Most Up-to-date Implementing And Configuring Cisco Identity Services Engine (SISE) 300-715 Prep

NEW QUESTION 1
What does a fully distributed Cisco ISE deployment include?

• A. PAN and PSN on the same node while MnTs are on their own dedicated nodes.
• B. PAN and MnT on the same node while PSNs are on their own dedicated nodes.
• C. All Cisco ISE personas on their own dedicated nodes.
• D. All Cisco ISE personas are sharing the same node.

Answer: A

Explanation:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_setup_cisco_is

NEW QUESTION 2
Which supplicant(s) and server(s) are capable of supporting EAP-CHAINING?

• A. Cisco AnyConnect NAM and Cisco Identity Service Engine
• B. Cisco AnyConnect NAM and Cisco Access Control Server
• C. Cisco Secure Services Client and Cisco Access Control Server
• D. Windows Native Supplicant and Cisco Identity Service Engine

Answer: A

NEW QUESTION 3
An engineer is configuring 802.1X and wants it to be transparent from the users' point of view. The implementation should provide open authentication on the switch ports while providing strong levels of security for non-authenticated devices. Which deployment mode should be used to achieve this?

• A. closed
• B. low-impact
• C. open
• D. high-impact

Answer: B

Explanation:
https://www.lookingpoint.com/blog/cisco-ise-wired-802.1x-deployment-monitormode#:~:text=Low%20im

NEW QUESTION 4
An administrator wants to configure network device administration and is trying to decide whether to use TACACS* or RADIUS. A reliable protocol must be used that can check command authorization Which protocol meets these requirements and why?

• A. TACACS+ because it runs over TCP
• B. RADIUS because it runs over UDP
• C. RADIUS because it runs over TCP.
• D. TACACS+ because it runs over UDP

Answer: A

NEW QUESTION 5
In which two ways can users and endpoints be classified for TrustSec? (Choose Two.)

• A. VLAN
• B. SXP
• C. dynamic
• D. QoS
• E. SGACL

Answer: AE

NEW QUESTION 6
What is a function of client provisioning?

• A. It ensures an application process is running on the endpoint.
• B. It checks a dictionary' attribute with a value.
• C. It ensures that endpoints receive the appropriate posture agents
• D. It checks the existence date and versions of the file on a client.

Answer: C

NEW QUESTION 7
Which default endpoint identity group does an endpoint that does not match any profile in Cisco ISE become a member of?

• A. Endpoint
• B. unknown
• C. blacklist
• D. white list
• E. profiled

Answer: B

Explanation:
If you do not have a matching profiling policy, you can assign an unknown profiling policy. The endpoint is therefore profiled as Unknown. The endpoint that does not match any profile is grouped within the Unknown identity group. The endpoint profiled to the Unknown profile requires that you create a profile with an attribute or a set of attributes collected for that endpoint.
https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_identities.html

NEW QUESTION 8
An administrator is attempting to replace the built-in self-signed certificates on a Cisco ISE appliance. The CA is requesting some information about the appliance in order to sign the new certificate. What must be done in order to provide the CA this information?

• A. Install the Root CA and intermediate CA.
• B. Generate the CSR.
• C. Download the intermediate server certificate.
• D. Download the CA server certificate.

Answer: B

NEW QUESTION 9
What allows an endpoint to obtain a digital certificate from Cisco ISE during a BYOD flow?

• A. Network Access Control
• B. My Devices Portal
• C. Application Visibility and Control
• D. Supplicant Provisioning Wizard

Answer: D

NEW QUESTION 10
An engineer wants to learn more about Cisco ISE and deployed a new lab with two nodes. Which two persona configurations allow the engineer to successfully test redundancy of a failed node? (Choose two.)

• A. Configure one of the Cisco ISE nodes as the Health Check node.
• B. Configure both nodes with the PAN and MnT personas only.
• C. Configure one of the Cisco ISE nodes as the primary PAN and MnT personas and the other as the secondary.
• D. Configure both nodes with the PAN, MnT, and PSN personas.
• E. Configure one of the Cisco ISE nodes as the primary PAN and PSN personas and the other as the secondary.

Answer: CE

NEW QUESTION 11
Which statement about configuring certificates for BYOD is true?

• A. An Android endpoint uses EST, whereas other operating systems use SCEP for enrollment
• B. The SAN field is populated with the end user name.
• C. An endpoint certificate is mandatory for the Cisco ISE BYOD
• D. The CN field is populated with the endpoint host name

Answer: C

NEW QUESTION 12
An administrator is configuring new probes to use with Cisco ISE and wants to use metadata to help profile the endpoints. The metadata must contain traffic information relating to the endpoints instead of
industry-standard protocol information Which probe should be enabled to meet these requirements?

• A. NetFlow probe
• B. DNS probe
• C. DHCP probe
• D. SNMP query probe

Answer: C

Explanation:
http://www.network-node.com/blog/2016/1/2/ise-20-profiling

NEW QUESTION 13
An engineer is configuring a posture policy for Windows 10 endpoints and wants to ensure that users in each AD group have different conditions to meet to be compliant. What must be done to accomplish this task?

• A. identify The users groups needed for different policies and create service conditions to map each one to its posture requirement
• B. Configure a simple condition for each AD group and use it in the posture policy for each use case
• C. Use the authorization policy within the policy set to group each AD group with their respective posture policy
• D. Change the posture requirements to use an AD group lor each use case then use those requirements in the posture policy

Answer: C

NEW QUESTION 14
When planning for the deployment of Cisco ISE, an organization's security policy dictates that they must use network access authentication via RADIUS. It also states that the deployment provide an adequate amount of security and visibility for the hosts on the network. Why should the engineer configure MAB in this situation?

• A. The Cisco switches only support MAB.
• B. MAB provides the strongest form of authentication available.
• C. The devices in the network do not have a supplicant.
• D. MAB provides user authentication.

Answer: C

NEW QUESTION 15
Which two roles are taken on by the administration person within a Cisco ISE distributed environment? (Choose two.)

• A. backup
• B. secondary
• C. standby
• D. primary
• E. active

Answer: BD

NEW QUESTION 16
Which command displays all 802 1X/MAB sessions that are active on the switch ports of a Cisco Catalyst switch?

• A. show authentication sessions output
• B. Show authentication sessions
• C. show authentication sessions interface Gi 1/0/x
• D. show authentication sessions interface Gi1/0/x output

Answer: B

NEW QUESTION 17
An engineer needs to configure a new certificate template in the Cisco ISE Internal Certificate Authority to prevent BYOD devices from needing to re-enroll when their MAC address changes. Which option must be selected in the Subject Alternative Name field?

• A. Common Name and GUID
• B. MAC Address and GUID
• C. Distinguished Name
• D. Common Name

Answer: B

Explanation:
The engineer needs to select the option of MAC Address and GUID in the Subject Alternative Name field when configuring a new certificate template in the Cisco ISE Internal Certificate Authority to prevent BYOD devices from needing to re-enroll when their MAC address changes.

NEW QUESTION 18
A network administrator must configure Cisco SE Personas in the company to share session information via syslog. Which Cisco ISE personas must be added to syslog receivers to accomplish this goal?

• A. pxGrid
• B. admin
• C. policy services
• D. monitor

Answer: D

NEW QUESTION 19
An administrator connects an HP printer to a dot1x enable port, but the printer in not accessible Which feature must the administrator enable to access the printer?

• A. MAC authentication bypass
• B. change of authorization
• C. TACACS authentication
• D. RADIUS authentication

Answer: A

Explanation:
https://community.cisco.com/t5/network-access-control/ise-for-printer-security/m-p/3933216

NEW QUESTION 20
What are two differences between the RADIUS and TACACS+ protocols'? (Choose two.)

• A. RADIUS is a Cisco proprietary protocol, whereas TACACS+ is an open standard protocol
• B. TACACS+uses TCP port 49. whereas RADIUS uses UDP ports 1812 and 1813.
• C. RADIUS offers multiprotocol support, whereas TACACS+ does not
• D. RADIUS combines authentication and authorization, whereas TACACS+ does not
• E. RADIUS enables encryption of all the packets, whereas with TACACS+. only the password is encrypted.

Answer: BD

NEW QUESTION 21
......