Which personas can a Cisco ISE node assume?

What occurs when a Cisco ISE distributed deployment has two nodes and the secondary node is deregistered?

Which two features are available when the primary admin node is down and the secondary admin node has not been promoted? (Choose two.)

Which supplicant(s) and server(s) are capable of supporting EAP-CHAINING?

What is a requirement for Feed Service to work?

What is a method for transporting security group tags throughout the network?

Drag the steps to configure a Cisco ISE node as a primary administration node from the left into the correct order on the right.

An engineer is configuring a virtual Cisco ISE deployment and needs each persona to be on a different node. Which persona should be configured with the largest amount of storage in this environment?

In a standalone Cisco ISE deployment, which two personas are configured on a node? (Choose two.)

A network engineer must enforce access control using special tags, without re-engineering the network design. Which feature should be configured to achieve this in a scalable manner?

A network engineer is configuring a network device that needs to filter traffic based on security group tags using a security policy on a routed interface. Which command should be used to accomplish this task?

In a Cisco ISE split deployment model, which load is split between the nodes?

What is the deployment mode when two Cisco ISE nodes are configured in an environment?

An engineer is testing Cisco ISE policies in a lab environment with no support for a deployment server. In order to push supplicant profiles to the workstations for testing, firewall ports will need to be opened. From which Cisco ISE persona should this traffic be originating?

What does a fully distributed Cisco ISE deployment include?

An engineer is configuring 802.1X and wants it to be transparent from the users' point of view. The implementation should provide open authentication on the switch ports while providing strong levels of security for non-authenticated devices. Which deployment mode should be used to achieve this?

A network administrator changed a Cisco ISE deployment from pilot to production and noticed that the JVM memory utilization increased significantly. The administrator suspects this is due to replication between the nodes. What must be configured to minimize performance degradation?

An administrator is attempting to replace the built-in self-signed certificates on a Cisco ISE appliance. The CA is requesting some information about the appliance in order to sign the new certificate. What must be done in order to provide the CA this information?

An administrator is adding network devices for a new medical building into Cisco ISE. These devices must be in a network device group that is identifying them as `Medical Switch` so that the policies can be made separately for the endpoints connecting through them. Which configuration item must be changed in the network device within Cisco ISE to accomplish this goal?

An organization wants to split their Cisco ISE deployment to separate the device administration functionalities from the main deployment. For this to work, the administrator must deregister any nodes that will become a part of the new deployment, but the button for this option is grayed out. Which configuration is causing this behavior?

A network administrator must configure Cisco ISE Personas in the company to share session information via syslog. Which Cisco ISE personas must be added to syslog receivers to accomplish this goal?

What is the maximum number of PSN nodes supported in a medium-sized deployment?

How is policy services node redundancy achieved in a deployment?

Which two fields are available when creating an endpoint on the context visibility page of Cisco ISE? (Choose two.)

In which two ways can users and endpoints be classified for TrustSec? (Choose two.)

When configuring Active Directory groups, what does the Cisco ISE use to resolve ambiguous group names?

Which permission is common to the Active Directory Join and Leave operations?

Which interface-level command is needed to turn on 802.1X authentication?

Which RADIUS attribute is used to dynamically assign the Inactivity active timer for MAB users from the Cisco ISE node?

What does the dot1x system-auth-control command do?

What should be configured on the Cisco ISE authentication policy for unknown MAC addresses/identities for successful authentication?

Which command displays all 802.1X/MAB sessions that are active on the switch ports of a Cisco Catalyst switch?

What are two requirements of generating a single certificate in Cisco ISE by using a certificate provisioning portal, without generating a certificate signing request? (Choose two.)

Refer to the exhibit. Which command is typed within the CLI of a switch to view the troubleshooting output?

What gives Cisco ISE an option to scan endpoints for vulnerabilities?

Which two values are compared by the binary comparison function in authentication that is based on Active Directory?

What happens when an internal user is configured with an external identity store for authentication, but an engineer uses the Cisco ISE admin portal to select an internal identity store as the identity source?

Which two actions occur when a Cisco ISE server device administrator logs in to a device? (Choose two.)

An engineer is configuring a guest password policy and needs to ensure that the password complexity requirements are set to mitigate brute force attacks. Which two requirements should be included in this policy? (Choose two.)

An engineer is using the low-impact mode for a phased deployment of Cisco ISE and is trying to connect to the network prior to authentication. Which access will be denied in this deployment?

An administrator needs to connect ISE to Active Directory as an external authentication source and allow the proper ports through the firewall. Which two ports should be opened to accomplish this task? (Choose two.)

An engineer is implementing Cisco ISE and needs to configure 802.1X. The port settings are configured for port-based authentication. Which command should be used to complete this configuration?

An organization wants to implement 802.1X and is debating whether to use PEAP-MSCHAPv2 or PEAP-EAP-TLS for authentication. Drag the characteristics on the left to the corresponding protocol on the right.

DRAG DROP - Drag the descriptions on the left onto the components of 802.1X on the right. Select and Place:

A network engineer is configuring Cisco TrustSec and needs to ensure that the Security Group Tag is being transmitted between two devices. Where in the Layer 2 frame should this be verified?

A network administrator must configure endpoints using an 802.1X authentication method with EAP identity certificates that are provided by the Cisco ISE. When the endpoint presents the identity certificate to Cisco ISE to validate the certificate, endpoints must be authorized to connect to the network. Which EAP type must be configured by the network administrator to complete this task?

An organization wants to standardize the 802.1X configuration on their switches and remove static ACLs on the switch ports while allowing Cisco ISE to communicate to the switch what access to provide. What must be configured to accomplish this task?

Refer to the exhibit. In which scenario does this switch configuration apply?

Refer to the exhibit. Which switch configuration change will allow only one voice and one data endpoint on each port?

A network security engineer needs to configure 802.1X port authentication to allow a single host to be authenticated for data and another single host to be authenticated for voice. Which command should the engineer run on the interface to accomplish this goal?

An administrator connects an HP printer to a dot1x enable port, but the printer is nor accessible. Which feature must the administrator enable to access the printer?

When configuring an authorization policy, an administrator cannot see specific Active Directory groups present in their domain to be used as a policy condition. However, other groups that are in the same domain are seen. What is causing this issue?

An engineer is implementing network access control using Cisco ISE and needs to separate the traffic based on the network device ID and use the IOS device sensor capability. Which probe must be used to accomplish this task?

What is an advantage of using EAP-TLS over EAP-MS-CHAPv2 for client authentication?

What must be configured on the WLC to configure Central Web Authentication using Cisco ISE and a WLC?

A network administrator is configuring authorization policies in Cisco ISE. There is a requirement to use AD group assignments to control access to network resources. After a recent power failure and Cisco ISE rebooting itself, the AD group assignments no longer work. What is the cause of this issue?

Refer to the exhibit. Which component must be configured to apply the SGACL?

A laptop was stolen and a network engineer added it to the block list endpoint identity group. What must be done on a new Cisco ISE deployment to redirect the laptop and restrict access?

When creating a policy within Cisco ISE for network access control, the administrator wants to allow different access restrictions based upon the wireless SSID to which the device is connecting. Which policy condition must be used in order to accomplish this?

A company manager is hosting a conference. Conference participants must connect to an open guest SSID and only use a preassigned code that they enter into the guest portal prior to gaining access to the network. How should the manager configure Cisco ISE to accomplish this goal?

An organization has a fully distributed Cisco ISE deployment. When implementing probes, an administrator must scan for unknown endpoints to learn the IP-to- MAC address bindings. The scan is complete on one PSN, but the information is not available on the others. What must be done to make the information available?

An administrator is configuring a switch port for use with 802.1X. What must be done so that the port will allow voice and multiple data endpoints?

An administrator is troubleshooting an endpoint that is supposed to bypass 802.1X and use MAB. The endpoint is bypassing 802.1X and successfully getting network access using MAB, however the endpoint cannot communicate because it cannot obtain an IP address. What is the problem?

A Cisco ISE administrator must restrict specific endpoints from accessing the network while in closed mode. The requirement is to have Cisco ISE centrally store the endpoints to restrict access from. What must be done to accomplish this task?

An engineer is using profiling to determine what access an endpoint must receive. After configuring both Cisco ISE and the network devices for 802.1X and profiling, the endpoints do not profile prior to authentication. What are two reasons this is happening? (Choose two.)

Which two external identity stores support EAP-TLS and PEAP-TLS? (Choose two.)

An engineer deploys Cisco ISE and must configure Active Directory to then use information from Active Directory in an authorization policy. Which two components must be configured, in addition to Active Directory groups, to achieve this goal? (Choose two.)

Which deployment mode allows for one or more policy service nodes to be used for session failover?

A network administrator has just added a front desk receptionist account to the Cisco ISE Guest Service sponsor group. Using the Cisco ISE Guest Sponsor Portal, which guest services can the receptionist provide?

What is needed to configure wireless guest access on the network?

Which two methods should a sponsor select to create bulk guest accounts from the sponsor portal? (Choose two.)

What is a valid guest portal type?

What is the purpose of the ip http server command on a switch?

Which advanced option within a WLAN must be enabled to trigger Central Web Authentication for Wireless users on AireOS controller?

Which configuration is required in the Cisco ISE authentication policy to allow Central Web Authentication?

An engineer is configuring web authentication using non-standard ports and needs the switch to redirect traffic to the correct port. Which command should be used to accomplish this task?

An engineer is using Cisco ISE and configuring guest services to allow wireless devices to access the network. Which action accomplishes this task?

An engineer is configuring web authentication and needs to allow specific protocols to permit DNS traffic. Which type of access list should be used for this configuration?

An administrator is adding a switch to a network that is running Cisco ISE and is only for IP Phones. The phones do not have the ability to authenticate via 802.1X. Which command is needed on each switch port for authentication?

A network engineer needs to ensure that the access credentials are not exposed during the 802.1X authentication among components. Which two protocols should be configured to accomplish this task? (Choose two.)

A network engineer is configuring guest access and notices that when a guest user registers a second device for access, the first device loses access. What must be done to ensure that both devices for a particular user are able to access the guest network simultaneously?

A Cisco ISE administrator needs to ensure that guest endpoint registrations are only valid for 1 day. When testing the guest policy flow, the administrator sees that the Cisco ISE does not delete the endpoint in the GuestEndpoints identity store after 1 day and allows access to the guest network after that period. Which configuration is causing this problem?

A network administrator is setting up wireless guest access and has been unsuccessful in testing client access. The endpoint is able to connect to the SSID but is unable to gain access to the guest network through the guest portal. What must be done to identify the problem?

An organization is hosting a conference and must make guest accounts for several of the speakers attending. The conference ended two days early but the guest accounts are still being used to access the network. What must be configured to correct this?

An organization is migrating its current guest network to Cisco ISE and has 1000 guest users in the current database. There are no resources to enter this information into the Cisco ISE database manually. What must be done to accomplish this task efficiently?

A customer wants to set up the Sponsor portal and delegate the authentication flow to a third party for added security while using Kerberos. Which database should be used to accomplish this goal?

Which two default guest portals are available with Cisco ISE? (Choose two.)

What is the minimum certainty factor when creating a profiler policy?

What sends the redirect ACL that is configured in the authorization profile back to the Cisco WLC?

Which profiling probe collects the user-agent string?

Which use case validates a change of authorization?

Which default endpoint identity group does an endpoint that does not match any profile in Cisco ISE become a member of?

What service can be enabled on the Cisco ISE node to identify the types of devices connecting to a network?

Which two probes must be enabled for the ARP cache to function in the Cisco ISE profiling service so that a user can reliably bind the IP addresses and MAC addresses of endpoints? (Choose two.)

Which two events trigger a CoA for an endpoint when CoA is enabled globally for ReAuth? (Choose two.)

Which two ports do network devices typically use for CoA? (Choose two.)

Which three default endpoint identity groups does Cisco ISE create? (Choose three.)

An engineer is working with a distributed deployment of Cisco ISE and needs to configure various network probes to collect a set of attributes from the endpoints on the network. Which node should be used to accomplish this task?

An engineer is configuring Cisco ISE to reprofile endpoints based only on new requests of INIT-REBOOT and SELECTING message types. Which probe should be used to accomplish this task?

An engineer is configuring Cisco ISE and needs to dynamically identify the network endpoints and ensure that endpoint access is protected. Which service should be used to accomplish this task?