Question 161:
How does Cisco ISE determine authorization when a wired domain computer successfully completes machine authentication at boot using EAP-TLS, but no user logs in for several hours and the inactivity timer expires?
A) ISE maintains machine authorization indefinitely
B) ISE triggers reauthentication and applies machine-only authorization again upon successful 802.1X
C) ISE forces MAB because no user is logged in
D) ISE drops the session and denies all access until a user logs in
Answer: B
Explanation:
Machine authentication occurs when a domain-joined device boots and performs 802.1X authentication using the computer certificate. This establishes that the device itself is trusted and belongs to the organization. However, machine authentication does not imply a user session is active. Device-only access is typically restrictive, granting connectivity to domain controllers, update servers, certificate enrollment systems, and limited internal infrastructure. Because many devices sit idle at the login screen for long periods, Cisco ISE must determine how to handle authorization when inactivity timers expire or the switch initiates periodic reauthentication.
When the inactivity timer expires, the switch requests reauthentication. Because no user has logged in, there is no user EAP method or credential available, so the device again performs machine authentication using its device certificate. ISE evaluates the request and recognizes it as a machine-only session. For this reason, option B is correct: ISE applies machine-only authorization again after the fresh 802.1X cycle. The device remains in a restricted pre-login state until a user initiates a login that triggers user authentication.
Option A is incorrect because ISE does not maintain authorization indefinitely. Expired sessions must reauthenticate to maintain a Zero Trust posture.
Option C is incorrect because the device is fully capable of performing 802.1X machine authentication. It does not fall back to MAB unless 802.1X signaling fails entirely.
Option D is incorrect because ISE does not deny access simply because no user is present. Machines often require network connectivity before user login for patching, GPO updates, and certificate renewal. Removing all access would break normal enterprise workflows.
Machine-only authorization is a fundamental NAC concept that supports security while enabling essential background functions. It ensures that domain machines maintain limited but necessary access even when no user is present. Therefore, B is correct.
Question 162:
How does Cisco ISE determine access when a user authenticates on a wired port using PEAP-MSCHAPv2, but the device is simultaneously profiled as a VoIP phone based on CDP and LLDP attributes?
A) ISE prioritizes user authentication and grants user-level access
B) ISE prioritizes the profiling result and applies the VoIP authorization policy
C) ISE blocks the port due to conflicting device identity information
D) ISE merges both authorization outcomes into a combined policy
Answer: B
Explanation:
VoIP phones and similar network-attached devices often include an integrated switch port that allows a workstation to connect through the phone. In such designs, the phone performs MAB while the workstation performs 802.1X authentication. However, sometimes a workstation is mistakenly connected to a phone-designated port or the phone firmware misreports LLDP/CDP attributes. This creates a scenario where ISE sees user authentication but also receives profiling probes classifying the device as a phone.
Option B is correct because Cisco ISE considers profiling data a strong indicator of device type, and device-type restrictions often take precedence over user authentication. A VoIP device typically requires highly specific network access, such as voice VLAN assignment or restricted ACLs allowing SIP and TFTP. If profiling conclusively identifies the endpoint as a VoIP device, ISE applies the VoIP authorization result—even if PEAP authentication succeeded. This prevents unauthorized devices from receiving full network access simply by logging in with user credentials.
Option A is incorrect because authentication is not always the dominant factor. User authentication cannot override device profile restrictions that protect network segmentation.
Option C is incorrect because ISE does not block the port by default. Instead, it applies the most appropriate authorization profile based on known behavior and policy.
Option D is incorrect because merging dACLs, SGTs, and VLAN assignments from multiple policies is unsupported and would create unpredictable enforcement.
Profiling protects networks from users attempting to bypass access controls by connecting unauthorized devices. If profiling and authentication conflict, profiling often takes precedence because device identity is harder to forge. Thus, B is the correct answer.
Question 163:
How does Cisco ISE determine the enforcement result when an AnyConnect VPN session establishes successfully but downloads a new posture requirement list midway through the session?
A) ISE ignores the new posture requirements until the next VPN reconnect
B) ISE triggers immediate posture re-evaluation and may update authorization through CoA
C) ISE terminates the VPN tunnel
D) ISE considers the existing posture decision final for the entire session
Answer: B
Explanation:
Posture assessments are not one-time events; they are dynamic evaluations that adapt to changing policies and endpoint conditions. VPN environments frequently update posture requirements, especially in large deployments where new compliance mandates or threat advisories require rapid enforcement. When the posture module receives new requirements from ISE during an active VPN session—such as a rule that disk encryption must now be enabled or that antivirus definitions must be updated—ISE must reevaluate the posture state in real time.
Option B is correct because ISE uses AnyConnect posture events combined with CoA capabilities to reevaluate the session immediately. When the agent detects new posture requirements, it notifies ISE, which recalculates the device’s compliance status. If the device does not meet the new conditions, ISE applies a posture-required or non-compliant authorization profile. This may restrict access using dACLs, quarantine groups, or VPN policy limitations. If requirements are met, full access continues without interruption.
Option A is incorrect because delaying posture enforcement until reconnect would leave the network vulnerable.
Option C is incorrect because termination is used only in extreme NAC violations, not for normal posture policy updates.
Option D is incorrect because posture statuses are not final; they are continuously evaluated.
Dynamic posture updates are essential to Zero Trust security, enabling rapid enforcement changes across large remote worker populations. Therefore, B is correct.
Question 164:
How does Cisco ISE determine authorization when a switch is configured for multi-auth and two devices on the same port authenticate using different methods, such as one with 802.1X and one with MAB?
A) ISE applies a single authorization profile to all devices on the port
B) ISE applies separate authorization results to each authenticated MAC address
C) ISE denies MAB if 802.1X is present
D) ISE limits the port to voice VLAN only
Answer: B
Explanation:
When a switchport is configured for multi-auth, Cisco ISE does not apply one blanket authorization result to every device on that port. Multi-auth is specifically designed for environments where multiple independently authenticated endpoints may connect through the same port, such as a laptop connected behind a phone or multiple devices behind a mini-switch. Because each device presents its own authentication, ISE evaluates each MAC address separately.
ISE does not deny MAB simply because 802.1X is present. In multi-auth setups, some devices will use 802.1X while others may rely on MAB, depending on their capabilities. Both methods can coexist and are processed individually. Likewise, ISE does not force the port into a voice-only VLAN. Voice VLAN assignments are used only for phone endpoints and do not limit the authorization of data devices.
The correct behavior is that ISE applies separate authorization results to each authenticated MAC address. Each device’s policy is determined independently, allowing for different VLANs, ACLs, or Security Group Tags based on its identity and authentication method.
Question 165:
How does Cisco ISE determine enforcement when an EAP-TLS wireless client roams between access points and fast transition mechanisms like 802.11r are enabled?
A) ISE performs full authentication for every roam event
B) ISE uses session caching and skip-authentication mechanisms to maintain authorization
C) ISE forces the device to reauthenticate using PEAP
D) ISE drops the session every time the client roams
Answer: B
Explanation:
When a wireless client roams between access points, Cisco ISE does not force a full authentication cycle for every movement. Modern wireless deployments rely on mechanisms such as fast secure roaming, session caching, and key caching to avoid unnecessary reauthentication events. These mechanisms allow the controller or access points to preserve the security context of the client so that the session remains active while the device moves across the network. Because the authorization has already been established, ISE does not need to reprocess a complete authentication flow each time the client transitions between APs.
ISE also does not force the device to reauthenticate with PEAP or any other EAP method on every roam. This would introduce delays, increase authentication load, and degrade user experience. Likewise, ISE does not drop or terminate the session during roaming. Dropping sessions would cause constant disruptions, especially in environments like voice-over-Wi-Fi or real-time applications where seamless continuity is essential.
Instead, ISE relies on the wireless infrastructure’s caching and fast-roam capabilities to maintain the client’s existing authorization without requiring full reauthentication. This allows the device to move freely across the wireless environment while keeping its policies intact. Thus, ISE maintains authorization by using session caching and skip-authentication mechanisms rather than reauthenticating or dropping the session each time the client roams.
Question 166:
How does Cisco ISE determine access when a device authenticated by MAB later starts sending EAPOL frames indicating an attempt to switch to 802.1X?
A) ISE maintains MAB indefinitely
B) The switch restarts authentication and ISE handles the new 802.1X session
C) ISE denies the new authentication attempt
D) ISE blocks all traffic until reauthentication completes
Answer: B
Explanation:
When a device initially authenticated using MAC Authentication Bypass and later begins sending valid 802.1X traffic, the switch does not continue using MAB. Instead, it restarts authentication using 802.1X, which is the stronger and preferred method. The arrival of 802.1X EAP frames triggers the switch to replace the existing MAB session with a new 802.1X session. Cisco ISE then processes this new authentication attempt as a fresh session and evaluates it according to the configured identity and authorization policies.
ISE does not deny the new authentication attempt, because switching from MAB to 802.1X is expected behavior in many device boot-up processes. It also does not block all traffic during this transition. The session change is handled smoothly, and the device’s access is updated once the new 802.1X authentication completes. Likewise, ISE does not maintain MAB indefinitely; MAB is only a fallback when 802.1X is unavailable. Once 802.1X becomes active, it fully replaces MAB.
Therefore, the correct behavior is that the switch restarts authentication and ISE handles the new 802.1X session.
Question 167:
How does Cisco ISE determine posture state when the AnyConnect agent reports partial compliance, meaning some checks pass while others fail?
A) ISE treats partial compliance as full success
B) ISE treats partial compliance as non-compliant
C) ISE approves compliance if at least half the checks pass
D) ISE ignores failing checks
Answer: B
Explanation:
ISE does not treat partial compliance as a successful posture result. In a posture policy, any check marked as required must pass for the device to be considered compliant. If even one required condition fails—such as antivirus being disabled, the firewall being off, patches missing, or disk encryption not detected—ISE marks the entire posture evaluation as non-compliant.
ISE does not approve a device based on a percentage of checks passing, and it does not ignore failing checks. Allowing partial success would weaken posture enforcement and create gaps in security. Instead, the endpoint is placed into a remediation or restricted authorization state until all required checks report success.
Therefore, partial compliance is treated as non-compliance.
Question 168:
How does Cisco ISE handle authorization when a wireless client authenticates successfully but fails the post-authentication redirect to a required onboarding or posture portal?
A) ISE grants full access
B) ISE keeps the client in redirect authorization until the redirect is completed
C) ISE disconnects the session
D) ISE bypasses portal checks
Answer: B
Explanation:
When a client is placed into a redirect authorization state, Cisco ISE does not grant full access because the user has not yet completed the required portal workflow. Redirect states are intentionally restrictive and provide only enough network access for the client to reach the necessary web portal, such as a guest login page, onboarding portal, or posture redirection site. Until the workflow is completed, ISE maintains this limited-access state.
ISE does not disconnect the session simply because the redirect has not been completed. Doing so would prevent users from progressing through the portal and would break the intended workflow. Likewise, ISE does not bypass portal checks, because the entire purpose of the redirect is to ensure that the user takes the required action before receiving higher levels of access.
Instead, ISE keeps the client in the redirect authorization state until the redirect process is successfully completed. Only after the portal authentication, onboarding step, or posture validation is finished will ISE update the authorization and trigger the switch or controller to apply the appropriate full-access policy.
Therefore, the correct behavior is that ISE keeps the client in redirect authorization until the redirect is completed.
Question 169:
How does Cisco ISE determine authorization when a switch port is configured for multi-domain authentication and both a phone and workstation authenticate using 802.1X?
A) Only one device is allowed
B) ISE applies separate results to voice and data domains
C) ISE blocks the data device
D) ISE combines both into a single dACL
Answer: B
Explanation:
When a switchport is configured to support both a voice device (such as an IP phone) and a data device (such as a connected workstation), Cisco ISE does not treat them as a single session. The port operates with two separate authentication domains: the voice VLAN domain and the data VLAN domain. Each domain creates its own authentication session, which ISE evaluates independently.
ISE does not limit the port to only one device. Multi-domain authentication is specifically designed for this common phone-plus-PC topology. Likewise, ISE does not block the data device, since the purpose of the configuration is to allow both endpoints to authenticate. The switch also does not combine voice and data results into a single downloadable ACL, because each device may require very different access policies. An IP phone typically needs limited access to call control systems, while the attached workstation requires user-based authorization.
Instead, ISE applies separate authentication and authorization results to each domain. The phone may authenticate with MAB or 802.1X and receive a voice-specific policy, VLAN, or QoS settings, while the workstation receives its own authorization based on EAP-TLS, PEAP, or MAB. The switch maintains these as independent sessions, ensuring that security policies remain accurate for each device type.
Therefore, the correct behavior is that ISE applies separate results to the voice and data domains.
Question 170:
How does Cisco ISE determine access when a device fails EAP-TLS due to certificate expiration but succeeds immediately with MAB fallback?
A) ISE gives full access
B) ISE applies restricted MAB authorization
C) ISE denies MAB because 802.1X failed
D) ISE forcefully disconnects the port
Answer: B
Explanation:
When 802.1X fails on a port and the switch falls back to MAC Authentication Bypass, Cisco ISE does not treat the endpoint as a fully trusted device. Because MAB relies only on a MAC address—which provides no identity assurance and can be spoofed—ISE never grants full access in this situation. Full access is reserved for strong authentication methods such as EAP-TLS or other 802.1X methods.
ISE also does not deny MAB just because 802.1X failed. MAB is the intended fallback mechanism for devices that either cannot complete 802.1X or are not yet ready to begin it. As long as MAB is enabled on the switchport, the MAB request will be forwarded to ISE and evaluated normally.
Forcefully disconnecting the port is not part of the MAB workflow. Port shutdowns occur only when administrators explicitly configure errdisable-type protections, which are unrelated to authentication outcomes. ISE does not instruct the switch to disconnect the port simply because a device fell back to MAB.
What actually happens is that ISE applies a restricted or low-trust MAB authorization profile. This typically includes a limited VLAN, a remediation ACL, or a highly restricted dACL. The idea is to allow the device only the minimal connectivity necessary for onboarding or remediation without exposing the network to unnecessary risk.
Therefore, the correct behavior is that ISE applies restricted MAB authorization.
Question 171:
How does Cisco ISE determine the correct authorization when a wireless client authenticates successfully using EAP-TLS, but the endpoint is simultaneously flagged by the Endpoint Compliance module as requiring mandatory OS patch updates?
A) ISE ignores compliance flags because authentication was successful
B) ISE applies a posture-required authorization profile through CoA, even though EAP-TLS succeeded
C) ISE disconnects the session immediately
D) ISE moves the device into guest mode
Answer: B
Explanation:
Even though EAP-TLS provides one of the strongest identity verification mechanisms, Cisco ISE does not rely on authentication alone to determine full authorization. Endpoint security posture is equally important because strong identity without proper system hygiene creates unacceptable attack surfaces. A device can possess a valid certificate and still pose security risks if its operating system lacks required security patches, contains outdated software, or fails internal compliance rules set by the organization.
When ISE receives a compliance signal from an external or internal posture module indicating that the device needs OS patches, it must update authorization results accordingly. Posture is always evaluated after authentication and can override otherwise successful authentication states. This is why option B is correct: ISE uses Change of Authorization (CoA) to transition the device from its original authorization state to a posture-required state. During this update, the device is restricted to a remediation VLAN or a dACL that only permits patch servers, update repositories, or compliance portals.
Option A is incorrect because authentication success does not supersede posture requirements. Zero Trust NAC principles require continuous verification of device health.
Option C is incorrect because disconnecting the device is not the intended workflow for posture remediation. ISE typically aims to maintain connectivity while guiding the device toward compliance.
Option D is incorrect because guest mode is reserved for non-authenticated and non-managed endpoints. A non-compliant but authenticated corporate device does not fall into the guest category.
The entire design of Cisco ISE’s posture integration is built around dynamically adapting authorization based on compliance status. Even if identity authentication is perfect, authorization can be downgraded, restricted, or elevated as the device’s posture changes. As soon as the compliance issue is resolved and the posture module reports success, ISE again sends a CoA to restore appropriate access. For these reasons, B is the correct answer.
Question 172:
How does Cisco ISE determine access when a device authenticates via PEAP-MSCHAPv2, but the switch’s DHCP snooping and profiling data identify the device as a personal mobile hotspot violating corporate onboarding policy?
A) ISE provides full network access because a valid user logged in
B) ISE overrides user authentication and applies hotspot-restricted authorization
C) ISE blocks the port and disables it permanently
D) ISE forces the device into VPN-only mode
Answer: B
Explanation:
A major responsibility of Cisco ISE in enterprise NAC environments is preventing rogue devices from acquiring unauthorized network access. Although PEAP-MSCHAPv2 validates user credentials, it does not validate the actual device type. Users may unintentionally (or intentionally) connect personal devices such as mobile hotspots, which can undermine network security by allowing external connections, bypassing firewalls, and exposing sensitive traffic.
Cisco ISE’s profiling engine plays a critical role here. DHCP snooping information, OUI patterns, vendor class identifiers, and traffic fingerprinting often allow ISE to detect that a device is functioning as a personal hotspot. Profiling data carries high weight in ISE’s authorization decisions because device type is a key factor in enforcing Zero Trust principles.
Option B is correct because authorization can be reduced or completely restricted based on profiling results, even if authentication was successful. When a hotspot is detected, ISE can apply a restricted dACL, place the endpoint into a quarantine VLAN, or otherwise prevent normal internal access. This enforces compliance with corporate device policies and reduces risk from unmanaged devices.
Option A is incorrect because authentication does not override security policy. Profiling often has priority over user authentication because authentication only validates credentials—not device legitimacy.
Option C is incorrect because ISE does not permanently disable ports unless explicitly configured under switch-level policies. NAC systems avoid permanent disruptions.
Option D is incorrect because forcing VPN usage is not part of hotspot mitigation in Cisco ISE workflows.
Profiling is essential for identifying unauthorized device behavior. When profiling contradicts user authentication, profiling usually wins. Therefore, B is the correct answer.
Question 173:
How does Cisco ISE determine final authorization when TEAP EAP-chaining succeeds for both machine and user identities, but the machine is part of a restricted AD organizational unit requiring stricter network controls?
A) ISE grants full access because user authentication overrides machine identity
B) ISE applies the most restrictive authorization between machine and user policies
C) ISE denies all access due to conflicting identity attributes
D) ISE applies only the user policy and ignores machine OU membership
Answer: B
Explanation:
TEAP EAP-chaining allows Cisco ISE to evaluate machine and user identity simultaneously within the same authentication transaction. This enables granular policy decisions that consider both the device status and the user privileges. In many enterprise environments, machines are grouped into Active Directory OUs based on risk or business function. Devices in certain OUs—such as administrative, staging, R&D, HR, or restricted compliance zones—may require stricter access levels regardless of user identity.
Option B is correct because ISE is designed to evaluate all available identity attributes and apply the most restrictive policy when conflicts arise. Even if the user is fully authorized, the device itself may require segmentation due to compliance or security concerns. For example, a device belonging to a quarantined OU may be placed in a limited-access VLAN, even if an authorized employee logs in.
Option A is incorrect because user authentication does not override machine restrictions. Machine identity provides critical context for NAC.
Option C is incorrect because conflicts do not result in denial unless explicitly configured.
Option D is incorrect because ISE does not ignore machine identity during TEAP chaining; both are first-class citizens in policy decisions.
Cisco ISE’s approach ensures that risky or restricted devices cannot escalate access simply because a privileged user logs in. This is a core principle of Zero Trust access control. Therefore, B is correct.
Question 174:
How does Cisco ISE determine appropriate enforcement when an EAP-FAST client reconnects and attempts to use an outdated PAC while the server requires a newer PAC version due to policy changes?
A) ISE accepts the outdated PAC and grants full access
B) ISE triggers PAC renewal by rejecting authentication and forcing provisioning
C) ISE falls back to MAB because PAC is invalid
D) ISE switches the client to PEAP automatically
Answer: B
Explanation:
Protected Access Credentials (PACs) are essential components of EAP-FAST authentication. They serve as cryptographically secure tokens that accelerate future authentications. PACs have lifetimes, version numbers, and policy requirements. When administrators update authentication policies, rotate PAC keys, or modify certificate hierarchies, new PACs must be issued. If a client attempts authentication using an outdated PAC, Cisco ISE cannot complete the EAP-FAST handshake correctly.
Option B is correct because ISE forces a new PAC provisioning cycle. The outdated PAC is rejected, and the client is guided through the provisioning phase to install a new PAC that matches the updated server configuration. This ensures continued secure authentication and alignment with security policy.
Option A is incorrect because accepting outdated PACs would pose a significant security risk.
Option C is incorrect because EAP-FAST does not fall back to MAB. A PAC issue is not an authentication method failure.
Option D is incorrect because automatic switching to a different EAP method is not supported.
PAC renewal ensures continued trustworthiness of EAP-FAST as security requirements evolve. Thus, B is correct.
Question 175:
How does Cisco ISE determine authorization when a device first authenticates via MAB, but during the same session the profiling engine later identifies it as a high-risk IoT device based on NMAP-like behavior or unusual traffic signatures?
A) ISE ignores profiling changes once the device is authenticated
B) ISE triggers an adaptive network control action and updates authorization
C) ISE leaves the session unchanged until the next authentication cycle
D) ISE deletes the endpoint from its database
Answer: B
Explanation:
IoT devices authenticated via MAB are common in enterprise environments. Since MAB does not provide identity assurance, profiling becomes essential to determine device type and risk. Cisco ISE continuously monitors profiling attributes using DHCP, SNMP, HTTP, RADIUS accounting, and pxGrid threat signals. If the device begins exhibiting unusual traffic patterns—such as scanning ports, probing networks, or performing lateral movement—profiling policies may classify the device as high-risk.
Option B is correct because ISE uses Adaptive Network Control (ANC) to update authorization dynamically based on new risk classification. A CoA may be triggered, and the device could be placed in a quarantine VLAN, restricted using a dACL, or isolated entirely.
Option A is incorrect because profiling continues after authentication.
Option C is incorrect because NAC requires real-time reaction, not delayed enforcement.
Option D is incorrect because deleting the endpoint does not solve the issue.
ISE’s adaptive policy model ensures that authorization reflects real-time risk, especially for IoT devices. Thus, B is correct.
Question 176:
How does Cisco ISE determine final policy when a TEAP-chained session succeeds but the resulting SGT is not supported by the downstream switch due to hardware limitations?
A) ISE denies access
B) The switch applies the default SGT such as Unknown
C) ISE forces a fallback to MAB
D) ISE instructs the switch to use VLAN assignment only
Answer: B
Explanation:
When Cisco ISE authenticates a device but does not return a Security Group Tag (SGT), the switch does not reject the session and does not force MAB fallback. Authentication has already succeeded, so there is no reason for the switch or ISE to deny access or restart the authentication workflow. Likewise, ISE does not automatically revert to MAB because 802.1X (or the chosen method) is already functioning correctly.
The switch also does not assign the default SGT in this specific scenario if the authorization profile explicitly provides no SGT at all. Default/Unknown SGT is used when TrustSec tagging is active but undefined; however, in environments where the policy intentionally omits SGT assignments, the switch simply falls back on other authorization parameters such as VLAN, ACLs, or dACLs provided by ISE.
In these situations, ISE instructs the switch to enforce whatever non-SGT authorization elements are included in the authorization profile. Most commonly, that means the switch relies on VLAN assignment, ACLs, or other policy elements defined in the ISE authorization result, without tagging traffic.
Therefore, the correct behavior is that the switch applies the VLAN assignment (or other policy elements) provided by ISE even when no SGT is included.
Question 177:
How does Cisco ISE determine access when AnyConnect VPN authentication succeeds, but the connecting device is simultaneously flagged by EDR tools through pxGrid as infected or compromised?
A) ISE grants full access because authentication succeeded
B) ISE applies threat-based authorization and quarantines the device
C) ISE disconnects all VPN sessions globally
D) ISE switches the device into guest mode
Answer: B
Explanation:
When a device successfully authenticates but Cisco ISE receives a threat alert about it through pxGrid or another integrated security feed, ISE does not simply grant full access. Authentication only confirms identity; it does not guarantee that the device is safe. Because of this, ISE continues to evaluate the device’s risk level based on external threat intelligence.
ISE also does not disconnect all VPN sessions globally. Threat responses are always targeted at the specific endpoint that triggered the alert, not at unrelated users. Likewise, ISE does not switch the device into guest mode, because guest workflows are unrelated to threat posture and require an explicit guest authentication process.
Instead, when a threat alert is received, ISE applies the threat-based authorization rules defined in policy. This often results in quarantining the device, issuing a Change of Authorization, applying a restrictive ACL, or moving the device into a containment VLAN. The purpose is to isolate the compromised endpoint while still allowing administrators to investigate and remediate the issue.
Therefore, the correct behavior is that ISE applies threat-based authorization and quarantines the device.
Question 178:
How does Cisco ISE determine the authorization result when a device authenticated via EAP-TLS loses its certificate due to local corruption and falls back to MAB on the next connection attempt?
A) ISE grants the same authorization as EAP-TLS
B) ISE applies low-trust MAB authorization
C) ISE denies all access
D) ISE forces the device to re-install its certificate
Answer: B
Explanation:
When a device that normally authenticates using EAP-TLS suddenly fails certificate-based authentication and falls back to MAC Authentication Bypass, Cisco ISE does not treat the session as equivalent to EAP-TLS. Certificate-based authentication provides a strong, cryptographically validated identity tied to a known machine or user. MAB, on the other hand, relies only on a MAC address, which is weak, spoofable, and provides no user or device assurance. Because of this, ISE cannot grant the device the same level of access it would receive under EAP-TLS.
ISE does not deny all access outright, because MAB is intentionally used as a fallback method to allow limited connectivity for devices that cannot authenticate with 802.1X. Denial would prevent basic remediation or onboarding actions. ISE also does not force the device to reinstall its certificate—certificate lifecycle management happens outside the authorization process and is not triggered automatically from MAB events.
Instead, when the endpoint falls back to MAB, ISE applies the low-trust authorization profile associated with MAC Authentication Bypass. This typically results in limited connectivity, such as placement in a remediation VLAN, a restricted downloadable ACL, or a minimal-access role. The goal is to avoid granting excessive access to an identity that cannot be cryptographically validated.
Therefore, the correct behavior is that ISE applies low-trust MAB authorization.
Question 179:
How does Cisco ISE determine access when a device authenticates successfully but subsequently violates dACL policy by attempting prohibited lateral communication?
A) ISE ignores violations
B) ISE may trigger adaptive network actions and reassign authorization
C) ISE forces reauthentication
D) ISE moves device to guest network
Answer: B
Explanation:
When Cisco ISE detects CoA violations, it does not simply ignore them. CoA-related issues usually indicate that an endpoint is not behaving as expected during changes in authorization, posture transitions, or profiling updates. Because these events can affect the security posture of the network, ISE may take action based on the violation type and the policies in place.
It does not automatically force a reauthentication unless a specific policy requires it, and it does not move the device to a guest network, since guest access is designed for visitors who complete a guest workflow, not for handling violations.
Instead, ISE may trigger adaptive network actions that adjust the device’s authorization. These actions can include applying a more restrictive authorization profile, placing the endpoint into a quarantine VLAN, sending an updated ACL, or reassigning the device’s access rights. This allows ISE to maintain security while responding appropriately to unexpected session behavior.
Therefore, the correct behavior is that ISE may trigger adaptive network actions and reassign authorization.
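The three explanations above (Questions 177, 178 and 179) share one mechanism: an ordered, first-match authorization policy that is re-evaluated when session state changes, with a Change of Authorization pushed only for the affected endpoint. The following Python model is an added illustration of that behavior, not Cisco code and not an ISE API; the rule names, profile names, VLAN and dACL labels, and the session attributes are all constructed for the example. It also shows a point the text implies but does not state: because evaluation is first-match, a threat-quarantine rule placed below the EAP-TLS rules never fires for an authenticated device.

```python
"""Added illustration of first-match authorization with threat-driven
re-evaluation and per-endpoint CoA.  Not Cisco ISE code; all names and
attribute values below are constructed for the example."""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    mac: str
    auth_method: str            # "EAP-TLS" or "MAB" (constructed attribute)
    user_logged_in: bool = False
    threat_flag: bool = False   # set when a pxGrid/EDR feed reports the endpoint


@dataclass(frozen=True)
class AuthzResult:
    profile: str
    vlan: Optional[str] = None
    dacl: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[Session], bool]
    result: AuthzResult


# Ordered policy set, evaluated top-down with first match winning.
# The threat rule deliberately sits ABOVE the EAP-TLS rules so that a
# compromised device is quarantined even though its authentication succeeded.
POLICY: List[Rule] = [
    Rule("Quarantine_Threat",
         lambda s: s.threat_flag,
         AuthzResult("Quarantine", vlan="QUARANTINE", dacl="PERMIT-REMEDIATION-ONLY")),
    Rule("Domain_User_EAPTLS",
         lambda s: s.auth_method == "EAP-TLS" and s.user_logged_in,
         AuthzResult("Corp_Full_Access", vlan="CORP")),
    Rule("Domain_Machine_EAPTLS",
         lambda s: s.auth_method == "EAP-TLS",
         AuthzResult("Machine_Only", vlan="CORP", dacl="PERMIT-DC-AND-UPDATES")),
    Rule("MAB_Fallback",
         lambda s: s.auth_method == "MAB",
         AuthzResult("Low_Trust_MAB", vlan="REMEDIATION", dacl="PERMIT-ONBOARDING-ONLY")),
]
DEFAULT_DENY = AuthzResult("DenyAccess")

# Same rules with the threat rule moved last: a common misconfiguration.
MISORDERED_POLICY: List[Rule] = POLICY[1:] + POLICY[:1]


def authorize(session: Session, policy: List[Rule] = POLICY) -> AuthzResult:
    """Return the result of the first rule whose condition matches."""
    for rule in policy:
        if rule.condition(session):
            return rule.result
    return DEFAULT_DENY


class SessionTable:
    """Tracks live sessions and emits a CoA only when re-evaluation changes the result."""

    def __init__(self, policy: List[Rule] = POLICY) -> None:
        self.policy = policy
        self.sessions: Dict[str, Tuple[Session, AuthzResult]] = {}

    def connect(self, session: Session) -> AuthzResult:
        result = authorize(session, self.policy)
        self.sessions[session.mac] = (session, result)
        return result

    def threat_event(self, mac: str, compromised: bool = True) -> Optional[dict]:
        """pxGrid-style notification for ONE endpoint; other sessions are untouched.

        Returns a CoA description when the authorization result changes, else None.
        """
        if mac not in self.sessions:
            return None
        old_session, old_result = self.sessions[mac]
        new_session = replace(old_session, threat_flag=compromised)
        new_result = authorize(new_session, self.policy)
        self.sessions[mac] = (new_session, new_result)
        if new_result != old_result:
            return {"coa": "reauthorize", "mac": mac,
                    "from": old_result.profile, "to": new_result.profile}
        return None


if __name__ == "__main__":
    table = SessionTable()
    table.connect(Session("aa:bb:cc:00:00:01", "EAP-TLS", user_logged_in=True))
    table.connect(Session("aa:bb:cc:00:00:02", "EAP-TLS", user_logged_in=True))
    print(table.threat_event("aa:bb:cc:00:00:01"))      # CoA to Quarantine for :01 only
    print(authorize(Session("aa:bb:cc:00:00:03", "MAB")))  # Low_Trust_MAB
```

Running the `__main__` section shows the CoA being generated for the flagged endpoint while the second session keeps its full-access result, and a MAB session landing in the low-trust profile. Evaluating a flagged EAP-TLS user against `MISORDERED_POLICY` returns `Corp_Full_Access`, which is exactly the outcome Question 177's option A warns against; rule order, not authentication strength, decides the result.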
Question 180:
How does Cisco ISE determine final enforcement when a wireless client uses WPA3-Enterprise with EAP-TLS but attempts to access resources restricted by an SGT-to-SGT matrix rule?
A) ISE overrides the SGT matrix
B) The SGT matrix determines allowed traffic regardless of authentication strength
C) ISE grants full access
D) ISE falls back to VLAN-only enforcement
Answer: B
Explanation:
When Cisco ISE detects profiling anomalies, it does not ignore them. Profiling exists specifically to recognize devices accurately and detect when their behavior changes in a way that may indicate misclassification or a potential security issue. Ignoring these anomalies would defeat the purpose of profiling intelligence.
ISE also does not delete the endpoint record. Endpoint deletion is an administrative action and is not automatically triggered by profiling changes. Likewise, converting the session to guest mode is not appropriate, because guest workflows are based on explicit guest authentication or onboarding, not on profiling behavior.
Instead, when profiling anomalies occur—especially when new device characteristics conflict with the previously assigned profile—ISE may trigger adaptive network control actions. These actions can include placing the device into a quarantine or restricted VLAN, applying a more restrictive ACL, or issuing a Change of Authorization to reevaluate the device’s access. This response helps contain potentially suspicious behavior while allowing administrators to investigate further.
Therefore, the correct behavior is that ISE triggers adaptive network control actions such as quarantine.