SISE 300-715 - 2.0 Policy Enforcement

Question 1

What is the GUI path to configure Certificate Management?

Answer 1

Administration > System > Certificates

Question 2

CSR

Answer 2

Certificate Signing Request
ISE can generate a Base-64 encoded certificate request which is used to request a signed certificate from a certificate authority.

Question 3

What is the GUI path to configure External Identity Sources?

Answer 3

Administration > Identity Management > External Identity Sources

Question 4

What is the GUI path to configure Certificate Authentication Profiles?

Answer 4

Administration > Identity Management > External Identity Management > Certificate Authorization Profile

Question 5

CAP

Answer 5

Certificate Authentication Profile
Used by ISE as the identity source for certificate-based authentications. It defines which field of an x.509 certificate will be the Principle Username x.509 Attribute.

Question 6

What are the four authorization host modes?

Answer 6

Single-Host Mode
Multidomain Authentication Host Mode
Multi-Authentication Host Mode
Multihost Mode

Question 7

Single-Host Mode

Answer 7

An interface configured for authentication in single-host mode will allow only a single device to be authentication onto the network at a time. If multiple devices are detected on the interface, the switch will put the interface into an err-disabled state.

Question 8

Multidomain Authentication Host Mode

Answer 8

This host mode was created specifically for IP telephony. Multidomain authentication allows one device to connect to each of the two switchport domains – one device can connect to the DATA domain, and one device can connect to the VOICE domain.

Question 9

Multi-Authentication Host Mode

Answer 9

Multiple hosts are individually authenticated onto the network. This host mode is used when there are multiple devices connecting to a single shared interface through a hub or bridge such as an unmanaged switch. Authorized devices are allowed onto the network as normal; packets from unauthorized devices are dropped and the interface remains in the connected state. This allows each device to be granted a specific VLAN ID according to its endpoint identity profile configured in ISE.

Question 10

Multihost Mode

Answer 10

The first device to the network will be submitted to ISE for authentication. If that device is authenticated, then the interface will allow multiple other devices to access the network without requiring separate authentication of each device. All connected devices will share the VLAN ID of the authenticated device.

Question 11

What is the interface configuration command to enable MAB?

Answer 11

mab

Question 12

What is the interface configuration command to enable authentication?

Answer 12

authentication port-control auto

Question 13

What is the interface configuration command to specify and authentication method order?

Answer 13

authentication order [method_1] [method_2] etc…

Applicable methods include dot1x and mab.

Question 14

What is the interface configuration command to specify the authentication host mode?

Answer 14

authentication host-mode [type]

Applicable host-mode types are multi-auth, multi-domain, multi-host, and single-host.

Question 15

What is the privileged command to view authentication sessions on a specific interface?

Answer 15

show authentication sessions interface [type][number]

i.e., show auth sess int gi4/0/8

Question 16

What is the privileged command to view authentication session details for a specific MAC address?

Answer 16

show authentication sessions mac [mac_addr] details

Question 17

OCSP

Answer 17

Online Certificate Status Protocol
A protocol which can be used by ISE to get near-real time updates of X.509 certificate status changes from the issuing certificate authority (CA). Created as an alternative to Certificate Revocation Lists (CRLs). OCSP messages are typically communicated over HTTP.

Question 18

What two methods can ISE use to verify the revocation status of a certificate?

Answer 18

Certificate Revocation Lists, and

Online Certificate Status Protocol

Question 19

When presented with a certificate from an endpoint which was issued by a subordinate CA, which CA does ISE trust?

Answer 19

x.509 certificates provide a hierarchy which enables scale deployments. A certificate authority can belong to a full tree of CAs, all stemming from the root CA.
With a properly configured hierarchical certificate authority structure, ISE will trust all CAs in the path.

Question 20

What is the GUI path to configure Network Device Groups?

Answer 20

Administration > Network Resources > Network Device Groups

Question 21

What is the GUI path to configure Network Devices?

Answer 21

Administration > Network Resources > Network Devices

Question 22

NAD

Answer 22

Network Access Device
NADs include switches, wireless LAN controllers, and VPN concentrators. They are used to enforce ISE policies on endpoints.

Question 23

NDG

Answer 23

Network Device Group
A logical grouping of Network Access Devices by type, location, deployment stage, or any other logical grouping an organization might want.

Question 24

What is the GUI path to configure Local User Identity Groups?

Answer 24

Administration > Identity Management > Groups > User Identity Groups

Question 25

What is the GUI path to configure Local Endpoint Groups?

Answer 25

Administration > Identity Management > Groups > Endpoint Identity Groups

Question 26

What is the GUI path to configure Local Users?

Answer 26

Administration > Identity Management > Identities > Users

Question 27

What is the GUI path to configure Active Directory as an External Identity Source?

Answer 27

Administration > Identity Management > External Identity Sources > Active Directory