CCNP 300-715 SISE 1 to 50 Q
Title of test: CCNP 300-715 SISE 1 to 50 Q
Description: Cisco CCNP 300-715 SISE exam, questions 1 to 50 of 250



Q1. An engineer is designing a BYOD environment utilizing Cisco ISE for devices that do not support native supplicants. Which portal must the security engineer configure to accomplish this task?
- A. Client Provisioning
- B. MDM
- C. My Devices
- D. BYOD

Q2. An organization wants to enable web-based guest access for both employees and visitors. The goal is to use a single portal for both user types. Which two authentication methods should be used to meet this requirement? (Choose two.)
- A. 802.1X
- B. LOCAL
- C. MAC-based
- D. LDAP
- E. Certificate-based

Q3. A network administrator is configuring a secondary Cisco ISE node from the backup configuration of the primary Cisco ISE node to create a high availability pair. The Cisco ISE CA certificates and keys must be manually backed up from the primary Cisco ISE and copied into the secondary Cisco ISE. Which command must be issued for this to work?
- A. import certificate ise
- B. copy certificate ise
- C. application configure ise
- D. certificate configure ise

Q4. An administrator is troubleshooting an endpoint that is supposed to bypass 802.1X and use MAB. The endpoint is bypassing 802.1X and successfully getting network access using MAB, however the endpoint cannot communicate because it cannot obtain an IP address. What is the problem?
- A. An ACL on the port is blocking HTTP traffic.
- B. The 802.1X timeout period is too long.
- C. The endpoint is using the wrong protocol to authenticate with Cisco ISE.
- D. The DHCP probe for Cisco ISE is not working as expected.

Q5. An engineer deploys Cisco ISE and must configure Active Directory to then use information from Active Directory in an authorization policy. Which two components must be configured, in addition to Active Directory groups, to achieve this goal? (Choose two.)
- A. Active Directory External Identity Sources
- B. Identity Source Sequences
- C. Library Condition for External Identity: External Groups
- D. LDAP External Identity Sources
- E. Library Condition for Identity Group: User Identity Group

Q6. An engineer tests Cisco ISE posture services on the network and must configure the compliance module to automatically download and install on endpoints. Which action accomplishes this task for VPN users?
- A. Configure the compliance module to be downloaded from within the posture policy.
- B. Create a Cisco AnyConnect configuration and Client Provisioning policy within Cisco ISE.
- C. Push the compliance module from Cisco FTD prior to attempting posture.
- D. Use a compound posture condition to check for the compliance module and download, if needed.

Q7. An administrator is configuring a Cisco WLC for web authentication. Which two client profiling methods are enabled by default if the Apply Cisco ISE Default Settings check box has been selected? (Choose two.)
- A. DHCP
- B. SNMP
- C. LLDP
- D. HTTP
- E. CDP

Q8. An engineer is configuring sponsored guest access and needs to limit each sponsored guest to a maximum of two devices. There are other guest services in production that rely on the default guest types. How should this configuration change be made without disrupting the other guest services currently offering three or more guest devices per user?
- A. Create an ISE identity group to add users to and limit the number of logins via the group configuration.
- B. Create a new sponsor group and adjust the settings to limit the devices for each guest.
- C. Create a new guest type and set the maximum number of devices sponsored guests can register.
- D. Create an LDAP login for each guest and tag that in the guest portal for authentication.

Q9. An administrator needs to allow guest devices to connect to a private network without requiring usernames and passwords. Which two features must be configured to allow for this? (Choose two.)
- A. self-registered guest portal
- B. device registration WebAuth
- C. hotspot guest portal
- D. local WebAuth
- E. central WebAuth

Q10. A network administrator must configure endpoints using an 802.1X authentication method with EAP identity certificates that are provided by the Cisco ISE. When the endpoint presents the identity certificate to Cisco ISE to validate the certificate, endpoints must be authorized to connect to the network. Which EAP type must be configured by the network administrator to complete this task?
- A. EAP-TTLS
- B. EAP-TLS
- C. EAP-PEAP-MSCHAPv2
- D. EAP-FAST

Q11. An engineer is configuring Cisco ISE policies to support MAB for devices that do not have 802.1X capabilities. The engineer is configuring new endpoint identity groups as conditions to be used in the AuthZ policies, but noticed that the endpoints are not hitting the correct policies. What must be done in order to get the devices into the right policies?
- A. Identify the non 802.1X supported device types and create custom profiles for them to profile into.
- B. Create an AuthZ policy to identify Unknown devices and provide partial network access prior to profiling.
- C. Add an identity policy to dynamically add the IP address of the devices to their endpoint identity groups.
- D. Manually add the MAC addresses of the devices to endpoint ID groups in the context visibility database.

Q12. An engineer is configuring a dedicated SSID for onboarding devices. Which SSID type accomplishes this configuration?
- A. broadcast
- B. dual
- C. guest
- D. hidden

Q13. An engineer is implementing network access control using Cisco ISE and needs to separate the traffic based on the network device ID and use the IOS device sensor capability. Which probe must be used to accomplish this task?
- A. HTTP probe
- B. NetFlow probe
- C. network scan probe
- D. RADIUS probe

Q14. An engineer builds a five-node distributed Cisco ISE deployment. The first two deployed nodes are responsible for the primary and secondary administration and monitoring personas. Which persona configuration is necessary to have the remaining three Cisco ISE nodes serve as dedicated nodes responsible only for handling the RADIUS and TACACS+ authentication requests, identity lookups, and policy evaluation?
- A. Roles: Admin, Monitor, PSN
- B. Roles: PSN only
- C. Roles: Monitor, PSN

Q15. A laptop was stolen and a network engineer added it to the block list endpoint identity group. What must be done on a new Cisco ISE deployment to redirect the laptop and restrict access?
- A. Ensure that access to port 8444 is allowed within the ACL.
- B. Select DenyAccess within the authorization policy.
- C. Select DROP under If Auth fail within the authentication policy.
- D. Ensure that access to port 8443 is allowed within the ACL.

Q16. While configuring Cisco TrustSec on Cisco IOS devices, the engineer must set the CTS device ID and password in order for the devices to authenticate with each other. However, after this is complete, the devices are not able to properly authenticate. What issue would cause this to happen even if the device ID and passwords are correct?
- A. EAP-FAST is not enabled.
- B. The devices are missing the configuration cts credentials trustsec verify 1.
- C. The device aliases are not matching.
- D. The SGT mappings have not been defined.

Q17. An administrator is adding network devices for a new medical building into Cisco ISE. These devices must be in a network device group that is identifying them as "Medical Switch" so that the policies can be made separately for the endpoints connecting through them. Which configuration item must be changed in the network device within Cisco ISE to accomplish this goal?
- A. Change the device location to Medical Switch.
- B. Change the device profile to Medical Switch.
- C. Change the model name to Medical Switch.
- D. Change the device type to Medical Switch.

Q18. An administrator has added a new Cisco ISE PSN to their distributed deployment. Which two features must the administrator enable to accept authentication requests and profile the endpoints correctly, and add them to their respective endpoint identity groups? (Choose two.)
- A. Radius Service
- B. Endpoint Attribute Filter
- C. Session Services
- D. Posture Services
- E. Profiling Services

Q19. An administrator is configuring Cisco ISE to authenticate users logging into network devices using TACACS+. The administrator is not seeing any of the authentication in the TACACS+ live logs. Which action ensures the users are able to log into the network devices?
- A. Enable the device administration service in the Administration persona.
- B. Enable the session services in the Administration persona.
- C. Enable the device administration service in the PSN persona.
- D. Enable the service sessions in the PSN persona.

Q20. Which compliance status is set when a matching posture policy has been defined for that endpoint, but all the mandatory requirements during posture assessment are not met?
- A. unauthorized
- B. untrusted
- C. non-compliant
- D. unknown

Q21. An engineer has been tasked with standing up a new guest portal for customers that are waiting in the lobby. There is a requirement to allow guests to use their social media logins to access the guest network to appeal to more customers. What must be done to accomplish this task?
- A. Create a sponsor portal to allow guests to create accounts using their social media logins.
- B. Create a sponsored guest portal and enable social media in the external identity sources.
- C. Create a hotspot portal and enable social media login for network access.
- D. Create a self-registered guest portal and enable the feature for social media logins.

Q23. [IMAGE] An administrator is manually adding a device to a Cisco ISE identity group to ensure that it is able to access the network when needed without authentication. Upon testing, the administrator notices that the device never hits the correct authorization policy line using the condition EndPoints-LogicalProfile EQUALS static_list. Why is this occurring?
- A. The dynamic logical profile is overriding the statically assigned profile.
- B. The device is changing identity groups after profiling instead of remaining static.
- C. The identity group is being assigned instead of the logical profile.
- D. The logical profile is being statically assigned instead of the identity group.

Q24. [IMAGE] Refer to the exhibit. Which two configurations are needed on a Catalyst switch to add it as a network access device in a Cisco ISE that is being used for 802.1X authentications? (Choose two.)
- A. tacacs server ISE1 key 7 XXXXX address ipv4 192.168.255.19 auth-port 1645 acct-port 1646
- B. radius server ISE1 key 7 XXXXX address ipv4 192.168.255.16 auth-port 1645 acct-port 1646
- C. radius server ISE1 key 7 XXXXX address ipv4 192.168.255.18 auth-port 1645 acct-port 1646
- D. radius server ISE1 key 7 XXXXX address ipv4 192.168.255.17 auth-port 1645 acct-port 1646
- E. tacacs server ISE1 key 7 XXXXX address ipv4 192.168.255.15 auth-port 1645 acct-port 1646

Q25. A Cisco ISE administrator needs to ensure that guest endpoint registrations are only valid for 1 day. When testing the guest policy flow, the administrator sees that the Cisco ISE does not delete the endpoint in the GuestEndpoints identity store after 1 day and allows access to the guest network after that period. Which configuration is causing this problem?
- A. The Endpoint Purge Policy is set to 30 days for guest devices.
- B. The length of access is set to 7 days in the Guest Portal Settings.
- C. The Guest Account Purge Policy is set to 15 days.
- D. The RADIUS policy set for guest access is set to allow repeated authentication of the same device.

Q26. An organization is adding nodes to their Cisco ISE deployment and has two nodes designated as primary and secondary PAN and MnT nodes. The organization also has four PSNs. An administrator is adding two more PSNs to this deployment but is having problems adding one of them. What is the problem?
- A. One of the new nodes must be designated as a pxGrid node.
- B. Only five PSNs are allowed to be in the Cisco ISE cube if configured this way.
- C. The current PAN is only able to track a max of four nodes.
- D. The new nodes must be set to primary prior to being added to the deployment.

Q27. An engineer is configuring Cisco ISE for guest services. They would like to have any unregistered guests redirected to the guest portal for authentication, then have a CoA provide them with full access to the network that is segmented via firewalls. Why is the given configuration failing to accomplish this goal?
- A. The Network_Access_Authentication_Passed condition will not work with guest services for portal access.
- B. The Guest Flow condition is not in the line that gives access to the guest portal.
- C. The Guest Portal and Guest Access policy lines are in the wrong order.
- D. The Permit Access result is not set to restricted access in its policy line.

Q28. What is a difference between TACACS+ and RADIUS in regards to encryption?
- A. TACACS+ encrypts the password, whereas RADIUS sends the entire packet in clear text.
- B. TACACS+ encrypts only the password, whereas RADIUS encrypts the username and password.
- C. TACACS+ encrypts the entire packet, whereas RADIUS encrypts only the password.
- D. TACACS+ encrypts the username and password, whereas RADIUS encrypts only the password.

Q29. An administrator must block access to BYOD endpoints that were onboarded without a certificate and have been reported as stolen in the Cisco ISE My Devices Portal. Which condition must be used when configuring an authorization policy that sets DenyAccess permission?
- A. Endpoint Identity Group is Blocklist, and the BYOD state is Reinstate.
- B. Endpoint Identity Group is Blocklist, and the BYOD state is Pending.
- C. Endpoint Identity Group is Blocklist, and the BYOD state is Registered.
- D. Endpoint Identity Group is Blocklist, and the BYOD state is Lost.

Q30. The security team wants to secure the wired network. A legacy printer on the network does not support 802.1X. Which setting must be enabled in the Allowed Authentication Protocols list in your Authentication Policy for Cisco ISE to support MAB for this MAC address?
- A. MS-CHAPv2
- B. PAP
- C. EAP-TLS
- D. Process Host Lookup

Q31. An engineer needs to configure Cisco ISE Profiling Services to authorize network access for IP speakers that require access to the intercom system. This traffic needs to be identified if the ToS bit is set to 5 and the destination IP address is the intercom system. What must be configured to accomplish this goal?
- A. NETFLOW
- B. pxGrid
- C. NMAP
- D. RADIUS

Q32. An engineer is unable to use SSH to connect to a switch after adding the required CLI commands to the device to enable TACACS+. The device administration license has been added to Cisco ISE, and the required policies have been created. Which action is needed to enable access to the switch?
- A. The switch needs to be added as a network device in Cisco ISE and set to use TACACS+.
- B. The ip ssh source-interface command needs to be set on the switch.
- C. The RSA keypair used for SSH must be regenerated after enabling TACACS+.
- D. 802.1X authentication needs to be configured on the switch.

Q33. Which type of identity store allows for creating single-use access credentials in Cisco ISE?
- A. Local
- B. PKI
- C. RSA SecurID
- D. OpenLDAP

Q34. What is a difference between RADIUS and TACACS+?
- A. RADIUS combines authentication and authorization functions, and TACACS+ separates them.
- B. RADIUS supports command accounting, and TACACS+ does not.
- C. RADIUS uses connection-oriented transport, and TACACS+ uses best-effort delivery.
- D. RADIUS offers multiprotocol support, and TACACS+ supports only IP traffic.

Q35. What are two differences of TACACS+ compared to RADIUS? (Choose two.)
- A. TACACS+ encrypts the full packet payload, whereas RADIUS only encrypts the password.
- B. TACACS+ uses a connection-oriented transport protocol, whereas RADIUS uses a connectionless transport protocol.
- C. TACACS+ uses a connectionless transport protocol, whereas RADIUS uses a connection-oriented transport protocol.
- D. TACACS+ only encrypts the password, whereas RADIUS encrypts the full packet payload.
- E. TACACS+ supports multiple sessions per user, whereas RADIUS supports one session per user.

Q36. A user changes the status of a device to stolen in the My Devices Portal of Cisco ISE. The device was originally onboarded in the BYOD wireless Portal without a certificate. The device is found later, but the user cannot re-onboard the device because Cisco ISE assigned the device to the Blocklist endpoint identity group. What must the user do in the My Devices Portal to re-onboard?
- A. Manually remove the device from the Blocklist endpoint identity group.
- B. Delete the device, and then re-add the device.
- C. Change the device state from Stolen to Not Registered.
- D. Change the BYOD registration attribute of the device to None.

Q37. Which Cisco ISE solution ensures endpoints have the latest version of antivirus updates installed before being allowed access to the corporate network?
- A. Profiling Services
- B. Provisioning Services
- C. Posture Services
- D. Threat Services

Q38. An engineer needs to configure a Cisco ISE server to issue a CoA for endpoints already authenticated to access the network. The CoA option must be enforced on a session, even if there are multiple active sessions on a port. What must be configured to accomplish this task?
- A. the Port Bounce CoA option in the Cisco ISE system profiling settings enabled
- B. an endpoint profiling policy with the No CoA option enabled
- C. the Reauth CoA option in the Cisco ISE system profiling settings enabled
- D. an endpoint profiling policy with the Port Bounce CoA option enabled

Q39. An engineer is configuring static SGT classification. Which configuration should be used when authentication is disabled and third-party switches are in use?
- A. VLAN to SGT mapping
- B. L3IF to SGT mapping
- C. IP Address to SGT mapping
- D. Subnet to SGT mapping

Q40. An ISE administrator must change the inactivity timer for MAB endpoints to terminate the authentication session whenever a switch port that is connected to an IP phone does not detect packets from the device for 60 minutes. Which action must be taken to accomplish this task?
- A. Add the authentication timer reauthenticate server command to the switchport.
- B. Configure the session-timeout to be 3600 seconds on Cisco ISE.
- C. Change the idle-timeout on the Radius server to 3600 seconds for IP Phone endpoints.
- D. Add the authentication timer inactivity 3600 command to the switchport.

Q41. An engineer is testing low-impact mode for a phased deployment of Cisco ISE. Which type of traffic is denied when a host tries to connect to the network prior to authentication?
- A. EAP
- B. HTTP
- C. DHCP
- D. DNS

Q42. A security administrator is using Cisco ISE to create a BYOD onboarding solution for all employees who use personal devices on the corporate network. The administrator generates a Certificate Signing Request and signs the request using an external Certificate Authority server. Which certificate usage option must be selected when importing the certificate into ISE?
- A. DTLS
- B. RADIUS
- C. Portal
- D. Admin

Q43. Which two actions must be verified to confirm that the internet is accessible via guest access when configuring a guest portal? (Choose two.)
- A. Cisco ISE sends a CoA upon successful guest authentication.
- B. The guest device can connect to network file shares.
- C. The guest device has internal network access on the WLAN.
- D. The guest user gets redirected to the authentication page when opening a browser.
- E. The guest device successfully associates with the correct SSID.

Q44. Refer to the exhibit. Which checkbox must be enabled to allow Cisco ISE to publish group membership information for active users that can be shared with Cisco Firepower devices?
- A. Enable Passive Identity Service
- B. Enable SXP Service
- C. Enable Device Admin Service
- D. pxGrid

Q45. An administrator must enable scanning for specific endpoints when they attempt to access the network. The scanning must be triggered as a result of successful authentication. Which action accomplishes this task?
- A. Modify the authorization policy to send init_endpoint_scan as a result to the authenticator.
- B. Configure the endpoint scanning probe to profile the endpoint correctly and assign it a risk score.
- C. Add an entry in the authentication conditions to allow only scanned endpoints access, then redirect everything else to the portal.
- D. Create an authorization profile with scanning enabled and add it to the authorization policy that the endpoints will hit.

Q46. An engineer is configuring a new Cisco ISE node. The Device Admin service must run on this node to handle TACACS+ requests. Which persona must be enabled?
- A. pxGrid
- B. Administration
- C. Policy Service
- D. Monitoring

Q47. A network engineer is attempting to terminate and reinitialize wireless user sessions individually using the Live Sessions tab in Cisco ISE. ISE and WLC are separated by a firewall. Which port must be allowed?
- A. TCP/8443
- B. TCP/3791
- C. UDP/1700
- D. UDP/5246

Q48. To propagate SGTs inline with TrustSec, which CLI command globally enables tagging on a switch?
- A. cts role-based enforcement
- B. cts sxp enable
- C. cts role-based sgt-map
- D. cts manual

Q49. Endpoint profiling must trigger CoA when the profile changes. Which two actions are required? (Choose two.)
- A. Ensure that the firewall is not blocking port 1700.
- B. Use an API to detect profile changes and instruct ISE to send CoA.
- C. Modify RADIUS endpoint attribute filters to send CoA when profiles change.
- D. Define "reauth" as the default CoA action.
- E. Enable the CoA policy and create rules for each profile.

Q50. In CWA for guest access, when creating the Wired_MAB or Wireless_MAB auth rule, what should 'If user not found' be set to?
- A. CONTINUE
- B. ACCEPT
- C. REJECT
- D. DROP




