Question No : 1
Refer to the exhibit.



An organization recently implemented network device administration using Cisco ISE. Upon testing the ability to access all of the required devices, a user in the Cisco ISE group IT Admins is attempting to login to a device in their organization's finance department but is unable to .
What is the problem?

• A.The IT training rule is taking precedence over the IT Admins rule.
• B.The authorization conditions wrongly allow IT Admins group no access to finance devices.
• C.The finance location is not a condition in the policy set.
• D.The authorization policy doesn't correctly grant them access to the finance devices.

Show Answers

Answer:

Question No : 2
Which two components are required for creating a Native Supplicant Profile within a BYOD flow? (Choose two)

• A.Windows Settings
• B.Connection Type
• C.iOS Settings
• D.Redirect ACL
• E.Operating System

Show Answers

Answer:
Explanation:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_010101.html #reference_21024A3B2B27427EAC78495E56962729

Question No : 3
An administrator wants to configure network device administration and is trying to decide whether to use TACACS* or RADIUS. A reliable protocol must be used that can check command authorization.
Which protocol meets these requirements and why?

• A.TACACS+ because it runs over TCP
• B.RADIUS because it runs over UDP
• C.RADIUS because it runs over TC
• D.TACACS+ because it runs over UDP

Show Answers

Answer:

Question No : 4
What are two requirements of generating a single signing in Cisco ISE by using a certificate provisioning portal, without generating a certificate request? (Choose two)

• A.Location the CSV file for the device MAC
• B.Select the certificate template
• C.Choose the hashing method
• D.Enter the common name
• E.Enter the IP address of the device

Show Answers

Answer:
Explanation:
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200534-ISE-2-0-Certificate-Provisioning-Portal.html

Question No : 5
Which personas can a Cisco ISE node assume'?

• A.policy service, gatekeeping, and monitoring
• B.administration, policy service, and monitoring
• C.administration, policy service, gatekeeping
• D.administration, monitoring, and gatekeeping

Show Answers

Answer:
Explanation:
https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_dis_deploy.html
The persona or personas of a node determine the services provided by a node. An ISE node can assume any or all of the following personas: Administration, Policy Service, and Monitoring. The menu options that are available through the administrative user interface are dependent on the role and personas that an ISE node assumes. See Cisco ISE Nodes and Available Menu Options for more information.

Question No : 6
An administrator is attempting to replace the built-in self-signed certificates on a Cisco ISE appliance. The CA is requesting some information about the appliance in order to sign the new certificate .
What must be done in order to provide the CA this information?
A. Install the Root CA and intermediate CA.
B. Generate the CSR.
C. Download the intermediate server certificate.
D. Download the CA server certificate.

Show Answers

Answer:B

Question No : 7
An administrator is manually adding a device to a Cisco ISE identity group to ensure that it is able to access the network when needed without authentication Upon testing, the administrator notices that the device never hits the correct authorization policy line using the condition EndPoints LogicalProfile EQUALS static_list.
Why is this occurring?

• A.The dynamic logical profile is overriding the statically assigned profile
• B.The device is changing identity groups after profiling instead ot remaining static
• C.The logical profile is being statically assigned instead of the identity group
• D.The identity group is being assigned instead of the logical profile

Show Answers

Answer:

Question No : 8
An administrator needs to give the same level of access to the network devices when users are logging into them using TACACS+ However, the administrator must restrict certaincommands based on one of three user roles that require different commands.
How is this accomplished without creating too many objects using Cisco ISE?

• A.Create one shell profile and multiple command sets.
• B.Create multiple shell profiles and multiple command sets.
• C.Create one shell profile and one command set.
• D.Create multiple shell profiles and one command set

Show Answers

Answer:
Explanation:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_0100010.html
https://www.youtube.com/watch?v=IlZwB71Szog&ab_channel=JasonMaynard

Question No : 9
What must be configured on the Cisco ISE authentication policy for unknown MAC addresses/identities for successful authentication?

• A.pass
• B.reject
• C.drop
• D.continue

Show Answers

Answer:
Explanation:
https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html

Question No : 10
What must be configured on the WLC to configure Central Web Authentication using Cisco ISE and a WLC?

• A.Set the NAC State option to SNMP NA
• B.Set the NAC State option to RADIUS NA
• C.Use the radius-server vsa send authentication command.
• D.Use the ip access-group webauth in command.

Show Answers

Answer: