Cisco CCNP Security 300-715 Questions & Answers

• Question 181:

  A laptop was stolen and a network engineer added it to the block list endpoint identity group

  What must be done on a new Cisco ISE deployment to redirect the laptop and restrict access?

  A. Select DenyAccess within the authorization policy.

  B. Ensure that access to port 8443 is allowed within the ACL.

  C. Ensure that access to port 8444 is allowed within the ACL.

  D. Select DROP under If Auth fail within the authentication policy.

  Correct Answer: C

  https://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_010000.html

• Question 182:

  An engineer is implementing network access control using Cisco ISE and needs to separate the traffic based on the network device ID and use the IOS device sensor capability. Which probe must be used to accomplish this task?

  A. HTTP probe

  B. NetFlow probe

  C. network scan probe

  D. RADIUS probe

  Correct Answer: D

  https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200292-Configure-Device-Sensor-for-ISE-Profilin.html http://www.network-node.com/blog/2016/1/2/ise-20-profiling

• Question 183:

  What does a fully distributed Cisco ISE deployment include?

  A. PAN and PSN on the same node while MnTs are on their own dedicated nodes.

  B. PAN and MnT on the same node while PSNs are on their own dedicated nodes.

  C. All Cisco ISE personas on their own dedicated nodes.

  D. All Cisco ISE personas are sharing the same node.

  Correct Answer: C

  Reference: CCNP Security Identity Management SISE 300-715 Official Cert Guide, Chapter 6, Page 117, Figure 6-4. In a fully distributed deployment each persona is on it's own dedicated node. This is the only deployment model that allows you to scale beyond the 5 PSNs.

  https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_setup_cisco_ise.html

• Question 184:

  An administrator is migrating device administration access to Cisco ISE from the legacy TACACS+ solution that used only privilege 1 and 15 access levels. The organization requires more granular controls of the privileges and wants to customize access levels 2-5 to correspond with different roles and access needs. Besides defining a new shell profile in Cisco ISE.

  What must be done to accomplish this configuration?

  A. Enable the privilege levels in Cisco ISE

  B. Enable the privilege levels in the IOS devices.

  C. Define the command privileges for levels 2-5 in the IOS devices

  D. Define the command privileges for levels 2-5 in Cisco ISE

  Correct Answer: D

  https://learningnetwork.cisco.com/s/blogs/a0D3i000002eeWTEAY/cisco-ios-privilege-levels

• Question 185:

  An organization is adding new profiling probes to the system to improve profiling on Oseo ISE The probes must support a common network management protocol to receive information about the endpoints and the ports to which they are connected

  What must be configured on the network device to accomplish this goal?

  A. ARP

  B. SNMP

  C. WCCP

  D. ICMP

  Correct Answer: B

  https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456#toc-hId-790343135

• Question 186:

  An engineer is working with a distributed deployment of Cisco ISE and needs to configure various network probes to collect a set of attributes from the used to accomplish this task?

  A. policy service

  B. monitoring

  C. pxGrid

  D. primary policy administrator

  Correct Answer: B

• Question 187:

  An organization is migrating its current guest network to Cisco ISE and has 1000 guest users in the current database There are no resources to enter this information into the Cisco ISE database manually. What must be done to accomplish this task effciently?

  A. Use a CSV file to import the guest accounts

  B. Use SOL to link me existing database to Ctsco ISE

  C. Use a JSON fie to automate the migration of guest accounts

  D. Use an XML file to change the existing format to match that of Cisco ISE

  Correct Answer: A

  https://www.youtube.com/watch?v=DNYaFl-8zWkandab_channel=CiscoISE-IdentityServicesEngine

• Question 188:

  MacOS users are complaining about having to read through wordy instructions when remediating their workstations to gam access to the network Which alternate method should be used to tell users how to remediate?

  A. URL link

  B. message text

  C. executable

  D. file distribution

  Correct Answer: A

  https://www.sciencedirect.com/topics/computer-science/remediation-action

• Question 189:

  A network administrator is configuring a secondary cisco ISE node from the backup configuration of the primary cisco ISE node to create a high availability pair The Cisco ISE CA certificates and keys must be manually backed up from the primary Cisco ISE and copied into the secondary Cisco ISE

  Which command most be issued for this to work?

  A. copy certificate Ise

  B. application configure Ise

  C. certificate configure Ise

  D. Import certificate Ise

  Correct Answer: B

  https://community.cisco.com/t5/network-access-control/ise-certificate-import-export/m-p/3847746

• Question 190:

  A new employee just connected their workstation to a Cisco IP phone. The network administrator wants to ensure that the Cisco IP phone remains online when the user disconnects their Workstation from the corporate network Which CoA configuration meets this requirement?

  A. Port Bounce

  B. Reauth

  C. NoCoA

  D. Disconnect

  Correct Answer: B

  https://ciscocustomer.lookbookhq.com/iseguidedjourney/ISE-profiling-design