the endpoints get identified?

Options:

A.

Verify that the MnT node is tracking the session.

B.

Verify the shared secret used between the switch and the PSN.

C.

Verify that the profiling service is running on the new PSN.

D.

Verify that the authentication request the PSN is receiving is not malformed.

Question 51

An administrator is attempting to replace the built-in self-signed certificates on a Cisco ISE appliance. The CA is requesting some information about the appliance in order to sign the new certificate. What must be done in order to provide the CA this information?

Options:

A.

Install the Root CA and intermediate CA.

B.

Generate the CSR.

C.

Download the intermediate server certificate.

D.

Download the CA server certificate.

Question 52

An engineer is configuring posture assessment for their network access control and needs to use an agent that supports using service conditions as conditions for the assessment. The agent should be run as a background process to avoid user interruption, but when it is run, the user can see it. What is the problem?

Options:

A.

The engineer is using the "AnyConnect" posture agent but should be using the "Stealth AnyConnect" posture agent

B.

The posture module was deployed using the headend instead of installing it with SCCM

C.

The user was in need of remediation so the agent appeared in the notifications

D.

The proper permissions were not given to the temporal agent to conduct the assessment

Question 53

An administrator is configuring a Cisco ISE posture agent in the client provisioning policy and needs to ensure that the posture policies that interact with clients are monitored, and end users are required to comply with network usage rules. Which two resources must be added in Cisco ISE to accomplish this goal? (Choose two.)

Options:

A.

AnyConnect

B.

Supplicant

C.

Cisco ISE NAC

D.

PEAP

E.

Posture Agent

Question 54

What is needed to configure wireless guest access on the network?

Options:

A.

endpoint already profiled in ISE

B.

WEBAUTH ACL for redirection

C.

valid user account in Active Directory

D.

Captive Portal Bypass turned on

Question 55

Refer to the exhibit. In which scenario does this switch configuration apply?

Options:

A.

when allowing a hub with multiple clients connected

B.

when passing IP phone authentication

C.

when allowing multiple IP phones to be connected

D.

when preventing users with hypervisor

Question 56

An engineer is configuring Cisco ISE for guest services. They would like to have any unregistered guests redirected to the guest portal for authentication, then have a CoA provide them with full access to the network that is segmented via firewalls. Why is the given configuration failing to accomplish this goal?

Options:

A.

The Guest Flow condition is not in the line that gives access to the guest portal

B.

The Network_Access_Authentication_Passed condition will not work with guest services for portal access.

C.

The Permit Access result is not set to restricted access in its policy line

D.

The Guest Portal and Guest Access policy lines are in the wrong order

Question 57

An administrator is migrating device administration access to Cisco ISE from the legacy TACACS+ solution that used only privilege 1 and 15 access levels. The organization requires more granular controls of the privileges and wants to customize access levels 2-5 to correspond with different roles and access needs. Besides defining a new shell profile in Cisco ISE, what must be done to accomplish this configuration?

Options:

A.

Enable the privilege levels in Cisco ISE

B.

Enable the privilege levels in the IOS devices.

C.

Define the command privileges for levels 2-5 in the IOS devices

D.

Define the command privileges for levels 2-5 in Cisco ISE

Question 58

Refer to the exhibit.

An organization recently implemented network device administration using Cisco ISE. Upon testing the ability to access all of the required devices, a user in the Cisco ISE group IT Admins is attempting to log in to a device in their organization's finance department but is unable to. What is the problem?

Options:

A.

The IT training rule is taking precedence over the IT Admins rule.

B.

The authorization conditions wrongly allow IT Admins group no access to finance devices.

C.

The finance location is not a condition in the policy set.

D.

The authorization policy doesn't correctly grant them access to the finance devices.

Question 59

An engineer needs to configure Cisco ISE Profiling Services to authorize network access for IP speakers that require access to the intercom system. This traffic needs to be identified if the ToS bit is set to 5 and the destination IP address is the intercom system. What must be configured to accomplish this goal?

Options:

A.

NMAP

B.

NETFLOW

C.

pxGrid

D.

RADIUS

Question 60

Which Cisco ISE service allows an engineer to check the compliance of endpoints before connecting to the network?

Options:

A.

personas

B.

qualys

C.

nexpose

D.

posture

Question 61

An engineer is assigned to enhance security across the campus network. The task is to enable MAB across all access switches in the network. Which command must be entered on the switch to enable MAB?

Options:

A.

Switch# authentication port-control auto

B.

Switch(config)# mab

C.

Switch(config-if)# mab

D.

Switch(config)# authentication port-control auto

Question 62

Which two actions occur when a Cisco ISE server device administrator logs in to a device? (Choose two)

Options:

A.

The device queries the internal identity store

B.

The Cisco ISE server queries the internal identity store

C.

The device queries the external identity store

D.

The Cisco ISE server queries the external identity store.

E.

The device queries the Cisco ISE authorization server

Question 63

Which compliance status is set when a matching posture policy has been defined for that endpoint, but all the mandatory requirements during posture assessment are not met?

Options:

A.

unauthorized

B.

untrusted

C.

non-compliant

D.

unknown

Question 64

Which two fields are available when creating an endpoint on the context visibility page of Cisco ISE? (Choose two.)

Options:

A.

Policy Assignment

B.

Endpoint Family

C.

Identity Group Assignment

D.

Security Group Tag

E.

IP Address

Question 65

An employee logs on to the My Devices portal and marks a currently on-boarded device as ‘Lost’.

Which two actions occur within Cisco ISE as a result of this action? (Choose two.)

Options:

A.

Certificates provisioned to the device are not revoked

B.

BYOD Registration status is updated to No

C.

The device access has been denied

D.

BYOD Registration status is updated to Unknown.

E.

The device status is updated to Stolen

Question 66

What should be considered when configuring certificates for BYOD?

    An endpoint certificate is mandatory for the Cisco ISE BYOD

Options:

A.

An Android endpoint uses EST whereas other operating systems use SCEP for enrollment

B.

The CN field is populated with the endpoint host name.

C.

The SAN field is populated with the end user name

Question 67

An administrator is responsible for configuring network access for a temporary network printer. The administrator must only use the printer MAC address 50:89:65:18:8:AB for authentication. Which authentication method will accomplish the task?

Options:

A.

Posturing

B.

Profiling

C.

MAB

D.

802.1x

Question 68

What occurs when a Cisco ISE distributed deployment has two nodes and the secondary node is deregistered?

Options:

A.

The primary node restarts

B.

The secondary node restarts.

C.

The primary node becomes standalone

D.

Both nodes restart.

Question 69

An administrator is attempting to join a new node to the primary Cisco ISE node, but receives the error message "Node is Unreachable". What is causing this error?

Options:

A.

The second node is a PAN node.

B.

No administrative certificate is available for the second node.

C.

The second node is in standalone mode.

D.

No admin privileges are available on the second node.

Question 70

An organization wants to split their Cisco ISE deployment to separate the device administration functionalities from the main deployment. For this to work, the administrator must deregister any nodes that will become a part of the new deployment, but the button for this option is grayed out. Which configuration is causing this behavior?

Options:

A.

One of the nodes is an active PSN.

B.

One of the nodes is the Primary PAN

C.

All of the nodes participate in the PAN auto failover.

D.

All of the nodes are actively being synched.

Question 71

An administrator is configuring RADIUS on a Cisco switch with a key set to Cisc403012128 but is receiving the error "Authentication failed: 22040 Wrong password or invalid shared secret." What must be done to address this issue?

Options:

A.

Add the network device as a NAD inside Cisco ISE using the existing key.

B.

Configure the key on the Cisco ISE instead of the Cisco switch.

C.

Use a key that is between eight and ten characters.

D.

Validate that the key is correct on both the Cisco switch as well as Cisco ISE.

Question 72

An engineer is configuring Cisco ISE to reprofile endpoints based only on new requests of INIT-REBOOT and SELECTING message types. Which probe should be used to accomplish this task?

Options:

A.

MMAP

B.

DNS

C.

DHCP

D.

RADIUS

Question 73

Which two endpoint compliance statuses are possible? (Choose two.)

Options:

A.

unknown

B.

known

C.

invalid

D.

compliant

E.

valid

Question 74

An engineer must configure guest access on Cisco ISE for company visitors. Which step must be taken on the Cisco ISE PSNs before a guest portal is configured?

Options:

A.

Enable profiling services.

B.

Install SSL certificates.

C.

Create a node group.

D.

Enable session services.

Question 75

An administrator enables the profiling service for Cisco ISE to use for authorization policies while in closed mode. When the endpoints connect, they receive limited access so that the profiling probes can gather information and Cisco ISE can assign the correct profiles. They are using the default values within Cisco ISE, but the devices do not change their access due to the new profile. What is the problem?

Options:

A.

In closed mode, profiling does not work unless CDP is enabled.

B.

The profiling probes are not able to collect enough information to change the device profile

C.

The profiler feed is not downloading new information so the profiler is inactive

D.

The default profiler configuration is set to No CoA for the reauthentication setting

Question 76

An engineer is configuring a virtual Cisco ISE deployment and needs each persona to be on a different node. Which persona should be configured with the largest amount of storage in this environment?

Options:

A.

Policy Services

B.

Primary Administration

C.

Monitoring and Troubleshooting

D.

Platform Exchange Grid

Question 77

An engineer is configuring Central Web Authentication in Cisco ISE to provide guest access. When an authentication rule is configured in the Default Policy Set for the Wired_MAB or Wireless_MAB conditions, what must be selected for the "if user not found" setting?

Options:

A.

CONTINUE

B.

REJECT

C.

ACCEPT

D.

DROP

Question 78

What gives Cisco ISE an option to scan endpoints for vulnerabilities?

Options:

A.

authorization policy

B.

authentication policy

C.

authentication profile

D.

authorization profile

Question 79

What is the purpose of the ip http server command on a switch?

Options:

A.

It enables the https server for users for web authentication

B.

It enables MAB authentication on the switch

C.

It enables the switch to redirect users for web authentication.

D.

It enables dot1x authentication on the switch.

Question 80

Which configuration is required in the Cisco ISE authentication policy to allow Central Web Authentication?

Options:

A.

MAB and if user not found, continue

B.

MAB and if authentication failed, continue

C.

Dot1x and if user not found, continue

D.

Dot1x and if authentication failed, continue

Question 81

Which two methods should a sponsor select to create bulk guest accounts from the sponsor portal? (Choose two.)

Options:

A.

Random

B.

Monthly

C.

Daily

D.

Imported

E.

Known

Question 82

A Cisco ISE administrator must authenticate users against Microsoft Active Directory. The solution must meet these requirements:

    Users and computers must be authenticated.

    User groups must be retrieved during authentication.

Which protocol must be added to the allowed protocols on the policy to authenticate the users?

Options:

A.

EAP-GTC

B.

EAP-TLS

C.

LEAP

D.

MS-CHAPv2

Question 83

An administrator is configuring TACACS+ on a Cisco switch but cannot authenticate users with Cisco ISE. The configuration contains the correct key of Cisc039712287, but the switch is not receiving a response from the Cisco ISE instance. What must be done to validate the AAA configuration and identify the problem with the TACACS+ servers?

Options:

A.

Check for server reachability using the test aaa group tacacs+ admin legacy command.

B.

Test the user account on the server using the test aaa group radius server CUCS user admin pass legacy command.

C.

Validate that the key value is correct using the test aaa authentication admin legacy command.

D.

Confirm the authorization policies are correct using the test aaa authorization admin drop legacy command.

Question 84

An administrator adds a new network device to the Cisco ISE configuration to authenticate endpoints to the network. The RADIUS test fails after the administrator configures all of the settings in Cisco ISE and adds the proper configurations to the switch. What is the issue?

Options:

A.

The endpoint profile is showing as "unknown."

B.

The endpoint does not have the appropriate credentials for network access.

C.

The shared secret is incorrect on the switch or on Cisco ISE.

D.

The certificate on the switch is self-signed, not a CA-provided certificate.

Question 85

A network engineer is in the predeployment discovery phase of a Cisco ISE deployment and must discover the network. There is an existing network management system in the network. Which type of probe must be configured to gather the information?

Options:

A.

NetFlow

B.

RADIUS

C.

SNMP

D.

NMAP

Question 86

An administrator is configuring a new profiling policy in Cisco ISE for a printer type that is missing from the profiler feed. The logical profile Printers must be used in the authorization rule and the rule must be hit. What must be done to ensure that this configuration will be successful?

Options:

A.

Create a new logical profile for the new printer policy

B.

Enable the EndPoints:EndPointPolicy condition in the authorization policy.

C.

Add the new profiling policy to the logical profile Printers.

D.

Modify the profiler conditions to ensure that it goes into the correct logical profile

Question 87

An engineer must use Cisco ISE to provide network access to endpoints that cannot support 802.1X. The endpoint MAC addresses must be allowlisted by configuring an endpoint identity group. These configurations were performed:

    Configured an identity group named allowlist

    Configured the endpoints to use the MAC address of incompatible 802.1X devices

    Added the endpoints to the allowlist identity group

    Configured an authentication policy for MAB users

What must be configured?

Options:

A.

Authorization profile that has the PermitAccess permission and matches the allowlist identity group

B.

Authentication profile that has the PermitAccess permission and matches the allowlist identity group

C.

Authorization policy that has the PermitAccess permission and matches the allowlist identity group

D.

Logical profile that matches the allowlist identity group based on the configured policy

Question 88

macOS users are complaining about having to read through wordy instructions when remediating their workstations to gain access to the network. Which alternate method should be used to tell users how to remediate?

Options:

A.

URL link

B.

message text

C.

executable

D.

file distribution

Question 89

A network administrator must configure Cisco ISE personas in the company to share session information via syslog. Which Cisco ISE personas must be added to syslog receivers to accomplish this goal?

Options:

A.

pxGrid

B.

admin

C.

policy services

D.

monitor
