Practice Free 300-715 Exam Online Questions
An administrator is configuring posture with Cisco ISE and wants to check that specific services are present on the workstations that are attempting to access the network.
What must be configured to accomplish this goal?
- A . Create a registry posture condition using a non-OPSWAT API version.
- B . Create an application posture condition using an OPSWAT API version.
- C . Create a compound posture condition using an OPSWAT API version.
- D . Create a service posture condition using a non-OPSWAT API version.
A Cisco ISE server sends a CoA to a NAD after a user logs in successfully using CWA.
Which action does the CoA perform?
- A . It terminates the client session
- B . It applies the downloadable ACL provided in the CoA
- C . It applies new permissions provided in the CoA to the client session.
- D . It triggers the NAD to reauthenticate the client
B
Explanation:
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/113362-config-web-auth-ise-00.html
If a user reports a device lost or stolen, which portal should be used to prevent the device from accessing the network while still providing information about why the device is blocked?
- A . Client Provisioning
- B . Guest
- C . BYOD
- D . Blacklist
D
Explanation:
https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_Design_Guide/Managing_Lost_or_Stolen_Device.html#90273
The Blacklist identity group is system generated and maintained by ISE to prevent access to lost or stolen devices. In this design guide, two authorization profiles are used to enforce the permissions for wireless and wired devices within the Blacklist:
Blackhole WiFi Access
Blackhole Wired Access
A Cisco ISE engineer is creating a certificate authentication profile to be used with machine authentication for the network. The engineer wants to be able to compare the user-presented certificate with a certificate stored in Active Directory.
What must be done to accomplish this?
- A . Configure the user-presented password hash and a hash stored in Active Directory for comparison
- B . Add the subject alternative name and the common name to the CAP.
- C . Enable the option for performing binary comparison.
- D . Use MS-CHAPv2 since it provides machine credentials and matches them to credentials stored in Active Directory
In a Cisco ISE split deployment model, which load is split between the nodes?
- A . AAA
- B . network admission
- C . log collection
- D . device admission
A
Explanation:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/install_guide/b_ise_InstallationGuide26.pdf
A network administrator is currently using Cisco ISE to authenticate devices and users via 802.1X. There is now a need to also authorize devices and users using EAP-TLS.
Which two additional components must be configured in Cisco ISE to accomplish this? (Choose two.)
- A . Network Device Group
- B . Serial Number attribute that maps to a CA Server
- C . Common Name attribute that maps to an identity store
- D . Certificate Authentication Profile
- E . EAP Authorization Profile
A Cisco device has a port configured in multi-authentication mode and is accepting connections only from hosts assigned the SGT of SGT_0422048549. The VLAN trunk link supports a maximum of 8 VLANs.
What is the reason for these restrictions?
- A . The device is performing inline tagging without acting as an SXP speaker
- B . The device is performing mime tagging while acting as an SXP speaker
- C . The IP subnet addresses are dynamically mapped to an SGT.
- D . The IP subnet addresses are statically mapped to an SGT
What is needed to configure wireless guest access on the network?
- A . endpoint already profiled in ISE
- B . WEBAUTH ACL for redirection
- C . valid user account in Active Directory
- D . Captive Portal Bypass turned on
A user misplaces a personal phone and wants to blacklist the device from accessing the company network. The company uses Cisco ISE for corporate and BYOD device authentication.
Which action must the user take in Cisco ISE?
- A . Sign in to the BYOD portal and mark the device as Lost.
- B . Sign in to the My Devices portal and mark the device as Lost.
- C . Sign in to the My Devices portal and mark the device as Irrecoverable.
- D . Sign in to the BYOD portal and mark the device as Irrecoverable.
An ISE administrator must change the inactivity timer for MAB endpoints to terminate the authentication session whenever a switch port that is connected to an IP phone does not detect packets from the device for 30 minutes.
Which action must be taken to accomplish this task?
- A . Add the authentication timer reauthenticate server command to the switchport.
- B . Add the authentication timer inactivity 3600 command to the switchport.
- C . Change the idle-timeout on the Radius server to 3600 seconds for IP Phone endpoints.
- D . Configure the session-timeout to be 3600 seconds on Cisco ISE.