NEW QUESTION 1
An engineer is adding APs to an existing VoWLAN to allow for location based services. Which option
will the primary change be to the network?

• A. increased transmit power on all APs
• B. moving to a bridging model
• C. AP footprint
• D. cell overlap would decrease
• E. triangulation of devices

Answer: C

NEW QUESTION 2
Refer to the exhibit. You are configuring an autonomous AP for 802.1x access to a wired infrastructure. What does the command do?

• A. It enables the AP to override the authentication timeout on the RADIUS server.
• B. It configures how long the AP must wait for a client to reply to an EAP/dot1x message before the authentication fails.
• C. It enables the supplicant to override the authentication timeout on the client
• D. It configures how long the RADIUS server must wait for supplicant to reply to an EAP/dot1x message before the authentication fails.

Answer: C

NEW QUESTION 3
Which three WLAN polices can be controlled by using the Cisco IBNS on the Cisco WLC and Cisco Secure ACS? (Choose three.)

• A. QoS setting
• B. VLAN
• C. EAP type
• D. ACL
• E. authentication priority order
• F. NAC state

Answer: ABD

NEW QUESTION 4
While deploying PEAP authentication on a customer laptop with the native Windows supplicant, the PEAP security options do not appear. Which option describes what must be done?

• A. Enable automatic connection to the WLAN.
• B. Enable static DNS on the WLAN.
• C. Enable AES on the WLAN settings.
• D. Enable WLAN autoconfig services on the P

Answer: C

NEW QUESTION 5
Which two requirements must be met to ensure that Cisco ISE can join the Active Directory domain of the company. (Choose two.)

• A. If a firewall exists between Cisco ISE and Active Directory domain server, these ports are allowed through UDP 69, 123, and 389; and TCP 88, 389, 445, 464, 636, 3268, and 3269.
• B. The hostname of Cisco ISE is less than 20 characters in length.
• C. An account has been created in Active Directory for Cisco ISE that has the necessary permissions.
• D. The DNS name is configured on Cisco ISE and resolved on the Active Directory domain server
• E. Time synchronization between Cisco ISE and Active Directory must be within 10 minute

Answer: CD

NEW QUESTION 6
Which three methods are valid for guest wireless using web authentication? (Choose three.)

• A. LDAP
• B. SSL
• C. local
• D. TLS
• E. EAP-TLS
• F. RADIUS

Answer: ACF

Explanation:

There are three ways to authenticate users when you use web authentication. Local authentication allows you to authenticate the user in the Cisco WLC. You can also use an external RADIUS server or a LDAP server as a backend database in order to authenticate the users.
https://www.sslshopper.com/ssl-certificate-not-trusted-error.html

NEW QUESTION 7
Refer to the exhibit.

A network engineer must configure a WLAN on a Cisco IOS-XE controller to support corporate devices (using VLAN 30) and BYOD (using VLAN 40) on the same secure SSID. The security team has built an ISE deployment to be used for VLAN assignment and to restrict access based on policy and posture compliance.
Given the existing WLAN configuration, which configuration change must be made?

• A. remove ip dhcp required
• B. Add aaa-override
• C. Remove nac
• D. Add mac-filtering default

Answer: B

NEW QUESTION 8
A wireless engineer wants to view how many wIPS alerts have been detected in Cisco Prime. Which tab does the engineer select in the wireless dashboard?

• A. Security
• B. Cleanair
• C. Context Aware
• D. Mesh

Answer: A

NEW QUESTION 9
Which three authentication methods correctly describe digital certificate requirements when using EAP-TLS authentication? (Choose three)

• A. The client does not need the corresponding private key.
• B. The EAP-TLS is sent in cleartext when the root certificate is not installed.
• C. The certificate has to be X 509 Version 3.
• D. EAP-TLS requires a root certificate but not a user certificate.
• E. The certificate must be installed when the requested user is logged in to the machine.
• F. The subject name in the certificate must correspond to the user account name

Answer: CDE

Explanation:
https://www.cisco.com/en/US/tech/ CK7 22/ CK8 09/technologies_white_paper09186a008 009256b.shtml
The certificate has to be X.509 Version 3
EAP-TLS Machine Authentication requires both Active Directory and an Enterprise root C
A. In order
to acquire a certificate for EAP-TLS machine authentication,
For a client (using Windows XP professional, for example) to authenticate using EAP-TLS, the client must obtain a personal client certificate. This certificate must meet several requirements: Figure 5-1. Client Certificate and the Enhanced Key Usage Field. • The certificate has to be installed when the requested user is logged
https://www.cisco.com/en/US/tech/ CK7 22/ CK8 09/technologies_white_paper09186a008009256b.sht ml

NEW QUESTION 10
Which three commands are part of the requirements on Cisco Catalyst 3850 series Switch with Cisco IOX XE to create a RADIUS authentication server group? (Choose three.)

• A. authentication dot1x default local
• B. aaa session-idcommon
• C. dot1x system-auth-control
• D. aaa new-model
• E. local-auth wcm_eap_prof
• F. security dot1x

Answer: BCD

NEW QUESTION 11
A Cisco WLC has been added to the network and Cisco ISE as a network device, but authentication is failing. Which configuration within the network device configuration should be verified?

• A. shared secret
• B. device ID
• C. SNMP RO community
• D. device interface credentials

Answer: A

NEW QUESTION 12
An engineer requires authentication for WPA2 that will use fast rekeying to enable clients to roam from one access point to another without going through the controller. Which security option should be configured?

• A. PSK
• B. AES
• C. Cisco Centralized key Management
• D. 802.1x

Answer: C

NEW QUESTION 13
Refer to the exhibit.

A WLAN with the SSID "Enterprise" is configured. Which rogue is marked as malicious?

• A. a rogue with two clients, broadcasting the SSID "Employee" heard at -50 dBm
• B. a rogue with no clients, broadcasting the SSID "Enterprise" heard at -50 dBm
• C. a rouge with two clients, broadcasting the SSID "Enterprise" heard at -80 dBm
• D. a rogue with two clients, broadcasting the SSID "Enterprise" heard at -50 dBm

Answer: C

NEW QUESTION 14
A customer is concerned that radar is impacting the access point that service the wireless network in an office located near an airport. On which type of channel should you conduct spectrum analysis to identify if radar is impacting the wireless network?

• A. UNII-3 channels
• B. UNII-1 channels
• C. 802.11b channels
• D. 2.4 GHz channels
• E. UMII-2 channels
• F. Channels 1, 5, 9, 13

Answer: E

NEW QUESTION 15
Which option describes the purpose of configuring switch peer groups?

• A. enforces RF profiles
• B. enables location services
• C. restricts roaming traffic to certain switches
• D. allows template based configuration changes

Answer: C

NEW QUESTION 16
An engineer is working on a remote site that is configured using FlexConnect. They are worried that the access points will not send RADIUS requests directly to the authentication server is standalone mode. Which command ensures direct authentication using the default ports as defined on the WLC?

• A. config filexconnect group Remote radius server acct add primary 10.10.10.10 1813 Cisco123
• B. config filexconnect group Remote radius server auth add primary 10.10.10.10 1813 Cisco123
• C. config filexconnect group Remote radius server acct add primary 10.10.10.10 1812 Cisco123
• D. config filexconnect group Remote radius server auth add primary 10.10.10.10 1812 Cisco123

Answer: C

NEW QUESTION 17
Which of the following user roles can access CMX Visitor Connect?

• A. Administrator
• B. Power User
• C. Guest User
• D. Super Administrator

Answer: A

NEW QUESTION 18
Refer to the exhibit.

An engineer utilizing ISE as the wireless AAA service noticed that the accounting process on the server at 10.10.2.3 has failed, but authentication process is still functional.
Which ISE nodes receive WLC RADIUS traffic, using the CLI output and assuming the WLAN uses the servers in their indexed order?

• A. authentication to 10.10.2.4, accounting to 10.10.2.3.
• B. authentication to 10.10.2.3, accounting to 10.10.2.3.
• C. authentication to 10.10.2.4, accounting to 10.10.2.4.
• D. authentication to 10.10.2.3, accounting to 10.10.2.4.

Answer: B

NEW QUESTION 19
A wireless engineer want to how many wlPS alerts have been detected in CISCO Prime. Which tab does the engineer select in the windows dashboard?

• A. Security
• B. CleanAir
• C. Context Aware
• D. Mesh

Answer: A

Explanation:

Security Index, including the top security issues Adaptive WIPS Rogue classification graph Rogue containment graph Attacks detected Malicious, unclassified, friendly, and custom rogue APs CleanAir security Adhoc rogues Security https://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/3-
1/user/guide/pi_ug/view-dash.html

NEW QUESTION 20
Which attribute on the Cisco WLC v7.0 does RADIUS IETF attribute "Tunnel-Private-Group ID" assign?

• A. ACL
• B. DSCP
• C. QoS
• D. VLAN

Answer: D

NEW QUESTION 21
An engineer is configuring a wireless network for local FlexConnect authentication. What three configurations are required for the WLC with WLAN 1 and AP Cisco? (Choose three.)

• A. config ap filexconnect vlan enable Cisco
• B. config wlan filexconnect vlan-central-switching 1 enable
• C. config ap filexconnect vlan wlan 1 Cisco
• D. config wlan filexconnect local-switching 1 enable
• E. config wlan filexconnect ap-auth 1 enable
• F. config ap mode filexconnect Cisco

Answer: ACD

NEW QUESTION 22
An engineer is configuring client MFP. What WLAN Layer 2 security must be selected to use client MFP?

• A. Static WEP
• B. CKIP
• C. WPA+WPA2
• D. 802 1x

Answer: C

NEW QUESTION 23
Which feature should an engineer select to implement the use of VLAN tagging, QoS, and ACLs to clients based on RADIUS attributes?

• A. per-WLAN RADIUS source support
• B. client profiling
• C. AAA override
• D. captive bypassing
• E. identity-based networking

Answer: C

NEW QUESTION 24
......