QUESTION 181
A network engineer responsible for the switching environment must provision a new switch to properly propagate security group tags within the TrustSec inline method. Which CLI command must the network engineer enter on the switch to globally enable the tagging of SGTs?
A. cts role-based sgt-map
B. cts role-based enforcement
C. cts manual
D. cts sxp enable
Correct Answer: D
QUESTION 182
An administrator is configuring endpoint profiling and needs to enable Co for devices that change profiles. Which two actions must be taken to accomplish this goal? (Choose two.)
A. Ensure that the firewall is not blocking port 1700
B. Modify the RADIUS endpoint attribute filters to send Co actions as the profiles change
C. Use an API to detect when profile changes occur and send instructions to ISE to provide a CoA
D. Define “reauth” in the default Co action to be used
E. Enable the CoA policy and create rules for each type
Correct Answer: AD
QUESTION 183
An engineer is configuring Central Web Authentication in Cisco ISE to provide guest access. When an authentication rule is configured in the Default Policy Set for the Wired_MAB or Wireless_MAB conditions, what must be selected for the ‘if user not found” setting?
A. DROP
B. REJECT
C. ACCEPT
D. CONTINUE
Correct Answer: D
QUESTION 184
An administrator is configuring MAB and needs to create profiling policies to support devices that do not match the built-in profiles. Which two steps must the administrator take in order to use these new profiles in authorization policies? (Choose two.)
A. Use the profiling policies as the matching conditions in each authorization policy
B. Configure the profiling policy to make a matching identity group and use the group in the authorization policy
C. Edit the authorization policy to give the profiles as a result of the authentication and authorization results
D. Modify the endpoint identity group to feed the profiling policies into and match the parent group in the policy
E. Feed the profiling policies into a logical profile and use the logical profile in the authorization policy
Correct Answer: BD
QUESTION 185
An engineer needs to create a Self-Registered Guest Portal in Cisco ISE in which guest users receive their passwords via SMS. Which two settings must be configured to accomplish this task? (Choose two.)
A. Select SMS for the Send Credential upon notification setting under the Login Page Settings.
B. Choose the SMS provider previously configured as a SMS gateway under the Registration Form Settings.
C. Choose the SMS provider previously configured as a SMS gateway under Device Registration Settings.
D. Select SMS for the Send Credential upon notification setting under Registration Form Settings.
E. Select Allow employees to use personal devices and SMS for notifications under BYOD.
Correct Answer: BD
QUESTION 186
A Cisco ISE administrator is setting up Central Web Authentication to be used for user endpoint authentication. The client cannot reach the guest portal to log in and gain access, but DNS is functioning properly and the guest portal is enabled. What else must be configured to gain access?
A. Allow port TCP/8443 on the firewall.
B. Configure HTTP to HTTPS redirection.
C. Allow redirection from any client IP range.
D. Configure the guest portal to listen on TCP/8443.
Correct Answer: C
QUESTION 187
An organization has a SACL locally configured on a switch port, but when a user in the Executives group connects to the network, they receive a different level of network access than expected. When Cisco ISE pushes SGACLs to the switch after the authorization phase, how does the switch decide which access to grant the user?
A. The policies are merged, but local policies receive priority.
B. Local policies override dynamically downloaded policies in all cases.
C. The policies are merged, but dynamically downloaded policies receive priority.
D. Dynamically downloaded policies override local policies in all cases.
Correct Answer: C
QUESTION 188
A client connects to a network and the authenticator device learns the MAC address of this client. After the MAC address is learned, the 802.1x authentication process begins on this port. Which ISE deployment mode restricts all traffic initially, applies a rule for access control if 802.1x authentication is successful, and can be configured to grant only limited access if 802.1x authentication is unsuccessful?
A. monitor mode
B. low-impact mode
C. open mode
D. closed mode
Correct Answer: B
QUESTION 189
An administrator is migrating device administration access to Cisco ISE from the legacy TACACS+ solution that used only privilege 1 and 15 access levels. The organization requires more granular controls of the privileges and wants to customize access levels 2-5 to correspond with different roles and access needs. Besides defining a new shell profile in Cisco ISE, what must be done to accomplish this configuration?
A. Enable the privilege levels in Cisco ISE.
B. Enable the privilege levels in the IOS devices.
C. Define the command privileges for levels 2-5 in the IOS devices.
D. Define the command privileges for levels 2-5 in Cisco ISE.
Correct Answer: C
QUESTION 190
An engineer is creating a new authorization policy to give the endpoints access to VLAN 310 upon successful authentication. The administrator tests the 802.1× authentication for the endpoint and sees that it is authenticating successfully. What must be done to ensure that the endpoint is placed into the correct VLAN?
A. Ensure that the security group is not preventing the endpoint from being in VLAN 310.
B. Configure the switchport access vlan 310 command on the switch port.
C. Ensure that the endpoint is using the correct policy set.
D. Add VLAN 310 in the common tasks of the authorization profile.
Correct Answer: D
QUESTION 191
An administrator is configuring a switch port for use with 802.1X What must be done so that the port will allow voice and multiple data endpoints?
A. Connect a hub to the switch port to allow multiple devices access after authentication.
B. Connect the data devices to the port, then attach the phone behind them.
C. Configure the port with the authentication host-mode multi-auth command.
D. Use the command authentication host-mode multi-domain on the port.
Correct Answer: C
QUESTION 192
A network administrator is currently using Cisco ISE to authenticate devices and users via 802.1X. There is now a need to also authorize devices and users using EAP-TLS. Which two additional components must be configured in Cisco ISE to accomplish this? (Choose two.)
A. Network Device Group
B. Certificate Authentication Profile
C. Common Name attribute that maps to an identity store
D. EAP Authorization Profile
E. Serial Number attribute that maps to a CA Server
Correct Answer: BC
QUESTION 193
Users in an organization report issues about having to remember multiple usernames and passwords. The network administrator wants the existing Cisco ISE deployment to utilize an external identity source to alleviate this issue. Which two requirements must be met to implement this change? (Choose two.)
A. Ensure that the NAT address is properly configured.
B. Provide domain administrator access to Active Directory.
C. Configure a secure LDAP connection.
D. Establish access to one Global Catalog server.
E. Enable IPC access over port 80.
Correct Answer: BD
QUESTION 194
An organization is migrating its current guest network to Cisco ISE and has 1000 guest users in the current database. There are no resources to enter this information into the Cisco ISE database manually. What must be done to accomplish this task efficiently?
A. Use a JSON file to automate the migration of guest accounts
B. Use a CSV file to import the guest accounts.
C. Use an XML file to change the existing format to match that of Cisco ISE
D. Use SQL to link the existing database to Cisco ISE
Correct Answer: B
QUESTION 195
An administrator has added a new Cisco ISE PSN to their distributed deployment. Which two features must the administrator enable to accept authentication requests and profile the endpoints correctly, and add them to their respective endpoint identity groups? (Choose two.)
A. Posture Services
B. Session Services
C. Profiling Services
D. Endpoint Attribute Filter
E. Radius Service
Correct Answer: BC
QUESTION 196
An administrator is configuring Cisco ISE to authenticate users logging into network devices using TACACS+. The administrator is not seeing any of the authentication in the TACACS+ live logs. Which action ensures the users are able to log into the network devices?
A. Enable the device administration service in the PSN persona.
B. Enable the service sessions in the PSN persona.
C. Enable the session services in the Administration persona.
D. Enable the device administration service in the Administration persona.
Correct Answer: A
QUESTION 197
Which compliance status is set when a matching posture policy has been defined for that endpoint, but all the mandatory requirements during posture assessment are not met?
A. non-compliant
B. unknown
C. unauthorized
D. untrusted
Correct Answer: A
QUESTION 198
An engineer has been tasked with standing up a new guest portal for customers that are waiting in the lobby. There is a requirement to allow guests to use their social media logins to access the guest network to appeal to more customers What must be done to accomplish this task?
A. Create a sponsor portal to allow guests to create accounts using their social media logins.
B. Create a self-registered guest portal and enable the feature for social media logins.
C. Create a hotspot portal and enable social media login for network access.
D. Create a sponsored guest portal and enable social media in the external identity sources.
Correct Answer: B
QUESTION 199
A network administrator is setting up wireless guest access and has been unsuccessful in testing client access. The endpoint is able to connect to the SSID but is unable to gain access to the guest network through the guest portal. What must be done to identify the problem?
A. Use the endpoint ID to execute a session trace
B. Use traceroute to ensure connectivity.
C. Use context visibility to verify posture status.
D. Use the ident ty group to validate the authorization rules
Correct Answer: A
QUESTION 200
A Cisco ISE administrator needs to ensure that guest endpoint registrations are only valid for 1 day. When testing the guest policy flow, the administrator sees that the Cisco ISE does not delete the endpoint in the GuestEndpoints identity store after 1 day and allows access to the guest network after that period. Which configuration is causing this problem?
A. The Endpoint Purge Policy is set to 30 days for guest devices.
B. The Guest Account Purge Policy is set to 15 days.
C. The length of access is set to 7 days in the Guest Portal Settings.
D. The RADIUS policy set for guest access is set to allow repeated authentication of the same device.
Correct Answer: A
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.