ExamTopics Flashcards

1
Q

Which personas can a Cisco ISE node assume?

A. policy service, gatekeeping, and monitoring

B. administration, monitoring, and gatekeeping

C. administration, policy service, and monitoring

D. administration, policy service, gatekeeping

A

C. administration, policy service, and monitoring

Verified correct

The persona or personas of a node determine the services provided by a node. An ISE node can assume any or all of the following personas: Administration, Policy Service, and Monitoring. The menu options that are available through the administrative user interface are dependent on the role and personas that an ISE node assumes. See Cisco ISE Nodes and Available Menu Options for more information.

https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_dis_deploy.html

2
Q

What occurs when a Cisco ISE distributed deployment has two nodes and the secondary node is deregistered?

A. The secondary node restarts

B. The primary node restarts

C. Both nodes restart

D. The primary node becomes standalone

A

A. The secondary node restarts

Verified

3
Q

DRAG DROP -
Drag the steps to configure a Cisco ISE node as a primary administration node from the left into the correct order on the right.
Select and Place:

A

Verified

4
Q

Which two features are available when the primary admin node is down and the secondary admin node has not been promoted? (Choose two.)

A. new AD user 802.1X authentication

B. hotspot

C. posture

D. guest AUP

E. BYOD

A

A. new AD user 802.1X authentication

C. posture

Verified

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_011.html#ID57

5
Q

Which supplicant(s) and server(s) are capable of supporting EAP-CHAINING?

A. Cisco Secure Services Client and Cisco Access Control Server

B. Cisco AnyConnect NAM and Cisco Identity Service Engine

C. Cisco AnyConnect NAM and Cisco Access Control Server

D. Windows Native Supplicant and Cisco Identity Service Engine

A

B. Cisco AnyConnect NAM and Cisco Identity Service Engine

Verified

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/eap-fast/200322-Understanding-EAP-FAST-and-Chaining-imp.html

6
Q

What is a requirement for Feed Service to work?

A. TCP port 8080 must be opened between Cisco ISE and the feed server.

B. Cisco ISE has access to an internal server to download feed update.

C. Cisco ISE has a base license.

D. Cisco ISE has Internet access to download feed update.

A

D. Cisco ISE has Internet access to download feed update.

Verified

7
Q

What is a method for transporting security group tags throughout the network?

A. by embedding the security group tag in the 802.1Q header

B. by the Security Group Tag Exchange Protocol

C. by enabling 802.1AE on every network device

D. by embedding the security group tag in the IP header

A

B. by the Security Group Tag Exchange Protocol

Verified

Cisco Identity Services Engine Administrator Guide, Release 2.1 - Cisco TrustSec Policies Configuration [Cisco Identity Services Engine] - Cisco

8
Q

An engineer is configuring a virtual Cisco ISE deployment and needs each persona to be on a different node.
Which persona should be configured with the largest amount of storage in this environment?

A. Monitoring and Troubleshooting

B. Policy Services

C. Primary Administration

D. Platform Exchange Grid

A

A. Monitoring and Troubleshooting

Verified

https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/install_guide/b_ise_InstallationGuide21/b_ise_InstallationGuide21_chapter_011.html

9
Q

In a standalone Cisco ISE deployment, which two personas are configured on a node? (Choose two.)

A. subscriber

B. primary

C. administration

D. publisher

E. policy service

A

C. administration

E. policy service

Verified

The Administration, Policy Service, and Monitoring personas will be enabled by default in a standalone ISE node. You must first configure a primary Administration ISE node and then register secondary nodes to set up a distributed deployment.

10
Q

A network engineer must enforce access control using special tags, without re-engineering the network design. Which feature should be configured to achieve this in a scalable manner?

A. RBAC

B. dACL

C. SGT

D. VLAN

A

C. SGT

Verified

Security Group Tags allow an organization to create policies based on a user's, device's, or server's role in the network, providing a layer of abstraction: security policies are based on an SGT rather than on IP addresses in ACLs.

Enforcement is the process in which a TrustSec or role-based policy, either locally defined or (more commonly) defined within Cisco ISE, is acted upon and traffic between a source SGT and a destination SGT is either permitted or denied. Enforcement is carried out through a Security Group ACL (SGACL) on switches, or through security policies on an ASA or IOS firewall, commonly referred to as a Security Group Firewall (SG-FW).

11
Q

A network engineer is configuring a network device that needs to filter traffic based on security group tags using a security policy on a routed interface. Which command should be used to accomplish this task?

A. cts role-based policy priority-static

B. cts cache enable

C. cts authorization list

D. cts role-based enforcement

A

D. cts role-based enforcement

Verified

  • Switch(config-if)# cts role-based enforcement
    • Enables Cisco TrustSec SGACL policy enforcement on routed interfaces
    • https://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/sgacl_config.html

12
Q

In a Cisco ISE split deployment model, which load is split between the nodes?

A. log collection

B. device admission

C. AAA

D. network admission

A

C. AAA

Verified

In split Cisco ISE deployments, you continue to maintain primary and secondary nodes as described for a small Cisco ISE deployment. However, the AAA load is split between the two Cisco ISE nodes to optimize the AAA workflow. Each Cisco ISE appliance (primary or secondary) must be able to handle the full workload if there are any problems with AAA connectivity. Neither the primary nor the secondary node handles all AAA requests during normal network operations, because this workload is distributed between the two nodes.

The ability to split the load in this way directly reduces the stress on each Cisco ISE node in the system. In addition, splitting the load provides better loading while the functional status of the secondary node is maintained during the course of normal network operations. In split Cisco ISE deployments, each node can perform its own specific operations, such as network admission or device administration, and still perform all the AAA functions in the event of a failure. If you have two Cisco ISE nodes that process authentication requests and collect accounting data from AAA clients, we recommend that you set up one of the Cisco ISE nodes to act as a log collector.

13
Q

How is policy services node redundancy achieved in a deployment?

A. by creating a node group

B. by deploying both primary and secondary node

C. by enabling VIP

D. by utilizing RADIUS server list on the NAD

A

A. by creating a node group

Verified

High Availability in Policy Service Nodes

To detect node failure and to reset all URL-redirected sessions on the failed node, two or more PSNs can be placed in the same node group. When a node that belongs to a node group fails, another node in the same node group issues a Change of Authorization (CoA) for all URL-redirected sessions on the failed node.

All the nodes within the same node group should be configured on the network access device (NAD) as RADIUS clients and authorized for CoA, because any one of them can issue a CoA request for the sessions that are established through any node in the node group. If you are not using a load balancer, the nodes in a node group should be the same as, or a subset of, the RADIUS servers and clients configured on the NAD. These nodes should also be configured as RADIUS servers.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_setup_cisco_ise.html#ID64

14
Q

Which two fields are available when creating an endpoint on the context visibility page of Cisco ISE? (Choose two.)

A. Security Group Tag

B. Endpoint Family

C. Policy Assignment

D. Identity Group Assignment

E. IP Address

A

C. Policy Assignment

D. Identity Group Assignment

Verified

Looked at our ISE server

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_010101.html

15
Q

In which two ways can users and endpoints be classified for TrustSec? (Choose two.)

A. VLAN

B. dynamic

C. QoS

D. SGACL

E. SXP

A

A. VLAN

B. dynamic

Verified

Because “Static” and “Dynamic” are the two ways

VLAN = STATIC

802.1x, MAB, or web authentication = DYNAMIC

Classification

In order to use SGTs within your infrastructure, your devices must support SGTs. All Cisco switches and wireless controllers embedded with Cisco TrustSec technology support the assignment of SGTs. An SGT can be assigned dynamically or statically. Dynamic classification occurs via an authentication sequence: 802.1x, MAB, or web authentication. When authentication isn't available, static classification methods are necessary. In static classification the tag maps to something (an IP address, subnet, VLAN, or interface) rather than relying on an authorization from Cisco ISE. This process of assigning the SGT is defined as "classification." These classifications are then transported deeper into the network for policy enforcement.

https://www.cisco.com/c/dam/en/us/solutions/collateral/borderless-networks/trustsec/C07-730151-00_overview_of_trustSec_og.pdf

16
Q

When configuring Active Directory groups, what does the Cisco ISE use to resolve ambiguous group names?

A. MIB

B. SID

C. MAB

D. TGT

A

B. SID

Verified

Ambiguous Identity Resolution

If the user or machine name received by Cisco ISE is ambiguous, that is, it is not unique, it can cause problems for users when they try to authenticate. Identity clashes occur when the user does not have a domain markup, or when there are multiple identities with the same username in more than one domain. For example, userA exists on domain1 and another userA exists on domain2. You can use the identity resolution setting to define the scope of the resolution for such users. Cisco highly recommends that you use qualified names such as UPN or NetBIOS. A qualified name reduces the chance of ambiguity and increases performance by reducing delays.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_2x.html

17
Q

Which permission is common to the Active Directory Join and Leave operations?

A. Remove the Cisco ISE machine account from the domain.

B. Search Active Directory to see if a Cisco ISE machine account already exists.

C. Set attributes on the Cisco ISE machine account.

D. Create a Cisco ISE machine account in the domain if the machine account does not already exist.

A

B. Search Active Directory to see if a Cisco ISE machine account already exists.

Verified

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/ise_active_directory_integration/b_ISE_AD_integration_2x.html

See the table "Active Directory Account Permissions Required to Perform Various Operations".

18
Q

Which interface-level command is needed to turn on 802.1X authentication?

A. dot1x system-auth-control

B. dot1x pae authenticator

C. aaa server radius dynamic-author

D. authentication host-mode single-host

A

B. dot1x pae authenticator

Verified

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/31sg/configuration/guide/conf/dot1x.html

19
Q

Which RADIUS attribute is used to dynamically assign the Inactivity active timer for MAB users from the Cisco ISE node?

A. session-timeout

B. termination-action

C. radius-server timeout

D. idle-timeout

A

D. idle-timeout

Verified

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/MAB/MAB_Dep_Guide.html#wp392385

Inactivity Timer

When the inactivity timer is enabled, the switch monitors the activity from authenticated endpoints. When the inactivity timer expires, the switch removes the authenticated session.

The inactivity timer for MAB can be statically configured on the switch port, or it can be dynamically assigned using the RADIUS idle-timeout attribute (Attribute 28). Cisco recommends setting the timer using the RADIUS attribute because this approach gives you control over which endpoints are subject to this timer and the length of the timer for each class of endpoints. For example, endpoints that are known to be quiet for long periods of time can be assigned a longer inactivity timer value than chatty endpoints.

The inactivity timer is an indirect mechanism that the switch uses to infer that an endpoint has disconnected. An expired inactivity timer cannot guarantee that an endpoint has disconnected. Therefore, a quiet endpoint that does not send traffic for long periods of time, such as a network printer that services occasional requests but is otherwise silent, may have its session cleared even though it is still connected. That endpoint must then send traffic before it can be authenticated again and have access to the network.

20
Q

What does the dot1x system-auth-control command do?

A. globally enables 802.1x

B. causes a network access switch not to track 802.1x sessions

C. enables 802.1x on a network access device interface

D. causes a network access switch to track 802.1x sessions

A

A. globally enables 802.1x

Verified

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/XE3-8-0E/15-24E/configuration/guide/xe-380-configuration/dot1x.html

21
Q

What should be configured on the Cisco ISE authentication policy for unknown MAC addresses/identities for a successful authentication?

A. continue

B. pass

C. drop

D. reject

A

A. continue

22
Q

Which command displays all 802.1X/MAB sessions that are active on the switch ports of a Cisco Catalyst switch?

A. show authentication sessions interface Gi1/0/x output

B. show authentication sessions

C. show authentication sessions output

D. show authentication sessions interface Gi 1/0/x

A

B. show authentication sessions

Verified

ET community

23
Q

What are two requirements of generating a single certificate in Cisco ISE by using a certificate provisioning portal, without generating a certificate signing request? (Choose two.)

A. Enter the IP address of the device.

B. Enter the common name.

C. Choose the hashing method.

D. Locate the CSV file for the device MAC.

E. Select the certificate template.

A

B. Enter the common name.

E. Select the certificate template.

Verified

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200534-ISE-2-0-Certificate-Provisioning-Portal.html

24
Q

Refer to the exhibit. Which command is typed within the CLI of a switch to view the troubleshooting output?

A. show authentication sessions mac 000e.84af.59af details

B. show authentication registrations

C. show authentication interface gigabitethernet2/0/36

D. show authentication sessions method

A

A. show authentication sessions mac 000e.84af.59af details

Verified

show authentication sessions [handle handle-number | interface type number | mac mac-address | method method-name interface type number | session-id session-id]

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-xe-3se-3850-cr-book/sec-s1-xe-3se-3850-cr-book_chapter_01.html#wp3404908137

25
Q

What gives Cisco ISE an option to scan endpoints for vulnerabilities?

A. authentication policy

B. authorization profile

C. authentication profile

D. authorization policy

A

B. authorization profile

Verified

Configure Authorization Profile

The authorization profile in Cisco ISE now includes an option to scan endpoints for vulnerabilities. You can choose to run the scan periodically and also specify the time interval for these scans. After you define the authorization profile, you can apply it to an existing authorization policy rule or create a new authorization policy rule.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_010100.html

26
Q

Which two values are compared by the binary comparison function in authentication that is based on Active Directory?

A. user-presented certificate and a certificate stored in Active Directory

B. MS-CHAPv2 provided machine credentials and credentials stored in Active Directory

C. user-presented password hash and a hash stored in Active Directory

D. subject alternative name and the common name

A

D. subject alternative name and the common name

Verified

A is the correct answer. Always perform binary comparison—This option always performs the binary comparison of the client certificate to the certificate on account in the identity store (Active Directory or LDAP).

https://www.cisco.com/c/en/us/td/docs/security/ise/1-3/ISE-ADIntegrationDoc/b_ISE-ADIntegration.html

27
Q

What happens when an internal user is configured with an external identity store for authentication, but an engineer uses the Cisco ISE admin portal to select an internal identity store as the identity source?

A. Authentication is redirected to the internal identity source.

B. Authentication is granted.

C. Authentication fails.

D. Authentication is redirected to the external identity source.

A

C. Authentication fails.

Verified

If an internal user is configured with an external identity store for authentication, while logging in to the ISE Admin portal, the internal user must select the external identity store as the Identity Source. Authentication will fail if Internal Identity Source is selected.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/b_ise_27_admin_guide/b_ISE_admin_27_overview.html

28
Q

Which two actions occur when a Cisco ISE server device administrator logs in to a device? (Choose two.)

A. The Cisco ISE server queries the internal identity store.

B. The device queries the external identity store.

C. The device queries the Cisco ISE authorization server.

D. The device queries the internal identity store.

E. The Cisco ISE server queries the external identity store.

A

C. The device queries the Cisco ISE authorization server.

E. The Cisco ISE server queries the external identity store.

C seems correct but not sure about E as it could be internal or external

ambiguous and needs further research

When a device administrator logs on to a device, the device queries the Cisco ISE server, which in turn queries an internal or external identity store, to validate the details of the device administrator. When the validation is done by the Cisco ISE server, the device informs the Cisco ISE server of the final outcome of each session or command authorization operation for accounting and auditing purposes.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/b_ise_27_admin_guide/b_ISE_admin_27_device_admin.html#concept_9B1DD5A7AD9C445AAC764722E6E7D32A

29
Q

An engineer is configuring a guest password policy and needs to ensure that the password complexity requirements are set to mitigate brute force attacks. Which two requirements should be included in this policy? (Choose two.)

A. active username limit

B. password expiration period

C. access code control

D. username expiration date

E. minimum password length

A

B. password expiration period

E. minimum password length

Verified

30
Q

An engineer is using the low-impact mode for a phased deployment of Cisco ISE and is trying to connect to the network prior to authentication. Which access will be denied in this deployment?

A. DNS

B. DHCP

C. EAP

D. HTTP

A

D. HTTP

Not verified

31
Q

An administrator needs to connect ISE to Active Directory as an external authentication source and allow the proper ports through the firewall. Which two ports should be opened to accomplish this task? (Choose two.)

A. TELNET: 23

B. HTTPS: 443

C. HTTP: 80

D. LDAP: 389

E. MSRPC:445

A

D. LDAP: 389

E. MSRPC:445

Verified

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_2x.html

32
Q

An engineer is implementing Cisco ISE and needs to configure 802.1X. The port settings are configured for port-based authentication. Which command should be used to complete this configuration?

A. aaa authentication dot1x default group radius

B. dot1x system-auth-control

C. authentication port-control auto

D. dot1x pae authenticator

A

B. dot1x system-auth-control

Verified

https://www.cisco.com/c/en/us/td/docs/routers/nfvis/switch_command/b-nfvis-switch-command-reference/802_1x_commands.html#wp6241455730

33
Q

A network administrator has just added a front desk receptionist account to the Cisco ISE Guest Service sponsor group. Using the Cisco ISE Guest Sponsor Portal, which guest services can the receptionist provide?

A. Keep track of guest user activities.

B. Create and manage guest user accounts.

C. Configure authorization settings for guest users.

D. Authenticate guest users to Cisco ISE.

A

B. Create and manage guest user accounts.

Verified

Your Role as a Sponsor

As a sponsor, you are responsible for using the Sponsor portal to create and manage guest accounts for authorized visitors to your organization. These accounts enable visitors to access your company’s network or provide access to the Internet. When creating these accounts, follow your company guidelines for providing network access to visitors. Cisco ISE saves the entire guest process for auditing and reporting purposes, which your company can use to verify that only authorized visitors have been granted network access.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/sponsor_guide/b_spons_SponsorPortalUserGuide_21/Support_Guests.html

34
Q

What is needed to configure wireless guest access on the network?

A. endpoint already profiled in ISE

B. WEBAUTH ACL for redirection

C. Captive Portal Bypass turned on

D. valid user account in Active Directory

A

B. WEBAUTH ACL for redirection

Verified

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

35
Q

Which two methods should a sponsor select to create bulk guest accounts from the sponsor portal? (Choose two.)

A. Known

B. Monthly

C. Daily

D. Imported

E. Random

A

D. Imported

E. Random

Verified

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/sponsor_guide/b_spons_SponsorPortalUserGuide_20/Create_Guest___Accounts.html#task_5AD3C531980C4597A43A442F37EF2DFE

36
Q

What is a valid guest portal type?

A. Sponsor

B. Sponsored-Guest

C. Captive-Guest

D. My Devices

A

B. Sponsored-Guest

Verified

https://www.kareemccie.com/2020/04/ise-guest-portals.html

37
Q

What is the purpose of the ip http server command on a switch?

A. It enables the https server for users for web authentication.

B. It enables dot1x authentication on the switch.

C. It enables MAB authentication on the switch.

D. It enables the switch to redirect users for web authentication.

A

D. It enables the switch to redirect users for web authentication.

Verified

https://www.packetmischief.ca/2012/02/09/cisco-ise-and-ip-http-server/

38
Q

Which advanced option within a WLAN must be enabled to trigger Central Web Authentication for Wireless users on the AireOS controller?

A. DHCP server

B. override Interface ACL

C. static IP tunneling

D. AAA override

A

D. AAA override

Verified

https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_010110111.html

39
Q

Which configuration is required in the Cisco ISE authentication policy to allow Central Web Authentication?

A. MAB and if user not found, continue

B. MAB and if authentication failed, continue

C. Dot1x and if authentication failed, continue

D. Dot1x and if user not found, continue

A

A. MAB and if user not found, continue

Verified

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

40
Q

An engineer is configuring web authentication using non-standard ports and needs the switch to redirect traffic to the correct port. Which command should be used to accomplish this task?

A. permit tcp any any eq

B. ip http port

C. aaa group server radius

D. aaa group server radius proxy

A

B. ip http port

Verified

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/113362-config-web-auth-ise-00.html

41
Q

An engineer is using Cisco ISE and configuring guest services to allow wireless devices to access the network. Which action accomplishes this task?

A. Create the redirect ACL on Cisco ISE and add it to the Cisco ISE Policy.

B. Create the redirect ACL on the WLC and add it to the WLC policy.

C. Create the redirect ACL on Cisco ISE and add it to the WLC policy.

D. Create the redirect ACL on the WLC and add it to the Cisco ISE policy.

A

D. Create the redirect ACL on the WLC and add it to the Cisco ISE policy.

Not verified

42
Q

An engineer is configuring web authentication and needs to allow specific protocols to permit DNS traffic. Which type of access list should be used for this configuration?

A. extended ACL

B. reflexive ACL

C. numbered ACL

D. standard ACL

A

A. extended ACL

Verified

Standard ACL

  • Checks ACL source address
  • Permits or denies entire protocol suite

Extended ACL

  • Checks source and destination address
  • Generally permits or denies specific protocols and applications
  • Source and destination TCP and UDP ports
  • Protocol type (IP, ICMP, UDP, TCP or protocol number)

43
Q

An administrator is adding a switch to a network that is running Cisco ISE and is only for IP Phones. The phones do not have the ability to authenticate via 802.1X. Which command is needed on each switch port for authentication?

A. dot1x system-auth-control

B. enable bypass-MAC

C. enable network-authentication

D. mab

A

D. mab

Not verified

44
Q

A network engineer needs to ensure that the access credentials are not exposed during the 802.1X authentication among components. Which two protocols should be configured to accomplish this task? (Choose two.)

A. PEAP

B. EAP-TLS

C. EAP-MD5

D. EAP-TTLS

E. LEAP

A

A. PEAP

B. EAP-TLS

Verified

Cisco book

45
Q

What is the minimum certainty factor when creating a profiler policy?

A. the minimum number that a predefined condition provides

B. the maximum number that a predefined condition provides

C. the minimum number that a device certainty factor must reach to become a member of the profile

D. the maximum number that a device certainty factor must reach to become a member of the profile

A

C. the minimum number that a device certainty factor must reach to become a member of the profile

Verified

Certainty Factor

The minimum certainty metric in the profiling policy evaluates the matching profile for an endpoint. Each rule in an endpoint profiling policy has a minimum certainty metric (an integer value) associated with the profiling conditions. The certainty metric is a measure that is added for all the valid rules in an endpoint profiling policy, and it measures how each condition in an endpoint profiling policy contributes to improving the overall classification of endpoints.

The certainty metric for each rule contributes to the overall matching of the endpoint profiles into a specific category of endpoints. The certainty metrics for all the valid rules are added together to form the matching certainty. It must exceed the minimum certainty factor that is defined in an endpoint profiling policy. By default, the minimum certainty factor for all new profiling policy rules and predefined profiling policies is 10.

46
Q

What sends the redirect ACL that is configured in the authorization profile back to the Cisco WLC?

A. State attribute

B. Class attribute

C. Event

D. Cisco-av-pair

A

D. Cisco-av-pair

Verified

https://community.cisco.com/t5/network-access-control/ise-airespace-acl-wlc-problem/td-p/2110491

47
Q

Which profiling probe collects the user-agent string?

A. DHCP

B. HTTP

C. NMAP

D. AD

A

B. HTTP

Verified

HTTP Probe

In the HTTP probe, the identification string is transmitted in the HTTP request-header field User-Agent, which is an attribute that can be used to create a profiling condition of IP type and to check the web browser information. The profiler captures the web browser information from the User-Agent attribute along with other HTTP attributes from the request messages and adds them to the list of endpoint attributes.

Cisco ISE listens to communication from the web browsers on both port 80 and port 8080. Cisco ISE provides many default profiles, which are built in to the system to identify endpoints based on the User-Agent attribute.

HTTP probe is enabled by default. Multiple ISE services such as CWA, Hotspot, BYOD, MDM, and Posture rely on URL-redirection of the client’s web browser. The redirected traffic includes the RADIUS session ID of the connected endpoint. When a PSN terminates these URL-redirected flows, it has visibility into the decrypted HTTPS data. Even when the HTTP probe is disabled on the PSN, the node will parse the browser user agent string from the web traffic and correlate the data to the endpoint based on its associated session ID. When browser strings are collected through this method, the source of the data is listed as Guest Portal or CP (Client Provisioning) rather than HTTP Probe.

48
Q

Which use case validates a change of authorization?

A. An endpoint that is disconnected from the network is discovered.

B. Endpoints are created through device registration for the guests.

C. An endpoint profiling policy is changed for authorization policy.

D. An authenticated, wired EAP-capable endpoint is discovered.

A

C. An endpoint profiling policy is changed for authorization policy

Verified

An endpoint profiling policy has changed and the policy is used in an authorization policy—When an endpoint profiling policy changes and the policy is included in a logical profile that is used in an authorization policy. The endpoint profiling policy may change due to the profiling policy match or when an endpoint is statically assigned to an endpoint profiling policy, which is associated with a logical profile. In both cases, the profiling service issues a CoA, only when the endpoint profiling policy is used in an authorization policy.

49
Q

Which default endpoint identity group does an endpoint that does not match any profile in Cisco ISE become a member of?

A. block list

B. unknown

C. allow list

D. profiled

E. endpoint

A

B. unknown

Verified

Policy Assignment

If you do not have a matching profiling policy, you can assign an unknown profiling policy. The endpoint is therefore profiled as Unknown. The endpoint that does not match any profile is grouped within the Unknown identity group. The endpoint profiled to the Unknown profile requires that you create a profile with an attribute or a set of attributes collected for that endpoint.

https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_identities.html

50
Q

What service can be enabled on the Cisco ISE node to identify the types of devices connecting to a network?

A. profiling

B. central web authentication

C. MAB

D. posture

A

A. profiling

Verified

The profiling service in Cisco Identity Services Engine (ISE) identifies the devices that connect to your network and their location. The endpoints are profiled based on the endpoint profiling policies configured in Cisco ISE. Cisco ISE then grants permission to the endpoints to access the resources in your network based on the result of the policy evaluation.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_010100.html

51
Q

Which two probes must be enabled for the ARP cache to function in the Cisco ISE profiling service so that a user can reliably bind the IP addresses and MAC addresses of endpoints? (Choose two.)

A. SNMP

B. HTTP

C. RADIUS

D. DHCP

E. NetFlow

A

C. RADIUS

D. DHCP

Verified

https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_010100.html

52
Q

Which two events trigger a CoA for an endpoint when CoA is enabled globally for ReAuth? (Choose two.)

A. addition of endpoint to My Devices Portal

B. endpoint marked as lost in My Devices Portal

C. updating of endpoint dACL

D. endpoint profile transition from Apple-device to Apple-iPhone

E. endpoint profile transition from Unknown to Windows10-Workstation

A

D. endpoint profile transition from Apple-device to Apple-iPhone

E. endpoint profile transition from Unknown to Windows10-Workstation

Not verified

53
Q

Which two ports do network devices typically use for CoA? (Choose two.)

A. 19005

B. 443

C. 3799

D. 8080

E. 1700

A

C. 3799

E. 1700

Verified

https://documentation.meraki.com/MR/Encryption_and_Authentication/Change_of_Authorization_with_RADIUS_(CoA)_on_MR_Access_Points

54
Q

Which three default endpoint identity groups does Cisco ISE create? (Choose three.)

A. endpoint

B. unknown

C. block list

D. profiled

E. allow list

A

B. unknown

C. block list

D. profiled

Verified

Endpoint Identity Groups

An endpoint identity group is used to group all the identified endpoints on your network according to their profiles. Cisco ISE creates the following three identity groups in the system: Blacklist, Profiled, and Unknown. In addition, it creates two more identity groups, Cisco-IP-Phone and Workstation, which are associated with the Profiled (parent) identity group.

https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_identities.html#wp1203054

55
Q

An engineer is working with a distributed deployment of Cisco ISE and needs to configure various network probes to collect a set of attributes from the endpoints on the network. Which node should be used to accomplish this task?

A. policy service

B. monitoring

C. primary policy administrator

D. pxGrid

A

A. policy service

Verified

Configuring Profiler Policies [Cisco Identity Services Engine] - Cisco Systems

The profiler service collects attributes of endpoints from the network devices and the network, classifies endpoints in a specific group according to their profiles, and stores endpoints with their matched profiles in the Cisco ISE database.

56
Q

An engineer is configuring Cisco ISE to reprofile endpoints based only on new requests of INIT-REBOOT and SELECTING message types. Which probe should be used to accomplish this task?

A. DHCP

B. DNS

C. NMAP

D. RADIUS

A

A. DHCP

Verified

The DHCP probe in your Cisco ISE deployment, when enabled, allows the Cisco ISE profiler service to re-profile endpoints based only on new requests of the INIT-REBOOT and SELECTING message types. Though other DHCP message types, such as RENEWING and REBINDING, are processed, they are not used for profiling endpoints. Any attribute parsed out of DHCP packets is mapped to endpoint attributes.

57
Q

An engineer is configuring Cisco ISE and needs to dynamically identify the network endpoints and ensure that endpoint access is protected. Which service should be used to accomplish this task?

A. guest access

B. profiling

C. posture

D. client provisioning

A

B. profiling

Verified

58
Q

What should be considered when configuring certificates for BYOD?

A. The SAN field is populated with the end user name.

B. The CN field is populated with the endpoint hostname.

C. An endpoint certificate is mandatory for the Cisco ISE BYOD.

D. An Android endpoint uses EST, whereas other operating systems use SCEP for enrollment.

A

C. An endpoint certificate is mandatory for the Cisco ISE BYOD

Verified

59
Q

During BYOD flow, where does a Microsoft Windows PC download the Network Setup Assistant?

A. Microsoft App Store

B. Cisco App Store

C. Cisco ISE directly

D. Native OTA functionality

A

C. Cisco ISE directly

Verified

Endpoint Onboarding

When leveraging ISE for BYOD, there are a few actions that the endpoint needs to perform, which include starting the communication with the proper ISE node via the BYOD portal, creating a digital certificate pair, submitting a certificate signing request, and configuring the network profile. Some operating systems have provisions for such functions natively, while others require downloading and temporarily running an application to assist with the flow. Aside from Apple mobile devices (iOS), ISE leverages the Network Setup Assistant (NSA, also known as the Supplicant Provisioning Wizard (SPW)) to ease the BYOD flow for the users. NSA is an application that is downloaded to the endpoint either from ISE itself or from the app store for each of the endpoint types. NSA assists the user to generate a certificate pair, install the signed certificate, and configure network and proxy settings on the endpoint.

https://ciscocustomer.lookbookhq.com/iseguidedjourney/BYOD-configuration

60
Q

What allows an endpoint to obtain a digital certificate from Cisco ISE during a BYOD flow?

A. Application Visibility and Control

B. Supplicant Provisioning Wizard

C. My Devices Portal

D. Network Access Control

A

B. Supplicant Provisioning Wizard

Verified

Aside from Apple mobile devices (iOS), ISE leverages the Network Setup Assistant (NSA, also known as the Supplicant Provisioning Wizard (SPW)) to ease the BYOD flow for the users. NSA is an application that is downloaded to the endpoint either from ISE itself or from the app store for each of the endpoint types. NSA assists the user to generate a certificate pair, install the signed certificate, and configure network and proxy settings on the endpoint.

61
Q

Which protocol must be allowed for a BYOD device to access the BYOD portal?

A. HTTPS

B. HTTP

C. SSH

D. SMTP

A

A. HTTPS

Not verified

62
Q

Which two components are required for creating a Native Supplicant Profile within a BYOD flow? (Choose two.)

A. Redirect ACL

B. Connection Type

C. Operating System

D. Windows Settings

E. iOS Settings

A

B. Connection Type

C. Operating System

Verified

Personal Devices on a Corporate Network (BYOD)

When supporting personal devices on a corporate network, you must protect network services and enterprise data by authenticating and authorizing users (employees, contractors, and guests) and their devices. Cisco ISE provides the tools you need to allow employees to securely use personal devices on a corporate network.

Guests can automatically register their devices when logging in to the Guest portals. Guests can register additional devices up to the maximum limit that you define in their guest type. These devices are registered into endpoint identity groups based on the portal configuration.

Guests can add their personal devices to the network by running the native supplicant provisioning (Network Setup Assistant), or by adding their devices to the My Devices portal. You can create native supplicant profiles, which determine the proper native supplicant provisioning wizard to use, based on the operating system.

Because native supplicant profiles are not available for all devices, users can use the My Devices portal to add these devices manually; or you can configure BYOD rules to register these devices.

63
Q

If a user reports a device lost or stolen, which portal should be used to prevent the device from accessing the network while still providing information about why the device is blocked?

A. Client Provisioning

B. BYOD

C. Guest

D. Blocklist

A

D. Blocklist

Verified

Blacklist Portal—Provide information about personal devices that are block-listed and cannot be used to gain access to the network.

https://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_010000.html

64
Q

Which two endpoint compliance statuses are possible? (Choose two.)

A. compliant

B. valid

C. unknown

D. known

E. invalid

A

A. compliant

C. unknown

Verified

When successfully postured, Cisco ISE allows clients to transition from unknown to compliant mode.

65
Q

Which portal is used to customize the settings for a user to log in and download the compliance module?

A. Client Provisioning

B. Client Endpoint

C. Client Profiling

D. Client Guest

A

A. Client Provisioning

Verified

Client provisioning resources are downloaded to endpoints after the endpoint connects to the network. Client provisioning resources consist of compliance and posture agents for desktops, and native supplicant profiles for phones and tablets. Client provisioning policies assign these provisioning resources to endpoints to start a network session.

66
Q

Which Cisco ISE service allows an engineer to check the compliance of endpoints before connecting to the network?

A. qualys

B. posture

C. personas

D. nexpose

A

B. posture

Verified

67
Q

Which two ports must be open between Cisco ISE and the client when you configure posture on Cisco ISE? (Choose two.)

A. TCP 80

B. TCP 8905

C. TCP 8443

D. TCP 8906

E. TCP 443

A

B. TCP 8905

C. TCP 8443

Verified

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/installation_guide/b_ise_InstallationGuide20/Cisco_SNS_3400_Series_Appliance_Ports_Reference.html

68
Q

What are two components of the posture requirement when configuring Cisco ISE posture? (Choose two.)

A. Client Provisioning portal

B. remediation actions

C. updates

D. access policy

E. conditions

A

B. remediation actions

E. conditions

Verified

https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273

Check the video:

“Posture Requirements”

69
Q

Which term refers to an endpoint agent that tries to join an 802.1X-enabled network?

A. EAP server

B. authenticator

C. supplicant

D. client

A

C. supplicant

Verified

70
Q

Which port does Cisco ISE use for native supplicant provisioning of a Windows laptop?

A. TCP 8905

B. TCP 8909

C. TCP 443

D. UDP 1812

A

B. TCP 8909

Verified

Open up TCP port 8909 and UDP port 8909 to enable installation of Cisco NAC Agent, Cisco NAC Web Agent, and supplicant provisioning wizard. For more information about port usage, see the “Cisco ISE Appliance Ports Reference” appendix in the Cisco Identity Services Engine Hardware Installation Guide.

71
Q

DRAG DROP -
Drag the Cisco ISE node types from the left onto the appropriate purposes on the right.
Select and Place:

A
72
Q

What must match between Cisco ISE and the network access device to successfully authenticate endpoints?

A. shared secret

B. profile

C. certificate

D. SNMP version

A

A. shared secret

Verified

When Cisco ISE receives a RADIUS request from a network device, it looks for the corresponding device definition to retrieve the shared secret that is configured. If it finds the device definition, it obtains the shared secret that is configured on the device and matches it against the shared secret in the request to authenticate access. If it does not find the device definition, it obtains the shared secret from the default network device and processes the request. If the shared secrets match, network access is granted. A passed authentication report is generated. If they do not match, a reject response is sent to the device. A failed authentication report is generated, which provides the failure reason.

https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_network_devices.html

73
Q

When planning for the deployment of Cisco ISE, an organization’s security policy dictates that they must use network access authentication via RADIUS. It also states that the deployment needs to provide an adequate amount of security and visibility for the hosts on the network.
Why should the engineer configure MAB in this situation?

A. The Cisco switches only support MAB.

B. MAB provides the strongest form of authentication available.

C. MAB provides user authentication.

D. The devices in the network do not have a supplicant

A

D. The devices in the network do not have a supplicant

Not verified

74
Q

Which two task types are included in the Cisco ISE common tasks support for TACACS+ profiles? (Choose two.)

A. ASA

B. Firepower

C. Shell

D. WLC

E. IOS

A

C. Shell

D. WLC

Verified

Common Tasks Settings

In the Cisco ISE GUI, click the Menu icon and choose Work Centers > Device Administration > Policy Elements > Results > TACACS Profiles > Add to view the common tasks settings window. The Common Task Types are Shell, WLC, Nexus, and Generic.

75
Q

What are two benefits of TACACS+ versus RADIUS for device administration? (Choose two.)

A. TACACS+ has command authorization, and RADIUS does not.

B. TACACS+ uses UDP, and RADIUS uses TCP.

C. TACACS+ supports 802.1X, and RADIUS supports MAB.

D. TACACS+ provides the service type, and RADIUS does not.

E. TACACS+ encrypts the whole payload, and RADIUS encrypts only the password.

A

A. TACACS+ has command authorization, and RADIUS does not.

E. TACACS+ encrypts the whole payload, and RADIUS encrypts only the password.

Verified

TACACS+ Command Sets

Command sets enforce the specified list of commands that can be executed by a device administrator. When a device administrator issues operational commands on a network device, Cisco ISE is queried to determine whether the administrator is authorized to issue these commands. This is also referred to as command authorization.

76
Q

Which two features must be used on Cisco ISE to enable the TACACS+ feature? (Choose two.)

A. Command Sets

B. Server Sequence

C. Device Administration License

D. External TACACS Servers

E. Device Admin Service

A

C. Device Administration License

E. Device Admin Service

Verified

A Device Administration license allows you to use TACACS services on a Policy Service node. In a high-availability standalone deployment, a Device Administration license permits you to use TACACS services on a single Policy Service node in the high-availability pair.

You should check the Enable Device Admin Service check box in the Administration > System Deployment > General Settings page to enable TACACS+ operations. Ensure that this option is enabled in each PSN in a deployment.

77
Q

Which are two characteristics of TACACS+? (Choose two.)

A. It separates authorization and authentication functions.

B. It combines authorization and authentication functions.

C. It uses UDP port 49.

D. It encrypts the password only.

E. It uses TCP port 49.

A

A. It separates authorization and authentication functions.

E. It uses TCP port 49.

Verified

The TACACS Ports field allows you to enter a maximum of four TCP ports, which are comma-separated; port values range from 1 to 65535. Cisco ISE nodes and their interfaces listen for TACACS+ requests on the specified ports, and you must ensure that the specified ports are not used by other services. The default TACACS+ port value is 49.

TACACS+ Authorization: Happens after a successful TACACS+ authentication.

78
Q

A user reports that the RADIUS accounting packets are not being seen on the Cisco ISE server.
Which command is the user missing in the switch’s configuration?

A. aaa accounting resource default start-stop group radius

B. radius-server vsa send accounting

C. aaa accounting network default start-stop group radius

D. aaa accounting exec default start-stop group radius

A

C. aaa accounting network default start-stop group radius

Not verified

79
Q

Which two responses from the RADIUS server to NAS are valid during the authentication process? (Choose two.)

A. access-challenge

B. access-accept

C. access-request

D. access-reserved

E. access-response

A

A. access-challenge

B. access-accept

Not verified

80
Q

What is a characteristic of the UDP protocol?

A. UDP can detect when a server is down.

B. UDP can detect when a server is slow.

C. UDP offers best-effort delivery.

D. UDP offers information about a non-existent server.

A

C. UDP offers best-effort delivery.

Verified

81
Q

Refer to the exhibit.

A network engineer is configuring the switch to accept downloadable ACLs from a Cisco ISE server. Which two commands should be run to complete the configuration? (Choose two.)

A. radius-server attribute 8 include-in-access-req

B. ip device tracking

C. dot1x system-auth-control

D. radius server vsa send authentication

E. aaa authorization auth-proxy default group radius

A

B. ip device tracking

C. dot1x system-auth-control

D. radius server vsa send authentication

Verified, but not sure if it is C or D?