
Cisco ISE 300-715 Flashcards | Quizlet https://quizlet.com/808969743/cisco-ise-300-715-flash-cards/?funnel...

Cisco ISE 300-715 Study


Terms in this set (101)

Q: What guest services can a receptionist provide who has an account in the ISE Guest Services Sponsor Group?
A: Create and manage guest user accounts

Q: Service of an ISE node to identify types of devices connecting to the network?
A: Profiling

Q: Default endpoint identity group for an endpoint that does not match any profile in ISE?
A: Unknown

Q: What sends the redirect ACL that is configured in the ISE Authorization Profile back to the WLC?
A: Cisco-av-pair

1 of 20 27/09/2023, 11:15 pm

Q: What two values are compared by the binary comparison function in authentication based on Active Directory? What are two other values?
A:
1. User presented certificate compared with the AD store certificate
2. Subject alternate name compared with the common name

Q: Cisco ISE is running in an IP phone only environment. Phones cannot authenticate via 802.1X; what command is needed on each switch port for authentication?
A: mab

Q: How is PSN redundancy achieved in a deployment?
A: Create a node group

Q: In an ISE distributed deployment an engineer needs to configure network probes to collect attributes from endpoints. Which node can he use to accomplish this? Which node can he use to configure this?
A:
1. PSN
2. Admin

Q: What are two guest password policy requirements to mitigate brute force attacks?
A:
1. Password expiration period
2. Minimum password length

Q: Two components of a posture requirement when configuring ISE posture?
A:
1. Conditions
2. Remediation actions


Q: What is the minimum certainty factor when creating a profiler policy?
A: The minimum value threshold that a device must meet for ISE to consider that device part of that profile

Q: An employee has been configured with an external identity store for authentication. If the engineer uses the admin portal to select the internal identity store as the ID source, what happens?
A: Authentication will fail. Engineer needs to select the external identity source

Q: What are two methods for a sponsor to create bulk guest accounts from the sponsor portal?
A:
1. Import - CSV
2. Random - ISE autogenerates the user accounts

Q: When configuring web authentication and you want to allow specific protocols, such as permitting DNS traffic, what type of ACL should you use?
A: Extended ACL

Q: What are the ISE guest portal types?
A:
1. Sponsored guest
2. Hotspot
3. Self registered guest

Q: What ports need to be open to configure AD as an external authentication source for ISE?
A:
TCP 389 - LDAP
TCP 445 - MSRPC


Q: In a split deployment which workload is split between all of the nodes?
A: AAA - authentication, authorization, accounting

Q: What are the personas of an ISE node?
A:
1. Admin
2. PSN
3. MnT

Q: What is the method to transport SGTs throughout the network?
A: SGT exchange protocol

Q: Four steps to edit an ISE node and make it a PAN?
A:
1. Administration - system - deployment
2. Click the checkbox next to the node and select edit
3. Click make primary administration node
4. Click save

Q: What does ISE use to resolve ambiguous AD group names?
A: SID

Q: RADIUS attribute to dynamically assign an inactivity timer for MAB users?
A: Idle-timeout

Q: Portal to customize your settings to login and download the compliance module?
A: Client provisioning


Q: Advanced WLAN option to enable that will trigger central web authentication for wireless users on an AirOS controller?
A: AAA override

Q: Portal to prevent lost or stolen items from accessing the network?
A: Blacklist portal - you can still see info as to why a device was blocked

Q: Probe to re-profile endpoints based only on new requests of INIT-REBOOT and SELECTING messages?
A: DHCP

Q: ISE configuration requirement in authentication policy to allow central web authentication?
A: If user not found, continue

Q: What are two features available when PAN is down and SAN has not yet been promoted?
A:
1. New AD user 802.1X authentication
2. Posture

Q: What ISE persona needs the largest amount of storage?
A: Monitoring and troubleshooting (MnT)

Q: What happens when an ISE distributed deployment has two nodes and the secondary node becomes deregistered?
A: Only the secondary node restarts


Q: What are the default identity groups that ISE creates?
A:
1. Unknown
2. Registered
3. Profiled
4. Blacklist
5. Guest Endpoints

Q: Command to configure web authentication on a switch using non-standard ports?
A: ip http port <port number>

Q: Successful authentication of unknown MAC or identities requires this configuration on the ISE auth policy?
A: Continue

Q: What is the port for native supplicant provisioning of a Windows laptop?
A: TCP 8909

Q: Common permission to AD join and leave operations?
A: Search AD to see if an ISE user machine account already exists

Q: Two fields of the Context Visibility page of ISE when creating an endpoint?
A:
1. Identity group assignment
2. Policy assignment

Q: What are two ways to classify users and endpoints for TrustSec?
A:
1. Static - VLAN
2. Dynamic - 802.1X, MAB, web authentication

Q: What are two task types of common tasks support for TACACS+ profiles?
A:
WLC
Shell


Q: What is the command to filter traffic based on SGTs using a security policy on a routed interface?
A: cts role-based enforcement

Q: What gives ISE the option to scan for endpoint vulnerabilities?
A: Authorization profile

Q: What is the required TCP protocol for a BYOD device to access the BYOD portal?
A: HTTPS

Q: What are the open ports needed for posture configuration between client and ISE?
A:
TCP 8443
TCP 8905

Q: To enforce access control using tags, what feature of Cisco ISE can be used in a scalable manner?
A: SGTs

Q: Benefits of TACACS+ over RADIUS for device administration?
A:
1. TACACS+ encrypts the whole payload while RADIUS only encrypts the password
2. TACACS+ has command authorization

Q: Low impact mode in an ISE phased deployment; what service access will be denied when connecting to the network before auth?
A: HTTP


Q: What must match between ISE and the NAD to successfully authenticate endpoints?
A: Shared secret

Q: What is the purpose of the "ip http server" command on a switch?
A: Allows the switch to redirect users for central web authentication

Q: What are two required components for the native supplicant profile within the BYOD flow?
A:
iOS settings
Operating system

Q: In a standalone Cisco ISE deployment, which two personas can be configured on a node?
A:
Admin
PSN

Q: What is the command to display all 802.1X and MAB active sessions on a Catalyst or legacy switch? What is the command to display the active session on a specific interface?
A:
1. show authentication sessions
2. show authentication sessions interface <interface>

Q: What supplicant and server are capable of EAP chaining?
A:
Supplicant - AnyConnect NAM
Server - Cisco ISE


Q: What are the requirements when generating a single certificate in ISE via the certificate provisioning portal without generating a CSR?
A:
1. Certificate template is selected
2. Common name is entered

Q: What is the necessary 802.1X authentication command at the interface level? What is the command at the global level?
A:
1. dot1x pae authenticator
2. dot1x system-auth-control

Q: What are the two required probes for the ARP cache function of the ISE profiling service to work?
A:
RADIUS
DHCP

Q: What is a use case that validates a change of authorization?
A: Endpoint profiling policy gets changed for the authorization policy

Q: What are two possible endpoint compliance statuses?
A:
Compliant
Unknown

Q: What profiling probe collects the user-agent string?
A: HTTP

Q: If CoA is enabled globally for ReAuth, what events could trigger a CoA for an endpoint?
A:
Endpoint profile change from Unknown to Windows10-Device
Endpoint profile change from Apple-Device to Apple-iPhone


Q: ISE service to check compliance of endpoints before they connect to the network?
A: Posture

Q: What is the term for the endpoint agent trying to join an 802.1X network?
A: Supplicant

Q: What is a requirement of the feed service?
A: Cisco ISE has a connection to the Internet to download the feed update

Q: What occurs when an ISE administrator logs into a device?
A: The internal identity store is queried by ISE, then the external identity store is queried

Q: What are the two standard ports for CoA?
A:
1700
3799

Q: What is required to configure ISE guest services to allow wireless devices to access the network?
A: The redirect ACL must be created on the WLC and referenced in the Cisco ISE policy

Q: What is needed on the WLC to configure wireless guest access on the network?
A: Webauth ACL for redirection


Q: An engineer is implementing Cisco ISE and needs to configure 802.1X. The port settings are configured for port-based authentication. Which command should be used to complete this configuration?
A: dot1x system-auth-control (the question specifies that port settings are already configured, so not dot1x pae authenticator)

Q: Which protocol is best used for device administration, authentication, and authorization?
A: TACACS+

Q: What is a feature of TACACS+ authorization?
A: Each command entered must be authenticated and then authorized

Q: What two protocols are used for endpoint authentication communications between a NAD and an authentication server?
A:
RADIUS
TACACS+

Q: What is true of TACACS+ support in Cisco ISE?
A:
When enabled, settings will not be populated across all PSNs
It is not enabled by default
It does not require a Plus license
When enabled, all capable devices are not instantly able to communicate with the server

Q: What does a TACACS command set do?
A: Enforces a specified list of commands that can be executed by a device administrator


Q: What feature allows similar device types to share the same policies?
A: Device Groups

Q: A TACACS regular policy set consists of:
A:
Authorization rule table
Authentication rule table

Q: Two components of the posture service?
A:
Posture Administration Services
Posture Run-time Services

Q: Simple posture conditions
A:
File condition
Registry condition
USB condition

Q: What module contains a list of fields and attributes that are provided by OPSWAT that support posture in Cisco ISE?
A: Compliance module

Q: Posture operational deployment modes (3)
A:
Audit - client permitted even if security posture is non compliant
Optional - client is given the option to continue to bypass the posture assessment policy
Mandatory - client is notified of failure and must take corrective action to comply with policy

Q: Cisco ISE feature that is responsible for pushing client agent software to an endpoint:
A: Client provisioning

Q: First step to supporting client provisioning?
A: Download the appropriate agents to Cisco ISE


Q: Benefits of BYOD (3)
A:
Supplicant provisioning on all major platforms
User-based device registration reduces the burden on IT staff
Certificates can be automatically provisioned to support both EAP-TLS and PEAP-MSCHAPv2

Q: In a BYOD scenario where iPads and iPhones will not connect to a desired SSID, what is the solution?
A: In the Native Supplicant Profile check the box for "enable if target network is hidden"

Q: After the onboarding process has been completed via the BYOD portal, what identity group does the endpoint belong to?
A: Registered Devices

Q: Purposes of a certificate template for BYOD deployment (3)?
A:
Define the SCEP RA profile to be used for the CA
Define key sizes
Define SAN field options

Q: Guidelines for proper provisioning of a dual SSID BYOD solution (3):
A:
Policy for employee provisioned endpoints should come before the policy for unprovisioned endpoints due to top down processing
Configure a provisioning policy rule to specify which native supplicant profile to use
Separate provisioning policy rules can be created to accommodate endpoints with different OS

Q: How can a certificate be revoked from an endpoint should it be stolen?
A:
Users can use the My Devices portal
Admins can do this via the standard Cisco ISE GUI


Q: ISE profiling service characteristics (3):
A:
Can be used to automatically discover, locate, and determine the capabilities of all connected endpoints
Option for static profiling
Profiling sensor only runs on PSNs

Q: Two components of the Cisco ISE profiling service:
A:
The sensor
The analyzer

Q: What must be done to keep profile definitions and OUI databases up to date?
A: Use the Cisco ISE profiler feed service

Q: Guest Portal
A: Work Center > Guest Access > Portals & Components > Guest Portals
User portal that the end user goes through for onboarding. This is only used for the dual-SSID flow. An existing guest portal can be used for guest and BYOD at the same time, provided that the customer is using named guest access as opposed to hotspot guest access.

Q: BYOD Portal
A: Work Center > BYOD > Portals & Components > BYOD Portals, or Administration > Device Portal Management > BYOD
User portal that the end user goes through for onboarding. This is only used for the single-SSID flow.


Q: Blacklist Portal
A: Administration > Device Portal Management > Blacklist
User portal for users with endpoints in the blacklist group. Instead of denying network access for blacklisted devices, it may be useful to provide visual guidance on how to proceed to get the device back on the network when their device is blacklisted.

Q: My Devices Portal (MDP)
A: Work Center > BYOD > Portals & Components > My Devices Portals, or Administration > Device Portal Management > My Devices
Used for end users to manage their own devices. Here users can view onboarded devices as well as add devices manually. The user can also mark devices as stolen or lost, which can impact network access. If ISE is integrated with MDM/EMM, the user can also issue lock, full wipe, and corporate wipe from the portal.

Q: Certificate Provisioning Portal
A: Administration > Device Portal Management > Certificate Provisioning Portal
Used for signing and generating certificates manually. Certificates can be signed by importing a CSR, or a certificate pair can be generated from the portal. Access to the portal can be controlled via ID store and groups.

Q: 3 main components of device posture
A:
Client provisioning
Remediation
Assessment


Q: Authorization profile
A: The basic "permissions container" for a RADIUS-based network access service. The authorization profile is where you define all permissions to be granted for a network access request. VLANs, ACLs, URL redirects, session timeout or reauthorization timers, or any other RADIUS attributes to be returned in a response are defined in the authorization profile.

Q: Posture Operational Modes
A:
Audit - Client is not notified of any failure results based on the posture assessment policy.
Optional - Client is notified of failure results and given the option to continue to bypass the posture assessment policy.
Mandatory - Client is notified of failure results and given a remediation timer to manually perform corrective action to comply with the posture assessment policy.


Q: TrustSec methods of propagation
A:
Inline Tagging - The SGT is embedded into the Ethernet frame to allow the upstream devices to read and apply policy. The ability to insert the SGT within an Ethernet frame does require Cisco network devices with ASIC support for TrustSec. The frame is dropped if a tagged frame is received by a network device that does not support it.
SXP (SGT Exchange Protocol) - Network devices that don't have hardware support use a protocol called SXP, a TCP-based peer-to-peer protocol. It is used to share the IP to SGT mapping and allows for continued SGT propagation to the next device in the path. The SXP peer that sends the IP to SGT mapping is called a speaker, while the IP to SGT mapping receiver is called a listener.

Q: dot1x pae [supplicant | authenticator | both]
A: Sets the Port Access Entity (PAE) type.
supplicant - The interface acts only as a supplicant and does not respond to messages that are meant for an authenticator.
authenticator - The interface acts only as an authenticator and does not respond to any messages meant for a supplicant.
both - The interface behaves both as a supplicant and as an authenticator and thus does respond to all dot1x messages.


Q: access-session port-control {auto | force-authorized | force-unauthorized}
A: Enables 802.1X port-based authentication on the interface.
auto - Enables IEEE 802.1X authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port changes from down to up or when an EAPOL-start frame is received. The device requests the identity of the supplicant and begins relaying authentication messages between the supplicant and the authentication server. Each supplicant attempting to access the network is uniquely identified by the device by using the supplicant MAC address.
force-authorized - Disables IEEE 802.1X authentication and causes the port to change to the authorized state without any authentication exchange required. The port sends and receives normal traffic without IEEE 802.1X-based authentication of the client. This is the default setting.
force-unauthorized - Causes the port to remain in the unauthorized state, ignoring all attempts by the supplicant to authenticate. The device cannot provide authentication services to the supplicant through the port.
Note: Effective with Cisco IOS Release 12.2(33)SXI, the authentication port-control command replaces the dot1x port-control command.


Q: access-session host-mode [multi-auth | multi-domain | multi-host | single-host] interface-id
A:
Multi-auth - Every supplicant authenticates individually.
Multi-Domain - One voice and one data VLAN allowed.
Multi-Host - If one gets authenticated, the remaining will get authenticated.
Single Mode - One on one, only data VLAN (no voice VLAN is allowed).

Single Host Mode: If there is an authorized client, the port is authorized. On a port, only one host can be permitted. The unauthorized port condition is caused by the second client.

Multiple Host Mode: If there is at least one authorized client, a port is authorized. Untagged traffic is remapped to the guest VLAN when a port is unauthorized and a guest VLAN is enabled. Unless it belongs to the guest VLAN or an unauthenticated VLAN, tagged communication is dropped. Only tagged traffic belonging to unauthenticated VLANs is bridged if the guest VLAN is not configured on a port. Untagged and tagged traffic from all hosts connected to the port is bridged when the port is authorized, based on the static/dynamic VLAN membership port configuration.

Multiple Domain Mode: When only one data and one voice VLAN are present behind a single port, and you want independent authentication for both the phone and the workstation, this scenario is referred to as MDA (Multiple domain mode).

Multiple Authentication Mode: A port in the multi-session mode does not have an authentication status, unlike the single-host and multi-host modes. Each client connected to the port is assigned this status.

Q: Enable WLC to use CWA
A:
Enable AAA override
NAC State - Radius
