QUESTION 21
An administrator must configure Cisco ISE to send Co requests to a Cisco switch using SNMP. These configurations were performed:
1. enabled SNMP on the switch
2. added the switch to Cisco ISE
3. configured a network device profile
4. configured the NAD port detection method
5. configured the operation to be performed on the switch port
6. configured an authorization profile
Which two configurations must be performed to send the Co requests? (Choose two.)
A. Configure SNMP authentication in Cisco ISE.
B. Configure a network device group.
C. Configure the switch SNMP settings of the NAD.
D. Configure the SNMP server in Cisco ISE.
E. Select the Co type as SNMP in the network device profile.
Correct Answer: CD
QUESTION 22
An engineer is configuring a new Cisco ISE node. The Cisco ISE must make authorization decisions based on the threat and vulnerability attributes received from the threat and vulnerability adapters. Which persona must be enabled?
A. pxGrid
B. Monitoring
C. Administration
D. Policy Service
Correct Answer: D
QUESTION 23
When creating a policy within Cisco ISE for network access control, the administrator wants to allow different access restrictions based upon the wireless SSID to which the device is connecting. Which policy condition must be used in order to accomplish this?
A. Airespace Airespace-Wlan-ld CONTAINS <SSID Name>
B. DEVICE Device Type CONTAINS <SSID Name>
C. Network Access NetworkDeviceName CONTAINS <SSID Name>
D. Radius Called-Station-ID CONTAINS <SSID Name>
Correct Answer: D
QUESTION 24
An administrator must provide wired network access to unidentified Cisco devices that fail 802.1X authentication. Cisco ISE profiling services must be configured to gather Cisco Discovery Protocol and LLDP endpoint information from a Cisco switch. These configurations were performed:
1. configured switches to accept SNMP queries from Cisco ISE
2. enabled Cisco Discovery Protocol and LLDP on the switches
3. added the switch as a NAD to Cisco ISE
What must be enabled to complete the configuration?
A. SNMP Query probe in Cisco ISE
B. SNMP Trap probe in Cisco ISE
C. SNMP MIBs in Cisco ISE
D. SNMP traps on the switch
Correct Answer: A
QUESTION 25
A network administrator adds network access devices to Cisco ISE. After a security breach, the management team mandates that all network devices must comply with certain standards. All network devices must authenticate through Cisco ISE. Some devices use nondefault CoA ports. What must be configured in Cisco ISE?
A. network device profile with a port specified
B. network device with a port specified
C. network access manager with a port specified
D. network device group with a port specified
Correct Answer: A
QUESTION 26
Which two VMware features are supported on a Cisco ISE virtual appliance? (Choose two.)
A. VM hardware version 7+
B. multivendor integration
C. OVF support
D. VM cold migration
E. VM snapshots
Correct Answer: CE
QUESTION 27
The Cisco Wireless LAN Controller and guest portal must be set up in Cisco ISE. These configurations were performed:
1. configured all the required Cisco Wireless LAN Controller configurations
2. added the wireless controller to Cisco ISE network devices
3. created an endpoint identity group
4. configured credentials to be sent by email
5. configured the SMTP server
6. configured an authorization profile with redirection to the guest portal and redirected the access control list
7. configured an authentication policy for MAB users
8. created an authorization policy
Which two components must be created to complete the configuration? (Choose two.)
A. sponsor group
B. sponsor portal
C. self-registered guest portal
D. guest type
E. hotspot guest portal
Correct Answer: CD
QUESTION 28
An administrator is deploying IOT connector that requires network access. New custom profiling policy must be configured in Cisco ISE in order to properly profile the connector. Which condition must be configured to meet the requirement?
A. DHCP_dhepCacheDevicelD_CONTAINS_<MAC ADDRESS>
B. MAC_OUI_ENDSWITH_<MAC ADDRESS>
C. MAC_MACAddress_CONTAINS_<MAC ADDRESS>
D. Radius_Called_Station-ID_ENDSSWITH_<MAC ADDRESS>
Correct Answer: D
QUESTION 29
Wireless network users authenticate to Cisco ISE using 802.1X through a Cisco Catalyst switch. An engineer must create an updated configuration to assign a security group tag to the user’s traffic using inline tagging to prevent unauthenticated users from accessing a restricted server. The configurations were performed:
1. configured Cisco ISE as a Cisco TrustSec AAA server
2. configured the switch as a RADIUS device in Cisco ISE
3. configured the wireless LAN controller as a TrustSec device in Cisco ISE
4. created a security group tag for the wireless users
5. created a certificate authentication profile
6. created an identity source sequence
7. assigned an appropriate security group tag to the wireless users
8. defined security group access control lists to specify an egress policy
9. enforced the access control lists on the TrustSec policy matrix in Cisco ISE
10. configured TrustSec on the switch
11. configured TrustSec on the wireless LAN controller
Which two actions must be taken to complete the configuration? (Choose two.)
A. Configure Security Group Tag Exchange Protocol on the wireless LAN controller.
B. Configure Security Group Tag Exchange Protocol on the switch.
C. Configure Security Group Tag Exchange Protocol to distribute IP to security group tags on Cisco ISE
D. Configure inline tag propagation on the switch and wireless LAN controller.
E. Create static IP-to-SGT mapping for the restricted web server.
Correct Answer: DE
QUESTION 30
What is the Microsoft security policy recommendation for fast user switching in Cisco ISE?
A. Enable Cisco Secure Client posture agent.
B. Disable fast user switching.
C. Disable BOYD posture agent.
D. Enable fast user switching.
Correct Answer: B
QUESTION 31
A network engineer must define a Redirect ACL on a Cisco Wireless LAN Controller. The ACL must force unknown users to authenticate via a captive portal located on a Cisco ISE PSN on another network segment separated by a firewall. Which port must be permitted in the firewall to allow traffic between the Cisco Wireless LAN Controller and Cisco ISE?
A. TCP port 8445
B. UDP port 1812
C. TCP port 8443
D. UDP port 1645
Correct Answer: C
QUESTION 32
An engineer is configuring a new secure WLAN on a Cisco AireOS wireless LAN controller that has user authentication performed on a standalone Cisco IS instance. The engineer wants to collect User-Agent attributes from the ISE for each user session on the secure WLAN. Which two configurations must be performed on the WLAN? (Choose two.)
A. Set DHCP Addr. Assignment to Required.
B. Set Aironet IE to Enabled.
C. Enable RADIUS-based HTTP profiling.
D. Enable local-based DHCP profiling.
E. Enable RADIUS-based DHCP profiling.
Correct Answer: CE
QUESTION 33
An engineer must onboard secure Windows 11 laptops of directors on the BYOD portal by using Cisco ISE. Corporate security policies require the Cisco ISE internal CA to use an ECC certificate rather than the standard RSA certificate. What must be configured in Cisco ISE?
A. Windows 11 laptop with an ECC certificate as the minimal requirement
B. key type of ECC in the Cisco ISE internal CA settings
C. key type of ECC on the Cisco ISE EAP authentication certificate template
D. key type of ECC in the Cisco ISE system certificates
Correct Answer: B
QUESTION 34
What is a difference between TACACS+ and RADIUS protocol traffic?
A. TACAS+ encrypts passwords only, and RADIUS encrypts the entire packet payload.
B. TACACS+ uses UDP at the transport layer, and RADIUS uses TCP at the transport layer.
C. TACACS+ supports IP traffic only at the network layer, and RADIUS supports multiple protocols.
D. TACACS+ separates each AAA function, and RADIUS combines authentication and authorization.
Correct Answer: D
QUESTION 35
An engineer must use Cisco ISE to provide network access to endpoints that cannot support 802.1X. The endpoint MAC addresses must be allowlisted by configuring an endpoint identity group. These configurations were performed:
1. configured an identity group named allowlist
2. configured the endpoints to use the MAC address of incompatible 802.1X devices
3. added the endpoints to the allowlist identity group
4. configured an authentication policy for MAB users
What must be configured?
A. authorization policy that has the PermitAccess permission and matches the allowlist identity group
B. authentication profile that has the PermitAccess permission and matches the allowlist identity group
C. logical profile that matches the allowlist identity group based on the configured policy
D. authorization profile that has the PermitAccess permission and matches the allowlist identity group
Correct Answer: A
QUESTION 36
An administrator is responsible for configuring network access for a temporary network printer. The administrator must only use the printer MAC address AB for authentication. Which authentication method will accomplish the task?
A. Posturing
B. 802.1X
C. Profiling
D. MAB
Correct Answer: D
QUESTION 37
An administrator is editing a csv list of endpoints and wants to reprofile some of the devices indefinitely before importing the list into Cisco ISE. Which field and Boolean value must be changed for the devices before the list is reimported?
A. Identity Group Assignment field and Static Assignment field set to the value TRUE
B. Policy Assignment field and Static Assignment field set to the value FALSE
C. Identity Group Assignment field and Static Assignment field set to the value FALSE
D. Policy Assignment field and Static Assignment field set to the value TRUE
Correct Answer: A
QUESTION 38
Which default “guest type” is included with Cisco ISE?
A. visitors
B. sponsor
C. contractor
D. guest
Correct Answer: C
QUESTION 39
What is a difference between RADIUS versus TACACS+ with regards to packet encryption?
A. RADIUS encrypts the entire body of the packet, and TACACS+ encrypts the username and password in the access-request packet.
B. TACACS+ encrypts the entire body of the packet, and RADIUS encrypts only the password in the access-request packet.
C. RADIUS encrypts the entire body of the packet, and TACACS+encrypts only the password in the access-request packet.
D. TACACS+ encrypts the entire body of the packet, and RADIUS encrypts the username and password in the access-request packet.
Correct Answer: B
QUESTION 40
A Cisco ISE administrator must authenticate users against Microsoft Active Directory. The solution must meet these requirements:
1. Users and computers must be authenticated.
2. User groups must be retrieved during authentication.
Which protocol must be added to the allowed protocols on the policy to authenticate the users?
A. MS-CHAPv2
B. EAP-TLS
C. EAP-GTC
D. LEAP
Correct Answer: B
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.