Q31. An organization has recently deployed ISE with the latest models of Cisco switches, and it plans to deploy TrustSec to secure its infrastructure. The company also wants to allow different network access policies for different user groups (e.g., administrators). Which solution is needed to achieve these goals? 

A. Cisco Security Group Access Policies in order to use SGACLs to control access based on SGTs assigned to different users 

B. MACsec in Multiple-Host Mode in order to open or close a port based on a single authentication 

C. Identity-based ACLs on the switches with user identities provided by ISE 

D. Cisco Threat Defense for user group control by leveraging NetFlow exported from the switches and login information from ISE 

Answer: A 


Q32. Which two components are required to connect to a WLAN network that is secured by EAP-TLS authentication? (Choose two.) 

A. Kerberos authentication server 

B. AAA/RADIUS server 

C. PSKs 

D. CA server 

Answer: B,D 


Q33. CORRECT TEXT 

The Secure-X company has started testing an 802.1X authentication deployment using the Cisco Catalyst 3560-X Layer 3 switch and the Cisco ISE v1.2 appliance. Each employee desktop will be connected to an 802.1X-enabled switch port and will use the Cisco AnyConnect NAM 802.1X supplicant to log in and connect to the network. 

Your particular tasks in this simulation are to create a new identity source sequence named AD_internal which will first use Microsoft Active Directory (AD1) and then the ISE Internal Users database. Once the new identity source sequence has been configured, edit the existing Dot1X authentication policy to use the new AD_internal identity source sequence. 

The Microsoft Active Directory (AD1) identity store has already been successfully configured, you just need to reference it in your configuration. 

In addition to the above, you are also tasked to edit the IT users authorization policy so IT users who successfully authenticated will get the permission of the existing IT_Corp authorization profile. 

Perform this simulation by accessing the ISE GUI to perform the following tasks: 

. Create a new identity source sequence named AD_internal to first use the Microsoft Active Directory (AD1) then use the ISE Internal User database 

. Edit the existing Dot1X authentication policy to use the new AD_internal identity source sequence: 

. If authentication failed: reject the access request 

. If user is not found in AD: drop the request without sending a response 

. If process failed: drop the request without sending a response 

. Edit the IT users authorization policy so IT users who successfully authenticated will get the permission of the existing IT_Corp authorization profile. 

To access the ISE GUI, click the ISE icon in the topology diagram. To verify your configuration, from the ISE GUI you should see the Authentication Succeeded event for the it1 user after you have defined the Dot1X authentication policy to use Microsoft Active Directory first and then the ISE Internal Users database to authenticate the user. In the Authentication Succeeded event you should also see the IT_Corp authorization profile being applied to the it1 user. If your configuration is not correct and ISE cannot authenticate the user against Microsoft Active Directory, you will see the Authentication Failed event for the it1 user instead. 

Note: If you make a mistake in the Identity Source Sequence configuration, please delete the Identity Source Sequence then re-add a new one. The edit Identity Source Sequence function is not implemented in this simulation. 

Answer: Review the explanation for full configuration and solution. 


Q34. During client provisioning on a Mac OS X system, the client system fails to renew its IP address. Which change can you make to the agent profile to correct the problem? 

A. Enable the Agent IP Refresh feature. 

B. Enable the Enable VLAN Detect Without UI feature. 

C. Enable CRL checking. 

D. Edit the Discovery Host parameter to use an IP address instead of an FQDN. 

Answer:


Q35. Which three statements describe differences between TACACS+ and RADIUS? (Choose three.) 

A. RADIUS encrypts the entire packet, while TACACS+ encrypts only the password. 

B. TACACS+ encrypts the entire packet, while RADIUS encrypts only the password. 

C. RADIUS uses TCP, while TACACS+ uses UDP. 

D. TACACS+ uses TCP, while RADIUS uses UDP. 

E. RADIUS uses ports 1812 and 1813, while TACACS+ uses port 49. 

F. TACACS+ uses ports 1812 and 1813, while RADIUS uses port 49 

Answer: B,D,E 
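To make the encryption difference in Q35 concrete, the following is an added Python example (not part of the original question set) that implements the RADIUS User-Password hiding from RFC 2865 section 5.2 and the TACACS+ body obfuscation from RFC 8907 section 4.5, builds one minimal packet of each kind, and checks which credential fields a passive sniffer could still read. The shared secret, Request Authenticator, session ID, device port and credentials are constructed test values, not captured traffic; the transports and port numbers from the question are not exercised because nothing is sent.

```python
"""Added example: why TACACS+ is said to encrypt the entire packet while RADIUS
encrypts only the password. RADIUS (RFC 2865 5.2) hides just the User-Password
attribute; TACACS+ (RFC 8907 4.5) XORs the whole packet body with an MD5-derived
pseudo-pad. All secrets and identifiers below are constructed test values."""
import hashlib
import struct


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad the password with NULs to a multiple of 16 bytes, then
    XOR chunk i with MD5(secret + c[i-1]); chunk 0 uses the 16-byte Request
    Authenticator in place of c[-1]. Nothing else in the packet is protected."""
    if not 1 <= len(password) <= 128 or len(authenticator) != 16:
        raise ValueError("password must be 1..128 bytes, authenticator 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + chunk, chunk
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password (what the RADIUS server does)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return out.rstrip(b"\x00")


def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 4.5 pseudo-pad: MD5_1 = MD5(session_id || key || version || seq_no),
    MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1}), concatenated
    and truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the entire body with the pseudo-pad; the same call de-obfuscates."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_radius_access_request(username: bytes, password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Minimal Access-Request (Code 1, Identifier 1) carrying User-Name (type 1)
    in cleartext and User-Password (type 2) hidden."""
    attrs = bytes([1, 2 + len(username)]) + username
    hidden = radius_hide_password(password, secret, authenticator)
    attrs += bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, 1, 20 + len(attrs)) + authenticator + attrs


def build_tacacs_authen_start(username: bytes, password: bytes, port: bytes, rem_addr: bytes) -> bytes:
    """Authentication START body (RFC 8907 5.1): action=LOGIN(1), priv_lvl=1,
    authen_type=PAP(2), authen_service=LOGIN(1); for PAP the data field carries
    the password. In TACACS+ even the username sits inside the obfuscated body."""
    return (bytes([1, 1, 2, 1, len(username), len(port), len(rem_addr), len(password)])
            + username + port + rem_addr + password)


def build_tacacs_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """12-byte TACACS+ header (version 0xc0, type AUTHEN=1, flags=0 meaning the
    body is obfuscated) followed by the obfuscated body."""
    version = 0xC0
    header = struct.pack("!BBBBII", version, 1, seq_no, 0, session_id, len(body))
    return header + tacacs_obfuscate(body, session_id, key, version, seq_no)


def on_wire_exposure() -> dict:
    """Build one packet of each kind from constructed values and report which
    credential fields still appear verbatim in the bytes on the wire."""
    secret = b"Sh4redSecret"                          # constructed shared secret / key
    username, password = b"netadmin", b"Hunter2!"     # constructed credentials
    authenticator = bytes(range(16))                  # constructed; a real client uses 16 random bytes
    radius = build_radius_access_request(username, password, secret, authenticator)
    body = build_tacacs_authen_start(username, password, b"tty0", b"10.0.0.5")
    tacacs = build_tacacs_packet(body, 0x1234ABCD, secret)
    return {
        "radius_username_visible": username in radius,
        "radius_password_visible": password in radius,
        "tacacs_username_visible": username in tacacs,
        "tacacs_password_visible": password in tacacs,
    }


if __name__ == "__main__":
    for field, visible in on_wire_exposure().items():
        print(f"{field}: {visible}")
```

Running it shows the RADIUS User-Name readable on the wire and only the User-Password hidden, while in the TACACS+ packet neither the username nor the password is visible; both schemes rest on MD5 and a static shared secret, which is why RADIUS over TLS (RadSec) or TACACS+ over an IPsec/management VPN is the usual hardening rather than trusting this obfuscation alone.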


Q36. Which type of access list is the most scalable that Cisco ISE can use to implement network authorization enforcement for a large number of users? 

A. downloadable access lists 

B. named access lists 

C. VLAN access lists 

D. MAC address access lists 

Answer: A 


Q37. In a multi-node ISE deployment, backups are not working on the MnT node. Which ISE CLI option would help mitigate this issue? 

A. repository 

B. ftp-url 

C. application-bundle 

D. collector 

Answer: A 


Q38. Which Cisco ISE 1.x protocol can be used to control admin access to network access devices? 

A. TACACS+ 

B. RADIUS 

C. EAP 

D. Kerberos 

Answer: B 


Q39. Changes were made to the ISE server while troubleshooting, and now all wireless certificate authentications are failing. Logs indicate an EAP failure. What are the two possible causes of the problem? (Choose two.) 

A. EAP-TLS is not checked in the Allowed Protocols list 

B. Client certificate is not included in the Trusted Certificate Store 

C. MS-CHAPv2 is not checked in the Allowed Protocols list 

D. Default rule denies all traffic 

E. Certificate authentication profile is not configured in the Identity Store 

Answer: A,E 


Q40. Which statement about IOS accounting is true? 

A. A named list of AAA methods must be defined. 

B. A named list of accounting methods must be defined. 

C. Authorization must be configured before accounting. 

D. A named list of tracking methods must be defined. 

Answer: