Question 1:
Which configuration requirement must be fulfilled on an IOS network device to allow Cisco ISE to perform TACACS+ device administration for administrator authentication and command authorization?
A) A shared secret must be configured only on Cisco ISE
B) Cisco ISE must be configured as a TACACS+ server on the device with a matching shared secret
C) The device must rely exclusively on RADIUS and not TACACS+
D) The device must store TACACS+ authorization profiles locally
Answer: B)
Explanation:
TACACS+ is the protocol of choice for device administration in Cisco ISE because it separates authentication, authorization, and accounting. When using Cisco ISE to centrally manage administrative access and command-level authorization, the IOS device must define ISE as a TACACS+ server using the correct IP address and a shared secret that matches the one configured on ISE. Cisco ISE compares this secret to confirm the identity of the network device and to ensure the encrypted TACACS+ traffic is trustworthy.
Option B is correct because TACACS+ operation requires symmetric configuration. Cisco IOS devices use the AAA model and must explicitly reference ISE under the TACACS+ server configuration. Once the association is created, IOS forwards administrator login attempts and command requests to ISE for approval. Without the matching shared secret, TACACS+ negotiation fails and the device cannot authenticate administrators.
Option A is incorrect because TACACS+ communication must be secured by matching secrets on both sides. A single-sided configuration results in immediate authentication rejection.
Option C is incorrect because RADIUS alone cannot provide command-level authorization. Cisco ISE supports both protocols, but TACACS+ is the required one for device administration tasks like restricting privileged commands or granting role-specific access.
Option D is incorrect because authorization profiles always reside on Cisco ISE. The IOS device never stores command sets or privileges; it only enforces whatever ISE instructs.
Thus, B correctly reflects the mandatory requirement for TACACS+ administration integration.
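The IOS side of this requirement, as an added example that is not taken from the exam page or from Cisco's documentation; the PSN address 192.0.2.10, the secrets, and the server-group and method-list names are placeholders:

```cisco
! Added example: IOS device administration against Cisco ISE over TACACS+.
! 192.0.2.10 and the secrets are placeholders. The same secret must be entered on the
! ISE Network Device entry for this switch, or TACACS+ packets cannot be decrypted.
aaa new-model
!
! Define ISE as a TACACS+ server and place it in a server group.
tacacs server ISE-PSN1
 address ipv4 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET
 timeout 5
!
aaa group server tacacs+ ISE-TACACS
 server name ISE-PSN1
!
! Authentication: ISE first. "local" is consulted only when no ISE server answers,
! never when ISE returns a reject.
aaa authentication login ISE-LOGIN group ISE-TACACS local
aaa authentication login CONSOLE local
!
! Authorization: the EXEC shell (privilege level) and per-command checks at level 15,
! so each privileged command is matched against the TACACS+ command set ISE returns.
aaa authorization exec ISE-EXEC group ISE-TACACS local
aaa authorization commands 15 ISE-CMDS group ISE-TACACS local
aaa authorization config-commands
!
! Accounting: record EXEC sessions and every level-15 command on ISE.
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
!
! Local fallback administrator, used only when the ISE group is unreachable.
username admin privilege 15 secret REPLACE-WITH-LOCAL-SECRET
!
! The console stays on local credentials so a lost ISE link cannot lock out the console.
line con 0
 login authentication CONSOLE
!
line vty 0 4
 login authentication ISE-LOGIN
 authorization exec ISE-EXEC
 authorization commands 15 ISE-CMDS
 transport input ssh
```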
Question 2:
When Cisco ISE determines through posture assessment that an AnyConnect endpoint is non-compliant, what immediate action does the network access device apply based on ISE’s authorization instructions?
A) The endpoint receives full access and remediation occurs later
B) A redirect ACL and restricted authorization profile are applied to move the endpoint to a remediation network
C) The AnyConnect posture module performs remediation automatically without any ISE policy
D) All network traffic from the endpoint is entirely blocked
Answer: B)
Explanation:
Cisco ISE uses posture assessment to evaluate whether endpoints comply with corporate security requirements. When an endpoint is determined to be non-compliant, ISE instructs the NAD to place the device into a remediation environment. The NAD does this by enforcing an ACL that restricts all general access while still permitting traffic to DNS, DHCP, ISE, and remediation servers. The redirect ACL forces all HTTP/HTTPS traffic to the remediation portal, guiding the user toward corrective actions such as software updates or antivirus fixes.
Option B is correct because the redirect ACL is the core mechanism for posture workflows. It ensures the device has network connectivity only to necessary remediation resources, preventing it from accessing production assets prematurely.
Option A is incorrect because granting full access before remediation undermines NAC security.
Option C is incorrect because AnyConnect depends on ISE’s authorization decision. The posture module detects issues but does not independently set access restrictions.
Option D is incorrect because blocking all traffic would prevent remediation entirely. Cisco ISE purposely provides controlled access to allow updates.
Thus, B accurately describes the enforced action after a failed posture check.
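The two ACLs that implement this on an IOS switch port, as an added example that is not from the exam page; the ACL names, the PSN address 192.0.2.10 and the remediation server 192.0.2.20 are assumptions:

```cisco
! Added example: posture remediation on an IOS switch uses two ACLs in one authorization
! result. Names and the addresses 192.0.2.10 (ISE PSN) and 192.0.2.20 (remediation server)
! are placeholders.
!
! 1) The redirect ACL is configured locally on the switch and referenced by name from the
!    ISE authorization profile (cisco-av-pair url-redirect-acl). On IOS switches a "permit"
!    entry means "redirect this flow to the portal" and a "deny" entry means "pass without
!    redirection", so traffic the endpoint needs for remediation must be denied here.
ip access-list extended ACL-POSTURE-REDIRECT
 remark never intercept DNS, DHCP, the ISE PSN or the remediation server
 deny   udp any any eq domain
 deny   udp any eq bootpc any eq bootps
 deny   ip any host 192.0.2.10
 deny   ip any host 192.0.2.20
 remark every other HTTP/HTTPS flow is sent to the ISE posture portal
 permit tcp any any eq www
 permit tcp any any eq 443
!
! 2) The restricted dACL is authored on ISE as a Downloadable ACL result, in this same
!    IOS ACE syntax but without the "ip access-list" header, and is pushed in the same
!    authorization response. It decides what the endpoint may reach at all: DNS, DHCP,
!    the PSN, the remediation server and web traffic (which the redirect ACL then
!    intercepts), nothing else. Shown here as ISE stores it; it is never typed on the switch.
!    permit udp any eq bootpc any eq bootps
!    permit udp any any eq domain
!    permit ip any host 192.0.2.10
!    permit ip any host 192.0.2.20
!    permit tcp any any eq www
!    permit tcp any any eq 443
!    deny   ip any any
!
! Switch prerequisites: send Cisco VSAs in Access-Requests and track the client IP address
! so the dACL and the redirect can be bound to the session's IP
! ("ip device tracking" on classic IOS; IOS-XE 16.x and later use a device-tracking policy).
radius-server vsa send authentication
ip device tracking
```

On an AireOS wireless controller the redirect ACL sense is reversed: permitted flows pass through and everything not permitted is redirected, so the same intent is written as permit lines for DNS, DHCP and the ISE PSN.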
Question 3:
During guest onboarding through Cisco ISE, what condition must the wireless controller satisfy to ensure a client is redirected to the guest web portal when attempting to browse?
A) The client must authenticate via 802.1X before any redirect occurs
B) The wireless controller must apply a redirect ACL and URL sent by Cisco ISE
C) A static redirect IP must be permanently configured on ISE without NAD involvement
D) The client device must use a manually configured static IP
Answer: B)
Explanation:
Guest access in Cisco ISE functions through web redirection, which requires seamless cooperation between ISE and the wireless controller. After the controller receives the RADIUS authorization result from ISE, it applies a redirect ACL that permits DNS and DHCP but intercepts HTTP/HTTPS traffic and forwards it to the ISE guest portal using the redirect URL provided.
Option B is correct because this redirect ACL and URL provide the mechanism for guiding unauthenticated users to the correct captive portal.
Option A is incorrect because the redirect happens before the guest has authenticated; many deployments intentionally use open SSIDs rather than 802.1X for guest access.
Option C is incorrect because redirection is dynamically signaled through authorization profiles in ISE, not preconfigured statically.
Option D is incorrect because DHCP assignment is expected and recommended. Static IPs are unnecessary and would complicate onboarding.
Thus, proper redirect ACL application as described in option B is essential.
Question 4:
What is the primary function of the Cisco ISE Profiler Feed Service when maintaining accurate identification of endpoints in the network?
A) To update profiling policies and OUI databases with new device signatures
B) To authenticate endpoints using EAP methods
C) To provide remediation instructions for posture failures
D) To assign SGT values based only on MAC addresses
Answer: A)
Explanation:
Cisco ISE profiling allows automated classification of endpoints using probes and signature attributes. The Profiler Feed Service regularly updates critical components such as device signatures, DHCP fingerprints, and manufacturer OUIs to ensure Cisco ISE can accurately classify modern devices. This prevents misclassification when new IoT devices, operating systems, or network components appear in the environment.
Option A is correct because the feed service supplies up-to-date intelligence that enhances profiling.
Option B is incorrect because authentication functions are separate from profiling.
Option C is incorrect because posture remediation is controlled by the posture module and client provisioning portal.
Option D is incorrect because SGT assignments depend on authorization rules, not feeds.
Thus, A best describes the feed service’s purpose.
Question 5:
What is the purpose of an authorization profile in Cisco ISE during the enforcement of access control decisions on a network access device?
A) To select identity source sequences for authentication
B) To define network access attributes such as VLAN, ACL, dACL, or SGT for authorized sessions
C) To configure EAP certificate settings
D) To create TACACS+ command sets for device administration
Answer: B)
Explanation:
Authorization profiles translate Cisco ISE policy decisions into real-world enforcement actions applied by NADs. A profile is the result attached to an authorization rule: it specifies the network segment (VLAN) the endpoint is placed into, the ACL or dACL applied, any portal redirect, and the TrustSec SGT assigned. They form the backbone of policy enforcement in both wired and wireless deployments.
Option B correctly identifies authorization profiles as the mechanism for defining network-level permissions.
Option A is incorrect because identity source sequences belong to authentication policy.
Option C is incorrect because EAP settings are authentication-related.
Option D is incorrect because TACACS+ command sets are separate objects used in device administration.
Thus, B conveys the core function of authorization profiles.
Question 6:
How does MAC Authentication Bypass (MAB) operate on a switch when authenticating devices that lack a supplicant in a Cisco ISE deployment?
A) It rejects any MAC address that is not pre-registered
B) It sends the MAC address as both username and password to Cisco ISE for authentication
C) It is used only for wireless onboarding
D) It requires a posture assessment before authentication occurs
Answer: B)
Explanation:
Option A, “It rejects any MAC address that is not pre-registered,” does not accurately reflect how MAC Authentication Bypass (MAB) typically works. MAB is not limited to pre-registered MAC addresses; rather, it forwards the device’s MAC address to the authentication server, which then determines whether the address is recognized. If a MAC address is not known or not assigned to an identity group, the server may still authorize it into a guest or limited-access VLAN. Therefore, rejection is not automatic unless the policy defines it that way.
Option B, “It sends the MAC address as both username and password to Cisco ISE for authentication,” correctly describes the standard behavior of MAB. When a device cannot perform 802.1X, the switch extracts the MAC address and formats it as a username and password, typically without separators (for example, 001122334455). Cisco ISE receives this information in a RADIUS Access-Request and compares it against its internal endpoint database or identity groups. Based on the match or classification, ISE assigns the proper authorization policy.
Option C, “It is used only for wireless onboarding,” is incorrect. MAB is primarily a wired-access mechanism used on switches for devices that cannot run an 802.1X supplicant. While wireless networks may use MAC-based authentication for certain legacy devices, MAB is overwhelmingly associated with wired port authentication rather than wireless onboarding workflows.
Option D, “It requires a posture assessment before authentication occurs,” is also incorrect. Posture assessment is performed after authentication and authorization, not before. MAB simply provides a method to authenticate devices that cannot present credentials. Once authorized, the system may choose to run posture checks if the device supports them, but posture is never a prerequisite for MAB itself.
These options clarify the purpose and limitations of MAC Authentication Bypass in network access control environments.
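A switch port configured to attempt 802.1X first and fall back to MAB for supplicant-less devices, as an added example that is not from the exam page; the RADIUS server address, the secret and the group name are placeholders, and the interface and VLAN numbers are arbitrary:

```cisco
! Added example: global RADIUS binding to Cisco ISE plus an access port that tries 802.1X
! and then MAB. 192.0.2.10, the secret, ISE-RADIUS and the interface are placeholders.
aaa new-model
!
radius server ISE-PSN1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
aaa group server radius ISE-RADIUS
 server name ISE-PSN1
!
! 802.1X and MAB both use the dot1x authentication list; "network" authorization is what
! lets the switch apply the VLAN, dACL or SGT that ISE returns.
aaa authentication dot1x default group ISE-RADIUS
aaa authorization network default group ISE-RADIUS
aaa accounting dot1x default start-stop group ISE-RADIUS
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/10
 description access port: users, printers, IP phones
 switchport mode access
 switchport access vlan 100
 ! Try 802.1X first. With tx-period 10 and the default max-reauth-req of 2, a device that
 ! never answers the EAP-Request/Identity frames falls back to MAB after about 30 seconds;
 ! the switch then sends the MAC address (no separators) as both username and password.
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication port-control auto
 authentication host-mode multi-auth
 authentication violation restrict
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

"authentication timer reauthenticate server" lets ISE set the reauthentication interval per session via the Session-Timeout attribute, which is how profiling or endpoint-group changes reach a MAB session without manual intervention.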
Question 7:
What core function does Cisco ISE pxGrid provide when integrating ISE with external security platforms such as firewalls and SIEM systems?
A) Performing EAP authentication on behalf of clients
B) Sharing contextual identity, posture, and SGT information with external systems
C) Redirecting endpoints to guest portals
D) Provisioning AnyConnect modules to endpoints
Answer: B)
Explanation:
Option A, “Performing EAP authentication on behalf of clients,” is not a function associated with pxGrid. EAP authentication is handled between the endpoint, the authenticator (such as a switch or wireless controller), and the RADIUS server, typically Cisco ISE. pxGrid does not participate in the EAP exchange or influence the credential-handling process. Its purpose lies elsewhere, focused on sharing contextual information after authentication has already taken place.
Option B, “Sharing contextual identity, posture, and SGT information with external systems,” accurately describes the core role of pxGrid. pxGrid is a bidirectional information-sharing framework that allows Cisco ISE to exchange details about user identity, device attributes, session status, posture evaluation, and TrustSec Security Group Tags with other security tools. These tools may include firewalls, SIEM platforms, network visibility systems, threat intelligence engines, and endpoint protection solutions. By distributing this context, pxGrid allows external systems to enforce more intelligent access decisions, automate threat response, and correlate activity across the network.
Option C, “Redirecting endpoints to guest portals,” is not a pxGrid feature. Redirection to guest, onboarding, or posture portals is accomplished through authorization rules, redirect ACLs, and RADIUS attributes applied by the network access device. pxGrid plays no role in redirection workflows and cannot force endpoints into captive portal flows.
Option D, “Provisioning AnyConnect modules to endpoints,” also does not pertain to pxGrid. AnyConnect module deployment, including posture agents or VPN components, is handled through web deployment, management tools, or the posture feature in Cisco ISE. pxGrid does not deliver software to endpoints.
Together, these explanations show that pxGrid’s primary function is to share rich contextual security data, enabling a more integrated and adaptive security ecosystem.
Question 8:
Which requirement must be met for a successful EAP-TLS authentication between an endpoint and Cisco ISE?
A) The NAD must present its own certificate to authenticate the client
B) The endpoint certificate must chain to a CA trusted by Cisco ISE
C) A certificate is optional for EAP-TLS
D) The endpoint must store the Cisco ISE admin certificate
Answer: B)
Explanation:
Option A, “The NAD must present its own certificate to authenticate the client,” misrepresents how EAP-TLS works. In an EAP-TLS flow, the Network Access Device (such as a switch or wireless controller) does not authenticate the client using its own certificate. Instead, the NAD simply acts as a pass-through, relaying EAP messages between the endpoint and Cisco ISE. The TLS handshake occurs directly between the endpoint and ISE. The NAD does not present a certificate for the purpose of validating the client and does not participate in the cryptographic exchange beyond encapsulating RADIUS messages.
Option B, “The endpoint certificate must chain to a CA trusted by Cisco ISE,” accurately reflects a core requirement of EAP-TLS authentication. For ISE to validate the endpoint’s identity, the endpoint must present a certificate issued by a Certificate Authority that ISE trusts. This can be an internal enterprise CA, a public CA, or any CA whose root or intermediate certificates are uploaded into ISE’s trusted store. Without this trust relationship, ISE cannot validate the certificate’s authenticity, and the authentication will fail. This is one of the primary mechanisms that provides strong security in EAP-TLS.
Option C, “A certificate is optional for EAP-TLS,” is incorrect. EAP-TLS is a certificate-based authentication method by definition. Both the client and the server must use certificates to establish mutual trust. Without a valid client certificate, EAP-TLS cannot function, making certificates mandatory rather than optional.
Option D, “The endpoint must store the Cisco ISE admin certificate,” is also incorrect. The endpoint must trust the certificate presented by ISE during the TLS handshake, but this is not the same as storing an admin certificate. Typically, the endpoint only needs the root or intermediate CA certificate that issued ISE’s server certificate. It does not need or use the administrative certificate used for logging into the ISE GUI.
These points collectively clarify how certificate trust and validation operate in an EAP-TLS authentication architecture.
Question 9:
What role do Cisco ISE profiling probes play in the identification of endpoints?
A) All probes must be enabled for profiling to work
B) Probes collect attributes such as DHCP fingerprints and CDP information to determine device type
C) Probes authenticate the endpoint
D) Probes directly assign SGTs to the endpoint
Answer: B)
Explanation:
Option A, “All probes must be enabled for profiling to work,” is not accurate. Cisco ISE profiling does not require every probe to be enabled. Profiling is modular and flexible; administrators can enable only the probes that make sense for their environment. For example, DHCP, SNMP, RADIUS, and CDP/LLDP probes are commonly used, while others may remain disabled to reduce network overhead or avoid unnecessary data collection. Profiling still functions effectively even with a limited set of probes, as long as enough attributes are gathered to match a device profile.
Option B, “Probes collect attributes such as DHCP fingerprints and CDP information to determine device type,” correctly describes the primary role of profiling probes. These probes gather identity-relevant data from various sources. DHCP options can reveal operating system characteristics, CDP or LLDP can identify phones and switches, RADIUS attributes may include device hints, and SNMP queries can provide hardware details. By combining these attributes, ISE can classify endpoints into categories such as printers, IP phones, cameras, laptops, or medical devices. This classification supports automated policy assignment and reduces administrative effort.
Option C, “Probes authenticate the endpoint,” is incorrect. Probes themselves do not participate in authentication. Authentication is performed through protocols like 802.1X, MAB, or web authentication based on credentials, certificates, or MAC addresses. Profiling probes only passively observe device characteristics; they do not validate identity or grant access.
Option D, “Probes directly assign SGTs to the endpoint,” is also incorrect. Security Group Tags (SGTs) are assigned through authorization policies after the endpoint has authenticated and been classified. Probes contribute by helping determine the device type, which may influence which policy is applied, but they do not assign tags directly. SGT assignment is a policy decision, not a probing function.
These explanations highlight the purpose of profiling probes and distinguish them clearly from authentication and policy-enforcement mechanisms.
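The switch-side configuration that actually feeds the DHCP, SNMP, CDP/LLDP and RADIUS probes described above, as an added example that is not from the exam page; the PSN address 192.0.2.10, the DHCP server 10.0.0.5, the SVI addressing and the SNMP community are placeholders:

```cisco
! Added example: what a switch must do so that the ISE profiling probes receive data.
! 192.0.2.10 (ISE PSN), 10.0.0.5 (DHCP server), the SVI address and the community string
! are placeholders.
!
! DHCP probe: relay a copy of each client DHCP request to the ISE PSN. The real DHCP
! server stays first; ISE only listens and extracts the option 55/60 fingerprint.
interface Vlan100
 ip address 10.100.0.1 255.255.255.0
 ip helper-address 10.0.0.5
 ip helper-address 192.0.2.10
!
! SNMP probe: a read-only community is enough for ISE to poll interface, MAC-address and
! CDP/LLDP neighbour tables; link and MAC-change traps make ISE poll when something
! changes instead of on a fixed schedule.
snmp-server community REPLACE-WITH-RO-COMMUNITY RO
snmp-server host 192.0.2.10 version 2c REPLACE-WITH-RO-COMMUNITY
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
mac address-table notification change
mac address-table notification mac-move
!
! CDP/LLDP: the discovery protocols must be running for neighbour details such as an IP
! phone's platform string to exist in the first place.
cdp run
lldp run
!
! RADIUS probe: carry the client IP and an IETF-formatted MAC in RADIUS. On platforms that
! support Device Sensor, the switch also collects CDP/LLDP/DHCP attributes itself and ships
! them to ISE inside RADIUS accounting, so the RADIUS probe alone can classify the endpoint.
radius-server attribute 8 include-in-access-req
radius-server attribute 31 mac format ietf upper-case
device-sensor accounting
device-sensor notify all-changes
```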
Question 10:
How does Cisco ISE evaluate policy sets when processing incoming RADIUS or TACACS+ requests?
A) All policy sets are evaluated simultaneously
B) Policy sets are evaluated top-down until a matching condition is found
C) Policy sets are only used for TACACS+
D) Policy sets apply exclusively to guest access
Answer: B)
Explanation:
Option A, “All policy sets are evaluated simultaneously,” is not how Cisco ISE processes policy sets. Policy sets do not execute in parallel or in a combined fashion. Instead, they follow a structured evaluation process to ensure that authentication and authorization rules apply consistently. The system examines policy sets one at a time, using defined conditions to determine whether a particular set should apply to an incoming request.
Option B, “Policy sets are evaluated top-down until a matching condition is found,” correctly describes how Cisco ISE processes them. When a RADIUS or TACACS+ request arrives, ISE starts from the first policy set in the list and evaluates the conditions associated with it. If the conditions match—such as device type, protocol, or NAD group—ISE selects that policy set and stops evaluating the remaining sets. Only the authentication and authorization rules inside the selected policy set are applied to the session. This top-down processing model makes the order of policy sets extremely important, much like access control lists on switches and routers.
Option C, “Policy sets are only used for TACACS+,” is incorrect. Policy sets apply to both RADIUS-based network access control (802.1X, MAB, VPN, wireless) and TACACS+ device administration, depending on how they are configured. They provide a unified framework for organizing policies.
Option D, “Policy sets apply exclusively to guest access,” is also incorrect. Guest access is only one of many possible use cases within RADIUS policy sets. They are used for corporate devices, BYOD, IoT, posture workflows, VPN, and more.
Together, these explanations clarify how policy sets function and why their order and structure matter in Cisco ISE deployments.
Question 11:
Which action does a Cisco switch perform when Cisco ISE returns a downloadable ACL (dACL) as part of an authorization result for a connected endpoint?
A) The switch ignores the dACL and applies the ACL configured on the interface
B) The switch downloads and enforces the ACL received from Cisco ISE for that session
C) The switch sends the dACL to the endpoint to install locally
D) The switch resets the port to apply the ACL after reauthentication
Answer: B)
Explanation:
Option A, “The switch ignores the dACL and applies the ACL configured on the interface,” describes a scenario in which the downloadable ACL (dACL) is not used. This might happen if the network access device does not support dACLs, if the authorization result from Cisco ISE does not include a valid dACL, or if a configuration or compatibility issue prevents the switch from downloading it. In such a case, the switch falls back to a statically configured ACL on the interface. While functional, this behavior eliminates the dynamic, per-session flexibility that dACLs are designed to provide.
Option B, “The switch downloads and enforces the ACL received from Cisco ISE for that session,” is the correct description of how dACLs normally work. When an endpoint successfully authenticates, Cisco ISE sends a downloadable ACL as part of the authorization response. The switch stores and applies this ACL specifically for that authenticated session, enabling granular, identity-based network access control. This approach allows central policy management without requiring manual ACL configuration on every port.
Option C, “The switch sends the dACL to the endpoint to install locally,” is incorrect. dACLs are always enforced by the switch, never by the endpoint. The endpoint has no role in applying or processing ACL rules in this model. Enforcement is entirely network-side.
Option D, “The switch resets the port to apply the ACL after reauthentication,” does not reflect normal behavior. dACLs do not require a port reset. The ACL is applied dynamically at the time of authorization or reauthorization, without disrupting the physical link. Triggering a port bounce would unnecessarily interrupt the user’s session.
Together, these points clarify how downloadable ACLs are handled and why they provide powerful, centrally managed access control in identity-based network environments.
Question 12:
What behavior occurs when Cisco ISE evaluates an authentication rule that includes an identity source sequence containing multiple user databases?
A) Cisco ISE queries all identity sources simultaneously and selects the first successful match
B) Cisco ISE evaluates the identity sources in the listed order and stops after the first successful authentication
C) Cisco ISE rejects the request if the first database does not contain the user
D) Cisco ISE always requires that all identity sources contain the same identity
Answer: B)
Explanation:
Option A, “Cisco ISE queries all identity sources simultaneously and selects the first successful match,” does not describe how ISE actually behaves. ISE does not send authentication requests to all identity sources at the same time. Instead, it follows an ordered, methodical process in which only one source is consulted at a time. Parallel lookups could create ambiguity and unnecessary load, so ISE avoids this approach.
Option B, “Cisco ISE evaluates the identity sources in the listed order and stops after the first successful authentication,” accurately reflects ISE’s real behavior. Identity source sequences operate in a top-down fashion. When an authentication request arrives, ISE checks the first configured identity store, such as Active Directory, an internal user database, LDAP, or certificate store. If authentication fails or the user is not found, ISE moves to the next source in the sequence. Once a match is found and authentication succeeds, ISE stops checking further sources. This ordered evaluation provides flexibility while keeping authentication efficient and predictable.
Option C, “Cisco ISE rejects the request if the first database does not contain the user,” is incorrect. ISE does not immediately reject a request simply because the first identity source fails to authenticate the user. It continues through the identity source sequence until it finds a match or exhausts all options.
Option D, “Cisco ISE always requires that all identity sources contain the same identity,” is also incorrect. ISE does not require synchronization between identity stores. Different sources may contain different users, and the sequence is used to determine which store to check first.
These explanations clarify how identity source sequences control authentication flow in Cisco ISE.
Question 13:
What happens when a certificate used in an EAP-TLS authentication attempt does not chain to a trusted certificate authority configured in Cisco ISE?
A) Cisco ISE ignores the certificate chain and proceeds with authentication
B) Cisco ISE rejects the authentication because the certificate cannot be validated
C) Cisco ISE accepts the certificate but flags the session as untrusted
D) Cisco ISE requests a secondary authentication method from the endpoint
Answer: B)
Explanation:
Option A, “Cisco ISE ignores the certificate chain and proceeds with authentication,” is not correct. Cisco ISE never ignores certificate-chain validation when performing certificate-based authentication such as EAP-TLS or TLS-based portal authentication. Certificate validation is a core security requirement. If the chain cannot be verified, ISE will not simply continue the process. Allowing authentication to proceed without proper validation would defeat the purpose of certificate-based security.
Option B, “Cisco ISE rejects the authentication because the certificate cannot be validated,” accurately describes ISE’s behavior when the certificate chain is incomplete, untrusted, expired, or improperly signed. During EAP-TLS, ISE examines the client certificate, checks its validity dates, confirms the chain back to a trusted root CA, and verifies revocation status when configured. If any part of the trust chain is missing or untrusted, ISE terminates the authentication and returns an Access-Reject. This protects the network from devices presenting forged or untrusted certificates.
Option C, “Cisco ISE accepts the certificate but flags the session as untrusted,” does not reflect how ISE handles certificate validation failures. ISE does not allow partially trusted or untrusted certificates to authenticate and does not create a session with a warning state. Authentication either succeeds with full trust or fails outright.
Option D, “Cisco ISE requests a secondary authentication method from the endpoint,” is also not accurate for EAP-TLS. The protocol does not support fallback authentication within the same exchange. If the certificate cannot be validated, the session ends. ISE cannot prompt the client to supply another method because EAP-TLS is strictly certificate-based.
These explanations clarify that ISE requires full, validated certificate chains for successful certificate-based authentication and will reject any session lacking proper trust.
Question 14:
When an endpoint is onboarded using Cisco ISE’s BYOD workflow, what role does the Client Provisioning Portal (CPP) play in the onboarding process?
A) It authenticates the endpoint using EAP-TLS directly
B) It provides device-specific agents, profiles, or certificates needed for secure network access
C) It assigns the SGT needed for TrustSec enforcement
D) It handles TACACS+ administrative logins
Answer: B)
Explanation:
Option A, “It authenticates the endpoint using EAP-TLS directly,” is not an accurate description of what the provisioning portal does. Authentication in EAP-TLS is handled by the 802.1X exchange between the endpoint, the network access device, and Cisco ISE. The provisioning portal itself does not perform EAP-TLS authentication. Instead, the portal is used before authentication to prepare the endpoint with the necessary software or certificates so it can later authenticate successfully.
Option B, “It provides device-specific agents, profiles, or certificates needed for secure network access,” accurately describes the core purpose of the provisioning portal. In BYOD or onboarding workflows, the portal delivers configuration profiles, client certificates, or agent modules that an endpoint requires to comply with corporate security policies. This may include onboarding profiles for mobile devices, AnyConnect posture modules, supplicant configurations, or device certificates for EAP-TLS. Once the required components are installed, the endpoint can authenticate using stronger methods and can be placed into the appropriate authorization policy. The provisioning portal essentially prepares the device for secure access without requiring IT intervention.
Option C, “It assigns the SGT needed for TrustSec enforcement,” is not a function of the provisioning portal. Security Group Tags are assigned during authorization, after the endpoint successfully authenticates. The portal does not determine TrustSec roles or push SGTs to the network access device.
Option D, “It handles TACACS+ administrative logins,” is also incorrect. TACACS+ administration is part of device-management workflows and occurs in the Device Administration section of Cisco ISE. The provisioning portal is designed for onboarding endpoints, not authenticating administrators or controlling command-level access to switches, routers, or firewalls.
These explanations clarify that the provisioning portal is focused on preparing endpoints for secure access, not performing authentication, assigning tags, or managing administrative logins.
Question 15:
How does Cisco ISE use CoA (Change of Authorization) when an endpoint’s status changes during a session, such as after posture compliance is achieved?
A) CoA disconnects the user permanently from the network
B) CoA forces the NAD to re-evaluate authorization and apply new policies to the session
C) CoA updates the policy only in Cisco ISE without changing switch behavior
D) CoA requires the user to reconnect manually
Answer: B)
Explanation:
Option A, “CoA disconnects the user permanently from the network,” does not reflect how Change of Authorization (CoA) works. While a CoA can trigger a temporary disconnection or session termination, it does not remove the user from the network permanently. The purpose of CoA is to dynamically adjust a session, not to permanently revoke access. After a CoA disconnect, the endpoint typically reauthenticates immediately and receives new authorization policies. Therefore, this option exaggerates the effect of CoA and is inaccurate.
Option B, “CoA forces the NAD to re-evaluate authorization and apply new policies to the session,” correctly describes the main function of a Change of Authorization. When Cisco ISE sends a CoA request to a Network Access Device (such as a switch or wireless controller), the NAD reevaluates the session’s authorization state. This may include applying a new VLAN, updating a downloadable ACL, changing an SGT, or initiating a posture redirect. CoA allows administrators to enforce policy changes instantly, such as after posture results, profiling updates, or risk score changes. It is one of the most important mechanisms for adaptive network control.
Option C, “CoA updates the policy only in Cisco ISE without changing switch behavior,” is incorrect. CoA specifically instructs the NAD to change behavior on the active session. Updating policy inside ISE alone would have no effect unless the NAD also receives and applies new instructions, which is exactly what CoA delivers.
Option D, “CoA requires the user to reconnect manually,” is also not correct. Depending on the type of CoA, the NAD may briefly interrupt the session or simply update authorization in place. In most cases, the process is transparent to the user and does not require manual reconnection. Only in rare situations, such as certain wireless clients, might a reconnection be necessary.
These explanations clarify that CoA is a dynamic mechanism used to enforce new policies immediately, not a permanent disconnect or a user-driven reconnection trigger.
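The exchange described above, as an added example that is not part of the original page and not Cisco's code: it builds an RFC 5176 CoA-Request (reauthenticate) and a Disconnect-Request the way a RADIUS server such as ISE would, computes the Request Authenticator from the shared secret, and includes a minimal NAD-side handler that discards requests whose authenticator does not verify, answers unknown sessions with a CoA-NAK carrying Error-Cause 503 (Session-Context-Not-Found), and acknowledges the rest. The shared secret, session ID, MAC address and session table are constructed; the Message-Authenticator attribute that a production sender should also add is omitted for brevity.

```python
"""RADIUS Change-of-Authorization (RFC 5176): server-side builders and a minimal
NAD-side handler. Added example; secret and session data are constructed."""
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_CALLING_STATION_ID, ATTR_ACCT_SESSION_ID, ATTR_VSA, ATTR_ERROR_CAUSE = 31, 44, 26, 101
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
ERR_SESSION_CONTEXT_NOT_FOUND = 503


def attr(atype, value):
    """Encode one RADIUS attribute as type | length | value (value <= 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text):
    """Cisco VSA (vendor 9, subtype 1) carrying an 'attribute=value' string."""
    sub = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(ATTR_VSA, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def parse_attrs(body):
    out = []
    while body:
        atype, alen = body[0], body[1]
        if alen < 2 or alen > len(body):
            raise ValueError("malformed attribute")
        out.append((atype, body[2:alen]))
        body = body[alen:]
    return out


def build_request(code, ident, attrs, secret):
    """Request Authenticator = MD5(Code | ID | Length | 16 zero octets | Attrs | Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def build_response(code, request, attrs, secret):
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attrs | Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_request(packet, secret):
    """What the NAD does first: the secret proves the sender is its configured CoA client."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def verify_response(response, request, secret):
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def coa_reauthenticate(ident, session_id, mac, secret):
    """Reauthenticate CoA: session stays up, NAD starts a new AAA round for it."""
    attrs = [
        attr(ATTR_ACCT_SESSION_ID, session_id.encode()),
        attr(ATTR_CALLING_STATION_ID, mac.encode()),
        cisco_avpair("subscriber:command=reauthenticate"),
        cisco_avpair("subscriber:reauthenticate-type=last"),
    ]
    return build_request(COA_REQUEST, ident, attrs, secret)


def disconnect(ident, session_id, mac, secret):
    """Disconnect-Request: session is torn down; the endpoint comes back on its own."""
    attrs = [attr(ATTR_ACCT_SESSION_ID, session_id.encode()),
             attr(ATTR_CALLING_STATION_ID, mac.encode())]
    return build_request(DISCONNECT_REQUEST, ident, attrs, secret)


def nad_handle(packet, secret, sessions):
    """Minimal NAD: silently drop bad authenticators, NAK unknown sessions, else ACK."""
    if not verify_request(packet, secret):
        return None
    code = packet[0]
    if code not in (COA_REQUEST, DISCONNECT_REQUEST):
        return None
    ack, nak = (COA_ACK, COA_NAK) if code == COA_REQUEST else (DISCONNECT_ACK, DISCONNECT_NAK)
    session_id = next((v.decode() for t, v in parse_attrs(packet[20:])
                       if t == ATTR_ACCT_SESSION_ID), None)
    if session_id not in sessions:
        cause = attr(ATTR_ERROR_CAUSE, struct.pack("!I", ERR_SESSION_CONTEXT_NOT_FOUND))
        return build_response(nak, packet, [cause], secret)
    if code == DISCONNECT_REQUEST:
        del sessions[session_id]
    else:
        sessions[session_id]["reauth"] = True   # new authorization applied on the next round
    return build_response(ack, packet, [], secret)


def error_cause(response):
    return next((struct.unpack("!I", v)[0] for t, v in parse_attrs(response[20:])
                 if t == ATTR_ERROR_CAUSE), None)


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"
    sessions = {"00000001": {"mac": "00-11-22-33-44-55", "reauth": False}}  # constructed NAD table
    req = coa_reauthenticate(7, "00000001", "00-11-22-33-44-55", SECRET)
    resp = nad_handle(req, SECRET, sessions)
    print("CoA-ACK" if resp[0] == COA_ACK else "CoA-NAK", verify_response(resp, req, SECRET))
```

The point a practitioner should take from the handler: a CoA with a mismatched shared secret is dropped without any reply, so a NAD whose `aaa server radius dynamic-author` client entry has the wrong key looks, from the ISE side, exactly like a NAD that is not listening at all.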
Question 16:
In a Cisco ISE TrustSec deployment, what function does the Security Group Tag (SGT) serve?
A) It replaces VLANs for segmentation at layer 2 only
B) It serves as a logical identity label used to enforce access policies across the network
C) It stores user passwords securely
D) It determines which RADIUS attributes the NAD should send
Answer: B)
Explanation:
Option A, “It replaces VLANs for segmentation at layer 2 only,” is not an accurate description of Security Group Tags (SGTs). SGTs can reduce reliance on VLAN-based segmentation, but they are not a layer-2-only mechanism and not a one-for-one replacement for VLANs. A VLAN segments by topology (which port or SSID a host sits on), whereas an SGT is an identity label assigned at authorization time. The tag is carried inline in the Cisco Meta Data (CMD) header of Ethernet frames on TrustSec-capable links, or propagated out of band as IP-to-SGT bindings through SXP (SGT Exchange Protocol) to devices that cannot tag, so the same policy follows the endpoint even when it changes port, subnet, or VLAN. Therefore, this statement oversimplifies and misrepresents how SGTs function.
Option B, “It serves as a logical identity label used to enforce access policies across the network,” accurately captures the purpose of SGTs in a TrustSec architecture. An SGT is an identity tag assigned to a user, device, or session after authentication. The tag represents the role or trust level of the entity, such as employee, contractor, printer, or guest. An enforcement point (typically the switch, router, or firewall closest to the destination) looks up the source and destination SGTs of a flow in the TrustSec policy matrix and applies the Security Group Access Control List (SGACL) defined for that cell, enforcing policy based on identity rather than IP addresses or VLANs. This enables scalable, adaptive segmentation across multi-layer environments, regardless of physical network structure.
Option C, “It stores user passwords securely,” is incorrect. SGTs do not store any sensitive authentication information. They are simply labels, not credential repositories, and they do not play any role in password handling, storage, or verification.
Option D, “It determines which RADIUS attributes the NAD should send,” is also inaccurate. SGTs are assigned as part of authorization results, but they do not control what attributes the Network Access Device sends to ISE. Instead, policy rules and NAD configuration determine which RADIUS attributes are exchanged.
These explanations clarify that SGTs are identity-driven tags used to enforce distributed, scalable security policies across the network.
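To make the identity-versus-topology distinction concrete, here is an added example (not from the page and not Cisco's implementation) of the enforcement logic: an IP-to-SGT binding table with longest-prefix match, as a switch or firewall builds from inline tags or SXP, a policy matrix keyed by (source SGT, destination SGT), and top-down SGACL evaluation. The SGT values, prefixes and SGACLs are constructed; the fall-through action when no ACE in a cell matches is an assumption of this example (on real devices, end every SGACL with an explicit permit ip or deny ip rather than relying on a default).

```python
"""Identity-based enforcement with SGTs: bindings, policy matrix, SGACL evaluation.
Added example; tags, bindings and policy below are constructed."""
import ipaddress

UNKNOWN_SGT = 0   # TrustSec reserves 0 for untagged/unknown traffic


class TrustSecEnforcer:
    def __init__(self, default_action="deny", unmatched_action="deny"):
        self.bindings = {}                       # ip_network -> SGT
        self.matrix = {}                         # (src_sgt, dst_sgt) -> list of ACEs
        self.default_action = default_action     # cell with no SGACL configured
        self.unmatched_action = unmatched_action  # assumption: no ACE in the cell matched

    def add_binding(self, prefix, sgt):
        self.bindings[ipaddress.ip_network(prefix)] = sgt

    def sgt_for(self, ip):
        """Longest-prefix match on the IP-SGT table; a /32 host binding beats its subnet."""
        addr = ipaddress.ip_address(ip)
        matches = [net for net in self.bindings if addr in net]
        if not matches:
            return UNKNOWN_SGT
        return self.bindings[max(matches, key=lambda n: n.prefixlen)]

    def set_sgacl(self, src_sgt, dst_sgt, aces):
        """aces: list of (action, protocol, dst_port); evaluated top-down, first match wins."""
        self.matrix[(src_sgt, dst_sgt)] = list(aces)

    def evaluate(self, src_ip, dst_ip, protocol, dst_port=None):
        """Return (action, src_sgt, dst_sgt, matched_ace) for one flow."""
        src_sgt, dst_sgt = self.sgt_for(src_ip), self.sgt_for(dst_ip)
        aces = self.matrix.get((src_sgt, dst_sgt))
        if aces is None:
            return self.default_action, src_sgt, dst_sgt, None
        for ace in aces:
            action, ace_proto, ace_port = ace
            if ace_proto not in ("ip", protocol):
                continue
            if ace_port is not None and ace_port != dst_port:
                continue
            return action, src_sgt, dst_sgt, ace
        return self.unmatched_action, src_sgt, dst_sgt, None


EMPLOYEE, CONTRACTOR, SERVER = 10, 20, 30   # constructed SGT values


def build_demo():
    """Constructed deployment: bindings from two user VLANs and a server subnet."""
    e = TrustSecEnforcer()
    e.add_binding("10.1.0.0/16", EMPLOYEE)     # employee VLAN
    e.add_binding("10.9.0.0/16", CONTRACTOR)   # contractor VLAN
    e.add_binding("10.9.5.77/32", EMPLOYEE)    # employee laptop that roamed onto the contractor VLAN
    e.add_binding("10.2.0.0/24", SERVER)       # data-centre servers
    e.set_sgacl(EMPLOYEE, SERVER, [("permit", "tcp", 443), ("permit", "tcp", 22), ("deny", "ip", None)])
    e.set_sgacl(CONTRACTOR, SERVER, [("permit", "tcp", 443), ("deny", "ip", None)])
    return e


if __name__ == "__main__":
    e = build_demo()
    for flow in [("10.1.1.10", "10.2.0.5", "tcp", 22), ("10.9.1.3", "10.2.0.5", "tcp", 22),
                 ("10.9.5.77", "10.2.0.5", "tcp", 22), ("192.168.1.1", "10.2.0.5", "tcp", 443)]:
        print(flow, "->", e.evaluate(*flow))
```

The roaming laptop is the case to notice: it lands in the contractor VLAN, but its host binding still resolves to the employee SGT, so the employee SGACL applies. VLAN-based policy would have given it contractor access.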
Question 17:
What occurs when Cisco ISE enforces posture policy that requires specific antivirus software, but the endpoint lacks the required version?
A) ISE grants full access with a warning
B) The endpoint is redirected to remediation resources until compliance is achieved
C) The endpoint is permanently blocked
D) ISE automatically installs the required antivirus without user confirmation
Answer: B)
Explanation:
Posture policies allow organizations to verify whether endpoints meet health requirements before granting full network access. When the posture agent reports that the required antivirus is missing or below the required version, the endpoint is marked Non-Compliant and Cisco ISE returns an authorization result that restricts it: typically a redirect ACL plus a URL redirect to the client provisioning and posture portal, a downloadable ACL, or a quarantine VLAN. The endpoint stays in that state until the required software version is installed and the agent reports compliance, at which point ISE issues a CoA and the session is reauthorized with the full-access policy.
Option B is correct because redirection is central to remediation and posture workflow.
Option A is incorrect because allowing full access defeats the purpose of NAC.
Option C is incorrect because the endpoint is not permanently blocked; remediation is encouraged.
Option D is incorrect because Cisco ISE does not install software automatically without user action or endpoint support.
Thus, B matches the expected posture enforcement behavior.
Question 18:
What must be configured on a wireless LAN controller to support Central Web Authentication (CWA) with Cisco ISE?
A) WPA2-Enterprise with EAP-TLS
B) A pre-shared key for all guest users
C) ACLs that permit DNS and ISE access while redirecting web traffic to the ISE portal
D) A static VLAN assignment for all guest endpoints
Answer: C)
Explanation:
Central Web Authentication relies on the WLC intercepting the client's HTTP/HTTPS traffic and redirecting it to the ISE guest portal. The guest WLAN is configured with open layer 2 security and MAC filtering, so the WLC sends a MAB request to ISE; on AireOS the WLAN also needs Allow AAA Override enabled and NAC State set to ISE NAC (RADIUS NAC on older releases) so that it honours the redirect attributes and later CoA. The redirect ACL itself is defined locally on the controller: it must allow DHCP, DNS and traffic to the ISE Policy Service Nodes, and cause everything else to be redirected. ISE does not push the ACL contents; its authorization result references the ACL by name in the cisco-av-pair url-redirect-acl attribute and supplies the portal URL in url-redirect. Note that the meaning of permit and deny in that ACL differs between platforms: on AireOS, permitted traffic passes and everything else is redirected, while on IOS-XE (Catalyst 9800 and Catalyst switches) permitted traffic is redirected and denied traffic passes.
Option C is correct because this ACL configuration is essential for CWA.
Option A is incorrect because CWA is triggered from a MAB (MAC filtering) authorization on an open SSID; EAP-TLS is an 802.1X method for managed endpoints that already hold certificates, which is exactly what guest and BYOD devices using web authentication do not have.
Option B is incorrect because PSKs are not part of the CWA workflow.
Option D is incorrect because VLAN assignment can be dynamic and is not fixed for all guests.
Thus, C describes the required WLC configuration.
Question 19:
What is the purpose of enabling the DHCP probe in Cisco ISE profiling?
A) To authenticate endpoints by validating DHCP packets
B) To capture DHCP attributes such as option fields that help identify device types
C) To assign VLANs during onboarding
D) To reroute posture traffic during remediation
Answer: B)
Explanation:
The DHCP probe listens for DHCP packets that the network relays to a Policy Service Node (an ip helper-address pointing at the PSN, UDP 67; the separate DHCPSPAN probe reads a mirrored copy instead) and extracts attributes such as option 55 (the parameter request list, the core of the DHCP fingerprint), option 60 (the vendor class identifier, for example MSFT 5.0 on Windows clients), option 12 (host name) and option 61 (client identifier). These attributes are matched against the conditions of profiling policies, each satisfied condition adding its certainty factor, to classify endpoints accurately.
Option B is correct because DHCP fingerprints are a major profiling attribute.
Option A is incorrect because DHCP is not used for authentication.
Option C is incorrect because VLAN assignment occurs during authorization policy.
Option D is incorrect because DHCP probes do not reroute traffic.
Thus, B is correct.
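The fingerprinting described above, as an added example that is not from the page and is not ISE's profiler code: it builds a minimal DHCP DISCOVER (constructed packets, not captures), walks the options area to pull out options 12, 55, 60 and 61 under the attribute names ISE displays for an endpoint, and scores them against certainty-factor conditions in the style of ISE profiling policies. The two policies and their certainty values are constructed for illustration; real ISE policies come from Cisco's profiler feed.

```python
"""DHCP fingerprinting in the style of the ISE DHCP probe.
Added example; packets and profiling policies are constructed."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"


def build_dhcp_discover(mac, options):
    """Construct a minimal BOOTP/DHCP DISCOVER (sample input, not a capture)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    fixed = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                        bytes(4), bytes(4), bytes(4), bytes(4))   # op..giaddr
    fixed += chaddr + bytes(64) + bytes(128)                       # chaddr, sname, file
    body = MAGIC_COOKIE + bytes([53, 1, 1])                        # option 53 = DISCOVER
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return fixed + body + b"\xff"


def parse_dhcp_options(packet):
    """Walk the options area; skips pad (0), stops at end (255), rejects truncation."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    i, opts = 240, {}
    while i < len(packet):
        code = packet[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("truncated option")
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def dhcp_profile_attributes(packet):
    """Attribute names follow the ones ISE shows in an endpoint's attribute list."""
    o = parse_dhcp_options(packet)
    attrs = {}
    if 55 in o:
        attrs["dhcp-parameter-request-list"] = ",".join(str(b) for b in o[55])
    if 60 in o:
        attrs["dhcp-class-identifier"] = o[60].decode("ascii", "replace")
    if 12 in o:
        attrs["host-name"] = o[12].decode("ascii", "replace")
    if 61 in o:
        attrs["dhcp-client-identifier"] = o[61].hex(":")
    return attrs


def condition_matches(attrs, attribute, op, value):
    actual = attrs.get(attribute)
    if actual is None:
        return False
    return {"EQUALS": actual == value,
            "CONTAINS": value in actual,
            "STARTSWITH": actual.startswith(value)}[op]


def profile(attrs, policies):
    """Sum the certainty of satisfied conditions; the best policy that reaches its
    minimum certainty wins; None means the endpoint stays Unknown."""
    best, best_score = None, -1
    for name, min_certainty, conditions in policies:
        score = sum(cf for (a, op, v, cf) in conditions if condition_matches(attrs, a, op, v))
        if score >= min_certainty and score > best_score:
            best, best_score = name, score
    return best


POLICIES = [   # constructed; not Cisco's shipped profiling policies
    ("Windows-Workstation", 20, [
        ("dhcp-class-identifier", "CONTAINS", "MSFT 5.0", 10),
        ("dhcp-parameter-request-list", "STARTSWITH", "1,3,6,15,31,33,43,44,46,47", 10),
    ]),
    ("HP-Printer", 10, [
        ("dhcp-class-identifier", "CONTAINS", "Hewlett-Packard", 10),
        ("host-name", "STARTSWITH", "NPI", 5),
    ]),
]

# Constructed sample packets
WINDOWS_DISCOVER = build_dhcp_discover("00:50:56:aa:bb:cc", [
    (12, b"LAPTOP-42"), (60, b"MSFT 5.0"),
    (55, bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252])),
    (61, b"\x01\x00\x50\x56\xaa\xbb\xcc")])
PRINTER_DISCOVER = build_dhcp_discover("3c:d9:2b:11:22:33", [
    (12, b"NPI112233"), (60, b"Hewlett-Packard JetDirect"), (55, bytes([1, 3, 6, 12, 15, 44, 47]))])
BARE_DISCOVER = build_dhcp_discover("de:ad:be:ef:00:01", [])


def classify(packet):
    return profile(dhcp_profile_attributes(packet), POLICIES)


if __name__ == "__main__":
    for name, pkt in [("windows", WINDOWS_DISCOVER), ("printer", PRINTER_DISCOVER), ("bare", BARE_DISCOVER)]:
        print(name, dhcp_profile_attributes(pkt), "->", classify(pkt))
```

The bare DISCOVER is the operational lesson: a client that sends no option 55 or 60 gives the DHCP probe nothing to work with, so it stays Unknown until another probe (RADIUS, HTTP, SNMP, NMAP) contributes attributes.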
Question 20:
How does Cisco ISE perform TACACS+ command authorization when an administrator enters privileged commands on a network device?
A) The device allows all commands without checking with Cisco ISE
B) The device forwards the command to ISE, which evaluates the command against configured command sets
C) The device checks the command locally without using ISE
D) The device retrieves ACLs from ISE and applies them to commands
Answer: B)
Explanation:
In a TACACS+-enabled deployment, command authorization is handled centrally by Cisco ISE. With aaa authorization commands 15 default group <tacacs-group> local configured on the device, every command an administrator enters at that privilege level is forwarded to ISE as a TACACS+ authorization request (service=shell, cmd=<keyword>, cmd-arg=<arguments>). Cisco ISE matches the request against the command sets selected by the device-administration authorization policy and returns a pass or fail, and the device executes or rejects the command accordingly.
Option B is correct because TACACS+ command authorization is entirely policy-driven from ISE.
Option A is incorrect because TACACS+ explicitly enforces restrictions.
Option C is incorrect because local authorization is used only as a configured fallback (the local keyword in the method list) when the TACACS+ servers are unreachable, not while ISE is answering.
Option D is incorrect because ACLs do not apply to command authorization.
Thus, B accurately explains TACACS+ command authorization behavior.
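The decision described above, as an added example that is not from the page and not ISE's code: it splits the TACACS+ authorization arguments into the command keyword and its argument string, then applies command sets with the precedence ISE documents for device-admin policy (Deny Always beats Permit, which beats Deny, then the set's "permit any command not listed" switch, then implicit deny). That ordering is encoded here from the ISE administrator guide and should be verified against your release; the wildcard handling for the command field and regex matching for arguments are assumptions of this example, and the two command sets are constructed.

```python
"""ISE-style TACACS+ command-set evaluation. Added example; precedence order is
taken from the ISE admin guide (verify against your release); command sets are constructed."""
import fnmatch
import re
from dataclasses import dataclass, field


@dataclass
class CommandRule:
    grant: str            # "PERMIT", "DENY" or "DENY_ALWAYS"
    command: str          # command keyword; '*' and '?' wildcards assumed
    arguments: str = ""   # regex searched in the argument string; "" matches anything

    def matches(self, command, arguments):
        if not fnmatch.fnmatchcase(command.lower(), self.command.lower()):
            return False
        return self.arguments == "" or re.search(self.arguments, arguments) is not None


@dataclass
class CommandSet:
    name: str
    rules: list = field(default_factory=list)
    permit_unlisted: bool = False   # "Permit any command that is not listed below"


def parse_tacacs_args(args):
    """Turn service=shell / cmd=... / cmd-arg=... into (keyword, argument string)."""
    kv, cmd_args = {}, []
    for a in args:
        key, _, value = a.partition("=")
        if key == "cmd-arg":
            if value != "<cr>":
                cmd_args.append(value)
        else:
            kv[key] = value
    if kv.get("service") != "shell" or not kv.get("cmd"):
        raise ValueError("not a shell command authorization request")
    return kv["cmd"], " ".join(cmd_args)


def authorize(command, arguments, command_sets):
    """Return ("PERMIT" | "DENY", reason) across all command sets the policy selected."""
    hits = [(cs.name, r) for cs in command_sets for r in cs.rules if r.matches(command, arguments)]
    for grant in ("DENY_ALWAYS", "PERMIT", "DENY"):       # documented precedence
        for name, r in hits:
            if r.grant == grant:
                action = "PERMIT" if grant == "PERMIT" else "DENY"
                return action, f"{name}: {grant} {r.command} {r.arguments!r}"
    if any(cs.permit_unlisted for cs in command_sets):
        return "PERMIT", "permit-unlisted"
    return "DENY", "implicit deny"


def decide(args, command_sets):
    cmd, argstr = parse_tacacs_args(args)
    return authorize(cmd, argstr, command_sets)


# Constructed command sets. HelpDesk may run any show/ping, but the config
# is protected with DENY_ALWAYS because a plain DENY would lose to "PERMIT show".
HELPDESK = CommandSet("HelpDesk", [
    CommandRule("DENY_ALWAYS", "show", r"^(running|startup)-config"),
    CommandRule("PERMIT", "show", ""),
    CommandRule("PERMIT", "ping", ""),
])
NETOPS = CommandSet("NetOps", [], permit_unlisted=True)


if __name__ == "__main__":
    for req in [["service=shell", "cmd=show", "cmd-arg=version", "cmd-arg=<cr>"],
                ["service=shell", "cmd=show", "cmd-arg=running-config", "cmd-arg=<cr>"],
                ["service=shell", "cmd=configure", "cmd-arg=terminal", "cmd-arg=<cr>"]]:
        print(" ".join(req), "->", decide(req, [HELPDESK]), decide(req, [HELPDESK, NETOPS]))
```

The case to notice is show running-config when both sets apply: NetOps would permit anything, yet the HelpDesk Deny Always still wins, which is exactly why Deny Always exists as a separate grant.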