Question No: 9
The corporate security policy requires multiple elements to be matched in an authorization policy. Which elements can be combined to meet the requirement?
A. Device registration status and device activation status
B. Network access device and time condition
C. User credentials and server certificate
D. Built-in profile and custom profile
Answer: B
Question No: 10
When RADIUS NAC and AAA Override are enabled for a WLC on a Cisco ISE, which two statements about RADIUS NAC are true? (Choose two.)
A. It returns an access-accept and sends the redirection URL for all users.
B. It establishes secure connectivity between the RADIUS server and the Cisco ISE.
C. It allows the Cisco ISE to send a CoA request that indicates when the user is authenticated.
D. It is used for posture assessment, so the Cisco ISE changes the user profile based on posture result.
E. It allows multiple users to authenticate at the same time.
Answer: C,D
Question No: 11
A security engineer has a new TrustSec project and must create a few static security group tag classifications as a proof of concept. Which two classifications can the tags be mapped to? (Choose two.)
A. VLAN
B. user ID
C. interface
D. switch ID
E. MAC address
Answer: A,C
Explanation: In static classification the tag maps to something (an IP, subnet, VLAN, or interface) rather than relying on an authorization from the Cisco ISE.
This process of assigning the SGT is defined as “classification.” These classifications are then transported deeper into the network for policy enforcement.
Question No: 12
An organization has recently deployed ISE with TrustSec-capable Cisco switches and would like to allow differentiated network access based on user groups. Which solution is most suitable for achieving these goals?
A. Cyber Threat Defense for user group control by leveraging NetFlow exported from the Cisco switches and identity information from ISE
B. MACsec in Multiple-Host Mode in order to encrypt traffic at each hop of the network infrastructure
C. Identity-based ACLs preconfigured on the Cisco switches with user identities provided by ISE
D. Cisco Security Group Access Policies to control access based on SGTs assigned to different user groups
Answer: D
Question No: 13
A network security engineer is considering configuring 802.1x port authentication such that a single host is allowed to be authenticated for data and another single host for voice. Which port authentication host mode can be used to achieve this configuration?
A. single-host
B. multihost
C. multiauth
D. multidomain
Answer: D
Question No: 14
An engineer must enable SGACL policy globally for a Cisco TrustSec–enabled routed interface. Which command must be used?
A. cts role-based monitor enable
B. cts role-based enforcement
C. cts role-based sgt-caching with-enforcement
D. cts role-based monitor permissions from {sgt_num} to {dgt_num} [ipv4 | ipv6]
Answer: B
Question No: 15
Which option is the correct redirect-ACL for Wired-CWA, with 10.201.228.76 being the Cisco ISE IP address?
A. ip access-l ex ACL-WEBAUTH-REDIRECT
   deny udp any any eq domain
   deny ip any host 10.201.228.76
   permit tcp any any eq 80
   permit tcp any any eq 443
B. ip access-l ex ACL-WEBAUTH-REDIRECT
   permit udp any any eq domain
   permit ip any host 10.201.228.76
   deny tcp any any eq 80
   permit tcp any any eq 443
C. ip access-l ex ACL-WEBAUTH-REDIRECT
   deny udp any any eq domain
   permit tcp any host 10.201.228.76 eq 8443
   deny ip any host 10.201.228.76
   permit tcp any any eq 80
   permit tcp any any eq 443
D. ip access-l ex ACL-WEBAUTH-REDIRECT
   permit udp any any eq domain
   deny ip any host 10.201.228.76
   permit tcp any any eq 80
   permit tcp any any eq 443
Answer: A
Question No: 16
Refer to the exhibit.
Which ISE flow mode does this diagram represent?
A. Closed mode
B. Monitor mode
C. Application mode
D. Low-impact mode
Answer: B
Question No: 17
A network administrator must enable which protocol to utilize EAP-Chaining?
A. EAP-FAST
B. EAP-TLS
C. MSCHAPv2
D. PEAP
Answer: A
Question No: 18
Which command defines administrator CLI access in ACS 5.x?
A. Application reset-passwd acs username
B. username username password password role admin
C. username username password plain password role admin
D. password-policy
Answer: C