QUESTION 161
An organization is adding nodes to their Cisco ISE deployment and has two nodes designated as primary and secondary PAN and MnT nodes. The organization also has four PSNs. An administrator is adding two more PSNs to this deployment but is having problems adding one of them. What is the problem?
A. The new nodes must be set to primary prior to being added to the deployment.
B. One of the new nodes must be designated as a pxGnid node.
C. Only five PSNs are allowed to be in the Cisco ISE cube if configured this way.
D. The current PAN is only able to track a max of four nodes.
Correct Answer: C
QUESTION 162
What is a difference between TACACS+ and RADIUS in regards to encryption?
A. TACACS+ encrypts the username and password, whereas RADIUS encrypts only the password.
B. TACACS+ encrypts only the password, whereas RADIUS encrypts the username and password.
C. TACACS+ encrypts the entire packet, whereas RADIUS encrypts only the password.
D. TACACS+ encrypts the password, whereas RADIUS sends the entire packet in clear text.
Correct Answer: C
QUESTION 163
An administrator must block access to BYOD endpoints that were onboarded without a certificate and have been reported as stolen in the Cisco ISE My Devices Portal. Which condition must be used when configuring an authorization policy that sets DenyAccess permission?
A. Endpoint Identity Group is Blocklist, and the BYOD state is Reinstate.
B. Endpoint Identify Group is Blocklist, and the BYOD state is Pending.
C. Endpoint Identity Group is Blocklist, and the BYOD state is Registered.
D. Endpoint Identity Group is Blocklist, and the BYOD state is Lost.
Correct Answer: C
QUESTION 164
The security team wants to secure the wired network. A legacy printer on the network does not support 802.1X. Which setting must be enabled in the Allowed Authentication Protocols list in your Authentication Policy for Cisco ISE to support MAB for this MAC address?
A. Process Host Lookup
B. PAP
C. MS-CHAPv2
D. EAP-TLS
Correct Answer: A
QUESTION 165
An engineer needs to configure Cisco ISE Profiling Services to authorize network access for IP speakers that require access to the intercom system. This traffic needs to be identified if the ToS bit is set to 5 and the destination IP address is the intercom system. What must be configured to accomplish this goal?
A. pxGrld
B. NMAP
C. NETFLOW
D. RADIUS
Correct Answer: C
QUESTION 166
An engineer is unable to use SSH to connect to a switch after adding the required CLI commands to the device to enable TACACS+. The device administration license has been added to Cisco ISE, and the required policies have been created. Which action is needed to enable access to the switch?
A. The switch needs to be added as a network device in Cisco ISE and set to use TACACS+.
B. 802.1X authentication needs to be configured on the switch.
C. The ip ssh source-interface command needs to be set on the switch.
D. The RSA keypair used for SSH must be regenerated after enabling TACACS+.
Correct Answer: A
QUESTION 167
Which type of identity store allows for creating single-use access credentials in Cisco ISE?
A. Local
B. OpenLDAP
C. RSA SecurID
D. PKI
Correct Answer: C
QUESTION 168
What is a difference between RADIUS and TACACS+?
A. RADIUS supports command accounting, and TACACS+ does not.
B. RADIUS offers multiprotocol support, and TACACS+ supports only IP traffic.
C. RADIUS uses connection-oriented transport, and TACACS+ uses best-effort delivery.
D. RADIUS combines authentication and authorization functions, and TACACS+ separates them.
Correct Answer: D
QUESTION 169
What are two differences of TACACS+ compared to RADIUS? (Choose two.)
A. TACACS+ supports multiple sessions per user, whereas RADIUS supports one session per user.
B. TACACS+ only encrypts the password, whereas RADIUS encrypts the full packet payload.
C. TACACS+ uses a connectionless transport protocol, whereas RADIUS uses a connection-oriented transport protocol.
D. TACACS+ uses a connection-oriented transport protocol, whereas RADIUS uses a connectionless transport protocol.
E. TACACS+ encrypts the full packet payload, whereas RADIUS only encrypts the password.
Correct Answer: DE
QUESTION 170
A user changes the status of a device to stolen in the My Devices Portal of Cisco ISE. The device was originally onboarded in the BYOD wireless Portal without a certificate. The device is found later, but the user cannot re-onboard the device because Cisco ISE assigned the device to the Blocklist endpoint identity group. What must the user do in the My Devices Portal to resolve this issue?
A. Delete the device, and then re-add the device.
B. Change the device state from Stolen to Not Registered.
C. Manually remove the device from the Blocklist endpoint identity group.
D. Change the BYOD registration attribute of the device to None.
Correct Answer: A
QUESTION 171
Which Cisco ISE solution ensures endpoints have the latest version of antivirus updates installed before being allowed access to the corporate network?
A. Provisioning Services
B. Threat Services
C. Profiling Services
D. Posture Services
Correct Answer: D
QUESTION 172
An engineer needs to configure a Cisco ISE server to issue a CoA for endpoints already authenticated to access the network. The CoA option must be enforced on a session, even if there are multiple active sessions on a port. What must be configured to accomplish this task?
A. an endpoint profiling policy with the No CoA option enabled
B. the Port Bounce CoA option in the Cisco ISE system profiling settings enabled
C. an endpoint profiling policy with the Port Bounce CoA option enabled
D. the Reauth CoA option in the Cisco ISE system profiling settings enabled
Correct Answer: D
QUESTION 173
An engineer is configuring static SGT classification. Which configuration should be used when authentication is disabled and third-party switches are in use?
A. L3IF to SGT mapping
B. Subnet to SGT mapping
C. IP Address to SGT mapping
D. VLAN to SGT mapping
Correct Answer: C
QUESTION 174
An ISE administrator must change the inactivity timer for MAB endpoints to terminate the authentication session whenever a switch port that is connected to an IP phone does not detect packets from the device for 60 minutes. Which action must be taken to accomplish this task?
A. Configure the session-timeout to be 3600 seconds on Cisco ISE.
B. Change the idle-timeout on the Radius server to 3600 seconds for IP Phone endpoints.
C. Add the authentication timer inactivity 3600 command to the switchport.
D. Add the authentication timer reauthenticate server command to the switchport.
Correct Answer: C
QUESTION 175
An engineer is testing low-impact mode for a phased deployment of Cisco ISE. Which type of traffic is denied when a host tries to connect to the network prior to authentication?
A. DNS
B. HTTP
C. DHCP
D. EAP
Correct Answer: B
QUESTION 176
A security administrator is using Cisco ISE to create a BYOD onboarding solution for all employees who use personal devices on the corporate network. The administrator generates a Certificate Signing Request and signs the request using an external Certificate Authority server. Which certificate usage option must be selected when importing the certificate into ISE?
A. Admin
B. DLTS
C. RADIUS
D. Portal
Correct Answer: D
QUESTION 177
Which two actions must be verified to confirm that the internet is accessible via guest access when configuring a guest portal? (Choose two.)
A. Cisco ISE sends a CoA upon successful guest authentication.
B. The guest user gets redirected to the authentication page when opening a browser.
C. The guest device successfully associates with the correct SSID.
D. The guest device can connect to network file shares.
E. The guest device has internal network access on the WLAN.
Correct Answer: BC
QUESTION 178
An administrator must enable scanning for specific endpoints when they attempt to access the network. The scanning must be triggered as a result of successful authentication. Which action accomplishes this task?
A. Add an entry in the authentication conditions to allow only scanned endpoints access, then redirect everything else to the portal to initiate the scan.
B. Configure the endpoint scanning probe to profile the endpoint correctly and assign it a risk score.
C. Create an authorization profile with scanning enabled and add it to the authorization policy that the endpoints will hit.
D. Modify the authorization policy to send init_endpoint_scan as a result to the authenticator.
Correct Answer: C
QUESTION 179
An engineer is configuring a new Cisco ISE node. The Device Admin service must run on this node to handle authentication requests for network device access via TACACS+. Which persona must be enabled on this node to perform this function?
A. Administration
B. Policy Service
C. Monitoring
D. pxGrid
Correct Answer: B
QUESTION 180
A network engineer is attempting to terminate and reinitialize wireless user sessions individually by using the Live Sessions tab in Cisco ISE. Cisco ISE and the Cisco WLC are separated by a firewall. Which port must be allowed on the firewall so that the network engineer can perform this function from Cisco ISE?
A. TCP port 3791
B. TCP port 8443
C. UDP port 1700
D. UDP port 5246
Correct Answer: C
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.