650-473

Implementing Cisco Identity Services Engine Secure Solutions Exam (ISE)


QUESTION NO: 1
Which of these is not an Inline Posture node operating mode?
A. router mode
B. transparent mode
C. bridged mode
D. maintenance mode
Answer: B Explanation:

QUESTION NO: 2
Which one of the following statements is not a correct statement about posture?
A. CoA is required for WebAuth.
B. Cisco ISE Administrator can create multiple agent profiles.
C. Both simple and compound conditions can be used to construct posture requirements.
D. Wireless posture supports multiple authentication methods.
Answer: C Explanation:

QUESTION NO: 3
What are the three default behaviors of Cisco ISE with respect to authentication, when a user connects to a switch that is configured for 802.1X, MAB, and WebAuth? (Choose three)
A. MAB traffic uses internal endpoints for retrieving identity.
B. Dot1X traffic uses a user-defined identity store for retrieving identity.
C. Unmatched traffic is allowed on the network.
D. Unmatched traffic is dropped because of the Reject/Reject/Drop action that is configured under Options.
E. Dot1 traffic uses internal users for retrieving identity.
Answer: A,D,E Explanation:

QUESTION NO: 4
The profiling data from network access devices is sent to which Cisco ISE node?
A. Monitoring node
B. Administration node
C. Inline Posture node
D. Policy Service node
Answer: D Explanation:

QUESTION NO: 5
Which statement is not true about client provisioning (CP)?
A. Cisco ISE manages client provisioning resources for your clients.
B. Client provisioning resources are only provisioned from the ISE Administration node.
C. The remediation timer is a means for clients to remediate themselves.
D. Client provisioning can only provision the NAC Agent
Answer: D Explanation:

QUESTION NO: 6
Which default action does Cisco ISE take when the endpoint usage count exceeds the licensed endpoint value?
A. Block all traffic, and generate alarms.
B. Block all traffic.
C. Do not take any action.
D. Do not block traffic, and generate an INFO/WARNING/CRITICAL alarm.
Answer: C Explanation:

QUESTION NO: 7
The authorization policy in the exhibit is using "Multiple Matched Rule Applies" for rule matching.
ProfileA = VLAN attribute 10, DACL = EmployeeSanJose
ProfileB = VLAN attribute 20, DACL = Employee, Voice Domain Permission = TRUE
Which statement is correct with regard to the Multiple Matched rule?

A. If both Rule 1 and Rule 2 are matched based on the conditions, the switch will get "VLAN attribute 20, DACL = Employee, Voice Domain Permission = TRUE".
B. If both Rule 1 and Rule 2 are matched based on the conditions, the switch will get only "VLAN attribute 10, DACL = EmployeeSanJose, Voice Domain Permission = TRUE".
C. If both Rule 1 and Rule 2 are matched based on the conditions, the switch will get only "VLAN attribute 10, DACL = EmployeeSanJose".
D. The Multiple Matched rule is not supported in Cisco ISE.
Answer: B Explanation:

QUESTION NO: 8
What is the process for Cisco ISE to obtain a signed certificate from a CA?
A. Generate a CSR; export the CSR to the local file system and send it to the CA; download the certificate from the CA, and bind the CA-signed certificate with its private key.
B. Submit a CSR to the CA; download the certificate from the CA; bind the CA-signed certificate with its private key, and import the CA-signed certificate into ISE.
C. Request a certificate from the CA, and import the CA-signed certificate into ISE.
D. Generate a CSR; download the certificate from the CA; bind the CA-signed certificate with its private key, and import the CA-signed certificate into ISE.
Answer: A Explanation:


QUESTION NO: 9
Which two statements are true about the exhibit that is shown? (Choose two.)

A. If Continue/Continue/Continue is configured, the endpoint is allowed on the network.
B. The Options setting is by default different for internal endpoints.
C. The default behavior should be Continue/Continue/Continue.
D. All traffic is subject to an authorization policy check.
E. The default behavior is what is shown in the exhibit
Answer: E Explanation:

QUESTION NO: 10
What is the Cisco ISE default admin login name and password?
A. ISEAdmin/admin
B. admin/cisco
C. admin/no default password; the admin password is configured at setup
D. admin/admin
Answer: C Explanation:

QUESTION NO: 11

Where is the license installed within Cisco ISE deployment?
A. A license is installed on the primary or secondary Administration node within ISE deployment.
B. A license is preinstalled for ISE deployment.
C. A license is installed on the Policy Service node within ISE deployment.
D. A license is installed only on the primary Administration node within ISE deployment.
Answer: D Explanation:

QUESTION NO: 12
The default Cisco ISE node configuration has which role or roles enabled by default?
A. Administration only
B. Inline Posture only
C. Administration and Policy Service
D. Policy Service, Monitoring, and Administration
Answer: D Explanation:

QUESTION NO: 13
When does the browser get redirected in WebAuth?
A. when there is a request for DNS
B. before getting the IP address
C. when there is a request for a web page
D. when the Cisco NAC Agent reaches the Policy Service node
Answer: C Explanation:
QUESTION NO: 14

What does MAB leverage a MAC address for?
A. Calling-Station-ID
B. password
C. cisco-av-pair
D. username
Answer: D Explanation:
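What the answer to question 14 (and the expansion in question 32) means on the wire: for MAB the switch sends an ordinary RADIUS Access-Request in which User-Name and User-Password are both the endpoint's MAC address, so the "credential" is exactly as secret as the MAC. The following is an added example written for this page; it is not code from the original page, from Cisco, or from any ISE API. It builds such a request and parses it back the way the RADIUS server side would, including the RFC 2865 User-Password hiding. It assumes the Cisco IOS conventions of 12 lowercase hex digits in User-Name and User-Password, the dashed upper-case form in Calling-Station-Id, and Service-Type Call-Check (10); the shared secret and MAC are constructed sample values.

```python
"""Build and parse a RADIUS Access-Request as a switch sends it for MAB.

Assumed (not stated on the page): User-Name and User-Password carry the MAC as
12 lowercase hex digits, Calling-Station-Id carries it as AA-BB-CC-DD-EE-FF and
Service-Type is Call-Check (10). Secret and MAC below are constructed samples.
"""
import hashlib
import os
import struct
from typing import Dict, Optional

ACCESS_REQUEST = 1
# RFC 2865 attribute types
USER_NAME, USER_PASSWORD, SERVICE_TYPE, CALLING_STATION_ID, NAS_PORT_TYPE = 1, 2, 6, 31, 61
SERVICE_TYPE_CALL_CHECK = 10
NAS_PORT_TYPE_ETHERNET = 15


def encode_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad to 16-byte blocks and XOR
    each block with MD5(secret + previous ciphertext block), seeded with the
    Request Authenticator. This is obfuscation keyed by the shared secret, not
    real encryption, which is one reason MAB gives no real assurance."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_password; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_mab_request(mac: str, secret: bytes, identifier: int = 1,
                      authenticator: Optional[bytes] = None) -> bytes:
    """Raw Access-Request bytes a NAD sends for a MAB session. The MAC is the
    RADIUS username (and the password); Calling-Station-Id repeats it dashed."""
    authenticator = authenticator or os.urandom(16)
    hexmac = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(hexmac) != 12 or any(c not in "0123456789abcdef" for c in hexmac):
        raise ValueError("not a MAC address: %r" % mac)
    dashed = "-".join(hexmac[i:i + 2] for i in range(0, 12, 2)).upper()
    attrs = (attr(USER_NAME, hexmac.encode())
             + attr(USER_PASSWORD, encode_password(hexmac.encode(), secret, authenticator))
             + attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
             + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
             + attr(CALLING_STATION_ID, dashed.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_request(packet: bytes, secret: bytes) -> Dict[str, object]:
    """Parse the packet as the RADIUS server (ISE) would, recovering the
    plaintext User-Password so it can be compared with User-Name."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("malformed Access-Request")
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = struct.unpack("!BB", packet[pos:pos + 2])
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute length")
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return {
        "identifier": ident,
        "username": attrs[USER_NAME].decode(),
        "password": decode_password(attrs[USER_PASSWORD], secret, authenticator).decode(),
        "calling_station_id": attrs[CALLING_STATION_ID].decode(),
        "service_type": struct.unpack("!I", attrs[SERVICE_TYPE])[0],
    }


def looks_like_mab(parsed: Dict[str, object]) -> bool:
    """Server-side sanity check: Call-Check service type and username ==
    password == Calling-Station-Id MAC. Distinguishes MAB from a human typing
    a MAC as a password, but a spoofed MAC passes this just as well."""
    csid = str(parsed["calling_station_id"]).replace("-", "").lower()
    return (parsed["service_type"] == SERVICE_TYPE_CALL_CHECK
            and parsed["username"] == parsed["password"] == csid)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    pkt = build_mab_request("00:1b:54:aa:bb:cc", secret)
    parsed = parse_request(pkt, secret)
    print(parsed, looks_like_mab(parsed))
```

Because anything that can forge a source MAC produces an identical request, a MAB match should land in a restricted authorization result (for example the guest-portal redirect asked about in question 33) rather than full employee access.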

QUESTION NO: 15
Which two statements are correct about Change of Authorization? (Choose two.)
A. Reauth and port shun are supported Change of Authorization types in Cisco ISE.
B. Different Change of Authorization types of action can be set based on authorization policy.
C. Change of Authorization exception actions are configured globally in Cisco ISE.
D. Port bounce and port shun are supported Change of Authorization types in Cisco ISE.
E. No CoA, port bounce, and reauth are supported Change of Authorization types in Cisco ISE.
Answer: C,E Explanation:

QUESTION NO: 16
Which command is used to verify Inline Posture node operations?
A. show pep table
B. show pep summary
C. show application status pep
D. show pep log
Answer: D Explanation:
QUESTION NO: 17
Which of these is not definable in the guest portal policy?

A. sponsor registration time profile
B. maximum number of failed login attempts
C. default guest role and time profile for self-registration
D. maximum number of devices that can be registered
Answer: A Explanation:

QUESTION NO: 18
Which statement is not correct about Change of Authorization?
A. It is not possible to trigger Change of Authorization manually from the ISE interface.
B. Change of Authorization can be triggered dynamically based on a matched condition in a policy, and manually by being invoked by an administrator operation.
C. Change of Authorization is a fundamental component of Cisco TrustSec and Cisco ISE.
D. Port bounce and reauthentication are both supported for Change of Authorization action types.
Answer: A Explanation:

QUESTION NO: 19
What is the best option to implement access lists for WLC in a Cisco ISE deployment?
A. Named access lists are pushed down to the WLC.
B. Dynamic access lists are configured in Cisco ISE.
C. Named access lists are configured in Cisco ISE.
D. Named access lists are configured on the WLC and not in ISE. Cisco ISE only references the name of the named access list and sends the name to the WLC.
E. Dynamic access lists are pushed down to Cisco switches.
Answer: D Explanation:
QUESTION NO: 20
What is the correct configuration of Inline Posture node interfaces?

A. Trusted (eth0), Untrusted (eth1), High Availability (eth2 or eth3)
B. Trusted (eth0), Untrusted (eth1), High Availability (eth2)
C. Untrusted (eth0), Trusted (eth1), High Availability (eth2 or eth3)
D. Untrusted (eth0), Trusted (eth1), High Availability (eth2)
Answer: A Explanation:

QUESTION NO: 21
Which statement is not true about the authorization policy?
A. For failed authentication, the authorization policy may still be executed based on the authentication policy options set.
B. The authorization policy is executed after the execution of the authentication policy.
C. For failed authentication, the authorization policy is not executed.
D. The authorization policy is used to provide the network authorization to the user/host session based on a given set of criteria.
Answer: C Explanation:
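The behaviour tested in questions 3, 7 and 21 above (and 33 below) is easy to get wrong in a deployment: a Reject or Drop in the authentication Options ends the session before any authorization rule is evaluated, Continue lets an endpoint that failed MAB fall through to an authorization rule such as a guest-portal redirect, and under "Multiple Matched Rule Applies" the attributes of every matching rule are combined, with the first (highest) rule winning on a conflicting attribute. The following is an added illustration written in Python for this page; it is not Cisco code or an ISE API. The rule names, session attributes, condition lambdas and the four result strings are constructed for the example, and the profile values are those of the exhibit in question 7.

```python
"""Simplified model of two ISE policy behaviours this exam page asks about:
(1) the authentication Options (If authentication failed / If user not found /
    If process failed), whose default is Reject/Reject/Drop and where Continue
    means the authorization policy still runs; and
(2) 'Multiple Matched Rule Applies' authorization, where every matching rule's
    profiles are applied and the first rule wins on a conflicting attribute.
Rule names, condition callables and attribute names are constructed here.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

REJECT, DROP, CONTINUE = "Reject", "Drop", "Continue"


@dataclass(frozen=True)
class AuthOptions:
    if_auth_failed: str = REJECT      # ISE default
    if_user_not_found: str = REJECT   # ISE default
    if_process_failed: str = DROP     # ISE default


def authentication_step(result: str, options: AuthOptions) -> str:
    """result is 'passed', 'failed', 'not_found' or 'process_failed'.
    Returns 'authorize' when the session proceeds to the authorization policy,
    otherwise the RADIUS-level action ('Reject' = Access-Reject, 'Drop' = no
    reply at all)."""
    if result == "passed":
        return "authorize"
    action = {"failed": options.if_auth_failed,
              "not_found": options.if_user_not_found,
              "process_failed": options.if_process_failed}[result]
    return "authorize" if action == CONTINUE else action


@dataclass
class AuthzRule:
    name: str
    condition: Callable[[dict], bool]
    profiles: List[Dict[str, object]] = field(default_factory=list)


def authorize(rules: List[AuthzRule], session: dict,
              multiple_matched: bool = True) -> Tuple[List[str], Dict[str, object]]:
    """Evaluate rules top-down. With multiple_matched=False the first matching
    rule's profiles are returned (First Matched Rule Applies). With it True,
    profiles from every matching rule are merged; setdefault() keeps a value an
    earlier rule already set, so the first rule wins on a conflict."""
    matched: List[str] = []
    merged: Dict[str, object] = {}
    for rule in rules:
        if not rule.condition(session):
            continue
        matched.append(rule.name)
        for profile in rule.profiles:
            for attribute, value in profile.items():
                merged.setdefault(attribute, value)
        if not multiple_matched:
            break
    return matched, merged


# The exhibit from question 7, as constructed data.
PROFILE_A = {"VLAN": 10, "DACL": "EmployeeSanJose"}
PROFILE_B = {"VLAN": 20, "DACL": "Employee"}
VOICE_DOMAIN = {"VoiceDomainPermission": True}

RULES = [
    AuthzRule("Rule 1: SanJose employees",
              lambda s: s.get("group") == "Employee" and s.get("site") == "SanJose",
              [PROFILE_A]),
    AuthzRule("Rule 2: all employees",
              lambda s: s.get("group") == "Employee",
              [PROFILE_B, VOICE_DOMAIN]),
]


def decide(session: dict, auth_result: str, options: AuthOptions = AuthOptions(),
           multiple_matched: bool = True) -> Tuple[str, List[str], Dict[str, object]]:
    """Full decision: authentication Options first, then authorization.
    Returns (outcome, matched rule names, merged attributes)."""
    step = authentication_step(auth_result, options)
    if step != "authorize":
        return step, [], {}
    matched, merged = authorize(RULES, session, multiple_matched)
    return "authorize", matched, merged


if __name__ == "__main__":
    sj = {"group": "Employee", "site": "SanJose"}
    print(decide(sj, "passed"))        # both rules match; VLAN 10 and DACL from Rule 1 win
    print(decide(sj, "failed"))        # default options: Access-Reject, no authorization
    print(decide({}, "not_found", AuthOptions(if_user_not_found=CONTINUE)))  # still authorized
```

The last call is the question 33 case: an unknown MAC fails MAB, but because "If user not found" is set to Continue the session reaches the authorization policy, where a rule can redirect it to the guest portal instead of rejecting it outright.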

QUESTION NO: 22
Which of these is not a high-availability option that is available for Cisco ISE deployments?
A. In the event of failure of the Primary Administration node, the standby instance automatically becomes active.
B. Stateless failover of Inline Posture nodes
C. In the event of failure of the Primary Monitoring node, the standby instance automatically becomes active.
D. Clustering of Policy Service nodes to provide N+1 redundancy
Answer: A Explanation:
QUESTION NO: 23

Which is the cisco-av-pair automatically set to for all Inline Posture inbound profiles?
A. ipep-complaint=true
B. inline-posture=true
C. ipep-authz=true
D. SessionIdValue&action=cpp
Answer: C Explanation:

QUESTION NO: 24
Which of these is not a Cisco ISE deployment recommendation?
A. Profiling requires maintenance of L3 information.
B. Avoid installing Policy Service and Monitoring personas on the same node.
C. Ensure that node groups are L2-adjacent
D. Create a secondary Administration node before adding a Policy Service node.

Answer: A Explanation:
QUESTION NO: 25
Refer to the exhibit

Which two statements are true about Identity Groups and their use in an authorization policy? (Choose two.)
A. Identity groups can only reference internal endpoints and users in the local database.
B. Only User Identity Groups can be created in Cisco ISE.
C. The Whitelist identity group that is shown in the exhibit can be used to contain MAC addresses that are statically entered into Cisco ISE.
D. User Identity Groups can reference External Stores as well as internal users that are created in Cisco ISE.
E. The Whitelist identity group is one of the predefined identity groups in Cisco ISE.
Answer: C,D Explanation:

QUESTION NO: 26
What is the condition that a Cisco ISE authorization policy cannot match?
A. company contact
B. custom
C. time
D. device type
E. posture
Answer: B Explanation:

QUESTION NO: 27
If there is a firewall between Cisco ISE and an Active Directory external identity store, which port does not need to be open?
A. UDP/TCP 389
B. UDP123
C. TCP 21
D. TCP 445
E. TCP 88
Answer: C Explanation:
QUESTION NO: 28
Which three conditions can be used for posture checking? (Choose three.)

A. certificate
B. operating system
C. file
D. application
E. service
Answer: C,D,E Explanation:

QUESTION NO: 29
Which two statements are correct regarding Cisco ISE Guest Services? (Choose two.)
A. Guest portals must be located on the same secondary node where Cisco ISE network access is configured to handle RADIUS requests in the NAD.
B. A guest administration user interface action can be made from the primary and secondary administration interfaces.
C. Multiportal uploads to the primary node are replicated to the secondary node and installed as part of the standard data replication system.
D. The configuration mode for guest services can be different for each node in the deployment.
Answer: A,C Explanation:

QUESTION NO: 30
Which statement is correct about iPad profiling?
A. In order to profile the iPad you must use the user agent
B. The iPad will be auto-profiled in Cisco ISE without any need for configuration.
C. In order to profile the iPad you must use the DHCP probe.
D. Multiple conditions can be used, but a minimum certainty factor has to be matched or exceeded.
Answer: D Explanation:

QUESTION NO: 31
Which authentication method or methods are included in FlexAuth?
A. only 802.1X and Web authentication
B. MAB authentication
C. 802.1X authentication
D. only 802.1X and MAB authentication
E. Web authentication
F. 802.1X, MAB, and Web authentication
Answer: F Explanation:

QUESTION NO: 32
What does MAB stand for?
A. MAC Address Binding
B. MAC Authorization Binding
C. MAC Authorization Bypass
D. MAC Authentication Bypass
Answer: D Explanation:

QUESTION NO: 33
If MAB is enabled before WebAuth in Policy -> Authentications, what option must be selected if authentication fails, in order for users to have the ability to log in to the guest portal?
A. Drop
B. Reject
C. Continue
D. Accept
Answer: C Explanation:

QUESTION NO: 34
Which of these is not a method to obtain Cisco ISE profiling data?
A. RADIUS
B. HTTP
C. SNMP query
D. active scans
E. Netflow
F. DNS
Answer: D Explanation:

QUESTION NO: 35
Inline Posture nodes support which enforcement mechanisms?
A. VLAN assignment
B. security group access
C. downloadable ACLs
D. dynamic ACLs
Answer: C Explanation:

QUESTION NO: 36
What are the Cisco ISE posture building blocks?
A. network access devices, Policy Service node, Administration node
B. posture check, posture rules, posture requirement, role requirements
C. posture condition, posture rules, role requirements
D. posture condition, compound posture condition, posture requirements, posture policy
Answer: D Explanation:

QUESTION NO: 37
What are the three key layers of the Cisco TrustSec solution architecture? (Choose three.)
A. Policy
B. Data Center and Campus Enforcement
C. Authorization
D. Authentication
Answer: A,C,D Explanation:

QUESTION NO: 38
Which statement is not correct about the Cisco ISE Monitoring node?
A. The local collector agent collects logs locally from itself and from any NAD that is configured to send logs to the Policy Service node.
B. Cisco ISE supports distributed log collection across all nodes to optimize local data collection, aggregation, and centralized correlation and storage.
C. The local collector agent process runs only the Inline Posture node.
D. The local collector buffers transport the collected data to designated Cisco ISE Monitoring nodes as syslog; once Monitoring nodes are globally defined via Administration, ISE nodes automatically send logs to one or both of the configured Monitoring nodes.
Answer: C Explanation:

QUESTION NO: 39
Which Cisco ISE component intercepts HTTP and HTTPS requests and redirects them to the Guest User Portal?
A. network access device
B. Policy Service node
C. Monitoring node
D. Administration node
Answer: A Explanation:

QUESTION NO: 40
Which three of these are viable endpoint posture compliance statuses? (Choose three.)
A. infected
B. noncompliant
C. compliant
D. unknown
E. quarantine
F. clean
Answer: B,C,D Explanation:

QUESTION NO: 41
An administrator can create CP policies to provision different resources based on which three things? (Choose three.)
A. endpoint operating system
B. dictionary-based conditions
C. user identity group
D. certificates
Answer: A,B,C Explanation:

QUESTION NO: 42
What is the result when a Cisco ISE administrator removes a permanent license?
A. The ISE administrator must contact [email protected].
B. The ISE deployment falls back to the evaluation license.
C. The ISE administrator must contact TAC
D. The ISE deployment requires a new license for full functionality.
Answer: B Explanation:


QUESTION NO: 43
What are two methods to verify that Cisco ISE is properly connected to AD? (Choose two.)
A. View the Active Directory Log /opt/CSCOcmp/logs/ad_agentlog.
B. Use the ISE Dashboard Summary alarms.
C. Use the Test Connection feature in the Cisco ISE External Identity Sources Active Directory.
D. Use ktpass to determine if the Kerberos ticket is valid.
Answer: B,C Explanation:

QUESTION NO: 44
Which statement is not a restriction when the guest portal runs on a node that assumes the Policy Service persona, because the node with the Administration persona is offline?
A. Change password is not allowed, and accounts are given access with the old password.
B. The AUP is not shown at every login.
C. Self-registration is not allowed.
D. Device registration is not allowed.
E. Maximum failed login will not be enforced.
Answer: B Explanation:

QUESTION NO: 45
Which of the following is not true about profiling in Cisco ISE?
A. Profiling policies are automatically enabled for use.
B. Cisco ISE comes with predefined profiles.
C. The use of Identity Groups is required to leverage the use of profiling in the authorization policy.
D. Cisco ISE does not support hierarchy within the profiling policy.

Answer: D Explanation:

QUESTION NO: 46
Client provisioning resources can be added into the Cisco ISE Administration node from which three of these? (Choose three.)
A. FTP
B. TFTP
C. www.cisco.com
D. local disk
E. Posture Agent Profile
Answer: C,D,E Explanation:

QUESTION NO: 47
What are the three Cisco TrustSec enforcement modes that are used to help protect network operations when securing the network? (Choose three.)
A. high-security mode
B. monitor mode
C. low-impact mode
D. semi-passive mode
E. logging mode
Answer: A,B,C Explanation:
QUESTION NO: 48
What are the three network information items that are required to set up Cisco ISE? (Choose three.)
A. secondary name server
B. IP address and netmask for the Gigabit Ethernet 1 interface
C. Network Time Protocol server
D. host name
E. primary name server
F. fully qualified domain name
Answer: B,D,E Explanation:

QUESTION NO: 49
What is not a Cisco Borderless Network service?
A. Mobility
B. Security
C. Data Center Resource Management
D. Multimedia Optimization
E. Management
F. Energy Management
G. Application Performance
Answer: C Explanation:

QUESTION NO: 50
Which information is not included in the Low Level Design document?
A. physical network topology
B. network management server
C. external identity sources
D. security policies
Answer: B