300-715 Implementing and Configuring Cisco Identity Services Engine (SISE) Questions and Answers

Question # 4

When configuring Active Directory groups, what does the Cisco ISE use to resolve ambiguous group names?

A.

MIB

B.

TGT

C.

OMAB

D.

SID

Question # 5

In a Cisco ISE split deployment model, which load is split between the nodes?

A.

AAA

B.

network admission

C.

log collection

D.

device admission

Question # 6

An engineer needs to configure Cisco ISE Profiling Services to authorize network access for IP speakers that require access to the intercom system. This traffic needs to be identified if the ToS bit is set to 5 and the destination IP address is the intercom system. What must be configured to accomplish this goal?

A.

NMAP

B.

NETFLOW

C.

pxGrid

D.

RADIUS

Question # 7

Refer to the exhibit:

Which command is typed within the CLI of a switch to view the troubleshooting output?

A.

show authentication sessions mac 000e.84af.59af details

B.

show authentication registrations

C.

show authentication interface gigabitethernet2/0/36

D.

show authentication sessions method

Question # 8

What are two differences between the RADIUS and TACACS+ protocols? (Choose two.)

A.

RADIUS is a Cisco proprietary protocol, whereas TACACS+ is an open standard protocol.

B.

TACACS+ uses TCP port 49, whereas RADIUS uses UDP ports 1812 and 1813.

C.

RADIUS offers multiprotocol support, whereas TACACS+ does not

D.

RADIUS combines authentication and authorization, whereas TACACS+ does not

E.

RADIUS enables encryption of all the packets, whereas with TACACS+, only the password is encrypted.

Question # 9

An engineer is enabling a newly configured wireless SSID for tablets and needs visibility into which other types of devices are connecting to it. What must be done on the Cisco WLC to provide this information to Cisco ISE?

A.

enable IP Device Tracking

B.

enable MAC filtering

C.

enable Fast Transition

D.

enable mDNS snooping

Question # 10

What does a fully distributed Cisco ISE deployment include?

A.

PAN and PSN on the same node while MnTs are on their own dedicated nodes.

B.

PAN and MnT on the same node while PSNs are on their own dedicated nodes.

C.

All Cisco ISE personas on their own dedicated nodes.

D.

All Cisco ISE personas are sharing the same node.

Question # 11

Which compliance status is set when a matching posture policy has been defined for that endpoint, but all the mandatory requirements during posture assessment are not met?

A.

unauthorized

B.

untrusted

C.

non-compliant

D.

unknown

Question # 12

Which two default guest portals are available with Cisco ISE? (Choose two.)

A.

visitor

B.

WIFI-access

C.

self-registered

D.

central web authentication

E.

sponsored

Question # 13

An engineer is tasked with placing a guest access anchor controller in the DMZ. Which two ports or port sets must be opened up on the firewall to accomplish this task? (Choose two.)

A.

UDP port 1812 RADIUS

B.

TCP port 161

C.

TCP port 514

D.

UDP port 79

E.

UDP port 16666

Question # 14

A network administrator is configuring authorization policies on Cisco ISE. There is a requirement to use AD group assignments to control access to network resources. After a recent power failure and Cisco ISE rebooting itself, the AD group assignments no longer work. What is the cause of this issue?

A.

The AD join point is no longer connected.

B.

The AD DNS response is slow.

C.

The certificate checks are not being conducted.

D.

The network devices ports are shut down.

Question # 15

A laptop was stolen and a network engineer added it to the block list endpoint identity group. What must be done on a new Cisco ISE deployment to redirect the laptop and restrict access?

A.

Select DenyAccess within the authorization policy.

B.

Ensure that access to port 8443 is allowed within the ACL.

C.

Ensure that access to port 8444 is allowed within the ACL.

D.

Select DROP under If Auth fail within the authentication policy.

Question # 16

What is a function of client provisioning?

A.

Client provisioning ensures that endpoints receive the appropriate posture agents.

B.

Client provisioning checks a dictionary attribute with a value.

C.

Client provisioning ensures an application process is running on the endpoint.

D.

Client provisioning checks the existence, date, and versions of the file on a client.

Question # 17

An administrator is configuring TACACS+ on a Cisco switch but cannot authenticate users with Cisco ISE. The configuration contains the correct key of Cisc039712287, but the switch is not receiving a response from the Cisco ISE instance. What must be done to validate the AAA configuration and identify the problem with the TACACS+ servers?

A.

Check for server reachability using the test aaa group tacacs+ admin legacy command.

B.

Test the user account on the server using the test aaa group radius server CUCS user admin pass legacy command.

C.

Validate that the key value is correct using the test aaa authentication admin legacy command.

D.

Confirm the authorization policies are correct using the test aaa authorization admin drop legacy command.

Question # 18

An engineer needs to configure a Cisco ISE server to issue a CoA for endpoints already authenticated to access the network. The CoA option must be enforced on a session, even if there are multiple active sessions on a port. What must be configured to accomplish this task?

A.

the Reauth CoA option in the Cisco ISE system profiling settings enabled

B.

an endpoint profiling policy with the No CoA option enabled

C.

an endpoint profiling policy with the Port Bounce CoA option enabled

D.

the Port Bounce CoA option in the Cisco ISE system profiling settings enabled

Question # 19

An administrator is attempting to join a new node to the primary Cisco ISE node, but receives the error message "Node is Unreachable". What is causing this error?

A.

The second node is a PAN node.

B.

No administrative certificate is available for the second node.

C.

The second node is in standalone mode.

D.

No admin privileges are available on the second node.

Question # 20

A network security engineer needs to configure 802.1X port authentication to allow a single host to be authenticated for data and another single host to be authenticated for voice. Which command should the engineer run on the interface to accomplish this goal?

A.

authentication host-mode single-host

B.

authentication host-mode multi-auth

C.

authentication host-mode multi-host

D.

authentication host-mode multi-domain

Question # 21

Which two methods should a sponsor select to create bulk guest accounts from the sponsor portal? (Choose two.)

A.

Random

B.

Monthly

C.

Daily

D.

Imported

E.

Known

Question # 22

What is a difference between TACACS+ and RADIUS in regards to encryption?

A.

TACACS+ encrypts only the password, whereas RADIUS encrypts the username and password.

B.

TACACS+ encrypts the username and password, whereas RADIUS encrypts only the password.

C.

TACACS+ encrypts the password, whereas RADIUS sends the entire packet in clear text.

D.

TACACS+ encrypts the entire packet, whereas RADIUS encrypts only the password.

Question # 23

An engineer is configuring sponsored guest access and needs to limit each sponsored guest to a maximum of two devices. There are other guest services in production that rely on the default guest types. How should this configuration change be made without disrupting the other guest services currently offering three or more guest devices per user?

A.

Create an ISE identity group to add users to and limit the number of logins via the group configuration.

B.

Create a new guest type and set the maximum number of devices sponsored guests can register

C.

Create an LDAP login for each guest and tag that in the guest portal for authentication.

D.

Create a new sponsor group and adjust the settings to limit the devices for each guest.

Question # 24

Which interface-level command is needed to turn on 802.1X authentication?

A.

dot1x pae authenticator

B.

dot1x system-auth-control

C.

authentication host-mode single-host

D.

aaa server radius dynamic-author

Question # 25

What are the minimum requirements for deploying the Automatic Failover feature on Administration nodes in a distributed Cisco ISE deployment?

A.

a primary and secondary PAN and a health check node for the Secondary PAN

B.

a primary and secondary PAN and no health check nodes

C.

a primary and secondary PAN and a pair of health check nodes

D.

a primary and secondary PAN and a health check node for the Primary PAN

Question # 26

What occurs when a Cisco ISE distributed deployment has two nodes and the secondary node is deregistered?

A.

The primary node restarts

B.

The secondary node restarts.

C.

The primary node becomes standalone

D.

Both nodes restart.

Question # 27

Refer to the exhibit. In which scenario does this switch configuration apply?

A.

when allowing a hub with multiple clients connected

B.

when passing IP phone authentication

C.

when allowing multiple IP phones to be connected

D.

when preventing users with hypervisor

Question # 28

A user is attempting to register a BYOD device to the Cisco ISE deployment, but needs to use the onboarding policy to request a digital certificate and provision the endpoint. What must be configured to accomplish this task?

A.

A native supplicant provisioning policy to redirect them to the BYOD portal for onboarding

B.

The Cisco AnyConnect provisioning policy to provision the endpoint for onboarding

C.

The BYOD flow to ensure that the endpoint will be provisioned prior to registering

D.

The posture provisioning policy to give the endpoint all necessary components prior to registering

Question # 29

What should be considered when configuring certificates for BYOD?

A.

An endpoint certificate is mandatory for the Cisco ISE BYOD

B.

An Android endpoint uses EST whereas other operating systems use SCEP for enrollment

C.

The CN field is populated with the endpoint host name.

D.

The SAN field is populated with the end user name

Question # 30

An administrator is configuring new probes to use with Cisco ISE and wants to use metadata to help profile the endpoints. The metadata must contain traffic information relating to the endpoints instead of industry-standard protocol information. Which probe should be enabled to meet these requirements?

A.

NetFlow probe

B.

DNS probe

C.

DHCP probe

D.

SNMP query probe

Question # 31

Which two external identity stores support EAP-TLS and PEAP-TLS? (Choose two.)

A.

Active Directory

B.

RADIUS Token

C.

Internal Database

D.

RSA SecurID

E.

LDAP

Question # 32

An engineer is configuring the remote access VPN to use Cisco ISE for AAA and needs to conduct posture checks on the connecting endpoints. After the endpoint connects, it receives its initial authorization result and continues onto the compliance scan. What must be done for this AAA configuration to allow compliant access to the network?

A.

Configure the posture authorization so it defaults to unknown status

B.

Fix the CoA port number

C.

Ensure that authorization only mode is not enabled

D.

Enable dynamic authorization within the AAA server group

Question # 33

Which use case validates a change of authorization?

A.

An authenticated, wired EAP-capable endpoint is discovered

B.

An endpoint profiling policy is changed for authorization policy.

C.

An endpoint that is disconnected from the network is discovered

D.

Endpoints are created through device registration for the guests

Question # 34

Which two fields are available when creating an endpoint on the context visibility page of Cisco ISE? (Choose two.)

A.

Policy Assignment

B.

Endpoint Family

C.

Identity Group Assignment

D.

Security Group Tag

E.

IP Address

Question # 35

An organization wants to standardize the 802.1X configuration on their switches and remove static ACLs on the switch ports while allowing Cisco ISE to communicate to the switch what access to provide. What must be configured to accomplish this task?

A.

security group tag within the authorization policy

B.

extended access-list on the switch for the client

C.

port security on the switch based on the client's information

D.

dynamic access list within the authorization profile
