A network engineer is attempting to terminate and reinitialize wireless user sessions individually by using the Live Sessions tab in Cisco ISE. Cisco ISE and the Cisco WLC are separated by a firewall. Which port must be allowed on the firewall so that the network engineer can perform this function from Cisco ISE?

A. TCP port 8443

B. UDP port 5246

C. UDP port 1700

D. TCP port 3791

An engineer is configuring a guest password policy and needs to ensure that the password complexity requirements are set to mitigate brute force attacks.
Which two requirements should be included in this policy? (Choose two.)

A. active username limit

B. password expiration period

C. access code control

D. username expiration date

E. minimum password length

What gives Cisco ISE an option to scan endpoints for vulnerabilities?

A. authentication policy

B. authorization profile

C. authentication profile

D. authorization policy

An administrator has added a new Cisco ISE PSN to their distributed deployment. Which two features must the administrator enable to accept authentication requests and profile the endpoints correctly, and add them to their respective endpoint identity groups? (Choose two.)

A. Session Services

B. Profiling Services

C. Radius Service

D. Posture Services

E. Endpoint Attribute Filter

A security administrator is using Cisco ISE to create a BYOD onboarding solution for all employees who use personal devices on the corporate network. The administrator generates a Certificate Signing Request and signs the request using an external Certificate Authority server. Which certificate usage option must be selected when importing the certificate into ISE?

A. RADIUS

B. DLTS

C. Portal

D. Admin

A user recently had their laptop stolen. IT has ordered a replacement device for the user and was able to obtain the MAC address of the device 04.57:47:34 35 0A from the vendor before it shipped. Which statement regarding adding MAC addresses to Cisco ISE is correct?

A. MAC addresses can only be manually imported using a .csv file and the import option.

B. MAC addresses can only be manually imported using the REST API.

C. MAC addresses can only be allowed after the device has connected to the network.

D. MAC addresses can be manually added using the + sign under Context Visibility > Endpoints.

A network engineer must enforce access control using special tags, without re-engineering the network design.
Which feature should be configured to achieve this in a scalable manner?

A. RBAC

B. dACL

C. SGT

D. VLAN

What is a requirement for Feed Service to work?

A. TCP port 8080 must be opened between Cisco ISE and the feed server.

B. Cisco ISE has access to an internal server to download feed update.

C. Cisco ISE has a base license.

D. Cisco ISE has Internet access to download feed update.

DRAG DROP
-
Drag and drop the configuration steps from the left into the sequence on the right to install two Cisco ISE nodes in a distributed deployment.
 

To configure BYOD using Cisco ISE. an administrator is considering issuing certificates to the devices connecting to provide a better user experience. External CA servers cannot be used for this purpose because everything must be local to the Cisco ISE. What must be done to accomplish this?

A. Use the captive portal network assistant to issue certificates to the endpoints as they authenticate.

B. Use ISE as a sub CA for the BYOD portal and redirect users to the Root CA for certificate issuance.

C. Configure the Cisco ISE Internal CA to issue certificates to each endpoint connecting to the BYOD network.

D. Configure MS SCEP so that endpoints can query their local AD server for the correct certificate.

An engineer is configuring a new Cisco ISE node. The Device Admin service must run on this node to handle authentication requests for network device access via TACACS+. Which persona must be enabled on this node to perform this function?

A. pxGrid

B. Administration

C. Policy Service

D. Monitoring

An engineer is configuring static SGT classification. Which configuration should be used when authentication is disabled and third-party switches are in use?

A. VLAN to SGT mapping

B. IP Address to SGT mapping

C. L3IF to SGT mapping

D. Subnet to SGT mapping

A network engineer responsible for the switching environment must provision a new switch to properly propagate security group tags within the TrustSec inline method. Which CLI command must the network engineer enter on the switch to globally enable the tagging of SGTs?

A. cts sxp enable

B. cts manual

C. cts role-based sgt-map

D. cts role-based enforcement

In a Cisco ISE split deployment model, which load is split between the nodes?

A. log collection

B. device admission

C. AAA

D. network admission

Which controller option allows a user to switch from the provisioning SSID to the employee SSID after registration?

A. User Idle Timeout

B. AAA Override

C. Fast SSID Change

D. AP SSID Fallback

An employee must access the internet through the corporate network from a new mobile device that does not support native supplicant provisioning provided by
Cisco ISE.
Which portal must the employee use to provision to the device?

A. My Devices

B. BYOD

C. Personal Device

D. Client Provisioning

Which two fields are available when creating an endpoint on the context visibility page of Cisco ISE? (Choose two.)

A. Security Group Tag

B. Endpoint Family

C. Policy Assignment

D. Identity Group Assignment

E. IP Address

Refer to the exhibit.
 
A network engineer is configuring the switch to accept downloadable ACLs from a Cisco ISE server.
Which two commands should be run to complete the configuration? (Choose two.)

A. radius-server attribute 8 include-in-access-req

B. ip device tracking

C. dot1x system-auth-control

D. radius server vsa send authentication

E. aaa authorization auth-proxy default group radius

Which two external identity stores support EAP-TLS and PEAP-TLS? (Choose two.)

A. RSA SecurID

B. RADIUS Token

C. Active Directory

D. Internal Database

E. LDAP

What is the deployment mode when two Cisco ISE nodes are configured in an environment?

A. standalone

B. distributed

C. standard

D. active

An administrator is configuring a new profiling policy within Cisco ISE. The organization has several endpoints that are the same device type, and all have the same Block ID in their MAC address. The profiler does not currently have a profiling policy created to categorize these endpoints, therefore a custom profiling policy must be created.
Which condition must the administrator use in order to properly profile an ACME AI Connector endpoint for network access with MAC address 01:41:14:65:50:AB?

A. CDP_cdpCacheDeviceID_CONTAINS_

B. MAC_MACAddress_CONTAINS_

C. Radius_Called_Station-ID_STARTSWITH_

D. MAC_OUI_STARTSWITH_

An administrator is configuring a Cisco WLC for web authentication. Which two client profiling methods are enabled by default if the Apply Cisco ISE Default
Settings check box has been selected? (Choose two.)

A. LLDP

B. CDP

C. DHCP

D. SNMP

E. HTTP

There are several devices on a network that are considered critical and need to be placed into the ISE database and a policy used for them. The organization does not want to use profiling.
What must be done to accomplish this goal?

A. Enter the MAC address in the correct Endpoint Identity Group.

B. Enter the IP address in the correct Endpoint Identity Group.

C. Enter the IP address in the correct Logical Profile.

D. Enter the MAC address in the correct Logical Profile.

A network engineer must remove a device that has been allowlisted. How should the engineer remove it manually on Cisco ISE?

A. Administration > Identity Management > Endpoint Identity Groups > Profiled

B. Administration > Identity Management > Groups > Endpoint Identity Groups

C. Administration > Identity Management > Groups > Endpoint Identity Groups > Profiled

D. Administration > Identity Management > Endpoint Identity Groups

An engineer is configuring a dedicated SSID for onboarding devices.
Which SSID type accomplishes this configuration?

A. hidden

B. guest

C. dual

D. broadcast

What is an advantage of using EAP-TLS over EAP-MS-CHAPv2 for client authentication?

A. EAP-TLS uses a username and password for authentication to enhance security, while EAP-MS-CHAPv2 does not.

B. EAP-TLS uses multiple forms of authentication, while EAP-MS-CHAPv2 only uses one.

C. EAP-TLS uses a device certificate for authentication to enhance security, while EAP-MS-CHAPv2 does not.

D. EAP-TLS secures the exchange of credentials, while EAP-MS-CHAPv2 does not.

An organization has a fully distributed Cisco ISE deployment. When implementing probes, an administrator must scan for unknown endpoints to learn the IP-to-
MAC address bindings. The scan is complete on one PSN, but the information is not available on the others.
What must be done to make the information available?

A. Cisco ISE must be configured to learn the IP-MAC binding of unknown endpoints via RADIUS authentication, not via scanning.

B. Cisco ISE must learn the IP-MAC binding of unknown endpoints via DHCP profiling, not via scanning.

C. Scanning must be initiated from the MnT node to centrally gather the information.

D. Scanning must be initiated from the PSN that last authenticated the endpoint.

An engineer is configuring posture assessment for their network access control and needs to use an agent that supports using service conditions as conditions for the assessment. The agent should be run as a background process to avoid user interruption, but when it is run, the user can see it. What is the problem?

A. The posture module was deployed using the headend instead of installing it with SCCM.

B. The engineer is using the ג€Anyconnectג€ posture agent but should be using the ג€Stealth Anyconnectג€ posture agent.

C. The proper permissions were not given to the temporal agent to conduct the assessment.

D. The user was in need of remediation so the agent appeared in the notifications.

A client connects to a network and the authenticator device learns the MAC address 04:49:23:86:34:AB of this client. After the MAC address is learned, the 802.1 x authentication process begins on this port. Which ISE deployment mode restricts all traffic initially, applies a rule for access control if 802.1x authentication is successful, and can be configured to grant only limited access if 802.1 x authentication is unsuccessful?

A. open mode

B. monitor mode

C. closed mode

D. low-impact mode

A user reports that the RADIUS accounting packets are not being seen on the Cisco ISE server.
Which command is the user missing in the switch's configuration?

A. aaa accounting resource default start-stop group radius

B. radius-server vsa send accounting

C. aaa accounting network default start-stop group radius

D. aaa accounting exec default start-stop group radius

A new employee just connected their workstation to a Cisco IP phone. The network administrator wants to ensure that the Cisco IP phone remains online when the user disconnects their workstation from the corporate network.
Which CoA configuration meets this requirement?

A. Reauth

B. Disconnect

C. No CoA

D. Port Bounce

Which Cisco ISE deployment model provides redundancy by having every node in the deployment configured with the Administration, Policy Service, and
Monitoring personas to protect from a complete node failure?

A. dispersed

B. distributed

C. two-node

D. hybrid

A network engineer is configuring a Cisco WLC in order to find out more information about the devices that are connecting. This information must be sent to Cisco ISE to be used in authorization policies. Which profiling mechanism must be configured in the Cisco WLC to accomplish this task?

A. SNMP

B. CDP

C. DNS

D. DHCP

Which two Cisco ISE deployment models require two nodes configured with dedicated PAN and MnT personas? (Choose two.)

A. seven PSN nodes with one PxGrid node

B. two PSN nodes with one PxGrid node

C. five PSN nodes with one PxGrid node

D. six PSN nodes:

E. three PSN nodes

An administrator is adding a switch to a network that is running Cisco ISE and is only for IP Phones. The phones do not have the ability to authenticate via
802.1X.
Which command is needed on each switch port for authentication?

A. dot1x system-auth-control

B. enable bypass-MAC

C. enable network-authentication

D. mab

What are two differences between the RADIUS and TACACS+ protocols? (Choose two.)

A. RADIUS offers multiprotocol support, whereas TACACS+ does not.

B. RADIUS is a Cisco proprietary protocol, whereas TACACS+ is an open standard protocol.

C. RADIUS enables encryption of all the packets, whereas with TACACS+, only the password is encrypted.

D. RADIUS combines authentication and authorization, whereas TACACS+ does not.

E. TACACS+ uses TCP port 49, whereas RADIUS uses UDP ports 1812 and 1813.

A network engineer received alerts from the monitoring platform that a switch port exists with multiple sessions. RADIUS CoA using Cisco ISE must be used to address the issue. Which RADIUS CoA configuration must be used?

A. port bounce

B. no CoA

C. exception

D. reauth

An organization wants to standardize the 802.1X configuration on their switches and remove static ACLs on the switch ports while allowing Cisco ISE to communicate to the switch what access to provide.
What must be configured to accomplish this task?

A. dynamic access list within the authorization profile

B. extended access-list on the switch for the client

C. security group tag within the authorization policy

D. port security on the switch based on the client’s information

Which RADIUS attribute is used to dynamically assign the Inactivity active timer for MAB users from the Cisco ISE node?

A. session-timeout

B. termination-action

C. radius-server timeout

D. idle-timeout

Which two tasks must be completed when configuring the Cisco ISE BYOD Portal? (Choose two.)

A. Enable policy services.

B. Create endpoint identity groups.

C. Customize device portal.

D. Provision external identity sources.

E. Deploy client provisioning portal.

An engineer is configuring 802.1X and is testing out their policy sets. After authentication, some endpoints are given an access-reject message but are still allowed onto the network. What is causing this issue to occur?

A. The authorization results for the endpoints include the Trusted security group tag.

B. The authorization results for the endpoints include a dACL allowing access.

C. The switch port is configured with authentication event server dead action authorize vlan.

D. The switch port is configured with authentication open.

Which two actions must be verified to confirm that the internet is accessible via guest access when configuring a guest portal? (Choose two.)

A. The guest device successfully associates with the correct SSID.

B. The guest user gets redirected to the authentication page when opening a browser.

C. The guest device has internal network access on the WLAN.

D. The guest device can connect to network file shares.

E. Cisco ISE sends a CoA upon successful guest authentication.

An engineer is using the low-impact mode for a phased deployment of Cisco ISE and is trying to connect to the network prior to authentication.
Which access will be denied in this deployment?

A. DNS

B. DHCP

C. EAP

D. HTTP

A new Cisco ISE infrastructure is being built to provide network access control. If Cisco Discovery Protocol is used, what information is being gathered in relation to profiling with Cisco ISE?

A. IdentityGroup

B. device ID

C. RADIUS session attributes

D. DHCP session attributes

An organization has a SGACL locally configured on a switch port, but when a user in the Executives group connects to the network, they receive a different level of network access than expected. When Cisco ISE pushes SGACLs to the switch after the authorization phase, how does the switch decide which access to grant the user?

A. Dynamically downloaded policies override local policies in all cases.

B. Local policies override dynamically downloaded policies in all cases.

C. The policies are merged, but local policies receive priority.

D. The policies are merged, but dynamically downloaded policies receive priority.

An administrator needs to connect ISE to Active Directory as an external authentication source and allow the proper ports through the firewall.
Which two ports should be opened to accomplish this task? (Choose two.)

A. TELNET: 23

B. HTTPS: 443

C. HTTP: 80

D. LDAP: 389

E. MSRPC:445

An engineer is configuring Cisco ISE for network device administration and has devices that support both protocols. What are two benefits of choosing TACACS+ over RADIUS for these devices? (Choose two.)

A. TACACS+ uses secure EAP-TLS while RADIUS does not.

B. TACACS+ is FIPS compliant while RADIUS is not.

C. TACACS+ encrypts the entire payload being sent while RADIUS only encrypts the password.

D. TACACS+ is designed for network access control while RADIUS is designed for role-based access.

E. TACACS+ provides the ability to authorize specific commands while RADIUS does not.

An engineer is working with a distributed deployment of Cisco ISE and needs to configure various network probes to collect a set of attributes from the endpoints on the network.
Which node should be used to accomplish this task?

A. policy service

B. monitoring

C. primary policy administrator

D. pxGrid

A network engineer needs to deploy 802.1x using Cisco ISE in a wired network environment where thin clients download their system image upon bootup using PXE. For which mode must the switch ports be configured?

A. closed

B. restricted

C. monitor

D. low-impact

An engineer is creating a new authorization policy to give the endpoints access to VLAN 310 upon successful authentication. The administrator tests the 802.1X authentication for the endpoint and sees that it is authenticating successful. What must be done to ensure that the endpoint is placed into the correct VLAN?

A. Configure the switchport access vlan 310 command on the switch port.

B. Add VLAN 310 in the common tasks of the authorization profile.

C. Ensure that the endpoint is using the correct policy set.

D. Ensure that the security group is not preventing the endpoint from being in VLAN 310.