Cisco CCNP Security 300-715 Questions & Answers

• Question 11:

  A network engineer is configuring a new certificate template on the internal CA within Cisco ISE to provision certificates to BYOD devices that must be enrolled in the network. What must be configured in the SAN field of the certificate to identify the devices after enrollment?

  A. MAC address

  B. email address

  C. user principal name

  D. common name

  Correct Answer: A

• Question 12:

  An administrator must configure Cisco ISE to authenticate a user accessing a Cisco Adaptive Security Appliance firewall using SSH. The solution must meet these requirements:

  ? The local Cisco ISE database must be used for user authentication ? ASA commands run by users must be validated

  The configurations were performed: ? added the Cisco Adaptive Security Appliance firewall ? configured user accounts ? enabled Device Admin Service in Cisco ISE ? configured a TACACS profile ? configured an authorization policy ? configured the Cisco Adaptive Security Appliance firewall for authentication and authorization

  Which two actions must be taken in Cisco ISE? (Choose two.)

  A. Enable local authentication.

  B. Configure a user identity group.

  C. Configure an authentication profile.

  D. Configure TACACS command sets.

  E. Configure an authorization profile.

  Correct Answer: BD

• Question 13:

  Which nodes are supported in a distributed Cisco ISE deployment? (Choose two.)

  A. Policy Service nodes for session failover

  B. Administration nodes for session failover

  C. Monitoring nodes for PxGrid services

  D. Policy Service nodes for automatic failover

  Correct Answer: AC

• Question 14:

  An engineer is starting to implement a wired 802.1X project throughout the campus. The task is to ensure that the authentication procedure is disabled on the ports but still allows all endpoints to connect to the network. Which port-control option must the engineer configure?

  A. pae-disabled

  B. auto

  C. force-authorized

  D. force-unauthorized

  Correct Answer: C

• Question 15:

  An engineer wants to ease the management of endpoint identity groups from the Cisco ISE GUI. From the Identity Management menu in Cisco ISE, the engineer must be able to list the endpoint identity groups with a name that contains Android. Which task must the engineer perform?

  A. Create and save a quick filter with name equals Android as the criteria.

  B. Create an identity group named Android and set the parent group to profiled.

  C. Create and save an advanced filter with name equals Android as the criteria.

  D. Create an identity group named Android and populate the group with Android devices only.

  Correct Answer: C

• Question 16:

  A technician must configure MAB on an access switch. Due to a protocol error, the engineer discovers that MAB cannot authenticate. For MAB to function, which protocol must be enabled in the authorized protocol lists?

  A. EAP-TLS

  B. MS-CHAPv2

  C. Process Host Lookup

  D. CHAP

  Correct Answer: C

• Question 17:

  A network engineer must create a guest portal for wireless guests on Cisco ISE. The guest users must not be able to create accounts; however, the portal should require a username and password to connect. Which portal type must be created in Cisco ISE to meet the requirements?

  A. Custom Guest Portal

  B. Sponsored Guest Access

  C. Self Registered Guest Access

  D. Hotspot Guest Access

  Correct Answer: B

• Question 18:

  An administrator must configure Cisco ISE profiling services and the Cisco switch device sensor feature to provide user access using the AD-Join-Point and AD-Operating-System attributes from the Active Directory Probe. These configurations were performed:

  ? configured all the required Cisco Wireless LAN Controller configurations ? enabled Active Directory probes ? configured a custom profiling policy ? joined Cisco ISE to Active Directory ? configured the authorization rule with full access permission

  Which two actions complete the configuration? (Choose two.)

  A. Configure an identity group for endpoints.

  B. Enable the SNMP probe.

  C. Configure a profiling logical profile.

  D. Configure custom profiling conditions.

  E. Enable the RADIUS probe.

  Correct Answer: DE

• Question 19:

  A network engineer must configure a centralized Cisco ISE solution for wireless guest access with users in different time zones. The guest account activation time must be independent of the user time zone, and the guest account must be enabled automatically when the user self-registers on the guest portal. Which option in the time profile settings must be selected to meet the requirement?

  A. Select FromFirstLogin from the Account Type dropdown.

  B. Select FromCreation from the Account Type dropdown.

  C. Set the Maximum Account Duration to 1 Day.

  D. Set the Duration field to 24:00:00.

  Correct Answer: A

• Question 20:

  DRAG DROP

  An organization wants to implement 802.1X and is debating whether to use PEAP-MSCHAPv2 or PEAP-EAP-TLS for authentication. Drag the characteristics on the left to the corresponding protocol on the right.

  Select and Place:

  

  Correct Answer: