Question 141:
How does Cisco ISE determine the appropriate authorization when a wired client authenticates using EAP-TLS, but the client certificate maps to multiple Active Directory groups and multiple authorization rules match?
A) ISE merges all matching rules and applies combined enforcement
B) ISE applies the first matching authorization rule based on rule priority order
C) ISE denies authorization because group membership is ambiguous
D) ISE selects the group with the longest name to determine policy
Answer: B
Explanation:
Cisco ISE relies on deterministic rule evaluation to prevent ambiguity in authorization outcomes. In EAP-TLS authentication, the certificate establishes user or device identity, and ISE then queries Active Directory to discover the associated security groups. Many enterprise users belong to several AD groups, such as HR, department-specific groups, security groups, compliance groups, and global access groups. This results in a user potentially matching multiple authorization rules simultaneously. To avoid conflicting permissions, Cisco ISE evaluates rules sequentially based on their assigned priority.
Option B is correct because ISE always processes authorization rules from the highest priority to the lowest. As soon as a rule’s conditions match, ISE stops evaluating subsequent rules. This ensures predictable and consistent behavior. Administrators carefully design authorization rule order to reflect organizational policy, placing a rule higher in the list when it needs to be broader or more restrictive than the rules below it. For example, privileged administrative devices may require a special rule placed at the top of the list to override general employee policies.
Option A is incorrect because ISE does not merge multiple authorization rules. Merging rules would create complex, unpredictable outcomes. Enforcement instructions—VLAN assignment, SGT, dACL—must be unambiguous.
Option C is incorrect because ISE does not deny authorization simply because a user is in multiple AD groups. Multi-group membership is normal.
Option D is incorrect because ISE does not use group name length or alphabetical sorting to determine policy.
This rule-first-match design is foundational to ISE authorization because it ensures that administrators maintain complete control over how multiple identity attributes influence policy. If ISE merged rules or applied random selection, security policies could become inconsistent or dangerously permissive. Instead, administrators use rule ordering and group mapping to fine-tune access control. This approach scales across thousands of users and devices while keeping policy interpretation transparent and auditable. Therefore, option B is correct.
Question 142:
How does Cisco ISE determine enforcement when a device authenticates using MAB, is initially profiled as Unknown, but later receives DHCP attributes that indicate it is a medical IoT device requiring a specific SGT?
A) ISE ignores new profiling data because MAB is not trusted
B) ISE processes the new profiling attributes and triggers a CoA to apply the correct SGT
C) ISE applies no changes because SGTs can only be assigned during authentication
D) ISE removes the device session and forces reauthentication
Answer: B
Explanation:
MAC Authentication Bypass plays a crucial role in IoT deployments because most IoT devices cannot support 802.1X. Initially, many IoT devices provide limited identifying information. When a device first connects, it may appear only as Unknown because the MAC OUI alone provides little identifying information. As the device transmits DHCP traffic, ISE’s profiling probes capture vendor-class identifiers, option sets, and DHCP signatures unique to medical or industrial devices. These additional data points allow ISE to refine its classification.
Option B is correct because Cisco ISE continuously evaluates profiling input. When profiling reaches a new certainty threshold—such as identifying a medical infusion pump, patient monitor, or X-ray imaging console—ISE triggers a Change of Authorization (CoA). This CoA causes the switch to reapply authorization using the updated identity group. This often includes assigning the appropriate SGT for TrustSec segmentation. Medical IoT devices must be isolated in specific SGTs that prevent lateral movement while allowing access to necessary clinical systems.
Option A is incorrect because ISE does not ignore new profiling data. Profiling is designed to dynamically update identity classification.
Option C is incorrect because SGTs can be updated dynamically during active sessions using CoA, not only during initial authentication.
Option D is incorrect because ISE does not require reauthentication for profiling-based changes.
Dynamic profiling ensures accurate categorization and secure segmentation of devices that cannot authenticate through certificates or credentials. Medical IoT devices pose unique challenges because they often run proprietary operating systems or lack modern security features. Proper SGT assignment mitigates risk by limiting traffic based on role and device type. Thus, B is correct.
Question 143:
How does Cisco ISE determine authorization when TEAP EAP-chaining succeeds for the machine portion but the user logs in with cached credentials that cannot be validated against Active Directory?
A) ISE grants full access because machine authentication succeeded
B) ISE assigns a machine-only authorization profile with restricted access
C) ISE rejects the session entirely
D) ISE places the device into guest mode
Answer: B
Explanation:
TEAP supports full EAP chaining, enabling both machine and user identity validation inside a single secure tunnel. Machine authentication typically occurs using a computer certificate, while user authentication relies on Active Directory validation. However, if a user logs into Windows using cached credentials (common when offline or when AD cannot be reached), TEAP still attempts to authenticate the user portion but fails because the AD controller cannot validate the credentials.
Option B is correct because Cisco ISE falls back to machine-only authorization when only machine identity can be validated. This means the device may receive basic network connectivity, such as access to domain controllers, login servers, or resources required to complete user login. Full user privileges cannot be granted because the user’s identity has not been verified.
Option A is incorrect because machine authentication alone rarely qualifies for full access.
Option C is incorrect because TEAP allows partial success; it does not reject the session unless both identities fail.
Option D is incorrect because guest mode is not related to domain-joined machine workflows.
Chained authentication allows ISE to differentiate between a trusted machine and a validated user session, enabling fine-grained access control. Machine-only access prevents unauthorized users from gaining sensitive privileges while still allowing the device to reach necessary infrastructure. This ensures security without breaking enterprise workflows. Thus, B is correct.
Question 144:
How does Cisco ISE determine authorization for a wireless client that successfully authenticates but must be redirected to a BYOD onboarding portal due to missing device registration records?
A) ISE grants full access since authentication succeeded
B) ISE applies a redirect ACL and onboarding authorization profile until the device completes registration
C) ISE assigns a guest VLAN automatically
D) ISE denies all traffic
Answer: B
Explanation:
Cisco ISE uses BYOD onboarding workflows to onboard personal and unmanaged devices into the enterprise network securely. Even after successful authentication—typically through PEAP or certificate-based authentication—ISE must verify whether the device is registered in the BYOD database. If the device lacks registration metadata, ISE needs to guide the user through the onboarding process.
Option B is correct because ISE applies a redirect ACL using an onboarding authorization profile. This ACL restricts user traffic so that only DNS and HTTP/HTTPS traffic to the ISE onboarding portal is permitted. The user is then redirected to the BYOD portal, where the device is registered and provisioned with certificates, profiles, and Wi-Fi configurations. Once onboarding completes, ISE sends a CoA to update the authorization classification, granting full access.
Option A is incorrect because authentication alone does not prove onboarding compliance.
Option C is incorrect because guest VLAN assignment is not part of the BYOD onboarding workflow unless explicitly configured.
Option D is incorrect because BYOD workflows require selective traffic allowance, not total denial.
BYOD onboarding ensures that personal devices meet minimum requirements before joining enterprise networks. Redirects enforce controlled access while still allowing users to complete onboarding. Thus, B is correct.
Question 145:
How does Cisco ISE determine access when a client authenticated through PEAP transitions to VPN access using AnyConnect, and both sessions occur simultaneously?
A) ISE merges both sessions into a single identity
B) ISE evaluates each session independently for authentication and authorization
C) ISE blocks VPN connections when wired/wireless NAC is active
D) ISE forces the endpoint to drop one session
Answer: B
Explanation:
Cisco ISE treats every network access request as an independent session. A user may connect via wired NAC, wireless EAP, or AnyConnect VPN simultaneously. Each connection has separate enforcement outcomes because the network path, enforcement device, policy rules, and posture requirements differ.
Option B is correct because Cisco ISE evaluates VPN and local-NAC sessions independently. VPN connections often have posture requirements, different VLAN assignments, and separate ACLs. Wireless or wired NAC sessions may have 802.1X-based authorization, profiling, or TrustSec requirements. The identity may be the same, but every session has a unique RADIUS context.
Option A is incorrect because session merging is not supported.
Option C is incorrect because ISE explicitly supports parallel access routes.
Option D is incorrect because ISE does not require session termination across access methods.
This flexibility allows users to maintain multiple network paths while ISE controls each independently. Thus, B is correct.
Question 146:
How does Cisco ISE determine authorization when an IoT device authenticates using MAB and the switch is configured with Critical Auth Mode due to temporary ISE unavailability?
A) The switch blocks the device
B) The switch applies a critical authorization profile until ISE becomes reachable
C) ISE grants full access automatically
D) The switch forces 802.1X retry loops
Answer: B
Explanation:
Critical Auth Mode ensures continuity during RADIUS unreachability events. IoT devices using MAB rely on ISE availability; when ISE becomes unreachable, these devices cannot authenticate normally.
Option B is correct because the switch applies a critical authorization profile in Critical Auth Mode. IoT devices maintain limited but essential network access until ISE recovers.
Option A is incorrect because blocking disrupts operations.
Option C is incorrect because full access is not granted.
Option D is incorrect because IoT devices cannot perform 802.1X.
Thus, B is correct.
Question 147:
How does Cisco ISE determine enforcement when a device authenticates successfully but the profiling engine later detects spoofed MAC address behavior?
A) ISE ignores profiling anomalies
B) ISE triggers adaptive network control actions such as quarantine
C) ISE deletes the endpoint
D) ISE converts the session to guest mode
Answer: B
Explanation:
When Cisco ISE detects profiling anomalies, it does not ignore them. Profiling exists specifically to recognize devices accurately and detect when their behavior changes in a way that may indicate misclassification or a potential security issue. Ignoring these anomalies would defeat the purpose of profiling intelligence.
ISE also does not delete the endpoint record. Endpoint deletion is an administrative action and is not automatically triggered by profiling changes. Likewise, converting the session to guest mode is not appropriate, because guest workflows are based on explicit guest authentication or onboarding, not on profiling behavior.
Instead, when profiling anomalies occur—especially when new device characteristics conflict with the previously assigned profile—ISE may trigger adaptive network control actions. These actions can include placing the device into a quarantine or restricted VLAN, applying a more restrictive ACL, or issuing a Change of Authorization to reevaluate the device’s access. This response helps contain potentially suspicious behavior while allowing administrators to investigate further.
Therefore, the correct behavior is that ISE triggers adaptive network control actions such as quarantine.
Question 148:
How does Cisco ISE determine authorization when a user authenticates through TACACS+ but the device admin command set requires a specific command authorization policy?
A) ISE applies user authentication only
B) ISE evaluates command sets and enforces policy per command
C) ISE allows all commands
D) ISE blocks all commands
Answer: B
Explanation:
In a TACACS+ workflow, Cisco ISE does much more than simply authenticate the administrator. After authentication succeeds, ISE moves into the authorization phase, where it evaluates which commands the user is allowed to run on the network device. This means ISE does not apply user authentication only; authentication is just the first step. Once the user is confirmed, ISE checks the command sets and shell profiles associated with that identity.
ISE does not allow all commands by default. Permission to run CLI commands is based on the specific TACACS+ command sets defined in ISE. Each command or command group can be explicitly permitted or denied depending on the user’s role, group membership, or assigned privileges. This enables very granular control, such as allowing read-only access, permitting only certain configuration commands, or restricting the ability to modify sensitive features.
ISE also does not block all commands unless a policy is intentionally misconfigured or explicitly designed to do so. Instead, it enforces policy on a per-command basis. Every command entered on a device is checked against ISE’s policy before execution. If the command is approved within the assigned command set, the device allows it to run; if the command is denied, the device rejects it and logs the event.
Therefore, the correct behavior is that ISE evaluates command sets and enforces policy on a per-command basis.
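The per-command authorization described above can be made concrete with a small evaluator. The following is an added example, not Cisco code and not ISE’s actual implementation: the command-set entries (grant, command, argument regex) and the "permit any unlisted command" flag mirror the kind of command set an administrator builds in ISE, but the precedence order applied when several assigned sets match (DENY_ALWAYS, then PERMIT, then DENY, then the unlisted-command flag) is a simplified model assumed here. The command sets and CLI lines are constructed for illustration.

```python
import re
from dataclasses import dataclass
from enum import Enum


class Grant(Enum):
    PERMIT = "permit"
    DENY = "deny"
    DENY_ALWAYS = "deny_always"  # wins over any permit in any other assigned set (assumed model)


@dataclass(frozen=True)
class CommandEntry:
    grant: Grant
    command: str          # first token of the CLI line, compared case-insensitively
    arguments: str = ".*"  # regex that must fully match the rest of the line


@dataclass(frozen=True)
class CommandSet:
    name: str
    entries: tuple
    permit_unmatched: bool = False  # "permit any command that is not listed" style flag


def split_command(line: str):
    """Split a CLI line into (command, argument string) the way the device reports it."""
    parts = line.strip().split(None, 1)
    return parts[0].lower(), (parts[1] if len(parts) > 1 else "")


def entry_matches(entry: CommandEntry, cmd: str, args: str) -> bool:
    return entry.command.lower() == cmd and re.fullmatch(entry.arguments, args) is not None


def authorize_command(command_sets, line: str):
    """Decide one command. Returns (allowed, reason) so the caller can log the event."""
    cmd, args = split_command(line)
    grants = [e.grant for cs in command_sets for e in cs.entries if entry_matches(e, cmd, args)]
    if Grant.DENY_ALWAYS in grants:
        return False, "deny_always"
    if Grant.PERMIT in grants:
        return True, "permit"
    if Grant.DENY in grants:
        return False, "deny"
    if any(cs.permit_unmatched for cs in command_sets):
        return True, "permit_unmatched"
    return False, "no_match"  # default-deny when nothing lists the command


def audit_session(command_sets, lines):
    """Evaluate every command of a session and return the audit trail (line, allowed, reason)."""
    return [(line, *authorize_command(command_sets, line)) for line in lines]


# Constructed command sets (illustrative, not from any real deployment)
READ_ONLY = CommandSet("ReadOnly", (
    CommandEntry(Grant.PERMIT, "show"),
    CommandEntry(Grant.PERMIT, "exit"),
))
NETOPS = CommandSet("NetOps", (
    CommandEntry(Grant.DENY_ALWAYS, "username"),      # never let operators touch local accounts
    CommandEntry(Grant.DENY_ALWAYS, "tacacs-server"),  # or the AAA server configuration itself
    CommandEntry(Grant.PERMIT, "configure", "terminal"),
    CommandEntry(Grant.PERMIT, "interface"),
    CommandEntry(Grant.PERMIT, "description"),
))
HELPDESK = CommandSet("Helpdesk", (
    CommandEntry(Grant.DENY, "reload"),
), permit_unmatched=True)

if __name__ == "__main__":
    session = ["show running-config", "configure terminal", "username admin secret x", "reload"]
    for line, allowed, reason in audit_session([READ_ONLY, NETOPS], session):
        print(f"{'PERMIT' if allowed else 'DENY ':6} {reason:16} {line}")
```

The audit trail is the part a defender cares about: a denied command still produces a record, which is what makes TACACS+ command authorization reviewable after the fact.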
Question 149:
How does Cisco ISE determine posture outcome when multiple third-party security tools report conflicting device health states via pxGrid?
A) ISE chooses the healthiest report
B) ISE treats any failing health state as non-compliant
C) ISE averages results
D) ISE ignores third-party inputs
Answer: B
Explanation:
When Cisco ISE receives health or compliance information from multiple sources—such as the AnyConnect posture agent, Cisco Secure Endpoint, or other third-party integrations—it does not try to pick the best or healthiest report. Posture evaluation in ISE is based on the principle that every required condition must be satisfied before a device can be considered compliant. Because of this, ISE does not average results or try to interpret mixed inputs into a middle-ground score. It also does not ignore third-party posture or health information, since these integrations are designed to enhance posture accuracy.
If any connected health source reports a failing or non-compliant state for a required condition, ISE marks the entire posture result as non-compliant. This ensures that no device is granted full access if it fails key security checks, even if one of the reporting systems says it is healthy. The strict, all-requirements-must-pass model prevents security gaps where a single check failure could otherwise be overlooked.
Therefore, the correct behavior is that ISE treats any failing health state as non-compliant.
Question 150:
How does Cisco ISE determine authorization when an endpoint undergoes successful posture remediation and reports compliance after being in a restricted state?
A) ISE leaves the device in quarantine
B) ISE triggers a CoA to elevate authorization to full access
C) ISE forces reauthentication only
D) ISE removes all authorizations
Answer: B
Explanation:
When a device finishes remediation and reports a compliant posture status, Cisco ISE does not leave it stuck in the quarantine or restricted state. Quarantine is only meant to be temporary while the endpoint corrects its security issues. Once the posture agent notifies ISE that all required checks have passed, ISE recognizes the new compliant state and updates the authorization accordingly.
ISE does not simply force a reauthentication without changing anything. While a CoA may involve reauthentication depending on configuration, the important part is not the reauth itself but the fact that authorization is elevated based on the compliant posture. Likewise, ISE does not remove all authorizations, since that would disrupt network access and contradict the purpose of posture enforcement.
Instead, ISE issues a Change of Authorization to the network device so the endpoint can receive its full-access authorization profile. This may include lifting quarantine ACLs, removing redirection, restoring the normal VLAN, or assigning the appropriate SGT. The CoA ensures that the endpoint transitions smoothly from restricted posture-required access to full operational access without requiring the user to disconnect or manually restart the session.
Therefore, the correct behavior is that ISE triggers a CoA to elevate authorization to full access.
Question 151:
How does Cisco ISE determine the correct authorization when an endpoint authenticates successfully using EAP-TLS, but the certificate revocation check (CRL/OCSP) returns a temporary “unknown” status due to unreachable CRL distribution points?
A) ISE automatically assumes the certificate is valid and grants full access
B) ISE applies a fallback authorization rule that limits access until revocation status is verified
C) ISE rejects the authentication entirely
D) ISE switches to MAB authentication
Answer: B
Explanation:
Cisco ISE validates EAP-TLS certificates using several checks: trust anchor validation, certificate chain validation, certificate expiration, SAN identity mapping, and certificate revocation status. Revocation checks use CRL or OCSP endpoints embedded in the certificate. However, many enterprise environments experience situations where revocation servers are temporarily unreachable, such as DNS failures, firewall misconfigurations, proxy issues, network segmentation, or outages in external CA infrastructure. When these checks return an “unknown” status instead of “good” or “revoked,” ISE must determine how to proceed without violating Zero Trust principles.
Option B is correct because Cisco ISE can apply a fallback authorization rule when revocation status cannot be confirmed. ISE policies allow administrators to classify “revocation check unknown” as a conditional match. The fallback authorization often provides restricted access, such as quarantine VLANs, a limited dACL, or access only to certificate renewal endpoints or PKI servers. This ensures that the device remains connected but is unable to interact with sensitive network segments until revocation can be validated. This method protects the network from potentially compromised certificates while ensuring that minor PKI outages do not completely disrupt operations.
Option A is incorrect because blindly assuming validity violates certificate-based security standards. If the certificate were actually revoked, such behavior would present a major risk.
Option C is incorrect because immediately rejecting the authentication would cause large-scale access failures anytime PKI infrastructure experiences temporary outages. Cisco ISE is designed to offer graceful degradation, not immediate denial.
Option D is incorrect because switching to MAB after a failed revocation check is not supported. MAB is only used when 802.1X authentication itself fails, not for revocation issues.
Cisco ISE’s flexibility in handling CRL/OCSP failures ensures both resilience and security. By applying controlled fallback authorization, ISE maintains operational continuity while minimizing risk. Thus, B is the correct answer.
Question 152:
How does Cisco ISE determine the final authorization when a wired client authenticates through PEAP-MSCHAPv2 but then receives a new device profile that identifies it as a gaming console on a corporate network?
A) ISE keeps full access because authentication succeeded
B) ISE triggers a CoA and reassigns authorization based on the gaming console profile
C) ISE moves the device to the guest VLAN automatically
D) ISE deletes the endpoint record and forces new authentication
Answer: B
Explanation:
Profiling plays a critical role in refining authorization decisions after initial authentication. Many devices authenticate successfully even though they are not corporate assets. PEAP-MSCHAPv2 validates user credentials but does not identify hardware type. Cisco ISE’s profiling engine uses DHCP fingerprints, HTTP User-Agent strings, SNMP attributes, MAC OUI, and other probe data to categorize devices more accurately. If a client authenticates using user credentials on a wired port but is later identified as a gaming console, this indicates a policy violation because gaming devices do not belong on corporate networks.
Option B is correct because ISE dynamically updates authorization based on the new device profile. After profiling detects the gaming console characteristics, ISE triggers a Change of Authorization (CoA) to reassign a more appropriate authorization rule, such as quarantine VLAN, internet-only dACL, or blocked access. Profiling always takes precedence over user authentication when device type indicates non-compliance or policy violations.
Option A is incorrect because authentication is not the only factor. Device identity (profiling) is equally important for Zero Trust enforcement.
Option C is incorrect unless authorization rules explicitly map gaming consoles to a guest VLAN. This is not automatic behavior.
Option D is incorrect because ISE does not delete devices to enforce dynamic authorization.
ISE’s ability to dynamically change authorizations ensures rogue or inappropriate devices do not gain persistent corporate access. For this reason, B is the correct answer.
Question 153:
How does Cisco ISE determine the correct authorization when TEAP EAP-chaining completes successfully, but the user belongs to multiple AD groups mapped to conflicting authorization policies?
A) ISE chooses a random authorization rule
B) ISE evaluates rules in order and applies the highest-priority matching rule
C) ISE merges attributes from all rules into a combined authorization
D) ISE denies access because the user belongs to multiple groups
Answer: B
Explanation:
Cisco ISE uses fully deterministic rule ordering to avoid conflict when users belong to multiple AD groups. In TEAP chaining, both the machine and the user identities are validated. This increases the complexity of authorization because ISE receives a larger set of AD group membership attributes. When a user belongs to multiple groups—for example, Domain Users, Engineering, VPN Users, and Restricted Access—there may be several matching authorization rules with different outcomes.
Option B is correct because ISE evaluates authorization policies from top to bottom and applies the first rule that matches. This ensures consistent outcomes across sessions. Administrators design authorization rules so that the most restrictive or specific policies appear higher in the list, while generic or fallback rules are placed lower.
Option A is incorrect because ISE never selects rules randomly.
Option C is incorrect because ISE does not combine ACLs, VLANs, or SGTs from multiple rules. Only one result is applied.
Option D is incorrect because multi-group membership is normal and not grounds for denial.
Correct policy ordering is essential for TEAP deployments because chaining provides additional identity data that can increase rule matches. ISE’s rule-priority logic guarantees predictable policy enforcement, making B the correct answer.
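The first-match behavior discussed in questions 141 and 153 is easy to reason about once it is written down as code. The following is an added example and not ISE’s own policy engine: the Session, Rule and Result types are a constructed model, the rule names, VLANs, dACL names and SGTs are invented for illustration, and the AD group names are the ones used in the explanation above. The point it demonstrates is that the same user with the same group memberships gets a different result purely from rule order, and that results are never merged.

```python
from dataclasses import dataclass
from typing import Callable, Sequence


@dataclass(frozen=True)
class Session:
    """What the policy engine sees after authentication (constructed model)."""
    identity: str
    groups: frozenset           # AD group memberships returned for this identity
    machine_authenticated: bool = False  # e.g. the machine leg of TEAP chaining


@dataclass(frozen=True)
class Result:
    """One authorization outcome; exactly one of these is ever applied."""
    vlan: str
    dacl: str
    sgt: str


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[Session], bool]
    result: Result


def authorize(policy: Sequence[Rule], session: Session, default: Result):
    """First-match evaluation: walk the ordered rules and return the first hit.
    Later matching rules are never consulted, so nothing is merged."""
    for rule in policy:
        if rule.condition(session):
            return rule.name, rule.result
    return "Default", default


def matching_rules(policy: Sequence[Rule], session: Session):
    """Diagnostic view: every rule that would match, in list order.
    This is what an administrator reviews before deciding on rule placement."""
    return [r.name for r in policy if r.condition(session)]


def in_group(name: str):
    return lambda s: name in s.groups


# Constructed rules and results (hypothetical names, not a real deployment)
DEFAULT = Result(vlan="guest", dacl="INTERNET_ONLY", sgt="Unknown")
PRIVILEGED_ADMINS = Rule("Privileged Admins",
                         lambda s: "Domain Admins" in s.groups and s.machine_authenticated,
                         Result("10", "PERMIT_ALL", "Admin"))
RESTRICTED = Rule("Restricted Access", in_group("Restricted Access"),
                  Result("999", "QUARANTINE", "Quarantine"))
ENGINEERING = Rule("Engineering", in_group("Engineering"),
                   Result("20", "ENG_ACCESS", "Engineers"))
EMPLOYEES = Rule("Employees", in_group("Domain Users"),
                 Result("30", "CORP_ACCESS", "Employees"))

# Intended order: the restrictive rule sits above the broader role rules.
POLICY = [PRIVILEGED_ADMINS, RESTRICTED, ENGINEERING, EMPLOYEES]
# Same rules, restrictive rule placed last: a common misconfiguration.
MISORDERED = [PRIVILEGED_ADMINS, ENGINEERING, EMPLOYEES, RESTRICTED]

# Constructed sessions
ALICE = Session("alice", frozenset({"Domain Users", "Engineering", "VPN Users", "Restricted Access"}),
                machine_authenticated=True)
BOB = Session("bob", frozenset({"Domain Users"}))
CAROL = Session("carol", frozenset({"Contractors"}))

if __name__ == "__main__":
    print("rules alice matches:", matching_rules(POLICY, ALICE))
    for label, policy in (("ordered", POLICY), ("misordered", MISORDERED)):
        name, result = authorize(policy, ALICE, DEFAULT)
        print(f"{label:10} -> {name}: vlan={result.vlan} dacl={result.dacl} sgt={result.sgt}")
```

Running it shows alice matching three rules, receiving the quarantine result under the intended order and the full engineering result under the misordered one; that single difference is why rule placement, not group membership, is what an administrator audits when an authorization outcome looks wrong.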
Question 154:
How does Cisco ISE determine authorization when an endpoint authenticates with MAB, initially receives limited access, but later joins an 802.1X-capable domain through GPO updates and begins sending EAPOL frames?
A) ISE locks the endpoint into permanent MAB mode
B) The switch transitions the session to 802.1X and ISE grants updated authorization
C) ISE rejects the 802.1X attempt because MAB occurred first
D) ISE disables the port due to conflicting authentication attempts
Answer: B
Explanation:
When a device initially authenticates with MAC Authentication Bypass and later begins performing 802.1X, Cisco ISE and the switch do not lock it into MAB mode or treat the new attempt as invalid. MAB is intended only as a fallback mechanism for devices that cannot perform 802.1X. As soon as the device starts sending proper 802.1X traffic, the switch transitions the session to use 802.1X instead of MAB. This is expected behavior and is built into standard NAC designs so that endpoints can upgrade to stronger authentication as soon as they are capable.
ISE does not reject the new 802.1X attempt just because MAB occurred first. The new authentication is processed normally as a fresh session, allowing ISE to apply authorization rules that are more appropriate for authenticated users or trusted machines. The previous MAB authorization is replaced, and the device receives updated access permissions based on the 802.1X result.
ISE also does not disable the port due to having seen two authentication methods. Multi-authentication transitions like this are common, especially during device boot sequences. Phones, thin clients, and many IoT devices may start with MAB and then initiate 802.1X once their supplicant becomes active.
Because of this, the correct behavior is that the switch transitions the session to 802.1X and ISE grants updated authorization.
Question 155:
How does Cisco ISE determine session authorization when an AnyConnect VPN user authenticates through a certificate, but the posture module reports that disk encryption is disabled?
A) ISE grants full VPN access because certificate authentication is strong
B) ISE assigns a posture-required authorization such as remediation ACL
C) ISE blocks all VPN connectivity
D) ISE forces the session to use split tunneling only
Answer: B
Explanation:
When a remote user authenticates to a VPN using certificate-based methods like EAP-TLS, Cisco ISE still evaluates posture requirements separately. Strong authentication alone does not guarantee that the endpoint meets the organization’s security standards. Because of this, ISE does not grant full VPN access solely on the basis of certificate strength. Certificates confirm identity, but they do not provide information about antivirus status, firewall settings, disk encryption, patch levels, or other health checks that posture assessment is designed to validate.
ISE also does not block all VPN connectivity if posture has not yet been completed. Instead, the user is permitted to establish a limited connection, often called a remediation or quarantine state. This restricted access allows the endpoint to communicate with necessary resources, such as the ISE portal or update servers, so that it can complete any required posture checks. Blocking connectivity outright would prevent the user from installing updates or completing remediation steps.
Likewise, ISE does not force the VPN session into split-tunneling mode. Split tunneling is determined by policy on the VPN headend device, not by ISE’s posture engine. While authorization rules may assign different group policies or ACLs based on posture, they do not alter whether the tunnel is split or full unless the administrator explicitly ties those behaviors to posture status.
In a typical deployment, once certificate-based authentication succeeds, ISE evaluates whether the endpoint must undergo posture verification. If posture is required and has not yet been satisfied, ISE assigns a posture-required authorization result. This usually includes a remediation ACL or redirection to the posture portal so the endpoint can be checked and corrected before gaining full access.
Therefore, the correct behavior is that ISE assigns a posture-required authorization such as a remediation ACL.
Question 156:
How does Cisco ISE determine enforcement when a device authenticates using EAP-FAST but the PAC (Protected Access Credential) is expired or invalid?
A) ISE rejects the session and forces PAC renewal
B) ISE ignores PAC expiry and grants access
C) ISE falls back to MAB
D) ISE automatically switches to TEAP
Answer: A
Explanation:
When an EAP-FAST deployment relies on Protected Access Credentials (PACs), the PAC lifetime is critical for maintaining a secure and functioning authentication workflow. If a PAC expires, Cisco ISE does not simply reject the authentication outright and force an immediate PAC regeneration, because doing so would break connectivity for any endpoint whose PAC has aged out. At the same time, ISE does not ignore the expiration and grant access, because an expired PAC no longer provides the assurances needed for secure tunnel establishment. Falling back to MAC Authentication Bypass is also not part of the EAP-FAST logic. MAB is used only when a device completely fails to speak 802.1X, not when a tunnel method encounters a credential-related issue.
In modern deployments, EAP-FAST is being phased out in favor of TEAP, which is its successor and incorporates improved security, enhanced tunnel capabilities, and more flexible inner method handling. TEAP is designed to replace EAP-FAST in circumstances where PACs are no longer valid or where EAP-FAST would normally need PAC provisioning. Because TEAP does not require PACs in the same way and instead uses standard TLS for tunnel establishment, it removes the dependency on PAC lifetime altogether. As a result, when a PAC expires and the system is configured to transition away from EAP-FAST, ISE can automatically allow the authentication to continue using TEAP instead. This creates a smoother and more secure migration path, reduces authentication disruptions, and avoids legacy PAC maintenance overhead.
Therefore, when a PAC expires in an environment that supports both methods, ISE automatically switches to TEAP rather than rejecting the session or forcing fallback to weaker methods. This ensures the device can continue authenticating securely without needing to re-provision a PAC or rely on less reliable fallback procedures.
Question 157:
How does Cisco ISE determine policy when an IoT device periodically changes DHCP class identifiers due to firmware updates?
A) ISE permanently classifies based on first-seen profile
B) ISE updates profiling dynamically and may reassign authorization via CoA
C) ISE marks the device as rogue
D) ISE blocks DHCP traffic
Answer: B
Explanation:
When a device’s behavior or attributes change over time, Cisco ISE does not lock it into the first profile that was detected. Profiling in ISE is designed to be dynamic, meaning it continuously evaluates information such as DHCP attributes, LLDP/CDP data, SNMP responses, traffic patterns, and other profiling probes. If newly observed attributes more accurately represent the device type, ISE updates the profiling classification accordingly.
ISE does not mark the device as rogue simply because its profile changes. Rogue device detection is a separate function and is based on specific security criteria, not normal changes in endpoint behavior. Likewise, ISE does not block DHCP traffic, since DHCP is an essential source of profiling data. Blocking it would interfere with network access and prevent ISE from accurately identifying the device.
ISE also does not permanently rely on the first-seen profile. Doing so would cause misclassification and incorrect authorization over time as devices update firmware, change operating systems, or alter their network behavior.
Instead, when profiling updates occur, ISE may reassign authorization based on the new identity. If the new profile triggers a different authorization rule, ISE can issue a Change of Authorization (CoA) to the switch or controller. This may result in a new VLAN assignment, a different ACL, or updated Security Group Tags. The dynamic nature of this process ensures that access policies remain appropriate for the device’s true identity.
Therefore, the correct behavior is that ISE updates profiling dynamically and may reassign authorization via CoA.
Question 158:
How does Cisco ISE determine authorization when posture is required but the AnyConnect posture module is not installed on the endpoint?
A) ISE grants full access
B) ISE applies a remediation-required authorization with redirection to install posture module
C) ISE blocks the device permanently
D) ISE switches to guest mode
Answer: B
Explanation:
When a device connects to the network but does not yet have the posture agent installed, Cisco ISE does not grant full access because it cannot verify the device’s security compliance. Full access is only provided after the posture module reports that the endpoint meets all required security conditions. ISE also does not permanently block the device simply because the agent is missing; doing so would prevent legitimate users from completing the onboarding or remediation steps. Likewise, ISE does not switch the device into guest mode, since guest workflows are designed for temporary visitors and are unrelated to posture requirements.
Instead, ISE places the device into a remediation-required authorization state. In this state, the device is given restricted access—typically allowing only basic connectivity such as DNS, DHCP, and access to Cisco ISE’s posture or onboarding portal. The endpoint is then redirected to a web page where the user is prompted to download and install the posture module, such as the AnyConnect compliance agent. Only after the posture agent is installed and reports a compliant status does ISE elevate the device to a full access authorization profile.
Therefore, the correct behavior is that ISE applies a remediation-required authorization with redirection to install the posture module.
Question 159:
How does Cisco ISE determine the correct enforcement when multiple pxGrid threat feeds report escalating severity values for the same device over time?
A) ISE uses the highest reported severity
B) ISE averages values
C) ISE uses the oldest severity
D) ISE ignores all severity escalations
Answer: A
Explanation:
When multiple pxGrid-connected security tools report threat information for the same endpoint, Cisco ISE does not ignore escalation, average values, or prefer older data. Threat-based policy in ISE is designed to react to the most urgent condition affecting a device. Because of this, ISE evaluates all incoming severity levels and uses the highest one reported. This ensures that if any integrated system detects a high-risk or critical threat, ISE immediately applies the appropriate Adaptive Network Control (ANC) measures, such as quarantine VLANs, restrictive ACLs, or CoA disconnect actions.
ISE does not average severity, because combining scores would dilute the importance of a critical alert and introduce ambiguity into enforcement. It also does not use the oldest severity, as older reports may no longer reflect the current security state of the endpoint. Ignoring severity escalations would defeat the purpose of integrating threat intelligence through pxGrid.
Therefore, Cisco ISE uses the highest reported severity when multiple threat sources provide information about the same device.
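The following Python model is an added example, not Cisco code and not part of the original explanations. It models the three behaviours described in Questions 157, 158 and 159 as a single first-match policy engine: profiling or posture changes on a live session trigger a re-evaluation and a CoA only when the resulting authorization profile actually changes, and several threat reports for one endpoint collapse to the highest severity. The rule names, authorization profile names, MAC addresses and feed names are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Ordering used when several pxGrid sources report on one endpoint (constructed scale).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Endpoint:
    """Attributes the engine holds for an endpoint; all sample values are constructed."""
    mac: str
    profile: str = "Unknown"          # result of profiling probes (DHCP, CDP/LLDP, ...)
    posture: str = "unknown"          # "unknown" (no agent yet), "compliant", "non-compliant"
    threat_reports: Dict[str, str] = field(default_factory=dict)  # source -> severity

    def effective_severity(self) -> Optional[str]:
        """Highest severity any source reported: never averaged, never the oldest."""
        if not self.threat_reports:
            return None
        return max(self.threat_reports.values(), key=lambda s: SEVERITY_RANK[s])


@dataclass
class AuthzRule:
    name: str
    condition: Callable[[Endpoint], bool]
    profile: str                      # authorization profile (VLAN/dACL/SGT bundle) to apply


# Ordered top to bottom; the first rule whose condition matches wins (hypothetical rule set).
RULES: List[AuthzRule] = [
    AuthzRule("Threat-Quarantine", lambda ep: ep.effective_severity() in ("high", "critical"), "QUARANTINE"),
    AuthzRule("Posture-Redirect", lambda ep: ep.profile.startswith("Workstation") and ep.posture != "compliant",
              "REMEDIATION_REDIRECT"),
    AuthzRule("Workstation-Full", lambda ep: ep.profile.startswith("Workstation") and ep.posture == "compliant",
              "EMPLOYEE_FULL"),
    AuthzRule("IP-Camera", lambda ep: ep.profile == "IP-Camera", "CAMERA_VLAN"),
    AuthzRule("Default", lambda ep: True, "DENY_ACCESS"),
]


def evaluate(ep: Endpoint, rules: List[AuthzRule] = RULES) -> Tuple[str, str]:
    """First-match evaluation: returns (rule name, authorization profile)."""
    for rule in rules:
        if rule.condition(ep):
            return rule.name, rule.profile
    raise RuntimeError("rule set must end with a catch-all rule")


class PolicyEngine:
    """Tracks the live authorization per session and emits a CoA only when it changes."""

    def __init__(self, rules: List[AuthzRule] = RULES) -> None:
        self.rules = rules
        self.sessions: Dict[str, str] = {}              # mac -> applied authorization profile
        self.coa_log: List[Tuple[str, str, str]] = []   # (mac, old profile, new profile)

    def authenticate(self, ep: Endpoint) -> str:
        _, profile = evaluate(ep, self.rules)
        self.sessions[ep.mac] = profile
        return profile

    def reevaluate(self, ep: Endpoint) -> Optional[str]:
        """Run after any profiling, posture or threat attribute update on a live session."""
        _, new = evaluate(ep, self.rules)
        old = self.sessions[ep.mac]
        if new == old:
            return None                                 # unchanged outcome: no CoA needed
        self.sessions[ep.mac] = new
        self.coa_log.append((ep.mac, old, new))
        return f"CoA {ep.mac}: {old} -> {new}"


def demo() -> Dict[str, Optional[str]]:
    engine = PolicyEngine()
    out: Dict[str, Optional[str]] = {}
    # Question 157: camera first seen without a usable DHCP class identifier, later re-profiled.
    cam = Endpoint("00:11:22:aa:bb:cc")
    out["cam_initial"] = engine.authenticate(cam)        # DENY_ACCESS (catch-all rule)
    cam.profile = "IP-Camera"                            # DHCP probe reclassifies the device
    out["cam_reprofiled"] = engine.reevaluate(cam)       # CoA moving it to CAMERA_VLAN
    out["cam_same_profile"] = engine.reevaluate(cam)     # firmware update, same class: no CoA
    # Question 158: workstation with no posture agent, then reporting compliant.
    pc = Endpoint("00:11:22:dd:ee:ff", profile="Workstation")
    out["pc_initial"] = engine.authenticate(pc)          # REMEDIATION_REDIRECT
    pc.posture = "compliant"
    out["pc_compliant"] = engine.reevaluate(pc)          # CoA moving it to EMPLOYEE_FULL
    # Question 159: two feeds report on the PC; the highest severity drives enforcement.
    pc.threat_reports["feed-A"] = "medium"
    out["pc_medium"] = engine.reevaluate(pc)             # medium does not match: no CoA
    pc.threat_reports["feed-B"] = "critical"
    out["pc_critical"] = engine.reevaluate(pc)           # CoA moving it to QUARANTINE
    out["pc_severity"] = pc.effective_severity()         # "critical"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The engine re-runs the whole ordered rule list on every attribute change rather than patching the existing result, which is what makes a profiling, posture or threat update safe to apply at any time: the only side effect is a CoA when the first matching rule differs from the one currently enforced on the session.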
Question 160:
How does Cisco ISE determine authorization when a wireless client transitions from a WPA2-Enterprise SSID to a WPA3-Enterprise SSID using the same identity credentials?
A) ISE treats it as a continuation of the old session
B) ISE treats it as a new session and reevaluates authentication and authorization
C) ISE denies access
D) ISE uses cached results from the old SSID
Answer: B
Explanation:
When a device roams from one SSID to another, Cisco ISE does not treat the new connection as a continuation of the previous wireless session. Each SSID represents a separate network access instance, with its own authentication requirements, VLAN assignments, and authorization rules. Because of this, the session from the previous SSID does not carry over in any meaningful way.
ISE does not deny access automatically when a device switches SSIDs. As long as the device presents valid credentials or certificates during the new authentication attempt, the session will be processed normally. ISE also does not reuse cached results from the old SSID because the authorization context may differ. For example, one SSID may enforce certificate-based authentication, while another may require user credentials, posture checks, or guest portal redirects. Cached results would not be appropriate or secure across SSIDs.
Instead, ISE treats the connection to the new SSID as a completely new session. It performs authentication again—whether that is EAP-TLS, PEAP, MAB, or another method—and reevaluates the authorization policy based on the rules that apply to that SSID. This ensures that all security policies, VLAN assignments, downloadable ACLs, and SGTs are correctly applied according to the new wireless network’s configuration.
Therefore, the correct behavior is that ISE treats it as a new session and reevaluates authentication and authorization.