Cisco CCNP Security 300-715 Questions & Answers

• Question 21:

  DRAG DROP

  Drag and drop the description from the left onto the protocol on the right that is used to carry out system authentication, authentication, and accounting.

  Select and Place:

  

  Correct Answer:

  

  https://www.mbne.net/tech-notes/aaa-tacacs-radius

• Question 22:

  DRAG DROP

  Drag the descriptions on the left onto the components of 802.1X on the right.

  Select and Place:

  

  Correct Answer:

  

  https://netlabz.wordpress.com/2016/09/24/cisco-ise-fundamentals/

  

• Question 23:

  DRAG DROP

  Drag the steps to configure a Cisco ISE node as a primary administration node from the left into the correct order on the night.

  Select and Place:

  

  Correct Answer:

  

  https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_Step 1

  Choose Administration > System > Deployment.

  The Register button will be disabled initially. To enable this button, you must configure a Primary PAN.

  Step 2

  Check the check box next to the current node, and click Edit.

  Step 3

  Click Make Primary to configure your Primary PAN.

  Step 4

  Enter data on the General Settings tab.

  Step 5

  Click Save to save the node configuration.

• Question 24:

  DRAG DROP

  Drag the Cisco ISE node types from the left onto the appropriate purposes on the right.

  Select and Place:

  

  Correct Answer:

  

  Monitoring = provides advanced monitoring and troubleshooting tools that you can use to effectively manage your network and resources

  Policy Service = provides network access, posture, guest access, client provisioning, and profiling services.

  This persona evaluates the policies and makes all the decisions.

  Administration = manages all system-related configuration and configurations that relate to functionality such as authentication, authorization, auditing, and so on pxGrid = shares context-sensitive information from Cisco ISE to subscribers

  https://www.cisco.com/c/en/us/td/docs/security/admin_guide/b_ise_admin_guide_14/b_ise_admin_guide_14_chapter_011.html#ID57

• Question 25:

  Refer to the exhibit.

  

  Which checkbox must be enabled to allow Cisco ISE to publish group membership information for active users that can be shared with Cisco Firepower devices?

  A. Enable Passive Identity Service

  B. Enable SXP Service

  C. Enable Device Admin Service

  D. pxGrid

  Correct Answer: D

• Question 26:

  What is a difference between TACACS+ compared to RADIUS? (Choose two.)

  A. TACACS+ encrypts only the password, and RADIUS encrypts the entire packet payload.

  B. TACACS+ uses a connection-oriented transport, and RADIUS uses a connectionless transport.

  C. TACACS+ supports 802.1X network access control, and RADIUS supports only MAB.

  D. TACACS+ offers multiple protocol support, and RADIUS supports only IP traffic.

  Correct Answer: BD

• Question 27:

  An engineer must use certificate authentication for endpoints that connect to a wired network with a Cisco ISE deployment. The engineer must define the certificate field used as the principal username. What is needed to complete the configuration?

  A. authorization profile

  B. authentication policy

  C. authorization rule

  D. authentication profile

  Correct Answer: D

• Question 28:

  A client with MAC address 04:77:10:14:67:AB connects to the network. The client does not support 802.1X. Which setting must be enabled in the Allowed Authentication Protocols list in your Authentication Policy for Cisco ISE Server to support MAB authentication for this MAC address?

  A. Process Host Lookup

  B. EAP-FAST

  C. EAP-TTLS

  D. MS-CHAPv2

  Correct Answer: A

• Question 29:

  A network engineer is configuring a Cisco WLC in order to find out more information about the devices that are connecting. This information must be sent to Cisco ISE to be used in authorization policies. Which profiling mechanism must be configured in the Cisco WLC to accomplish this task?

  A. SNMP

  B. CDP

  C. DNS

  D. DHCP

  Correct Answer: D

• Question 30:

  The security team identified a rogue endpoint with MAC address 00:46:91:02:28:4A attached to the network. Which action must security engineer take within Cisco ISE to effectively restrict network access for this endpoint?

  A. Configure access control list on network switches to block traffic.

  B. Create authentication policy to force reauthentication.

  C. Add MAC address to the endpoint quarantine list.

  D. Implement authentication policy to deny access.

  Correct Answer: C

  Cisco ISE provides a feature called Adaptive Network Control (ANC) that allows administrators to apply policies to endpoints based on their behavior or status1. One of the ANC policies is Quarantine, which restricts network access for an endpoint by assigning it to a limited-access VLAN or applying an access control list (ACL) on the switch port2. To use the Quarantine policy, the administrator must add the MAC address of the rogue endpoint to the endpoint quarantine list in ISE2. This will trigger a change of authorization (CoA) for the endpoint and apply the Quarantine policy. The other options are not effective for restricting network access for a rogue endpoint, as they do not use the ANC feature of ISE.