QUESTION 101
What is a primary function of RADIUS compared to TACACS?
A. RADIUS supports command authorization, whereas TACACS provides no support for commands.
B. RADIUS supports command accounting, whereas TACACS supports only start/stop accounting.
C. RADIUS supports multiple privilege levels, whereas TACACS supports only one privilege level.
D. RADIUS provides AAA for network access, whereas TACACS provides AAA for device administration.
Correct Answer: D
QUESTION 102
An administrator must configure Cisco ISE to authenticate the administrative superuser to manage a Cisco Adaptive Security Appliance firewall. The solution must meet the requirements.
1. The user must be authenticated against Microsoft AD.
2. The user must have full management administrative access to the Cisco Adaptive Security Appliance firewall.
3. The user must not use the enable command.
The configurations were performed:
1. joined Cisco ISE to AD and retrieved AD groups
2. added the Cisco Adaptive Security Appliance firewall
3. enabled Device Admin Service in Cisco ISE
4. configured TACACS command sets
5. configured a TACACS profile
6. configured an authorization policy
7. configured the Cisco Adaptive Security Appliance firewall for authentication and authorization
Which two actions must be performed in Cisco ISE? (Choose two.)
A. Configure an authentication profile on Cisco ISE
B. Set Default Privilege to 15 and Maximum Privilege to 15 in the TACACS profile.
C. Add all authorized admin commands to the TACACS profile.
D. Select “Permit any command that is not listed below” in the TACACS profile.
E. Set Default Privilege to 1 and Maximum Privilege to 15 in the TACACS profile.
Correct Answer: BD
QUESTION 103
A network engineer must configure BOD using Cisco ISE. In the deployment, the users must be able to submit SR through the end devices. Which two features must be enabled to meet the requirement? (Choose two.)
A. Define a certificate group tag.
B. A certificate provisioning portal must be configured.
C. A new BYOD portal must be created.
D. Add SuperAdmin account into portal admin group.
E. Cisco ISE internal CA service must be enabled.
Correct Answer: BC
QUESTION 104
An endpoint attempts to connect to the network. The security administrator wants to ensure that before authentication, only limited access is provided for services including DHCP and DNS. Full network access is only granted upon successful 802.1X authentication. Which ISE deployment mode should the administrator configure to meet the requirements?
A. low-impact mode
B. open mode
C. monitor mode
D. closed mode
Correct Answer: A
QUESTION 105
An administrator plans to use Cisco ISE to deploy posture policies to assess Microsoft Windows endpoints that run Cisco Secure Client. The administrator wants to minimize the occurrence of messages related to unknow posture profiles if Cisco ISE fails to determine the posture of the endpoint. Secure Client is deployed to all the endpoints, and all the required Cisco ISE authentication, authorization, and posture policy configurations were performed. Which action must be taken next to complete the configuration?
A. Enable Cisco ISE posture on Secure Client configuration.
B. Install the compliance module on the endpoints.
C. Configure a native supplicant on the endpoints to support the posture policies.
D. Install the latest version of the Secure Client client on the endpoints
Correct Answer: A
QUESTION 106
An engineer is configuring a posture policy for Windows 10 endpoints and wants to ensure that users in each AD group have different conditions to meet to be compliant. What must be done to accomplish this task?
A. Identify the users groups needed for different policies and create service conditions to map each one to its posture requirement.
B. Configure a simple condition for each AD group and use it in the posture policy for each use case.
C. Use the authorization policy within the policy set to group each AD group with their respective posture policy.
D. Change the posture requirements to use an AD group for each use case, then use those requirements in the posture policy.
Correct Answer: A
QUESTION 107
An employee must access the internet through the corporate network from a new mobile device that does not support native supplicant provisioning provided by Cisco ISE. Which portal must the employee use to provision to the device?
A. Personal Device
B. BYOD
C. Client Provisioning
D. My Devices
Correct Answer: D
QUESTION 108
An administrator made changes in Cisco ISE and needs to apply new permissions for endpoints that have already been authenticated by sending a CoA packet to the network devices. Which IOS command must be configured on the devices to accomplish this goal?
A. authentication command dlisable-port
B. aaa server radius dynamic-author
C. authentication command bounce-port
D. aaa nas port extended
Correct Answer: B
QUESTION 109
An organization is using Cisco ISE to provide AAA services to non-Cisco switches with IP phones connected. An engineer needs to use Profiling Services to authorize network access for IP phones that do not support 802.1X. What must be configured to accomplish this goal?
A. SNMPQUERY
B. SNMPTRAP
C. RADIUS
D. DHCP
Correct Answer: C
QUESTION 110
An engineer must configure Cisco ISE to provide internet access for guests in which guests are required to enter a code to gain network access. Which action accomplishes the goal?
A. Create a BYOD policy that bypasses the authentication of the user and authorizes access codes.
B. Configure the hotspot portal for guest access and require an access code.
C. Configure the self-registered guest portal to allow guests to create a personal access code.
D. Configure the sponsor portal with a single account and use the access code as the password.
Correct Answer: B
QUESTION 111
Which Cisco ISE deployment model is recommended for an enterprise that has over 50,000 concurrent active endpoints?
A. small deployment with one primary and one secondary node running all personas
B. medium deployment with primary and secondary PAN/MnT/pxGrid nodes with shared PSNs
C. large deployment with fully distributed nodes running all personas
D. medium deployment with primary and secondary PAN/MnT/pxGrid nodes with dedicated PSNs
Correct Answer: D
QUESTION 112
What are the minimum requirements for deploying the Automatic Failover feature on Administration nodes in a distributed Cisco ISE deployment?
A. a primary and secondary PAN and a pair of health check nodes
B. a primary and secondary PAN and no health check nodes
C. a primary and secondary PAN and a health check node for the Secondary PAN
D. a primary and secondary PAN and a health check node for the Primary PAN
Correct Answer: D
QUESTION 113
What is a valid status of an endpoint attribute during the device registration process?
A. pending
B. DenyAccess
C. unknown
D. block listed
Correct Answer: A
QUESTION 114
What is a restriction of a standalone Cisco ISE node deployment?
A. The hostname of the node cannot be changed after installation.
B. Personas are enabled by default and cannot be edited on the node.
C. Only the Policy Service persona can be disabled on the node.
D. The domain name of the node cannot be changed after installation.
Correct Answer: B
QUESTION 115
An administrator replaced a PSN in the distributed Cisco ISE environment. When endpoints authenticate to it, the devices are not getting the right profiles or attributes and as a result, are not hitting the correct policies. This was working correctly on the previous PSN. Which action must be taken to ensure the endpoints get identified?
A. Verify that the authentication request the PSN is receiving is not malformed.
B. Verify the shared secret used between the switch and the PSN.
C. Verify that the profiling service is running on the new PSN.
D. Verify that the MnT node is tracking the session.
Correct Answer: C
QUESTION 116
An engineer needs to configure a new certificate template in the Cisco ISE Internal Certificate Authority to prevent BYOD devices from needing to re-enroll when their MAC address changes. Which option must be selected in the Subject Alternative Name field?
A. MAC Address and GUID
B. Distinguished Name
C. Common Name
D. Common Name and GUID
Correct Answer: A
QUESTION 117
An administrator is configuring the Native Supplicant Profile to be used with the Cisco ISE posture agents and needs to test the connection using wired devices to determine which profile settings are available. Which two configuration settings should be used to accomplish this task? (Choose two.)
A. authentication mode
B. allowed protocol
C. certificate template
D. security
E. proxy host/IP
Correct Answer: BC
QUESTION 118
The IT manager wants to provide different levels of access to network devices when users authenticate using TACACS+. The company needs specific commands to be allowed based on the Active Directory group membership of the different roles within the IT department. The solution must minimize the number of objects created in Cisco ISE. What must be created to accomplish this task?
A. one shell profile and one command set
B. multiple shell profiles and multiple command sets
C. one shell profile and multiple command sets
D. multiple shell profiles and one command set
Correct Answer: C
QUESTION 119
An administrator is attempting to join a new node to the primary Cisco ISE node, but receives the error message “Node is Unreachable”. What is causing this error?
A. The second node is a PAN node.
B. The second node is in standalone mode.
C. No administrative certificate is available for the second node.
D. No admin privileges are available on the second node.
Correct Answer: C
QUESTION 120
A network engineer needs to deploy 802.1x using Cisco ISE in a wired network environment where thin clients download their system image upon bootup using PXE. For which mode must the switch ports be configured?
A. restricted
B. closed
C. low-impact
D. monitor
Correct Answer: C
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.