QUESTION 121
An engineer wants to learn more about Cisco ISE and deployed a new lab with two nodes. Which two persona configurations allow the engineer to successfully test redundancy of a failed node? (Choose two.)
A. Configure both nodes with the PAN, MnT, and PSN personas.
B. Configure one of the Cisco ISE nodes as the primary PAN and PSN personas and the other as the secondary.
C. Configure one of the Cisco ISE nodes as the primary PAN and MnT personas and the other as the secondary.
D. Configure both nodes with the PAN and MnT personas only.
E. Configure one of the Cisco ISE nodes as the Health Check node.
Correct Answer: AC
QUESTION 122
An administrator is configuring posture assessment in Cisco ISE for the first time. Which two components must be uploaded to Cisco ISE to use Secure Client for the agent configuration in a client provisioning policy? (Choose two.)
A. Secure Client network visibility module
B. Secure Client compliance module
C. SecureClientProfile.xsd file
D. Secure Client agent image
E. SecureClientProfile.xml file
Correct Answer: BD
QUESTION 123
Which two authentication protocols are supported by RADIUS but not by TACACS+? (Choose two.)
A. MSCHAPv2
B. CHAP
C. MSCHAPv1
D. PAP
E. EAP
Correct Answer: AE
QUESTION 124
A network engineer is configuring a new certificate template on the internal CA within Cisco ISE to provision certificates to BYOD devices that must be enrolled in the network. What must be configured in the SAN field of the certificate to identify the devices after enrollment?
A. user principal name
B. MAC address
C. common name
D. email address
Correct Answer: B
QUESTION 125
An administrator is configuring an AD domain to be used with authentication for endpoints and users within Cisco ISE. Which two steps are required to configure this to be used as an external identity store? (Choose two.)
A. Configure Active Directory Schema.
B. Add an Authentication Joint Point.
C. Configure Authentication Domains.
D. Add an Active Directory Join Point.
E. Configure Active Directory Domains
Correct Answer: DE
QUESTION 126
Due to a recent network incident, all access to network devices must be centrally logged and tracked in Cisco ISE. On which nodes must the Device Admin service be enabled?
A. each PSN
B. each PAN
C. one PSN
D. one PAN
Correct Answer: A
QUESTION 127
To configure BYOD using Cisco ISE, an administrator is considering issuing certificates to the devices connecting to provide a better user experience. Extemal CA servers cannot be used for this purpose because everything must be local to the Cisco ISE. What must be done to accomplish this?
A. Configure the Cisco ISE Internal CA to issue certificates to each endpoint connecting to the BYOD network.
B. Use ISE as a sub CA for the BYOD portal and redirect users to the Root CA for certificate issuance
C. Configure MS SCEP so that endpoints can query their local AD server for the correct certificate.
D. Use the captive portal network assistant to issue certificates to the endpoints as they authenticate.
Correct Answer: A
QUESTION 128
An engineer must configure an HTTP probe on a Cisco ISE virtual appliance running on VMWare using a dedicated interface for profiling. The interface is assigned to the VM Network port group. The engineer is logged into the hypervisor with a user account that only provides access to the Cisco ISE VM and the network settings for the VM. Which security setting must be changed for this interface to accept SPAN traffic?
A. Set Promiscuous mode to Accept in the Switch properties.
B. Set Promiscuous mode to Inherit from Switch in the Port Group properties.
C. Set Promiscuous mode to Inherit from Port Group in the Switch properties.
D. Set Promiscuous mode to Accept in the Port Group properties.
Correct Answer: D
QUESTION 129
An engineer is deploying Cisco ISE to use 802.1x authentication for controlling access to the company’s wired network. The request from company management is to minimize the impact on users during the rollout of 802.1x on the company switches. Which mode must be used first in a phased 802.1X deployment to fulfill this request?
A. Low-Impact
B. Closed
C. Open
D. Monitor
Correct Answer: D
QUESTION 130
Which two probes provide IP-to-MAC address binding information to the ARP cache in Cisco ISE? (Choose two.)
A. DHCP
B. HTTP
C. DNS
D. NetFlow
E. RADIUS
Correct Answer: AE
QUESTION 131
Which CLI command must be configured on the switchport to immediately run the MAB process if a non-802.1X capable endpoint connects to the port?
A. dot1x pae authenticator
B. authentication order mab dot1x
C. access-session port-control auto
D. authentication fallback
Correct Answer: B
QUESTION 132
Which Cisco ISE module contains a list of vendor names, product names, and attributes provided by OPSWAT?
A. Client Provisioning Module
B. Endpoint Security Module
C. Compliance Module
D. Posture Module
Correct Answer: C
QUESTION 133
The 300 GB OVA templates for VMs are sufficient for which two dedicated Cisco ISE node types? (Choose two.)
A. pxGrid
B. Log Collector
C. Administration
D. Monitorina
E. Policy Service
Correct Answer: AE
QUESTION 134
An administrator needs to add a new third party network device to be used with Cisco ISE for Guest and BYOD authorizations. Which two features must be configured under Network Device Profile to achieve this? (Choose two.)
A. dACL
B. SNMP community
C. URL Redirect
D. CoA Type
E. TACACS
Correct Answer: CD
QUESTION 135
A user recently had their laptop stolen. IT has ordered a replacement device for the user and was able to obtain the MAC address of the device from the vendor before it shipped. Which statement regarding adding MAC addresses to Cisco ISE is correct?
A. MAC addresses can be manually added using the + sign under Context Visibility > Endpoints.
B. MAC addresses can only be allowed after the device has connected to the network.
C. MAC addresses can only be manually imported using a. csv file and the import option.
D. MAC addresses can only be manually imported using the REST API.
Correct Answer: A
QUESTION 136
Which two statements regarding Zero Touch Provisioning (ZTP) on Cisco ISE are correct? (Choose two.)
A. ZTP is only supported on VMWare.
B. ZTP is only supported on virtual appliances.
C. All passwords must be encrypted in the configuration file.
D. Linux is required to create the configuration image.
E. ZTP cannot be used if ICMP is blocked.
Correct Answer: BD
QUESTION 137
Which two tasks must be completed when configuring the Cisco ISE BYOD Portal? (Choose two.)
A. Enable policy services.
B. Customize device portal.
C. Create endpoint identity groups.
D. Deploy client provisioning portal.
E. Provision external identity sources
Correct Answer: AC
QUESTION 138
When configuring Active Directory groups, an administrator is attempting to retrieve a group that has a name that is ambiguous with another group. What must be done so that the correct group is returned?
A. Configure MAB to utilize one group, and 802.1x to utilize the conflicting group.
B. Select both groups, and use a TGT pointer to identify the appropriate one.
C. Utilize MIB entries to identify the desired group
D. Use the SID as the identifier for the group.
Correct Answer: D
QUESTION 139
An administrator has manually added the MAC address of a wireless device to the Blocklist Identity Group for testing. When the device connects to the wireless network it triggers the Wireless Block List Default rule, but the device is still allowed to access the wireless network. What additional step must be taken to resolve this issue?
A. Disable URL redirection on the Authorization Profile.
B. Change the Access Type under the Authorization Profile to ACCESS_ REJECT.
C. Create an ACL named BLOCKHOLE on the Cisco WLC.
D. Enable SNMP with read and write access on the Cisco WLC.
Correct Answer: B
QUESTION 140
The security engineer for a company has recently deployed Cisco IS to perform centralized authentication of all network device logins using TACACS+ against the local AD domain. Some of the other network engineers are having a hard time remembering to enter their AD account password instead of the local admin password that they have used for years. The security engineer wants to change the password prompt to “Use Local AD Password:” as a way of providing a hint to the network engineers when logging in. Under which page in Cisco ISE would this change be made?
A. The password prompt cannot be changed on a Cisco IOS device
B. Work Centers>Device Administration>Ext Id Sources>Advanced Settings
C. Work Centers>Device Administration> Settings>Connection Settings
D. Work Centers>Device Administration>Network Resources> Network Devices
Correct Answer: C
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.