Cisco ISE is a security policy management platform that provides secure access to network resources. Cisco ISE functions as a policy decision point and enables enterprises to ensure compliance, enhance infrastructure security, and streamline service operations [1]. Two of the statements that are true regarding Cisco ISE are:
ISE can detect endpoints whose addresses have been translated via NAT: Cisco ISE can discover, profile, and monitor the endpoint devices on the network, and classify them according to their associated policies and identity groups. Cisco ISE can leverage the pxGrid framework to share the contextual information with other security tools and platforms, and enhance the network visibility and security [1]. Cisco ISE can also detect endpoints whose addresses have been translated via NAT by using various methods, such as passive and active discovery, NMAP scanning, DHCP snooping, and RADIUS accounting [2][3][4].
The number of logs that ISE can retain is determined by your disk space: Cisco ISE provides a logging mechanism that is used for auditing, fault management, and troubleshooting. The logging mechanism helps you to identify fault conditions in deployed services and troubleshoot issues efficiently. You can configure your Cisco ISE node to collect the logs in the local systems using a virtual loopback address [5]. The number of logs that ISE can retain is determined by your disk space, as well as the data purging settings that you can configure under Administration > System > Maintenance > Data Purging [6]. You can also configure Cisco ISE to send its logs to a remote system for greater retention history [7].
The other statements are not true regarding Cisco ISE, because:
In distributed deployments, failover from primary to secondary Policy Administration Nodes happens automatically: Cisco ISE supports high availability for the Administration persona, which provides centralized configuration and management of the distributed deployment. You can configure one primary Administration ISE node and one secondary Administration ISE node for high availability. However, the failover from primary to secondary Policy Administration Nodes does not happen automatically, unless you enable the automatic failover feature and configure a health check node to monitor the primary node’s status [8]. Otherwise, you have to manually promote the secondary node to become the primary node in case of a failure [9].
In two-node standalone ISE deployments, failover must be done manually: Cisco ISE supports high availability for the Policy Service persona, which provides network access, posture, guest access, client provisioning, and profiling services. You can configure multiple Policy Service Nodes (PSNs) in a node group to provide session failover and load balancing for the endpoints. In a two-node standalone ISE deployment, where each node assumes all the personas, the failover for the Policy Service persona does not need to be done manually, as long as the network access devices are configured to use both nodes for RADIUS and TACACS services [10].
ISE supports IPv6 downloadable ACLs: Cisco ISE supports downloadable ACLs (DACLs), which are configured and implemented through authorization profiles. DACLs are used to enforce granular access control policies for the endpoints based on their identity and other attributes. However, Cisco ISE does not support IPv6 downloadable ACLs, as it only supports IPv4 ACLs for RADIUS and TACACS protocols [11][12].
References:
1: Cisco Content Hub - Cisco ISE Features
2: Cisco ISE Profiler Service Overview
3: ISE Deployment through NAT Boundaries - Cisco Community
4: Configure ISE 3.3 Native IPSec to Secure NAD (IOS-XE) Communication - Cisco
5: Logging [Cisco Identity Services Engine] - Cisco Systems
6: ISE maximum logging time / data retention - Cisco Community
7: Logs retention on ISE - Cisco Community
8: Cisco Identity Services Engine Administrator Guide, Release 2.4
9: Setting Up Cisco ISE in a Distributed Environment
10: Cisco Content Hub - Network Deployments in Cisco ISE
11: Cisco Identity Services Engine Administrator Guide, Release 2.2
12: Solved: ISE: support for IPv6 DACL’s - Cisco Community
"There is no automatic failover for the Administration persona."
Platforms and ISE versions appear to support IPv6 DACL just fine now.