Practice Free 300-715 Exam Online Questions
Which conditions can trigger a CoA (Change of Authorization. in Cisco ISE? (Choose three.
- A . Endpoint passes authentication
- B . Endpoint profile changes
- C . Endpoint installs new software
- D . Admin manually triggers a re-authentication
- E . Endpoint complies with assigned policies
An organization has a fully distributed Cisco ISE deployment When implementing probes, an administrator must scan for unknown endpoints to learn the IP-to-MAC address bindings. The scan is complete on one FPSN. but the information is not available on the others.
What must be done to make the information available?
- A . Scanning must be initiated from the PSN that last authenticated the endpoint
- B . Cisco ISE must learn the IP-MAC binding of unknown endpoints via DHCP profiling, not via scanning
- C . Scanning must be initiated from the MnT node to centrally gather the information
- D . Cisco ISE must be configured to learn the IP-MAC binding of unknown endpoints via RADIUS authentication, not via scanning
Which two external identity stores are supported by Cisco ISE for password types? (Choose two.)
- A . LDAP
- B . OBDC
- C . RADIUS Token Server
- D . TACACS+ Token Server
- E . SOL
Which two ports must be open between Cisco ISE and the client when you configure posture on Cisco ISE? (Choose two).
- A . TCP 8443
- B . TCP 8906
- C . TCP 443
- D . TCP 80
- E . TCP 8905
A network administrator must use Cisco ISE to check whether endpoints have the correct version of
antivirus installed.
Which action must be taken to allow this capability?
- A . Configure a native supplicant profile to be used for checking the antivirus version
- B . Configure Cisco ISE to push the HostScan package to the endpoints to check for the antivirus version.
- C . Create a Cisco AnyConnect Network Visibility Module configuration profile to send the antivirus information of the endpoints to Cisco ISE.
- D . Create a Cisco AnyConnect configuration within Cisco ISE for the Compliance Module and associated configuration files
A
Explanation:
https://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_client_prov.html
About Anyconnect Network Visibility Module
https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect45/administration/guide/b_AnyConnect_Administrator_Guide_4-5/nvm.html
Refer to the exhibit.
A network engineers configuring the switch to accept downloadable ACLs from a Cisco ISC server.
Which two commands should be run to complete the configuration? (Choose two)
- A . aaa authorization auth-proxy default group radius
- B . radius server vsa sand authentication
- C . radius-server attribute 8 include-in-access-req
- D . ip device tracking
- E . dot1x system-auth-control
Wireless network users authenticate to Cisco ISE using 802.1X through a Cisco Catalyst switch. An engineer must create an updated configuration to assign a security group tag to the user’s traffic using inline tagging to prevent unauthenticated users from accessing a restricted server.
The configurations were performed:
• configured Cisco ISE as a Cisco TrustSec AAA server
• configured the switch as a RADIUS device in Cisco ISE
• configured the wireless LAN controller as a TrustSec device in Cisco ISE
• created a security group tog for the wireless users
• created a certificate authentication profile
• created an identity source sequence
• assigned an appropriate security group tag to the wireless users
• defined security group access control lists to specify an egress policy
• enforced the access control lists on the TrustSec policy matrix in Cisco ISE
• configured TrustSec on the switch
• configured TrustSec on the wireless LAN controller
Which two actions must be taken to complete the configuration? (Choose two.)
- A . Configure Security Group Tag Exchange Protocol on the wireless LAN controller.
- B . Configure Security Group Tag Exchange Protocol to distribute IP to security group tags on Cisco ISE.
- C . Configure inline tag propagation on the switch and wireless LAN controller.
- D . Create static IP-to-SGT mapping for the restricted web server.
- E . Configure Security Group Tag Exchange Protocol on the switch.
A network administrator is configuring authorization policies on Cisco ISE There is a requirement to use AD group assignments to control access to network resources After a recent power failure and Cisco ISE rebooting itself, the AD group assignments no longer work.
What is the cause of this issue?
- A . The AD join point is no longer connected.
- B . The AD DNS response is slow.
- C . The certificate checks are not being conducted.
- D . The network devices ports are shut down.
A
Explanation:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/ise_active_directory_integration/b_ISE_AD_integration_2x.html#ID612
When planning for the deployment of Cisco ISE, an organization’s security policy dictates that they must use network access authentication via RADIUS. It also states that the deployment provide an adequate amount of security and visibility for the hosts on the network.
Why should the engineer configure MAB in this situation?
- A . The Cisco switches only support MAB.
- B . MAB provides the strongest form of authentication available.
- C . The devices in the network do not have a supplicant.
- D . MAB provides user authentication.
What protocol does Cisco ISE use primarily to communicate authentication and authorization policies to network devices?
- A . SNMP
- B . HTTPS
- C . RADIUS
- D . SSH