Introducing The New!
Surepassexam Collection
Get Unlimited Access to all
Surepassexam's PREMIUM files
Q1. In this simulation, you are task to examine the various authentication events using the ISE GUI. For example, you should see events like Authentication succeeded. Authentication failed and etc...
Which two statements are correct regarding the event that occurred at 2014-05-07 00:22:48.175? (Choose two.)
A. The DACL will permit http traffic from any host to 10.10.2.20
B. The DACL will permit http traffic from any host to 10.10.3.20
C. The DACL will permit icmp traffic from any host to 10.10.2.20
D. The DACL will permit icmp traffic from any host to 10.10.3.20
E. The DACL will permit https traffic from any host to 10.10.3.20
Answer: A,E
Explanation:
Event Details:
Screen Shot 2015-06-23 at 5.38.50 PM
Screen Shot 2015-06-23 at 5.41.14 PM
Q2. Which two conditions are valid when configuring ISE for posturing? (Choose two.)
A. Dictionary
B. member Of
C. Profile status
D. File
E. Service
Answer: D,E
Q3. Which network access device feature can you configure to gather raw endpoint data?
A. Device Sensor
B. Device Classifier
C. Switched Port Analyzer
D. Trust Anchor
Answer: A
Q4. What are the initial steps to configure an ACS as a TACACS server?
A. 1. Choose Network Devices and AAA Clients > Network Resources.
2. Click Create.
B. 1. Choose Network Resources > Network Devices and AAA Clients.
2. Click Create.
C. 1. Choose Network Resources > Network Devices and AAA Clients.
2. Click Manage.
D. 1. Choose Network Devices and AAA Clients > Network Resources.
2. Click Install.
Answer: B
Q5. ORRECT TEXT
The Secure-X company has started to tested the 802.1X authentication deployment using the Cisco Catalyst 3560-X layer 3 switch and the Cisco ISEvl2 appliance. Each employee desktop will be connected to the 802.1X enabled switch port and will use the Cisco AnyConnect NAM 802.1X supplicant to log in and connect to the network.
Your particular tasks in this simulation are to create a new identity source sequence named AD_internal which will first use the Microsoft Active Directory (AD1) then use the ISE Internal User database. Once the new identity source sequence has been configured, edit the existing DotlX authentication policy to use the new AD_internal identity source sequence.
The Microsoft Active Directory (AD1) identity store has already been successfully configured, you just need to reference it in your configuration.
In addition to the above, you are also tasked to edit the IT users authorization policy so IT users who successfully authenticated will get the permission of the existing IT_Corp authorization profile.
Perform this simulation by accessing the ISE GUI to perform the following tasks:
. Create a new identity source sequence named AD_internal to first use the Microsoft Active Directory (AD1) then use the ISE Internal User database
. Edit the existing Dot1X authentication policy to use the new AD_internal identity source sequence:
. If authentication failed-reject the access request
. If user is not found in AD-Drop the request without sending a response
. If process failed-Drop the request without sending a response
. Edit the IT users authorization policy so IT users who successfully authenticated will get the permission of the existing IT_Corp authorization profile.
To access the ISE GUI, click the ISE icon in the topology diagram. To verify your configurations, from the ISE GUI, you should also see the Authentication Succeeded event for the it1 user after you have successfully defined the DotlX authentication policy to use the Microsoft Active Directory first then use the ISE Internal User Database to authenticate the user. And in the Authentication Succeeded event, you should see the IT_Corp authorization profile being applied to the it1 user. If your configuration is not correct and ISE can't authenticate the user against the Microsoft Active Directory, you should see the Authentication Failed event instead for the it1 user.
Note: If you make a mistake in the Identity Source Sequence configuration, please delete the Identity Source Sequence then re-add a new one. The edit Identity Source Sequence function is not implemented in this simulation.
Answer: Review the explanation for full configuration and solution.
Q6. In the command 'aaa authentication default group tacacs local', how is the word 'default' defined?
A. Command set
B. Group name
C. Method list
D. Login type
Answer: C
Q7. In this simulation, you are task to examine the various authentication events using the ISE GUI. For example, you should see events like Authentication succeeded. Authentication failed and etc...
Which three statements are correct regarding the events with the 20 repeat count that occurred at 2014-05-07 00:22:48.748? (Choose three.)
A. The device was successfully authenticated using MAB.
B. The device matched the Machine_Corp authorization policy.
C. The Print Servers authorization profile were applied.
D. The device was profiled as a Linksys-PrintServer.
E. The device MAC address is 00:14:BF:70:B5:FB.
F. The device is connected to the Gi0/1 switch port and the switch IP address is 10.10.2.2.
Answer: A,D,E
Explanation:
Event Details:
Screen Shot 2015-06-23 at 5.32.43 PM …continued:
Screen Shot 2015-06-23 at 5.33.24 PM
Q8. Which statement about a distributed Cisco ISE deployment is true?
A. It can support up to two monitoring Cisco ISE nodes for high availability.
B. It can support up to three load-balanced Administration ISE nodes.
C. Policy Service ISE nodes can be configured in a redundant failover configuration.
D. The Active Directory servers of Cisco ISE can be configured in a load-balanced configuration.
Answer: A
Q9. Refer to the exhibit.
If the given configuration is applied to the object-group vpnservers, during which time period are external users able to connect?
A. From Friday at 6:00 p.m. until Monday at 8:00 a.m.
B. From Monday at 8:00 a.m. until Friday at 6:00 p.m.
C. From Friday at 6:01 p.m. until Monday at 8:01 a.m.
D. From Monday at 8:01 a.m. until Friday at 5:59 p.m.
Answer: A
Q10. Where would a Cisco ISE administrator define a named ACL to use in an authorization policy?
A. In the conditions of an authorization rule.
B. In the attributes of an authorization rule.
C. In the permissions of an authorization rule.
D. In an authorization profile associated with an authorization rule.
Answer: D
Q11. Which identity store option allows you to modify the directory services that run on TCP/IP?
A. Lightweight Directory Access Protocol
B. RSA SecurID server
C. RADIUS
D. Active Directory
Answer: A
Q12. Which three remediation actions are supported by the Web Agent for Windows? (Choose three.)
A. Automatic Remediation
B. Message text
C. URL Link
D. File Distribution
E. AV definition update
F. Launch Program
Answer: B,C,D
Q13. What type of identity group is the Blacklist identity group?
A. endpoint
B. user
C. blackhole
D. quarantine
E. denied systems
Answer: A
Q14. Which statement about system time and NTP server configuration with Cisco ISE is true?
A. The system time and NTP server settings can be configured centrally on the Cisco ISE.
B. The system time can be configured centrally on the Cisco ISE, but NTP server settings must be configured individually on each ISE node.
C. NTP server settings can be configured centrally on the Cisco ISE, but the system time must be configured individually on each ISE node.
D. The system time and NTP server settings must be configured individually on each ISE node.
Answer: D
Q15. Which mechanism does Cisco ISE use to force a device off the network if it is reported lost or stolen?
A. CoA
B. dynamic ACLs
C. SGACL
D. certificate revocation
Answer: A
Q16. Which type of access list is the most scalable that Cisco ISE can use to implement network authorization enforcement for a large number of users?
A. downloadable access lists
B. named access lists
C. VLAN access lists
D. MAC address access lists
Answer: A
Q17. What are the initial steps to configure an ACS as a TACACS server?
A. 1. Choose Network Devices and AAA Clients > Network Resources.
2. Click Create.
B. 1. Choose Network Resources > Network Devices and AAA Clients.
2. Click Create.
C. 1. Choose Network Resources > Network Devices and AAA Clients.
2. Click Manage.
D. 1. Choose Network Devices and AAA Clients > Network Resources.
2. Click Install.
Answer: B