Cisco CCNP Security 300-715 Questions & Answers

• Question 101:

  An engineer needs to configure a Cisco ISE server to issue a CoA for endpoints already authenticated to access the network. The CoA option must be enforced on a session, even if there are multiple active sessions on a port. What must be configured to accomplish this task?

  A. the Reauth CoA option in the Cisco ISE system profiling settings enabled

  B. an endpoint profiling policy with the No CoA option enabled

  C. an endpoint profiling policy with the Port Bounce CoA option enabled

  D. the Port Bounce CoA option in the Cisco ISE system profiling settings enabled

  Correct Answer: A

• Question 102:

  The security team wants to secure the wired network. A legacy printer on the network with the MAC address 00:43:08:50:64:60 does not support 802.1X. Which setting must be enabled in the Allowed Authentication Protocols list in your Authentication Policy for Cisco ISE to support MAB for this MAC address?

  A. MS-CHAPv2

  B. EAP-TLS

  C. PAP

  D. Process Host Lookup

  Correct Answer: D

  Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_010010.html#task_282816DDB9BA440BAF30EB451FF3445E

• Question 103:

  An organization is using Cisco ISE to provide AAA services to non-Cisco switches with IP phones connected. An engineer needs to use Profiling Services to authorize network access for IP phones that do not support 802.1X. What must be configured to accomplish this goal?

  A. DHCP

  B. SNMPTRAP

  C. SNMPQUERY

  D. RADIUS

  Correct Answer: A

• Question 104:

  Which type of identity store allows for creating single-use access credentials in Cisco ISE?

  A. OpenLDAP

  B. Local

  C. PKI

  D. RSA SecurID

  Correct Answer: D

  Reference: https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html

• Question 105:

  A network engineer needs to deploy 802.1x using Cisco ISE in a wired network environment where thin clients download their system image upon bootup using PXE. For which mode must the switch ports be configured?

  A. closed

  B. restricted

  C. monitor

  D. low-impact

  Correct Answer: D

• Question 106:

  An ISE administrator must change the inactivity timer for MAB endpoints to terminate the authentication session whenever a switch port that is connected to an IP phone does not detect packets from the device for 30 minutes. Which action must be taken to accomplish this task?

  A. Add the authentication timer reauthenticate server command to the switchport.

  B. Add the authentication timer inactivity 3600 command to the switchport.

  C. Change the idle-timeout on the Radius server to 3600 seconds for IP Phone endpoints.

  D. Configure the session-timeout to be 3600 seconds on Cisco ISE.

  Correct Answer: B

• Question 107:

  An engineer is testing low-impact mode for a phased deployment of Cisco ISE. Which type of traffic is denied when a host tries to connect to the network prior to authentication?

  A. DNS

  B. EAP

  C. DHCP

  D. HTTP

  Correct Answer: D

• Question 108:

  An administrator is attempting to join a new node to the primary Cisco ISE node, but receives the error message "Node is Unreachable". What is causing this error?

  A. The second node is a PAN node.

  B. No administrative certificate is available for the second node.

  C. The second node is in standalone mode.

  D. No admin privileges are available on the second node.

  Correct Answer: B

  https://www.ciscopress.com/articles/article.asp?p=2812072

• Question 109:

  An engineer wants to learn more about Cisco ISE and deployed a new lab with two nodes. Which two persona configurations allow the engineer to successfully test redundancy of a failed node? (Choose two.)

  A. Configure one of the Cisco ISE nodes as the Health Check node.

  B. Configure both nodes with the PAN and MnT personas only.

  C. Configure one of the Cisco ISE nodes as the primary PAN and MnT personas and the other as the secondary.

  D. Configure both nodes with the PAN, MnT, and PSN personas.

  E. Configure one of the Cisco ISE nodes as the primary PAN and PSN personas and the other as the secondary.

  Correct Answer: CD

• Question 110:

  What are the minimum requirements for deploying the Automatic Failover feature on Administration nodes in a distributed Cisco ISE deployment?

  A. a primary and secondary PAN and a health check node for the Secondary PAN

  B. a primary and secondary PAN and no health check nodes

  C. a primary and secondary PAN and a pair of health check nodes

  D. a primary and secondary PAN and a health check node for the Primary PAN

  Correct Answer: D

  In a high availability configuration, the Primary Administration Node (PAN) is in the active state. The Secondary PAN (backup PAN) is in the standby state, which means it receives all configuration updates from the Primary PAN, but is not active in the ISE network.

  Cisco ISE supports manual and automatic failover. With automatic failover, when the Primary PAN goes down, an automatic promotion of the Secondary PAN is initiated. Automatic failover requires a non-administration secondary node, which is called a health check node. The health check node checks the health of Primary PAN. If the health detects that the Primary PAN is down or unreachable, the health check node initiates the promotion of the Secondary PAN to take over the primary role.

  To deploy the auto-failover feature, you must have at least three nodes, where two of the nodes assume the Administration persona, and one node acts as the health check node. A health check node is a non-administration node and can be a Policy Service, Monitoring, or pxGrid node, or a combination of these. If the PANs are in different data centers, you must have a health check node for each PAN.