Improve 300-715 Samples For Implementing And Configuring Cisco Identity Services Engine (SISE) Certification

NEW QUESTION 1
An administrator for a small network is configuring Cisco ISE to provide dynamic network access to users. Management needs Cisco ISE to not automatically trigger a CoA whenever a profile change is detected. Instead, the administrator needs to verify the new profile and manually trigger a CoA. What must be configuring in the profiler to accomplish this goal?

• A. Port Bounce
• B. No CoA
• C. Session Query
• D. Reauth

Answer: B

Explanation:
https://ciscocustomer.lookbookhq.com/iseguidedjourney/ISE-profiling-policies

NEW QUESTION 2
An organization is adding new profiling probes to the system to improve profiling on Oseo ISE The probes must support a common network management protocol to receive information about the endpoints and the ports to which they are connected What must be configured on the network device to accomplish this goal?

• A. ARP
• B. SNMP
• C. WCCP
• D. ICMP

Answer: B

Explanation:
https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456#toc-hId-79034313

NEW QUESTION 3
An engineer is configuring the remote access VPN to use Cisco ISE for AAA and needs to conduct posture checks on the connecting endpoints After the endpoint connects, it receives its initial authorization result and continues onto the compliance scan What must be done for this AAA configuration to allow compliant access to the network?

• A. Configure the posture authorization so it defaults to unknown status
• B. Fix the CoA port number
• C. Ensure that authorization only mode is not enabled
• D. Enable dynamic authorization within the AAA server group

Answer: D

NEW QUESTION 4
What does a fully distributed Cisco ISE deployment include?

• A. PAN and PSN on the same node while MnTs are on their own dedicated nodes.
• B. PAN and MnT on the same node while PSNs are on their own dedicated nodes.
• C. All Cisco ISE personas on their own dedicated nodes.
• D. All Cisco ISE personas are sharing the same node.

Answer: A

Explanation:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_setup_cisco_is

NEW QUESTION 5
What occurs when a Cisco ISE distributed deployment has two nodes and the secondary node is deregistered?

• A. The primary node restarts
• B. The secondary node restarts.
• C. The primary node becomes standalone
• D. Both nodes restart.

Answer: D

Explanation:
https://www.cisco.com/c/en/us/td/docs/security/ise/1-1-1/installation_guide/ise_install_guide/ise_deploy.html if your deployment has two nodes and you deregister the secondary node, both nodes in this
primary-secondary pair are restarted. (The former primary and secondary nodes become standalone.)

NEW QUESTION 6
An organization is implementing Cisco ISE posture services and must ensure that a host-based firewall is in place on every Windows and Mac computer that attempts to access the network They have multiple vendors’ firewall applications for their devices, so the engineers creating the policies are unable to use a specific application check in order to validate the posture for this What should be done to enable this type of posture check?

• A. Use the file registry condition to ensure that the firewal is installed and running appropriately.
• B. Use a compound condition to look for the Windows or Mac native firewall applications.
• C. Enable the default rewall condition to check for any vendor rewall application.
• D. Enable the default application condition to identify the applications installed and validade the rewall app.

Answer: C

Explanation:
https://www.youtube.com/watch?v=6Kj8P8Hn7dY&t=109s&ab_channel=CiscoISE-IdentityServicesEngine

NEW QUESTION 7
An engineer is unable to use SSH to connect to a switch after adding the required CLI commands to the device to enable TACACS+. The device administration license has been added to Cisco ISE, and the required policies have been created. Which action is needed to enable access to the switch?

• A. The ip ssh source-interface command needs to be set on the switch
• B. 802.1X authentication needs to be configured on the switch.
• C. The RSA keypair used for SSH must be regenerated after enabling TACACS+.
• D. The switch needs to be added as a network device in Cisco ISE and set to use TACACS+.

Answer: D

NEW QUESTION 8
Which type of identity store allows for creating single-use access credentials in Cisco ISE?

• A. OpenLDAP
• B. Local
• C. PKI
• D. RSA SecurID

Answer: D

NEW QUESTION 9
A user changes the status of a device to stolen in the My Devices Portal of Cisco ISE. The device was originally onboarded in the BYOD wireless Portal without a certificate. The device is found later, but the user cannot re-onboard the device because Cisco ISE assigned the device to the Blocklist endpoint identity group. What must the user do in the My Devices Portal to resolve this issue?

• A. Manually remove the device from the Blocklist endpoint identity group.
• B. Change the device state from Stolen to Not Registered.
• C. Change the BYOD registration attribute of the device to None.
• D. Delete the device, and then re-add the device.

Answer: B

NEW QUESTION 10
What is a method for transporting security group tags throughout the network?

• A. by enabling 802.1AE on every network device
• B. by the Security Group Tag Exchange Protocol
• C. by embedding the security group tag in the IP header
• D. by embedding the security group tag in the 802.1Q header

Answer: B

NEW QUESTION 11
Which configuration is required in the Cisco ISE authentication policy to allow Central Web Authentication?

• A. MAB and if user not found, continue
• B. MAB and if authentication failed, continue
• C. Dot1x and if user not found, continue
• D. Dot1x and if authentication failed, continue

Answer: A

NEW QUESTION 12
Select and Place

• A. Yes
• B. Not Mastered

Answer: A

NEW QUESTION 13
An engineer is using the low-impact mode for a phased deployment of Cisco ISE and is trying to connect to the network prior to authentication. Which access will be denied in this?

• A. HTTP
• B. DNS
• C. EAP
• D. DHCP

Answer: A

NEW QUESTION 14
Which Cisco ISE deployment model is recommended for an enterprise that has over 50,000 concurrent active endpoints?

• A. large deployment with fully distributed nodes running all personas
• B. medium deployment with primary and secondary PAN/MnT/pxGrid nodes with shared PSNs
• C. medium deployment with primary and secondary PAN/MnT/pxGrid nodes with dedicated PSNs
• D. small deployment with one primary and one secondary node running all personas

Answer: C

NEW QUESTION 15
Which use case validates a change of authorization?

• A. An authenticated, wired EAP-capable endpoint is discovered
• B. An endpoint profiling policy is changed for authorization policy.
• C. An endpoint that is disconnected from the network is discovered
• D. Endpoints are created through device registration for the guests

Answer: B

Explanation:
https://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_prof_pol.html

NEW QUESTION 16
An engineer needs to export a file in CSV format, encrypted with the password C1$c0438563935, and contains users currently configured in Cisco ISE. Drag and drop the steps from the left into the sequence on the right to complete this task.

• A. Yes
• B. Not Mastered

Answer: A

NEW QUESTION 17
Drag the Cisco ISE node types from the left onto the appropriate purposes on the right.

• A. Yes
• B. Not Mastered

Answer: A

NEW QUESTION 18
If a user reports a device lost or stolen, which portal should be used to prevent the device from accessing the network while still providing information about why the device is blocked?

• A. Client Provisioning
• B. Guest
• C. BYOD
• D. Blacklist

Answer: D

Explanation:
https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_Desi The Blacklist identity group is system generated and maintained by ISE to prevent access to lost or stolen devices. In this design guide, two authorization profiles are used to enforce the permissions for wireless and wired devices within the Blacklist:
Blackhole WiFi Access
Blackhole Wired Access

NEW QUESTION 19
Which two default endpoint identity groups does Cisco ISE create? (Choose two )

• A. block list
• B. endpoint
• C. profiled
• D. allow list
• E. unknown

Answer: CE

Explanation:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide
Default Endpoint Identity Groups Created for EndpointsCisco ISE creates the following five endpoint identity groups by default: Blacklist, GuestEndpoints, Profiled, RegisteredDevices, and Unknown. In addition, it creates two more identity groups, such as Cisco-IP-Phone and Workstation, which are associated to the Profiled (parent) identity group. A parent group is the default identity group that exists in the system.
Cisco ISE creates the following endpoint identity groups:
Blacklist—This endpoint identity group includes endpoints that are statically assigned to this group in Cisco ISE and endpoints that are block listed in the device registration portal. An authorization profile can be defined in Cisco ISE to permit, or deny network access to endpoints in this group.
GuestEndpoints—This endpoint identity group includes endpoints that are used by guest users.
Profiled—This endpoint identity group includes endpoints that match endpoint profiling policies except Cisco IP phones and workstations in Cisco ISE.
RegisteredDevices—This endpoint identity group includes endpoints, which are registered devices that are added by an employee through the devices registration portal. The profiling service continues to profile these devices normally when they are assigned to this group. Endpoints are statically assigned to this group in Cisco ISE, and the profiling service cannot reassign them to any other identity group. These devices will appear like any other endpoint in the endpoints list. You can edit, delete, and block these devices that you added through the device registration portal from the endpoints list in the Endpoints page in Cisco ISE. Devices that you have blocked in the device registration portal are assigned to the Blacklist endpoint identity group, and an authorization profile that exists in Cisco ISE redirects blocked devices to a URL, which displays “Unauthorised Network Access”, a default portal page to the blocked devices.
Unknown—This endpoint identity group includes endpoints that do not match any profile in Cisco ISE. In addition to the above system created endpoint identity groups, Cisco ISE creates the following endpoint
identity groups, which are associated to the Profiled identity group:
Cisco-IP-Phone—An identity group that contains all the profiled Cisco IP phones on your network.
Workstation—An identity group that contains all the profiled workstations on your network.

NEW QUESTION 20
......