NEW QUESTION 1
Which three components comprise the Cisco ISE profiler? (Choose three.)

• A. the sensor, which contains one or more probes
• B. the probe manager
• C. a monitoring tool that connects to the Cisco ISE
• D. the trigger, which activates ACLs
• E. an analyzer, which uses configured policies to evaluate endpoints
• F. a remitter tool, which fails over to redundant profilers

Answer: ABE

NEW QUESTION 2
You must recover a wireless client from quarantine. You disconnect the client from the network. Which action do you take next?

• A. Reboot the client machine after the idle timeout period expires.
• B. Start a manual reassessment
• C. Reconnect to the network after the idle timeout period expires.
• D. Turn off the MIC of the client

Answer: C

NEW QUESTION 3
Which operating system type needs access to the Internet to download the application that is required for BYOD on-boarding?

• A. iOS
• B. OSX
• C. Android
• D. Windows

Answer: C

NEW QUESTION 4
How many bits are in a security group tag?

• A. 64
• B. 8
• C. 16
• D. 32

Answer: C

NEW QUESTION 5
What steps must you perform to deploy a CA-signed identity certificate on an ISE device?

• A. 1. Download the CA server certificate and install it on ISE.2. Generate a signing request and save it as a file.3. Access the CA server and submit the CA request.4. Install the issued certificate on the ISE.
• B. 1. Download the CA server certificate and install it on ISE.2. Generate a signing request and save it as a file.3. Access the CA server and submit the CSR.4. Install the issued certificate on the CA server.
• C. 1. Generate a signing request and save it as a file.2. Download the CA server certificate and install it on ISE.3. Access the ISE server and submit the CA request.4. Install the issued certificate on the CA server.
• D. 1. Generate a signing request and save it as a file.2. Download the CA server certificate and install it on ISE.3. Access the CA server and submit the CSR.4. Install the issued certificate on the ISE.

Answer: D

NEW QUESTION 6
Which interface-level command is needed to turn on dot1x authentication?

• A. authentication pae authenticator
• B. aaa server radius dynamic-author
• C. authentication host-mode single-host
• D. dot1x system-auth-control

Answer: C

Explanation: In order to enable 802.1x functionality, enter this command: Switch(config)# dot1x system-auth-control

NEW QUESTION 7
Which two identity store options allow you to authorize based on group membership? (Choose two).

• A. Lightweight Directory Access Protocol
• B. RSA SecurID server
• C. RADIUS
• D. Active Directory

Answer: AD

NEW QUESTION 8
Which two services are included in the Cisco ISE posture service? (Choose two.)

• A. posture administration
• B. posture run-time
• C. posture monitoring
• D. posture policing
• E. posture catalog

Answer: AB

NEW QUESTION 9
Which two options are valid for configuring IEEE 802.1AE MACSec between switches in a TrustSec network? (Choose two.)

• A. manually on links between supported switches
• B. in the Cisco Identity Services Engine
• C. in the global configuration of a TrustSec non-seed switch
• D. dynamically on links between supported switches
• E. in the Cisco Secure Access Control System
• F. in the global configuration of a TrustSec seed switch

Answer: AD

NEW QUESTION 10
Which two endpoint operating systems are supported during BYOD onboarding? (Choose two.)

• A. Red Hat Enterprise Linux
• B. BlackBerry
• C. Nook
• D. Microsoft Windows
• E. Android

Answer: AE

NEW QUESTION 11
Which two options can be pushed from Cisco ISE server as part of successful 802.1x authentication?

• A. Reauthentication timer
• B. DACL
• C. Vlan
• D. Authentication order
• E. Posture status
• F. Authentication priority

Answer: BC

NEW QUESTION 12
An engineer has discovered that a NAD is already configured to send packets to the cisco ISE node running session services, which probe profile requires the simplest configuration?

• A. RADIUS
• B. DHCP
• C. SPAN
• D. NMAP
• E. HTTP

Answer: A

NEW QUESTION 13
A properly configured Cisco ISE Policy Service node is not receiving any profile data from a Cisco switch that runs Device Sensor.
Which option is the most likely reason for the failure?

• A. Syslog is configured for the Policy Administration Node.
• B. RADIUS Accounting is disabled.
• C. The SNMP community strings are mismatched.
• D. RADIUS Authentication is misconfigured.
• E. The connected endpoints support CDP but not DHCP.

Answer: B

NEW QUESTION 14
Which three host modes support MACsec? (Choose three.)

• A. multidomain authentication host mode
• B. multihost mode
• C. multi-MAC host mode
• D. single-host mode
• E. dual-host mode
• F. multi-auth host mode

Answer: ABD

NEW QUESTION 15
Certain endpoints are missing DHCP profiling data.
Which option describes what can be used to determine if DHCP requests from clients are reaching Cisco ISE?

• A. output of show interface gigabitEthernet 0 from the CLI
• B. output of debug logging all 7 from the CLI
• C. output of show logging application profiler.log from the CLI
• D. the TCP dump diagnostic tool through the GUI
• E. the posture troubleshooting diagnostic tool through the GUI

Answer: D

NEW QUESTION 16
What endpoint operating system provides native support for the SPW?

• A. Apple iOS
• B. Android OS
• C. Windows 8
• D. Mac OS X

Answer: A

NEW QUESTION 17
Which two options are advantages of using the Cisco IOS Device Sensor as compared to other profiling probes'? (Choose two.)

• A. uses RADIUS authentication messages to send gathered data to a Cisco ISE server
• B. provides DHCP information to a Cisco ISE server without using an IP helper address
• C. reduces the amount of traffic going to a Cisco ISE server
• D. collects switch CPU and RAM usage for monitoring purposes
• E. replaces all the other profiling probes

Answer: AD

NEW QUESTION 18
Which two options are EAP methods supported by Cisco ISE? (Choose two.)

• A. EAP-FAST
• B. EAP-TLS
• C. EAP-MS-CHAPv2
• D. EAP-GTC

Answer: AB

NEW QUESTION 19
Which option is the correct redirect-ACL for Wired-CWA, with 10.201.228.76 being the Cisco ISE IP address?

• A. ip access-l ex ACL-WEBAUTH-REDIRECT deny udp any any eq domain deny ip any ho 10.201.228.76 permit tcp any any eq 80 permit tcp any any eq 443
• B. ip access-l ex ACL-WEBAUTH-REDIRECT permit udp any any eq domain permit ip any 10.201.228.76 deny tcp any any eq 80 permit tcp any any eq 443
• C. ip access-l ex ACL-WEBAUTH-REDIRECT deny udp any any eq domain permit tcp any 10.201.228.76 eq 8443 deny ip any host 10.201.228.76 permit tcp any any eq 80 permit tcp any 443
• D. ip access-l ex ACL-WEBAUTH-REDIRECT permit udp any any eq domain deny ip any 10.201.228.76 permit tcp any any eq 80permit tcp any any eq 443

Answer: A