Cisco 300-715 - Implementing and Configuring Cisco Identity Services Engine (SISE) v4.0 (300-715 SISE)

Cisco 300-715 Premium Access Download Demo

Page: 5 / 9
Total 303 questions

Drag and drop the configuration steps from the left into the sequence on the right to install two Cisco ISE nodes in a distributed deployment.

Question # 42

Which two default endpoint identity groups does Cisco ISE create? (Choose two )

block list

endpoint

profiled

allow list

unknown

Explanation:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_010100.html

Cisco ISE creates the following five endpoint identity groups by default: Blacklist, GuestEndpoints, Profiled, RegisteredDevices, and Unknown. In addition, it creates two more identity groups, such as Cisco-IP-Phone and Workstation, which are associated to the Profiled (parent) identity group. A parent group is the default identity group that exists in the system.

Cisco ISE creates the following endpoint identity groups:

Blacklistâ€”This endpoint identity group includes endpoints that are statically assigned to this group in Cisco ISE and endpoints that are block listed in the device registration portal. An authorization profile can be defined in Cisco ISE to permit, or deny network access to endpoints in this group.

GuestEndpointsâ€”This endpoint identity group includes endpoints that are used by guest users.

Profiledâ€”This endpoint identity group includes endpoints that match endpoint profiling policies except Cisco IP phones and workstations in Cisco ISE.

RegisteredDevicesâ€”This endpoint identity group includes endpoints, which are registered devices that are added by an employee through the devices registration portal. The profiling service continues to profile these devices normally when they are assigned to this group. Endpoints are statically assigned to this group in Cisco ISE, and the profiling service cannot reassign them to any other identity group. These devices will appear like any other endpoint in the endpoints list. You can edit, delete, and block these devices that you added through the device registration portal from the endpoints list in the Endpoints page in Cisco ISE. Devices that you have blocked in the device registration portal are assigned to the Blacklist endpoint identity group, and an authorization profile that exists in Cisco ISE redirects blocked devices to a URL, which displays â€œUnauthorised Network Accessâ€, a default portal page to the blocked devices.

Unknownâ€”This endpoint identity group includes endpoints that do not match any profile in Cisco ISE.

In addition to the above system created endpoint identity groups, Cisco ISE creates the following endpoint identity groups, which are associated to the Profiled identity group:

Cisco-IP-Phoneâ€”An identity group that contains all the profiled Cisco IP phones on your network.

Workstationâ€”An identity group that contains all the profiled workstations on your network.

Question # 43

A network administrator must use Cisco ISE to check whether endpoints have the correct version of antivirus installed Which action must be taken to allow this capability?

Configure a native supplicant profile to be used for checking the antivirus version

Configure Cisco ISE to push the HostScan package to the endpoints to check for the antivirus version.

Create a Cisco AnyConnect Network Visibility Module configuration profile to send the antivirus information of the endpoints to Cisco ISE.

Create a Cisco AnyConnect configuration within Cisco ISE for the Compliance Module and associated configuration files

Question # 44

A Cisco ISE engineer is creating a certificate authentication profile to be used with machine authentication for the network. The engineer wants to be able to compare the user-presented certificate with a certificate stored in Active Directory. What must be done to accomplish this?

Configure the user-presented password hash and a hash stored in Active Directory for comparison

Add the subject alternative name and the common name to the CAP.

Enable the option for performing binary comparison.

Use MS-CHAPv2 since it provides machine credentials and matches them to credentials stored in Active Directory

Question # 45

An administrator plans to use Cisco ISE to deploy posture policies to assess Microsoft Windows endpoints that run Cisco Secure Client. The administrator wants to minimize the occurrence of messages related to unknown posture profiles if Cisco ISE fails to determine the posture of the endpoint. Secure Client is deployed to all the endpoints. and all the required Cisco ISE authentication, authorization, and posture policy configurations were performed. Which action must be taken next to complete the configuration?

Install the latest version of the Secure Client client on the endpoints.

Enable Cisco ISE posture on Secure Client configuration.

Configure a native supplicant on the endpoints to support the posture policies.

Install the compliance module on the endpoints.

Question # 46

An engineer must organize endpoints in a Cisco ISE identity management store to improve the operational management of IP phone endpoints. The endpoints must meet these requirements:

â€¢ classify endpoints for finance, sales, and marketing departments

â€¢ tag each endpoint as profiled

Which action organizes the endpoints?

Create an endpoint identity group for each department with the IP phone parent group.

Create an endpoint identity group for each department with the profiled parent group.

Add a tag for the endpoints of each department and add an endpoint to profiled group.

Add a tag for the endpoints of each department and use the identity group filter.

Question # 47

A security engineer configures a Cisco Catalyst switch to use Cisco TrustSec. The engineer must define the PAC key to authenticate the switch to Cisco IISE. Drag and drop the commands from the left into sequence on the right. Not all options are used.

Question # 48

An engineer is configuring the remote access VPN to use Cisco ISE for AAA and needs to conduct posture checks on the connecting endpoints After the endpoint connects, it receives its initial authorization result and continues onto the compliance scan What must be done for this AAA configuration to allow compliant access to the network?

Configure the posture authorization so it defaults to unknown status

Fix the CoA port number

Ensure that authorization only mode is not enabled

Enable dynamic authorization within the AAA server group

Question # 49

An engineer is starting to implement a wired 802.1X project throughout the campus. The task is to ensure that the authentication procedure is disabled on the ports but still allows all endpoints to connect to the network. Which port-control option must the engineer configure?

pae-disabled

force-unauthorized

auto

force-authorized

Question # 50

A security administrator is using Cisco ISE to create a BYOD onboarding solution for all employees who use personal devices on the corporate network. The administrator generates a Certificate Signing Request and signs the request using an external Certificate Authority server. Which certificate usage option must be selected when importing the certificate into ISE?

RADIUS

DLTS

Portal

Admin

Winter Sale Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: ecus65

Cisco 300-715 - Implementing and Configuring Cisco Identity Services Engine (SISE) v4.0 (300-715 SISE)

The Answer Is:

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

The Answer Is:

The Answer Is:

The Answer Is:

The Answer Is:

The Answer Is:

The Answer Is: