Cisco 300-715 SISE Exam Practice Test Instant Access

Question 1

A network security administrator needs a web authentication configuration when a guest user connects to the network with a wireless connection using these steps:

. An initial MAB request is sent to the Cisco ISE node.

. Cisco ISE responds with a URL redirection authorization profile if the user's MAC address is unknown in the endpoint identity store.

. The URL redirection presents the user with an AUP acceptance page when the user attempts to go to any URL.

Which authentication must the administrator configure on Cisco ISE?

Adevice registration WebAuth

BWLC with local WebAuth

Cwired NAD with local WebAuth

DNAD with central WebAuth

Answer : D

Central Web Authentication (CWA) is a feature that allows the network access device (NAD) to redirect the web traffic of a guest user to a web portal hosted by Cisco ISE1. The NAD acts as a proxy between the guest user and the ISE node, and performs the authentication and authorization based on the RADIUS attributes returned by ISE1. To configure CWA on ISE, the administrator must create an authorization profile that contains the URL redirection attribute and assign it to the guest user1. The other options are not correct because they do not use CWA. Device registration WebAuth is a feature that allows users to register their devices on ISE before they can access the network2. WLC with local WebAuth is a feature that allows the wireless LAN controller (WLC) to host the web portal and authenticate the guest user locally3. Wired NAD with local WebAuth is a feature that allows the switch to host the web portal and authenticate the guest user locally

Question 2

An engineer is working on a switch and must tag packets with SGT values such that it learns via SXP. Which command must be entered to meet this requirement?

Aip source guard

Bip dhcp snooping

Cip device tracking maximum

Dip arp inspection

Answer : C

The ip device tracking maximum command is used to configure the maximum number of IP-to-SGT bindings that can be learned via SXP on a switch1. This command also enables the switch to tag packets with SGT values based on the bindings learned from SXP peers. The other commands are not related to SGT tagging or SXP learning.

Question 3

An engineer is starting to implement a wired 802.1X project throughout the campus. The task is for failed authentication to be logged to Cisco ISE and also have a minimal impact on the users. Which command must the engineer configure?

Aauthentication open

Bpae dot1x enabled

Cauthentication host-mode multi-auth

Dmonitor-mode enabled

Answer : D

In the context of a wired 802.1X deployment with Cisco ISE, the requirement is to log failed authentications while minimizing user impact. Let's analyze each option:

A) authentication open - This command configures the port to allow network access regardless of the authentication state. It's useful in situations where specific devices can't perform 802.1X authentication but should still be allowed network access. However, it doesn't specifically address the logging of failed authentications.

B) pae dot1x enabled - PAE (Port Access Entity) refers to the entity on a network device that enforces access control. This command enables 802.1X on the port, which is a prerequisite for implementing 802.1X, but doesn't directly relate to logging failed authentication attempts.

C) authentication host-mode multi-auth - This command configures the port to allow multiple authenticated sessions. This mode is used when multiple devices are connected to the same port (like in a conference room). While it's relevant for 802.1X environments, it doesn't specifically cater to logging failed authentications or minimizing user impact.

D) monitor-mode enabled - This command is used in the context of 802.1X to enable Monitor Mode on a port. Monitor Mode allows a port to grant limited network access to endpoints without 802.1X capabilities. It's often used to ease the deployment of 802.1X by monitoring the authentication status without fully enforcing access control, thereby minimizing user impact. It also helps in logging authentication attempts, including failures.

Question 4

What is a restriction of a standalone Cisco ISE node deployment?

AOnly the Policy Service persona can be disabled on the node.

BThe domain name of the node cannot be changed after installation.

CPersonas are enabled by default and cannot be edited on the node.

DThe hostname of the node cannot be changed after installation.

Answer : C

Question 5

An engineer is configuring static SGT classification. Which configuration should be used when authentication is disabled and third-party switches are in use?

AVLAN to SGT mapping

BIP Address to SGT mapping

CL3IF to SGT mapping

DSubnet to SGT mapping

Answer : B

https://community.cisco.com/t5/security-knowledge-base/segmentation-strategy/ta-p/3757424: 'The method of sending out IP to SGT mappings from ISE is particularly useful if the access switch does not support TrustSec'

Question 6

Which two authentication protocols are supported by RADIUS but not by TACACS+? (Choose two.)

AMSCHAPv1

BPAP

CEAP

DCHAP

EMSCHAPV2

Answer : C, E

Question 7

An organization is adding nodes to their Cisco ISE deployment and has two nodes designated as primary and secondary PAN and MnT nodes. The organization also has four PSNs An administrator is adding two more PSNs to this deployment but is having problems adding one of them What is the problem?

AThe new nodes must be set to primary prior to being added to the deployment

BThe current PAN is only able to track a max of four nodes

COnly five PSNs are allowed to be in the Cisco ISE cube if configured this way.

DOne of the new nodes must be designated as a pxGrid node

Answer : C

Cisco 300-715 Implementing and Configuring Cisco Identity Services Engine SISE Exam Practice Test