Verified 300-715 Exam Dumps Q&As - Provide 300-715 with Correct Answers [Q32-Q56]



Once you have completed the session, you will be prepared to sit and pass the 300-715 exam. Here are some of the course objectives:

  • Gain an understanding of the deployment of Cisco ISE, its advantages, and how each of the different components contributes to these benefits;
  • Understand and demonstrate the use of components associated with 802.1X and MAC Authentication Bypass (MAB) authentication;
  • Show how you can use Cisco ISE policies to comply with the requirements of your company;
  • Show an understanding of BYOD issues, solutions, procedures, and platforms;
  • Demonstrate knowledge of Network Access Devices (NADs), Cisco TrustSec, Easy Connect, and how you can use them at work.

Before registering, there are prerequisites to meet. They include familiarity with Cisco IOS Software CLI, 802.1X, Microsoft Windows OS, and more. The benefits of studying with this course for exam 300-715 include building skills and qualifications for high-demand job roles. Completion of this training also comes with 40 CE credits, which will be considered when recertifying.

 

NEW QUESTION 32
Which scenario does not support Cisco ISE guest services?

  • A. wireless LAN controller with central WebAuth
  • B. wired NAD with central WebAuth
  • C. wireless LAN controller with local WebAuth
  • D. wired NAD with local WebAuth

Answer: D

 

NEW QUESTION 33
Which supplicant(s) and server(s) are capable of supporting EAP-CHAINING?

  • A. Cisco Secure Services Client and Cisco Access Control Server
  • B. Windows Native Supplicant and Cisco Identity Service Engine
  • C. Cisco AnyConnect NAM and Cisco Access Control Server
  • D. Cisco AnyConnect NAM and Cisco Identity Service Engine

Answer: D

 

NEW QUESTION 34
Which protocol must be allowed for a BYOD device to access the BYOD portal?

  • A. SSH
  • B. HTTP
  • C. SMTP
  • D. HTTPS

Answer: A

 

NEW QUESTION 35
Which two values are compared by the binary comparison function in authentication that is based on Active Directory? (Choose Two)

  • A. user-presented certificate and a certificate stored in Active Directory
  • B. user-presented password hash and a hash stored in Active Directory
  • C. MS-CHAPv2 provided machine credentials and credentials stored in Active Directory
  • D. subject alternative name and the common name

Answer: C,D

Explanation:
Basic certificate checking does not require an identity source. If you want binary comparison checking for the certificates, you must select an identity source. If you select Active Directory as an identity source, subject and common name and subject alternative name (all values) can be used to look up a user.
https://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_01110.html

 

NEW QUESTION 36
Which interface-level command is needed to turn on 802.1X authentication?

  • A. dot1x system-auth-control
  • B. aaa server radius dynamic-author
  • C. authentication host-mode single-host
  • D. dot1x pae authenticator

Answer: A

 

NEW QUESTION 37
Which two values are compared by the binary comparison function in authentication that is based on Active Directory?

  • A. user-presented certificate and a certificate stored in Active Directory
  • B. user-presented password hash and a hash stored in Active Directory
  • C. MS-CHAPv2 provided machine credentials and credentials stored in Active Directory
  • D. subject alternative name and the common name

Answer: C,D

Explanation:
Basic certificate checking does not require an identity source. If you want binary comparison checking for the certificates, you must select an identity source. If you select Active Directory as an identity source, subject and common name and subject alternative name (all values) can be used to look up a user.
https://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_01110.html

 

NEW QUESTION 38
What allows an endpoint to obtain a digital certificate from Cisco ISE during a BYOD flow?

  • A. Application Visibility and Control
  • B. Network Access Control
  • C. My Devices Portal
  • D. Supplicant Provisioning Wizard

Answer: C

 

NEW QUESTION 39
What gives Cisco ISE an option to scan endpoints for vulnerabilities?

  • A. authorization profile
  • B. authorization policy
  • C. authentication profile
  • D. authentication policy

Answer: A

 

NEW QUESTION 40
What is the minimum certainty factor when creating a profiler policy?

  • A. the minimum number that a predefined condition provides
  • B. the maximum number that a predefined condition provides
  • C. the minimum number that a device certainty factor must reach to become a member of the profile
  • D. the maximum number that a device certainty factor must reach to become a member of the profile

Answer: B

 

NEW QUESTION 41
An administrator is configuring TACACS+ on a Cisco switch but cannot authenticate users with Cisco ISE. The configuration contains the correct key of Cisc039712287, but the switch is not receiving a response from the Cisco ISE instance. What must be done to validate the AAA configuration and identify the problem with the TACACS+ servers?

  • A. Validate that the key value is correct using the test aaa authentication admin <key> legacy command.
  • B. Confirm the authorization policies are correct using the test aaa authorization admin drop legacy command.
  • C. Check for server reachability using the test aaa group tacacs+ admin <key> legacy command.
  • D. Test the user account on the server using the test aaa group radius server CUCS user admin pass <key> legacy command.

Answer: C

Explanation:
https://medium.com/training-course-ccna-security-210-260/ccna-security-part-3-implementing-aaa-in-cisco-ios-4b13ab285f51

 

NEW QUESTION 42
What occurs when a Cisco ISE distributed deployment has two nodes and the secondary node is deregistered?

  • A. The primary node becomes standalone
  • B. The secondary node restarts.
  • C. The primary node restarts
  • D. Both nodes restart.

Answer: D

Explanation:
https://www.cisco.com/c/en/us/td/docs/security/ise/1-1-1/installation_guide/ise_install_guide/ise_deploy.html
If your deployment has two nodes and you deregister the secondary node, both nodes in this primary-secondary pair are restarted. (The former primary and secondary nodes become standalone.)

 

NEW QUESTION 43
A Cisco ISE server sends a CoA to a NAD after a user logs in successfully using CWA. Which action does the CoA perform?

  • A. It terminates the client session
  • B. It triggers the NAD to reauthenticate the client
  • C. It applies new permissions provided in the CoA to the client session.
  • D. It applies the downloadable ACL provided in the CoA

Answer: D

Explanation:
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/113362-config-web-auth-ise-00.html

 

NEW QUESTION 44
An organization is adding new profiling probes to the system to improve profiling on Cisco ISE. The probes must support a common network management protocol to receive information about the endpoints and the ports to which they are connected. What must be configured on the network device to accomplish this goal?

  • A. ARP
  • B. SNMP
  • C. ICMP
  • D. WCCP

Answer: C

 

NEW QUESTION 45
An organization wants to standardize the 802.1X configuration on their switches and remove static ACLs on the switch ports while allowing Cisco ISE to communicate to the switch what access to provide. What must be configured to accomplish this task?

  • A. port security on the switch based on the client's information
  • B. dynamic access list within the authorization profile
  • C. security group tag within the authorization policy
  • D. extended access-list on the switch for the client

Answer: C

Explanation:
https://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_sga_pol.html#

 

NEW QUESTION 46
In a Cisco ISE split deployment model, which load is split between the nodes?

  • A. network admission
  • B. device admission
  • C. AAA
  • D. log collection

Answer: C

Explanation:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/install_guide/b_ise_InstallationGuide26.pdf

 

NEW QUESTION 47
What is a valid guest portal type?

  • A. Captive-Guest
  • B. My Devices
  • C. Sponsored-Guest
  • D. Sponsor

Answer: C

Explanation:
Section: Web Auth and Guest Services
Explanation/Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_01111.html

 

NEW QUESTION 48
Which two default endpoint identity groups does Cisco ISE create? (Choose two.)

  • A. block list
  • B. allow list
  • C. profiled
  • D. endpoint
  • E. unknown

Answer: C,E

Explanation:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_010100.html
Default Endpoint Identity Groups Created for Endpoints
Cisco ISE creates the following five endpoint identity groups by default: Blacklist, GuestEndpoints, Profiled, RegisteredDevices, and Unknown. In addition, it creates two more identity groups, such as Cisco-IP-Phone and Workstation, which are associated to the Profiled (parent) identity group. A parent group is the default identity group that exists in the system.
Cisco ISE creates the following endpoint identity groups:

  • Blacklist: This endpoint identity group includes endpoints that are statically assigned to this group in Cisco ISE and endpoints that are block listed in the device registration portal. An authorization profile can be defined in Cisco ISE to permit, or deny network access to endpoints in this group.
  • GuestEndpoints: This endpoint identity group includes endpoints that are used by guest users.
  • Profiled: This endpoint identity group includes endpoints that match endpoint profiling policies except Cisco IP phones and workstations in Cisco ISE.
  • RegisteredDevices: This endpoint identity group includes endpoints, which are registered devices that are added by an employee through the devices registration portal. The profiling service continues to profile these devices normally when they are assigned to this group. Endpoints are statically assigned to this group in Cisco ISE, and the profiling service cannot reassign them to any other identity group. These devices will appear like any other endpoint in the endpoints list. You can edit, delete, and block these devices that you added through the device registration portal from the endpoints list in the Endpoints page in Cisco ISE. Devices that you have blocked in the device registration portal are assigned to the Blacklist endpoint identity group, and an authorization profile that exists in Cisco ISE redirects blocked devices to a URL, which displays "Unauthorised Network Access", a default portal page to the blocked devices.
  • Unknown: This endpoint identity group includes endpoints that do not match any profile in Cisco ISE.

In addition to the above system created endpoint identity groups, Cisco ISE creates the following endpoint identity groups, which are associated to the Profiled identity group:

  • Cisco-IP-Phone: An identity group that contains all the profiled Cisco IP phones on your network.
  • Workstation: An identity group that contains all the profiled workstations on your network.

 

NEW QUESTION 49

Refer to the exhibit. In which scenario does this switch configuration apply?

  • A. when allowing a hub with multiple clients connected
  • B. when passing IP phone authentication
  • C. when preventing users with hypervisor
  • D. when allowing multiple IP phones to be connected

Answer: A

Explanation:
https://www.linkedin.com/pulse/mac-authentication-bypass-priyanka-kumari#:~:text=Multi%2Dauthentication%

 

NEW QUESTION 50
Which two features are available when the primary admin node is down and the secondary admin node has not been promoted? (Choose two)

  • A. new AD user 802.1X authentication
  • B. BYOD
  • C. hotspot
  • D. guest AUP

Answer: A,B

 

NEW QUESTION 51
An administrator is configuring RADIUS on a Cisco switch with a key set to Cisc403012128 but is receiving the error "Authentication failed: 22040 Wrong password or invalid shared secret." What must be done to address this issue?

  • A. Configure the key on the Cisco ISE instead of the Cisco switch.
  • B. Use a key that is between eight and ten characters.
  • C. Add the network device as a NAD inside Cisco ISE using the existing key.
  • D. Validate that the key is correct on both the Cisco switch as well as Cisco ISE.

Answer: C

 

NEW QUESTION 52
Which term refers to an endpoint agent that tries to join an 802.1X-enabled network?

  • A. client
  • B. authenticator
  • C. EAP server
  • D. supplicant

Answer: D

Explanation:
Reference:
https://www.oreilly.com/library/view/cisco-ise-for/9780133103632/ch16.html#:~:text=What%20is%20a%20supplicant%3F,networks%2C%20both%20wired%20and%20wireless.&text=The%20802.1X%20transactions%20are,Identity%20Services%20Engine%20(ISE).

 

NEW QUESTION 53
A network administrator changed a Cisco ISE deployment from pilot to production and noticed that the JVM memory utilization increased significantly. The administrator suspects this is due to replication between the nodes. What must be configured to minimize performance degradation?

  • A. Change the reauthenticate interval.
  • B. Review the profiling policies for any misconfiguration
  • C. Enable the endpoint attribute filter
  • D. Ensure that Cisco ISE is updated with the latest profiler feed update

Answer: C

Explanation:
Reference:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_010111.html

 

NEW QUESTION 54
When setting up profiling in an environment using Cisco ISE for network access control, an organization must use non-proprietary protocols for collecting the information at layer 2. Which two probes will provide this information without forwarding SPAN packets to Cisco ISE? (Choose two.)

  • A. SNMP query probe
  • B. NetFlow probe
  • C. DNS probe
  • D. RADIUS probe
  • E. DHCP SPAN probe

Answer: A,D

Explanation:
https://ciscocustomer.lookbookhq.com/iseguidedjourney/ISE-profiling-design

 

NEW QUESTION 55
An organization wants to implement 802.1X and is debating whether to use PEAP-MSCHAPv2 or PEAP-EAP-TLS for authentication. Drag the characteristics on the left to the corresponding protocol on the right.

Answer:

Explanation:

 

NEW QUESTION 56
......
