Question List
1
A network engineer is configuring a new certificate template on the internal CA within Cisco ISE to provision certificates to BYOD devices that must be enrolled in the network. What must be configured in the SAN field of the certificate to identify the devices after enrollment?
MAC address
2
Which two events trigger a CoA for an endpoint when CoA is enabled globally for ReAuth? (Choose two.)
endpoint profile transition from Apple-device to Apple-iPhone, endpoint profile transition from Unknown to Windows10-Workstation
3
An engineer is testing low-impact mode for a phased deployment of Cisco ISE. Which type of traffic is denied when a host tries to connect to the network prior to authentication?
HTTP
4
Which two actions must be verified to confirm that the internet is accessible via guest access when configuring a guest portal? (Choose two.)
The guest user gets redirected to the authentication page when opening a browser., The guest device successfully associates with the correct SSID.
5
MacOS users are complaining about having to read through wordy instructions when remediating their workstations to gain access to the network. Which alternate method should be used to tell users how to remediate?
URL link
6
An administrator wants to integrate Cisco ISE with a third-party MDM solution to enforce compliance checks on endpoints. The integration must ensure that devices are compliant with corporate policies, such as encryption and up-to-date antivirus, before allowing full network access. What configuration steps are required in Cisco ISE, and how does pxGrid enhance this integration?
Enable pxGrid and configure MDM profiles in Cisco ISE.
7
Which command displays all 802.1X/MAB sessions that are active on the switch ports of a Cisco Catalyst switch?
show authentication sessions
8
An engineer is configuring static SGT classification. Which configuration should be used when authentication is disabled and third-party switches are in use?
IP Address to SGT mapping
9
When configuring Active Directory groups, what does the Cisco ISE use to resolve ambiguous group names?
SID
10
An engineer is configuring 802.1X and is testing out their policy sets. After authentication, some endpoints are given an access-reject message but are still allowed onto the network. What is causing this issue to occur?
The switch port is configured with authentication open.
11
What gives Cisco ISE an option to scan endpoints for vulnerabilities?
authorization profile
12
DRAG DROP - Drag and drop the description from the left onto the protocol on the right that is used to carry out system authentication, authorization, and accounting. Select and Place:
TACACS+: encrypts the entire payload; separates authentication and authorization; primary use is device administration. RADIUS: combines authentication and authorization; encrypts only the password field; primary use is network access.
13
A new employee just connected their workstation to a Cisco IP phone. The network administrator wants to ensure that the Cisco IP phone remains online when the user disconnects their workstation from the corporate network. Which CoA configuration meets this requirement?
Reauth
14
A network engineer is configuring a portal on Cisco ISE for employees. Employees must use this portal when registering personal devices with native supplicants. For onboarding devices connected with Cisco switches and Cisco wireless LAN controllers, the internal CA must be used. Which portal type must the engineer configure?
Bring Your Own Device portal
15
A network administrator must configure Cisco ISE Personas in the company to share session information via syslog. Which Cisco ISE personas must be added to syslog receivers to accomplish this goal?
monitor
16
An enterprise uses a separate PSN for each of its four remote sites. Recently, a user reported receiving an "EAP-TLS authentication failed" message when moving between remote sites. Which configuration must be applied on Cisco ISE?
Renew the expired certificate on one of the PSN.
17
When configuring Active Directory groups, an administrator is attempting to retrieve a group that has a name that is ambiguous with another group. What must be done so that the correct group is returned?
Use the SID as the identifier for the group.
18
In a standalone Cisco ISE deployment, which two personas are configured on a node? (Choose two.)
administration, policy service
19
An organization is using Cisco ISE to provide AAA services to non-Cisco switches with IP phones connected. An engineer needs to use Profiling Services to authorize network access for IP phones that do not support 802.1X. What must be configured to accomplish this goal?
DHCP
20
An administrator in a health facility must assign a medical device to a static profiling policy. Under which settings group must it be configured?
user-defined exception actions
21
Refer to the exhibit. An engineer is creating a new TACACS+ command set and cannot use any show commands after logging into the device with this command set authorization. Which configuration is causing this issue?
The wildcard command listed is in the wrong format.
22
An administrator must provide administrative access to the helpdesk users on production Cisco IOS routers. The solution must meet these requirements: • Authenticate the users against Microsoft AD. • Validate IOS commands run by users. These configurations have been performed: • joined Cisco ISE to AD • retrieved AD groups • added a router to Cisco ISE • enabled Device Admin Service in Cisco ISE • configured an authorization policy • configured the routers for authentication and authorization Which two components must be configured? (Choose two.)
TACACS command sets, TACACS profile
23
Which term refers to an endpoint agent that tries to join an 802.1X-enabled network?
supplicant
24
An organization needs to dynamically assign VLANs to endpoints based on their identity and posture compliance. Describe how policy sets and authorization profiles in Cisco ISE can be configured to achieve this and what troubleshooting steps can be taken if VLAN assignment fails.
Configure VLAN attributes in authorization profiles.
25
Refer to the exhibit. In which scenario does this switch configuration apply?
when allowing a hub with multiple clients connected
26
Which Cisco ISE module contains a list of vendor names, product names, and attributes provided by OPSWAT?
Compliance Module
27
A network engineer must remove a device that has been allowlisted. How should the engineer remove it manually on Cisco ISE?
Administration > Identity Management > Groups > Endpoint Identity Groups
28
What should be configured on the Cisco ISE authentication policy for unknown MAC addresses/identities for successful authentication?
continue
29
An engineer is configuring web authentication using non-standard ports and needs the switch to redirect traffic to the correct port. Which command should be used to accomplish this task?
ip http port <port number>
30
When creating a policy within Cisco ISE for network access control, the administrator wants to allow different access restrictions based upon the wireless SSID to which the device is connecting. Which policy condition must be used in order to accomplish this?
Radius Called-Station-ID CONTAINS <SSID Name>
31
Which two ports do network devices typically use for CoA? (Choose two.)
3799, 1700
32
A network administrator changed a Cisco ISE deployment from pilot to production and noticed that the JVM memory utilization increased significantly. The administrator suspects this is due to replication between the nodes. What must be configured to minimize performance degradation?
Enable the endpoint attribute filter.
33
An engineer must use Cisco ISE profiler services to provide network access to Cisco IP phones that cannot support 802.1X. Cisco ISE is configured to use the access switch device sensor information system-description and platform-type to profile Cisco IP phones and allow access. Which two protocols must be configured on the switch to complete the configuration? (Choose two.)
LLDP, CDP
34
Which two ports must be open between Cisco ISE and the client when you configure posture on Cisco ISE? (Choose two.)
TCP 8905, TCP 8443
35
In which two ways can users and endpoints be classified for TrustSec? (Choose two.)
VLAN, Dynamic
36
Which two components are required for creating a Native Supplicant Profile within a BYOD flow? (Choose two.)
Connection Type, Operating System
37
Which two statements regarding Zero Touch Provisioning (ZTP) on Cisco ISE are correct? (Choose two.)
ZTP is only supported on virtual appliances, Linux is required to create the configuration image
38
What are the minimum requirements for deploying the Automatic Failover feature on Administration nodes in a distributed Cisco ISE deployment?
a primary and secondary PAN and a health check node for the Primary PAN
39
An engineer must use certificate authentication for endpoints that connect to a wired network with a Cisco ISE deployment. The engineer must define the certificate field used as the principal username. What is needed to complete the configuration?
authentication profile
40
Which two values are compared by the binary comparison function in authentication that is based on Active Directory?
user-presented certificate and a certificate stored in Active Directory
41
Which two Cisco ISE deployment models require two nodes configured with dedicated PAN and MnT personas? (Choose two.)
seven PSN nodes with one pxGrid node, six PSN nodes
42
An organization integrates Cisco ISE with a third-party MDM solution to enforce compliance on mobile devices. The policy requires that all devices be encrypted and running the latest operating system version before they can access the network. Describe the steps to configure this integration and explain how compliance checks are enforced during the authentication process.
Enable MDM integration and configure compliance policies in Cisco ISE.
43
An administrator is configuring a Cisco WLC for web authentication. Which two client profiling methods are enabled by default if the Apply Cisco ISE Default Settings check box has been selected? (Choose two.)
DHCP, HTTP
44
Which two probes must be enabled for the ARP cache to function in the Cisco ISE profiling service so that a user can reliably bind the IP addresses and MAC addresses of endpoints? (Choose two.)
RADIUS, DHCP
45
An engineer is configuring a new switch to deploy in the campus network. The task is to configure TACACS+ and RADIUS authentication using the new switch and Cisco ISE. What is the procedure for adding this new switch on the network resources page?
network devices > add
46
What are two differences of TACACS+ compared to RADIUS? (Choose two.)
TACACS+ encrypts the full packet payload, whereas RADIUS only encrypts the password., TACACS+ uses a connection-oriented transport protocol, whereas RADIUS uses a connectionless transport protocol.
47
An administrator is configuring Cisco ISE to authenticate users logging into network devices using TACACS+. The administrator is not seeing any of the authentication in the TACACS+ live logs. Which action ensures the users are able to log into the network devices?
Enable the device administration service in the PSN persona.
48
An engineer tests Cisco ISE posture services on the network and must configure the compliance module to automatically download and install on endpoints. Which action accomplishes this task for VPN users?
Create a Cisco AnyConnect configuration and Client Provisioning policy within Cisco ISE.
49
DRAG DROP - An engineer needs to export a file in CSV format, encrypted with the password C1$c0438563935, that contains the users currently configured in Cisco ISE. Drag and drop the steps from the left into the sequence on the right to complete this task.
1) Click Administration 2) Click Identities 3) Click Export Selected 4) Click Start Export
50
An engineer is testing Cisco ISE policies in a lab environment with no support for a deployment server. In order to push supplicant profiles to the workstations for testing, firewall ports will need to be opened. From which Cisco ISE persona should this traffic be originating?
policy service
51
Which Cisco ISE license tier is required to enable advanced features such as posture assessment, threat-centric NAC policies, and dynamic profiling? Describe the benefits of this license tier and how it integrates with external threat intelligence systems to enhance network security.
Premium License
52
Which Cisco ISE deployment model is recommended for an enterprise that has over 50,000 concurrent active endpoints?
medium deployment with primary and secondary PAN/MnT/pxGrid nodes with dedicated PSNs
53
Which two features are available when the primary admin node is down and the secondary admin node has not been promoted? (Choose two.)
new AD user 802.1X authentication, posture
54
A network engineer is configuring Cisco TrustSec and needs to ensure that the Security Group Tag is being transmitted between two devices. Where in the Layer 2 frame should this be verified?
CMD field
55
An administrator made changes in Cisco ISE and needs to apply new permissions for endpoints that have already been authenticated by sending a CoA packet to the network devices. Which IOS command must be configured on the devices to accomplish this goal?
aaa server radius dynamic-author
56
An administrator for a small network is configuring Cisco ISE to provide dynamic network access to users. Management needs Cisco ISE to not automatically trigger a CoA whenever a profile change is detected. Instead, the administrator needs to verify the new profile and manually trigger a CoA. What must be configured in the profiler to accomplish this goal?
No CoA
57
A network administrator must configure endpoints using an 802.1X authentication method with EAP identity certificates that are provided by the Cisco ISE. When the endpoint presents the identity certificate to Cisco ISE to validate the certificate, endpoints must be authorized to connect to the network. Which EAP type must be configured by the network administrator to complete this task?
EAP-TLS
58
Which type of identity store allows for creating single-use access credentials in Cisco ISE?
RSA SecurID
59
An engineer must organize endpoints in a Cisco ISE identity management store to improve the operational management of IP phone endpoints. The endpoints must meet these requirements: • classify endpoints for finance, sales, and marketing departments • tag each endpoint as profiled Which action organizes the endpoints?
Create an endpoint identity group for each department with the profiled parent group.
60
A network administrator wants to configure Cisco ISE to apply different access policies based on the user’s role and device type. How can policy sets and authorization profiles be used to dynamically assign VLANs and access controls? Provide an example configuration.
By using policy sets to group users and devices dynamically.
61
Refer to the exhibit (output of show authentication sessions). An engineer is configuring a client but cannot authenticate to Cisco ISE. During troubleshooting, the command was issued to display the authentication status of each port. Which command gives additional information to help identify the problem with the authentication?
show authentication sessions interface Gi1/0/1 details
62
An organization is adding nodes to their Cisco ISE deployment and has two nodes designated as primary and secondary PAN and MnT nodes. The organization also has four PSNs. An administrator is adding two more PSNs to this deployment but is having problems adding one of them. What is the problem?
Only five PSNs are allowed to be in the Cisco ISE cube if configured this way.
63
An administrator is configuring posture assessment in Cisco ISE for the first time. Which two components must be uploaded to Cisco ISE to use AnyConnect for the agent configuration in a client provisioning policy? (Choose two.)
AnyConnect compliance module, AnyConnect agent image
64
What is a restriction of a standalone Cisco ISE node deployment?
Personas are enabled by default and cannot be edited on the node.
65
An engineer is implementing Cisco ISE and needs to configure 802.1X. The port settings are configured for port-based authentication. Which command should be used to complete this configuration?
dot1x system-auth-control
66
If a user reports a device lost or stolen, which portal should be used to prevent the device from accessing the network while still providing information about why the device is blocked?
Block list
67
What is configured to enforce the blocklist permissions and deny access to clients in the blocklist to protect against a lost or stolen device obtaining access to the network?
Authorization rule
68
An organization wants to split their Cisco ISE deployment to separate the device administration functionalities from the main deployment. For this to work, the administrator must deregister any nodes that will become a part of the new deployment, but the button for this option is grayed out. Which configuration is causing this behavior?
One of the nodes is the Primary PAN.
69
Which permission is common to the Active Directory Join and Leave operations?
Search Active Directory to see if a Cisco ISE machine account already exists.
70
An engineer is configuring Cisco ISE for network device administration and has devices that support both protocols. What are two benefits of choosing TACACS+ over RADIUS for these devices? (Choose two.)
TACACS+ encrypts the entire payload being sent while RADIUS only encrypts the password., TACACS+ provides the ability to authorize specific commands while RADIUS does not.
71
Which configuration is required in the Cisco ISE authentication policy to allow Central Web Authentication?
MAB and if user not found, continue
72
A customer requires a Cisco ISE deployment where guests must log in to a webpage with unique credentials in the form Username: User1 and Password: A463646808. Which deployment should the customer use?
single credentials login to guest portal
73
An engineer is configuring Cisco ISE policies to support MAB for devices that do not have 802.1X capabilities. The engineer is configuring new endpoint identity groups as conditions to be used in the AuthZ policies, but noticed that the endpoints are not hitting the correct policies. What must be done in order to get the devices into the right policies?
Manually add the MAC addresses of the devices to endpoint ID groups in the context visibility database.
74
What is a requirement for Feed Service to work?
Cisco ISE has Internet access to download feed update.
75
An engineer is configuring a virtual Cisco ISE deployment and needs each persona to be on a different node. Which persona should be configured with the largest amount of storage in this environment?
Monitoring and Troubleshooting
76
What are two differences between the RADIUS and TACACS+ protocols? (Choose two.)
A. RADIUS offers multiprotocol support, whereas TACACS+ does not.
B. RADIUS is a Cisco proprietary protocol, whereas TACACS+ is an open standard protocol.
C. RADIUS enables encryption of all the packets, whereas with TACACS+, only the password is encrypted.
D. RADIUS combines authentication and authorization, whereas TACACS+ does not.
E. TACACS+ uses TCP port 49, whereas RADIUS uses UDP ports 1812 and 1813.
RADIUS combines authentication and authorization, whereas TACACS+ does not., TACACS+ uses TCP port 49, whereas RADIUS uses UDP ports 1812 and 1813.
77
A network administrator notices that after a company-wide shut down, many users cannot connect their laptops to the corporate SSID. What must be done to permit access in a timely manner?
Allow authentication for expired certificates within the EAP-TLS section under the allowed protocols.
78
A network engineer must enable a profiling probe. The profiling must take details through the Active Directory. Where in the Cisco ISE interface would the engineer enable the probe?
Administration > System > Deployment > Profiling
79
Which Cisco ISE deployment model provides redundancy by having every node in the deployment configured with the Administration, Policy Service, and Monitoring personas to protect from a complete node failure?
distributed
80
An administrator needs to add a new third party network device to be used with Cisco ISE for Guest and BYOD authorizations. Which two features must be configured under Network Device Profile to achieve this? (Choose two.)
CoA Type, URL Redirect
81
An engineer is using profiling to determine what access an endpoint must receive. After configuring both Cisco ISE and the network devices for 802.1X and profiling, the endpoints do not profile prior to authentication. What are two reasons this is happening? (Choose two.)
Closed mode is restricting the collection of the attributes prior to authentication., The switch is collecting the attributes via RADIUS but the probes are not sending them.
82
An engineer must configure posture updates. The task is to ensure the latest set of predefined checks and operating system information is updated. The checks must take place regularly. Where in the Cisco ISE interface would the engineer make the necessary changes to the compliance module?
Administration > System > Settings > Posture > Updates
83
To configure BYOD using Cisco ISE, an administrator is considering issuing certificates to the connecting devices to provide a better user experience. External CA servers cannot be used for this purpose because everything must be local to the Cisco ISE. What must be done to accomplish this?
Configure the Cisco ISE Internal CA to issue certificates to each endpoint connecting to the BYOD network.
84
An organization wants to ensure that only devices compliant with their security policies are granted full access to the corporate network. Noncompliant devices should be restricted to a remediation network until they meet the compliance requirements. How does Cisco ISE enforce such policies, and what role do posture policies and remediation portals play in this process?
Non-compliant devices are redirected to a remediation portal.
85
An organization wants to implement 802.1X and is debating whether to use PEAP-MSCHAPv2 or PEAP-EAP-TLS for authentication. Drag the characteristics on the left to the corresponding protocol on the right.
PEAP-MSCHAPv2: uses username and password; changes credentials through the admin portal; supports fragmentation after the tunnel is established. PEAP-EAP-TLS: uses certificates for authentication; uses the X.509 format; supports autoenrollment for obtaining credentials.
86
Refer to the exhibit. An engineer is configuring Cisco ISE for guest services. They would like to have any unregistered guests redirected to the guest portal for authentication, then have a CoA provide them with full access to the network that is segmented via firewalls. Why is the given configuration failing to accomplish this goal?
The Guest Portal and Guest Access policy lines are in the wrong order.
87
Which two probes provide IP-to-MAC address binding information to the ARP cache in Cisco ISE? (Choose two.)
RADIUS, DHCP
88
An engineer is using Cisco ISE and configuring guest services to allow wireless devices to access the network. Which action accomplishes this task?
Create the redirect ACL on the WLC and add it to the Cisco ISE policy.
89
What is needed to configure wireless guest access on the network?
WEBAUTH ACL for redirection
90
A network engineer needs to deploy 802.1X using Cisco ISE in a wired network environment where thin clients download their system image upon bootup using PXE. For which mode must the switch ports be configured?
low-impact
91
DRAG DROP - Drag and drop the configuration steps from the left into the sequence on the right to install two Cisco ISE nodes in a distributed deployment.
1) Enable Administration and Monitoring personas on the first node. 2) Configure the first node as the primary node. 3) Register the secondary node. 4) Define personas for the secondary node.
92
Refer to the exhibit. Which command is typed within the CLI of a switch to view the troubleshooting output?
show authentication sessions mac 000e.84af.59af details
93
Which Cisco ISE solution ensures endpoints have the latest version of antivirus updates installed before being allowed access to the corporate network?
Posture Services
94
Which two endpoint compliance statuses are possible? (Choose two.)
compliant, unknown
95
An engineer wants to ease the management of endpoint identity groups from the Cisco ISE GUI. From the Identity Management menu in Cisco ISE, the engineer must be able to list the endpoint identity groups with a name that contains Android. Which task must the engineer perform?
Create and save an advanced filter with name equals Android as the criteria.
96
Which two methods should a sponsor select to create bulk guest accounts from the sponsor portal? (Choose two.)
Imported, Random
97
Which advanced option within a WLAN must be enabled to trigger Central Web Authentication for Wireless users on AireOS controller?
AAA override
98
Which personas can a Cisco ISE node assume?
administration, policy service, and monitoring
99
An engineer must develop a policy that utilizes AD group membership on Cisco ISE. Which type of policy element must the engineer configure to create an AD group within a policy?
conditions
100
What is a difference between RADIUS and TACACS+?
RADIUS combines authentication and authorization functions, and TACACS+ separates them.