NEW QUESTION 1
Which three default endpoint identity groups does Cisco ISE create? (Choose three.)

• A. endpoint
• B. unknown
• C. blacklist
• D. profiled
• E. whitelist

Answer: BCD

Explanation:
Reference: https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_identities.html#wp1203054

NEW QUESTION 2
Which two responses from the RADIUS server to NAS are valid during the authentication process? (Choose two.)

• A. access-challenge
• B. access-accept
• C. access-request
• D. access-reserved
• E. access-response

Answer: AB

NEW QUESTION 3
Which command displays all 802.1X/MAB sessions that are active on the switch ports of a Cisco Catalyst switch?

• A. show authentication sessions interface Gi1/0/x output
• B. show authentication sessions
• C. show authentication sessions output
• D. show authentication sessions interface Gi 1/0/x

Answer: D

Explanation:
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-xe-3se-3850-cr-book/sec-s1-xe-3se-3850-cr-book_chapter_01.html#wp3404908137

NEW QUESTION 4
Which two probes must be enabled for the ARP cache to function in the Cisco ISE profiling service so that a user can reliably bind the IP addresses and MAC addresses of endpoints? (Choose two.)

• A. SNMP
• B. HTTP
• C. RADIUS
• D. DHCP
• E. NetFlow

Answer: CD

Explanation:
Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_010100.html

NEW QUESTION 5
Which use case validates a change of authorization?

• A. An endpoint that is disconnected from the network is discovered.
• B. Endpoints are created through device registration for the guests.
• C. An endpoint profiling policy is changed for authorization policy.
• D. An authenticated, wired EAP-capable endpoint is discovered.

Answer: C

Explanation:
Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_prof_pol.html

NEW QUESTION 6
Which two endpoint compliance statuses are possible? (Choose two.)

• A. compliant
• B. valid
• C. unknown
• D. known
• E. invalid

Answer: AC

NEW QUESTION 7
What is needed to configure wireless guest access on the network?

• A. endpoint already profiled in ISE
• B. WEBAUTH ACL for redirection
• C. Captive Portal Bypass turned on
• D. valid user account in Active Directory

Answer: C

NEW QUESTION 8
Which port does Cisco ISE use for native supplicant provisioning of a Windows laptop?

• A. TCP 8905
• B. TCP 8909
• C. TCP 443
• D. UDP 1812

Answer: B

Explanation:
Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_010101.html

NEW QUESTION 9
Which default endpoint identity group does an endpoint that does not match any profile in Cisco ISE become a member of?

• A. blacklist
• B. unknown
• C. whitelist
• D. profiled
• E. endpoint

Answer: B

Explanation:
Reference: https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_identities.html

NEW QUESTION 10
In which two ways can users and endpoints be classified for TrustSec? (Choose two.)

• A. VLAN
• B. dynamic
• C. QoS
• D. SGACL
• E. SXP

Answer: AD

NEW QUESTION 11
What is a characteristic of the UDP protocol?

• A. UDP can detect when a server is down.
• B. UDP can detect when a server is slow.
• C. UDP offers best-effort delivery.
• D. UDP offers information about a non-existent server.

Answer: C

NEW QUESTION 12
Which two ports do network devices typically use for CoA? (Choose two.)

• A. 19005
• B. 443
• C. 3799
• D. 8080
• E. 1700

Answer: CE

Explanation:
Reference: https://documentation.meraki.com/MR/Encryption_and_Authentication/Change_of_Authorization_with_RADIUS_(CoA)_on_MR_Access_Points

NEW QUESTION 13
What are two components of the posture requirement when configuring Cisco ISE posture? (Choose two.)

• A. Client Provisioning portal
• B. remediation actions
• C. updates
• D. access policy
• E. conditions

Answer: BE

NEW QUESTION 14
What are two benefits of TACACS+ versus RADIUS for device administration? (Choose two.)

• A. TACACS+ has command authorization, and RADIUS does not.
• B. TACACS+ uses UDP, and RADIUS uses TCP.
• C. TACACS+ supports 802.1X, and RADIUS supports MAB.
• D. TACACS+ provides the service type, and RADIUS does not.
• E. TACACS+ encrypts the whole payload, and RADIUS encrypts only the password.

Answer: AE

NEW QUESTION 15
What does the dot1x system-auth-control command do?

• A. globally enables 802.1x
• B. causes a network access switch not to track 802.1x sessions
• C. enables 802.1x on a network access device interface
• D. causes a network access switch to track 802.1x sessions

Answer: A

Explanation:
Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/XE3-8-0E/15-24E/configuration/guide/xe-380-configuration/dot1x.html

NEW QUESTION 16
Which two task types are included in the Cisco ISE common tasks support for TACACS+ profiles? (Choose two.)

• A. ASA
• B. Firepower
• C. Shell
• D. WLC
• E. IOS

Answer: CD

Explanation:
Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/2--1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_0100010.html

NEW QUESTION 17
What is a method for transporting security group tags throughout the network?

• A. by embedding the security group tag in the 802.1Q header
• B. by the Security Group Tag Exchange Protocol
• C. by enabling 802.1AE on every network device
• D. by embedding the security group tag in the IP header

Answer: B

NEW QUESTION 18
What is a requirement for Feed Service to work?

• A. TCP port 8080 must be opened between Cisco ISE and the feed server.
• B. Cisco ISE has access to an internal server to download feed update.
• C. Cisco ISE has a base license.
• D. Cisco ISE has Internet access to download feed update.

Answer: B

NEW QUESTION 19
What sends the redirect ACL that is configured in the authorization profile back to the Cisco WLC?

• A. State attribute
• B. Class attribute
• C. Event
• D. Cisco-av-pair

Answer: D

Explanation:
Reference: https://community.cisco.com/t5/network-access-control/ise-airespace-acl-wlc-problem/td-p/2110491

NEW QUESTION 20
During BYOD flow, from where does a Microsoft Windows PC download the Network Setup Assistant?

• A. Microsoft App Store
• B. Cisco App Store
• C. Cisco ISE directly
• D. Native OTA functionality

Answer: C

Explanation:
Reference: https://ciscocustomer.lookbookhq.com/iseguidedjourney/BYOD-configuration

NEW QUESTION 21
What allows an endpoint to obtain a digital certificate from Cisco ISE during a BYOD flow?

• A. Application Visibility and Control
• B. Supplicant Provisioning Wizard
• C. My Devices Portal
• D. Network Access Control

Answer: C

NEW QUESTION 22
Which personas can a Cisco ISE node assume?

• A. policy service, gatekeeping, and monitoring
• B. administration, monitoring, and gatekeeping
• C. administration, policy service, and monitoring
• D. administration, policy service, gatekeeping

Answer: C

Explanation:
Reference: https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_dis_deploy.html

NEW QUESTION 23
......