Cisco 300-715 Implementing and Configuring Cisco Identity Services Engine (300-715 SISE) Exam Dumps and Practice Test Questions Set 6 101-120


Question 101: 

How does Cisco ISE determine the appropriate authorization result when an endpoint successfully authenticates using EAP-TLS, but its device certificate contains Organizational Unit (OU) attributes that map to a restricted access policy?

A) Cisco ISE ignores the certificate OU and applies the default permit rule
B) Cisco ISE evaluates the OU field as an authorization condition and may assign restricted access accordingly
C) Cisco ISE bypasses authorization when OU fields are present
D) Cisco ISE forces the device into MAB mode for further evaluation

Answer: B

Explanation:

Cisco ISE uses both authentication and authorization to determine network access levels. During EAP-TLS authentication, the certificate serves two major purposes: validating the identity cryptographically and providing identity attributes that may be used in authorization. Certificates include fields such as Common Name (CN), Subject Alternative Name (SAN), and Organizational Unit (OU). These fields can be leveraged by Cisco ISE to enforce granular access policies. Many organizations use OU fields to differentiate corporate laptops, IT-managed mobile devices, contractors, and specialized systems such as point-of-sale terminals or restricted administrative devices.

Option B is correct because Cisco ISE can parse OU fields from the device certificate and use them as match conditions within authorization policies. For example, suppose the certificate OU includes “Contractor-Limited,” “Guest-Device,” or “Restricted-Operations.” In that case, ISE can map the device into specific identity groups or apply restricted access requirements. Even though authentication is successful — meaning the certificate is valid and trusted — authorization remains a separate evaluation that determines what level of network access is appropriate. A device may be cryptographically trusted but still intentionally restricted due to its classification.

Option A is incorrect because ISE does not ignore OU fields when configured to use certificate attributes for policy mapping. Ignoring OU values would undermine the granularity of certificate-based access control.

Option C is incorrect because authorization always follows authentication. The presence of OU fields does not bypass that process.

Option D is incorrect because ISE does not switch to MAB after a successful EAP-TLS exchange. MAB is a fallback the switch attempts on its own when no supplicant answers EAPOL (an 802.1X timeout) or, only if the port is configured with authentication event fail action next-method, after an 802.1X failure; ISE cannot force a port into MAB.

ISE’s ability to use certificate attributes during authorization is essential for Zero Trust policies, ensuring that not all authenticated devices are treated equally. Certificates validate identity, but OU fields dictate the level of trust and associated permissions. This layered security approach ensures that high-risk or limited-trust devices do not gain unnecessary access even though their authentication succeeds. Therefore, B is correct.

Question 102: 

What happens when an endpoint connects to a switch port configured for Cisco ISE Closed Mode, but the device fails both 802.1X and MAB authentication attempts?

A) The switch automatically grants limited access
B) The switch blocks all traffic except EAPOL and necessary control-plane frames
C) Cisco ISE assigns a guest portal redirect
D) The switch moves the port into spanning-tree blocking mode

Answer: B

Explanation:

Closed Mode is the strictest of the three Cisco ISE deployment modes (Monitor Mode, Low-Impact Mode, Closed Mode). In this model the switch port remains in the unauthorized state until a RADIUS Access-Accept is received. Before that, the port accepts only EAPOL frames for 802.1X and the switch's own control-plane protocols (CDP, LLDP, STP); DHCP, ARP and every other endpoint frame are dropped. Letting DHCP, DNS or other selected traffic through before authentication is precisely what distinguishes Low-Impact Mode, which pairs a pre-authentication port ACL with the authentication open command. No user or endpoint traffic is permitted in Closed Mode unless authentication succeeds.

Option B is correct because in Cisco ISE Closed Mode, if both 802.1X and MAB fail, the port remains unauthorized, effectively blocking all user-generated IP traffic. The endpoint cannot access DHCP, DNS, internal networks, or internet resources. This behavior is by design: Closed Mode enforces a default-deny policy, ensuring that unmanaged, rogue, or unauthorized devices cannot communicate on the network under any circumstances. This aligns with Zero Trust NAC principles.

Option A is incorrect because Closed Mode grants nothing before authorization. Limited pre-authentication access is the behavior of Low-Impact Mode (a pre-auth port ACL plus authentication open), and unrestricted access regardless of the authentication result is the behavior of Monitor Mode.

Option C is incorrect because a guest redirect is delivered inside an Access-Accept that carries the url-redirect and url-redirect-acl attributes; guest flows depend on a MAB rule that is configured to continue when the MAC address is unknown rather than reject it. If both 802.1X and MAB end in an Access-Reject, there is no accepted session for ISE to redirect.

Option D is incorrect because spanning-tree blocking is unrelated to NAC and does not activate due to authentication failure.

Closed Mode is frequently used in highly secure environments such as finance, defense, and healthcare, where no unknown device should ever receive connectivity. The strict behavior ensures that the only devices communicating are those that authenticate successfully. This makes B the correct and accurate answer.
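The port-side configuration that produces the Closed Mode behavior described above, as an added example that is not part of the original page. The PSN address 10.1.1.10, the shared secret placeholder, the server-group name ISE-RADIUS and the interface numbers are assumptions. The Low-Impact contrast at the end is commented out so that only the Closed Mode port is active if the fragment is pasted as-is.

```cisco
! --- Global AAA / RADIUS (assumed PSN 10.1.1.10; replace the key) ---
aaa new-model
radius server ISE-PSN1
 address ipv4 10.1.1.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
aaa group server radius ISE-RADIUS
 server name ISE-PSN1
aaa authentication dot1x default group ISE-RADIUS
aaa authorization network default group ISE-RADIUS
aaa accounting dot1x default start-stop group ISE-RADIUS
dot1x system-auth-control
!
! --- Closed Mode access port: there is no "authentication open", so nothing but
!     EAPOL (plus CDP/LLDP/STP control frames) passes until ISE returns Access-Accept ---
interface GigabitEthernet1/0/10
 description Closed Mode - 802.1X first, MAB fallback
 switchport mode access
 switchport access vlan 100
 authentication host-mode single-host
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 ! tx-period 10 with max-reauth-req 2 means roughly 30 s without an EAPOL answer
 ! before the switch gives up on 802.1X and tries MAB for the MAC address
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
!
! --- Low-Impact contrast (commented out): the same port with a pre-auth ACL and
!     "authentication open" lets DHCP and DNS through before any Access-Accept ---
! ip access-list extended PRE-AUTH
!  permit udp any eq bootpc any eq bootps
!  permit udp any any eq domain
!  deny   ip  any any
! interface GigabitEthernet1/0/11
!  ip access-group PRE-AUTH in
!  authentication open
!
! --- Checks: a host that failed both methods has no Authorized session ---
! show authentication sessions interface GigabitEthernet1/0/10 details
! show dot1x interface GigabitEthernet1/0/10 details
```

The single line that turns Closed Mode into Low-Impact Mode is authentication open; the pre-auth ACL has no effect without it. After a double failure, show authentication sessions reports the session as Unauthorized (or lists nothing at all once the restrict timer expires), and ISE Live Logs show the two Access-Rejects.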

Question 103: 

How does Cisco ISE determine authorization for a VPN user when it receives RADIUS attributes from an ASA/FTD headend that include both group-policy and tunnel-group name values?

A) Cisco ISE ignores all VPN attributes and uses internal groups only
B) Cisco ISE evaluates RADIUS attributes such as Tunnel-Group-Name and Group-Policy as authorization conditions
C) Cisco ISE treats VPN authentications identically to wired 802.1X
D) Cisco ISE discards the session due to conflicting attributes

Answer: B

Explanation:

Cisco ISE can integrate with VPN headends such as Cisco ASA and Firepower Threat Defense (FTD) to authenticate remote-access VPN users. The headend includes Cisco vendor-specific attributes in the RADIUS Access-Request, notably Tunnel-Group-Name (the connection profile the user selected) and Client-Type, which ISE exposes in its Cisco-VPN3000 dictionary. In the Access-Accept, ISE in turn can return Group-Policy, Class (OU=<group-policy>), address-pool and filter attributes. Together these attributes let ISE differentiate between connection types, user classes, and levels of remote access.

Option B is correct because Cisco ISE can match authorization rules on the attributes received from the VPN headend and return the group-policy that should govern the session. For instance, remote users connecting through a “Contractor-VPN” tunnel-group can be matched on Tunnel-Group-Name and returned a restricted group-policy, while users of an employee tunnel-group are returned an “Employee-Full-Access” group-policy with more privileges; a group-policy returned by ISE overrides the tunnel-group's default. Cisco ISE can also enforce posture policies for VPN clients, ensuring that remote endpoints connecting via AnyConnect (now Cisco Secure Client) meet corporate compliance standards before full access is granted; this requires the headend to send RADIUS accounting to ISE and to accept CoA from it.

Option A is incorrect because ISE does not ignore VPN attributes. They can be used as powerful authorization differentiators.

Option C is incorrect because VPN authentication differs significantly from 802.1X and includes unique VPN attributes that wired/wireless deployments do not send.

Option D is incorrect because Cisco ISE does not discard a session for carrying several RADIUS attributes. An ASA or FTD Access-Request routinely contains multiple Cisco VSAs (tunnel-group, client type, NAS details), and ISE evaluates them together rather than treating them as a conflict.

In summary, Cisco ISE uses the incoming RADIUS attributes from VPN headends to map users into appropriate authorization policies, enabling flexible and identity-driven access control for remote workers. Therefore, B is correct.
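The ASA side of the integration described above, as an added example that is not part of the original page. It assumes an ISE PSN at 10.1.1.10, a placeholder shared secret, two connection profiles named CONTRACTOR-VPN and EMPLOYEE-VPN, and group-policies and ACL names that are invented for the example. The ISE-side condition is shown as a comment using the attribute name from the Cisco-VPN3000 dictionary.

```cisco
! --- ASA: RADIUS toward ISE, with CoA (dynamic-authorization) so posture and
!     threat-driven actions from ISE can change or drop a live VPN session ---
aaa-server ISE protocol radius
 dynamic-authorization
 interim-accounting-update periodic 1
aaa-server ISE (inside) host 10.1.1.10
 key REPLACE-WITH-SHARED-SECRET
 authentication-port 1812
 accounting-port 1813
!
! --- Restricted filter for contractors (assumed addresses) ---
access-list ACL-CONTRACTOR-RESTRICTED extended permit tcp any host 10.20.0.5 eq https
access-list ACL-CONTRACTOR-RESTRICTED extended permit udp any host 10.20.0.53 eq domain
access-list ACL-CONTRACTOR-RESTRICTED extended deny ip any any
!
group-policy GP-CONTRACTOR-RESTRICTED internal
group-policy GP-CONTRACTOR-RESTRICTED attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value ACL-CONTRACTOR-RESTRICTED
group-policy GP-EMPLOYEE-FULL internal
group-policy GP-EMPLOYEE-FULL attributes
 vpn-tunnel-protocol ssl-client ikev2
!
! --- Two connection profiles. The ASA puts the tunnel-group name in the Cisco VSA
!     Tunnel-Group-Name of every Access-Request it sends for that profile ---
tunnel-group CONTRACTOR-VPN type remote-access
tunnel-group CONTRACTOR-VPN general-attributes
 authentication-server-group ISE
 accounting-server-group ISE
 default-group-policy GP-CONTRACTOR-RESTRICTED
tunnel-group CONTRACTOR-VPN webvpn-attributes
 group-alias contractor enable
!
tunnel-group EMPLOYEE-VPN type remote-access
tunnel-group EMPLOYEE-VPN general-attributes
 authentication-server-group ISE
 accounting-server-group ISE
 default-group-policy GP-EMPLOYEE-FULL
tunnel-group EMPLOYEE-VPN webvpn-attributes
 group-alias employee enable
!
! --- ISE side (GUI, not CLI) for the contractor rule:
!     condition  Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name EQUALS CONTRACTOR-VPN
!     result     returns the group-policy (Class = OU=GP-CONTRACTOR-RESTRICTED or the
!                Group-Policy VSA); a returned group-policy overrides default-group-policy ---
!
! --- Checks on the ASA ---
! test aaa-server authentication ISE host 10.1.1.10 username jdoe password REPLACE
! show vpn-sessiondb anyconnect filter name jdoe
!   (the Group Policy column confirms what ISE returned, not the tunnel-group default)
```

The accounting-server-group line is not optional when posture or CoA is in play: ISE builds its VPN session from the accounting Start, and a CoA for a session it does not know is NAKed by the ASA.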

Question 104: 

What occurs when a profiling policy in Cisco ISE reaches 100% certainty for a device type, but the authorization policy relies on a lower-level parent endpoint group?

A) The authorization policy fails because the certainty is too high
B) Cisco ISE still allows rule matching based on parent identity groups
C) Cisco ISE resets the profiling certainty to 50%
D) The device bypasses profiling and moves directly to posture assessment

Answer: B

Explanation:

Cisco ISE’s profiling engine uses probes—DHCP, RADIUS, SNMP, HTTP, etc.—to gather endpoint attributes and match them against profiling policies. These policies form a hierarchical structure where parent groups represent broader classifications (e.g., “Printer”) and child groups represent more specific types (e.g., “HP LaserJet Printer”). When profiling reaches 100% certainty for a specific device type, it assigns the endpoint to the most specific profile available.

Option B is correct because Cisco ISE allows authorization policies to use either the specific profiling group or any of its parent groups. For example, if a device is identified with 100% certainty as “Cisco-IP-Phone,” it also belongs to the parent group “IP-Phone.” Authorization rules can reference either group and still match correctly. This design offers maximum flexibility, ensuring administrators don’t need to write overly granular or redundant rules if broader group matching is sufficient.

Option A is incorrect because high certainty helps ISE confidently classify devices, not hinder authorization.

Option C is incorrect because profiling certainty does not automatically reduce or reset unless new contradictory attributes appear.

Option D is incorrect because profiling and posture are separate workflows; achieving profiling certainty does not trigger posture.

Profiling hierarchy is essential because it gives administrators control over how broad or narrow access rules should be. Often, organizations apply uniform access rules to all printers regardless of model. Other times, certain specialized devices require unique access. The hierarchical model allows authorization policies to accommodate both broad and specific classification goals. Thus, B is the correct answer.

Question 105: 

How does Cisco ISE determine access for devices authenticating through the TEAP protocol using both machine and user credentials within the same secure tunnel?

A) Cisco ISE processes only the user credentials and ignores machine identity
B) Cisco ISE combines machine and user authentication results into a single chained decision
C) Cisco ISE assigns guest access until the user identity is received
D) Cisco ISE rejects the session because TEAP does not support chained authentication

Answer: B

Explanation:

TEAP (Tunnel Extensible Authentication Protocol) was developed to provide more advanced capabilities than EAP-FAST, particularly around chained authentication. Chained authentication allows Cisco ISE to validate both the machine identity and the user identity in one secure tunnel. This is extremely useful for organizations requiring stronger verification that the user is logging in from a trusted device. TEAP is supported by Windows 10/11 native supplicants, Cisco AnyConnect, and other modern supplicants.

Option B is correct because TEAP performs both machine and user authentication within the same protected tunnel. Cisco ISE can combine these results and evaluate authorization rules based on both identities. For example, ISE can grant full employee access only when both machine and user authentication succeed. If only machine authentication succeeds, ISE may grant limited pre-logon access. If only user authentication succeeds but the device is not a trusted domain-joined machine, ISE may assign BYOD-restricted access.

Option A is incorrect because TEAP explicitly supports chained authentication; ignoring machine identity defeats the purpose.

Option C is incorrect because guest access is unrelated to TEAP workflows.

Option D is incorrect because TEAP was specifically designed for chained authentication improvement.

The ability to unify machine and user identity ensures that organizations can enforce Zero Trust NAC principles by verifying both the device and the user before granting full privileges. Therefore, B is correct.

Question 106: 

What happens when a switch receives a Cisco ISE downloadable ACL (dACL) update through RADIUS CoA during an active session?

A) The switch ignores the new ACL until reauthentication
B) The switch immediately replaces the existing ACL with the new dACL and enforces updated permissions
C) The switch applies both ACLs simultaneously and merges their entries
D) The switch disconnects the endpoint and requires a manual reconnect

Answer: B

Explanation:

The question specifies that the update arrives through RADIUS Change of Authorization (CoA), and that detail decides the answer. A switch reevaluates a session's authorization only when something tells it to: a reauthentication, or a CoA from ISE. If an administrator edits the dACL or the authorization policy in ISE and no CoA is issued, the switch keeps the ACL it already installed until the session reauthenticates; that is the situation Option A describes, and it is the reason ISE prompts to send a CoA when a change affects live sessions.

Option B is correct because a CoA forces the switch to act on the new authorization immediately. With CoA-Reauth the switch reauthenticates the session, receives a new Access-Accept that names the new dACL, downloads the ACL content from ISE, and installs it on the session; with CoA-Push the new attributes are applied directly. In both cases the old dACL is removed and the new one enforced without waiting for the reauthentication timer. Two prerequisites on the switch decide whether this works: it must accept CoA from the ISE PSNs (aaa server radius dynamic-author with the correct shared key), and it must run IP device tracking so the dACL's source entries can be bound to the endpoint's IP address. Without the first the CoA is NAKed; without the second the dACL fails to apply.

Option C is incorrect because only one dACL is active on a session at a time. The switch does not merge ACLs from successive authorizations, since combining rules of different origins would produce unpredictable results; the newer dACL replaces the older one.

Option D is incorrect. A CoA that changes authorization is designed to be non-disruptive. Only a Disconnect-Request (CoA-Disconnect) or a port-bounce action terminates the session, and those are sent deliberately, for example by an Adaptive Network Control policy, never as a side effect of a dACL update.
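The switch-side prerequisites for a dACL to be installed and replaced through CoA, as an added example that is not part of the original page; it also covers the CoA listener that the containment actions in Question 110 depend on. The PSN address, shared secret, interface and the dACL name CONTRACTOR-LIMITED are assumptions. The dACL text is shown as it would be typed into the ISE dACL editor, not as switch CLI.

```cisco
! --- CoA listener: without this the switch drops ISE's CoA-Reauth / CoA-Push /
!     Disconnect-Request, and the session keeps its old dACL until reauthentication ---
aaa server radius dynamic-author
 client 10.1.1.10 server-key REPLACE-WITH-SHARED-SECRET
 auth-type any
!
! --- A dACL is written with "any" as the source; the switch substitutes the host IP it
!     has learned, so device tracking is mandatory or the dACL fails to apply ---
ip device tracking
! IOS-XE 16.x equivalent (SISF), commented out:
! device-tracking policy IPDT-ACCESS
!  tracking enable
! interface GigabitEthernet1/0/10
!  device-tracking attach-policy IPDT-ACCESS
!
! --- Carry the endpoint IP and service type in RADIUS so the ISE session has what
!     CoA and URL redirection need ---
radius-server attribute 8 include-in-access-req
radius-server attribute 6 on-for-login-auth
radius-server vsa send authentication
!
! --- Content of the ISE dACL "CONTRACTOR-LIMITED" (ISE-side text, assumed addresses):
! permit udp any any eq domain
! permit udp any eq bootpc any eq bootps
! permit tcp any host 10.20.0.5 eq 443
! deny   ip  any 10.0.0.0 0.255.255.255
! permit ip  any any
!
! --- Checks after ISE pushes a CoA for the session ---
! show authentication sessions interface GigabitEthernet1/0/10 details
!   (the ACS ACL line changes from xACSACLx-IP-<old>-<hash> to
!    xACSACLx-IP-CONTRACTOR-LIMITED-<hash>; only one is ever listed)
! show ip access-lists
!   (the per-session copy lists the entries with the host IP in place of "any")
! show aaa servers
!   (CoA request counters increment; CoA NAKs point at a key or session-ID mismatch)
```

If the CoA counters in show aaa servers increment but the ACS ACL line does not change, the usual causes are a missing device-tracking entry for the host (the switch never learned its IP) or a dACL with a syntax error that ISE's editor did not catch; both show up in show authentication sessions as a session with no dACL applied.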

Question 107: 

How does Cisco ISE determine posture compliance for macOS and Windows devices using the AnyConnect posture module?

A) By analyzing DHCP fingerprints
B) Through local OS agent scans evaluating antivirus, firewall, updates, and system health conditions
C) By reading SNMP data
D) Through TACACS+ accounting

Answer: B

Explanation:

When determining an endpoint’s posture or security compliance, different network access control systems use a variety of mechanisms. One common method involves analyzing DHCP fingerprints. This technique inspects the DHCP request fields sent by a device when it joins the network. These fields often reveal clues about the operating system or device type based on unique combinations of DHCP options. While this helps identify the general OS family, it does not provide true posture information such as whether antivirus software is running or whether system patches are current. DHCP fingerprinting is more about device profiling than detailed health evaluation.

A more comprehensive method of posture assessment is performed through local OS agent scans. This approach uses a software agent installed directly on the endpoint to evaluate security-related conditions such as antivirus status, firewall settings, disk encryption, patch levels, and overall system health. This is the most accurate and reliable form of posture assessment because the agent has direct visibility into the operating system. Network access control platforms like Cisco ISE, Aruba ClearPass, and others typically rely on such agents to enforce posture-based access policies. This method provides real-time verification of compliance before granting or maintaining network access.

Some systems also gather information by reading SNMP data. SNMP can be helpful for profiling network-connected devices such as printers, IP phones, or infrastructure components. It allows the NAC system to query details like device type, model, firmware version, or interface statistics. However, SNMP is not generally used for posture assessment of endpoints like laptops or mobile devices because it does not provide insight into internal security conditions. It is best suited for non-user devices that cannot run agents.

TACACS+ accounting is not involved in endpoint posture assessment. TACACS+ is used primarily for authentication, authorization, and accounting of administrative access to network devices such as switches and routers. It tracks what commands administrators execute but provides no visibility into endpoint operating systems or security posture. Consequently, it has no role in evaluating endpoint compliance in a NAC workflow.

Question 108: 

What occurs when a device undergoes successful BYOD onboarding but later attempts to connect using an expired client certificate?

A) Cisco ISE still accepts the certificate if onboarding history exists
B) Cisco ISE denies EAP-TLS authentication due to expired certificate validity
C) The device is redirected to the posture portal
D) The switch automatically falls back to MAB

Answer: B

Explanation:

When a device presents an expired certificate during EAP-TLS, Cisco ISE applies the same validation it applies to any client certificate: the chain must be trusted, the certificate must be within its validity period, and it must not be revoked if CRL or OCSP checking is configured. By default an expired certificate fails the validity check, ISE returns an Access-Reject, and the session never reaches authorization. Previous BYOD onboarding history does not override this: onboarding issued the certificate, but it does not keep an expired one alive.

One deliberate exception is worth knowing for exactly the BYOD scenario in the question. The Allowed Protocols configuration contains the option “Allow authentication of expired certificates to allow certificate renewal in Authorization Policy”. When it is enabled, ISE lets the EAP-TLS authentication succeed only so that an authorization rule can recognize the expired certificate and redirect the device to the BYOD portal for certificate renewal; that rule should grant nothing beyond the renewal redirect. Unless that option has been deliberately set, the default behavior is denial.

Redirection to a posture portal does not occur, because posture assessment runs only after a successful authentication and authorization. Falling back to MAC Authentication Bypass is not automatic either: the switch tries MAB when no supplicant answers EAPOL (an 802.1X timeout), and an 802.1X Access-Reject leads to MAB only if the port is configured with authentication event fail action next-method, in which case the device obtains no more than whatever the MAB rules grant an unknown MAC address. Therefore, when an endpoint presents an expired certificate during EAP-TLS, the expected outcome is that Cisco ISE denies the authentication outright and the device does not gain access through 802.1X.

Question 109: 

Which Cisco ISE enforcement method is most appropriate for restricting IoT devices with limited capabilities such as printers or cameras?

A) EAP-TLS
B) MAC Authentication Bypass with profiling-based authorization
C) TACACS+
D) SAML-based SSO

Answer: B

Explanation:

Among the options provided, only one method is commonly used to identify and authorize non-user devices such as printers, IP phones, cameras, and IoT endpoints.

EAP-TLS is a certificate-based authentication method typically used for fully managed user devices like laptops, desktops, and mobile devices. These devices have supplicants capable of handling 802.1X exchanges and storing certificates. However, most non-user or headless devices do not support 802.1X or certificate-based authentication, which makes EAP-TLS impractical for this category.

MAC Authentication Bypass, combined with profiling-based authorization, is widely used for non-user devices. Many IoT or embedded devices cannot run supplicants, cannot store certificates, and do not support interactive authentication. In these situations, the switch falls back to MAB, identifying the device by its MAC address. Cisco ISE or another NAC platform then uses profiling methods—such as DHCP fingerprinting, CDP/LLDP information, SNMP queries, TCP/UDP behavior, or OUI lookups—to determine the device type. Based on the profile, the system assigns the appropriate authorization, such as a restricted VLAN, ACL, or Security Group Tag. This approach is specifically designed for non-user endpoints that are simple, static, and often unmanaged.

TACACS+ is unrelated to endpoint authentication. It is used for administrative login to network infrastructure devices like switches, routers, and firewalls. It does not authenticate endpoints on access ports and plays no role in identifying IoT or headless devices.

SAML-based SSO is a method used for web-based authentication to cloud applications. It is associated with identity federation for user logins and cannot be used for network-level device authentication, especially not for non-user hardware.

Therefore, the correct method for authenticating non-user devices is MAC Authentication Bypass with profiling-based authorization.
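The access-switch configuration that feeds the profiling data described above to ISE, as an added example that is not part of the original page. Device Sensor packages the CDP, LLDP and DHCP attributes the switch already sees into RADIUS accounting, so the RADIUS probe on the PSN can classify a MAB-only printer or camera without SPAN or DHCP relay. The interface number, VLAN and filter-list names are assumptions; the RADIUS server and accounting method list are assumed to exist already.

```cisco
! --- Device Sensor needs the protocols running and DHCP snooping to see the client options ---
cdp run
lldp run
ip dhcp snooping
ip dhcp snooping vlan 100
!
! --- Pick the attributes ISE's profiler actually uses ---
device-sensor filter-list dhcp list DS-DHCP
 option name host-name
 option name requested-address
 option name parameter-request-list
 option name class-identifier
 option name client-identifier
device-sensor filter-list cdp list DS-CDP
 tlv name device-name
 tlv name address-type
 tlv name capabilities-type
 tlv name platform-type
device-sensor filter-list lldp list DS-LLDP
 tlv name system-name
 tlv name system-description
 tlv name system-capabilities
device-sensor filter-spec dhcp include list DS-DHCP
device-sensor filter-spec cdp include list DS-CDP
device-sensor filter-spec lldp include list DS-LLDP
!
! --- Send them to ISE in accounting and re-send whenever they change ---
device-sensor accounting
device-sensor notify all-changes
radius-server vsa send accounting
!
! --- Port for a headless device: go straight to MAB, no 802.1X wait ---
interface GigabitEthernet1/0/30
 description Printer - MAB with profiling-based authorization
 switchport mode access
 switchport access vlan 100
 authentication host-mode single-host
 authentication order mab
 authentication priority mab
 authentication port-control auto
 authentication violation restrict
 mab
 spanning-tree portfast
!
! --- Checks ---
! show device-sensor cache interface GigabitEthernet1/0/30
!   (the CDP/LLDP/DHCP values the switch has collected for the MAC)
! show authentication sessions interface GigabitEthernet1/0/30 details
!   (MAB session; the dACL/VLAN reflects the profile ISE assigned)
```

On the ISE side the RADIUS probe must be enabled on the PSN that receives this switch's accounting, or the attributes arrive and are discarded. The ordering "mab" alone is appropriate only for ports that never host a supplicant; a mixed port should keep dot1x first and rely on the 802.1X timeout to reach MAB.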

Question 110: 

How does Cisco ISE determine whether a session should be terminated when receiving threat intelligence from pxGrid-integrated systems such as Cisco Secure Endpoint or Firepower?

A) ISE ignores external threat data
B) ISE evaluates threat severity and applies adaptive network control policies such as CoA-Disconnect
C) ISE shuts down the network switch
D) ISE requires manual approval for all threat actions

Answer: B

Explanation:

When Cisco ISE receives external threat intelligence from systems such as Cisco Secure Network Analytics (Stealthwatch), Firepower, Secure Endpoint (formerly AMP for Endpoints), or other pxGrid-integrated tools, it uses this information to dynamically adjust network access based on risk: Threat-Centric NAC ingests threat and vulnerability scores as session attributes that authorization rules can match, and Adaptive Network Control (ANC) provides the enforcement actions. ISE does not ignore this data; it is one of the key inputs of adaptive control. When a connected security platform reports that a device is compromised, infected, or behaving maliciously, ISE evaluates the severity of the alert and takes the policy action the configured authorization rules prescribe. This typically means a Change of Authorization such as CoA-Disconnect or CoA-Reauth, or an ANC policy (Quarantine, Port_Bounce, Shut_Down) that moves the device into a quarantine VLAN, applies a restrictive dACL, or blocks access entirely. These automated reactions let the network respond in real time without waiting for human intervention.

ISE does not shut down the entire network switch in response to a threat event. Shutting down a switch would be overly disruptive, affect unrelated devices, and is not a response mechanism ISE offers. The most severe ANC action, Shut_Down, administratively shuts only the single access port of the offending endpoint (and needs an operator to re-enable it); Quarantine and Port_Bounce are the less disruptive alternatives. The platform focuses on per-endpoint controls, so only the compromised device is affected while the rest of the network continues operating normally.

ISE also does not require manual approval before executing threat response actions. The objective of integrating threat intelligence with ISE is to automate containment and mitigation. Policies are configured in advance so the system can react immediately when a threat is detected. While administrators can review logs, alerts, or dashboards, manual approval is never required for standard threat-driven actions.

Therefore, the accurate description is that ISE evaluates the incoming threat information, determines the severity, and applies adaptive network control policies such as initiating a CoA-Disconnect or other automated containment measures.

Question 111: 

How does Cisco ISE determine authorization when an endpoint authenticates using EAP-TLS but the subject alternative name (SAN) field contains multiple identities such as UPN, email, and DNS entries?

A) ISE selects the first SAN entry and ignores all others
B) ISE can evaluate any SAN field type defined in the Certificate Authentication Profile and use it for authorization decisions
C) ISE fails authentication when multiple SAN entries exist
D) ISE converts SAN values into SGTs automatically

Answer: B

Explanation:

When Cisco ISE processes a certificate during EAP-TLS authentication, it fully parses the certificate’s Subject Alternative Name (SAN) fields. ISE does not limit itself to only the first SAN entry, nor does it fail simply because multiple SAN values are present. In fact, having multiple SAN entries is extremely common in modern certificates, especially machine and user certs generated by enterprise PKIs.

ISE is capable of evaluating any SAN field type that has been configured in the Certificate Authentication Profile (CAP). Within the CAP, the administrator chooses which SAN fields to extract—such as DNS name, RFC822 email, UPN, or OtherName—and ISE uses those extracted attributes for identity mapping and authorization decisions. This gives administrators flexibility to build policies based on UPN values, email addresses, device identifiers, or other certificate-based attributes. As long as the selected SAN field exists and matches the expected format, ISE can use it without issue.

ISE does not fail authentication simply because multiple SAN entries exist. It will only fail if the required SAN field is missing, does not match policy, or the certificate is otherwise invalid. The presence of multiple SAN entries is normal and fully supported.

ISE also does not convert SAN values into Security Group Tags (SGTs). SGTs come from TrustSec or Scalable Group Tag policies, not from SAN parsing. Authorization rules may assign SGTs based on certificate attributes, but ISE does not transform SAN values into SGTs on its own.

Therefore, the correct understanding is that ISE can evaluate any SAN field type defined in the Certificate Authentication Profile and use it for authorization decisions.

Question 112: 

What happens when Cisco ISE receives a TACACS+ accounting stop record indicating that an administrator executed high-risk commands on a network device?

A) ISE ignores the information unless integrated with pxGrid
B) ISE can trigger adaptive network control policies, alerts, or logging depending on TACACS+ command accounting configuration
C) ISE blocks the administrator’s Active Directory account
D) ISE forces the switch to close all active sessions

Answer: B

Explanation:

TACACS+ in Cisco ISE is not only used for authentication and authorization of network device administrators but also for command accounting. Command accounting provides auditing visibility into who executed what commands and when they executed them. When ISE receives a TACACS+ accounting stop record containing high-risk or sensitive commands—such as “write erase,” “reload,” “no shutdown,” “configure terminal,” or modifications to critical routing/security configurations—it evaluates this information for further action.

Option B is correct because Cisco ISE can log the activity (Operations > TACACS > Live Logs and the TACACS command accounting report), send syslog notifications, forward the event to SIEM tools, and, when a SIEM or SOAR that consumes those records is integrated with ISE over pxGrid, trigger adaptive network control (ANC) actions against the administrator's endpoint. ANC itself is an endpoint enforcement mechanism, so TACACS+ command accounting events feed broader security monitoring workflows rather than driving ANC directly. For example, an administrator executing unauthorized commands may be the first sign of a compromised account, and SIEM tools can correlate ISE TACACS+ data with other logs to detect insider threats.

Option A is incorrect because ISE does not ignore high-risk command logs; they are stored centrally and can trigger alerts.

Option C is incorrect because ISE does not directly modify AD accounts.

Option D is incorrect because TACACS+ accounting does not force the closure of all active network sessions.

Cisco ISE’s TACACS+ capabilities ensure accountability for administrative actions. By logging and exporting accounting records, organizations maintain detailed audit trails required for compliance, forensic analysis, and security monitoring. Therefore, B is the correct answer.
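The network-device side of the command accounting described above, as an added example that is not part of the original page. It shows the AAA configuration that makes every privileged command arrive at ISE as its own TACACS+ accounting STOP record, with local fallback so administrators are not locked out when ISE is unreachable. The ISE address, shared secret, source interface and the fallback username are assumptions.

```cisco
! --- Device administration via ISE TACACS+ ---
aaa new-model
tacacs server ISE-TAC1
 address ipv4 10.1.1.20
 key REPLACE-WITH-SHARED-SECRET
 timeout 5
aaa group server tacacs+ ISE-TACACS
 server name ISE-TAC1
ip tacacs source-interface Vlan10
!
! --- Authentication and authorization: ISE first, local only if ISE is unreachable ---
aaa authentication login default group ISE-TACACS local
aaa authentication enable default group ISE-TACACS enable
aaa authorization exec default group ISE-TACACS local
aaa authorization commands 1 default group ISE-TACACS local
aaa authorization commands 15 default group ISE-TACACS local
! without this line, commands typed in configuration mode bypass command authorization
aaa authorization config-commands
!
! --- Accounting: exec sessions are bracketed by START/STOP; command accounting is
!     stop-only by design, so each command ("reload", "write erase", ...) is one STOP
!     record carrying the command text, the user and the timestamp ---
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 1 default stop-only group ISE-TACACS
aaa accounting commands 15 default stop-only group ISE-TACACS
!
! --- Local fallback account, consulted only when every TACACS+ server is dead ---
username admin-fallback privilege 15 secret REPLACE-WITH-STRONG-SECRET
!
line vty 0 15
 transport input ssh
!
! --- Checks ---
! show tacacs
!   (per-server request/response counters; a rising failure count means records are lost)
! debug tacacs accounting
!   (shows the STOP record for each command leaving the device)
```

Two details matter for the forensic value of these records: the "local" keyword at the end of the method lists means authorization falls back to local privilege levels only when ISE is dead, not when ISE rejects a command, and commands issued while ISE is unreachable generate no accounting at all, so a TACACS+ outage should itself be alerted on.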

Question 113:

How does Cisco ISE evaluate policy for endpoints connected behind an unmanaged switch or hub when the switch port operates in multi-domain authentication (MDA) mode?

A) ISE fails authentication because hubs do not support 802.1X
B) ISE treats all endpoints as a single session and cannot differentiate them
C) ISE authorizes each MAC address independently using MAB for devices behind the unmanaged hub
D) ISE automatically places the entire port into guest mode

Answer: C

Explanation:

Multi-Domain Authentication (MDA) is designed to differentiate voice and data endpoints connected to a single switch port, typically an IP phone and a workstation, and allows exactly one MAC address in each domain. Some environments nevertheless place an unmanaged switch or hub behind a single access port, often in industrial, retail, or legacy device scenarios, so several data-domain MAC addresses appear on the same port. These unmanaged devices lack 802.1X capabilities, which complicates identity-based enforcement, and the host mode configured on the upstream port determines whether the extra MAC addresses are authenticated individually or treated as a violation.

Option C is correct because Cisco ISE authorizes every MAC address it is asked about as an independent RADIUS session. The upstream switch detects multiple MAC addresses on the port; since the devices behind the hub cannot run 802.1X, the switch attempts MAB for each discovered MAC address once the 802.1X timeout expires, and ISE evaluates each MAB request separately, applying authorization based on profiling results, endpoint identity groups, or custom MAB policies. The caveat a practitioner must know is that this per-MAC behavior requires the port to allow multiple data hosts: in strict multi-domain mode a second data-domain MAC address is a security violation (handled by restrict, protect or shutdown according to authentication violation), so a port that feeds an unmanaged hub should run in multi-auth host mode, which gives every MAC address its own session while still permitting one voice device. Per-host VLAN assignment is not possible on such a port; hosts are differentiated with dACLs or SGTs instead.

Option A is incorrect because, although hubs cannot run 802.1X, the switch does not reject the whole port; MAB is attempted per MAC address when the host mode permits it.

Option B is incorrect because ISE does not treat them as a single session. Each MAC address becomes an independent RADIUS session.

Option D is incorrect because guest mode is only applied when explicitly matched through authorization rules, not automatically based on topologies.

This flexibility enables ISE to enforce security even in environments with legacy or unmanaged devices. Therefore, C is correct.
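The two host modes side by side, as an added example that is not part of the original page: a phone-plus-PC port in multi-domain mode and a port feeding an unmanaged hub in multi-auth mode, where each MAC address gets its own session and its own ISE authorization. Interface numbers and VLANs are assumptions; the global RADIUS and 802.1X configuration is assumed to exist.

```cisco
! --- Port A: IP phone + one PC. multi-domain = one MAC in the VOICE domain and one
!     in the DATA domain; a second data MAC is a security violation ---
interface GigabitEthernet1/0/20
 description Phone + PC (multi-domain)
 switchport mode access
 switchport access vlan 100
 switchport voice vlan 200
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! restrict: keep the port up, drop the violating MAC, log it (shutdown would err-disable)
 authentication violation restrict
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! --- Port B: unmanaged hub/switch downstream. multi-auth = every MAC is authenticated
!     separately (802.1X or MAB) and authorized by ISE on its own; one voice device allowed ---
interface GigabitEthernet1/0/21
 description Unmanaged hub (multi-auth)
 switchport mode access
 switchport access vlan 100
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! multi-auth limits: all data hosts share the port's VLAN (a second host authorized
! into a different VLAN is rejected), so use dACLs or SGTs to differentiate them.
! multi-host (not shown) authenticates only the first MAC and admits all others
! for free, which defeats per-device control and is the wrong choice behind a hub.
!
! --- Checks ---
! show authentication sessions interface GigabitEthernet1/0/21
!   (one line per MAC, each with its own method and status)
! show authentication sessions interface GigabitEthernet1/0/20
!   (at most one DATA and one VOICE entry; extra data MACs appear as violations)
! show authentication sessions interface GigabitEthernet1/0/20 details
!   (shows the domain, method and the dACL or VLAN ISE returned for each session)
```

If a third device behind port A shows up in the logs as a "security violation" rather than as a MAB attempt, the host mode is the cause, not ISE; changing the port to multi-auth is what makes the per-MAC evaluation described in Option C happen.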

Question 114:

How does Cisco ISE process posture compliance when an endpoint completes mandatory remediation but later disables a required security control such as antivirus protection?

A) ISE maintains the compliant state permanently
B) ISE reevaluates posture through periodic posture checks and reassigns restricted authorization if non-compliant
C) ISE immediately deletes the endpoint from its database
D) ISE forces a full redirect to the BYOD onboarding portal

Answer: B

Explanation:

Posture compliance is a dynamic process. After an endpoint initially performs remediation (installing patches, enabling the firewall, updating antivirus), Cisco ISE maintains compliance through Periodic Reassessment (PRA), configured under Posture > Reassessments with an interval and an enforcement action (Continue, Logoff or Remediate) per identity group. PRA is carried out by the persistent AnyConnect/Secure Client ISE posture agent on that timer; the non-persistent Temporal Agent does not support PRA, so endpoints using it are checked only when they connect. Compliance is not assumed indefinitely; it must be continuously validated.

Option B is correct because Cisco ISE periodically reevaluates posture. If an endpoint disables or loses compliance for a required control (for example, antivirus gets disabled), ISE detects this on the next posture validation cycle. ISE then triggers a Change of Authorization (CoA) to assign a restricted authorization profile such as a quarantine VLAN, remediation dACL, or limited internet-only access. This ensures that endpoints remain compliant throughout their entire session.

Option A is incorrect because compliance is never permanent.

Option C is incorrect because ISE does not delete endpoints simply for posture changes; it applies policy.

Option D is incorrect because the BYOD portal is not part of the posture workflow.

Continuous posture monitoring ensures that security is maintained, not just granted once. This adaptive security model is core to Cisco ISE. Thus, B is the correct answer.
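The switch-side pieces that the posture flow in Questions 107 and 114 relies on, as an added example that is not part of the original page: the redirect ACL that steers an Unknown or NonCompliant endpoint to the posture portal, and the checks that show a CoA-driven change after a failed reassessment. The PSN address, ACL name and interface are assumptions; the ISE authorization profile contents are described in comments, not as switch CLI.

```cisco
! --- URL redirection is performed by the switch's own web server ---
ip http server
ip http secure-server
!
! --- Redirect ACL named by ISE in url-redirect-acl. Semantics are inverted relative
!     to a filtering ACL: "permit" = intercept and redirect to the PSN,
!     "deny" = leave alone (the dACL or port ACL decides) ---
ip access-list extended ACL-POSTURE-REDIRECT
 remark never redirect DHCP, DNS or traffic to the PSN: the agent needs them
 deny   udp any eq bootpc any eq bootps
 deny   udp any any eq domain
 deny   ip  any host 10.1.1.10
 remark everything else on 80/443 is intercepted and sent to the posture portal
 permit tcp any any eq www
 permit tcp any any eq 443
!
! --- ISE side (GUI, not switch CLI):
!     Unknown / NonCompliant authorization profile returns
!       cisco-av-pair = url-redirect-acl=ACL-POSTURE-REDIRECT
!       cisco-av-pair = url-redirect=<portal URL ISE generates for the session>
!       DACL          = POSTURE-REMEDIATION  (DHCP, DNS, the PSN and remediation servers only)
!     Compliant authorization profile returns the normal dACL and no redirect.
!     When PRA later fails, ISE marks the session NonCompliant and sends CoA-Reauth;
!     the switch reauthenticates and installs whatever the NonCompliant rule returns. ---
!
! --- Checks ---
! show authentication sessions interface GigabitEthernet1/0/10 details
!   (while NonCompliant: "URL Redirect ACL: ACL-POSTURE-REDIRECT" and a "URL Redirect:" line;
!    after the Compliant CoA both lines disappear and the ACS ACL name changes)
! show ip access-lists ACL-POSTURE-REDIRECT
!   (permit counters increment when the client browses; zero counters mean the
!    redirect ACL name in the ISE profile does not match this ACL)
```

The PSN entry in the deny list is the line most often missing: without it the agent's own HTTPS traffic to ISE is redirected to the portal, the posture scan never reports, and the endpoint stays in the redirect state indefinitely.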

Question 115: 

What occurs when a wireless client authenticates using PEAP-MSCHAPv2 but fails inner-method password validation while successfully establishing the outer TLS tunnel?

A) Cisco ISE grants partial access
B) Cisco ISE rejects the authentication because the inner method failed
C) The client is redirected to the guest portal
D) The WLC assigns the client to a random VLAN

Answer: B

Explanation:

PEAP-MSCHAPv2 uses a two-layer EAP framework. The outer layer establishes a secure TLS tunnel using server certificates, ensuring encryption of inner authentication traffic. The inner method uses MSCHAPv2 to authenticate user credentials against an identity source such as Active Directory. Even if the outer TLS tunnel is successfully established, the inner authentication must also succeed for full authentication to complete.

Option B is correct because Cisco ISE validates the user credentials inside the MSCHAPv2 exchange. If password validation fails (due to an incorrect password, expired credentials, or account lockout), ISE immediately rejects the authentication. The TLS tunnel is only a protected transport for the inner exchange; on its own it implies neither a successful authentication nor any authorization.

Option A is incorrect because partial access is not granted when authentication fails.

Option C is incorrect because guest redirection occurs only through specific authorization profiles and usually relies on MAB, not failed 802.1X attempts.

Option D is incorrect because wireless LAN controllers do not assign random VLANs for failed authentication; they enforce deny.

Understanding the difference between outer and inner methods in PEAP is crucial. The outer TLS tunnel does not guarantee authentication. Thus, B is correct.

Question 116: 

How does Cisco ISE determine access for a wired client when the switch uses Critical Auth Mode (CRITICAL-AUTH) due to RADIUS server unreachability?

A) The switch blocks all traffic
B) The switch applies a preconfigured critical authorization profile such as a limited VLAN or ACL
C) ISE maintains full access through cached results
D) The switch forces all ports to shut down

Answer: B

Explanation:

Critical Auth Mode allows network connectivity to be maintained during outages where RADIUS servers such as Cisco ISE become unreachable. Without CRITICAL-AUTH, endpoints could lose access to essential services during network or server maintenance. With CRITICAL-AUTH enabled, the switch applies a fallback authorization method.

Option B is correct because the switch applies a preconfigured critical authorization profile, which may include a limited VLAN, a restricted ACL, or a dedicated “critical” VLAN. This profile is configured on the switch itself and serves as a temporary measure until ISE becomes reachable again. Devices gain connectivity but within controlled limitations.

Option A is incorrect because CRITICAL-AUTH does not block all traffic; that would prevent operational continuity.

Option C is incorrect because cached results apply only to Caching-Based Authentication (CBA), not Critical Auth Mode.

Option D is incorrect because switches do not shut down ports due to RADIUS failure.

CRITICAL-AUTH ensures business continuity without bypassing security entirely. Thus, B is correct.
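The switch-side configuration that produces this behaviour, as an added example that is not part of the original page and is not Cisco's sample config. It uses the legacy (pre-IBNS 2.0) IOS syntax; the ISE address 10.1.1.10, the critical VLAN 900, the port Gi1/0/1 and the shared-secret placeholder are all assumed values.

```cisco
! Added example (not from the original page): legacy-style IOS switch
! configuration for Critical Auth Mode. Assumed values: ISE PSN at
! 10.1.1.10, placeholder shared secret, critical VLAN 900, port Gi1/0/1.
radius server ISE-PSN-1
 address ipv4 10.1.1.10 auth-port 1812 acct-port 1813
 key <SHARED-SECRET-PLACEHOLDER>
!
! Declare the server dead after 3 unanswered tries within 5 seconds,
! and keep it marked dead for 10 minutes before probing it again.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 ! Fallback while every RADIUS server is dead: authorize the port into
 ! the critical VLAN instead of leaving the endpoint unauthorized.
 authentication event server dead action authorize vlan 900
 ! Keep an attached IP phone working (voice VLAN) during the outage.
 authentication event server dead action authorize voice
 ! When a server answers again, re-run 802.1X/MAB so the real ISE
 ! authorization replaces the critical one.
 authentication event server alive action reinitialize
 dot1x pae authenticator
 mab
```

Two points worth checking in a real deployment: the critical VLAN is granted by the switch alone, so ISE is not consulted at all during the outage (which is why option C, cached ISE results, is wrong), and the reach of VLAN 900 must be constrained elsewhere (SVI ACL or firewall), because no dACL is applied to a critically authorized session.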

Question 117: 

How does Cisco ISE process policy decisions when a device is assigned multiple SGTs from different profiling or identity sources?

A) ISE randomly selects an SGT
B) ISE assigns only the highest-priority SGT defined in authorization policies
C) ISE applies all SGTs simultaneously
D) ISE removes all SGTs to avoid conflict

Answer: B

Explanation:

When Cisco ISE evaluates authorization rules that include Security Group Tag (SGT) assignments, it does not attempt to merge, stack, or randomly choose from multiple tags. Instead, ISE processes authorization rules in top-down order, and the first matching rule determines the final SGT assignment. Only one SGT can be applied to an endpoint session at any given time, so ISE selects the SGT associated with the highest-priority (earliest matching) rule. This ensures predictable and consistent policy enforcement.

ISE does not randomly select an SGT under any circumstances. Its policy evaluation engine is deterministic, meaning the outcome is always based on the order and conditions defined by the administrator. Applying all SGTs simultaneously is also impossible because TrustSec supports only one SGT per session. Multiple SGTs would create conflicting security contexts and are not supported by the underlying architecture.

ISE likewise does not remove all SGTs to avoid conflicts. As long as a matching authorization rule exists, ISE will assign exactly one SGT. If no rule assigns an SGT, the session simply proceeds without one, but this is not a conflict-resolution mechanism—it’s just the absence of an assignment.

Therefore, the correct interpretation is that ISE assigns only the highest-priority SGT defined in the authorization policies.

Question 118:

What happens when an endpoint passes machine authentication but fails subsequent user authentication in a dual-authentication environment?

A) The device receives full corporate access
B) The device receives limited pre-logon access until user authentication succeeds
C) The switch disables the port
D) Cisco ISE forces MAB

Answer: B

Explanation:

In deployments requiring both machine and user authentication, ISE differentiates between pre-logon and post-logon access. Machines authenticate during boot and may receive a limited access profile.

Option B is correct because failure of user authentication does not remove pre-logon access. Instead, limited connectivity remains active until proper user authentication occurs.

Option A is incorrect because full access requires both authentications.

Option C is incorrect because ports remain active.

Option D is incorrect because fallback to MAB is not triggered.

Thus, B is correct.

Question 119: 

How does Cisco ISE enforce compliance for VPN clients when posture requirements are enabled on remote-access connections?

A) ISE ignores posture for VPN
B) ISE requires posture validation before granting full tunnel access
C) VPN headends bypass ISE decisions
D) ISE forces split-tunneling

Answer: B

Explanation:

When a remote user connects through a VPN solution that integrates with Cisco ISE, posture assessment becomes an important part of ensuring the security of remote access. ISE does not ignore posture for VPN traffic. In fact, posture assessment is one of the key features used during remote-access authentication flows, especially when AnyConnect is involved. After the initial authentication and authorization, ISE determines whether the endpoint must undergo posture verification based on defined policies.

ISE often requires posture validation before granting full tunnel access. In a typical deployment, the user first establishes a VPN session, receives a limited or restricted authorization profile, and then the AnyConnect posture module evaluates the device’s compliance. This can include checking antivirus, firewall settings, disk encryption, operating system patch levels, and other endpoint security indicators. Only after the endpoint reports a compliant posture does ISE update authorization, allowing the VPN headend to grant full or unrestricted access. If the device fails posture checks, ISE can restrict access, quarantine the session, or deny connectivity depending on the configured policy.

VPN headends do not bypass ISE decisions. When integrated, devices such as ASA, FTD, or IOS-XE VPN gateways rely on ISE for authentication, authorization, and posture-based policy decisions. The headend enforces whatever authorization ISE returns, including ACLs, group policies, session restrictions, or quarantine roles.

ISE also does not force split tunneling. Split tunneling is configured on the VPN gateway and is unrelated to posture assessment. While posture status may influence tunnel group or ACL assignment, it does not change whether traffic is split or full-tunnel unless the administrator explicitly designs policy that way.

Therefore, the correct behavior is that ISE requires posture validation before granting full tunnel access.
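The headend side of the flow described above, as an added example that is not from the original page or from Cisco's documentation. It shows an ASA remote-access tunnel group pointed at ISE with RADIUS Change of Authorization enabled, which is the piece that lets ISE move a session from a restricted pre-posture state to full access. The ISE address 10.1.1.10 on the inside interface, the tunnel-group name RA-VPN and the shared-secret placeholder are assumed; the ISE authorization profiles themselves are built in the ISE GUI and are not shown.

```cisco
! Added example (not the original page's or Cisco's sample config): ASA
! remote-access headend integrated with ISE for posture-based access.
! Assumed values: ISE PSN 10.1.1.10 via the inside interface,
! tunnel-group RA-VPN, placeholder shared secret.
aaa-server ISE protocol radius
 ! Accept RADIUS CoA from ISE; without this the compliant/non-compliant
 ! posture result cannot change the live VPN session.
 dynamic-authorization
 ! Send interim accounting so ISE learns the assigned VPN address and
 ! can tie the posture report to the session it later re-authorizes.
 interim-accounting-update periodic 1
aaa-server ISE (inside) host 10.1.1.10
 key <SHARED-SECRET-PLACEHOLDER>
!
tunnel-group RA-VPN general-attributes
 authentication-server-group ISE
 accounting-server-group ISE
```

With this in place the sequence matches the explanation: ISE answers the initial Access-Request with a restricted authorization (for example a downloadable ACL that permits only the ISE posture/provisioning ports and remediation servers), the AnyConnect posture module reports to ISE, and on a compliant result ISE sends a CoA that the ASA honours by applying the full-access authorization. A non-compliant result can equally be answered with a quarantine CoA or a disconnect, depending on the ISE policy.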

Question 120: 

How does Cisco ISE determine access for devices using Central Web Authentication (CWA) when the redirect ACL allows only DNS and HTTP/HTTPS to the ISE portal?

A) Devices receive unrestricted network access
B) Devices gain only enough access to reach the portal until authentication completes
C) Devices bypass CWA
D) Devices authenticate with EAP-TLS automatically

Answer: B

Explanation:

During a Central Web Authentication (CWA) workflow, devices do not receive full network access immediately. Instead, they are placed into a restricted authorization state while waiting for the user to complete the web-based login process. In this stage, the switch or wireless controller grants only the minimal access needed for the endpoint to reach the redirect portal hosted by Cisco ISE. This typically includes DHCP, DNS, and HTTP/HTTPS connectivity to ISE’s portal, while all other resources remain blocked. Only after the user authenticates through the portal does ISE send a Change of Authorization (CoA) to elevate the device’s network access.

Devices do not receive unrestricted access at the start of the CWA process, because doing so would defeat the purpose of web authentication and potentially allow unauthenticated users onto the network. Likewise, devices cannot bypass CWA unless a different authorization rule matches that does not require portal-based login. CWA is an intentional redirection workflow, not something endpoints skip automatically.

Devices also do not authenticate with EAP-TLS during CWA. CWA is a web-based portal authentication method, designed for guest access or devices without 802.1X supplicants. EAP-TLS is entirely separate and used for certificate-based machine or user authentication, not for web-redirect flows.

Therefore, the correct description is that devices gain only enough access to reach the portal until authentication completes.
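The switch-side pieces of the CWA state described above, as an added example that is not from the original page and not Cisco's sample config. The ISE address 10.1.1.10 and the ACL name ACL-WEBAUTH-REDIRECT are assumed values; the classic IOS commands are shown (newer releases use `device-tracking policy` instead of `ip device tracking`).

```cisco
! Added example (not from the original page): IOS switch side of a CWA
! flow. Assumed values: ISE PSN 10.1.1.10, ACL name ACL-WEBAUTH-REDIRECT.
!
! The switch must run its HTTP(S) server to intercept the client's
! browser request and answer with the redirect, and must track the
! client's IP address to match traffic to the session.
ip http server
ip http secure-server
ip device tracking
!
! Redirect ACL. Its meaning is inverted compared with a filter ACL:
!   permit = this traffic IS intercepted and redirected to the ISE portal
!   deny   = this traffic is NOT redirected (it is left to the dACL)
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny   udp any any eq bootps
 deny   udp any any eq domain
 deny   ip any host 10.1.1.10
 permit tcp any any eq www
 permit tcp any any eq 443
!
! ISE names this ACL in the CWA authorization profile (cisco-av-pair
! url-redirect-acl=ACL-WEBAUTH-REDIRECT together with url-redirect=<portal
! URL>) and, in the same profile, pushes a downloadable ACL that is what
! actually limits the pre-authentication session, for example:
!   permit udp any any eq bootps
!   permit udp any any eq domain
!   permit ip any host 10.1.1.10
!   deny   ip any any
! Everything else is dropped until the portal login triggers a CoA.
```

The split between the two ACLs is the point to remember: the redirect ACL only decides which flows get the HTTP redirect (web traffic), while the dACL decides what the endpoint can reach at all (DHCP, DNS and the ISE portal). Forgetting the dACL leaves the endpoint with whatever the port's static ACL allows, which is option A's unrestricted access.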
