QUESTION 61
A network engineer is configuring a Cisco Wireless LAN Controller in order to find out more information about the devices that are connecting. This information must be sent to Cisco ISE to be used in authorization policies for profling. Which protocol must be configured in the Cisco Wireless LAN Controller to accomplish this task?
A. CDP
B. DNS
C. DHCP
D. ICMP
Correct Answer: C
QUESTION 62
An administrator must restrict access to the IP address of an application based on the browser version of the endpoint. Cisco ISE profiling services and guest portal access must be configured to capture the user-agent information of the endpoint from a Cisco switch using the Device Sensor feature. These configurations were performed:
1. added the switch to Cisco ISE
2. configured device sensor on the switch
3. enabled Cisco ISE portal access
4. configured the user endpoint to connect to the Cisco ISE portal
Which type of probe must be enabled next to complete the configuration?
A. DHCP
B. RADIUS
C. SNMP
D. NetFlow
Correct Answer: B
QUESTION 63
An engineer is configuring a Sponsor portal in Cisco ISE. The authentication flow must go to an external source that uses Kerberos. Which type of external database must be used to meet the requirement?
A. SAML
B. LDAP
C. RADIUS
D. Active Directory
Correct Answer: D
QUESTION 64
An engineer must create an authentication policy in Cisco ISE to allow wired printers that lack support for 802.1X onto the network What must the RadiusFlowType be set to in the policy to meet the requirement?
A. MAB
B. Compliant_Devices
C. Compliance_Unknown_Devices
D. Wired_MAB
Correct Answer: D
QUESTION 65
An enterprise uses a separate PSN for each of its four remote sites. Recently. a user reported receiving an “EAP-TLS authentication failed” message when moving between remote sites. Which configuration must be applied on Cisco ISE?
A. Configure an authorization profile for the end users.
B. Use a third-party certificate on the network device.
C. Add the device to all PSN nodes in the deployment.
D. Renew the expired certificate on one of the PSN.
Correct Answer: D
QUESTION 66
A network engineer must enable a profiling probe. The profiling must take details through the Active Directory. Where in the Cisco ISE interface would the engineer enable the probe?
A. Administration > Deployment > System > Profiling
B. Policy > Deployment > System > Profiling
C. Administration > System > Deployment > Profiling
D. Policy > Policy Elements > Profiling
Correct Answer: C
QUESTION 67
A network engineer must remove a device that has been whitelisted manually. How should the engineer remove it from Cisco ISE endpoint database?
A. Administration > Identity Management > Groups > Endpoint Identity Groups > Profiled
B. Administration > Identity Management > Endpoint Identity Groups
C. Administration > Identity Management > Endpoint Identity Groups > Profiled
D. Administration > Identity Management > Groups > Endpoint Identity Groups
Correct Answer: D
QUESTION 68
A network security administrator needs a web authentication configuration when a guest user connects to the network with a wireless connection using these steps:
1. An initial MAB request is sent to the Cisco ISE node.
2. Cisco ISE responds with a URL redirection authorization profile if the user’s MAC address is unknown in the endpoint identity store.
3. The URL redirection presents the user with an AUP acceptance page when the user attempts to go to any URL.
Which authentication must the administrator configure on Cisco ISE?
A. wired NAD with local WebAuth
B. NAD with central WebAuth
C. WLC with local WebAuth
D. device registration WebAuth
Correct Answer: B
QUESTION 69
A network is going through major hardware upgrades and is using Cisco ISE for network access control. Network devices are being added and removed regularly and the Cisco ISE administrators want to track new network devices. Which probe must be enabled to provide this visibility for Cisco ISE?
A. SNMP trap
B. SNMP query
C. DHCP SPAN
D. NetFlow
Correct Answer: A
QUESTION 70
The security team identified a rogue endpoint attached to the network. Which action must security engineer take within Cisco ISE to effectively restrict network access for this endpoint?
A. Implement authentication policy to deny access.
B. Configure access control list on network switches to block traffic.
C. Create authentication policy to force reauthentication.
D. Add MAC address to the endpoint quarantine list.
Correct Answer: D
QUESTION 71
Guest users report repeated prompts to authenticate with the portal when connecting to a wireless network An administrator must configure Cisco ISE to reduce the number of prompts. The solution must meet the requirements:
1. Users must be authenticated once.
2. When reconnecting to the visitor network, users do not need to be redirected to the login page.
Which action completes the configuration?
A. Configure an authentication rule for MAC Authentication Bypass users to add an authenticated MAC address in an identity group.
B. Configure an authorization rule for guest flow to bypass authenticated MAC address.
C. Configure the Wi-Fi Guest Access policy to allow the GuestEndpoint group.
D. Configure an authorization profile to send a redirection access control list only for unauthenticated users.
Correct Answer: C
QUESTION 72
Which file extension is required when deploying Cisco ISE using a ZTP configuration file in Microsoft Hyper-V?
A. .tar
B. .txt
C. .ing
D. .iso
Correct Answer: D
QUESTION 73
An engineer wants to preselect AD groups to be used in the access policy after integrating Cisco ISE with an active directory. Which configuration steps must the engineer take to assign groups to the AD on the identity management page?
A. external identity sources > active directory > groups
B. user identity groups > groups
C. groups > user identity groups
D. external identity sources > groups > active directory
Correct Answer: A
QUESTION 74
An engineer is starting to implement a wired 802.1X project throughout the campus. The task is for failed authentication to be logged to Cisco ISE and also have a minimal impact on the users. Which command must the engineer configure?
A. authentication host-mode multi-auth
B. monitor-mode enabled
C. pae dot1x enabled
D. authentication open
Correct Answer: D
QUESTION 75
An administrator must provide administrative access to the helpdesk users on production Cisco IOS routers. The solution must meet these requirements:
1. Authenticate the users against Microsoft AD.
2. Validate IOS commands run by users.
These configurations have been performed:
1. joined Cisco ISE to AD
2. retrieved AD groups
3. added a router to Cisco ISE
4. enabled Device Admin Service in Cisco ISE
5. configured an authorization policy
6. configured the routers for authentication and authorization
Which two components must be configured? (Choose two.)
A. access control list to filter the IOS commands
B. TACACS command sets
C. TACACS profile
D. authorization profile
E. authentication profile
Correct Answer: BC
QUESTION 76
A network engineer received alerts from the monitoring platform that a switch port exists with multiple sessions. RADIUS CoA using Cisco ISE must be used to address the issue. Which RADIUS CoA configuration must be used?
A. port bounce
B. exception
C. reauth
D. noCoA
Correct Answer: C
QUESTION 77
An engineer is working on a switch and must tag packets with SGT values such that it learns via SXP. Which command must be entered to meet this requirement?
A. ip arp inspection
B. ip source guard
C. ip device tracking maximum
D. ip dhcp snooping
Correct Answer: D
QUESTION 78
An engineer must develop a policy that utilizes AD group membership on Cisco ISE. Which type of policy element must the engineer configure to create an AD group within a policy?
A. dictionaries
B. smart conditions
C. conditions
D. results
Correct Answer: C
QUESTION 79
Which nodes are supported in a distributed Cisco ISE deployment?
A. Policy Service nodes for automatic failover
B. Policy Service nodes for session failover
C. Administration nodes for session failover
D. Monitoring nodes for PxGrid services
Correct Answer: A
QUESTION 80
A network administrator is configuring a new access switch to use with Cisco ISE for network access control. There is a need to use a centralized server for the reauthentication timers. What must be configured in order to accomplish this task?
A. Configure Cisco ISE to replace the switch configuration with new timers.
B. Issue the authentication timer reauthenticate server command on the switch.
C. Issue the authentication periodic command on the switch.
D. Configure Cisco ISE to block access after a certain period of time.
Correct Answer: B
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.