Cisco 300-715 Implementing and Configuring Cisco Identity Services Engine (300-715 SISE) Exam Dumps and Practice Test Questions Set 7 121-140


Question 121:

How does Cisco ISE determine the correct authorization result when a wired client performs successful EAP-TLS authentication but subsequently fails a required posture check such as missing OS patches or disabled firewall?

A) ISE maintains full network access due to successful authentication
B) ISE applies an authorization rule that limits access until the endpoint becomes posture compliant
C) ISE forces the device into guest onboarding
D) ISE terminates the session and blocks reauthentication

Answer: B

Explanation:

Cisco ISE uses multiple evaluation layers when determining a client’s final authorization level. Authentication determines who the device or user is, while posture determines whether the device is secure enough to receive access. A device may authenticate successfully using EAP-TLS, proving its cryptographic identity, yet still fail posture requirements if it lacks mandatory patch compliance, antivirus protection, disk encryption, or other security controls defined by the organization. This distinction is essential in Zero Trust Network Access models, where both identity and device health are needed before approving network access.

Option B is correct because Cisco ISE uses posture policy classification to reevaluate authorization after authentication. When the AnyConnect posture agent reports non-compliance, ISE reassigns the endpoint to a restricted authorization profile. This profile often includes a quarantine VLAN, a remediation ACL, or limited web access to update servers or patch repositories. ISE typically uses a Change of Authorization (CoA) to dynamically enforce this change during an active session. The device remains in restricted mode until posture revalidation succeeds.

Option A is incorrect because authentication alone is insufficient for full access in posture-enabled deployments. Once posture is configured, the posture result determines the final authorization, overriding the authentication-only outcome.

Option C is incorrect because guest onboarding workflows relate to BYOD onboarding, not posture non-compliance. Failure of posture does not shift an enterprise device into guest mode.

Option D is incorrect because ISE does not block the device permanently. Instead, posture failures are considered correctable issues, not security violations requiring total disconnection.

Cisco ISE’s posture engine allows continuous, adaptive security enforcement. Even if a device starts compliant, it may drift into non-compliance during its active session. Posture reassessments ensure that ISE dynamically enforces access changes. This approach prevents compromised or neglected devices from gaining or maintaining excessive access. With these principles in mind, option B remains the only correct and complete answer.

Question 122: 

How does Cisco ISE process authorization when an endpoint uses MAB authentication but profiling later increases identity certainty from “Unknown” to a specific IoT device type such as “IP Camera VendorX”?

A) ISE keeps the original authorization results and ignores new profiling certainty
B) ISE dynamically reevaluates authorization and assigns updated access appropriate to the new device type
C) ISE forces CoA disconnect only if the endpoint uses EAP-TLS
D) ISE deletes the endpoint session and forces full reauthentication

Answer: B

Explanation:

MAC Authentication Bypass (MAB) is commonly used for endpoints that do not support 802.1X. When a device first connects, profiling certainty may initially be low, especially if only limited attributes exist (such as MAC OUI). As more probes collect data—DHCP, HTTP, SNMP, RADIUS attributes—Cisco ISE gradually increases the certainty of the device identity. Profiling transitions such as “Unknown → Generic IP Camera → VendorX IP Camera” allow ISE to map devices into more specific endpoint groups.

Option B is correct because Cisco ISE continuously evaluates profiling results. When identity certainty increases, the endpoint may now match a different authorization rule. ISE triggers a Change of Authorization (CoA) to reapply authorization based on the updated profile. This behavior is essential for IoT security. Many IoT devices initially appear generic but require highly specific VLANs, ACLs, or TrustSec SGTs once properly identified.

Option A is incorrect because ISE does not ignore profiling changes. Profiling is intentionally designed to modify authorization dynamically.

Option C is incorrect because CoA is not limited to EAP-TLS. It applies to MAB sessions as well.

Option D is incorrect because ISE does not delete sessions. Instead, CoA updates authorization without full reauthentication.

This dynamic process ensures IoT devices do not receive excessive access before they are fully identified. Therefore, option B is correct.

Question 123:

How does Cisco ISE determine the correct policy action when an AnyConnect VPN user passes authentication but connects from a previously unseen device that has no posture assessment results available?

A) ISE grants full VPN access because identity authentication succeeded
B) ISE assigns a limited authorization profile until posture assessment is completed
C) ISE rejects the VPN connection
D) ISE bypasses posture entirely for new devices

Answer: B

Explanation:

VPN deployments integrated with Cisco ISE rely heavily on posture evaluation for endpoint security, especially when remote work environments introduce unmanaged or BYOD devices. Authentication confirms the user’s identity, but remote devices often require health assessments before joining the internal network. When a user authenticates from a device that ISE has never profiled or assessed, no posture information is available. This represents a possible security risk because unknown devices may be non-compliant or compromised.

Option B is correct because Cisco ISE applies pre-posture authorization until a posture assessment completes. The user can establish the VPN session, but their access is restricted by a remediation ACL or quarantine VLAN defined in the authorization profile. This ACL frequently allows only communication with ISE, update servers, antivirus repositories, or internal patching systems. Once the AnyConnect posture agent completes its assessment and reports compliance, ISE can send a CoA to reassign full access.

Option A is incorrect because authentication alone is insufficient in posture-enabled VPN environments.

Option C is incorrect because ISE does not reject connections simply due to missing posture data.

Option D is incorrect because posture is mandatory when configured by the organization.

This ensures that remote access remains secure even when new devices appear. Thus, B is correct.

Question 124: 

How does Cisco ISE process authorization for an endpoint when a downloadable ACL (dACL) contains too many ACE entries and exceeds the device’s memory limits?

A) ISE automatically compresses the ACL to fit
B) The switch rejects the dACL, and ISE falls back to the next applicable authorization rule or default behavior
C) The switch installs only the first half of the ACL
D) ISE forces the device into guest VLAN

Answer: B

Explanation:

Downloadable ACLs are dynamically pushed by ISE to enforcement devices. However, network switches and wireless controllers have platform-specific limitations on how many ACE entries they can store. If a dACL exceeds hardware capabilities, the switch cannot install it. The behavior that follows depends on RADIUS and enforcement device logic.

Option B is correct because the switch rejects the oversized dACL and falls back to the next available authorization behavior. This usually means the port retains its previously applied ACL, applies a fallback ACL, or uses a default VLAN assignment. Cisco ISE logs the failure in the Live Logs, which administrators can use to diagnose dACL oversizing issues.

Option A is incorrect because ISE does not automatically compress ACLs. Administrators must manually reduce ACL size.

Option C is incorrect because switches do not partially install ACLs. That would be insecure and unpredictable.

Option D is incorrect because oversized dACLs do not force guest VLAN assignment.

Thus, option B is correct.

Question 125: 

How does Cisco ISE determine the correct identity when TEAP EAP-Chaining authenticates a domain-joined laptop with machine credentials first and then user credentials afterward?

A) ISE uses only machine identity for policy
B) ISE uses only user identity for policy
C) ISE correlates both machine and user identities to form a single chained authentication decision
D) ISE rejects the login because two identities appear

Answer: C

Explanation:

TEAP supports full EAP chaining, allowing machine and user authentication to occur within the same tunnel. This is critical for ensuring that only authorized users on authorized devices receive network access.

Option C is correct because Cisco ISE correlates machine and user identities to produce one unified authorization result. For example, the machine identity is validated using its computer certificate, while the user is validated through their UPN and AD credentials. ISE evaluates both identities against policy rules that may require matching conditions such as “Domain-joined device AND valid user.” This allows organizations to assign access only when both factors succeed.

Options A and B are incorrect because using only one identity would defeat the purpose of chained authentication.

Option D is incorrect because TEAP is designed to handle dual identities.

Thus, the correct choice is C.

Question 126: 

How does Cisco ISE handle authorization when an IP phone authenticates via MAB but later sends LLDP-MED voice VLAN attributes?

A) ISE ignores LLDP-MED attributes
B) ISE updates authorization to apply voice-specific policies
C) ISE forces the phone to reauthenticate with 802.1X
D) ISE blocks the session because LLDP cannot modify policy

Answer: B

Explanation:

When a network switch receives LLDP-MED attributes from an IP phone and reports them to Cisco ISE, the system does not ignore this information. LLDP-MED attributes such as device type, capabilities, and network policy information are commonly used in profiling. Profiling allows ISE to correctly identify the endpoint as an IP phone rather than a general-purpose device. Once ISE recognizes the phone’s profile, it can update authorization accordingly.

ISE does not block the session simply because LLDP-MED information is provided. LLDP is a normal layer-2 discovery protocol, and its attributes are specifically used to help classify devices, not reject them. It also does not require the phone to reauthenticate using 802.1X unless the environment is configured for 802.1X-based voice authentication. In most deployments, voice endpoints authenticate using MAB or are assigned voice policies based on profiling alone.

The real purpose of LLDP-MED in this context is to help ISE identify the device as a voice endpoint. Once ISE confirms the profiling match, it updates the device’s authorization. This typically includes placing the phone into the voice VLAN, assigning the correct QoS settings, or applying a voice-specific authorization profile. The updated authorization ensures that the phone receives the correct network treatment for signaling and media traffic.

Therefore, the correct behavior is that ISE updates authorization to apply voice-specific policies.

Question 127: 

How does Cisco ISE determine policy for devices accessing a captive portal through Central Web Authentication (CWA) when multiple redirects are required (e.g., guest login and posture portal)?

A) ISE displays both portals at the same time
B) ISE sequences the redirects based on authorization workflow priority
C) ISE selects a random portal
D) ISE forces the device into MAB mode

Answer: B

Explanation:

When a device matches conditions that could trigger more than one web-redirect workflow, Cisco ISE does not show multiple portals at once, nor does it randomly choose which one to present. Redirects in ISE are structured and rely on the authorization policy order: ISE evaluates authorization rules from top to bottom, and the first matching rule that includes a redirect action becomes the active workflow. This ensures that the redirect sequence follows the intended priority defined by the administrator.

ISE does not force a device into MAC Authentication Bypass in this situation, because the device is already in an authenticated or partially authenticated state if it is reaching redirect logic. Additionally, displaying multiple portals simultaneously is not supported; only one redirection can be applied at a time, and combining two different workflows would cause confusion and break the expected flow.

Instead, ISE uses the configured authorization workflow priority to determine which redirect takes precedence. For example, a posture redirect might be evaluated before a guest login redirect, or an onboarding portal might be prioritized above a generic web-auth redirect. Whichever rule appears first and matches the session dictates the single redirect that the switch or controller will enforce.

Therefore, the correct behavior is that ISE sequences the redirects based on authorization workflow priority.

Question 128: 

How does Cisco ISE determine the correct posture status when the AnyConnect agent reports conflicting results between different modules (firewall enabled but antivirus disabled)?

A) ISE selects whichever result appears first
B) ISE marks the device non-compliant if any required module fails
C) ISE ignores failing modules
D) ISE allows partial authorization

Answer: B

Explanation:

When Cisco ISE evaluates posture results from the AnyConnect or other posture agents, it does not pick a result arbitrarily, nor does it allow partial authorization when required checks fail. Posture assessment is based on compliance with every required condition defined in the posture policy. If the policy specifies multiple required modules—such as antivirus, firewall status, disk encryption, patch level, or anti-malware definitions—then all of those modules must pass for the device to be considered compliant.

ISE does not ignore failing modules, because doing so would undermine the purpose of posture enforcement. Even if most modules pass, a single failed required check causes the overall posture to be marked non-compliant. Likewise, ISE does not allow partial authorization in required posture workflows. While administrators can configure different authorization profiles for non-compliant devices, these still fall under restricted or remediation access rather than full access.

ISE also does not select whichever result appears first. Posture evaluation is a structured, rule-based process, not a first-match or priority-based sequence like authorization rules.

Because of this, the correct behavior is that ISE marks the device non-compliant if any required module fails.

Question 129: 

How does Cisco ISE process authorization when a device matches two different authorization rules with identical conditions but different priorities?

A) ISE denies access
B) ISE selects the rule with the highest priority
C) ISE selects the rule with the lowest priority
D) ISE merges both rules

Answer: B

Explanation:

When two authorization rules in Cisco ISE match the same session, ISE does not deny access, merge rules, or choose randomly. Authorization rules are always evaluated from top to bottom, and the first rule that matches is the one that takes effect. This means the administrator-defined order of rules directly determines which authorization result is applied. Higher-priority rules are placed higher in the list, and once a match is found, ISE stops evaluating the remaining rules.

ISE does not select the lowest-priority rule, because lower rules would only be considered if none of the higher rules matched. Nor does ISE merge rule actions; only one authorization profile, one SGT, and one set of permissions can apply to a session. Merging would cause unpredictable or conflicting network policies and is not part of ISE’s design.

ISE also does not deny access simply because more than one rule could apply. As long as at least one valid rule matches, ISE applies the first relevant rule and allows the session according to that authorization result.

Therefore, when multiple rules match, ISE selects the authorization rule with the highest priority.

Question 130: 

How does Cisco ISE determine enforcement when pxGrid reports that a previously healthy device is now infected with high-severity malware?

A) ISE ignores pxGrid alerts
B) ISE applies adaptive network control policies such as quarantine VLAN or CoA disconnect
C) ISE restarts the switch
D) ISE grants full access for forensic analysis

Answer: B

Explanation:

When Cisco ISE receives a pxGrid alert indicating that a device is compromised or behaving maliciously, it does not ignore the alert. pxGrid integration is specifically designed to allow security tools such as Secure Network Analytics, Firepower, or endpoint protection systems to share threat information with ISE in real time. This helps the network respond quickly to security events without waiting for manual intervention.

ISE does not restart network switches in response to a pxGrid alert. Restarting a switch would cause widespread disruption, impact unrelated devices, and is not an action supported by adaptive network control. Similarly, granting full access for forensic analysis would contradict standard security practices. When a device is suspected of being compromised, increasing its access level would only increase risk and is not part of any ISE workflow.

Instead, ISE uses the alert information to trigger adaptive network control policies. Based on the severity or category of the threat, ISE can enforce actions such as placing the device into a quarantine VLAN, applying a restrictive ACL, or issuing a Change of Authorization disconnect so that the endpoint is effectively isolated from the network. These responses are automated, policy-driven, and designed to contain the threat immediately while still allowing administrators to investigate the event afterward.

Because of this, the correct behavior is that ISE applies adaptive network control policies such as quarantine VLAN assignment or a CoA disconnect when pxGrid alerts indicate a threat.

Question 131:

How does Cisco ISE determine authorization when a wireless client authenticates via EAP-TLS on a WLC, but the RADIUS attributes include both a previously assigned VLAN and a dACL returned by ISE?

A) The WLC ignores the dACL and keeps the previously assigned VLAN
B) The WLC applies both the VLAN assignment and the dACL as instructed by ISE
C) The WLC rejects the session due to conflicting authorization results
D) The WLC removes all authorization information and allows full access

Answer: B

Explanation:

When a wireless client authenticates through a Cisco Wireless LAN Controller (WLC) using EAP-TLS, Cisco ISE evaluates identity attributes, certificate profiles, and authorization policies to determine the correct enforcement action. These enforcement results may include VLAN assignments, downloadable ACLs (dACLs), URL redirections, or TrustSec Security Group Tags (SGTs). In many deployments, a wireless client may be placed into a particular VLAN upon initial authentication, but ISE may later return a dACL for more granular control.

Option B is correct because the WLC is designed to apply both VLAN and dACL attributes simultaneously. The VLAN defines layer-2 segmentation, placing the endpoint in a specific broadcast domain, while the dACL provides layer-3 and layer-4 access control. These enforcement mechanisms operate independently, and the WLC is capable of enforcing both without conflict. In fact, Cisco ISE frequently pairs VLAN assignment with dACLs for more fine-tuned network control.

Option A is incorrect because the WLC does not ignore dACLs unless the platform lacks dACL support or the dACL download fails. In such cases, fallback behavior applies, but that is not the default assumption.

Option C is incorrect because these authorization attributes are not conflicting. They complement one another, providing multiple layers of network enforcement.

Option D is incorrect because WLCs do not remove enforcement attributes and offer full access when conflicting attributes exist. Wireless controllers always enforce some form of authorization outcome.

Cisco ISE uses multiple overlapping enforcement mechanisms because modern networks require both macro-segmentation (VLANs) and micro-segmentation (dACLs). VLAN assignment alone is not sufficient for controlling access because it only segments the network into broadcast domains. dACLs are needed to enforce precise communication rules such as allowing DHCP, DNS, and select business applications while blocking lateral movement.

Because Cisco ISE is the policy decision point and the WLC is the policy enforcement point, the WLC is responsible for honoring all enforcement instructions ISE sends. Therefore, when ISE returns both a VLAN and a dACL, the WLC applies both. This layered enforcement improves security posture by combining network segmentation with explicit traffic filtering, ensuring that even authenticated devices must follow strict communication policies. For these reasons, B is the correct answer.

Question 132: 

How does Cisco ISE determine access when an endpoint initially authenticates using PEAP-MSCHAPv2, but after successful login, the session transitions into a posture-required state?

A) ISE terminates the session because posture cannot follow 802.1X
B) ISE uses CoA to apply posture-specific authorization such as quarantine VLANs or remediation ACLs
C) ISE maintains full access because authentication already succeeded
D) ISE forces the endpoint into guest mode

Answer: B

Explanation:

Posture enforcement is a dynamic process that reacts to device health rather than just identity credentials. PEAP-MSCHAPv2 authenticates user credentials inside a secure TLS tunnel, but authentication alone does not guarantee security compliance. Once authentication succeeds, Cisco ISE evaluates posture requirements to determine whether the endpoint should receive unrestricted access or be placed into a remediation or quarantine state.

Option B is correct because Cisco ISE uses Change of Authorization (CoA) to update enforcement dynamically once posture evaluation begins. PEAP authentication establishes the identity, but the posture module must verify conditions such as antivirus status, OS patches, disk encryption, firewall activation, and policy compliance. If posture is required but not yet completed, ISE assigns a posture-required authorization profile. This profile typically includes a remediation VLAN, posture dACL, or redirect ACL to force traffic to ISE’s posture portal. CoA ensures the new authorization takes immediate effect without requiring the user to reconnect.

Option A is incorrect because posture fully supports 802.1X workflows. It is a core part of Cisco ISE’s NAC architecture.

Option C is incorrect because authentication alone is insufficient when posture requirements are configured. Full access is never granted until posture validation succeeds.

Option D is incorrect because guest workflows are entirely separate from posture workflows and are not triggered by posture requirements.

Posture-required states ensure that authenticated devices cannot access sensitive resources until they demonstrate compliance. This aligns with Zero Trust principles, prioritizing device health and risk level over identity alone. The ability to dynamically switch authorization states through CoA is essential for maintaining security without disconnecting users. Thus, B is the correct answer.

Question 133: 

How does Cisco ISE determine authorization when an industrial switch forwards only LLDP, DHCP, and minimal traffic due to restricted hardware design, but requires profiling to identify PLC controllers?

A) ISE fails profiling because insufficient data is available
B) ISE relies on DHCP and CDP/LLDP attributes as primary profiling sources and can still identify industrial devices
C) ISE assigns full access until profiling succeeds
D) ISE waits for HTTP probes to classify the device correctly

Answer: B

Explanation:

Industrial devices such as PLCs (Programmable Logic Controllers) and industrial sensors often operate on hardened switches or rugged networks with limited Layer-2 and Layer-3 protocols. Industrial switches may not support standard profiling probes like HTTP or RADIUS accounting attributes, which complicates profiling in typical enterprise environments.

Option B is correct because Cisco ISE’s profiling engine uses a multi-probe architecture capable of identifying devices even when the environment restricts traffic. LLDP provides key attributes such as system capabilities and device identity, while DHCP provides fingerprinting data based on option sets and vendor identifiers. These two probes alone can often identify PLC controllers, industrial workstations, and SCADA devices. ISE correlates this data with profiling rules using rule weight and certainty scoring to reach 100% device classification.

Option A is incorrect because profiling does not fail simply because some probes are unavailable. ISE is designed to handle limited environments.

Option C is incorrect because ISE does not automatically grant full access while waiting for profiling results. Instead, it applies default or restricted authorization until classification improves.

Option D is incorrect because HTTP probes are not required and often unavailable in industrial networks.

Cisco ISE supports industrial networking environments precisely because operational technology (OT) devices rarely support 802.1X or modern protocols. Profiling using LLDP and DHCP allows ISE to apply proper segmentation, ensuring critical devices receive only the network access they require. Thus, B is correct.

Question 134: 

How does Cisco ISE determine authorization when multiple identity sources (Active Directory, LDAP, and Internal Users) return valid matches for the same username during authentication?

A) ISE randomly selects an identity source
B) ISE follows the configured Identity Source Sequence to determine which user store to prioritize
C) ISE denies authentication due to ambiguity
D) ISE merges attributes from all user stores

Answer: B

Explanation:

When multiple user stores are available in Cisco ISE, the system does not select one at random, nor does it deny authentication simply because more than one source exists. Instead, ISE uses a structured method called an Identity Source Sequence. This sequence defines the exact order in which ISE checks each identity source, such as Active Directory, LDAP directories, internal users, certificate maps, or external identity providers. ISE processes the sources in the order defined by the administrator, stopping at the first match. This ensures predictable and consistent authentication behavior, with no ambiguity about which store takes priority.

ISE also does not merge attributes from multiple user stores during authentication. Only the attributes from the matching identity source are used. Once ISE identifies the user in a particular store, it does not continue searching or combine information from other sources.

Because of this, the correct behavior is that ISE follows the configured Identity Source Sequence to determine which user store to prioritize.
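The first-match and re-evaluation behaviour described in questions 121, 122, 128, 129 and this question can be modelled in a few lines. The following Python is an added example, not Cisco code and not any ISE API; the identity store contents, posture checks, rule names, conditions and authorization profile names are constructed for illustration. It shows an Identity Source Sequence stopping at the first store that knows the user, posture marked non-compliant when any required check fails, top-down first-match authorization where a rule with an identical condition lower in the list is never reached, and a mid-session posture or profiling change producing a different result (the case where ISE would send a CoA).

```python
# Added example, not Cisco's code: a toy model of the evaluation behaviour the
# explanations above describe. Store contents, rule names, conditions and
# profile names are all constructed for illustration.
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    auth_method: str                    # "EAP-TLS", "PEAP", "MAB", ...
    endpoint_profile: str = "Unknown"   # profiler result, may change mid-session
    posture: str = "Unknown"            # "Unknown", "Compliant" or "NonCompliant"


# Identity Source Sequence (Q134): ordered stores; the first store holding the
# username wins and only its attributes are used. "alice" deliberately exists in
# two stores to show that the later one is never consulted.
IDENTITY_SEQUENCE = [
    ("AD",       {"alice": {"groups": ["Domain Users"]}}),
    ("LDAP",     {"alice": {"groups": ["ldap-people"]}, "bob": {"groups": ["ldap-people"]}}),
    ("Internal", {"svc-scan": {"groups": ["scanners"]}}),
]


def resolve_identity(username: str):
    """Return (store_name, attributes) from the first store that knows the user."""
    for store, users in IDENTITY_SEQUENCE:
        if username in users:
            return store, users[username]
    return None, None


# Posture (Q128): every required check must pass; a single failure is NonCompliant.
def posture_status(report: dict[str, bool], required: list[str]) -> str:
    return "Compliant" if all(report.get(check, False) for check in required) else "NonCompliant"


# Authorization policy (Q129): ordered rules, evaluated top-down, first match wins.
# Each entry is (rule name, condition, authorization profile).
AUTHZ_RULES = [
    ("VendorX cameras",        lambda s: s.endpoint_profile == "VendorX IP Camera",               "Camera-VLAN-dACL"),
    ("Corp compliant",         lambda s: s.auth_method == "EAP-TLS" and s.posture == "Compliant", "PermitAccess"),
    ("Corp posture-pending",   lambda s: s.auth_method == "EAP-TLS",                              "Quarantine-Remediation-ACL"),
    ("MAB default",            lambda s: s.auth_method == "MAB",                                  "Restricted-MAB"),
    # Identical condition, lower in the list: never reached (Q129).
    ("MAB default (shadowed)", lambda s: s.auth_method == "MAB",                                  "Restricted-MAB-Legacy"),
]
DEFAULT_PROFILE = "DenyAccess"


def authorize(session: Session) -> tuple[str, str]:
    """Return (rule name, authorization profile) of the first matching rule."""
    for name, condition, profile in AUTHZ_RULES:
        if condition(session):
            return name, profile        # stop at the first match
    return "Default", DEFAULT_PROFILE


def apply_update(session: Session, **changes) -> tuple[str, str, bool]:
    """Apply a mid-session change (posture report, profiler re-classification),
    re-run authorization and report whether the profile changed, i.e. whether a
    CoA would be needed to push the new result to the switch or WLC (Q121, Q122)."""
    _, before = authorize(session)
    for attr, value in changes.items():
        setattr(session, attr, value)
    _, after = authorize(session)
    return before, after, before != after


if __name__ == "__main__":
    # Constructed MAC address: MAB endpoint re-profiled from Unknown to a camera.
    cam = Session("00:11:22:33:44:55", "MAB")
    print(apply_update(cam, endpoint_profile="VendorX IP Camera"))
    # EAP-TLS laptop whose AnyConnect report has one failing required check.
    laptop = Session("alice", "EAP-TLS")
    report = {"firewall": True, "antivirus": False}
    print(apply_update(laptop, posture=posture_status(report, ["firewall", "antivirus"])))
```

Running the block prints the before/after profiles for the two transitions; the `True` flag on the camera re-profiling is the point at which ISE would issue a CoA, while the laptop stays in the remediation profile because "NonCompliant" and "Unknown" posture both land on the posture-pending rule.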

Question 135: 

How does Cisco ISE determine enforcement when a TrustSec-capable switch fails to download the assigned SGT from ISE during session authorization?

A) The switch applies a default SGT such as Unknown
B) The switch rejects the session
C) The switch assigns multiple fallback SGTs
D) ISE removes the device from the SGT database

Answer: A

Explanation:

When a device successfully authenticates but Cisco ISE does not return a Security Group Tag (SGT) in the authorization result, the switch does not reject the session or remove anything from the SGT database. Instead, TrustSec behavior dictates that the switch applies a default or fallback SGT, which is typically the value known as Unknown. This ensures that traffic classification still occurs even when no explicit tag is provided. The Unknown SGT is commonly used to represent unauthenticated, untagged, or unclassified traffic, and it allows policy enforcement to continue based on default TrustSec rules.

The switch does not reject the session simply because an SGT was not returned. Authentication and SGT assignment are separate processes. As long as authentication succeeds, the session remains valid even without a specific tag. Rejecting the session would disrupt normal network access, and ISE does not instruct switches to treat missing SGT information as an error condition.

Assigning multiple fallback SGTs is not possible. TrustSec architecture only allows a single SGT per session. There is no stacking or merging of tags, and switches cannot apply more than one tag at a time. The fallback mechanism therefore always resolves to a single default SGT if none is supplied by ISE.

ISE also does not remove the device from the SGT database in response to a missing SGT assignment. The database keeps mappings for endpoints and security groups but does not dynamically delete entries simply because no SGT was returned during one session.

Therefore, the correct behavior is that the switch applies a default SGT such as Unknown.

Question 136:

How does Cisco ISE handle authorization when a wired client authenticated with EAP-FAST enters a reauthentication cycle triggered by inactivity timeout?

A) ISE denies the new attempt because EAP-FAST does not support reauthentication
B) ISE processes the new authentication exactly as a fresh session and reapplies authorization policies
C) ISE keeps the old authorization profile regardless
D) ISE forces the device into MAB fallback

Answer: B

Explanation:

When a device that previously authenticated with EAP-FAST later initiates a new authentication attempt, Cisco ISE does not block or reject it. EAP-FAST fully supports reauthentication and session renewal, so there is no restriction that prevents a device from starting a new 802.1X exchange. Because of this, ISE does not deny the attempt simply because it follows a previous session.

ISE also does not keep the old authorization profile once a new authentication begins. A fresh EAP exchange replaces the existing session, meaning the previous authorization state is no longer considered authoritative. ISE evaluates the new authentication request from the beginning, checks the presented credentials, validates policies, and determines the appropriate authorization profile as if this were a completely new session. This ensures that any changes to user identity, device posture, certificates, or group membership are accurately reflected in the updated authorization result.

ISE does not force the device into MAC Authentication Bypass when a new EAP-FAST attempt occurs. MAB is only used when a device fails or does not participate in 802.1X. Since the device is actively attempting EAP-FAST, there is no reason for the switch or ISE to offer MAB as an alternative.

Therefore, when a device reauthenticates with EAP-FAST, ISE processes the new authentication as a fresh session and reapplies authorization policies accordingly.

Question 137: 

How does Cisco ISE determine policy when a device fails EAP-TLS authentication due to untrusted CA but succeeds with MAB immediately after?

A) ISE blocks the device entirely
B) ISE applies MAB authorization, which usually results in restricted access
C) ISE prioritizes 802.1X and denies MAB
D) ISE assigns full access because MAB succeeded

Answer: B

Explanation:

When a device fails 802.1X authentication, the switch typically falls back to MAC Authentication Bypass if MAB is enabled on the interface. Cisco ISE does not block the device outright in this situation unless policy is intentionally configured to do so. Instead, ISE treats the MAB attempt as a separate authentication method and evaluates it according to the authorization rules that apply specifically to MAC-based identities.

Because MAB identifies devices only by their MAC address, which is considered a weak and easily spoofed credential, the authorization that follows is usually limited or restricted. Common outcomes include assignment to a limited VLAN, a quarantine or remediation network, or a restricted downloadable ACL. This ensures that unmanaged or unauthenticated devices can still reach essential services such as DHCP, DNS, or onboarding portals, but are not given broad access to the corporate network.

ISE does not prioritize 802.1X over MAB in a way that denies MAB outright. Instead, 802.1X is attempted first; only when that fails or times out does MAB occur. Once MAB starts, ISE processes it normally. The presence of failed 802.1X attempts does not cause ISE to deny the MAB authentication unless a specific rule instructs it to.

ISE also does not grant full access simply because MAB succeeded. Full access is almost never tied to MAC-based authentication because it lacks user identity, device trust, and security posture information. Granting full access after a MAB success would be a security risk, so most deployment models avoid it.

Therefore, the correct behavior is that ISE applies MAB authorization, which usually results in restricted access.

Question 138:

How does Cisco ISE determine client access when a wireless session transitions from WebAuth to EAP-based reauthentication after the user closes and reconnects to Wi-Fi?

A) ISE maintains WebAuth session
B) ISE treats the new authentication as fresh and reevaluates authorization using the EAP method
C) ISE blocks EAP until WebAuth expires
D) ISE bypasses authorization

Answer: B

Explanation:

When a device that is currently in a WebAuth session later performs an EAP-based authentication such as EAP-TLS or PEAP, Cisco ISE does not continue using the old WebAuth session. WebAuth is a temporary, redirect-based method used when the endpoint cannot or has not yet performed 802.1X. Once the device transitions into an EAP-capable authentication, ISE treats this event as a completely new and independent authentication attempt. It processes the EAP exchange normally, validates the credentials or certificate, and then reevaluates the authorization policy from the beginning. This allows ISE to apply the correct authorization profile based on the stronger and more reliable identity information provided by EAP.

ISE does not maintain the WebAuth session once EAP occurs, because WebAuth does not offer persistent identity guarantees. It also does not block EAP just because WebAuth has not yet timed out, since doing so would prevent the device from upgrading its security posture. Similarly, ISE does not bypass authorization; in fact, it performs full evaluation again because EAP is considered the preferred authentication method for managed devices.

Therefore, when EAP occurs after a WebAuth session, ISE treats the new authentication as fresh and reevaluates authorization using the EAP method.

Question 139:

How does Cisco ISE determine endpoint policy when pxGrid feeds vulnerability severity but not device identity group changes?

A) ISE ignores severity levels
B) ISE evaluates the severity to trigger adaptive network control even without group changes
C) ISE requires identity group updates before enforcing policy
D) ISE blocks all pxGrid input

Answer: B

Explanation:

When Cisco ISE receives pxGrid threat intelligence from systems such as Secure Network Analytics, Firepower, or AMP, it does not ignore the severity of the event. Severity is one of the key elements ISE uses to determine what adaptive network control actions should be taken. Even when identity groups or profiling groups remain unchanged, ISE can still use the threat severity rating to trigger actions such as quarantining a device, sending a Change of Authorization, or applying a more restrictive authorization profile. This allows ISE to react immediately to high-risk conditions without waiting for any group membership modifications.

ISE does not require identity group updates before enforcing threat-driven policies. Group changes can be useful for reporting or long-term classification, but they are not necessary for immediate enforcement. ISE processes the pxGrid event, checks the severity, matches it against its authorization rules, and enforces the appropriate adaptive response automatically.

ISE also does not block all pxGrid input. The purpose of pxGrid integration is to enable information sharing between security systems, giving ISE visibility into threats detected elsewhere. Blocking such data would defeat the purpose of using pxGrid.

Because of this, the correct understanding is that ISE evaluates the severity to trigger adaptive network control even when no identity group changes occur.

Question 140:

How does Cisco ISE determine authorization when a device authenticates through TEAP but the user portion of the chain fails while machine authentication succeeds?

A) ISE grants full access
B) ISE assigns machine-only restricted access
C) ISE denies authentication
D) ISE assigns guest access

Answer: B

Explanation:

When a device completes machine authentication but no user authentication follows, Cisco ISE does not treat the session as fully trusted. Machine authentication only proves that the device is known and properly joined to the organization, but it does not verify who is actually using it. Because of this, ISE does not grant full access based solely on the machine’s identity. Full access is typically reserved for situations where both the device and the user have successfully authenticated, confirming both trust factors.

ISE also does not deny authentication in this scenario, because the machine authentication itself is valid. Denial would occur only if the certificate were expired, untrusted, revoked, or otherwise failed validation. Similarly, ISE does not assign guest access, because machine certificates represent corporate-managed devices, and guest authorization is associated with portal-based workflows, not certificate-based EAP-TLS logins.

Instead, ISE places the device into a machine-only restricted access state. This authorization level is intentionally limited. It usually provides enough connectivity for system processes such as domain communications, management traffic, or basic updates, but does not offer the privileges a user would have after logging in. Once the user authenticates, ISE can reevaluate the session and elevate the authorization accordingly.

Therefore, when only machine authentication succeeds and no user authentication occurs afterward, the device receives machine-only restricted access.
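The mechanism behind Questions 136 through 140 is the same: every new authentication is a fresh session evaluated top-down against an ordered, first-match authorization policy, and rule order decides whether a threat-driven ANC quarantine, a posture failure, a TEAP chaining result, or a MAB fallback wins. The following model of that evaluation is an added example, not ISE's own code; the attribute names, rule names, profile names and the severity threshold are constructed for illustration.

```python
# Added illustration: first-match authorization policy evaluation modelled on how
# Cisco ISE walks an ordered rule list. Attribute names, rule names and profile
# names below are constructed for this example; they are not ISE's real configuration.
from dataclasses import dataclass
from typing import Callable

Session = dict  # constructed attributes describing one authentication attempt

@dataclass
class Rule:
    name: str
    condition: Callable[[Session], bool]
    profile: str

# Rule order matters: the first matching rule wins, so the threat-driven ANC rule
# sits above posture, and both sit above every identity-based rule.
POLICY = [
    Rule("ANC quarantine", lambda s: s.get("anc_policy") == "Quarantine", "Quarantine_ACL"),
    Rule("Posture non-compliant", lambda s: s.get("posture") == "NonCompliant", "Remediation_VLAN"),
    Rule("TEAP user+machine", lambda s: s.get("eap_chaining") == "user_and_machine", "Full_Access"),
    Rule("TEAP machine only", lambda s: s.get("eap_chaining") == "machine_only", "Machine_Restricted"),
    Rule("EAP-TLS compliant", lambda s: s.get("auth_method") == "EAP-TLS"
         and s.get("posture") == "Compliant", "Full_Access"),
    Rule("MAB fallback", lambda s: s.get("auth_method") == "MAB", "Restricted_MAB_ACL"),
]
DEFAULT_PROFILE = "DenyAccess"

def authorize(session: Session) -> tuple:
    """Evaluate one fresh session against POLICY and return (rule name, profile).
    No earlier session state is consulted: every new attempt starts at rule 1."""
    for rule in POLICY:
        if rule.condition(session):
            return rule.name, rule.profile
    return "Default", DEFAULT_PROFILE

def apply_pxgrid_event(session: Session, severity: int, threshold: int = 7) -> Session:
    """Model a pxGrid threat event: severity at or above the threshold assigns the
    ANC quarantine policy to the session without changing any identity group."""
    updated = dict(session)
    if severity >= threshold:
        updated["anc_policy"] = "Quarantine"
    return updated

if __name__ == "__main__":
    # Q137: 802.1X failed with an untrusted CA, so the switch fell back to MAB.
    print(authorize({"auth_method": "MAB"}))
    # Q140: TEAP machine authentication succeeded, user authentication failed.
    print(authorize({"auth_method": "TEAP", "eap_chaining": "machine_only"}))
    # Q139: a compliant EAP-TLS session hit by a high-severity pxGrid event.
    print(authorize(apply_pxgrid_event({"auth_method": "EAP-TLS", "posture": "Compliant"}, 9)))
```

Reordering POLICY so that the MAB rule sits above the ANC rule would let a quarantined endpoint keep its restricted-but-connected profile, which is the kind of ordering mistake the explanations above warn against.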
