
Cisco 300-715 Practice Test - Questions Answers, Page 24

DRAG DROP

Drag and drop the configuration steps from the left into the sequence on the right to install two Cisco ISE nodes in a distributed deployment.



Which Cisco ISE deployment model is recommended for an enterprise that has over 50,000 concurrent active endpoints?

A. large deployment with fully distributed nodes running all personas
B. medium deployment with primary and secondary PAN/MnT/pxGrid nodes with shared PSNs
C. medium deployment with primary and secondary PAN/MnT/pxGrid nodes with dedicated PSNs
D. small deployment with one primary and one secondary node running all personas

Suggested answer: C

What is a restriction of a standalone Cisco ISE node deployment?

A. Only the Policy Service persona can be disabled on the node.
B. The domain name of the node cannot be changed after installation.
C. Personas are enabled by default and cannot be edited on the node.
D. The hostname of the node cannot be changed after installation.

Suggested answer: C

What are the minimum requirements for deploying the Automatic Failover feature on Administration nodes in a distributed Cisco ISE deployment?

A. a primary and secondary PAN and a health check node for the Secondary PAN
B. a primary and secondary PAN and no health check nodes
C. a primary and secondary PAN and a pair of health check nodes
D. a primary and secondary PAN and a health check node for the Primary PAN

Suggested answer: D

An administrator is attempting to join a new node to the primary Cisco ISE node, but receives the error message "Node is Unreachable". What is causing this error?

A. The second node is a PAN node.
B. No administrative certificate is available for the second node.
C. The second node is in standalone mode.
D. No admin privileges are available on the second node.

Suggested answer: B

Explanation:

https://www.ciscopress.com/articles/article.asp?p=2812072

An administrator is configuring Cisco ISE to authenticate users logging into network devices using TACACS+. The administrator is not seeing any of the authentications in the TACACS+ live logs. Which action ensures the users are able to log into the network devices?

A. Enable the device administration service in the Administration persona
B. Enable the session services in the administration persona
C. Enable the service sessions in the PSN persona.
D. Enable the device administration service in the PSN persona.

Suggested answer: D

Explanation:

https://www.cisco.com/c/en/us/td/docs/security/ise/24/admin_guide/b_ISE_admin_guide_24/m_ise_tacacs_device_admin.html

An engineer is starting to implement a wired 802.1X project throughout the campus. The task is for failed authentication to be logged to Cisco ISE and also have a minimal impact on the users. Which command must the engineer configure?

A. authentication open
B. pae dot1x enabled
C. authentication host-mode multi-auth
D. monitor-mode enabled

Suggested answer: D

Explanation:

In the context of a wired 802.1X deployment with Cisco ISE, the requirement is to log failed authentications while minimizing user impact. Let's analyze each option:

A) authentication open - This command configures the port to allow network access regardless of the authentication state. It's useful in situations where specific devices can't perform 802.1X authentication but should still be allowed network access. However, it doesn't specifically address the logging of failed authentications.

B) pae dot1x enabled - PAE (Port Access Entity) refers to the entity on a network device that enforces access control. This command enables 802.1X on the port, which is a prerequisite for implementing 802.1X, but doesn't directly relate to logging failed authentication attempts.

C) authentication host-mode multi-auth - This command configures the port to allow multiple authenticated sessions. This mode is used when multiple devices are connected to the same port (like in a conference room). While it's relevant for 802.1X environments, it doesn't specifically cater to logging failed authentications or minimizing user impact.

D) monitor-mode enabled - This command is used in the context of 802.1X to enable Monitor Mode on a port. Monitor Mode allows a port to grant limited network access to endpoints without 802.1X capabilities. It's often used to ease the deployment of 802.1X by monitoring the authentication status without fully enforcing access control, thereby minimizing user impact. It also helps in logging authentication attempts, including failures.

The security team identified a rogue endpoint with MAC address 00:46:91:02:28:4A attached to the network. Which action must the security engineer take within Cisco ISE to effectively restrict network access for this endpoint?

A. Configure access control list on network switches to block traffic.
B. Create authentication policy to force reauthentication.
C. Add MAC address to the endpoint quarantine list.
D. Implement authentication policy to deny access.

Suggested answer: C

Explanation:

Cisco ISE provides a feature called Adaptive Network Control (ANC) that allows administrators to apply policies to endpoints based on their behavior or status. One of the ANC policies is Quarantine, which restricts network access for an endpoint by assigning it to a limited-access VLAN or applying an access control list (ACL) on the switch port. To use the Quarantine policy, the administrator must add the MAC address of the rogue endpoint to the endpoint quarantine list in ISE. This will trigger a change of authorization (CoA) for the endpoint and apply the Quarantine policy. The other options are not effective for restricting network access for a rogue endpoint, as they do not use the ANC feature of ISE.

A network security administrator needs a web authentication configuration when a guest user connects to the network with a wireless connection using these steps:

1. An initial MAB request is sent to the Cisco ISE node.

2. Cisco ISE responds with a URL redirection authorization profile if the user's MAC address is unknown in the endpoint identity store.

3. The URL redirection presents the user with an AUP acceptance page when the user attempts to go to any URL.

Which authentication must the administrator configure on Cisco ISE?

A. device registration WebAuth
B. WLC with local WebAuth
C. wired NAD with local WebAuth
D. NAD with central WebAuth

Suggested answer: D

Explanation:

Central Web Authentication (CWA) is a feature that allows the network access device (NAD) to redirect the web traffic of a guest user to a web portal hosted by Cisco ISE. The NAD acts as a proxy between the guest user and the ISE node, and performs the authentication and authorization based on the RADIUS attributes returned by ISE. To configure CWA on ISE, the administrator must create an authorization profile that contains the URL redirection attribute and assign it to the guest user. The other options are not correct because they do not use CWA. Device registration WebAuth is a feature that allows users to register their devices on ISE before they can access the network. WLC with local WebAuth is a feature that allows the wireless LAN controller (WLC) to host the web portal and authenticate the guest user locally. Wired NAD with local WebAuth is a feature that allows the switch to host the web portal and authenticate the guest user locally.

An administrator is configuring Cisco ISE to authenticate users logging into network devices using TACACS+. The administrator is not seeing any of the authentications in the TACACS+ live logs. Which action ensures the users are able to log into the network devices?

A. Enable the device administration service in the Administration persona
B. Enable the session services in the administration persona
C. Enable the service sessions in the PSN persona.
D. Enable the device administration service in the PSN persona.

Suggested answer: D

Explanation:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_ise_tacacs_device_admin.html


Total 242 questions