Cisco 300-715 Implementing and Configuring Cisco Identity Services Engine (300-715 SISE) Exam Dumps and Practice Test Questions Set 3 41-60


Question 41:

What happens when an endpoint authenticates using MAB and Cisco ISE does not recognize the MAC address in any identity store?

A) The endpoint is granted full access
B) Cisco ISE matches the default MAB rule and applies the corresponding authorization profile
C) The endpoint is automatically profiled as a printer
D) The endpoint is rejected without exceptions

Answer: B

Explanation:

When a device authenticates using MAC Authentication Bypass (MAB), Cisco ISE evaluates the endpoint based solely on its MAC address. MAB is often used by non-supplicant devices such as printers, surveillance cameras, IP phones, badge readers, or industrial IoT devices. These devices generally cannot perform 802.1X authentication or certificate-based validation, so their identity is determined using the MAC address as the user identifier. If Cisco ISE receives a MAB authentication request and the presented MAC address does not exist in any configured identity stores—such as internal endpoints, external databases, guest portals, or imported MAC lists—it must determine how to treat the unknown device.

Option B is correct because Cisco ISE uses policy sets that include a default MAB rule for handling unknown MAC addresses. This rule allows administrators to define baseline “catch-all” behavior for endpoints with unrecognized MAC addresses. Instead of rejecting the session outright, the default MAB authorization rule typically applies a restricted authorization profile such as limited access, a quarantine VLAN, or a profiling-only VLAN. The idea is to allow Cisco ISE to gather additional device attributes through probes such as DHCP, CDP, LLDP, RADIUS attributes, or HTTP user-agent information. These profiling attributes can then classify the endpoint more accurately in subsequent authentications.

Option A is incorrect because granting full access to an unknown MAB device would be a significant security risk. MAB devices are untrusted by default until profiling or administrative approval assigns them to a known identity group.

Option C is incorrect because Cisco ISE does not assume an unknown MAC belongs to a specific device type. Profiling occurs only after collecting sufficient evidence.

Option D is incorrect because strict rejection of unknown MAB endpoints would break essential services like phones or printers. Most deployments allow limited access until profiling is complete.

Thus, option B accurately reflects Cisco ISE’s behavior and best practices for handling unknown devices.

Question 42:

Which ISE feature enables the exchange of contextual session information such as security events or device posture between ISE and security platforms?

A) TrustSec
B) pxGrid
C) TACACS+
D) DHCP snooping

Answer: B

Explanation:

Cisco pxGrid is a framework that enables bidirectional, secure, scalable exchange of contextual information between Cisco ISE and other security platforms within an enterprise network. This ecosystem includes next-generation firewalls, endpoint protection systems, threat intelligence platforms, SIEMs, and network monitoring tools. pxGrid turns Cisco ISE into a central clearinghouse for identity, posture, risk scores, user session data, and device attributes, enabling enforcement across multiple security layers.

Option B is correct because pxGrid allows external systems to subscribe to topics such as session directory updates, posture status changes, SGT mappings, and threat alerts. Additionally, pxGrid-enabled systems can publish real-time alerts to Cisco ISE, triggering adaptive network access controls. For example, if an endpoint protection system detects malware activity, it can notify ISE via pxGrid, and ISE can automatically move the device into a quarantine VLAN or reduce its privileges by assigning a different authorization profile.

Option A, TrustSec, focuses on identity-based network segmentation and enforcement using SGTs, but it does not provide cross-system data exchange.

Option C, TACACS+, is used for administrative authentication and command authorization on network devices. It provides no posture or threat-sharing capabilities.

Option D, DHCP snooping, helps switches track IP-to-MAC binding information but has no function in multi-platform threat or session sharing.

pxGrid is central to the Cisco 300-715 SISE exam because it exemplifies ISE’s role as a policy engine integrated across the security infrastructure. It promotes adaptive security by enabling security events detected by one platform to influence network access decisions orchestrated by ISE. Because of this integration ability, pxGrid allows networks to operate with dynamic, identity-based enforcement that adapts as risk levels change.

Thus, B correctly identifies the feature responsible for contextual data exchange.

Question 43:

What occurs when Cisco ISE pushes a VLAN assignment during RADIUS-based authentication?

A) The NAD ignores the VLAN
B) The NAD reassigns the endpoint to the specified VLAN
C) The endpoint selects its own VLAN
D) The VLAN is applied only after a reboot

Answer: B

Explanation:

When Cisco ISE assigns a VLAN during RADIUS-based authentication, it is leveraging dynamic VLAN assignment, a core functionality in network access control. VLAN assignment is included in the RADIUS Access-Accept message and instructs the NAD to place the endpoint into a VLAN that corresponds to its identity, posture status, device type, or user group.

Option B is correct because NADs (switches and wireless controllers) use the RADIUS attribute Tunnel-Private-Group-ID or similar parameters to assign the endpoint to the VLAN specified by Cisco ISE. This VLAN may offer restricted access for remediation, full-access privileges, guest privileges, or specific segmentation for devices like IP phones or IoT endpoints.

Option A is incorrect because compliant NADs do not ignore RADIUS VLAN assignments unless misconfigured.

Option C is incorrect because endpoints cannot dictate VLAN selection. The network infrastructure enforces segmentation.

Option D is incorrect because VLAN reassignment occurs immediately upon authentication or CoA events, without requiring a restart of the endpoint.

Dynamic VLAN assignment allows scalable and flexible network segmentation. Instead of manually configuring VLANs on switch ports or relying on device location, ISE dynamically selects the VLAN based on identity and policy logic. This allows users to move across locations while retaining consistent access privileges. It is especially valuable for posture workflows, guest access flows, and identity-based segmentation models.

Thus, option B correctly describes the behavior.

Question 44:

Which type of certificate is required on Cisco ISE to support EAP-TLS authentication for wireless clients?

A) A certificate signed by a public or enterprise CA and trusted by clients
B) A self-signed certificate only
C) A certificate with no key usage flags
D) A certificate used exclusively for TACACS+

Answer: A

Explanation:

EAP-TLS is one of the strongest authentication methods supported by Cisco ISE and is widely used in secure enterprise wireless deployments. Its robustness comes from mutual certificate-based authentication, which requires both the client and the authentication server (Cisco ISE) to present valid X.509 certificates that can be fully validated. For this process to work, the EAP server—Cisco ISE—must present a certificate that wireless clients inherently trust.

Option A is correct because Cisco ISE must use a certificate that is signed by a trusted certificate authority, either public (such as DigiCert or Entrust) or an internal enterprise CA that is already deployed in the client environment. Wireless endpoints use this certificate to establish the TLS tunnel required for secure EAP exchanges. If the certificate is not trusted, clients may reject the connection, prompt security warnings, or fail authentication entirely. Many enterprise environments leverage internal PKI servers and distribute trusted root certificates via group policy or MDM to ensure endpoint trust.

Option B is incorrect because a self-signed certificate is not inherently trusted by clients. While it could technically function in a lab environment, it is not suitable for production deployments where endpoints must automatically trust the authentication server without user intervention.

Option C is incorrect because certificates used for EAP-TLS require specific key usage and extended key usage attributes such as Server Authentication and Key Encipherment. A certificate without correct flags will be rejected by supplicants.

Option D is incorrect because certificates used for TACACS+ administration have nothing to do with EAP-TLS wireless authentication.

Using a proper server certificate ensures encrypted communication, prevents man-in-the-middle attacks, and facilitates seamless user experience. Therefore, the correct answer is A.

Question 45:

How does Cisco ISE classify an endpoint when multiple profiling policies match the device attributes?

A) It discards all matches
B) It applies the policy with the highest certainty level
C) It applies all matched profiles
D) It selects the lowest priority profile

Answer: B

Explanation:

Cisco ISE profiling is a dynamic mechanism that uses attributes collected from network probes to identify device types and behavior. When a device connects to the network, ISE gathers data from DHCP fingerprints, LLDP, CDP, HTTP user-agent strings, SNMP OIDs, and other input sources. These attributes are evaluated against profiling policies that define specific criteria for classifying endpoints into identity groups.

When multiple profiling policies appear to match the collected attributes, Cisco ISE does not arbitrarily assign all matching profiles or disregard them. Instead, the profiling engine uses a certainty factor model. Each profiling rule or condition contributes a specific certainty weight. As attributes accumulate, profiles gain higher or lower certainty values. Cisco ISE selects the profile with the highest certainty score as the most likely match. This system ensures accurate classification even when devices share overlapping behaviors or attributes.

Option B is correct because the certainty model ensures the strongest match prevails. For example, a device might partially match multiple general categories like “Windows Device” or “Apple Device,” but more specific attributes—such as the exact DHCP signature—will yield a higher certainty score and drive the final classification.

Option A is incorrect because ISE does not discard all matches; it refines them systematically.

Option C is incorrect because applying multiple profiles simultaneously would break authorization logic and create ambiguity in policy enforcement.

Option D is incorrect because ISE favors the strongest match, not the weakest.

This certainty-based profiling system is essential for accurately classifying IoT devices, printers, phones, and compute endpoints, especially when their signatures overlap. Therefore, option B correctly describes the profiling process.
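An added example, not part of the exam material and not Cisco's profiler code: a small Python model of the certainty-factor selection described above. Policies, condition weights, attribute names (OUI, User-Agent, host-name, cdpCachePlatform) and minimum-certainty thresholds are constructed for illustration; the point is that a child profile is only considered once its parent qualifies, the highest total wins, and a device with too little evidence stays Unknown rather than being guessed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Condition:
    attribute: str   # collected profiling attribute, e.g. OUI or User-Agent
    op: str          # "equals", "contains" or "startswith"
    value: str
    certainty: int   # weight added to the policy total when this condition matches


@dataclass(frozen=True)
class ProfilingPolicy:
    name: str
    parent: Optional[str]   # None for a top-level policy
    min_certainty: int      # policy qualifies only when its total reaches this
    conditions: tuple


def condition_matches(cond, attrs):
    observed = attrs.get(cond.attribute)
    if observed is None:
        return False
    if cond.op == "equals":
        return observed == cond.value
    if cond.op == "contains":
        return cond.value in observed
    if cond.op == "startswith":
        return observed.startswith(cond.value)
    raise ValueError(f"unknown operator {cond.op}")


def certainty(policy, attrs):
    """Sum the weights of every condition the collected attributes satisfy."""
    return sum(c.certainty for c in policy.conditions if condition_matches(c, attrs))


def classify(policies, attrs):
    """Return (profile name, certainty) for the best qualifying policy.

    A child policy counts only when its parent qualifies. Among qualifying
    policies the highest certainty wins; ties go to the deeper, more specific
    one. With no qualifying policy the endpoint stays ("Unknown", 0).
    """
    by_name = {p.name: p for p in policies}
    scores = {p.name: certainty(p, attrs) for p in policies}

    def depth(name):
        parent = by_name[name].parent
        return 0 if parent is None else 1 + depth(parent)

    def qualifies(name):
        policy = by_name[name]
        if scores[name] < policy.min_certainty:
            return False
        return policy.parent is None or qualifies(policy.parent)

    candidates = [n for n in by_name if qualifies(n)]
    if not candidates:
        return "Unknown", 0
    best = max(candidates, key=lambda n: (scores[n], depth(n)))
    return best, scores[best]


# Constructed policy set; weights and thresholds are illustrative, not ISE's library.
POLICIES = (
    ProfilingPolicy("Apple-Device", None, 10, (
        Condition("OUI", "startswith", "Apple", 10),)),
    ProfilingPolicy("Apple-iPhone", "Apple-Device", 20, (
        Condition("User-Agent", "contains", "iPhone", 20),
        Condition("host-name", "contains", "iPhone", 10))),
    ProfilingPolicy("Apple-MacBook", "Apple-Device", 20, (
        Condition("User-Agent", "contains", "Macintosh", 20),)),
    ProfilingPolicy("Cisco-IP-Phone", None, 30, (
        Condition("OUI", "startswith", "Cisco", 10),
        Condition("cdpCachePlatform", "contains", "IP Phone", 20))),
)
```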

Question 46:

What occurs when a RADIUS Change of Authorization (CoA) “Port Bounce” is issued by Cisco ISE?

A) The NAD shuts down completely
B) The switch administratively disables and re-enables the port
C) The endpoint receives a new IP without disconnection
D) Posture is skipped

Answer: B

Explanation:

Option A, “The NAD shuts down completely,” is not an accurate description of what occurs during typical network access control operations such as reauthentication, authorization changes, or CoA events. A Network Access Device (NAD) does not shut down as part of endpoint management. Shutting down a NAD would disrupt all connected users and would never be triggered automatically by ISE. Therefore, this option reflects a misunderstanding of device behavior.

Option B, “The switch administratively disables and re-enables the port,” describes one possible outcome in certain Change of Authorization scenarios, particularly when a CoA-Port-Bounce is used. A port bounce administratively shuts the port down and then brings it back up. This forces the endpoint to re-establish link, refresh DHCP, and restart authentication. Port bounce is often used when a device needs to obtain new authorization conditions, such as an updated VLAN, new dACL, or fresh posture status. Although disruptive, it is sometimes necessary when the endpoint does not respond to lighter CoA actions. This is the most accurate of the listed behaviors.

Option C, “The endpoint receives a new IP without disconnection,” does not accurately reflect what happens during typical authorization changes. Obtaining a new IP address usually requires the endpoint to send DHCP requests, which are normally triggered by a link flap or network-layer reset. Without some disruption, most endpoints will not initiate a DHCP renewal on their own. Therefore, this scenario is unlikely unless the device itself voluntarily renews.

Option D, “Posture is skipped,” is incorrect. Administrative actions like port bounce or CoA do not instruct the system to skip posture checks. Posture assessment occurs based on configured policy. If posture is required, the endpoint will be evaluated again after reauthentication.

These descriptions clarify that the only realistic behavior among the options is the temporary port reset performed by the switch.
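An added example, not from the exam material or from Cisco: a minimal RADIUS encoder and decoder in Python that builds the Access-Accept carrying the RFC 2868 tunnel attributes for dynamic VLAN assignment (Question 43) and the CoA-Request that triggers a port bounce (Question 46), and shows the checks a NAD performs before honouring either. The shared secret, request authenticator, MAC address and VLAN name are constructed sample values; the cisco-av-pair string is the one Cisco switches accept for a port bounce.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865, RFC 5176)
ACCESS_ACCEPT, COA_REQUEST = 2, 43
# Attribute types: session targeting, Vendor-Specific, RFC 2868 tunnel attributes
CALLING_STATION_ID, VENDOR_SPECIFIC = 31, 26
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # vendor 9, sub-type 1 = cisco-av-pair


def attr(atype, value):
    """Encode one Type-Length-Value attribute; Length includes the 2 header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value

def tagged_int(atype, tag, number):
    """Integer tunnel attributes carry a 1-byte tag plus a 3-byte value (RFC 2868)."""
    return attr(atype, bytes([tag]) + number.to_bytes(3, "big"))

def cisco_avpair(text):
    """Vendor-Specific attribute wrapping one cisco-av-pair string."""
    sub = attr(CISCO_AVPAIR, text.encode())
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def build_packet(code, identifier, request_auth, attrs, secret):
    """Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    A response uses the NAD's Request Authenticator; a CoA-Request uses 16 zero
    bytes (RFC 5176), so one routine serves both message types."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + request_auth + body + secret).digest()
    return header + authenticator + body

def build_access_accept_vlan(identifier, request_auth, vlan, secret, tag=1):
    """Access-Accept that tells the NAD to place the session in `vlan`."""
    attrs = [
        tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN),
        tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802),
        attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode()),
    ]
    return build_packet(ACCESS_ACCEPT, identifier, request_auth, attrs, secret)

def build_coa_port_bounce(identifier, endpoint_mac, secret):
    """CoA-Request asking the switch to bounce the port behind `endpoint_mac`."""
    attrs = [
        attr(CALLING_STATION_ID, endpoint_mac.encode()),
        cisco_avpair("subscriber:command=bounce-host-port"),
    ]
    return build_packet(COA_REQUEST, identifier, bytes(16), attrs, secret)

def parse_attrs(packet):
    """Yield (type, value) pairs, rejecting bad lengths instead of over-reading."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("RADIUS Length field does not match packet size")
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def verify_authenticator(packet, request_auth, secret):
    """A NAD recomputes the authenticator before acting on an Accept or a CoA."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)

def extract_vlan(packet):
    """VLAN to apply, or None unless Tunnel-Type=VLAN and Medium=802 share its tag."""
    groups = {}
    for atype, value in parse_attrs(packet):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            groups.setdefault(value[0], {})[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # a first byte above 0x1F is string data, not a tag (RFC 2868 section 3.6)
            tag, text = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            groups.setdefault(tag, {})[atype] = text.decode()
    for fields in groups.values():
        if (fields.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and fields.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in fields):
            return fields[TUNNEL_PRIVATE_GROUP_ID]
    return None

def coa_commands(packet):
    """Return the cisco-av-pair strings carried in a CoA-Request."""
    cmds = []
    for atype, value in parse_attrs(packet):
        if atype != VENDOR_SPECIFIC or struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        pos = 4
        while pos < len(value):
            stype, slen = value[pos], value[pos + 1]
            if slen < 2 or pos + slen > len(value):
                raise ValueError("malformed vendor sub-attribute")
            if stype == CISCO_AVPAIR:
                cmds.append(value[pos + 2:pos + slen].decode())
            pos += slen
    return cmds
```

Note that the MD5 authenticator only proves the sender knows the shared secret; it is why the secret must be strong and unique per NAD, since anyone holding it can forge an Access-Accept or a CoA that bounces ports.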

Question 47:

Which protocol does Cisco ISE primarily use to communicate authorization results to a network access device?

A) TACACS+
B) RADIUS
C) HTTPS
D) SNMP

Answer: B

Explanation:

Option A, “TACACS+,” refers to a protocol primarily used for device administration rather than endpoint authentication. TACACS+ is commonly deployed to control access to routers, switches, firewalls, and other infrastructure devices. It allows highly granular command authorization and separates authentication, authorization, and accounting. However, it is not typically used for authenticating network endpoints such as laptops, phones, IoT devices, or BYOD systems. Instead, TACACS+ is a management-plane protocol and is not involved in most client-facing network access workflows.

Option B, “RADIUS,” is the main protocol used for network access control in both wired and wireless environments. RADIUS supports 802.1X authentication, MAC Authentication Bypass, VPN access, guest portals, and dynamic authorization with CoA. It provides the mechanisms needed for identity validation, policy enforcement, VLAN assignment, dACL deployment, and posture workflows. Because of its extensive support for endpoint authentication and authorization, RADIUS is central to most Cisco ISE access control deployments. It plays a crucial role in ensuring secure, identity-based access across diverse network topologies.

Option C, “HTTPS,” represents a secure web communication protocol used for encrypted browsing and portal access, such as guest authentication or BYOD onboarding. HTTPS is used when endpoints interact with a captive portal, provisioning portal, or posture assessment interface. However, HTTPS is not used as the underlying authentication protocol for network admission. It serves more as a transport mechanism for web-based workflows rather than a primary network access control protocol.

Option D, “SNMP,” or Simple Network Management Protocol, is used for device monitoring, status polling, and sometimes limited configuration tasks. SNMP can complement network access control by providing profiling information, but it cannot authenticate endpoints or users. SNMP operates in the management plane and does not participate in authorization decisions during network access events.

Together, these explanations highlight RADIUS as the central protocol for secure endpoint access control, while TACACS+, HTTPS, and SNMP serve different, more specialized network functions.

Question 48:

Which action must be configured in Cisco ISE to enforce endpoint compliance using AnyConnect posture modules?

A) A posture policy with remediation rules and required conditions
B) A TACACS+ authorization rule
C) A DHCP scope update
D) A pxGrid trust ticket

Answer: A

Explanation:

Option A, “A posture policy with remediation rules and required conditions,” refers to one of the core elements needed for any posture-based network access control deployment. A posture policy defines the security requirements an endpoint must meet before receiving full network access. These requirements may include antivirus installation, real-time protection, OS patch levels, disk encryption, firewall status, or specific application checks. When an endpoint fails one of these checks, remediation rules determine what actions the system should take, such as redirecting the device to a remediation portal, installing updates, enabling services, or applying a temporary restricted authorization profile. Without a posture policy and remediation logic, the NAC system cannot evaluate or enforce the endpoint’s security posture.

Option B, “A TACACS+ authorization rule,” does not relate to endpoint posture assessment. TACACS+ is used for administrative access to networking devices and manages which commands device administrators can run. It plays no role in checking or enforcing the posture of user endpoints attempting to join the network.

Option C, “A DHCP scope update,” is unrelated to posture policies. DHCP scope adjustments affect IP address assignments and network planning but do not evaluate or enforce endpoint compliance. Posture checks occur at the authentication and authorization level through RADIUS, not DHCP.

Option D, “A pxGrid trust ticket,” refers to pxGrid’s mechanism for sharing contextual information among integrated security tools. While pxGrid can distribute posture results to other systems, a trust ticket itself is not part of creating or defining a posture policy. It is an add-on for ecosystem integration rather than a foundational posture requirement.

These explanations clarify that only a posture policy with remediation rules enables actual posture enforcement.

Question 49:

Which attribute can Cisco ISE use in an authorization rule to distinguish between corporate laptops and guest devices?

A) SNMP trap sysOID
B) Endpoint identity group from profiling
C) RADIUS shared secret
D) Time of day

Answer: B

Explanation:

Option A, “SNMP trap sysOID,” refers to an identifier used in SNMP-based device monitoring. The sysOID tells a management system what type of device is generating an SNMP trap. While this information is useful for network monitoring and profiling infrastructure devices, it is not normally used as a primary condition in Cisco ISE authorization policies for network access. Authorization decisions are typically based on identity, posture, or profiling data rather than on SNMP system identifiers.

Option B, “Endpoint identity group from profiling,” represents one of the most commonly used and powerful conditions for authorization rules. Profiling engines collect data such as DHCP fingerprints, CDP/LLDP information, MAC OUI, and RADIUS attributes to determine what type of device is connecting. Based on this information, ISE assigns the endpoint to an identity group, such as printer, IP phone, camera, medical device, or corporate workstation. Authorization rules can reference these groups to apply appropriate ACLs, VLANs, or SGTs. This creates scalable, dynamic policy enforcement without having to manually classify every device.

Option C, “RADIUS shared secret,” is used only for securing communication between the NAD and Cisco ISE. It does not play any role in authorization policy logic. The shared secret is simply a cryptographic key ensuring the integrity and privacy of RADIUS messages, not a decision-making attribute.

Option D, “Time of day,” can be used as an optional authorization condition in specific environments. For example, policies may restrict access to certain network resources outside business hours or grant limited access during evenings. While not mandatory, time-of-day conditions are fully supported and can be combined with identity or device context to create more granular controls.

These explanations show that endpoint identity groups from profiling and, in some cases, time-of-day checks are meaningful authorization conditions, while sysOID and shared secrets are not used for access decisions.

Question 50:

Which ISE feature is essential for enforcing identity-based access control using SGTs across TrustSec devices?

A) SNMP monitoring
B) SXP protocol for SGT propagation
C) DHCP option 150
D) TACACS+ command sets

Answer: B

Explanation:

Option A, “SNMP monitoring,” refers to the use of the Simple Network Management Protocol to gather status, performance metrics, and device information from network hardware. SNMP can report interface states, MAC address tables, CPU load, and system identifiers. While SNMP plays a valuable role in network monitoring and can support profiling activities in Cisco ISE by providing device characteristics, it is not directly involved in functions such as security group tag (SGT) propagation or TrustSec enforcement. SNMP is mostly a management-plane protocol used for visibility and alerting rather than access control or segmentation.

Option B, “SXP protocol for SGT propagation,” describes a key component of Cisco TrustSec. SXP (Security Group Tag Exchange Protocol) is used to transport SGT-to-IP bindings between devices that do not support inline tagging. For example, an access switch may assign an SGT to an endpoint but cannot attach the tag directly to packets due to hardware limitations. SXP allows that switch to export the binding to a firewall, core switch, or other TrustSec-aware device, enabling consistent policy enforcement across the network. This makes SXP essential when some parts of the network cannot apply or carry SGTs natively.

Option C, “DHCP option 150,” is a DHCP configuration parameter typically used to specify TFTP server addresses for IP phones or other devices that need to download configuration files. While relevant in voice deployments, it has no role in TrustSec, SGT assignment, or SGT propagation. It is purely a provisioning parameter and does not influence identity-based policy enforcement.

Option D, “TACACS+ command sets,” is associated with administrative access control for network devices. TACACS+ defines what commands a network administrator is allowed to execute on routers, switches, or firewalls. These command sets govern device management permissions but have nothing to do with SGTs, TrustSec, or endpoint policy enforcement.

These explanations clarify that only the SXP protocol is tied directly to SGT propagation, while the other options serve unrelated network functions.

Question 51:

What occurs when a wireless client successfully completes Central Web Authentication (CWA)?

A) The user remains in the redirect ACL indefinitely
B) The WLC applies a new authorization policy granting full access
C) The client receives a new username
D) The endpoint is placed into posture mode

Answer: B

Explanation:

Option A, “The user remains in the redirect ACL indefinitely,” is not an accurate outcome once posture validation succeeds. A redirect ACL is typically used only during the assessment phase to force the client toward the posture or remediation portal. Once the endpoint becomes compliant and Cisco ISE signals that the posture requirement has been met, the redirect ACL is no longer appropriate. Leaving the user in this restricted state would prevent normal network access and defeat the purpose of posture-based workflows. Therefore, this option does not reflect expected behavior.

Option B, “The WLC applies a new authorization policy granting full access,” correctly describes what normally occurs after successful posture assessment in a wireless environment. When the endpoint satisfies all required checks—such as antivirus status, OS updates, firewall configuration, or compliance rules—Cisco ISE sends a Change of Authorization (CoA) message to the Wireless LAN Controller (WLC). The WLC then re-evaluates the session and applies the authorization profile intended for compliant devices. This generally removes the redirect ACL, assigns a production VLAN or interface, and provides full network access. This process completes the posture flow and transitions the endpoint out of restricted mode.

Option C, “The client receives a new username,” has no relevance to posture validation. Posture checks do not modify credentials or identity attributes. The username presented during authentication remains the same throughout the session; posture success does not trigger identity changes.

Option D, “The endpoint is placed into posture mode,” is the opposite of what happens. Posture mode is used during the assessment phase. Once the endpoint is found compliant, it exits posture mode and enters normal operational access.

These explanations make clear that the expected outcome of successful posture validation is the application of a new, unrestricted authorization policy by the WLC.

Question 52:

Which Cisco ISE component is responsible for issuing BYOD endpoint certificates during onboarding?

A) TACACS+ server
B) SCEP Registration Authority
C) DHCP server
D) SNMP engine

Answer: B

Explanation:

Option A, “TACACS+ server,” refers to a system responsible for authenticating and authorizing administrative access to network devices. TACACS+ controls what commands network engineers can execute on routers, switches, and firewalls. Although important for device management security, a TACACS+ server has no role in certificate enrollment, endpoint onboarding, or device identity provisioning. It does not issue certificates, validate device identities through PKI, or participate in SCEP workflows.

Option B, “SCEP Registration Authority,” accurately describes the component associated with issuing certificates to endpoints using the Simple Certificate Enrollment Protocol (SCEP). A Registration Authority (RA) accepts certificate-signing requests from devices, validates them according to policy, and forwards approved requests to the Certificate Authority (CA) for signing. In Cisco ISE environments, the RA is used during BYOD onboarding or device provisioning to issue identity certificates that endpoints later use for EAP-TLS authentication. The RA plays a crucial role in ensuring devices receive trusted credentials without manual IT involvement.

Option C, “DHCP server,” is responsible only for assigning IP addresses and network parameters such as DNS or default gateways. While DHCP can provide profiling information, it does not issue certificates, process certificate requests, or validate cryptographic identities. DHCP functions strictly at the IP configuration level and cannot serve as a certificate enrollment authority.

Option D, “SNMP engine,” is used for management and monitoring tasks. SNMP can report device status, interface utilization, system descriptions, and other operational data. Like DHCP, it is not involved in certificate issuance. It cannot validate certificate requests or participate in SCEP enrollment workflows.

These explanations clarify that only the SCEP Registration Authority is involved in certificate enrollment processes, while the other components serve unrelated network functions.

Question 53:

What happens when an endpoint fails posture requirements and remediation is not successful?

A) The user receives full network access
B) The endpoint remains in the restricted authorization state
C) ISE deletes the endpoint record
D) The endpoint is forced into TACACS+ mode

Answer: B

Explanation:

Option A, “The user receives full network access,” describes the expected outcome when an endpoint has successfully completed authentication and satisfied all required conditions for authorization. This usually occurs after the device has met posture requirements, presented valid credentials, and matched an authorization rule that grants production-level access. In such a scenario, Cisco ISE sends an authorization profile that allows the endpoint to join the normal VLAN or WLAN and removes any temporary restrictions. This outcome reflects a compliant and trusted device receiving full privileges.

Option B, “The endpoint remains in the restricted authorization state,” occurs when the endpoint fails to satisfy one or more required conditions. This may include failing posture checks, presenting insufficient credentials, or mismatching an expected device profile. When this happens, Cisco ISE keeps the endpoint in a limited-access environment such as a remediation VLAN or a redirect ACL. The endpoint may only have access to remediation resources, captive portals, or update servers. This restricted state persists until the endpoint becomes compliant.

Option C, “ISE deletes the endpoint record,” is not a typical automatic action in response to authorization or posture outcomes. Deleting an endpoint record is usually a manual administrative task used for cleanup or troubleshooting. ISE does not remove an endpoint from its database simply because it failed to qualify for full access.

Option D, “The endpoint is forced into TACACS+ mode,” is not applicable. TACACS+ is used solely for administrative access to network devices, not for endpoint authentication. An endpoint cannot be switched into TACACS+ mode, nor does ISE use TACACS+ to manage user or device network access.

These explanations clarify that the only realistic outcomes are either full access or continued restricted access, depending on compliance and policy requirements.

Question 54:

Which protocol does Cisco ISE use to deliver downloadable ACLs (dACLs) to network devices?

A) TACACS+
B) RADIUS
C) LDAP
D) SNMP

Answer: B

Explanation:

Option A, “TACACS+,” refers to a protocol primarily designed for administrative access control on network infrastructure devices such as switches, routers, and firewalls. TACACS+ allows granular command authorization and separates authentication, authorization, and accounting functions. While it is essential for securing device management operations, TACACS+ is not commonly used for authenticating endpoints or users gaining access to the wired or wireless network. Its role is limited to the management plane, not the user or endpoint access plane.

Option B, “RADIUS,” is the most widely used protocol for network access authentication. It forms the backbone of 802.1X authentication, MAC Authentication Bypass, VPN access, guest portals, posture validation, and dynamic authorization in systems like Cisco ISE. RADIUS handles the exchange of credentials, certificate verification, policy enforcement, VLAN assignment, downloadable ACL deployment, and even Change of Authorization messages. Because of its central role in secure network access, RADIUS is the protocol that governs most user and device authentication workflows in enterprise networks.

Option C, “LDAP,” is a directory access protocol often used to query identity stores such as Active Directory or OpenLDAP. While LDAP stores user account information and may help ISE validate directory attributes, LDAP alone cannot perform full network authentication. Typically, LDAP is used as an identity source behind RADIUS, not as the primary access protocol. It lacks the policy, authorization, and accounting functions needed for secure network admission.

Option D, “SNMP,” is a monitoring and management protocol used to gather operational data from network devices. It can report system information, interface statistics, and device health, but it cannot authenticate users or grant network access. SNMP serves a completely different purpose and operates outside the authentication and authorization workflow.

These explanations clarify that RADIUS is the primary access authentication protocol, while the others serve different, unrelated roles in network operations.

Question 55:

What occurs when Cisco ISE assigns an SGT to an endpoint but the switch does not support inline tagging?

A) The endpoint is rejected
B) The SGT-to-IP binding is propagated using SXP
C) The SGT is stored locally on the endpoint
D) The SGT is ignored entirely

Answer: B

Explanation:

Option A, “The endpoint is rejected,” is not an accurate description of what happens when an SGT (Security Group Tag) is assigned to an authenticated session. The assignment of an SGT is part of the authorization step, not a cause for rejection. Endpoints are only rejected if authentication fails or if the authorization policy explicitly denies access. The presence of an SGT does not trigger rejection; instead, it enhances how identity-based policies are enforced throughout the network.

Option B, “The SGT-to-IP binding is propagated using SXP,” correctly describes what happens in networks that rely on TrustSec but do not support inline tagging on all devices. When a switch assigns an SGT to an endpoint, it can generate an SGT-to-IP binding. If the hardware cannot carry the tag inline, the network uses SXP (Security Group Tag Exchange Protocol) to export that binding to other TrustSec-aware infrastructure, such as firewalls, core switches, or segmentation gateways. This allows policy enforcement across the entire network even when some devices do not support embedded tagging. SXP ensures consistent identity-based security across mixed hardware environments.

Option C, “The SGT is stored locally on the endpoint,” is incorrect. Endpoints do not store or interpret SGTs. SGTs exist entirely within the network infrastructure and are used by NADs and TrustSec-enabled devices. The endpoint remains unaware of the tag assigned to its traffic.

Option D, “The SGT is ignored entirely,” misrepresents how authorization works. If a policy assigns an SGT, the network does not ignore it. Whether carried inline or propagated via SXP, the SGT is used to enforce Security Group Access Control Lists (SGACLs) according to identity-based segmentation policies.

These explanations show that SGTs are network-resident constructs, and SXP is the mechanism used for propagating their bindings when inline tagging is not available.
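The propagation described above, as an added Cisco IOS configuration example (not from the page): the access switch that cannot tag inline acts as the SXP speaker and exports its IP-to-SGT bindings to an enforcement device acting as listener. IP addresses and the shared key are constructed placeholders.

```cisco
! Added example, not from the page: SXP peering between an access switch
! that cannot carry SGTs inline (speaker) and an enforcement device that
! can (listener). IP addresses and the key are constructed placeholders.
!
! --- Access switch (speaker): exports the IP-to-SGT bindings it derives
! --- from authenticated sessions that ISE authorized with an SGT
cts sxp enable
cts sxp default source-ip 10.1.1.2
cts sxp default password 0 EXAMPLE-SXP-KEY
cts sxp connection peer 10.1.1.1 password default mode local speaker
!
! --- Core switch or firewall (listener): receives the bindings and
! --- enforces the SGACLs it downloads from ISE
cts sxp enable
cts sxp default source-ip 10.1.1.1
cts sxp default password 0 EXAMPLE-SXP-KEY
cts sxp connection peer 10.1.1.2 password default mode local listener
cts role-based enforcement
!
! Verify on the listener that the peering is up and bindings arrived:
! show cts sxp connections
! show cts role-based sgt-map all
```

If `show cts role-based sgt-map all` on the listener shows no SXP-learned entries, the bindings never left the speaker and SGACLs there will fall back to the unknown tag.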

Question 56: 

What is the role of authorization profiles in Cisco ISE policy enforcement?

A) To validate user passwords
B) To specify the actions that the NAD should apply after successful authentication
C) To generate reports
D) To assign TACACS+ command sets

Answer: B

Explanation:

Option A, “To validate user passwords,” is not the purpose of a RADIUS authorization profile. Password validation occurs during the authentication phase, where credentials are checked against an identity store such as Active Directory, LDAP, or an internal user database. Authorization profiles only come into play after authentication succeeds. Therefore, they do not handle password checks or credential validation in any form.

Option B, “To specify the actions that the NAD should apply after successful authentication,” correctly describes the true purpose of a RADIUS authorization profile. After a user or device successfully authenticates, Cisco ISE sends an authorization result to the Network Access Device (NAD). This authorization profile can include VLAN assignments, downloadable ACLs, Security Group Tags, URL redirection rules, session time limits, and other policy-based instructions. These attributes define what level of access the endpoint should receive on the network. The NAD enforces these settings in real time, allowing identity-based and context-aware access control. Authorization profiles therefore play a central role in fine-tuning access for different user groups, device types, compliance states, and security requirements.

Option C, “To generate reports,” does not reflect the function of an authorization profile. Reporting in ISE is handled by the Monitoring and Troubleshooting nodes, not by policy constructs such as authorization profiles.

Option D, “To assign TACACS+ command sets,” applies only to TACACS+ device administration policies, not to RADIUS authorization. RADIUS authorization profiles manage endpoint access control, whereas TACACS+ command sets manage administrative privileges on network devices.

These explanations make it clear that authorization profiles control post-authentication access behavior, not passwords, reports, or TACACS+ permissions.

Question 57: 

What occurs when an IP phone authenticates using MAB before a connected PC authenticates using 802.1X?

A) The phone blocks PC traffic
B) The switch places the phone in the voice VLAN and waits for 802.1X from the PC
C) The PC is forced into guest mode
D) The phone is reauthenticated when the PC connects

Answer: B

Explanation:

Option A, “The phone blocks PC traffic,” is not what occurs in a typical IP phone and PC daisy-chain setup. An IP phone includes an internal switch port that forwards the PC’s traffic to the upstream switch. It does not filter or block the PC’s Ethernet frames under normal operation. Phones do not provide access control for connected PCs; that responsibility belongs to the network access switch. Therefore, this option does not accurately describe standard behavior.

Option B, “The switch places the phone in the voice VLAN and waits for 802.1X from the PC,” correctly reflects how most enterprise networks handle daisy-chained devices. The IP phone is identified either through CDP/LLDP or via device profiling and is assigned to the voice VLAN automatically. The PC connected behind the phone is treated as a separate endpoint with its own authentication requirements. The switch waits for 802.1X authentication from the PC, or falls back on MAB or another policy if the PC does not support 802.1X. In this scenario, the phone and PC each receive their own network policies, even though they share the same physical cable.

Option C, “The PC is forced into guest mode,” is not standard behavior. A PC behind a phone is not automatically considered a guest. Its access depends on its authentication method and credentials. If it fails authentication, it may be placed into a restricted or guest VLAN, but this only happens when policies dictate it—not simply because it is behind a phone.

Option D, “The phone is reauthenticated when the PC connects,” is also incorrect. The phone maintains its own independent authentication session. Connecting a PC does not trigger the phone to reauthenticate. The PC’s arrival may trigger a new session for the PC, but the phone’s session remains unaffected.

These explanations show that the correct and expected behavior is that the switch assigns the phone to the voice VLAN and separately waits for the PC’s authentication.
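The port behaviour described above, as an added Cisco IOS switch-port example (not from the page): multi-domain host mode lets the phone and the PC hold separate sessions on one port, 802.1X is tried first and MAB is the fallback. The interface name and VLAN numbers are constructed placeholders.

```cisco
! Added example, not from the page: access port for a daisy-chained
! IP phone and PC on a Cisco IOS switch. Interface name and VLAN numbers
! are constructed placeholders.
interface GigabitEthernet1/0/10
 description Phone with PC behind it
 switchport mode access
 ! Data VLAN for the PC; the phone is steered into the voice VLAN
 switchport access vlan 10
 switchport voice vlan 100
 ! One voice-domain and one data-domain session on the same port,
 ! each authenticated and authorized independently
 authentication host-mode multi-domain
 ! Try 802.1X first; fall back to MAB for non-supplicant devices
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! Re-authenticate on the Session-Timeout ISE returns, so the phone's
 ! and the PC's sessions age out independently
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! Verify that both sessions coexist (phone in the VOICE domain,
! PC in the DATA domain):
! show authentication sessions interface GigabitEthernet1/0/10 details
```

For the switch to put the MAB-authenticated phone into the voice domain, the ISE authorization profile returned for the phone must carry the Cisco AV pair `device-traffic-class=voice` (the Voice Domain Permission setting in the profile); without it the phone is treated as a data-domain device.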

Question 58:

Which posture assessment condition can Cisco ISE validate on an endpoint using the AnyConnect agent?

A) Router firmware version
B) Antivirus status and definition age
C) WLAN controller CPU usage
D) TACACS+ command history

Answer: B

Explanation:

Option A, “Router firmware version,” is not part of endpoint posture assessment. Posture checks focus on the security health of the endpoint itself, such as laptops, desktops, and mobile devices, not the infrastructure devices like routers or switches. Firmware version checks belong to network device management, not endpoint compliance evaluation.

Option B, “Antivirus status and definition age,” accurately represents a core element of posture assessment. Posture systems such as Cisco ISE with AnyConnect or the Secure Client posture module evaluate whether an antivirus product is installed, enabled, running up-to-date definitions, and actively providing protection. Many organizations require endpoints to have current antivirus signatures before granting full network access. Posture assessment may also verify real-time scanning, engine version, last update time, and product status. If the antivirus is outdated or disabled, the endpoint may be placed into a remediation network until it meets policy requirements. This makes antivirus status one of the most common and important posture-check parameters.

Option C, “WLAN controller CPU usage,” is completely unrelated to endpoint posture. CPU usage metrics relate to infrastructure performance monitoring and have nothing to do with validating the security health of a connecting endpoint. Posture checks do not evaluate network device load or operational conditions.

Option D, “TACACS+ command history,” pertains to administrative access logs for network devices. TACACS+ records which commands network administrators execute, serving auditing and compliance functions for device management. This information is not used for endpoint posture evaluation, as posture focuses solely on endpoint security conditions, not administrative behavior on infrastructure devices.

These explanations clarify that antivirus status and signature age are key posture elements, while the other options fall outside the scope of endpoint compliance checks.

Question 59:

What must be configured if Cisco ISE is expected to authenticate users stored in an external LDAP directory?

A) RADIUS only
B) LDAP identity source with appropriate DNs and attribute mappings
C) TACACS+ profiles
D) DHCP relay

Answer: B

Explanation:

Option A, “RADIUS only,” does not accurately describe how Cisco ISE integrates with Active Directory (AD). While RADIUS is the protocol used for authenticating endpoints during network access, RADIUS alone does not provide ISE with the directory structure, group membership information, or identity lookups needed for user authentication against AD. To authenticate users using AD credentials, ISE must join the Active Directory domain directly, not simply rely on RADIUS.

Option B, “LDAP identity source with appropriate DNs and attribute mappings,” reflects the correct concept but is incomplete when referring specifically to Microsoft Active Directory integration. LDAP can be used as an identity source in ISE for generic directory services, but AD integration is handled through a native AD join, not a generic LDAP configuration. In other words, while LDAP DNs and attribute mappings are typical when integrating with non-AD LDAP servers, Cisco ISE uses a dedicated AD connector that provides richer capabilities such as machine authentication, password change support, group retrieval, and Kerberos-based interactions. However, among the provided options, this is the closest to describing a directory-based identity integration.

Option C, “TACACS+ profiles,” has nothing to do with integrating ISE with AD. TACACS+ is used strictly for administrative access control to network devices such as routers, switches, and firewalls. TACACS+ profiles define command permissions and device administration policies. They cannot be used to authenticate users or devices against Active Directory.

Option D, “DHCP relay,” is unrelated to identity services. DHCP relay forwards DHCP requests across subnet boundaries so clients can obtain IP addresses from a centralized DHCP server. It does not provide any authentication, identity lookup, or directory integration capabilities. DHCP relay plays no role in connecting Cisco ISE to AD or any identity store.

These explanations show that integration with a directory service requires directory-specific configurations, not TACACS+, DHCP, or RADIUS alone.

Question 60:

What occurs when Cisco ISE determines that an endpoint has completed successful remediation in posture workflow?

A) The endpoint is assigned a compliant authorization profile
B) The endpoint is disconnected permanently
C) Posture is disabled
D) The endpoint is moved to the guest VLAN

Answer: A

Explanation:

Option A, “The endpoint is assigned a compliant authorization profile,” describes the expected and correct behavior when an endpoint passes all required posture checks. In a posture-enabled environment, Cisco ISE evaluates the device for compliance with security requirements such as antivirus status, operating system patches, firewall settings, or specific software installations. Once the endpoint meets all these requirements, ISE updates the session state to compliant and sends a Change of Authorization (CoA) to the switch or wireless controller. The NAD then applies a new authorization profile that typically grants full or production network access. This may include assigning a production VLAN, removing redirect ACLs, or applying the correct Security Group Tag. This is the intended workflow in posture-based network access control.

Option B, “The endpoint is disconnected permanently,” is not accurate. Passing posture checks leads to improved access, not disconnection. Endpoints may be temporarily disconnected during certain CoA actions, but never permanently removed from the network simply for passing posture validation.

Option C, “Posture is disabled,” is incorrect. Posture assessment does not disable itself after the endpoint becomes compliant. The endpoint remains in a compliant posture state, and posture may periodically re-check depending on configuration. Compliance does not turn off posture enforcement.

Option D, “The endpoint is moved to the guest VLAN,” contradicts posture logic. A compliant device is considered trusted, so placing it in a guest VLAN would be counterproductive. Guest VLANs are used for unauthenticated or unknown endpoints, not for compliant ones.

These explanations make clear that successful posture validation results in assignment of the compliant authorization profile, giving the endpoint full or enhanced network access.
