QUESTION 81
A network engineer is configuring a Cisco Wireless LAN Controller in order to find out more information about the devices that are connecting. This information must be sent to Cisco ISE to be used in authorization policies. Which profiling mechanism must be configured in the Cisco Wireless LAN Controller to accomplish this task?
A. SNMP
B. DNS
C. CDP
D. DHCP
Correct Answer: D
QUESTION 82
Which device acts as an authenticator during the 802.1X authentication process?
A. LDAP server
B. RADIUS server
C. Cisco switch
D. Cisco ISE PSN
Correct Answer: C
QUESTION 83
An engineer wants to use certificate authentication for endpoints that connect to a wired network integrated with Cisco ISE. The engineer needs to define the certificate field used as the principal username. Which component would be needed to complete the configuration?
A. authorization profile
B. authentication policy
C. authentication profile
D. authorization rule
Correct Answer: B
QUESTION 84
An administrator must configure Cisco ISE profiling services and the Cisco switch device sensor feature to provide user access using the AD-Join-Point and AD-Operating-System attributes from the Active Directory Probe. These configurations were performed:
1. configured all the required Cisco Wireless LAN Controller configurations
2. enabled Active Directory probes
3. configured a custom profiling policy
4. joined Cisco ISE to Active Directory
5. configured the authorization rule with full access permission
Which two actions complete the configuration? (Choose two.)
A. Configure custom profiling conditions.
B. Configure an identity group for endpoints.
C. Enable the SNIMP probe.
D. Configure a profiling logical profile.
E. Enable the RADIUS probe.
Correct Answer: BE
QUESTION 85
A network engineer must create a guest portal for wireless guests on Cisco ISE. The guest users must not be able to create accounts; however, the portal should require a username and password to connect Which portal type must be created in Cisco ISE to meet the requirements?
A. Custom Guest Portal
B. Hotspot Guest Access
C. Sponsored Guest Access
D. Self Registered Guest Access
Correct Answer: C
QUESTION 86
A network engineer must configure a centralized Cisco ISE solution for wireless guest access with users in different time zones. The guest account activation time must be independent of the user time zone, and the guest account must be enabled automatically when the user self-registers on the guest portal. Which option in the time profile settings must be selected to meet the requirement?
A. Set the Maximum Account Duration to 1 Day.
B. Select FromCreation from the Account Type dropdown.
C. Set the Duration field to 24:00:00.
D. Select FromFirstLogin from the Account Type dropdown.
Correct Answer: D
QUESTION 87
An engineer is starting to implement a wired 802.1X project throughout the campus. The task is to ensure that the authentication procedure is disabled on the ports but still allows all endpoints to connect to the network. Which port-control option must the engineer configure?
A. force-unauthorized
B. pae-disabled
C. auto
D. force-authorized
Correct Answer: D
QUESTION 88
An engineer wants to ease the management of endpoint identity groups from the Cisco ISE GUI. From the Identity Management menu in Cisco ISE, the engineer must be able to list the endpoint identity groups with a name that contains Android. Which task must the engineer perform?
A. Create an identity group named Android and set the parent group to profiled.
B. Create and save a quick filter with name equals Android as the criteria.
C. Create and save an advanced filter with name equals Android as the criteria.
D. Create an identity group named Android and populate the group with Android devices only.
Correct Answer: D
QUESTION 89
Which controller option allows a user to switch from the provisioning SSID to the employee SSID after registration?
A. AP SSID Fallback
B. Fast SSID Change
C. User Idle Timeout
D. AAA Override
Correct Answer: D
QUESTION 90
A client connects to the network The client does not support 802.1X. Which setting must be enabled in the Allowed Authentication Protocols list in your Authentication Policy for Cisco ISE Server to support MAB authentication for this MAC address?
A. MS-CHAPv2
B. EAP-TTLS
C. EAP-FAST
D. Process Host Lookup
Correct Answer: D
QUESTION 91
An administrator must configure Cisco ISE to authenticate a user accessing a Cisco Adaptive Security. Appliance firewall using SSH. The solution must meet these requirements:
1. The local Cisco ISE database must be used for user authentication.
2. ASA commands run by users must be validated.
The configurations were performed:
1. added the Cisco Adaptive Security Appliance firewall
2. configured user accounts
3. enabled Device Admin Service in Cisco ISE
4. configured a TACACS profile
5. configured an authorization policy
6. configured the Cisco Adaptive Security Appliance firewall for authentication and authorization
Which two actions must be taken in Cisco ISE? (Choose two.)
A. Configure an authentication profile.
B. Enable local authentication.
C. Configure a user identity group.
D. Configure TACACS command sets.
E. Configure an authorization profile.
Correct Answer: DE
QUESTION 92
A technician must configure MAB on an access switch. Due to a protocol error, the engineer discovers that MAB cannot authenticate. For MAB to function, which protocol must be enabled in the authorized protocol lists?
A. EAP-TLS
B. CHAP
C. MS-CHAPv2
D. Process Host Lookup
Correct Answer: D
QUESTION 93
A network engineer must configure a policy rule to check the endpoint. The policy must ensure disk encryption is enabled and the appropriate antivirus software version is installed. Which configuration must the engineer apply to the rule?
A. compound posture condition
B. dictionary compound condition
C. dictionary simple condition
D. simple posture condition
Correct Answer: A
QUESTION 94
Using the SAML protocol, an administrator must configure the Cisco ISE Sponsor portal to authenticate users with an external Microsoft Active Directory Federation Services server. The configurations were performed:
1. created a new SAML identity provider profile in Cisco ISE
2. exported the service provider information
3. configured all the required Active Directory Federation Services configurations
4. imported the Active Directory Federation Services metadata
5. configured groups in the new SAML identity provider profile
6. added attributes to the new SAML identity provider profile
7. configured Advanced Settings in the new SAML identity provider profile
Which two actions must be taken to complete the configuration? (Choose two.)
A. Configure the Sponsor portal HTTPS port for Active Directory Federation Services integration.
B. Add SAML identity provider groups in Sponsor Group Members.
C. Allow Kerberos single sign-on on the Sponsor portal.
D. Configure an identity source sequence in the Sponsor portal.
E. Customize the Sponsor portal pages for integration with Active Directory Federation Services.
Correct Answer: BD
QUESTION 95
An administrator must deploy the Cisco Secure Client posture agent to employee endpoints that access a wireless network by using URL redirection in Cisco ISE. The compliance module must be downloaded from Cisco and uploaded to the Cisco ISE client provisioning resource. What must be used to upload the compliance module?
A. agent resources from the local disk
B. Secure Client configuration
C. Client Provisioning Portal
D. Secure Client posture profile
Correct Answer: A
QUESTION 96
An engineer must use Cisco ISE profiler services to provide network access to Cisco IP phones that cannot support 802.1X. Cisco ISE is configured to use the access switch device sensor information system-description and platform-type to profile Cisco IP phones and allow access. Which two protocols must be configured on the switch to complete the configuration? (Choose two.)
A. EAPOL
B. STP
C. LLDP
D. CDP
E. SNMP
Correct Answer: DE
QUESTION 97
Which persona configuration feature is used when setting personas in Cisco ISE for a node that will give network access and receive RADIUS requests?
A. Policy Administration Node
B. Policy Service Node
C. pxGrid Node
D. Monitoring Node
Correct Answer: B
QUESTION 98
A network administrator must restrict sponsor account privileges for managing guest accounts on Cisco ISE for a new account that is being created. Sponsor groups currently exist for each business unit. The new sponsor that is being added must be restricted to only managing guest accounts created by sponsors from the same sponsor group. In which group must the new sponsor account be configured?
A. ALL_EMPLOYEES
B. GROUP_ACCOUNTS
C. OWN_ACCOUNTS
D. ALL_ACCOUNTS
Correct Answer: B
QUESTION 99
What is a difference between TACACS+ as compared to RADIUS from an AAA perspective?
A. TACACS+ supports only Cisco devices, whereas RADIUS supports any RADUIS-compatible device.
B. TACACS+ separates AAA services, whereas RADIUS combines authentication and authorization.
C. TACACS+ combines all roles into a single privilege level, whereas RADIUS separates privilege levels.
D. TACACS+ supports only local authentication, whereas RADIUS supports remote authentication.
Correct Answer: B
QUESTION 100
An engineer configures Cisco IS and Cisco Catalyst switches to enforce Cisco TrustSec policies. The engineer must use a nondisruptive deployment approach for new devices by deploying TrustSec policies in staging, preproduction, and production. Which action must be taken to complete the configuration?
A. Configure Security Group Tag Exchange Protocol on the new devices and integrate the devices in groups with Cisco ISE.
B. Integrate the new devices in staging, preproduction, and production network device groups.
C. Configure a different security group tag for the new devices in the staging, preproduction, and production stages.
D. Configure policy matrices in Cisco ISE and assign the new devices to the policy matrices
Correct Answer: A
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.