Introducing The New!
Surepassexam Collection
Get Unlimited Access to all
Surepassexam's PREMIUM files
Q1. When you configure an endpoint profiling policy rule, which option describes the purpose of the minimum certainty factor?
A. It is compared to the total certainty metric of an individual endpoint to determine whether the endpoint can be trusted.
B. It is compared to the assigned certainty value of an individual endpoint in a device database to determine whether the endpoint can be trusted.
C. It is used to compare the policy condition to other active policies.
D. It is used to determine the likelihood that an endpoint is an active, trusted device on the network.
Answer: A
Q2. Where is dynamic SGT classification configured?
A. Cisco ISE
B. NAD
C. supplicant
D. RADIUS proxy
Answer: A
Q3. Which two services are included in the Cisco ISE posture service? (Choose two.)
A. posture administration
B. posture run-time
C. posture monitoring
D. posture policing
E. posture catalog
Answer: A,B
Q4. What is the default posture status for non-agent capable devices, such as Linux and iDevices?
A. Unknown
B. Validated
C. Default
D. Compliant
Answer: D
Q5. How frequently does the Profiled Endpoints dashlet refresh data?
A. every 30 seconds
B. every 60 seconds
C. every 2 minutes
D. every 5 minutes
Answer: B
Q6. From which location can you run reports on endpoint profiling?
A. Reports > Operations > Catalog > Endpoint
B. Operations > Reports > Catalog > Endpoint
C. Operations > Catalog > Reports > Endpoint
D. Operations > Catalog > Endpoint
Answer: B
Q7. Which two authentication stores are supported to design a wireless network using PEAP EAP-MSCHAPv2 as the authentication method? (Choose two.)
A. Microsoft Active Directory
B. ACS
C. LDAP
D. RSA Secure-ID
E. Certificate Server
Answer: A,B
Q8. Which identity store option allows you to modify the directory services that run on TCP/IP?
A. Lightweight Directory Access Protocol
B. RSA SecurID server
C. RADIUS
D. Active Directory
Answer: A
Q9. ORRECT TEXT
The Secure-X company has started to tested the 802.1X authentication deployment using the Cisco Catalyst 3560-X layer 3 switch and the Cisco ISEvl2 appliance. Each employee desktop will be connected to the 802.1X enabled switch port and will use the Cisco AnyConnect NAM 802.1X supplicant to log in and connect to the network.
Your particular tasks in this simulation are to create a new identity source sequence named AD_internal which will first use the Microsoft Active Directory (AD1) then use the ISE Internal User database. Once the new identity source sequence has been configured, edit the existing DotlX authentication policy to use the new AD_internal identity source sequence.
The Microsoft Active Directory (AD1) identity store has already been successfully configured, you just need to reference it in your configuration.
In addition to the above, you are also tasked to edit the IT users authorization policy so IT users who successfully authenticated will get the permission of the existing IT_Corp authorization profile.
Perform this simulation by accessing the ISE GUI to perform the following tasks:
. Create a new identity source sequence named AD_internal to first use the Microsoft Active Directory (AD1) then use the ISE Internal User database
. Edit the existing Dot1X authentication policy to use the new AD_internal identity source sequence:
. If authentication failed-reject the access request
. If user is not found in AD-Drop the request without sending a response
. If process failed-Drop the request without sending a response
. Edit the IT users authorization policy so IT users who successfully authenticated will get the permission of the existing IT_Corp authorization profile.
To access the ISE GUI, click the ISE icon in the topology diagram. To verify your configurations, from the ISE GUI, you should also see the Authentication Succeeded event for the it1 user after you have successfully defined the DotlX authentication policy to use the Microsoft Active Directory first then use the ISE Internal User Database to authenticate the user. And in the Authentication Succeeded event, you should see the IT_Corp authorization profile being applied to the it1 user. If your configuration is not correct and ISE can't authenticate the user against the Microsoft Active Directory, you should see the Authentication Failed event instead for the it1 user.
Note: If you make a mistake in the Identity Source Sequence configuration, please delete the Identity Source Sequence then re-add a new one. The edit Identity Source Sequence function is not implemented in this simulation.
Answer: Review the explanation for full configuration and solution.
Q10. With which two appliance-based products can Cisco Prime Infrastructure integrate to perform centralized management? (Choose two.)
A. Cisco Managed Services Engine
B. Cisco Email Security Appliance
C. Cisco Wireless Location Appliance
D. Cisco Content Security Appliance
E. Cisco ISE
Answer: A,E
Q11. Which option restricts guests from connecting more than one device at a time?
A. Guest Portal policy > Set Device registration portal limit
B. Guest Portal Policy > Set Allow only one guest session per user
C. My Devices Portal > Set Maximum number of devices to register
D. Multi-Portal Policy > Guest users should be able to do device registration
Answer: B
Q12. What is the effect of the ip http secure-server command on a Cisco ISE?
A. It enables the HTTP server for users to connect on the command line.
B. It enables the HTTP server for users to connect using Web-based authentication.
C. It enables the HTTPS server for users to connect using Web-based authentication.
D. It enables the HTTPS server for users to connect on the command line.
Answer: C
Q13. Which two statements about MAB are true? (Choose two.)
A. It requires a preexisting database of the MAC addresses of permitted devices.
B. It is unable to control network access at the edge.
C. If MAB fails, the device is unable to fall back to another authentication method.
D. It is unable to link the IP and MAC addresses of a device.
E. It is unable to authenticate individual users.
Answer: A,E
Q14. In the command 'aaa authentication default group tacacs local', how is the word 'default' defined?
A. Command set
B. Group name
C. Method list
D. Login type
Answer: C
Q15. Which two attributes must match between two Cisco ASA devices to properly enable high availability? (Choose two.)
A. model, interface configuration, and RAM
B. major and minor software release
C. tcp dead-peer detection protocol
D. 802.1x authentication identity
Answer: A,B
Q16. In Cisco ISE, which two actions can be taken based on matching a profiler policy? (Choose two).
A. exception
B. network scan (NMAP)
C. delete endpoint
D. automatically remediate
E. create matching identity group
Answer: A,B
Q17. You discover that the Cisco ISE is failing to connect to the Active Directory server. Which option is a possible cause of the problem?
A. NTP server time synchronization is configured incorrectly.
B. There is a certificate mismatch between Cisco ISE and Active Directory.
C. NAT statements required for Active Directory are configured incorrectly.
D. The RADIUS authentication ports are being blocked by the firewall.
Answer: A