CertsTopics Logo

Summer Special - Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: top65certs

Free and Premium Cisco 300-715 Dumps Questions Answers

Page: 1 / 22
Total 295 questions
Get 300-715 Full Access Download 300-715 PDF

Implementing and Configuring Cisco Identity Services Engine (SISE) v4.0 (300-715 SISE) Questions and Answers

Question 1

When creating a policy within Cisco ISE for network access control, the administrator wants to allow different access restrictions based upon the wireless SSID to which the device is connecting. Which policy condition must be used in order to accomplish this?

Options:

A.

Network Access NetworkDeviceName CONTAINS

B.

DEVICE Device Type CONTAINS

C.

Radius Called-Station-ID CONTAINS

D.

Airespace Airespace-Wlan-ld CONTAINS

Buy Now
Question 2

An engineer is starting to implement a wired 802.1X project throughout the campus. The task is for failed authentication to be logged to Cisco ISE and also have a minimal impact on the users. Which command must the engineer configure?

Options:

A.

authentication open

B.

pae dot1x enabled

C.

authentication host-mode multi-auth

D.

monitor-mode enabled

Question 3

Drag the Cisco ISE node types from the left onto the appropriate purposes on the right.

Options:

Question 4

Refer to the exhibit. In which scenario does this switch configuration apply?

Options:

A.

when allowing a hub with multiple clients connected

B.

when passing IP phone authentication

C.

when allowing multiple IP phones to be connected

D.

when preventing users with hypervisor

Question 5

What are two differences between the RADIUS and TACACS+ protocols'? (Choose two.)

Options:

A.

RADIUS is a Cisco proprietary protocol, whereas TACACS+ is an open standard protocol

B.

TACACS+uses TCP port 49. whereas RADIUS uses UDP ports 1812 and 1813.

C.

RADIUS offers multiprotocol support, whereas TACACS+ does not

D.

RADIUS combines authentication and authorization, whereas TACACS+ does not

E.

RADIUS enables encryption of all the packets, whereas with TACACS+. only the password is encrypted.

Question 6

An engineer is configuring Cisco ISE and needs to dynamically identify the network endpoints and ensure that endpoint access is protected. Which service should be used to accomplish this task?

    Profiling

Options:

A.

Guest access

B.

Client provisioning

C.

Posture

Question 7

What must be configured on the WLC to configure Central Web Authentication using Cisco ISE and a WLC?

Options:

A.

Set the NAC State option to SNMP NAC.

B.

Set the NAC State option to RADIUS NAC.

C.

Use the radius-server vsa send authentication command.

D.

Use the ip access-group webauth in command.

Question 8

Refer to the exhibit.

An engineer is configuring a client but cannot authenticate to Cisco ISE During troubleshooting, the show authentication sessions command was issued to display the authentication status of each port Which command gives additional information to help identify the problem with the authentication?

Options:

A.

show authentication sessions

B.

show authentication sessions Interface Gil/0/1 output

C.

show authentication sessions interface Gi1/0/1 details

D.

show authentication sessions output

Question 9

An administrator is configuring a switch port for use with 802 1X What must be done so that the port will allow voice and multiple data endpoints?

Options:

A.

Configure the port with the authentication host-mode multi-auth command

B.

Connect the data devices to the port, then attach the phone behind them.

C.

Use the command authentication host-mode multi-domain on the port

D.

Connect a hub to the switch port to allow multiple devices access after authentication

Question 10

A user changes the status of a device to stolen in the My Devices Portal of Cisco ISE. The device was originally onboarded in the BYOD wireless Portal without a certificate. The device is found later, but the user cannot re-onboard the device because Cisco ISE assigned the device to the Blocklist endpoint identity group. What must the user do in the My Devices Portal to resolve this issue?

Options:

A.

Manually remove the device from the Blocklist endpoint identity group.

B.

Change the device state from Stolen to Not Registered.

C.

Change the BYOD registration attribute of the device to None.

D.

Delete the device, and then re-add the device.

Question 11

An engineer is configuring Cisco ISE policies to support MAB for devices that do not have 802.1X capabilities. The engineer is configuring new endpoint identity groups as conditions to be used in the AuthZ policies, but noticed that the endpoints are not hitting the correct policies. What must be done in order to get the devices into the right policies?

Options:

A.

Manually add the MAC addresses of the devices to endpoint ID groups in the context visibility database.

B.

Create an AuthZ policy to identify Unknown devices and provide partial network access prior to profiling.

C.

Add an identity policy to dynamically add the IP address of the devices to their endpoint identity groups.

D.

Identify the non 802.1X supported device types and create custom profiles for them to profile into.

Question 12

An engineer must configure Cisco ISE to provide internet access for guests in which guests are required to enter a code to gain network access. Which action accomplishes the goal?

Options:

A.

Configure the hotspot portal for guest access and require an access code.

B.

Configure the sponsor portal with a single account and use the access code as the password.

C.

Configure the self-registered guest portal to allow guests to create a personal access code.

D.

Create a BYOD policy that bypasses the authentication of the user and authorizes access codes.

Question 13

How is policy services node redundancy achieved in a deployment?

Options:

A.

by enabling VIP

B.

by utilizing RADIUS server list on the NAD

C.

by creating a node group

D.

by deploying both primary and secondary node

Question 14

Which two external identity stores support EAP-TLS and PEAP-TLS? (Choose two.)

Options:

A.

Active Directory

B.

RADIUS Token

C.

Internal Database

D.

RSA SecurlD

E.

LDAP

Question 15

A Cisco ISE administrator must restrict specific endpoints from accessing the network while in closed mode. The requirement is to have Cisco ISE centrally store the endpoints to restrict access from. What must be done to accomplish this task''

Options:

A.

Add each MAC address manually to a blocklist identity group and create a policy denying access

B.

Create a logical profile for each device's profile policy and block that via authorization policies.

C.

Create a profiling policy for each endpoint with the cdpCacheDeviceld attribute.

D.

Add each IP address to a policy denying access.

Question 16

Which default endpoint identity group does an endpoint that does not match any profile in Cisco ISE become a member of?

Options:

A.

Endpoint

B.

unknown

C.

blacklist

D.

white list

E.

profiled

Question 17

Which protocol must be allowed for a BYOD device to access the BYOD portal?

Options:

A.

HTTP

B.

SMTP

C.

HTTPS

D.

SSH

Question 18

An engineer is configuring a new Cisco ISE node. Context-sensitive information must be shared between the Cisco ISE and a Cisco ASA. Which persona must be enabled?

Options:

A.

Administration

B.

Policy Service

C.

pxGrid

D.

Monitoring

Question 19

What are two differences of TACACS+ compared to RADIUS? (Choose two.)

Options:

A.

TACACS+ uses a connectionless transport protocol, whereas RADIUS uses a connection-oriented transport protocol.

B.

TACACS+ encrypts the full packet payload, whereas RADIUS only encrypts the password.

C.

TACACS+ only encrypts the password, whereas RADIUS encrypts the full packet payload.

D.

TACACS+ uses a connection-oriented transport protocol, whereas RADIUS uses a connectionless transport protocol.

E.

TACACS+ supports multiple sessions per user, whereas RADIUS supports one session per user.

Question 20

Which two actions must be verified to confirm that the internet is accessible via guest access when configuring a guest portal? (Choose two.)

Options:

A.

The guest device successfully associates with the correct SSID.

B.

The guest user gets redirected to the authentication page when opening a browser.

C.

The guest device has internal network access on the WLAN.

D.

The guest device can connect to network file shares.

E.

Cisco ISE sends a CoA upon successful guest authentication.

Question 21

What must match between Cisco ISE and the network access device to successfully authenticate endpoints?

Options:

A.

SNMP version

B.

shared secret

C.

certificate

D.

profile

Question 22

An administrator is attempting to replace the built-in self-signed certificates on a Cisco ISE appliance. The CA is requesting some information about the appliance in order to sign the new certificate. What must be done in order to provide the CA this information?

Options:

A.

Install the Root CA and intermediate CA.

B.

Generate the CSR.

C.

Download the intermediate server certificate.

D.

Download the CA server certificate.

Question 23

A Cisco ISE server sends a CoA to a NAD after a user logs in successfully using CWA Which action does the CoA perform?

Options:

A.

It terminates the client session

B.

It applies the downloadable ACL provided in the CoA

C.

It applies new permissions provided in the CoA to the client session.

D.

It triggers the NAD to reauthenticate the client

Question 24

Which supplicant(s) and server(s) are capable of supporting EAP-CHAINING?

Options:

A.

Cisco AnyConnect NAM and Cisco Identity Service Engine

B.

Cisco AnyConnect NAM and Cisco Access Control Server

C.

Cisco Secure Services Client and Cisco Access Control Server

D.

Windows Native Supplicant and Cisco Identity Service Engine

Question 25

An engineer deploys Cisco ISE and must configure Active Directory to then use information from Active Directory in an authorization policy. Which two components must be configured, in addition to Active Directory groups, to achieve this goat? (Choose two )

Options:

A.

Active Directory External Identity Sources

B.

Library Condition for External Identity. External Groups

C.

Identity Source Sequences

D.

LDAP External Identity Sources

E Library Condition for Identity Group: User Identity Group

Question 26

An engineer has been tasked with standing up a new guest portal for customers that are waiting in the lobby. There is a requirement to allow guests to use their social media logins to access the guest network to appeal to more customers What must be done to accomplish this task?

Options:

A.

Create a sponsor portal to allow guests to create accounts using their social media logins.

B.

Create a sponsored guest portal and enable social media in the external identity sources.

C.

Create a self-registered guest portal and enable the feature for social media logins

D.

Create a hotspot portal and enable social media login for network access

Question 27

Which statement about configuring certificates for BYOD is true?

Options:

A.

An Android endpoint uses EST, whereas other operating systems use SCEP for enrollment

B.

The SAN field is populated with the end user name.

C.

An endpoint certificate is mandatory for the Cisco ISE BYOD

D.

The CN field is populated with the endpoint host name

Question 28

An engineer is configuring 802.1X and is testing out their policy sets. After authentication, some endpoints are given an access-reject message but are still allowed onto the network. What is causing this issue to occur?

Options:

A.

The switch port is configured with authentication event server dead action authorize vlan.

B.

The authorization results for the endpoints include a dACL allowing access.

C.

The authorization results for the endpoints include the Trusted security group tag.

D.

The switch port is configured with authentication open.

Question 29

A network engineer needs to deploy 802.1x using Cisco ISE in a wired network environment where thin clients download their system image upon bootup using PXE. For which mode must the switch ports be configured?

Options:

A.

closed

B.

restricted

C.

monitor

D.

low-impact

Question 30

What is a restriction of a standalone Cisco ISE node deployment?

Options:

A.

Only the Policy Service persona can be disabled on the node.

B.

The domain name of the node cannot be changed after installation.

C.

Personas are enabled by default and cannot be edited on the node.

D.

The hostname of the node cannot be changed after installation.

Question 31

Which RADIUS attribute is used to dynamically assign the inactivity active timer for MAB users from the Cisco ISE node'?

Options:

A.

radius-server timeout

B.

session-timeout

C.

idle-timeout

D.

termination-action

Question 32

An engineer is creating a new authorization policy to give the endpoints access to VLAN 310 upon successful authentication The administrator tests the 802.1X authentication for the endpoint and sees that it is authenticating successfully What must be done to ensure that the endpoint is placed into the correct VLAN?

Options:

A.

Configure the switchport access vlan 310 command on the switch port

B.

Ensure that the security group is not preventing the endpoint from being in VLAN 310

C.

Add VLAN 310 in the common tasks of the authorization profile

D.

Ensure that the endpoint is using The correct policy set

Question 33

Which two features must be used on Cisco ISE to enable the TACACS. feature? (Choose two)

Options:

A.

Device Administration License

B.

Server Sequence

C.

Command Sets

D.

Enable Device Admin Service

E.

External TACACS Servers

Question 34

Which two VMware features are supported on a Cisco ISE virtual appliance? (Choose two.)

Options:

A.

multivendor integration

B.

VM hardware version 7+

C.

VM snapshots

D.

OVF support

E.

VM cold migration

Question 35

What happens when an internal user is configured with an external identity store for authentication, but an engineer uses the Cisco ISE admin portal to select an internal identity store as the identity source?

Options:

A.

Authentication is redirected to the internal identity source.

B.

Authentication is redirected to the external identity source.

C.

Authentication is granted.

D.

Authentication fails.

Question 36

Refer to the exhibit. An engineer must configure BYOD in Cisco ISE. A single SSID must be used to allow BYOD devices to connect to the network. These configurations have been performed on Wireless LAN Controller already:

RADIUS server

BYOD-Dot1x SSID

Which two configurations must be done in Cisco ISE to meet the requirement? (Choose two.)

Options:

A.

FlexConnect ACL

B.

External identity source

C.

Authentication policy

D.

Redirect ACL

E.

Profiling policy

Question 37

Which two methods should a sponsor select to create bulk guest accounts from the sponsor portal? (Choose two )

Options:

A.

Random

B.

Monthly

C.

Daily

D.

Imported

E.

Known

Question 38

What is a function of client provisioning?

Options:

A.

It ensures an application process is running on the endpoint.

B.

It checks a dictionary' attribute with a value.

C.

It ensures that endpoints receive the appropriate posture agents

D.

It checks the existence date and versions of the file on a client.

Question 39

An engineer is working with a distributed deployment of Cisco ISE and needs to configure various network probes to collect a set of attributes from the used to accomplish this task?

Options:

A.

policy service

B.

monitoring

C.

pxGrid

D.

primary policy administrator

Question 40

An organization is adding new profiling probes to the system to improve profiling on Oseo ISE The probes must support a common network management protocol to receive information about the endpoints and the ports to which they are connected What must be configured on the network device to accomplish this goal?

Options:

A.

ARP

B.

SNMP

C.

WCCP

D.

ICMP

Question 41

Which interface-level command is needed to turn on 802 1X authentication?

Options:

A.

Dofl1x pae authenticator

B.

dot1x system-auth-control

C.

authentication host-mode single-host

D.

aaa server radius dynamic-author

Question 42

A Cisco ISE administrator needs to ensure that guest endpoint registrations are only valid for one day When testing the guest policy flow, the administrator sees that the Cisco ISE does not delete the endpoint in the Guest Endpoints identity store after one day and allows access to the guest network after that period. Which configuration is causing this problem?

Options:

A.

The Endpoint Purge Policy is set to 30 days for guest devices

B.

The RADIUS policy set for guest access is set to allow repeated authentication of the same device

C.

The length of access is set to 7 days in the Guest Portal Settings

D.

The Guest Account Purge Policy is set to 15 days

Question 43

What is a function of client provisioning?

Options:

A.

Client provisioning ensures that endpoints receive the appropriate posture agents.

B.

Client provisioning checks a dictionary attribute with a value.

C.

Client provisioning ensures an application process is running on the endpoint.

D.

Client provisioning checks the existence, date, and versions of the file on a client.

Question 44

An engineer is deploying a new Cisco ISE environment for a company. The company wants the deployment to use TACACS+. The engineer verifies that Cisco ISE has a Device Administration license. What must be configured to enable TACACS+ operations?

Options:

A.

Device Administration Work Center

B.

Device Admin service

C.

Device Administration Deployment settings

D.

Device Admin Policy Sets settings

Question 45

A network administrator is configuring a secondary cisco ISE node from the backup configuration of the primary cisco ISE node to create a high availability pair The Cisco ISE CA certificates and keys must be manually backed up from the primary Cisco ISE and copied into the secondary Cisco ISE Which command most be issued for this to work?

Options:

A.

copy certificate Ise

B.

application configure Ise

C.

certificate configure Ise

D.

Import certificate Ise

Question 46

A network engineer is configuring a network device that needs to filter traffic based on security group tags using a security policy on a routed into this task?

Options:

A.

cts authorization list

B.

cts role-based enforcement

C.

cts cache enable

D.

cts role-based policy priority-static

Question 47

Which two features are available when the primary admin node is down and the secondary admin node has not been promoted? (Choose two.)

Options:

A.

hotspot

B.

new AD user 802 1X authentication

C.

posture

D.

BYOD

E.

guest AUP

Question 48

Drag the descriptions on the left onto the components of 802.1X on the right.

Options:

Question 49

An organization wants to implement 802.1X and is debating whether to use PEAP-MSCHAPv2 or PEAP-EAP-TLS for authentication. Drag the characteristics on the left to the corresponding protocol on the right.

Options:

Question 50

An engineer must organize endpoints in a Cisco ISE identity management store to improve the operational management of IP phone endpoints. The endpoints must meet these requirements:

• classify endpoints for finance, sales, and marketing departments

• tag each endpoint as profiled

Which action organizes the endpoints?

Options:

A.

Create an endpoint identity group for each department with the IP phone parent group.

B.

Create an endpoint identity group for each department with the profiled parent group.

C.

Add a tag for the endpoints of each department and add an endpoint to profiled group.

D.

Add a tag for the endpoints of each department and use the identity group filter.

Question 51

Which nodes are supported in a distributed Cisco ISE deployment?

Options:

A.

Policy Service nodes tor automatic failover

B.

Administration nodes for session failover

C.

Monitoring nodes for PxGrid services

D.

Policy Service nodes for session failover

Question 52

A network engineer must enable a profiling probe. The profiling must take details through the Active Directory. Where in the Cisco ISE interface would the engineer enable the probe?

Options:

A.

Policy > Policy Elements > Profiling

B.

Administration > Deployment > System > Profiling

C.

Policy > Deployment > System > Profiling

D.

Administration > System > Deployment > Profiling

Question 53

A network engineer needs to ensure that the access credentials are not exposed during the 802.1x authentication among components. Which two protocols should complete this task?

Options:

A.

PEAP

B.

EAP-MD5

C.

LEAP

D.

EAP-TLS

E.

EAP-TTLS

Question 54

In which two ways can users and endpoints be classified for TrustSec?

(Choose Two.)

Options:

A.

VLAN

B.

SXP

C.

dynamic

D.

QoS

E.

SGACL

Question 55

An enterprise uses a separate PSN for each of its four remote sites. Recently, a user reported receiving an "EAP-TLS authentication failed" message when moving between remote sites. Which configuration must be applied on Cisco ISE?

Options:

A.

Use a third-party certificate on the network device.

B.

Add the device to all PSN nodes in the deployment.

C.

Renew the expired certificate on one of the PSN.

D.

Configure an authorization profile for the end users.

Question 56

What is a characteristic of the UDP protocol?

Options:

A.

UDP can detect when a server is down.

B.

UDP offers best-effort delivery

C.

UDP can detect when a server is slow

D.

UDP offers information about a non-existent server

Question 57

What is a valid guest portal type?

Options:

A.

Sponsored-Guest

B.

My Devices

C.

Sponsor

D.

Captive-Guest

Question 58

Which nodes are supported in a distributed Cisco ISE deployment?

Options:

A.

Policy Service nodes for session failover

B.

Monitoring nodes for PxGrid services

C.

Administration nodes for session failover

D.

Policy Service nodes for automatic failover

Question 59

A network administrator is configuring authorization policies on Cisco ISE There is a requirement to use AD group assignments to control access to network resources After a recent power failure and Cisco ISE rebooting itself, the AD group assignments no longer work What is the cause of this issue?

Options:

A.

The AD join point is no longer connected.

B.

The AD DNS response is slow.

C.

The certificate checks are not being conducted.

D.

The network devices ports are shut down.

Question 60

Which two responses from the RADIUS server to NAS are valid during the authentication process? (Choose two)

Options:

A.

access-response

B.

access-request

C.

access-reserved

D.

access-accept

E.

access-challenge

Question 61

Which term refers to an endpoint agent that tries to join an 802 1X-enabled network?

Options:

A.

EAP server

B.

supplicant

C.

client

D.

authenticator

Question 62

The Cisco Wireless LAN Controller and guest portal must be set up in Cisco ISE. These configurations were performed:

• configured all the required Cisco Wireless LAN Controller configurations

• added the wireless controller to Cisco ISE network devices

• created an endpoint identity group

• configured credentials to be sent by email

• configured the SMTP server

• configured an authorization profile with redirection to the guest portal and redirected the access control list

• configured an authentication policy for MAB users

• created an authorization policy

Which two components would be required to complete the configuration? (Choose two.)

Options:

A.

sponsor group

B.

hotspot guest portal

C.

sponsor portal

D.

self-registered guest portal

E.

guest type

Question 63

Which two endpoint compliance statuses are possible? (Choose two.)

Options:

A.

unknown

B.

known

C.

invalid

D.

compliant

E.

valid

Question 64

What sends the redirect ACL that is configured in the authorization profile back to the Cisco WLC?

Options:

A.

Cisco-av-pair

B.

Class attribute

C.

Event

D.

State attribute

Question 65

An engineer is configuring sponsored guest access and needs to limit each sponsored guest to a maximum of two devices. There are other guest services in production that rely on the default guest types. How should this configuration change be made without disrupting the other guest services currently offering three or more guest devices per user?

Options:

A.

Create an ISE identity group to add users to and limit the number of logins via the group configuration.

B.

Create a new guest type and set the maximum number of devices sponsored guests can register

C.

Create an LDAP login for each guest and tag that in the guest portal for authentication.

D.

Create a new sponsor group and adjust the settings to limit the devices for each guest.

Question 66

An administrator is attempting to join a new node to the primary Cisco ISE node, but receives the error message "Node is Unreachable". What is causing this error?

Options:

A.

The second node is a PAN node.

B.

No administrative certificate is available for the second node.

C.

The second node is in standalone mode.

D.

No admin privileges are available on the second node.

Question 67

What should be considered when configuring certificates for BYOD?

    An endpoint certificate is mandatory for the Cisco ISE BYOD

Options:

A.

An Android endpoint uses EST whereas other operation systems use SCEP for enrollment

B.

The CN field is populated with the endpoint host name.

C.

The SAN field is populated with the end user name

Question 68

Which two values are compared by the binary comparison (unction in authentication that is based on Active Directory?

Options:

A.

subject alternative name and the common name

B.

MS-CHAPv2 provided machine credentials and credentials stored in Active Directory

C.

user-presented password hash and a hash stored in Active Directory

D.

user-presented certificate and a certificate stored in Active Directory

Question 69

What is the default port used by Cisco ISE for NetFlow version 9 probe?

Options:

A.

UDP 9996

B.

UDP 9997

C.

UDP 9998

D.

UDP 9999

Question 70

An engineer is configuring Cisco ISE for guest services They would like to have any unregistered guests redirected to the guest portal for authentication then have a CoA provide them with full access to the network that is segmented via firewalls Why is the given configuration failing to accomplish this goal?

Options:

A.

The Guest Flow condition is not in the line that gives access to the quest portal

B.

The Network_Access_Authentication_Passed condition will not work with guest services for portal access.

C.

The Permit Access result is not set to restricted access in its policy line

D.

The Guest Portal and Guest Access policy lines are in the wrong order

Question 71

An administrator for a small network is configuring Cisco ISE to provide dynamic network access to users. Management needs Cisco ISE to not automatically trigger a CoA whenever a profile change is detected. Instead, the administrator needs to verify the new profile and manually trigger a CoA. What must be configuring in the profiler to accomplish this goal?

Options:

A.

Port Bounce

B.

No CoA

C.

Session Query

D.

Reauth

Question 72

An administrator needs to connect ISE to Active Directory as an external authentication source and allow the proper ports through the firewall. Which two ports should be opened to accomplish this task? (Choose two)

Options:

A.

TELNET 23

B.

LDAP 389

C.

HTTP 80

D.

HTTPS 443

E.

MSRPC 445

Question 73

An employee must access the internet through the corporate network from a new mobile device that does not support native supplicant provisioning provided by Cisco ISE. Which portal must the employee use to provision to the device?

Options:

A.

BYOD

B.

Personal Device

C.

My Devices

D.

Client Provisioning

Question 74

Which CLI command must be configured on the switchport to immediately run the MAB process if a non-802.1X capable endpoint connects to the port?

Options:

A.

authentication order mab dot1x

B.

authentication fallback

C.

dot1x pae authenticator

D.

access-session port-control auto

Question 75

An administrator is configuring a new profiling policy within Cisco ISE The organization has several endpoints that are the same device type and all have the same Block ID in their MAC address. The profiler does not currently have a profiling policy created to categorize these endpoints. therefore a custom profiling policy must be created Which condition must the administrator use in order to properly profile an ACME Al Connector endpoint for network access with MAC address ?

Options:

A.

MAC_OUI_STARTSWITH_

B.

CDP_cdpCacheDevicelD_CONTAINS_

C.

MAC_MACAddress_CONTAINS_

D.

Radius Called Station-ID STARTSWITH

Question 76

An employee logs on to the My Devices portal and marks a currently on-boarded device as ‘Lost’.

Which two actions occur within Cisco ISE as a result oí this action? (Choose two)

Options:

A.

Certificates provisioned to the device are not revoked

B.

BYOD Registration status is updated to No

C.

The device access has been denied

D.

BYOD Registration status is updated to Unknown.

E.

The device status is updated to Stolen

Question 77

What is a valid status of an endpoint attribute during the device registration process?

Options:

A.

block listed

B.

pending

C.

unknown

D.

DenyAccess

Question 78

An engineer wants to use certificate authentication for endpoints that connect to a wired network integrated with Cisco ISE. The engineer needs to define the certificate field used as the principal username. Which component would be needed to complete the configuration?

Options:

A.

Authorization rule

B.

Authorization profile

C.

Authentication policy

D.

Authentication profile

Question 79

An administrator enables the profiling service for Cisco ISE to use for authorization policies while in closed mode. When the endpoints connect, they receive limited access so that the profiling probes can gather information and Cisco ISE can assign the correct profiles. They are using the default values within Cisco ISE. but the devices do not change their access due to the new profile. What is the problem'?

Options:

A.

In closed mode, profiling does not work unless CDP is enabled.

B.

The profiling probes are not able to collect enough information to change the device profile

C.

The profiler feed is not downloading new information so the profiler is inactive

D.

The default profiler configuration is set to No CoA for the reauthentication setting

Question 80

Refer to the exhibit.

An engineer is creating a new TACACS* command set and cannot use any show commands after togging into the device with this command set authorization Which configuration is causing this issue?

Options:

A.

Question marks are not allowed as wildcards for command sets.

B.

The command set is allowing all commands that are not in the command list

C.

The wildcard command listed is in the wrong format

D.

The command set is working like an ACL and denying every command.

Question 81

In a standalone Cisco ISE deployment, which two personas are configured on a node? (Choose two )

Options:

A.

publisher

B.

administration

C.

primary

D.

policy service

E.

subscriber

Question 82

Which two fields are available when creating an endpoint on the context visibility page of Cisco IS? (Choose two)

Options:

A.

Policy Assignment

B.

Endpoint Family

C.

Identity Group Assignment

D.

Security Group Tag

E.

IP Address

Question 83

Which two Cisco ISE deployment models require two nodes configured with dedicated PAN and MnT personas? (Choose two.)

Options:

A.

three PSN nodes

B.

seven PSN nodes with one PxGrid node

C.

five PSN nodes with one PxGrid node

D.

two PSN nodes with one PxGrid node

E.

six PSN nodes

Question 84

When configuring an authorization policy, an administrator cannot see specific Active Directory groups present in their domain to be used as a policy condition. However, other groups that are in the same domain are seen What is causing this issue?

Options:

A.

Cisco ISE only sees the built-in groups, not user created ones

B.

The groups are present but need to be manually typed as conditions

C.

Cisco ISE's connection to the AD join point is failing

D.

The groups are not added to Cisco ISE under the AD join point

Question 85

What are two benefits of TACACS+ versus RADIUS for device administration? (Choose two )

Options:

A.

TACACS+ supports 802.1X, and RADIUS supports MAB

B.

TACACS+ uses UDP, and RADIUS uses TCP

C.

TACACS+ has command authorization, and RADIUS does not.

D.

TACACS+ provides the service type, and RADIUS does not

E.

TACACS+ encrypts the whole payload, and RADIUS encrypts only the password.

Question 86

What is a difference between RADIUS versus TACACS+ with regards to packet encryption?

Options:

A.

TACACS+ encrypts the entire body of the packet, and RADIUS encrypts the username and password in the access-request packet.

B.

RADIUS encrypts the entire body of the packet, and TACACS+ encrypts the username and password in the access-request packet.

C.

RADIUS encrypts the entire body of the packet, and TACACS+ encrypts only the password in the access-request packet.

D.

TACACS+ encrypts the entire body of the packet, and RADIUS encrypts only the password in the access-request packet.

Question 87

A company manager is hosting a conference. Conference participants must connect to an open guest SSID and only use a preassigned code that they enter into the guest portal prior to gaining access to the network. How should the manager configure Cisco ISE to accomplish this goal?

Options:

A.

Create entries in the guest identity group for all participants.

B.

Create an access code to be entered in the AUP page.

C.

Create logins for each participant to give them sponsored access.

D.

Create a registration code to be entered on the portal splash page.

Question 88

A network administrator changed a Cisco ISE deployment from pilot to production and noticed that the JVM memory utilization increased significantly. The administrator suspects this is due to replication between the nodes What must be configured to minimize performance degradation?

Options:

A.

Review the profiling policies for any misconfiguration

B.

Enable the endpoint attribute filter

C.

Change the reauthenticate interval.

D.

Ensure that Cisco ISE is updated with the latest profiler feed update

Exam Detail
Vendor: Cisco
Certification: CCNP Security
Exam Code: 300-715
Exam Name: Implementing and Configuring Cisco Identity Services Engine (SISE) v4.0 (300-715 SISE)
Last Update: Sep 16, 2025
300-715 Question Answers
Page: 1 / 22
Total 295 questions
Get 300-715 Full Access Download 300-715 PDF