CCNP Security 350-701 Reddit Questions

Add the DNS entry for the new Cisco ISE node into the DNS server. This is because the fully qualified domain name (FQDN) of the new Cisco ISE node, for example, ise1.cisco.com, must be DNS-resolvable from the primary Administration ISE node. Otherwise, node registration will fail. The DNS server must contain the IP addresses and FQDNs of the ISE nodes that are part of the distributed deployment1.

The other options are incorrect because:

• Changing the IP address of the new Cisco ISE node to the same network as the others is not necessary, as long as the nodes can communicate with each other over the network.
• Making the new Cisco ISE node a secondary PAN before registering it with the primary is not possible, as the node must be registered first before changing its persona or role.
• Opening port 8905 on the firewall between the Cisco ISE nodes is not required, as this port is used for communication between the primary and secondary Monitoring ISE nodes, not for node registration.

References:

• Setting Up Cisco ISE in a Distributed Environment
• ISE node registering after change domain-name
• FQDN IN ISE

To achieve the goal of excluding some servers from the VPN tunnel and accessing them directly, the engineer must modify the group policy that is applied to the remote access VPN users. The group policy contains the settings for split tunneling, which is a feature that allows the VPN client to route some traffic through the VPN tunnel and some traffic directly to the internet. Split tunneling can be configured based on the destination IP address, the application, or the domain name of the traffic. By modifying the group policy, the engineer can specify which servers or networks should be excluded from the VPN tunnel and accessed directly by the VPN client. This can improve the performance and efficiency of the VPN connection, as well as reduce the load on the VPN gateway and the corporate network. However, split tunneling also introduces some security risks, such as exposing the VPN client to internet threats, bypassing the corporate firewall and security policies, and leaking sensitive data. Therefore, the engineer must carefully evaluate the trade-offs and best practices of using split tunneling for remote access VPNs. References :=

• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Secure Connectivity, Lesson 3.1: Implementing and Troubleshooting Remote Access VPN, Topic 3.1.4: Configure and Verify Remote Access VPN, Subtopic 3.1.4.2: Configure and Verify Split Tunneling
• VPN Split Tunneling: What It Is & Pros and Cons
• Cisco ASA - Enable Split Tunnel for Remote VPN Clients

CoA-ACK is the CoA response code that is sent if an authorization state is changed successfully on a Cisco IOS device. CoA-ACK stands for CoA acknowledgment, which indicates that the device has received and processed the CoA request from the server and applied the new authorization settings to the session. The attributes returned within a CoA-ACK can vary based on the CoA request, such as session reauthentication, session termination, or session modification. The other options are not correct because they are not valid CoA response codes. CoA-NCL, CoA-NAK, and CoA-MAV are not defined in RFC 5176, which specifies the CoA protocol. CoA-NAK is the closest option, but it stands for CoA non-acknowledgment, which indicates that the device has rejected the CoA request from the server due to some error or inconsistency. References :=

Some possible references are:

• RADIUS Change of Authorization - Cisco
• Security and VPN Configuration Guide, Cisco IOS XE 17.x
• RFC 5176 - Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)