Introducing The New!
Surepassexam Collection
Get Unlimited Access to all
Surepassexam's PREMIUM files
Q1. Which three host modes support MACsec? (Choose three.)
A. multidomain authentication host mode
B. multihost mode
C. multi-MAC host mode
D. single-host mode
E. dual-host mode
F. multi-auth host mode
Answer: A,B,D
Q2. Which authorization method is the Cisco best practice to allow endpoints access to the
Apple App store or Google Play store with Cisco WLC software version 7.6 or newer?
A. dACL
B. DNS ACL
C. DNS ACL defined in Cisco ISE
D. redirect ACL
Answer: B
Q3. Which feature must you configure on a switch to allow it to redirect wired endpoints to Cisco ISE?
A. the http secure-server command
B. RADIUS Attribute 29
C. the RADIUS VSA for accounting
D. the RADIUS VSA for URL-REDIRECT
Answer: A
Q4. Which functionality does the Cisco ISE self-provisioning flow provide?
A. It provides support for native supplicants, allowing users to connect devices directly to the network.
B. It provides the My Devices portal, allowing users to add devices to the network.
C. It provides support for users to install the Cisco NAC agent on enterprise devices.
D. It provides self-registration functionality to allow guest users to access the network.
Answer: A
Q5. What steps must you perform to deploy a CA-signed identity certificate on an ISE device?
A. 1. Download the CA server certificate and install it on ISE.
2. Generate a signing request and save it as a file.
3. Access the CA server and submit the CA request.
4. Install the issued certificate on the ISE.
B. 1. Download the CA server certificate and install it on ISE.
2. Generate a signing request and save it as a file.
3. Access the CA server and submit the CSR.
4. Install the issued certificate on the CA server.
C. 1. Generate a signing request and save it as a file.
2. Download the CA server certificate and install it on ISE.
3. Access the ISE server and submit the CA request.
4. Install the issued certificate on the CA server.
D. 1. Generate a signing request and save it as a file.
2. Download the CA server certificate and install it on ISE.
3. Access the CA server and submit the CSR.
4. Install the issued certificate on the ISE.
Answer: D
Q6. Which condition triggers wireless authentication? A. NAS-Port-Type is set to IEEE 802.11.
B. Framed-Compression is set to None.
C. Service-Type is set to Framed.
D. Tunnel-Type is set to VLAN.
Answer: A
Q7. Which three network access devices allow for static security group tag assignment? (Choose three.)
A. intrusion prevention system
B. access layer switch
C. data center access switch
D. load balancer
E. VPN concentrator
F. wireless LAN controller
Answer: B,C,E
Q8. In a basic ACS deployment consisting of two servers, for which three tasks is the primary server responsible? (Choose three.)
A. configuration
B. authentication
C. sensing
D. policy requirements
E. monitoring
F. repudiation
Answer: A,B,D
Q9. In an 802.1X authorization process, a network access device provides which three functions? (Choose three.)
A. Filters traffic prior to authentication
B. Passes credentials to authentication server
C. Enforces policy provided by authentication server
D. Hosts a central web authentication page
E. Confirms supplicant protocol compliance
F. Validates authentication credentials
Answer: A,B,C
Q10. Which statement about Cisco ISE BYOD is true?
A. Dual SSID allows EAP-TLS only when connecting to the secured SSID.
B. Single SSID does not require endpoints to be registered.
C. Dual SSID allows BYOD for guest users.
D. Single SSID utilizes open SSID to accommodate different types of users.
E. Single SSID allows PEAP-MSCHAPv2 for native supplicant provisioning.
Answer: E
Q11. A network administrator must enable which protocol to utilize EAP-Chaining?
A. EAP-FAST
B. EAP-TLS
C. MSCHAPv2
D. PEAP
Answer: A
Q12. Your guest-access wireless network is experiencing degraded performance and excessive latency due to user saturation. Which type of rate limiting can you implement on your network to correct the problem?
A. per-device
B. per-policy
C. per-access point
D. per-controller
E. per-application
Answer: A
Q13. In a multi-node ISE deployment, backups are not working on the MnT node. Which ISE CLI option would help mitigate this issue?
A. repository
B. ftp-url
C. application-bundle
D. collector
Answer: A
Q14. Refer to the exhibit.
If the given configuration is applied to the object-group vpnservers, during which time period are external users able to connect?
A. From Friday at 6:00 p.m. until Monday at 8:00 a.m.
B. From Monday at 8:00 a.m. until Friday at 6:00 p.m.
C. From Friday at 6:01 p.m. until Monday at 8:01 a.m.
D. From Monday at 8:01 a.m. until Friday at 5:59 p.m.
Answer: A
Q15. Which two Cisco Catalyst switch interface commands allow only a single voice device and a single data device to be connected to the IEEE 802.1X-enabled interface? (Choose two.)
A. authentication host-mode single-host
B. authentication host-mode multi-domain
C. authentication host-mode multi-host
D. authentication host-mode multi-auth
Answer: A,B
Q16. When RADIUS NAC and AAA Override are enabled for a WLC on a Cisco ISE, which two statements about RADIUS NAC are true? (Choose two.)
A. It returns an access-accept and sends the redirection URL for all users.
B. It establishes secure connectivity between the RADIUS server and the Cisco ISE.
C. It allows the Cisco ISE to send a CoA request that indicates when the user is authenticated.
D. It is used for posture assessment, so the Cisco ISE changes the user profile based on posture result.
E. It allows multiple users to authenticate at the same time.
Answer: C,D
Q17. Which feature enables the Cisco ISE DHCP profiling capabilities to determine and enforce authorization policies on mobile devices?
A. disabling the DHCP proxy option
B. DHCP option 42
C. DHCP snooping
D. DHCP spoofing
Answer: A