QUESTION 1
An engineer is deploying Cisco ISE in a network that contains existing security products from Cisco and other vendors. One of the requirements from the customer is the ability to support TrustSec and enable the sharing of SGTs and policy objects between Cisco ISE and the other security products in production. Which persona type must be enabled on one of the Cisco ISE nodes in the deployment to support the requirement?
A. SXP
B. Policy Service
C. Identity Mapping
D. pxGrid
Correct Answer: D
QUESTION 2
An administrator must configure Cisco ISE to distribute the Cisco Secure Client to Windows systems. The solution must meet these requirements:
1. Users must install Cisco Secure Client before connecting to the network.
2. User endpoints that do not have Cisco Secure Client installed must be redirected to the Client Provisioning Portal.
These configurations were performed:
1. enabled client provisioning
2. uploaded the Cisco Secure Client package
3. downloaded the Cisco Secure Client compliance module
4. created a native supplicant profile
5. created the Cisco Secure Client configuration
6. created the Client Provisioning Portal
7. created an authorization profile for client provisioning
8. configured authorization policies
Which two actions must be performed in Cisco ISE to distribute Cisco Secure Client and complete the configuration? (Choose two.)
A. Configure client provisioning policies.
B. Configure the BYOD portal.
C. Create an authentication profile.
D. Configure remediation actions.
E. Create a posture profile.
Correct Answer: AE
QUESTION 3
Which two services must the administrator enable on the Cisco ISE deployment to ensure that the endpoint is authenticated, profiled, and added to the appropriate endpoint identity group? (Choose two.)
A. TACACS
B. Session
C. RADIUS
D. Posture
E. Profiling
Correct Answer: BE
QUESTION 4
An engineer troubleshoots a new Central Web Authentication guest WLAN on a Cisco AireOS wireless LAN controller. Users authenticate via a self-registration portal on a Cisco ISE. Guest users report these issues:
1. Users can register successfully but are redirected back to the registration page.
2. If a user registers and manually disconnects a device and then reconnects, the user can access the internet.
What must be configured on the wireless LAN controller?
A. From the RADIUS Authentication Servers settings, set Support for CoA to Enabled.
B. From the guest WLAN security settings, set NAC State to ISE NAC.
C. From the RADIUS Authentication Servers settings, configure a longer Server Timeout.
D. From the guest WLAN security settings, disable MAC filtering.
Correct Answer: A
QUESTION 5
An engineer must deploy a WLAN that supports identity networking. The Cisco wireless LAN controller must be configured to pass the VLAN tag for the client traffic returned from the RADIUs server. Which configuration parameter on the Cisco wireless LAN controller must be enabled to meet the requirement?
A. Allow AAA override
B. Change of Authorization
C. CWA redirect ACL
D. FlexConnect
Correct Answer: A
QUESTION 6
An engineer must configure a new authorization policy in Cisco ISE for wireless users. The policy must match a specific SSID name and use standard RADIUS attributes. The wireless LAN controller was already configured. Which RADIUS attribute must be configured to meet the requirement?
A. Radius:Called-Station-lD
B. Radius:Calling-Station-lD
C. Airespace:Airespace-Wlan-ld
D. Airespace:Airespace-SSID
Correct Answer: A
QUESTION 7
Which two external identity stores are supported by Cisco ISE for password types? (Choose two.)
A. RADIUS Token Server
B. SOL
C. LDAP
D. TACACS+ Token Server
E. OBDC
Correct Answer: AC
QUESTION 8
An engineer must configure a posture policy with Cisco Temporal Agent workflow. Which two configurations must the engineer apply to meet the requirement? (Choose two.)
A. Create the posture condition.
B. Create the posture requirements.
C. Configure the Secure Client Posture module.
D. Configure client provisioning resources.
E. Configure the client provisioning policy.
Correct Answer: BE
QUESTION 9
What is the default port used by Cisco ISE for NetFlow version 9 probe?
A. UDP 9996
B. UDP 9997
C. UDP 9998
D. UDP 9999
Correct Answer: A
QUESTION 10
Which Cisco ISE feature enables administrators to enroll a certificate to an endpoint without the need for an external PKI?
A. ISE Internal CA
B. Guest Access
C. Posture Assessment
D. Endpoint Identity Service
Correct Answer: A
QUESTION 11
An engineer must provide network access using a Cisco ISE policy that matches the identity group of endpoints unrecognized by any Cisco ISE profilers and manually adds the endpoints to a new identity group named legacy devices. These configurations were performed on the new endpoint page:
1. configured profiling policy
2. configured the legacy devices identity group
What must be configured next to complete the configuration?
A. endpoint description
B. endpoint operating system
C. endpoint MAC address
D. endpoint device name
Correct Answer: C
QUESTION 12
An administrator must enable helpdesk users to view users’ information on wireless LAN controllers in a Cisco ISE environment. The solution must meet these requirements:
1. Authenticate the helpdesk users against the local ISE database.
2. Allow the helpdesk users to access the Monitor tab for the WLC.
These configurations were performed:
1. added a wireless LAN controller
2. configured user accounts
3. enabled Device Admin Service in Cisco ISE
4. configured a TACACS profile
5. configured a policy set
6. configured an authentication policy
7. configured an authorization policy
Which two actions must be taken in Cisco ISE? (Choose two.)
A. Configure TACACS command sets.
B. Configure an identity group.
C. Configure an authentication profile.
D. Assign the Wireless role in the TACACS profile.
E. Assign the Monitor role in the TACACS profile.
Correct Answer: DE
QUESTION 13
An engineer is assigned to enhance security across the campus network. The task is to enable MAB across all access switches in the network. Which command must be entered on the switch to enable MAB?
A. Switch# authentication port-control auto
B. Switch(config)# mab
C. Switch(config-if)# mab
D. Switch(config)# authentication port-control auto
Correct Answer: C
QUESTION 14
An engineer is deploying Cisco ISE in a network that contains an existing Cisco Secure Firewall ASA. The customer requested that Cisco TrustSec be configured so that Cisco ISE and the firewall can share SGT information. Which protocol must be configured on Cisco ISE to meet the requirement?
A. RADIUS
B. pxGrid
C. PAC
D. SXP
Correct Answer: D
QUESTION 15
A network security administrator wants to integrate Cisco ISE with Active Directory. Which configuration action must the security administrator take to accomplish the task?
A. Remove the ISE machine account from the domain.
B. Remove Cisco ISE user account from the domain.
C. Search Active Directory to see if admin user account exists
D. Join Cisco ISE to the Active Directory domain.
Correct Answer: D
QUESTION 16
An administrator must onboard MacOS endpoints that connect to Cisco switches using the BYOD portal in Cisco ISE. The authentication method must be configured to meet these requirements:
1. Cisco ISE identifies itself by providing its identity certificate to the endpoint.
2. The endpoint validates the Cisco ISE identity certificate.
3. The endpoint provides its endpoint identity certificate, signed by Cisco ISE, to Cisco ISE.
4. Cisco ISE confirms the endpoint certificate validity, and the endpoint is authorized onto the network.
Which protocol must be configured?
A. EAP-TLS
B. EAP-FAST
C. EAP-TTLS
D. EAP-GTC
Correct Answer: A
QUESTION 17
Which component of the 802.1X authentication process provides the identity credentials and communicates using EAP at Layer 2?
A. authenticator
B. supplicant
C. authentication database
D. authentication server
Correct Answer: B
QUESTION 18
An engineer is deploying Cisco ISE into an existing wireless environment for a hospital. The requirement from the customer is that the WLC use Cisco ISE for Central Web Authentication. The company also has a Cisco MSE that is used with the WLC to restrict access to patient records over wireless to the room of the patient only. Which option must be selected in the Authorization Profile on Cisco ISE to support the integration?
A. MAP Location
B. Track Movement
C. Service Template
D. Access Type
Correct Answer: B
QUESTION 19
An engineer is configuring a new Cisco ISE node. Context-sensitive information must be shared between the Cisco ISE and a Cisco ASA. Which persona must be enabled?
A. Administration
B. Policy Service
C. pxGrid
D. Monitoring
Correct Answer: C
QUESTION 20
What is a difference between RADIUS compared to TACACS+?
A. RADIUS has multiprotocol support, and TACACS+ supports only IP.
B. RADIUS uses UDP ports 1812 and 1813, and TACACS+ uses UDP ports 1645 and 1646.
C. RADIUS separates AAA, and TACACS+ combines authentication and authorization.
D. RADIUS encrypts passwords only, and TACACS+ encrypts all packets.
Correct Answer: D
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.