NEW QUESTION 1
Which feature enables the Cisco ISE DHCP profiling capabilities to determine and enforce authorization policies on mobile devices?

• A. disabling the DHCP proxy option
• B. DHCP option 42
• C. DHCP snooping
• D. DHCP spoofing

Answer: A

NEW QUESTION 2
Refer to Following: aaa new model
tacacs-server host 1.1.1.1 single connection tacas-server key cisco123
Which statement about the authentication protocol used in the configuration is true?

• A. Authentication request contains username, encrypted password, NAS IP address, and port.
• B. Authentication and authorization requests are sent in a single open connection between the networkdevice and the TACACS+ server
• C. Authentication request contains username, password, NAS IP address and port.
• D. Authentication and authorization request packets are grouped together in a single packet.

Answer: B

NEW QUESTION 3
What user rights does an account need to join ISE to a Microsoft Active Directory domain?

• A. Create and Delete Computer Objects
• B. Domain Admin
• C. Join and Leave Domain
• D. Create and Delete User Objects

Answer: A

NEW QUESTION 4
Which administrative role has permission to assign Security Group Access Control Lists?

• A. System Admin
• B. Network Device Admin
• C. Policy Admin
• D. Identity Admin

Answer: C

NEW QUESTION 5
Which characteristic of an 3GT enforcement policy is true?

• A. An SGFW has an implicit permit at the beginning.
• B. An SGFW has an implicit deny at the end.
• C. An SGACL has an implicit deny at the end.
• D. An SGACL has an explicit deny at the beginning.

Answer: C

NEW QUESTION 6
Changes were made to the ISE server while troubleshooting, and now all wireless certificate authentications are failing. Logs indicate an EAP failure. What are the two possible causes of the problem? (Choose two.)

• A. EAP-TLS is not checked in the Allowed Protocols list
• B. Client certificate is not included in the Trusted Certificate Store
• C. MS-CHAPv2-is not checked in the Allowed Protocols list
• D. Default rule denies all traffic
• E. Certificate authentication profile is not configured in the Identity Store

Answer: AE

NEW QUESTION 7
Which two component are required for creating native supplicant profile ?

• A. Operative System
• B. Connection type wired/wireless
• C. Ios Sutten
• D. BYOD

Answer: AB

NEW QUESTION 8
Which RADIUS attribute is used primarily to differentiate an IEEE 802.1x request from a Cisco MAB request?

• A. RADIUS Attribute (5) NAS-Port
• B. RADIUS Attribute (6) Service-Type
• C. RADIUS Attribute (7) Framed-Protocol
• D. RADIUS Attribute (61) NAS-Port-Type

Answer: B

NEW QUESTION 9
Which two authentication stores are supported to design a wireless network using PEAP EAP-MSCHAPv2 as the authentication method? (Choose two.)

• A. Microsoft Active Directory
• B. ACS
• C. LDAP
• D. RSA Secure-ID
• E. Certificate Server

Answer: AB

NEW QUESTION 10
What are three ways that an SGT can be assigned to network traffic?

• A. Manual binding of the IP address to an SGT
• B. Manually configured on the switch port
• C. Dynamically assigned by the network access device
• D. Dynamically assigned by the 802.1X authorization result
• E. Manually configured in the NAC agent profile
• F. Dynamically assigned by the AnyConnect network access manager

Answer: ABD

NEW QUESTION 11
Which authorization method is the Cisco best practice to allow endpoints access to the Apple App store or Google Play store with Cisco WLC software version 7.6 or newer?

• A. dACL
• B. DNS ACL
• C. DNS ACL defined in Cisco ISE
• D. redirect ACL

Answer: B

NEW QUESTION 12
What are three portals provided by PSN? (Choose three.)

• A. Monitoring
• B. Troubleshooting
• C. Sponsor
• D. Guest
• E. My devices
• F. Admin

Answer: CDE

NEW QUESTION 13
When RADIUS NAC and AAA Override are enabled for WLC on a Cisco ISE, which two statements about RADIUS NAC are true? (Choose two.)

• A. It will return an access-accept and send the redirection URL for all users.
• B. It establishes secure connectivity between the RADIUS server and the ISE.
• C. It allows the ISE to send a CoA request that indicates when the user is authenticated.
• D. It is used for posture assessment, so the ISE changes the user profile based on posture result.
• E. It allows multiple users to authenticate at the same time.

Answer: CD

NEW QUESTION 14
Which NAC agents support remediation? (Choose three.)

• A. Windows NAC
• B. Windows web-based NAC
• C. MAC NAC
• D. MAC web-based NAC

Answer: ABC

NEW QUESTION 15
Which 802.1X command ignores Access-Reject during EAP authentication?

• A. dot1x pae authenticator
• B. switchport mode access
• C. authentication port-control auto
• D. authentication open
• E. authentication host-mode multi-domain

Answer: D

NEW QUESTION 16
Refer to the exhibit.

Which two things must be verified if authentication is failing with this error message? (Choose two.)

• A. Cisco ISE EAP identity certificate is valid.
• B. CA cert chain of Cisco ISE EAP certificate is installed on the trusted certs store of the client machine.
• C. CA cert chain of the client certificate is installed on Cisco ISE.
• D. Cisco ISE HTTPS/admin certificate is valid.
• E. Cisco ISE server certificate is installed on the client.

Answer: AB

NEW QUESTION 17
Which two fields are characteristics of IEEE 802.1AE frame? (Choose two.)

• A. destination MAC address
• B. source MAC address
• C. 802.1AE header in EtherType
• D. security group tag in EtherType
• E. integrity check value
• F. CRC/FCS

Answer: CE

NEW QUESTION 18
Which command is useful when troubleshooting AAA Authentication between a Cisco router and the AAA server?

• A. test aaa-server test cisco cisco123 all new-code
• B. test aaa group7 tacacs+ auth cisco123 new-code
• C. test aaa group tacacs+ cisco cisco123 new-code
• D. test aaa-server tacacs+ group7 cisco cisco123 new-code

Answer: C

NEW QUESTION 19
Where is dynamic SGT classification configured?

• A. Cisco ISE
• B. NAD
• C. supplicant
• D. RADIUS proxy

Answer: A