300-715 Exam Prep Free – 50 Practice Questions to Get You Ready for Exam Day
Getting ready for the 300-715 certification? Our 300-715 Exam Prep Free resource includes 50 exam-style questions designed to help you practice effectively and feel confident on test day.
Effective preparation is the key to success on the 300-715 exam. With our free practice questions, you can:
- Get familiar with exam format and question style
- Identify which topics you’ve mastered—and which need more review
- Boost your confidence and reduce exam anxiety
Below, you will find 50 realistic 300-715 Exam Prep Free questions that cover key exam topics. These questions are designed to reflect the structure and challenge level of the actual exam, making them perfect for your study routine.
Which two ports must be open between Cisco ISE and the client when you configure posture on Cisco ISE? (Choose two.)
A. TCP 80
B. TCP 8905
C. TCP 8443
D. TCP 8906
E. TCP 443
An engineer is enabling a newly configured wireless SSID for tablets and needs visibility into which other types of devices are connecting to it. What must be done on the Cisco WLC to provide this information to Cisco ISE?
A. enable mDNS snooping
B. enable Fast Transition
C. enable MAC filtering
D. enable IP Device Tracking
An engineer is implementing network access control using Cisco ISE and needs to separate the traffic based on the network device ID and use the IOS device sensor capability. Which probe must be used to accomplish this task?
A. NetFlow probe
B. HTTP probe
C. RADIUS probe
D. network scan probe
What is needed to configure wireless guest access on the network?
A. endpoint already profiled in ISE
B. WEBAUTH ACL for redirection
C. Captive Portal Bypass turned on
D. valid user account in Active Directory
What is an advantage of using EAP-TLS over EAP-MS-CHAPv2 for client authentication?
A. EAP-TLS uses a username and password for authentication to enhance security, while EAP-MS-CHAPv2 does not.
B. EAP-TLS uses multiple forms of authentication, while EAP-MS-CHAPv2 only uses one.
C. EAP-TLS uses a device certificate for authentication to enhance security, while EAP-MS-CHAPv2 does not.
D. EAP-TLS secures the exchange of credentials, while EAP-MS-CHAPv2 does not.
An administrator has added a new Cisco ISE PSN to their distributed deployment. Which two features must the administrator enable to accept authentication requests and profile the endpoints correctly, and add them to their respective endpoint identity groups? (Choose two.)
A. Session Services
B. Profiling Services
C. Radius Service
D. Posture Services
E. Endpoint Attribute Filter
An engineer needs to configure a new certificate template in the Cisco ISE Internal Certificate Authority to prevent BYOD devices from needing to re-enroll when their MAC address changes. Which option must be selected in the Subject Alternative Name field?
A. Common Name and GUID
B. MAC Address and GUID
C. Distinguished Name
D. Common Name
What are two components of the posture requirement when configuring Cisco ISE posture? (Choose two.)
A. Client Provisioning portal
B. remediation actions
C. updates
D. access policy
E. conditions
An engineer must create an authentication policy in Cisco ISE to allow wired printers that lack support for 802.1X onto the network. What must the RadiusFlowType be set to in the policy to meet the requirement?
A. MAB
B. Wired_MAB
C. Compliant_Devices
D. Compliance_Unknown_Devices
Which are two characteristics of TACACS+? (Choose two.)
A. It separates authorization and authentication functions.
B. It combines authorization and authentication functions.
C. It uses UDP port 49.
D. It encrypts the password only.
E. It uses TCP port 49.
An administrator is migrating device administration access to Cisco ISE from the legacy TACACS+ solution that used only privilege 1 and 15 access levels. The organization requires more granular controls of the privileges and wants to customize access levels 2-5 to correspond with different roles and access needs. Besides defining a new shell profile in Cisco ISE, what must be done to accomplish this configuration?
A. Enable the privilege levels in Cisco ISE.
B. Enable the privilege levels in the IOS devices.
C. Define the command privileges for levels 2-5 in Cisco ISE.
D. Define the command privileges for levels 2-5 in the IOS devices.
An administrator is configuring endpoint profiling and needs to enable CoA for devices that change profiles. Which two actions must be taken to accomplish this goal? (Choose two.)
A. Ensure that the firewall is not blocking port 1700
B. Define “reauth” in the default CoA action to be used
C. Use an API to detect when profile changes occur and send instructions to ISE to provide a CoA
D. Modify the RADIUS endpoint attribute filters to send CoA actions as the profiles change
E. Enable the CoA policy and create rules for each type
A network administrator is setting up wireless guest access and has been unsuccessful in testing client access. The endpoint is able to connect to the SSID but is unable to gain access to the guest network through the guest portal. What must be done to identify the problem?
A. Use traceroute to ensure connectivity.
B. Use context visibility to verify posture status.
C. Use the identity group to validate the authorization rules.
D. Use the endpoint ID to execute a session trace.
An engineer needs to create a Self-Registered Guest Portal in Cisco ISE in which guest users receive their passwords via SMS. Which two settings must be configured to accomplish this task? (Choose two.)
A. Choose the SMS provider previously configured as an SMS gateway under the Registration Form Settings.
B. Select SMS for the Send Credential upon notification setting under Registration Form Settings.
C. Choose the SMS provider previously configured as an SMS gateway under Device Registration Settings.
D. Select Allow employees to use personal devices and SMS for notifications under BYOD.
E. Select SMS for the Send Credential upon notification setting under the Login Page Settings.
When creating a policy within Cisco ISE for network access control, the administrator wants to allow different access restrictions based upon the wireless SSID to which the device is connecting. Which policy condition must be used in order to accomplish this?
A. Network Access NetworkDeviceName CONTAINS
B. DEVICE Device Type CONTAINS
C. Airespace Airespace-Wlan-Id CONTAINS
D. Radius Called-Station-ID CONTAINS
When configuring Active Directory groups, what does Cisco ISE use to resolve ambiguous group names?
A. MIB
B. SID
C. MAB
D. TGT
An administrator is adding network devices for a new medical building into Cisco ISE. These devices must be in a network device group that is identifying them as `Medical Switch` so that the policies can be made separately for the endpoints connecting through them. Which configuration item must be changed in the network device within Cisco ISE to accomplish this goal?
A. Change the device profile to Medical Switch.
B. Change the device type to Medical Switch.
C. Change the device location to Medical Switch.
D. Change the model name to Medical Switch.
Which two fields are available when creating an endpoint on the context visibility page of Cisco ISE? (Choose two.)
A. Security Group Tag
B. Endpoint Family
C. Policy Assignment
D. Identity Group Assignment
E. IP Address
The security team wants to secure the wired network. A legacy printer on the network with the MAC address 00:43:08:50:64:60 does not support 802.1X. Which setting must be enabled in the Allowed Authentication Protocols list in your Authentication Policy for Cisco ISE to support MAB for this MAC address?
A. MS-CHAPv2
B. EAP-TLS
C. PAP
D. Process Host Lookup
When configuring an authorization policy, an administrator cannot see specific Active Directory groups present in their domain to be used as a policy condition. However, other groups that are in the same domain are seen. What is causing this issue?
A. Cisco ISE’s connection to the AD join point is failing.
B. Cisco ISE only sees the built-in groups, not user created ones.
C. The groups are not added to Cisco ISE under the AD join point.
D. The groups are present but need to be manually typed as conditions.
A security administrator is using Cisco ISE to create a BYOD onboarding solution for all employees who use personal devices on the corporate network. The administrator generates a Certificate Signing Request and signs the request using an external Certificate Authority server. Which certificate usage option must be selected when importing the certificate into ISE?
A. RADIUS
B. DLTS
C. Portal
D. Admin
A user recently had their laptop stolen. IT has ordered a replacement device for the user and was able to obtain the MAC address of the device, 04:57:47:34:35:0A, from the vendor before it shipped. Which statement regarding adding MAC addresses to Cisco ISE is correct?
A. MAC addresses can only be manually imported using a .csv file and the import option.
B. MAC addresses can only be manually imported using the REST API.
C. MAC addresses can only be allowed after the device has connected to the network.
D. MAC addresses can be manually added using the + sign under Context Visibility > Endpoints.
An administrator is configuring RADIUS on a Cisco switch with a key set to Cisc407294634 but is receiving the error `Authentication failed: 22040 Wrong password or invalid shared secret.` What must be done to address this issue?
A. Add the network device as a NAD inside Cisco ISE using the existing key.
B. Configure the key on the Cisco ISE instead of the Cisco switch.
C. Validate that the key is correct on both the Cisco switch as well as Cisco ISE.
D. Use a key that is between eight and ten characters.
A new employee just connected their workstation to a Cisco IP phone. The network administrator wants to ensure that the Cisco IP phone remains online when the user disconnects their workstation from the corporate network. Which CoA configuration meets this requirement?
A. Reauth
B. Disconnect
C. No CoA
D. Port Bounce
Which two external identity stores support EAP-TLS and PEAP-TLS? (Choose two.)
A. RSA SecurID
B. RADIUS Token
C. Active Directory
D. Internal Database
E. LDAP
What are two requirements of generating a single certificate in Cisco ISE by using a certificate provisioning portal, without generating a certificate signing request? (Choose two.)
A. Enter the IP address of the device.
B. Enter the common name.
C. Choose the hashing method.
D. Locate the CSV file for the device MAC.
E. Select the certificate template.
What are two differences of TACACS+ compared to RADIUS? (Choose two.)
A. TACACS+ uses a connectionless transport protocol, whereas RADIUS uses a connection-oriented transport protocol.
B. TACACS+ encrypts the full packet payload, whereas RADIUS only encrypts the password.
C. TACACS+ only encrypts the password, whereas RADIUS encrypts the full packet payload.
D. TACACS+ uses a connection-oriented transport protocol, whereas RADIUS uses a connectionless transport protocol.
E. TACACS+ supports multiple sessions per user, whereas RADIUS supports one session per user.
Refer to the exhibit. Which switch configuration change will allow only one voice and one data endpoint on each port?
A. auto to manual
B. mab to dot1x
C. multi-auth to multi-domain
D. multi-auth to single-auth
An organization is adding new profiling probes to the system to improve profiling on Cisco ISE. The probes must support a common network management protocol to receive information about the endpoints and the ports to which they are connected. What must be configured on the network device to accomplish this goal?
A. ICMP
B. WCCP
C. ARP
D. SNMP
What are the minimum requirements for deploying the Automatic Failover feature on Administration nodes in a distributed Cisco ISE deployment?
A. a primary and secondary PAN and a health check node for the Secondary PAN
B. a primary and secondary PAN and no health check nodes
C. a primary and secondary PAN and a pair of health check nodes
D. a primary and secondary PAN and a health check node for the Primary PAN
Which use case validates a change of authorization?
A. An endpoint that is disconnected from the network is discovered.
B. Endpoints are created through device registration for the guests.
C. An endpoint profiling policy is changed for authorization policy.
D. An authenticated, wired EAP-capable endpoint is discovered.
There are several devices on a network that are considered critical and need to be placed into the ISE database and a policy used for them. The organization does not want to use profiling. What must be done to accomplish this goal?
A. Enter the MAC address in the correct Endpoint Identity Group.
B. Enter the IP address in the correct Endpoint Identity Group.
C. Enter the IP address in the correct Logical Profile.
D. Enter the MAC address in the correct Logical Profile.
What is a characteristic of the UDP protocol?
A. UDP can detect when a server is down.
B. UDP can detect when a server is slow.
C. UDP offers best-effort delivery.
D. UDP offers information about a non-existent server.
Which two authentication protocols are supported by RADIUS but not by TACACS+? (Choose two.)
A. MSCHAPv1
B. PAP
C. EAP
D. CHAP
E. MSCHAPv2
A network engineer needs to deploy 802.1x using Cisco ISE in a wired network environment where thin clients download their system image upon bootup using PXE. For which mode must the switch ports be configured?
A. closed
B. restricted
C. monitor
D. low-impact
Which two task types are included in the Cisco ISE common tasks support for TACACS+ profiles? (Choose two.)
A. ASA
B. Firepower
C. Shell
D. WLC
E. IOS
An engineer configured posture assessment for their network access control with the goal of using an agent that supports using service conditions for the assessment. The agent should run as a background process to avoid user interruption, but the user can see it when it is run. What is the problem?
A. The selected posture agent does not support the engineer’s goal.
B. The posture module was deployed using the headend instead of installing it with SCCM.
C. The proper permissions were not given to the temporal agent to conduct the assessment.
D. The user required remediation so the agent appeared in the notifications.
An administrator has manually added the MAC address of a wireless device to the Blocklist Identity Group for testing. When the device connects to the wireless network it triggers the Wireless Block List Default rule, but the device is still allowed to access the wireless network. What additional step must be taken to resolve this issue?
A. Disable URL redirection on the Authorization Profile.
B. Enable SNMP with read and write access on the Cisco WLC.
C. Create an ACL named BLOCKHOLE on the Cisco WLC.
D. Change the Access Type under the Authorization Profile to ACCESS_REJECT.
An administrator adds a new network device to the Cisco ISE configuration to authenticate endpoints to the network. The RADIUS test fails after the administrator configures all of the settings in Cisco ISE and adds the proper configurations to the switch. What is the issue?
A. The endpoint profile is showing as “unknown”
B. The endpoint does not have the appropriate credentials for network access
C. The certificate on the switch is self-signed, not a CA-provided certificate
D. The shared secret is incorrect on the switch or on Cisco ISE
An engineer wants to learn more about Cisco ISE and deployed a new lab with two nodes. Which two persona configurations allow the engineer to successfully test redundancy of a failed node? (Choose two.)
A. Configure one of the Cisco ISE nodes as the Health Check node.
B. Configure both nodes with the PAN and MnT personas only.
C. Configure one of the Cisco ISE nodes as the primary PAN and MnT personas and the other as the secondary.
D. Configure both nodes with the PAN, MnT, and PSN personas.
E. Configure one of the Cisco ISE nodes as the primary PAN and PSN personas and the other as the secondary.
An engineer needs to configure a Cisco ISE server to issue a CoA for endpoints already authenticated to access the network. The CoA option must be enforced on a session, even if there are multiple active sessions on a port. What must be configured to accomplish this task?
A. the Reauth CoA option in the Cisco ISE system profiling settings enabled
B. an endpoint profiling policy with the No CoA option enabled
C. an endpoint profiling policy with the Port Bounce CoA option enabled
D. the Port Bounce CoA option in the Cisco ISE system profiling settings enabled
Users in an organization report issues about having to remember multiple usernames and passwords. The network administrator wants the existing Cisco ISE deployment to utilize an external identity source to alleviate this issue. Which two requirements must be met to implement this change? (Choose two.)
A. Establish access to one Global Catalog server
B. Ensure that the NAT address is properly configured
C. Provide domain administrator access to Active Directory
D. Configure a secure LDAP connection
E. Enable IPC access over port 80
DRAG DROP - Drag and drop the configuration steps from the left into the sequence on the right to install two Cisco ISE nodes in a distributed deployment.
A network engineer received alerts from the monitoring platform that a switch port exists with multiple sessions. RADIUS CoA using Cisco ISE must be used to address the issue. Which RADIUS CoA configuration must be used?
A. port bounce
B. no CoA
C. exception
D. reauth
An engineer needs to configure Cisco ISE Profiling Services to authorize network access for IP speakers that require access to the intercom system. This traffic needs to be identified if the ToS bit is set to 5 and the destination IP address is the intercom system. What must be configured to accomplish this goal?
A. NMAP
B. NETFLOW
C. pxGrid
D. RADIUS
An engineer must configure Cisco ISE to provide internet access for guests in which guests are required to enter a code to gain network access. Which action accomplishes the goal?
A. Configure the hotspot portal for guest access and require an access code.
B. Configure the sponsor portal with a single account and use the access code as the password.
C. Configure the self-registered guest portal to allow guests to create a personal access code.
D. Create a BYOD policy that bypasses the authentication of the user and authorizes access codes.
Which type of identity store allows for creating single-use access credentials in Cisco ISE?
A. OpenLDAP
B. Local
C. PKI
D. RSA SecurID
Which two probes provide IP-to-MAC address binding information to the ARP cache in Cisco ISE? (Choose two.)
A. HTTP
B. RADIUS
C. DHCP
D. DNS
E. NetFlow
What gives Cisco ISE an option to scan endpoints for vulnerabilities?
A. authentication policy
B. authorization profile
C. authentication profile
D. authorization policy
An administrator needs to connect ISE to Active Directory as an external authentication source and allow the proper ports through the firewall. Which two ports should be opened to accomplish this task? (Choose two.)
A. TELNET: 23
B. HTTPS: 443
C. HTTP: 80
D. LDAP: 389
E. MSRPC: 445
We continuously update our content to ensure you have the most current and effective prep materials.
Good luck with your 300-715 certification journey!