Practice 350-701 Secure Network Access, Visibility and Enforcement questions with full explanations on every answer.
1. A network administrator is configuring Cisco ISE to enforce access control based on user authentication. The company requires that only users who authenticate via Active Directory are allowed access to the corporate wireless network. Which policy should be configured in ISE to accomplish this?
2. A company uses Cisco ISE for network access control. Users connecting via wired 802.1X are successfully authenticated but cannot reach the internet. The administrator checks the authorization policy and notices that the correct dACL is being applied. What is the most likely cause of the issue?
3. An organization is implementing TrustSec to enforce micro-segmentation. The Security Group Tag (SGT) is assigned to a user via ISE after authentication. However, traffic from this user to a server with SGT 5 is being dropped. The administrator checks the SGACL configuration on the switch and finds the following: 'permit ip source 2 destination 5'. What is the most likely reason for the traffic being dropped?
4. A company is deploying Cisco ISE for guest access. They want to provide a self-service portal where guests can register their devices and receive a temporary username and password. Which ISE component is used to accomplish this?
5. An engineer is troubleshooting a Cisco ISE deployment where some endpoints are not being profiled correctly. The administrator notices that the endpoints are not sending DHCP requests. Which profiling probe should be primarily used to identify these endpoints?
6. A network administrator wants to implement 802.1X on a Cisco switch port for a device that does not support 802.1X. Which feature should be configured to allow the device to connect?
7. An organization is using Cisco ISE to enforce posture compliance. Endpoints that are non-compliant should be placed into a quarantine VLAN. Which ISE policy component is used to assign the VLAN?
8. A security engineer is configuring Cisco ISE to enforce SGT-based access control. The engineer creates an SGACL on the switch that permits traffic from SGT 10 to SGT 20. However, traffic from SGT 10 to SGT 20 is still being dropped. The engineer verifies that the SGTs are correctly assigned. What is a possible reason for the drop?
9. Which TWO of the following are valid methods for Cisco ISE to collect endpoint attributes for profiling? (Choose TWO)
10. Which THREE of the following are required for a successful 802.1X authentication on a Cisco switch? (Choose THREE)
11. Which TWO of the following are features of Cisco TrustSec? (Choose TWO)
12. A multinational corporation is deploying Cisco ISE to enforce network access for both wired and wireless users. The company has 5,000 employees and 2,000 guest users daily. The ISE deployment consists of two nodes: a primary Administration Node (PAN) and a Monitoring Node (MNT). All policies are configured on the PAN. Recently, the company has experienced intermittent authentication failures during peak hours. The failures affect both wired 802.1X and wireless users. The syslogs show 'RADIUS request dropped' messages on the ISE nodes. The network team has verified that the RADIUS shared secret is correct and that the network devices can reach the ISE nodes. The ISE nodes have sufficient CPU and memory. However, the authentication failures correlate with times when the number of concurrent sessions exceeds 500. What is the most likely cause of the issue?
13. A university is using Cisco ISE to provide secure wireless access for students and faculty. The wireless network uses WPA2-Enterprise with PEAP-MSCHAPv2. Recently, some faculty members reported that they cannot connect to the wireless network from their personal laptops, while student devices connect without issues. The faculty members are using the same SSID and entering their credentials correctly. The ISE logs show that the authentication attempts from faculty devices are failing with 'RADIUS Access-Reject' due to incorrect credentials. However, the faculty members are certain they are using the correct password. The IT department has verified that the user accounts in Active Directory are active and not locked. What is the most likely cause of the issue?
14. A network administrator is troubleshooting an issue where users in the finance VLAN are unable to access a critical server in the server VLAN. The switch logs show multiple 'Authentication failed' messages for MAC addresses in the finance VLAN. The switchport security feature is enabled on the access ports. What is the most likely cause of the issue?
15. A security architect is designing network access control for a campus network. The requirement is to authenticate users before granting network access and to enforce policies based on user identity and device posture. Which solution should be deployed?
16. A company has deployed Cisco ISE for network access control. After a recent upgrade, the operations team notices that some users are being assigned incorrect authorization profiles. The ISE logs show that the users are being matched to the correct identity group, but the authorization result is different from expected. What is the most likely cause?
17. A network engineer is implementing TrustSec on a Cisco switch. The goal is to tag traffic from the engineering VLAN with Security Group Tag (SGT) 10 and enforce policies on upstream switches. Which configuration is required on the access switch to propagate the SGT?
18. Which THREE of the following are valid components of Cisco ISE's visibility and enforcement architecture?
19. Refer to the exhibit. A network administrator is troubleshooting device tracking on a Cisco switch. The output shows two devices in VLAN 100. The switch is configured with IPv6 first-hop security features. The administrator notices that the device with MAC address aaaa.bbbb.cccc is not receiving RA guard protection. What is the most likely reason?
20. A large enterprise has deployed Cisco ISE for network access control. The network consists of multiple access switches and wireless LAN controllers. The security team wants to enforce that only domain-joined Windows computers with up-to-date antivirus can access the corporate network. Non-compliant devices should be placed in a quarantine VLAN with limited access to remediation servers. The ISE policies are configured with posture assessment. However, during a test, a non-compliant Windows computer is granted full network access instead of being quarantined. The ISE logs show that the posture assessment passed, but the computer's antivirus is outdated. What is the most likely reason for this behavior?
21. A network administrator is troubleshooting an issue where users in the Sales VLAN cannot access the internet through the Cisco Firepower Threat Defense (FTD) device. The FTD is configured with a security policy that allows traffic from the Sales subnet to any destination. However, the traffic is being blocked. Which feature should the administrator check first to resolve the issue?
22. Which TWO configuration steps are required to implement 802.1X authentication on a Cisco switch for wired clients?
23. A network administrator has configured the above on a Cisco switch port for a device that supports both MAB and 802.1X. The device sends an EAPOL-start but the switch responds with an EAP-Request/Identity. The device does not respond to the EAP-Request/Identity. After a timeout, the switch attempts MAB. However, MAB also fails because the RADIUS server does not have the MAC address. Which of the following best describes the final port state?
24. Drag and drop the steps to troubleshoot an IPsec VPN failure where Phase 1 is not completing into the correct order.
25. Drag and drop the steps to configure NetFlow on a Cisco IOS router for traffic monitoring in the correct order.
26. Match each Cisco security product to its category.
27. Match each Cisco security command to its function.
28. A network engineer notices that some Windows 10 clients fail to authenticate via 802.1X after a recent OS update. The supplicant shows 'EAPOL-Start' but never receives an EAP-Request/Identity. The switch port is configured with 'authentication port-control auto' and 'dot1x pae authenticator'. What is the most likely cause?
29. An ISE deployment uses TrustSec with SGTs assigned by Active Directory group membership. A group of users in the 'Finance' AD group is correctly receiving SGT 5, but a new user added to that group is getting SGT 0. The ISE policy is unchanged, and other users in the group work fine. What is the most likely cause?
30. A network administrator wants to implement 802.1X authentication on a switch port that connects a printer. The printer does not support 802.1X, so the administrator configures MAC Authentication Bypass (MAB) as a fallback method. Which command must be included in the switch port configuration to ensure MAB is attempted after 802.1X times out?
31. An engineer is troubleshooting a user who cannot access the network after successful 802.1X authentication. The user's PC receives an IP address from DHCP, but cannot reach the internet. The switch port is in the correct VLAN (10) after authentication. The ISE posture policy requires the user to install a corporate certificate, but the user skipped that step. What is the most likely cause of the internet access failure?
32. During a network audit, an engineer finds that a switch configured for 802.1X is allowing a device to access the network without authentication. The switch logs show 'MAB failed', 'dot1x failed', but the port is in the forwarding state. The port configuration includes 'authentication fallback final mab' and 'dot1x timeout server-timeout 10'. What is the most likely explanation?
33. An organization uses ISE for wireless LAN authentication via 802.1X with PEAP-MSCHAPv2. Users authenticate against Active Directory. Recently, some users report that after changing their domain password, they cannot connect to the wireless network for about 30 minutes. What is the most likely cause?
34. A network engineer is deploying TrustSec using SGT over VXLAN in a data center fabric. The fabric switches are configured as VXLAN Tunnel Endpoints (VTEPs). The engineer must ensure that SGT information is propagated from the border leaves to the spine. Which mechanism should be used?
35. An engineer is configuring ISE for guest access via a sponsor portal. The policy requires that a sponsor must approve each guest. However, guests are being automatically approved without sponsor interaction. What is the most likely misconfiguration?
36. During a security incident, an engineer needs to quickly quarantine an endpoint that is connected to a switch via 802.1X. The engineer wants to use ISE to send a Change of Authorization (CoA) to move the port to a restrictive VLAN. What must be configured on the switch to allow ISE to send CoA?
37. Which TWO are valid methods for determining the SGT (Security Group Tag) assigned to an endpoint in a TrustSec deployment?
38. Which THREE are characteristics of Cisco ISE profiler service?
39. Which TWO are valid options for configuring a switch port to handle authentication failures in an 802.1X environment? (Select two.)
40. Refer to the exhibit. A user has successfully authenticated via 802.1X. However, the SGT (Security Group Tag) assigned is 0, which is the default untagged value. Which configuration change would most likely allow ISE to assign a non-zero SGT for this user?
41. Refer to the exhibit. A switch port is configured for 802.1X with MAB. The switch has reached its maximum number of authentication sessions (platform limit). When a new device attempts to connect, what happens?
42. Refer to the exhibit. An engineer configured ISE to use both Active Directory and LDAP for authentication. Users from Active Directory are unable to authenticate. What is the most likely reason?
43. A network administrator is troubleshooting intermittent authentication failures on a switch port configured for 802.1X with MAB fallback. Users can connect but get dropped after a few minutes. What is the most likely cause?
44. A company wants to implement software-defined segmentation using Cisco ISE and TrustSec. Which component is responsible for assigning the Security Group Tag (SGT) to packets at the ingress?
45. An engineer is deploying Cisco ISE for guest access. The guest portal uses a self-provisioned username and password. To ensure secure credential transmission, which protocol should be enforced on the portal?
46. An administrator needs to ensure that only authorized hosts can connect to a switch port. The port is connected to a single PC. Which 802.1X host mode should be configured?
47. A company is deploying Cisco ISE to enforce access policies based on endpoint posture. Endpoints must be compliant before being granted full network access. Which policy type is used to define the compliance requirements?
48. An engineer notices that the 'show authentication sessions' command on a switch shows a session in 'CRITICAL' state. What does this indicate?
49. A network administrator wants to centrally manage and enforce access policies for wired and wireless users. Which Cisco product provides this functionality?
50. An organization requires that all endpoint traffic be verified against a security policy before being forwarded. Which Cisco umbrella solution provides this capability?
51. During a security incident, an investigator wants to identify all endpoints that communicated with a known malicious IP address within the last 24 hours. Which Cisco tool is best suited for this forensic analysis?
52. A user connected to port Gi1/0/1 cannot access the network. Based on the output, what is the most likely cause?
53. A guest device in VLAN 200 attempts to reach a server at 10.10.1.1. What happens to the traffic?
54. An endpoint with MAC 0011.2233.4455 and user 'guest' authenticates but fails. However, the device is not assigned to quarantine. Which policy condition is most likely responsible for the unexpected behavior?
55. A network engineer is implementing Cisco TrustSec. Which two components are required to enforce Security Group Access Control List (SGACL) policies? (Choose two)
56. An administrator is configuring 802.1X on a switch port for both an IP phone and a PC. Which two commands should be configured to support this scenario? (Choose two)
57. A company is deploying Cisco ISE for network access control. Which three policies must be configured to enforce access based on device posture? (Choose three)
58. A network engineer configures ISE for 802.1X with PEAP-MSCHAPv2. Users report intermittent authentication failures on certain switches. The engineer checks ISE logs and sees 'Authentication failed' with reason 'User not found in identity store'. What is the most likely issue?
59. An organization wants to implement MAC Authentication Bypass (MAB) for devices that do not support 802.1X. Which configuration is required on a Cisco switch to allow MAB fallback?
60. In a Cisco TrustSec environment, a network administrator observes that traffic between two endpoints in the same SGT group is being denied. The relevant switch has CTS configured with 'cts manual' and 'policy static sgt 10'. What is the most probable cause?
61. Which protocol does Cisco ISE use to communicate with the pxGrid controller for sharing contextual data?
62. A laptop fails to authenticate via 802.1X on a Cisco switch. The switch logs show: 'Authentication failed for user 'jdoe' on interface GigabitEthernet1/0/24: EAP session timeout.' What is the most likely cause?
63. You are troubleshooting a Cisco ISE deployment where some endpoints are stuck in the 'Not Compliant' posture after a posture scan. ISE logs show 'Conditional NAC Agent result: Not Compliant due to missing required application.' The application is installed on the endpoint. What should you check?
64. An organization wants to provide guest wireless access with a captive portal. Which Cisco ISE portal type should be used?
65. Which Cisco security product provides network visibility and traffic analytics using NetFlow and IPFIX?
66. In a Cisco TrustSec deployment, you want to dynamically assign SGTs based on user authentication. Which mechanism should you use?
67. Which TWO conditions must be met for a Cisco switch to initiate 802.1X authentication? (Choose two.)
68. Which THREE are valid methods to obtain security group tags (SGTs) on a Cisco switch? (Choose three.)
69. Which TWO are common causes for CoA (Change of Authorization) failures in a Cisco ISE deployment? (Choose two.)
70. Refer to the exhibit. An engineer configures this interface for 802.1X. Users report that after successful authentication, they are forced to reauthenticate every hour even though the authentication session is still active. What configuration change should be made to prevent reauthentication unless triggered by a change?
71. Refer to the exhibit. An ISE administrator sees this error in the logs. What is the most likely cause?
72. Refer to the exhibit. A network analyst reviews a Stealthwatch flow analysis output. What is the most likely interpretation?
73. A network engineer is configuring 802.1X on a Cisco switch for wired clients. After configuration, some clients fail authentication. The engineer notices that the clients are not sending any EAP packets. What is the most likely cause?
74. A company uses Cisco ISE for network access control. They have deployed TrustSec and want to enforce segmentation using Security Group Tags (SGTs). The network team reports that SGTs are not being propagated correctly. Which protocol is responsible for SGT propagation between switches?
75. An organization is deploying Cisco ISE with passive identity mapping from Active Directory. They notice that users are not being correctly identified on the network, and some workstations are appearing with multiple IP addresses. What is the most likely cause?
76. The ISE logs show 'Authentication failed - RADIUS attribute Calling-Station-ID is missing' for a wired client. What is the most likely cause?
77. A company uses Cisco ISE for posture assessment. They require that all endpoints meet a certain set of compliance rules before being granted network access. Which service is responsible for performing the posture assessment on the endpoint?
78. An organization is deploying Cisco TrustSec and uses SXP to propagate SGTs between routers that do not support SGT inline tagging. The SXP connection is established, but the SGT mappings are not being learned. The administrator checks 'show sxp connections' and sees the connection is in 'On' state. What is the most likely issue?
79. A junior engineer is configuring MAB (MAC Authentication Bypass) on a Cisco switch for legacy printers. After configuration, the printers are still being placed into the default VLAN instead of the authorized VLAN. Which configuration is missing?
80. A network engineer is troubleshooting an issue where a user's device is successfully authenticated via 802.1X, but the user cannot access the corporate network. ISE logs show that the user was granted access with a downloadable ACL (dACL). What could be the cause of no network access?
81. A company is using Cisco ISE for guest access. They have configured a guest portal with a self-registration page. Some guests report that after registering, they are not redirected to the success page but instead see a '401 Unauthorized' error. What is the most likely cause?
82. Refer to the exhibit. A network administrator is troubleshooting a wired client that has successfully authenticated using MAB. However, the client is unable to access resources beyond the local subnet. What is the most likely cause?
83. Refer to the exhibit. A network administrator reviews the ISE live log for a successful 802.1X authentication. After authentication, the user is unable to make VoIP calls. What is the most likely cause?
84. Which TWO of the following are authentication methods used for wired network access in Cisco ISE?
85. Which TWO methods can be used to propagate SGT information between devices that do not support SGT inline tagging?
86. Which THREE attributes can be used in an ISE authorization policy based on endpoint identity?
87. A large enterprise has deployed Cisco ISE for network access control with 802.1X and MAB across its wired and wireless networks. The network consists of Cisco Catalyst switches, Cisco Wireless LAN Controllers (WLCs), and ISE in a distributed deployment with three Policy Service Nodes (PSNs) and an Admin Node. Recently, the company implemented a new security policy requiring all endpoints to pass posture assessment before gaining full network access. The posture assessment uses AnyConnect ISE Posture Module. Shortly after the change, users report that some wired clients are unable to connect to the network. The ISE logs show that the authentication is successful, but the session is terminated immediately with a 'Session-Timeout' attribute set to 0. The network team notices that the affected clients are all connected to switches running older Cisco IOS versions. The ISE administrator confirms that the authorization profiles for the affected clients include a session-timeout of 1 hour. Which course of action should the network engineer take to resolve the issue?
88. A network engineer is troubleshooting an 802.1X deployment where some Windows 10 endpoints fail to authenticate. Logs show that the client sends an EAPoL-Start but never receives an EAP-Request/Identity. The switch port configuration is:
    interface GigabitEthernet0/1
     switchport mode access
     authentication port-control auto
     dot1x pae authenticator
    Which additional command is most likely needed?
89. A company is deploying Cisco TrustSec to enforce micro-segmentation between data center servers. The security team wants to use Security Group Tags (SGTs) assigned dynamically via ISE. Which method should the engineer use to propagate SGTs to the access switches that connect the servers, assuming the network uses Cisco Nexus 9000 switches and ISE as the policy server?
90. An engineer is implementing Cisco ISE posture assessment for corporate Windows laptops. The requirement: endpoints that are missing critical Microsoft security patches must be quarantined in a remediation VLAN. The ISE posture policy uses an 'Application Condition' to check for the patch. However, some laptops with missing patches are still allowed access. During testing, the engineer notices that the posture agent reports 'NAC Agent: Posture Unknown' for those laptops. What is the most likely cause?
91. A large enterprise uses Cisco ISE with pxGrid to share context with Firepower for threat containment. When Firepower detects an infected endpoint, it triggers a pxGrid quarantine action that changes the endpoint's authorization profile. The engineer observes that the quarantine is applied, but after Firepower clears the threat, the endpoint does not regain its original access. What is the most likely reason?
92. Which TWO factors should be considered when designing a Cisco ISE deployment for network access control (NAC) in a multi-site environment? (Choose two.)
93. Which THREE capabilities are provided by Cisco ISE's visibility services within the Secure Network Access domain? (Choose three.)
94. A hospital is deploying Cisco ISE for network access control. They have a mix of employee laptops, medical devices (e.g., infusion pumps), and guest smartphones. The network uses Cisco Catalyst 9300 switches and Aironet 3700 series access points. For medical devices, the policy must use MAC Authentication Bypass (MAB) since they are 802.1X incapable. The ISE policy authenticates via MAB and then assigns the device to a specific VLAN for medical devices. During a pilot, the network team notices that some infusion pumps (MAC: 00:1A:2B:3C:4D:5E) are failing MAB authentication. The switch logs show 'Authentication failed for MAC 001a.2b3c.4d5e on interface GigabitEthernet1/0/10'. ISE logs show 'Authentication failed - RADIUS server rejected - Reason: Invalid Endpoint ID'. The engineer has verified the MAC address is in the ISE endpoint repository with correct identity group. What should the engineer check next to resolve this issue?
95. A university is implementing 802.1X for student wireless networks using Cisco Wireless LAN Controllers (WLCs) and ISE. Students connect with their personal devices using PEAP-MSCHAPv2. During heavy usage, some students report authentication failures and sporadic disconnections. The network team examines the ISE live logs and sees many 'Authentication failed' entries with reason 'Internal error - unable to find a suitable proxy target'. The team has configured two ISE nodes as authentication proxies for the wireless subnets. What is the most likely cause of this issue?
96. A financial company is deploying Cisco ISE with TrustSec to enforce segmentation between application tiers (web, app, DB). They have a Cisco Catalyst 9500 as the core, and Catalyst 9300s as access switches. The SXP is configured between ISE and core switch, and the core switch propagates SGTs to access switches via SGT inline tagging on trunk ports. The engineer has configured SGTs for web (SGT=2), app (SGT=3), DB (SGT=4). However, when testing from a web server (IP 10.1.1.10, SGT=2) to an app server (IP 10.1.2.20, SGT=3), the app server sees the traffic without SGT in the packet, so the access switch cannot enforce policy. The engineer checks 'show cts role-based sgt-map' on the core and sees the mapping for 10.1.1.10 -> 2. What is the most likely issue?
97. A small business uses Cisco ISE to authenticate employees via Active Directory. The company has a single ISE node and two Catalyst 2960-X switches. Employees connect to the network and are successfully authenticated using 802.1X with PEAP. The business wants to provide guest wireless access using a separate SSID with a captive portal. The engineer configures a new WLAN on the WLC (Cisco 2504) pointing to the same ISE node. Guest users can associate to the WLAN and get an IP address, but when they open a browser, they do not see the captive portal page; instead, they get a 'Connection refused' error. The engineer verifies that the guest portal is enabled on ISE and the WLC is configured to use ISE for RADIUS. What is the most likely cause?
98. A multinational corporation is implementing ISE for wired network access using 802.1X with EAP-TLS certificate authentication. Their Windows 10 laptops have certificates issued by an internal PKI. During testing, some users report that they are repeatedly prompted to select a certificate after connecting, and eventually authentication fails. ISE logs show 'Authentication failed - No matching certificate found'. The engineer checks the client machine and sees multiple certificates, including the correct one, in the personal store. The ISE endpoint identity store is populated with the user's AD credentials. What is the most likely cause of this failure?
99. A government agency is deploying Cisco ISE with a posture agent to ensure endpoints comply with security policies before accessing the network. The posture policy requires that all Windows computers have antivirus (AV) software running. The engineer configures a condition 'AV installed and running' and binds it to an authorization profile that grants full access if compliant, or quarantine if not. During testing, a computer that has AV installed and running (verified manually) is placed in quarantine. ISE logs show 'Posture - AV condition not satisfied'. The engineer checks the ISE posture configuration: the AV condition uses a default Cisco AV dictionary. What is the most likely cause?
100. A network administrator is configuring 802.1X for wired access on a Cisco switch. The switch is configured for RADIUS using a Cisco ISE server. During testing, a client that supports 802.1X is unable to authenticate and fails to gain network access. The administrator checks the switch logs and sees "Authentication failed: invalid EAP code received". What is the most likely cause?
101. A Cisco TrustSec deployment is being implemented to enforce micro-segmentation. The security team needs to ensure that Security Group Tags (SGTs) are propagated across the network. Which THREE methods can be used to distribute SGT information in a TrustSec environment? (Choose three.)
102. Refer to the exhibit. Based on the exhibit, what is the current state of the client and what action should the network administrator take to allow full network access?
The Secure Network Access, Visibility and Enforcement domain covers the key concepts tested in this area of the 350-701 exam blueprint published by Cisco. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all 350-701 domains — no account required.
The Courseiva 350-701 question bank contains 102 questions in the Secure Network Access, Visibility and Enforcement domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Secure Network Access, Visibility and Enforcement domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.