An administrator is configuring sponsored guest access using Cisco ISE. Access must be restricted to the sponsor portal to ensure that only necessary employees can issue sponsored accounts, and employees must be classified to do so. What must be done to accomplish this task?

A. Modify the sponsor groups assigned to reflect the desired user groups.

B. Configure an identity-based access list in Cisco ISE to restrict the users allowed to login.

C. Edit the sponsor portal to only accept members from the selected groups.

D. Create an authorization rule using the Guest Flow condition to authorize the administrators.

What is a method for transporting security group tags throughout the network?

A. by embedding the security group tag in the 802.1Q header

B. by the Security Group Tag Exchange Protocol

C. by enabling 802.1AE on every network device

D. by embedding the security group tag in the IP header

An administrator needs to allow guest devices to connect to a private network without requiring usernames and passwords. Which two features must be configured to allow for this? (Choose two.)

A. central WebAuth

B. device registration WebAuth

C. local WebAuth

D. self-registered guest portal

E. hotspot guest portal

What are two benefits of TACACS+ versus RADIUS for device administration? (Choose two.)

A. TACACS+ has command authorization, and RADIUS does not.

B. TACACS+ uses UDP, and RADIUS uses TCP.

C. TACACS+ supports 802.1X, and RADIUS supports MAB.

D. TACACS+ provides the service type, and RADIUS does not.

E. TACACS+ encrypts the whole payload, and RADIUS encrypts only the password.

An engineer must configure posture updates. The task is to ensure the latest set of predefined checks and operating system information is updated. The checks must take place regularly. Where in the Cisco ISE interface would the engineer make the necessary changes to the compliance module?

A. Administration > System > Settings > Updates > Posture

B. Administration > System > Settings > Updates > Schedule

C. Administration > System > Settings > Posture > Updates

D. Administration > System > Settings > Posture > Updates > Schedule

Which are two characteristics of TACACS+? (Choose two.)

A. It separates authorization and authentication functions.

B. It combines authorization and authentication functions.

C. It uses UDP port 49.

D. It encrypts the password only.

E. It uses TCP port 49.

A network engineer needs to ensure that the access credentials are not exposed during the 802.1X authentication among components.
Which two protocols should be configured to accomplish this task? (Choose two.)

A. PEAP

B. EAP-TLS

C. EAP-MD5

D. EAP-TTLS

E. LEAP

An engineer is configuring a guest password policy and needs to ensure that the password complexity requirements are set to mitigate brute force attacks.
Which two requirements should be included in this policy? (Choose two.)

A. active username limit

B. password expiration period

C. access code control

D. username expiration date

E. minimum password length

An engineer is using the low-impact mode for a phased deployment of Cisco ISE and is trying to connect to the network prior to authentication.
Which access will be denied in this deployment?

A. DNS

B. DHCP

C. EAP

D. HTTP

In a Cisco ISE split deployment model, which load is split between the nodes?

A. log collection

B. device admission

C. AAA

D. network admission

An administrator is configuring a new profiling policy within Cisco ISE. The organization has several endpoints that are the same device type, and all have the same Block ID in their MAC address. The profiler does not currently have a profiling policy created to categorize these endpoints, therefore a custom profiling policy must be created.
Which condition must the administrator use in order to properly profile an ACME AI Connector endpoint for network access with MAC address 01:41:14:65:50:AB?

A. CDP_cdpCacheDeviceID_CONTAINS_

B. MAC_MACAddress_CONTAINS_

C. Radius_Called_Station-ID_STARTSWITH_

D. MAC_OUI_STARTSWITH_

The IT manager wants to provide different levels of access to network devices when users authenticate using TACACS+. The company needs specific commands to be allowed based on the Active Directory group membership of the different roles within the IT department. The solution must minimize the number of objects created in Cisco ISE. What must be created to accomplish this task?

A. one shell profile and one command set

B. multiple shell profiles and one command set

C. one shell profile and multiple command sets

D. multiple shell profiles and multiple command sets

An organization wants to split their Cisco ISE deployment to separate the device administration functionalities from the main deployment. For this to work, the administrator must deregister any nodes that will become a part of the new deployment, but the button for this option is grayed out.
Which configuration is causing this behavior?

A. All of the nodes are actively being synched.

B. All of the nodes participate in the PAN auto failover.

C. One of the nodes is an active PSN.

D. One of the nodes is the Primary PAN.

A network engineer needs to deploy 802.1x using Cisco ISE in a wired network environment where thin clients download their system image upon bootup using PXE. For which mode must the switch ports be configured?

A. closed

B. restricted

C. monitor

D. low-impact

Which two probes provide IP-to-MAC address binding information to the ARP cache in Cisco ISE? (Choose two.)

A. HTTP

B. RADIUS

C. DHCP

D. DNS

E. NetFlow

The security team wants to secure the wired network. A legacy printer on the network with the MAC address 00:43:08:50:64:60 does not support 802.1X. Which setting must be enabled in the Allowed Authentication Protocols list in your Authentication Policy for Cisco ISE to support MAB for this MAC address?

A. MS-CHAPv2

B. EAP-TLS

C. PAP

D. Process Host Lookup

Refer to the exhibit. An administrator is manually adding a device to a Cisco ISE identity group to ensure that it is able to access the network when needed without authentication. Upon testing, the administrator notices that the device never hits the correct authorization policy line using the condition EndPoints-LogicalProfile
EQUALS static_list. Why is this occurring?

A. The dynamic logical profile is overriding the statically assigned profile.

B. The logical profile is being statically assigned instead of the identity group.

C. The identity group is being assigned instead of the logical profile.

D. The device is changing identity groups after profiling instead of remaining static.

An engineer is configuring Cisco ISE for network device administration and has devices that support both protocols. What are two benefits of choosing TACACS+ over RADIUS for these devices? (Choose two.)

A. TACACS+ uses secure EAP-TLS while RADIUS does not.

B. TACACS+ is FIPS compliant while RADIUS is not.

C. TACACS+ encrypts the entire payload being sent while RADIUS only encrypts the password.

D. TACACS+ is designed for network access control while RADIUS is designed for role-based access.

E. TACACS+ provides the ability to authorize specific commands while RADIUS does not.

An engineer is configuring a virtual Cisco ISE deployment and needs each persona to be on a different node.
Which persona should be configured with the largest amount of storage in this environment?

A. Monitoring and Troubleshooting

B. Policy Services

C. Primary Administration

D. Platform Exchange Grid

A network administrator has just added a front desk receptionist account to the Cisco ISE Guest Service sponsor group.
Using the Cisco ISE Guest Sponsor Portal, which guest services can the receptionist provide?

A. Keep track of guest user activities.

B. Create and manage guest user accounts.

C. Configure authorization settings for guest users.

D. Authenticate guest users to Cisco ISE.

Refer to the exhibit.
In which scenario does this switch configuration apply?

A. when allowing a hub with multiple clients connected

B. when allowing multiple IP phones to be connected

C. when preventing users with hypervisor

D. when bypassing IP phone authentication

What is the deployment mode when two Cisco ISE nodes are configured in an environment?

A. standalone

B. distributed

C. standard

D. active

A security engineer has a new TrustSec projct and must create a few static security group tag classifications as proof of concept. Which two classifications must the engineer configure? (Choose two.)

A. switch ID

B. MAC address

C. VLAN

D. user ID

E. interface

An engineer has been tasked with using Cisco ISE to restrict network access at the switchport level using 802.1X authentication. Users who fail 802.1X authentication should e redirected via web redirection and have their access restricted via an ACL. What must be configured in Cisco ISE to accomplish this task?

A. an authorization profile

B. an authorization rule

C. an authentication policy

D. an authentication profile

An engineer needs to configure Cisco ISE Profiling Services to authorize network access for IP speakers that require access to the intercom system. This traffic needs to be identified if the ToS bit is set to 5 and the destination IP address is the intercom system. What must be configured to accomplish this goal?

A. NMAP

B. NETFLOW

C. pxGrid

D. RADIUS

Which use case validates a change of authorization?

A. An endpoint that is disconnected from the network is discovered.

B. Endpoints are created through device registration for the guests.

C. An endpoint profiling policy is changed for authorization policy.

D. An authenticated, wired EAP-capable endpoint is discovered.

A network engineer is in the predeployment discovery phase of a Cisco ISE deployment and must discover the network. There is an existing NMS in the network. Which type of probe must be configured to gather the information?

A. SNMP

B. NMAP

C. NetFlow

D. RADIUS

An engineer is implementing network access control using Cisco ISE and needs to separate the traffic based on the network device ID and use the IOS device sensor capability.
Which probe must be used to accomplish this task?

A. NetFlow probe

B. HTTP probe

C. RADIUS probe

D. network scan probe

Which controller option allows a user to switch from the provisioning SSID to the employee SSID after registration?

A. User Idle Timeout

B. AAA Override

C. Fast SSID Change

D. AP SSID Fallback

Which Cisco ISE module contains a list of vendor names, product names, and attributes provided by OPSWAT?

A. Compliance Module

B. Client Provisioning Module

C. Endpoint Security Module

D. Posture Module

Which file setup method is supported by ZTP on physical appliances?

A. cfg

B. iso

C. img

D. ova

A network administrator must configure Cisco ISE Personas in the company to share session information via syslog.
Which Cisco ISE personas must be added to syslog receivers to accomplish this goal?

A. admin

B. policy services

C. monitor

D. pxGrid

Which two external identity stores support EAP-TLS and PEAP-TLS? (Choose two.)

A. RSA SecurID

B. RADIUS Token

C. Active Directory

D. Internal Database

E. LDAP

An engineer is configuring Cisco ISE to reprofile endpoints based only on new requests of INIT-REBOOT and SELECTING message types.
Which probe should be used to accomplish this task?

A. DHCP

B. DNS

C. NMAP

D. RADIUS

What does a fully distributed Cisco ISE deployment include?

A. PAN and MnT on the same node while PSNs are on their own dedicated nodes.

B. All Cisco ISE personas are sharing the same node.

C. All Cisco ISE personas on their own dedicated nodes.

D. PAN and PSN on the same node while MnTs are on their own dedicated nodes.

To configure BYOD using Cisco ISE. an administrator is considering issuing certificates to the devices connecting to provide a better user experience. External CA servers cannot be used for this purpose because everything must be local to the Cisco ISE. What must be done to accomplish this?

A. Use the captive portal network assistant to issue certificates to the endpoints as they authenticate.

B. Use ISE as a sub CA for the BYOD portal and redirect users to the Root CA for certificate issuance.

C. Configure the Cisco ISE Internal CA to issue certificates to each endpoint connecting to the BYOD network.

D. Configure MS SCEP so that endpoints can query their local AD server for the correct certificate.

An engineer is testing Cisco ISE policies in a lab environment with no support for a deployment server. In order to push supplicant profiles to the workstations for testing, firewall ports will need to be opened.
From which Cisco ISE persona should this traffic be originating?

A. administration

B. authentication

C. policy service

D. monitoring

An organization is adding new profiling probes to the system to improve profiling on Cisco ISE. The probes must support a common network management protocol to receive information about the endpoints and the ports to which they are connected.
What must be configured on the network device to accomplish this goal?

A. ICMP

B. WCCP

C. ARP

D. SNMP

An administrator is configuring an AD domain to be used with authentication for endpoints and users within Cisco ISE. Which two steps are required to configure this to be used as an external identity store? (Choose two.)

A. Add an Authentication Joint Point.

B. Configure Authentication Domains.

C. Configure Active Directory Schema.

D. Configure Active Directory Domains.

E. Add an Active Directory Join Point.

What is the minimum certainty factor when creating a profiler policy?

A. the minimum number that a predefined condition provides

B. the maximum number that a predefined condition provides

C. the minimum number that a device certainty factor must reach to become a member of the profile

D. the maximum number that a device certainty factor must reach to become a member of the profile

An administrator must block access to BYOD endpoints that were onboarded without a certificate and have been reported as stolen in the Cisco ISE My Devices Portal. Which condition must be used when configuring an authorization policy that sets DenyAccess permission?

A. Endpoint Identity Group is Blocklist, and the BYOD state is Registered.

B. Endpoint Identify Group is Blocklist, and the BYOD state is Pending.

C. Endpoint Identity Group is Blocklist, and the BYOD state is Lost.

D. Endpoint Identity Group is Blocklist, and the BYOD state is Reinstate.

An administrator must provide administrative access to the helpdesk users on production Cisco IOS routers. The solution must meet these requirements:
•	Authenticate the users against Microsoft AD.
•	Validate IOS commands run by users.
These configurations have been performed:
•	joined Cisco ISE to AD
•	retrieved AD groups
•	added a router to Cisco ISE
•	enabled Device Admin Service in Cisco ISE
•	configured an authorization policy
•	configured the routers for authentication and authorization
Which two components must be configured? (Choose two.)

A. TACACS command sets

B. authentication profile

C. authorization profile

D. TACACS profile

E. access control list to filter the IOS commands

Refer to the exhibit. Which command is typed within the CLI of a switch to view the troubleshooting output?

A. show authentication sessions mac 000e.84af.59af details

B. show authentication registrations

C. show authentication interface gigabitethernet2/0/36

D. show authentication sessions method

An engineer must configure Cisco ISE to provide internet access for guests in which guests are required to enter a code to gain network access. Which action accomplishes the goal?

A. Configure the hotspot portal for guest access and require an access code.

B. Configure the sponsor portal with a single account and use the access code as the password.

C. Configure the self-registered guest portal to allow guests to create a personal access code.

D. Create a BYOD policy that bypasses the authentication of the user and authorizes access codes.

When planning for the deployment of Cisco ISE, an organization's security policy dictates that they must use network access authentication via RADIUS. It also states that the deployment needs to provide an adequate amount of security and visibility for the hosts on the network.
Why should the engineer configure MAB in this situation?

A. The Cisco switches only support MAB.

B. MAB provides the strongest form of authentication available.

C. MAB provides user authentication.

D. The devices in the network do not have a supplicant.

What is configured to enforce the blocklist permissions and deny access to clients in the blocklist to protect against a lost or stolen device obtaining access to the network?

A. My Devices portal

B. blocklist portal

C. Authentication rule

D. Authorization rule

An engineer is creating a new authorization policy to give the endpoints access to VLAN 310 upon successful authentication. The administrator tests the 802.1X authentication for the endpoint and sees that it is authenticating successful. What must be done to ensure that the endpoint is placed into the correct VLAN?

A. Configure the switchport access vlan 310 command on the switch port.

B. Add VLAN 310 in the common tasks of the authorization profile.

C. Ensure that the endpoint is using the correct policy set.

D. Ensure that the security group is not preventing the endpoint from being in VLAN 310.

An administrator is adding a switch to a network that is running Cisco ISE and is only for IP Phones. The phones do not have the ability to authenticate via
802.1X.
Which command is needed on each switch port for authentication?

A. dot1x system-auth-control

B. enable bypass-MAC

C. enable network-authentication

D. mab

Which command displays all 802.1X/MAB sessions that are active on the switch ports of a Cisco Catalyst switch?

A. show authentication sessions interface Gi1/0/x output

B. show authentication sessions

C. show authentication sessions output

D. show authentication sessions interface Gi 1/0/x

Which deployment mode allows for one or more policy service nodes to be used for session failover?

A. centralized

B. secondary

C. standalone

D. distributed