Free CCNP Security 300-715 Ultimate Study Guide (Updated 153 Questions) [Q23-Q46]


Understanding functional and technical aspects of Implementing and Configuring Cisco Identity Services Engine (300-715 SISE) Policy enforcement

The following will be discussed in CISCO 300-715 exam dumps:

  • Cisco TrustSec Configuration
  • Implementing Third-Party Network Access Device Support
  • Introducing Web Access with Cisco ISE
  • Local
  • Describe identity store options
  • Introducing Identity Management
  • Easy Connect
  • Configure native AD and LDAP
  • Cisco ISE Deployment Models
  • Describing Cisco ISE Functions
  • Context Visibility
  • PKI
  • Configuring Sponsor and Guest Portals
  • LDAP
  • AD
  • Configure wired/wireless 802.1X network access
  • Introducing Cisco TrustSec
  • Cisco ISE Policy Enforcement
  • Using MAC Authentication Bypass for Wired and Wireless Access
  • Smart Card
  • Web Authentication and Guest Services
  • Configuring Certificate Services
  • Using Cisco ISE as a Network Access Policy Engine
  • Introducing Guest Access Components
  • Introducing Cisco ISE Policy
  • Configuring Guest Access Settings
  • OTP

 

NEW QUESTION 23
Which two values are compared by the binary comparison function in authentication that is based on Active Directory?

  • A. user-presented certificate and a certificate stored in Active Directory
  • B. MS-CHAPv2 provided machine credentials and credentials stored in Active Directory
  • C. user-presented password hash and a hash stored in Active Directory
  • D. subject alternative name and the common name

Answer: A

Explanation:
Basic certificate checking does not require an identity source: Cisco ISE validates the certificate chain and uses a certificate attribute (the subject CN or a subject alternative name) only to identify the user. If you want binary comparison checking for the certificates, you must select an identity source. With Active Directory as the identity source, the subject, common name and subject alternative name (all values) are used to look up the user, and the certificate the user presented is then compared byte for byte with the certificate stored for that user in Active Directory. Option D names the lookup attributes, not the two values that are compared.
https://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_01110.html

 

NEW QUESTION 24
Which two default endpoint identity groups does Cisco ISE create? (Choose two.)

  • A. block list
  • B. allow list
  • C. profiled
  • D. endpoint
  • E. unknown

Answer: C,E

Explanation:
Reference:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_010100.html
Default Endpoint Identity Groups Created for Endpoints: Cisco ISE creates the following five endpoint identity groups by default: Blacklist, GuestEndpoints, Profiled, RegisteredDevices, and Unknown. In addition, it creates two more identity groups, Cisco-IP-Phone and Workstation, which are associated to the Profiled (parent) identity group. A parent group is the default identity group that exists in the system.
Cisco ISE creates the following endpoint identity groups:
  • Blacklist: This endpoint identity group includes endpoints that are statically assigned to this group in Cisco ISE and endpoints that are block listed in the device registration portal. An authorization profile can be defined in Cisco ISE to permit, or deny network access to endpoints in this group.
  • GuestEndpoints: This endpoint identity group includes endpoints that are used by guest users.
  • Profiled: This endpoint identity group includes endpoints that match endpoint profiling policies except Cisco IP phones and workstations in Cisco ISE.
  • RegisteredDevices: This endpoint identity group includes endpoints, which are registered devices that are added by an employee through the devices registration portal. The profiling service continues to profile these devices normally when they are assigned to this group. Endpoints are statically assigned to this group in Cisco ISE, and the profiling service cannot reassign them to any other identity group. These devices will appear like any other endpoint in the endpoints list. You can edit, delete, and block these devices that you added through the device registration portal from the endpoints list in the Endpoints page in Cisco ISE. Devices that you have blocked in the device registration portal are assigned to the Blacklist endpoint identity group, and an authorization profile that exists in Cisco ISE redirects blocked devices to a URL, which displays "Unauthorised Network Access", a default portal page to the blocked devices.
  • Unknown: This endpoint identity group includes endpoints that do not match any profile in Cisco ISE.
In addition to the above system-created endpoint identity groups, Cisco ISE creates the following endpoint identity groups, which are associated to the Profiled identity group:
  • Cisco-IP-Phone: An identity group that contains all the profiled Cisco IP phones on your network.
  • Workstation: An identity group that contains all the profiled workstations on your network.

 

NEW QUESTION 25
Drag the Cisco ISE node types from the left onto the appropriate purposes on the right.

Answer:

Explanation:
  • Monitoring = provides advanced monitoring and troubleshooting tools that you can use to effectively manage your network and resources
  • Policy Service = provides network access, posture, guest access, client provisioning, and profiling services. This persona evaluates the policies and makes all the decisions.
  • Administration = manages all system-related configuration and configurations that relate to functionality such as authentication, authorization, auditing, and so on
  • pxGrid = shares context-sensitive information from Cisco ISE to subscribers
https://www.cisco.com/c/en/us/td/docs/security/ise/1-4/admin_guide/b_ise_admin_guide_14/b_ise_admin_guide

 

NEW QUESTION 26
Which RADIUS attribute is used to dynamically assign the inactivity timer for MAB users from the Cisco ISE node?

  • A. idle timeout
  • B. session timeout
  • C. termination-action
  • D. radius-server timeout

Answer: A

Explanation:
When the inactivity timer is enabled, the switch monitors the activity from authenticated endpoints. When the inactivity timer expires, the switch removes the authenticated session. The inactivity timer for MAB can be statically configured on the switch port, or it can be dynamically assigned using the RADIUS Idle-Timeout attribute (attribute 28). Session-Timeout (attribute 27) is different: it bounds the total lifetime of the session regardless of activity, and Termination-Action (attribute 29) tells the switch whether to reauthenticate or drop the session when that timer expires.

 

NEW QUESTION 27
A policy is being created in order to provide device administration access to the switches on a network. There is a requirement to ensure that if the session is not actively being used, after 10 minutes, it will be disconnected. Which task must be configured in order to meet this requirement?

  • A. session timeout
  • B. idle time
  • C. set attribute as
  • D. monitor

Answer: B

Explanation:
The TACACS+ profile (shell profile) that the device administration authorization policy returns has two timer settings under Common Tasks: Timeout, the absolute time a session may exist, and Idle Time, how long a session may sit unused before the device disconnects it. "Disconnect after 10 minutes of not being actively used" is the idle time.

 

NEW QUESTION 28
Which two default endpoint identity groups does Cisco ISE create? (Choose two.)

  • A. block list
  • B. allow list
  • C. profiled
  • D. endpoint
  • E. unknown

Answer: C,E

Explanation:
Identical to question 24 above: Cisco ISE creates Blacklist, GuestEndpoints, Profiled, RegisteredDevices and Unknown by default, plus Cisco-IP-Phone and Workstation under the Profiled parent group (see the reference and descriptions given there).

 

NEW QUESTION 29
What is a function of client provisioning?

  • A. Client provisioning checks a dictionary attribute with a value.
  • B. Client provisioning ensures that endpoints receive the appropriate posture agents.
  • C. Client provisioning ensures an application process is running on the endpoint.
  • D. Client provisioning checks the existence, date, and versions of the file on a client.

Answer: B

Explanation:
Reference:
https://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_client_prov.html#:~:text=After%20Cisco%20ISE%20classifies%20a,packages%20and%20profiles%2C%20if%20necessary.

 

NEW QUESTION 30
An engineer is configuring a dedicated SSID for onboarding devices. Which SSID type accomplishes this configuration?

  • A. broadcast
  • B. hidden
  • C. dual
  • D. guest

Answer: C

Explanation:
https://community.cisco.com/t5/security-documents/ise-byod-dual-vs-single-ssid-onboarding/ta-p/3641422
https://www.youtube.com/watch?v=HH_Xasqd9k4&ab_channel=CiscoISE-IdentityServicesEngine
http://www.labminutes.com/sec0053_ise_1_1_byod_wireless_onboarding_dual_ssid

 

NEW QUESTION 31
Which two ports must be open between Cisco ISE and the client when you configure posture on Cisco ISE?
(Choose two).

  • A. TCP 8905
  • B. TCP 80
  • C. TCP 443
  • D. TCP 8443
  • E. TCP 8906

Answer: A,D

Explanation:
Posture needs TCP 8443 for the Client Provisioning portal (redirection and agent download) and TCP 8905 for the posture agent's communication with the Policy Service node (discovery and posture negotiation); UDP 8905 carries the agent keepalives. Neither TCP 80 nor TCP 443 is required between the client and Cisco ISE for posture itself.

 

NEW QUESTION 32
Refer to the exhibit.

An organization recently implemented network device administration using Cisco ISE. Upon testing the ability to access all of the required devices, a user in the Cisco ISE group IT Admins is attempting to log in to a device in their organization's finance department but is unable to. What is the problem?

  • A. The authorization conditions wrongly allow IT Admins group no access to finance devices.
  • B. The finance location is not a condition in the policy set.
  • C. The authorization policy doesn't correctly grant them access to the finance devices.
  • D. The IT training rule is taking precedence over the IT Admins rule.

Answer: C

 

NEW QUESTION 33
An organization wants to standardize the 802.1X configuration on their switches and remove static ACLs on the switch ports while allowing Cisco ISE to communicate to the switch what access to provide. What must be configured to accomplish this task?

  • A. port security on the switch based on the client's information
  • B. dynamic access list within the authorization profile
  • C. security group tag within the authorization policy
  • D. extended access-list on the switch for the client

Answer: B

Explanation:
A downloadable ACL (dACL) is authored in Cisco ISE, referenced from the authorization profile, and delivered to the switch over RADIUS when the session is authorized, so the per-session access rules come from the policy engine rather than from a static ACL on the port. A security group tag only labels the traffic; enforcing on it needs Cisco TrustSec SGACLs on the enforcement device, which the question does not ask for.

 

NEW QUESTION 34
Which two events trigger a CoA for an endpoint when CoA is enabled globally for ReAuth? (Choose two.)

  • A. updating of endpoint dACL
  • B. endpoint profile transition from Unknown to Windows10-Workstation
  • C. endpoint profile transition from Apple-device to Apple-iPhone
  • D. endpoint marked as lost in My Devices Portal
  • E. addition of endpoint to My Devices Portal

Answer: B,C

Explanation:
Section: Profiler

 

NEW QUESTION 35
Which scenario does not support Cisco ISE guest services?

  • A. wireless LAN controller with central WebAuth
  • B. wired NAD with local WebAuth
  • C. wired NAD with central WebAuth
  • D. wireless LAN controller with local WebAuth

Answer: B

Explanation:
Cisco ISE guest access uses Central WebAuth (the NAD redirects the guest to the ISE portal and ISE pushes the result with a CoA) on both wired switches and wireless LAN controllers, and Local WebAuth on a wireless LAN controller, where the controller hosts the login page and authenticates the guest against ISE over RADIUS. A wired NAD using its own local WebAuth is not one of the supported Cisco ISE guest deployment scenarios, so option B is the one that does not support guest services; option A (WLC with central WebAuth) is the most common supported design.

 

NEW QUESTION 36
Which two features must be used on Cisco ISE to enable the TACACS+ feature? (Choose two.)

  • A. Command Sets
  • B. Device Admin Service
  • C. Server Sequence
  • D. External TACACS Servers
  • E. Device Administration License

Answer: B,E

Explanation:
TACACS+ device administration requires a Device Administration license to be installed and the Device Admin Service to be enabled on at least one Policy Service node; only then do the TACACS+ policy sets, command sets and shell profiles take effect. External TACACS servers and server sequences are for proxying requests to other TACACS+ servers, not for enabling the feature.

 

NEW QUESTION 37
When setting up profiling in an environment using Cisco ISE for network access control, an organization must use non-proprietary protocols for collecting the information at layer 2. Which two probes will provide this information without forwarding SPAN packets to Cisco ISE? (Choose two.)

  • A. SNMP query probe
  • B. NetFlow probe
  • C. DNS probe
  • D. RADIUS probe
  • E. DHCP SPAN probe

Answer: A,D

Explanation:
The SNMP query probe polls the NAD for its MAC address table, CDP/LLDP neighbours and ARP entries, and the RADIUS probe takes the attributes already in the NAD's RADIUS messages (Calling-Station-Id, NAS-Port and so on); both are standards-based and need no mirrored traffic. NetFlow is a Cisco protocol, and the DHCP SPAN probe by definition needs a SPAN session.
https://ciscocustomer.lookbookhq.com/iseguidedjourney/ISE-profiling-design

 

NEW QUESTION 38
If a user reports a device lost or stolen, which portal should be used to prevent the device from accessing the network while still providing information about why the device is blocked?

  • A. Guest
  • B. Client Provisioning
  • C. Blacklist
  • D. BYOD

Answer: C

Explanation:
Reference:
https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_Design_Guide/Managing_Lost_or_Stolen_Device.html#90273
The Blacklist identity group is system generated and maintained by ISE to prevent access to lost or stolen devices. In this design guide, two authorization profiles are used to enforce the permissions for wireless and wired devices within the Blacklist:
  • Blackhole WiFi Access
  • Blackhole Wired Access

 

NEW QUESTION 39
When configuring an authorization policy, an administrator cannot see specific Active Directory groups present in their domain to be used as a policy condition. However, other groups that are in the same domain are seen. What is causing this issue?

  • A. The groups are present but need to be manually typed as conditions
  • B. Cisco ISE's connection to the AD join point is failing
  • C. The groups are not added to Cisco ISE under the AD join point
  • D. Cisco ISE only sees the built-in groups, not user created ones

Answer: C

Explanation:
Reference:
https://www.youtube.com/watch?v=0kuEZEo564s&ab_channel=CiscoISE-IdentityServicesEngine

 

NEW QUESTION 40
Which two ports must be open between Cisco ISE and the client when you configure posture on Cisco ISE?
(Choose two).

  • A. TCP 8905
  • B. TCP 443
  • C. TCP 80
  • D. TCP 8443
  • E. TCP 8906

Answer: A,D

 

NEW QUESTION 41
An organization wants to improve their BYOD processes to have Cisco ISE issue certificates to the BYOD endpoints. Currently, they have an active certificate authority and do not want to replace it with Cisco ISE.
What must be configured within Cisco ISE to accomplish this goal?

  • A. Create a certificate signing request and have the root certificate authority sign it.
  • B. Add the root certificate authority to the trust store and enable it for authentication.
  • C. Add an OCSP profile and configure the root certificate authority as secondary.
  • D. Create an SCEP profile to link Cisco ISE with the root certificate authority.

Answer: D

Explanation:
Ref: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/116068-configure-pr

 

NEW QUESTION 42
An administrator is configuring TACACS+ on a Cisco switch but cannot authenticate users with Cisco ISE. The configuration contains the correct key of Cisc039712287, but the switch is not receiving a response from the Cisco ISE instance. What must be done to validate the AAA configuration and identify the problem with the TACACS+ servers?

  • A. Validate that the key value is correct using the test aaa authentication admin <key> legacy command.
  • B. Check for server reachability using the test aaa group tacacs+ admin <key> legacy command.
  • C. Test the user account on the server using the test aaa group radius server CUCS user admin pass <key> legacy command.
  • D. Confirm the authorization policies are correct using the test aaa authorization admin drop legacy command.

Answer: B

Explanation:
https://medium.com/training-course-ccna-security-210-260/ccna-security-part-3-implementing-aaa-in-cisco-ios-4b13ab285f51

 

NEW QUESTION 43
A network engineer is configuring Cisco TrustSec and needs to ensure that the Security Group Tag is being transmitted between two devices. Where in the Layer 2 frame should this be verified?

  • A. Payload
  • B. 802.1Q field
  • C. 802.1AE header
  • D. CMD field

Answer: D

Explanation:
Reference:
https://www.cisco.com/c/dam/global/en_ca/assets/ciscoconnect/2014/pdfs/policy_defined_segmentation_with_trustsec_rob_bleeker.pdf (slide 25)
The SGT travels inline in the Cisco MetaData (CMD) header (EtherType 0x8909), which is inserted after the source MAC address and any 802.1Q tag. The 802.1AE (MACsec) header provides integrity and confidentiality for the frame but does not itself carry the tag.
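To make the answer concrete, here is an added example (written for this page, not Cisco code) that walks an Ethernet frame past an optional 802.1Q tag to the CMD header and pulls out the SGT. The header layout it assumes (EtherType 0x8909, then version, length, SGT option type 0x0001, a 16-bit SGT and the encapsulated EtherType) is the format Cisco documents for CMD; check it against a capture from your own switches. The frames are constructed inline, and a frame carrying an 802.1AE SecTAG is reported rather than parsed, because the CMD header sits inside the MACsec-protected data.

```python
"""Find the Security Group Tag in an Ethernet frame that carries a Cisco MetaData (CMD) header."""
import struct

ETHERTYPE_8021Q = 0x8100   # VLAN tag: 2-byte TCI, then the next EtherType
ETHERTYPE_MACSEC = 0x88E5  # 802.1AE SecTAG
ETHERTYPE_CMD = 0x8909     # Cisco MetaData header carrying the SGT
ETHERTYPE_IPV4 = 0x0800
CMD_VERSION = 1
CMD_OPTION_SGT = 0x0001    # option type for a 16-bit SGT (assumed layout, see lead-in)
CMD_HEADER_LEN = 8         # version, length, option type, SGT, encapsulated EtherType


def build_cmd_frame(dst, src, sgt, inner_ethertype, payload, vlan=None):
    """DMAC | SMAC | [802.1Q] | 0x8909 | version | length | option | SGT | inner EtherType | payload."""
    frame = dst + src
    if vlan is not None:
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    frame += struct.pack("!H", ETHERTYPE_CMD)
    frame += struct.pack("!BBHHH", CMD_VERSION, 1, CMD_OPTION_SGT, sgt, inner_ethertype)
    return frame + payload


def parse_sgt(frame):
    """Return the SGT (plus VLAN, inner EtherType, payload) or a reason the frame has no readable SGT."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    result = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"), "vlan": None, "sgt": None}
    (ethertype,) = struct.unpack("!H", frame[12:14])
    pos = 14
    if ethertype == ETHERTYPE_8021Q:                       # skip the VLAN tag, keeping the VID
        if len(frame) < pos + 4:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[pos:pos + 4])
        result["vlan"] = tci & 0x0FFF
        pos += 4
    if ethertype == ETHERTYPE_MACSEC:                      # CMD is inside the protected region
        result["reason"] = "802.1AE SecTAG present; the CMD header is inside the MACsec-protected data"
        return result
    if ethertype != ETHERTYPE_CMD:
        result["reason"] = f"no CMD header (EtherType 0x{ethertype:04x})"
        return result
    if len(frame) < pos + CMD_HEADER_LEN:
        raise ValueError("truncated CMD header")
    version, _length, option, sgt, inner = struct.unpack("!BBHHH", frame[pos:pos + CMD_HEADER_LEN])
    if version != CMD_VERSION:
        raise ValueError(f"unsupported CMD version {version}")
    if option != CMD_OPTION_SGT:
        result["reason"] = f"CMD option 0x{option:04x} is not an SGT"
        return result
    result.update(sgt=sgt, inner_ethertype=inner, payload=frame[pos + CMD_HEADER_LEN:])
    return result


# Constructed frames: made-up MAC addresses and a zeroed stand-in for the IPv4 header.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
IPV4_STUB = bytes(20)


def sample_frames():
    return {
        "tagged_sgt": build_cmd_frame(DST, SRC, 10, ETHERTYPE_IPV4, IPV4_STUB, vlan=100),
        "untagged_sgt": build_cmd_frame(DST, SRC, 3000, ETHERTYPE_IPV4, IPV4_STUB),
        "plain_ipv4": DST + SRC + struct.pack("!H", ETHERTYPE_IPV4) + IPV4_STUB,
        "macsec": DST + SRC + struct.pack("!H", ETHERTYPE_MACSEC) + bytes(6) + bytes(32),
    }


if __name__ == "__main__":
    for name, frame in sample_frames().items():
        info = parse_sgt(frame)
        print(f"{name:12s} vlan={info['vlan']} sgt={info['sgt']} {info.get('reason', '')}")
```

Feed it raw frame bytes from a capture on the receiving side of the link; a frame that arrives without a CMD header shows that inline tagging is not being propagated on that link, whatever the sending switch reports.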

 

NEW QUESTION 44
Which two responses from the RADIUS server to NAS are valid during the authentication process? (Choose two.)

  • A. access-challenge
  • B. access-reserved
  • C. access-accept
  • D. access-request
  • E. access-response

Answer: A,C

Explanation:
RFC 2865 defines three server-to-NAS responses during authentication: Access-Accept (code 2), Access-Reject (code 3) and Access-Challenge (code 11). Access-Request (code 1) travels from the NAS to the server, and "access-reserved" and "access-response" are not RADIUS codes.
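Questions 26 and 44 both come down to what the RADIUS server hands back to the NAS, so here is one added example (written for this page, not Cisco ISE or Cisco IOS code) that builds the Access-Accept a policy server could return for a MAB session, carrying Session-Timeout, Idle-Timeout and Termination-Action, and then parses and verifies it the way the switch must. It uses only the Python standard library; the shared secret and the Request Authenticator are constructed stand-ins, and the packet codes and attribute numbers are those of RFC 2865.

```python
"""Build and verify a RADIUS server response (RFC 2865); standard library only."""
import hashlib
import hmac
import struct

# Packet codes (RFC 2865 section 3); only three of them are server-to-NAS responses.
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ACCESS_CHALLENGE = 11
SERVER_RESPONSE_CODES = {ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE}

# Session-control attributes (RFC 2865 section 5); values are 32-bit big-endian integers.
SESSION_TIMEOUT = 27     # absolute session lifetime in seconds
IDLE_TIMEOUT = 28        # seconds of inactivity before the NAS removes the session
TERMINATION_ACTION = 29  # 0 = Default (terminate), 1 = RADIUS-Request (reauthenticate)

# Constructed test values; a real NAS draws a fresh random Request Authenticator per request.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))


def is_server_response(code):
    """True for the codes a RADIUS server may send to the NAS during authentication."""
    return code in SERVER_RESPONSE_CODES


def encode_attr(attr_type, value):
    """Encode one attribute as Type | Length | Value; ints become 4-byte integers."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, attrs, request_auth, secret):
    """Assemble a server response bound to one request by its Request Authenticator."""
    if not is_server_response(code):
        raise ValueError(f"code {code} is not a valid server response")
    body = b"".join(attrs)
    auth = response_authenticator(code, ident, body, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body


def parse_attrs(data):
    """Walk the TLV list, rejecting lengths that would run past the packet."""
    attrs, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.setdefault(attr_type, []).append(data[pos + 2:pos + length])
        pos += length
    return attrs


def parse_response(packet, request_auth, secret):
    """Validate and decode a response the way a NAS must before acting on it."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match the packet size")
    if not is_server_response(code):
        raise ValueError(f"code {code} is not a server response")
    body = packet[20:]
    expected = response_authenticator(code, ident, body, request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator: wrong secret or modified in transit")
    attrs = parse_attrs(body)

    def u32(attr_type):
        values = attrs.get(attr_type)
        return struct.unpack("!I", values[0])[0] if values else None

    return {"code": code, "session_timeout": u32(SESSION_TIMEOUT),
            "idle_timeout": u32(IDLE_TIMEOUT), "termination_action": u32(TERMINATION_ACTION)}


def mab_accept():
    """The Access-Accept a policy engine might return for a MAB session (constructed values)."""
    attrs = [encode_attr(SESSION_TIMEOUT, 3600),   # reauthenticate after an hour regardless
             encode_attr(IDLE_TIMEOUT, 600),       # remove the session after ten idle minutes
             encode_attr(TERMINATION_ACTION, 1)]   # on Session-Timeout, reauthenticate rather than drop
    return build_response(ACCESS_ACCEPT, 0x2A, attrs, REQUEST_AUTH, SECRET)


def tampered_accept_rejected():
    """Rewriting Idle-Timeout in flight (here to 0, which disables it) must fail verification."""
    packet = bytearray(mab_accept())
    offset = packet.find(encode_attr(IDLE_TIMEOUT, 600))
    packet[offset + 2:offset + 6] = struct.pack("!I", 0)
    try:
        parse_response(bytes(packet), REQUEST_AUTH, SECRET)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(parse_response(mab_accept(), REQUEST_AUTH, SECRET))
    print("tampering detected:", tampered_accept_rejected())
```

The tamper check is the practical point: the Response Authenticator is the only thing binding those timers to the shared secret, and it is a plain MD5 over the packet rather than an HMAC, which is one reason RADIUS over UDP belongs on a management network or inside RadSec (RADIUS over TLS, RFC 6614).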

 

NEW QUESTION 45
What is the minimum certainty factor when creating a profiler policy?

  • A. the minimum number that a predefined condition provides
  • B. the maximum number that a predefined condition provides
  • C. the minimum number that a device certainty factor must reach to become a member of the profile
  • D. the maximum number that a device certainty factor must reach to become a member of the profile

Answer: C

Explanation:
Each condition in an endpoint profiling policy contributes a certainty value when it matches. Cisco ISE adds the values of the matching conditions and assigns the endpoint to the profile only if the total reaches the policy's minimum certainty factor; when several policies qualify, the one with the highest total certainty wins.
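The scoring behind this answer, as an added example (a simplified model written for this page, not Cisco ISE's profiler): each matching condition adds its certainty value, a policy is eligible only when the total reaches its minimum certainty factor, and the highest eligible total wins. The policies, certainty values, minimums and endpoint attributes below are all made up for illustration, and the rule that a child policy's total includes its parent's certainty is a modelling choice, not something the page states.

```python
"""Simplified certainty-factor scoring for endpoint profiling policies (illustrative model)."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Condition:
    attribute: str                  # endpoint attribute a probe collected
    test: Callable[[str], bool]     # predicate on the attribute value
    certainty: int                  # certainty value credited when the test passes


@dataclass
class ProfilerPolicy:
    name: str
    min_certainty: int              # minimum certainty factor to be assigned this profile
    conditions: list
    parent: Optional[str] = None    # child policies are evaluated only under a matched parent


def score(policy, endpoint):
    """Add the certainty of every condition the endpoint's attributes satisfy."""
    total = 0
    for cond in policy.conditions:
        value = endpoint.get(cond.attribute)
        if value is not None and cond.test(value):
            total += cond.certainty
    return total


def best_match(policies, endpoint, parent=None, inherited=0):
    """Return (certainty, profile name) for the best policy under `parent`, or None.

    Modelling choice: a child's total includes its matched parent's certainty, so a
    child that reaches its own minimum is always preferred over the parent."""
    best = None
    for policy in (p for p in policies if p.parent == parent):
        total = inherited + score(policy, endpoint)
        if total < policy.min_certainty:
            continue                                 # minimum certainty factor not reached
        candidate = best_match(policies, endpoint, policy.name, total) or (total, policy.name)
        if best is None or candidate > best:
            best = candidate
    return best


def profile_endpoint(policies, endpoint):
    """Name of the assigned profile, or 'Unknown' when no policy reaches its minimum."""
    match = best_match(policies, endpoint)
    return match[1] if match else "Unknown"


# Constructed policies with made-up certainty values and minimums.
POLICIES = [
    ProfilerPolicy("Apple-Device", 10,
                   [Condition("oui", lambda v: v.startswith("Apple"), 10)]),
    ProfilerPolicy("Apple-iPhone", 20,
                   [Condition("dhcp-class-identifier", lambda v: "iPhone" in v, 10)],
                   parent="Apple-Device"),
    ProfilerPolicy("Apple-MacBook", 20,
                   [Condition("user-agent", lambda v: "Macintosh" in v, 10)],
                   parent="Apple-Device"),
    ProfilerPolicy("Cisco-IP-Phone", 30,
                   [Condition("oui", lambda v: v.startswith("Cisco"), 10),
                    Condition("cdpCachePlatform", lambda v: "IP Phone" in v, 20)]),
]

# Constructed endpoint attribute sets, as the SNMP, DHCP and HTTP probes might report them.
ENDPOINTS = {
    "iphone":  {"oui": "Apple, Inc.", "dhcp-class-identifier": "iPhone"},
    "macbook": {"oui": "Apple, Inc.", "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X)"},
    "ipad":    {"oui": "Apple, Inc.", "dhcp-class-identifier": "iPad"},
    "switch":  {"oui": "Cisco Systems, Inc", "cdpCachePlatform": "cisco WS-C3850-24T"},
    "phone":   {"oui": "Cisco Systems, Inc", "cdpCachePlatform": "Cisco IP Phone 8845"},
}


if __name__ == "__main__":
    for name, attrs in ENDPOINTS.items():
        print(f"{name:8s} -> {profile_endpoint(POLICIES, attrs)}")
```

The "switch" endpoint is the case the minimum certainty factor exists for: a Cisco OUI alone scores 10, short of the 30 the Cisco-IP-Phone policy demands, so the switch stays Unknown instead of being mis-profiled as a phone and picking up a phone's authorization.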

 

NEW QUESTION 46
......


Cisco 300-715 is a qualifying and concentration test for the CCNP Security certificate. The applicants must pass it along with the core exam to earn this professional-level certification. At the same time, the specialists who ace this test will also obtain the Cisco Certified Specialist – Security Identity Management Implementation certificate. This exam is designed to evaluate the individuals’ knowledge of Cisco Identity Service Engine. The area of coverage includes deployment & architecture, web auth and guest services, profiler, policy enforcement, network access for device administration, BYOD, and endpoint compliance, among others.

 

Pass Cisco 300-715 exam - questions - convert Test Engine to PDF: https://www.premiumvcedump.com/Cisco/valid-300-715-premium-vce-exam-dumps.html

Use Real 300-715 Dumps Free Sample Questions and Practice Test Engine: https://drive.google.com/open?id=1AlcGbzBJz27pIXWwGCh4eMpgm73ntHqn