Pass Cisco Implementing and Configuring Cisco Identity Services Engine Exam in First Attempt Guaranteed Updated Dump from ExamsLabs!
Pass 300-715 Exam with 153 Questions - Verified By ExamsLabs
NEW QUESTION 91
An organization is implementing Cisco ISE posture services and must ensure that a host-based firewall is in place on every Windows and Mac computer that attempts to access the network They have multiple vendors' firewall applications for their devices, so the engineers creating the policies are unable to use a specific application check in order to validate the posture for this What should be done to enable this type of posture check?
- A. Use the file registry condition to ensure that the firewal is installed and running appropriately.
- B. Use a compound condition to look for the Windows or Mac native firewall applications.
- C. Enable the default rewall condition to check for any vendor rewall application.
- D. Enable the default application condition to identify the applications installed and validade the rewall app.
Answer: C
Explanation:
https://www.youtube.com/watch?v=6Kj8P8Hn7dY&t=109s&ab_channel=CiscoISE-IdentityServicesEngine
NEW QUESTION 92
Refer to the exhibit.
A network engineers configuring the switch to accept downloadable ACLs from a Cisco ISC server Which two commands should be run to complete the configuration? (Choose two)
- A. ip device tracking
- B. dot1x system-auth-control
- C. aaa authorization auth-proxy default group radius
- D. radius server vsa sand authentication
- E. radius-server attribute 8 include-in-access-req
Answer: D,E
NEW QUESTION 93
Which two default endpoint identity groups does Cisco ISE create? (Choose two )
- A. unknown
- B. profiled
- C. allow list
- D. endpoint
- E. block list
Answer: A,B
Explanation:
Explanation
https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide Default Endpoint Identity Groups Created for EndpointsCisco ISE creates the following five endpoint identity groups by default: Blacklist, GuestEndpoints, Profiled, RegisteredDevices, and Unknown. In addition, it creates two more identity groups, such as Cisco-IP-Phone and Workstation, which are associated to the Profiled (parent) identity group. A parent group is the default identity group that exists in the system.
Cisco ISE creates the following endpoint identity groups:
* Blacklist-This endpoint identity group includes endpoints that are statically assigned to this group in Cisco ISE and endpoints that are block listed in the device registration portal. An authorization profile can be defined in Cisco ISE to permit, or deny network access to endpoints in this group.
* GuestEndpoints-This endpoint identity group includes endpoints that are used by guest users.
* Profiled-This endpoint identity group includes endpoints that match endpoint profiling policies except Cisco IP phones and workstations in Cisco ISE.
* RegisteredDevices-This endpoint identity group includes endpoints, which are registered devices that are added by an employee through the devices registration portal. The profiling service continues to profile these devices normally when they are assigned to this group. Endpoints are statically assigned to this group in Cisco ISE, and the profiling service cannot reassign them to any other identity group.
* These devices will appear like any other endpoint in the endpoints list. You can edit, delete, and block these devices that you added through the device registration portal from the endpoints list in the Endpoints page in Cisco ISE. Devices that you have blocked in the device registration portal are assigned to the Blacklist endpoint identity group, and an authorization profile that exists in Cisco ISE redirects blocked devices to a URL, which displays "Unauthorised Network Access", a default portal page to the blocked devices.
* Unknown-This endpoint identity group includes endpoints that do not match any profile in Cisco ISE.
In addition to the above system created endpoint identity groups, Cisco ISE creates the following endpoint identity groups, which are associated to the Profiled identity group:
* Cisco-IP-Phone-An identity group that contains all the profiled Cisco IP phones on your network.
* Workstation-An identity group that contains all the profiled workstations on your network.
NEW QUESTION 94
Which two task types are included in the Cisco ISE common tasks support for TACACS+ profiles?
(Choose two.)
- A. Shell
- B. Firepower
- C. IOS
- D. ASA
- E. WLC
Answer: A,E
Explanation:
Reference:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_0100010.html TACACS+ Profile TACACS+ profiles control the initial login session of the device administrator. A session refers to each individual authentication, authorization, or accounting request. A session authorization request to a network device elicits an ISE response. The response includes a token that is interpreted by the network device, which limits the commands that may be executed for the duration of a session. The authorization policy for a device administration access service can contain a single shell profile and multiple command sets. The TACACS+ profile definitions are split into two components:
Common tasks
Custom attributes
There are two views in the TACACS+ Profiles page (Work Centers > Device Administration > Policy Elements > Results > TACACS Profiles)-Task Attribute View and Raw View. Common tasks can be entered using the Task Attribute View and custom attributes can be created in the Task Attribute View as well as the Raw View.
The Common Tasks section allows you to select and configure the frequently used attributes for a profile. The attributes that are included here are those defined by the TACACS+ protocol draft specifications. However, the values can be used in the authorization of requests from other services. In the Task Attribute View, the ISE administrator can set the privileges that will be assigned to the device administrator. The common task types are:
Shell
WLC
Nexus
Generic
The Custom Attributes section allows you to configure additional attributes. It provides a list of attributes that are not recognized by the Common Tasks section. Each definition consists of the attribute name, an indication of whether the attribute is mandatory or optional, and the value for the attribute. In the Raw View, you can enter the mandatory attributes using a equal to (=) sign between the attribute name and its value and optional attributes are entered using an asterisk (*) between the attribute name and its value. The attributes entered in the Raw View are reflected in the Custom Attributes section in the Task Attribute View and vice versa. The Raw View is also used to copy paste the attribute list (for example, another product's attribute list) from the clipboard onto ISE. Custom attributes can be defined for nonshell services.
NEW QUESTION 95
An administrator is attempting to replace the built-in self-signed certificates on a Cisco ISE appliance. The CA is requesting some information about the appliance in order to sign the new certificate. What must be done in order to provide the CA this information?
- A. Generate the CSR.
- B. Install the Root CA and intermediate CA.
- C. Download the intermediate server certificate.
- D. Download the CA server certificate.
Answer: B
NEW QUESTION 96
Which two default endpoint identity groups does cisco ISE create? (Choose two )
- A. profiled
- B. whitelist
- C. blacklist
- D. Unknown
- E. end point
Answer: A,C
Explanation:
Explanation
Default Endpoint Identity Groups Created for EndpointsCisco ISE creates the following five endpoint identity groups by default: Blacklist, GuestEndpoints, Profiled, RegisteredDevices, and Unknown. In addition, it creates two more identity groups, such as Cisco-IP-Phone and Workstation, which are associated to the Profiled (parent) identity group. A parent group is the default identity group that exists in the system.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide
NEW QUESTION 97
Refer to the exhibit.
A network engineers configuring the switch to accept downloadable ACLs from a Cisco ISC server Which two commands should be run to complete the configuration? (Choose two)
- A. dot1x system-auth-control
- B. radius-server attribute 8 include-in-access-req
- C. aaa authorization auth-proxy default group radius
- D. ip device tracking
- E. radius server vsa sand authentication
Answer: D,E
NEW QUESTION 98
Which statement is true?
- A. A Cisco ISE Advanced license can be used without any Base licenses.
- B. A Cisco ISE Advanced license is perpetual in nature.
- C. A Cisco ISE Advanced license can be installed on top of a Base and/or Wireless license.
- D. A Cisco ISE Wireless license can be installed on top of a Base and/or Advanced license.
Answer: C
NEW QUESTION 99
A network engineer is configuring guest access and notices that when a guest user registers a second device for access, the first device loses access What must be done to ensure that both devices for a particular user are able to access the guest network simultaneously?
- A. Modify the guest type to increase the number of maximum devices
- B. Use a custom portal to increase the number of logins
- C. Create an Adaptive Network Control policy to increase the number of devices
- D. Configure the sponsor group to increase the number of logins.
Answer: A
Explanation:
https://content.cisco.com/chapter.sjs?uri=/searchable/chapter/content/en/us/td/docs/security/ise/2-7/admin_guide/b_ise_admin_guide_27/b_ise_admin_guide_27_chapter_01111.html.xml
NEW QUESTION 100
Refer to the exhibit:
Which command is typed within the CU of a switch to view the troubleshooting output?
- A. show authentication registrations
- B. show authentication sessions method
- C. show authentication sessions mac 000e.84af.59af details
- D. show authentication interface gigabitethemet2/0/36
Answer: C
NEW QUESTION 101
An engineer is configuring Cisco ISE and needs to dynamically identify the network endpoints and ensure that endpoint access is protected.
Which service should be used to accomplish this task?
- A. guest access
- B. client provisioning
- C. profiling
- D. posture
Answer: C
Explanation:
Section: Profiler
Explanation
NEW QUESTION 102
Which protocol must be allowed for a BYOD device to access the BYOD portal?
- A. HTTPS
- B. HTTP
- C. SSH
- D. SMTP
Answer: C
NEW QUESTION 103
An organization wants to implement 802.1X and is debating whether to use PEAP-MSCHAPv2 or PEAP-EAP-TLS for authentication. Drag the characteristics on the left to the corresponding protocol on the right.
Answer:
Explanation:
NEW QUESTION 104
A network administrator changed a Cisco ISE deployment from pilot to production and noticed that the JVM memory utilization increased significantly. The administrator suspects this is due to replication between the nodes What must be configured to minimize performance degradation?
- A. Ensure that Cisco ISE is updated with the latest profiler feed update
- B. Review the profiling policies for any misconfiguration
- C. Enable the endpoint attribute filter
- D. Change the reauthenticate interval.
Answer: C
Explanation:
Explanation
https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide
NEW QUESTION 105
Which two probes must be enabled for the ARP cache to function in the Cisco ISE profile service so that a user can reliably bind the IP address and MAC addresses of endpoints? (Choose two.)
- A. NetFlow
- B. DHCP
- C. RADIUS
- D. HTTP
- E. SNMP
Answer: B,C
Explanation:
Explanation
Cisco ISE implements an ARP cache in the profiling service, so that you can reliably map the IP addresses and the MAC addresses of endpoints. For the ARP cache to function, you must enable either the DHCP probe or the RADIUS probe. The DHCP and RADIUS probes carry the IP addresses and the MAC addresses of endpoints in the payload data. The dhcp-requested address attribute in the DHCP probe and the Framed-IP-address attribute in the RADIUS probe carry the IP addresses of endpoints, along with their MAC addresses, which can be mapped and stored in the ARP cache.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide
NEW QUESTION 106
There are several devices on a network that are considered critical and need to be placed into the ISE database and a policy used for them. The organization does not want to use profiling. What must be done to accomplish this goal?
- A. Enter the IP address in the correct Logical Profile.
- B. Enter the MAC address in the correct Endpoint Identity Group.
- C. Enter the IP address in the correct Endpoint Identity Group.
- D. Enter the MAC address in the correct Logical Profile.
Answer: C
NEW QUESTION 107
What must be configured on the Cisco ISE authentication policy for unknown MAC addresses/identities for successful authentication?
- A. continue
- B. pass
- C. reject
- D. drop
Answer: A
Explanation:
Explanation
https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html
NEW QUESTION 108
......
Penetration testers simulate 300-715 exam: https://www.examslabs.com/Cisco/CCNPSecurity/best-300-715-exam-dumps.html
Free Test Engine For Implementing and Configuring Cisco Identity Services Engine Certification Exams: https://drive.google.com/open?id=127XTJas8eDEVM6u68UWpYrfuUCCit-yX