
350-701 Secure Network Access, Visibility and Enforcement • Complete Question Bank

350-701 Secure Network Access, Visibility and Enforcement — All Questions With Answers

Complete 350-701 Secure Network Access, Visibility and Enforcement question bank — all 0 questions with answers and detailed explanations.

102 Questions • Free • No signup
Question 1 (easy, multiple choice)

A network administrator is configuring Cisco ISE to enforce access control based on user authentication. The company requires that only users who authenticate via Active Directory are allowed access to the corporate wireless network. Which policy should be configured in ISE to accomplish this?

Question 2 (medium, multiple choice)

A company uses Cisco ISE for network access control. Users connecting via wired 802.1X are successfully authenticated but cannot reach the internet. The administrator checks the authorization policy and notices that the correct dACL is being applied. What is the most likely cause of the issue?

Question 3 (hard, multiple choice)

An organization is implementing TrustSec to enforce micro-segmentation. The Security Group Tag (SGT) is assigned to a user via ISE after authentication. However, traffic from this user to a server with SGT 5 is being dropped. The administrator checks the SGACL configuration on the switch and finds the following: 'permit ip source 2 destination 5'. What is the most likely reason for the traffic being dropped?

Question 4 (medium, multiple choice)

A company is deploying Cisco ISE for guest access. They want to provide a self-service portal where guests can register their devices and receive a temporary username and password. Which ISE component is used to accomplish this?

Question 5 (hard, multiple choice)

An engineer is troubleshooting a Cisco ISE deployment where some endpoints are not being profiled correctly. The administrator notices that the endpoints are not sending DHCP requests. Which profiling probe should be primarily used to identify these endpoints?

Question 6 (easy, multiple choice)

A network administrator wants to implement 802.1X on a Cisco switch port for a device that does not support 802.1X. Which feature should be configured to allow the device to connect?

Question 7 (medium, multiple choice)

An organization is using Cisco ISE to enforce posture compliance. Endpoints that are non-compliant should be placed into a quarantine VLAN. Which ISE policy component is used to assign the VLAN?

Question 8 (hard, multiple choice)

A security engineer is configuring Cisco ISE to enforce SGT-based access control. The engineer creates an SGACL on the switch that permits traffic from SGT 10 to SGT 20. However, traffic from SGT 10 to SGT 20 is still being dropped. The engineer verifies that the SGTs are correctly assigned. What is a possible reason for the drop?

Question 9 (medium, multi select)

Which TWO of the following are valid methods for Cisco ISE to collect endpoint attributes for profiling? (Choose TWO)

Question 10 (hard, multi select)

Which THREE of the following are required for a successful 802.1X authentication on a Cisco switch? (Choose THREE)

Question 11 (easy, multi select)

Which TWO of the following are features of Cisco TrustSec? (Choose TWO)

Question 12 (hard, multiple choice)

A multinational corporation is deploying Cisco ISE to enforce network access for both wired and wireless users. The company has 5,000 employees and 2,000 guest users daily. The ISE deployment consists of two nodes: a primary Administration Node (PAN) and a Monitoring Node (MNT). All policies are configured on the PAN. Recently, the company has experienced intermittent authentication failures during peak hours. The failures affect both wired 802.1X and wireless users. The syslogs show 'RADIUS request dropped' messages on the ISE nodes. The network team has verified that the RADIUS shared secret is correct and that the network devices can reach the ISE nodes. The ISE nodes have sufficient CPU and memory. However, the authentication failures correlate with times when the number of concurrent sessions exceeds 500. What is the most likely cause of the issue?

Question 13 (medium, multiple choice)

A university is using Cisco ISE to provide secure wireless access for students and faculty. The wireless network uses WPA2-Enterprise with PEAP-MSCHAPv2. Recently, some faculty members reported that they cannot connect to the wireless network from their personal laptops, while student devices connect without issues. The faculty members are using the same SSID and entering their credentials correctly. The ISE logs show that the authentication attempts from faculty devices are failing with 'RADIUS Access-Reject' due to incorrect credentials. However, the faculty members are certain they are using the correct password. The IT department has verified that the user accounts in Active Directory are active and not locked. What is the most likely cause of the issue?

Question 14 (medium, multiple choice)

A network administrator is troubleshooting an issue where users in the finance VLAN are unable to access a critical server in the server VLAN. The switch logs show multiple 'Authentication failed' messages for MAC addresses in the finance VLAN. The switchport security feature is enabled on the access ports. What is the most likely cause of the issue?

Question 15 (easy, multiple choice)

A security architect is designing network access control for a campus network. The requirement is to authenticate users before granting network access and to enforce policies based on user identity and device posture. Which solution should be deployed?

Question 16 (hard, multiple choice)

A company has deployed Cisco ISE for network access control. After a recent upgrade, the operations team notices that some users are being assigned incorrect authorization profiles. The ISE logs show that the users are being matched to the correct identity group, but the authorization result is different from expected. What is the most likely cause?

Question 17 (medium, multiple choice)

A network engineer is implementing TrustSec on a Cisco switch. The goal is to tag traffic from the engineering VLAN with Security Group Tag (SGT) 10 and enforce policies on upstream switches. Which configuration is required on the access switch to propagate the SGT?

Question 18 (hard, multi select)

Which THREE of the following are valid components of Cisco ISE's visibility and enforcement architecture?

Question 19 (hard, multiple choice)

Refer to the exhibit. A network administrator is troubleshooting device tracking on a Cisco switch. The output shows two devices in VLAN 100. The switch is configured with IPv6 first-hop security features. The administrator notices that the device with MAC address aaaa.bbbb.cccc is not receiving RA guard protection. What is the most likely reason?

Exhibit

Router# show device-tracking database
 Device-tracking database for Vlan 100:
  Device ID     MAC Address      Interface      VLAN     Last seen
  *             0050.7966.6800   Gi0/1/0        100      00:00:12
  *             aaaa.bbbb.cccc   Gi0/1/1        100      00:00:05
Question 20 (medium, multiple choice)

A large enterprise has deployed Cisco ISE for network access control. The network consists of multiple access switches and wireless LAN controllers. The security team wants to enforce that only domain-joined Windows computers with up-to-date antivirus can access the corporate network. Non-compliant devices should be placed in a quarantine VLAN with limited access to remediation servers. The ISE policies are configured with posture assessment. However, during a test, a non-compliant Windows computer is granted full network access instead of being quarantined. The ISE logs show that the posture assessment passed, but the computer's antivirus is outdated. What is the most likely reason for this behavior?

Question 21 (easy, multiple choice)

A network administrator is troubleshooting an issue where users in the Sales VLAN cannot access the internet through the Cisco Firepower Threat Defense (FTD) device. The FTD is configured with a security policy that allows traffic from the Sales subnet to any destination. However, the traffic is being blocked. Which feature should the administrator check first to resolve the issue?

Question 22 (medium, multi select)

Which TWO configuration steps are required to implement 802.1X authentication on a Cisco switch for wired clients?

Question 23 (hard, multiple choice)

A network administrator has applied the configuration shown in the exhibit to a Cisco switch port for a device that supports both MAB and 802.1X. The device sends an EAPOL-Start, and the switch responds with an EAP-Request/Identity. The device does not respond to the EAP-Request/Identity. After a timeout, the switch attempts MAB. However, MAB also fails because the RADIUS server does not have the MAC address. Which of the following best describes the final port state?

Exhibit

Refer to the exhibit.

interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast

! RADIUS server configuration
radius server ISE
 address ipv4 10.1.1.100 auth-port 1812 acct-port 1813
 key cisco123

! Global AAA
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
Question 24 (medium, drag order)

Drag and drop the steps to troubleshoot an IPsec VPN failure where Phase 1 is not completing into the correct order.

Question 25 (medium, drag order)

Drag and drop the steps to configure NetFlow on a Cisco IOS router for traffic monitoring in the correct order.

Question 26 (medium, matching)

Match each Cisco security product to its category.


Next-Generation Firewall

Cloud-Delivered Security

Advanced Malware Protection

Identity Services Engine

Network Visibility and Detection

Question 27 (medium, matching)

Match each Cisco security command to its function.


Display IKE security associations

Display configured access control lists

Display firewall configuration and statistics

Enable IP packet debugging

Save running configuration to startup

Question 28 (medium, multiple choice)

A network engineer notices that some Windows 10 clients fail to authenticate via 802.1X after a recent OS update. The supplicant shows 'EAPOL-Start' but never receives an EAP-Request/Identity. The switch port is configured with 'authentication port-control auto' and 'dot1x pae authenticator'. What is the most likely cause?

Question 29 (hard, multiple choice)

An ISE deployment uses TrustSec with SGTs assigned by Active Directory group membership. A group of users in the 'Finance' AD group is correctly receiving SGT 5, but a new user added to that group is getting SGT 0. The ISE policy is unchanged, and other users in the group work fine. What is the most likely cause?

Question 30 (easy, multiple choice)

A network administrator wants to implement 802.1X authentication on a switch port that connects a printer. The printer does not support 802.1X, so the administrator configures MAC Authentication Bypass (MAB) as a fallback method. Which command must be included in the switch port configuration to ensure MAB is attempted after 802.1X times out?

Question 31 (medium, multiple choice)

An engineer is troubleshooting a user who cannot access the network after successful 802.1X authentication. The user's PC receives an IP address from DHCP, but cannot reach the internet. The switch port is in the correct VLAN (10) after authentication. The ISE posture policy requires the user to install a corporate certificate, but the user skipped that step. What is the most likely cause of the internet access failure?

Question 32 (hard, multiple choice)

During a network audit, an engineer finds that a switch configured for 802.1X is allowing a device to access the network without authentication. The switch logs show 'MAB failed', 'dot1x failed', but the port is in the forwarding state. The port configuration includes 'authentication fallback final mab' and 'dot1x timeout server-timeout 10'. What is the most likely explanation?

Question 33 (easy, multiple choice)

An organization uses ISE for wireless LAN authentication via 802.1X with PEAP-MSCHAPv2. Users authenticate against Active Directory. Recently, some users report that after changing their domain password, they cannot connect to the wireless network for about 30 minutes. What is the most likely cause?

Question 34 (medium, multiple choice)

A network engineer is deploying TrustSec using SGT over VXLAN in a data center fabric. The fabric switches are configured as VXLAN Tunnel Endpoints (VTEPs). The engineer must ensure that SGT information is propagated from the border leaves to the spine. Which mechanism should be used?

Question 35 (medium, multiple choice)

An engineer is configuring ISE for guest access via a sponsor portal. The policy requires that a sponsor must approve each guest. However, guests are being automatically approved without sponsor interaction. What is the most likely misconfiguration?

Question 36 (hard, multiple choice)

During a security incident, an engineer needs to quickly quarantine an endpoint that is connected to a switch via 802.1X. The engineer wants to use ISE to send a Change of Authorization (CoA) to move the port to a restrictive VLAN. What must be configured on the switch to allow ISE to send CoA?

Question 37 (easy, multi select)

Which TWO are valid methods for determining the SGT (Security Group Tag) assigned to an endpoint in a TrustSec deployment?

Question 38 (medium, multi select)

Which THREE are characteristics of Cisco ISE profiler service?

Question 39 (hard, multi select)

Which TWO are valid options for configuring a switch port to handle authentication failures in an 802.1X environment? (Select two.)

Question 40 (medium, multiple choice)

Refer to the exhibit. A user has successfully authenticated via 802.1X. However, the SGT (Security Group Tag) assigned is 0, which is the default untagged value. Which configuration change would most likely allow ISE to assign a non-zero SGT for this user?

Exhibit

Refer to the exhibit.

Switch# show authentication sessions interface GigabitEthernet1/0/10 details
Interface:  GigabitEthernet1/0/10
  MAC Address: aaaa.bbbb.cccc
  IP Address: 192.168.10.55
  Status: Authz Success
  Domain: DATA
  Oper host mode: multi-auth
  Oper control dir: both
  Authorized By: Authentication Server
  Vlan Policy: 10
  Session timeout: 3600s
  Client List:
    aaaa.bbbb.cccc:  dot1x
      EAP: PEAP, User-Name: jdoe
      Result: PASS
      SGT: 0
  AudIT: None
Question 41 (hard, multiple choice)

Refer to the exhibit. A switch port is configured for 802.1X with MAB. The switch has reached its maximum number of authentication sessions (platform limit). When a new device attempts to connect, what happens?

Exhibit

Refer to the exhibit.

interface GigabitEthernet1/0/1
 description User Access
 switchport access vlan 100
 switchport mode access
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 3600
 dot1x pae authenticator
 dot1x timeout tx-period 3
 dot1x max-reauth-req 2
 mab
!
!Global:
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.1.1.20 key cisco123
Question 42 (easy, multiple choice)

Refer to the exhibit. An engineer configured ISE to use both Active Directory and LDAP for authentication. Users from Active Directory are unable to authenticate. What is the most likely reason?

Exhibit

Refer to the exhibit.

ISE CLI output:
ise/admin# show aaa auth method all | include AD
AD_1: Active Directory (example.com)
  Status: Connected
  Last contact: 2 seconds ago
  Last error: None
  Domain Controllers: dc01.example.com (10.1.1.10), dc02.example.com (10.1.1.11)
  Is Allowed: True
  Users Authenticated: 0
ise/admin# show aaa auth method all | include LDAP
LDAP_1: LDAP (10.2.2.20)
  Status: Connected
  Last contact: 10 minutes ago
  Last error: Timeout
  Users Authenticated: 0
Question 43 (easy, multiple choice)

A network administrator is troubleshooting intermittent authentication failures on a switch port configured for 802.1X with MAB fallback. Users can connect but get dropped after a few minutes. What is the most likely cause?

Question 44 (medium, multiple choice)

A company wants to implement software-defined segmentation using Cisco ISE and TrustSec. Which component is responsible for assigning the Security Group Tag (SGT) to packets at the ingress?

Question 45 (hard, multiple choice)

An engineer is deploying Cisco ISE for guest access. The guest portal uses a self-provisioned username and password. To ensure secure credential transmission, which protocol should be enforced on the portal?

Question 46 (easy, multiple choice)

An administrator needs to ensure that only authorized hosts can connect to a switch port. The port is connected to a single PC. Which 802.1X host mode should be configured?

Question 47 (medium, multiple choice)

A company is deploying Cisco ISE to enforce access policies based on endpoint posture. Endpoints must be compliant before being granted full network access. Which policy type is used to define the compliance requirements?

Question 48 (hard, multiple choice)

An engineer notices that the 'show authentication sessions' command on a switch shows a session in 'CRITICAL' state. What does this indicate?

Question 49 (easy, multiple choice)

A network administrator wants to centrally manage and enforce access policies for wired and wireless users. Which Cisco product provides this functionality?

Question 50 (medium, multiple choice)

An organization requires that all endpoint traffic be verified against a security policy before being forwarded. Which Cisco umbrella solution provides this capability?

Question 51 (hard, multiple choice)

During a security incident, an investigator wants to identify all endpoints that communicated with a known malicious IP address within the last 24 hours. Which Cisco tool is best suited for this forensic analysis?

Question 52 (medium, multiple choice)

A user connected to port Gi1/0/1 cannot access the network. Based on the output, what is the most likely cause?

Exhibit

Refer to the exhibit.

Switch# show authentication sessions interface GigabitEthernet1/0/1 detail

Interface: GigabitEthernet1/0/1
  MAC Address: 0011.2233.4455
  IP Address: 192.168.1.15
  User-Name: hostA
  Status: Unauthorized
  Domain: DATA
  Oper host mode: single-host
  Authorized By: N/A
  Vlan Policy: N/A
  Session timeout: N/A
  Idle timeout: N/A
  Common Session ID: 0A0B0C0D0E0F0001
  Acct Session ID: 0x00000001
  Handle: 0x81000001

  Runnable method list: dot1x
  Last Authentication: Failed
  Reason: EAP-timeout
Question 53 (easy, multiple choice)

A guest device in VLAN 200 attempts to reach a server at 10.10.1.1. What happens to the traffic?

Exhibit

Refer to the exhibit.

! Switch configuration snippet
ip access-list extended BLOCK_GUEST
 deny ip any 10.10.0.0 0.0.255.255
 permit ip any any
!
vlan access-map BLOCK_MAP 10
 match ip address BLOCK_GUEST
 action drop
vlan access-map BLOCK_MAP 20
 action forward
!
vlan filter BLOCK_MAP vlan-list 200
Question 54 (hard, multiple choice)

An endpoint with MAC 0011.2233.4455 and user 'guest' authenticates but fails. However, the device is not assigned to quarantine. Which policy condition is most likely responsible for the unexpected behavior?

Exhibit

Refer to the exhibit.

! Cisco ISE Policy Set
Condition: EndPointCompliant EQUALS No OR DeviceType NOT_IN ["Windows", "Mac", "Linux"]
Result: VLAN_Quarantine (VLAN 999)

! Syslog message
ISE: Authentication failed for user 'guest' from MAC 0011.2233.4455. Reason: Invalid username or password.
Question 55 (medium, multi select)

A network engineer is implementing Cisco TrustSec. Which two components are required to enforce Security Group Access Control List (SGACL) policies? (Choose two)

Question 56 (medium, multi select)

An administrator is configuring 802.1X on a switch port for both an IP phone and a PC. Which two commands should be configured to support this scenario? (Choose two)

Question 57 (hard, multi select)

A company is deploying Cisco ISE for network access control. Which three policies must be configured to enforce access based on device posture? (Choose three)

Question 58 (medium, multiple choice)

A network engineer configures ISE for 802.1X with PEAP-MSCHAPv2. Users report intermittent authentication failures on certain switches. The engineer checks ISE logs and sees 'Authentication failed' with reason 'User not found in identity store'. What is the most likely issue?

Question 59 (easy, multiple choice)

An organization wants to implement MAC Authentication Bypass (MAB) for devices that do not support 802.1X. Which configuration is required on a Cisco switch to allow MAB fallback?

Question 60 (hard, multiple choice)

In a Cisco TrustSec environment, a network administrator observes that traffic between two endpoints in the same SGT group is being denied. The relevant switch has CTS configured with 'cts manual' and 'policy static sgt 10'. What is the most probable cause?

Question 61 (easy, multiple choice)

Which protocol does Cisco ISE use to communicate with the pxGrid controller for sharing contextual data?

Question 62 (medium, multiple choice)

A laptop fails to authenticate via 802.1X on a Cisco switch. The switch logs show: 'Authentication failed for user 'jdoe' on interface GigabitEthernet1/0/24: EAP session timeout.' What is the most likely cause?

Question 63 (hard, multiple choice)

You are troubleshooting a Cisco ISE deployment where some endpoints are stuck in the 'Not Compliant' posture after a posture scan. ISE logs show 'Conditional NAC Agent result: Not Compliant due to missing required application.' The application is installed on the endpoint. What should you check?

Question 64 (medium, multiple choice)

An organization wants to provide guest wireless access with a captive portal. Which Cisco ISE portal type should be used?

Question 65 (easy, multiple choice)

Which Cisco security product provides network visibility and traffic analytics using NetFlow and IPFIX?

Question 66 (hard, multiple choice)

In a Cisco TrustSec deployment, you want to dynamically assign SGTs based on user authentication. Which mechanism should you use?

Question 67 (medium, multi select)

Which TWO conditions must be met for a Cisco switch to initiate 802.1X authentication? (Choose two.)

Question 68 (medium, multi select)

Which THREE are valid methods to obtain security group tags (SGTs) on a Cisco switch? (Choose three.)

Question 69 (hard, multi select)

Which TWO are common causes for CoA (Change of Authorization) failures in a Cisco ISE deployment? (Choose two.)

Question 70 (medium, multiple choice)

Refer to the exhibit. An engineer configures this interface for 802.1X. Users report that after successful authentication, they are forced to reauthenticate every hour even though the authentication session is still active. What configuration change should be made to prevent reauthentication unless triggered by a change?

Exhibit

interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 3600
 dot1x pae authenticator
 dot1x timeout tx-period 5
Question 71 (hard, multiple choice)

Refer to the exhibit. An ISE administrator sees this error in the logs. What is the most likely cause?

Exhibit

2019-08-15 14:32:45,123 ERROR [PassiveIDConnector-1] ... Received PassiveID identity in SGT format, but no SGT mapping found.
Question 72 (medium, multiple choice)

Refer to the exhibit. A network analyst reviews a Stealthwatch flow analysis output. What is the most likely interpretation?

Exhibit

Suspicious Traffic:
  Source IP: 10.10.10.5
  Destination IP: 10.20.20.5
  Protocol: TCP
  Port: 4444
  Bytes: 1.2GB over 5 minutes
  Score: 85
Question 73 (easy, multiple choice)

A network engineer is configuring 802.1X on a Cisco switch for wired clients. After configuration, some clients fail authentication. The engineer notices that the clients are not sending any EAP packets. What is the most likely cause?

Question 74 (medium, multiple choice)

A company uses Cisco ISE for network access control. They have deployed TrustSec and want to enforce segmentation using Security Group Tags (SGTs). The network team reports that SGTs are not being propagated correctly. Which protocol is responsible for SGT propagation between switches?

Question 75 (hard, multiple choice)

An organization is deploying Cisco ISE with passive identity mapping from Active Directory. They notice that users are not being correctly identified on the network, and some workstations are appearing with multiple IP addresses. What is the most likely cause?

Question 76 (easy, multiple choice)

The ISE logs show 'Authentication failed - RADIUS attribute Calling-Station-ID is missing' for a wired client. What is the most likely cause?

Question 77 • medium • multiple choice

A company uses Cisco ISE for posture assessment. They require that all endpoints meet a certain set of compliance rules before being granted network access. Which service is responsible for performing the posture assessment on the endpoint?

Question 78 • hard • multiple choice

An organization is deploying Cisco TrustSec and uses SXP to propagate SGTs between routers that do not support SGT inline tagging. The SXP connection is established, but the SGT mappings are not being learned. The administrator checks 'show sxp connections' and sees the connection is in 'On' state. What is the most likely issue?

Question 79 • easy • multiple choice

A junior engineer is configuring MAB (MAC Authentication Bypass) on a Cisco switch for legacy printers. After configuration, the printers are still being placed into the default VLAN instead of the authorized VLAN. Which configuration is missing?

Question 80 • medium • multiple choice

A network engineer is troubleshooting an issue where a user's device is successfully authenticated via 802.1X, but the user cannot access the corporate network. ISE logs show that the user was granted access with a downloadable ACL (dACL). What could be the cause of no network access?

Question 81 • hard • multiple choice

A company is using Cisco ISE for guest access. They have configured a guest portal with a self-registration page. Some guests report that after registering, they are not redirected to the success page but instead see a '401 Unauthorized' error. What is the most likely cause?

Question 82 • easy • multiple choice

Refer to the exhibit. A network administrator is troubleshooting a wired client that has successfully authenticated using MAB. However, the client is unable to access resources beyond the local subnet. What is the most likely cause?

Exhibit

Switch# show authentication sessions
Interface: GigabitEthernet0/1
  MAC Address: 0011.2233.4455
  IP Address: 10.1.1.10
  Status: Authz Success
  Domain: DATA
  Oper host mode: single-host
  Oper control dir: both
  Authorized by: Authentication Server
  Vlan Policy: 10
  Session Timeout: N/A
  Idle Timeout: N/A
  Common Session ID: 0A0B0C0D0E0F0000000000001
  Acct Session ID: 0x00000002
  Authc Method: MAB
  Authz Policy: Permit_Access

Question 83 • medium • multiple choice

Refer to the exhibit. A network administrator reviews the ISE live log for a successful 802.1X authentication. After authentication, the user is unable to make VoIP calls. What is the most likely cause?

Exhibit

ISE Radius Live Log:
Timestamp: 2025-03-10 10:00:00
User: CN=John Doe, OU=Users, DC=company, DC=com
Endpoint MAC: 00:11:22:33:44:55
Auth Protocol: PEAP (MSCHAPv2)
Result: Authentication succeeded
Authorization Policy: Corporate_Access
Authorization Profile: Standard_Access
Session Attributes:
  Cisco-av-pair = "device-traffic-class=voice"

Question 84 • easy • multi select

Which TWO of the following are authentication methods used for wired network access in Cisco ISE?

Question 85 • medium • multi select

Which TWO methods can be used to propagate SGT information between devices that do not support SGT inline tagging?

Question 86 • hard • multi select

Which THREE attributes can be used in an ISE authorization policy based on endpoint identity?

Question 87 • hard • multiple choice

A large enterprise has deployed Cisco ISE for network access control with 802.1X and MAB across its wired and wireless networks. The network consists of Cisco Catalyst switches, Cisco Wireless LAN Controllers (WLCs), and ISE in a distributed deployment with three Policy Service Nodes (PSNs) and an Admin Node. Recently, the company implemented a new security policy requiring all endpoints to pass posture assessment before gaining full network access. The posture assessment uses AnyConnect ISE Posture Module.

Shortly after the change, users report that some wired clients are unable to connect to the network. The ISE logs show that the authentication is successful, but the session is terminated immediately with a 'Session-Timeout' attribute set to 0. The network team notices that the affected clients are all connected to switches running older Cisco IOS versions. The ISE administrator confirms that the authorization profiles for the affected clients include a session-timeout of 1 hour. Which course of action should the network engineer take to resolve the issue?

Question 88 • easy • multiple choice

A network engineer is troubleshooting an 802.1X deployment where some Windows 10 endpoints fail to authenticate. Logs show that the client sends an EAPoL-Start but never receives an EAP-Request/Identity. The switch port configuration is:

interface GigabitEthernet0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator

Which additional command is most likely needed?

Question 89 • medium • multiple choice

A company is deploying Cisco TrustSec to enforce micro-segmentation between data center servers. The security team wants to use Security Group Tags (SGTs) assigned dynamically via ISE. Which method should the engineer use to propagate SGTs to the access switches that connect the servers, assuming the network uses Cisco Nexus 9000 switches and ISE as the policy server?

Question 90 • hard • multiple choice

An engineer is implementing Cisco ISE posture assessment for corporate Windows laptops. The requirement: endpoints that are missing critical Microsoft security patches must be quarantined in a remediation VLAN. The ISE posture policy uses an 'Application Condition' to check for the patch. However, some laptops with missing patches are still allowed access. During testing, the engineer notices that the posture agent reports 'NAC Agent: Posture Unknown' for those laptops. What is the most likely cause?

Question 91 • medium • multiple choice

A large enterprise uses Cisco ISE with pxGrid to share context with Firepower for threat containment. When Firepower detects an infected endpoint, it triggers a pxGrid quarantine action that changes the endpoint's authorization profile. The engineer observes that the quarantine is applied, but after Firepower clears the threat, the endpoint does not regain its original access. What is the most likely reason?

Question 92 • easy • multi select

Which TWO factors should be considered when designing a Cisco ISE deployment for network access control (NAC) in a multi-site environment? (Choose two.)

Question 93 • hard • multi select

Which THREE capabilities are provided by Cisco ISE's visibility services within the Secure Network Access domain? (Choose three.)

Question 94 • hard • multiple choice

A hospital is deploying Cisco ISE for network access control. They have a mix of employee laptops, medical devices (e.g., infusion pumps), and guest smartphones. The network uses Cisco Catalyst 9300 switches and Aironet 3700 series access points. For medical devices, the policy must use MAC Authentication Bypass (MAB) since they are 802.1X incapable. The ISE policy authenticates via MAB and then assigns the device to a specific VLAN for medical devices. During a pilot, the network team notices that some infusion pumps (MAC: 00:1A:2B:3C:4D:5E) are failing MAB authentication. The switch logs show 'Authentication failed for MAC 001a.2b3c.4d5e on interface GigabitEthernet1/0/10'. ISE logs show 'Authentication failed - RADIUS server rejected - Reason: Invalid Endpoint ID'. The engineer has verified the MAC address is in the ISE endpoint repository with correct identity group. What should the engineer check next to resolve this issue?

Question 95 • medium • multiple choice

A university is implementing 802.1X for student wireless networks using Cisco Wireless LAN Controllers (WLCs) and ISE. Students connect with their personal devices using PEAP-MSCHAPv2. During heavy usage, some students report authentication failures and sporadic disconnections. The network team examines the ISE live logs and sees many 'Authentication failed' entries with reason 'Internal error - unable to find a suitable proxy target'. The team has configured two ISE nodes as authentication proxies for the wireless subnets. What is the most likely cause of this issue?

Question 96 • hard • multiple choice

A financial company is deploying Cisco ISE with TrustSec to enforce segmentation between application tiers (web, app, DB). They have a Cisco Catalyst 9500 as the core, and Catalyst 9300s as access switches. SXP is configured between ISE and the core switch, and the core switch propagates SGTs to access switches via SGT inline tagging on trunk ports. The engineer has configured SGTs for web (SGT=2), app (SGT=3), DB (SGT=4). However, when testing from a web server (IP 10.1.1.10, SGT=2) to an app server (IP 10.1.2.20, SGT=3), the app server sees the traffic without SGT in the packet, so the access switch cannot enforce policy. The engineer checks 'show cts role-based sgt-map' on the core and sees the mapping for 10.1.1.10 -> 2. What is the most likely issue?

Question 97 • easy • multiple choice

A small business uses Cisco ISE to authenticate employees via Active Directory. The company has a single ISE node and two Catalyst 2960-X switches. Employees connect to the network and are successfully authenticated using 802.1X with PEAP. The business wants to provide guest wireless access using a separate SSID with a captive portal. The engineer configures a new WLAN on the WLC (Cisco 2504) pointing to the same ISE node. Guest users can associate to the WLAN and get an IP address, but when they open a browser, they do not see the captive portal page; instead, they get a 'Connection refused' error. The engineer verifies that the guest portal is enabled on ISE and the WLC is configured to use ISE for RADIUS. What is the most likely cause?

Question 98 • medium • multiple choice

A multinational corporation is implementing ISE for wired network access using 802.1X with EAP-TLS certificate authentication. Their Windows 10 laptops have certificates issued by an internal PKI. During testing, some users report that they are repeatedly prompted to select a certificate after connecting, and eventually authentication fails. ISE logs show 'Authentication failed - No matching certificate found'. The engineer checks the client machine and sees multiple certificates, including the correct one, in the personal store. The ISE endpoint identity store is populated with the user's AD credentials. What is the most likely cause of this failure?

Question 99 • easy • multiple choice

A government agency is deploying Cisco ISE with a posture agent to ensure endpoints comply with security policies before accessing the network. The posture policy requires that all Windows computers have antivirus (AV) software running. The engineer configures a condition 'AV installed and running' and binds it to an authorization profile that grants full access if compliant, or quarantine if not. During testing, a computer that has AV installed and running (verified manually) is placed in quarantine. ISE logs show 'Posture - AV condition not satisfied'. The engineer checks the ISE posture configuration: the AV condition uses a default Cisco AV dictionary. What is the most likely cause?

Question 100 • easy • multiple choice

A network administrator is configuring 802.1X for wired access on a Cisco switch. The switch is configured for RADIUS using a Cisco ISE server. During testing, a client that supports 802.1X is unable to authenticate and fails to gain network access. The administrator checks the switch logs and sees "Authentication failed: invalid EAP code received". What is the most likely cause?

Question 101 • medium • multi select

A Cisco TrustSec deployment is being implemented to enforce micro-segmentation. The security team needs to ensure that Security Group Tags (SGTs) are propagated across the network. Which THREE methods can be used to distribute SGT information in a TrustSec environment? (Choose three.)

Question 102 • hard • multiple choice

Refer to the exhibit. Based on the exhibit, what is the current state of the client and what action should the network administrator take to allow full network access?

Exhibit

Switch1# show authentication sessions interface GigabitEthernet1/0/1
Interface: GigabitEthernet1/0/1
MAC Address: aaaa.bbbb.cccc
IP Address: 192.168.1.100
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: 3600s
Common Session ID: 0A0B0C0D000000123456789A
Acct Session ID: 0x0000000A
Handle: 0x00000001
Current Method: dot1x
    Method State: Authz Success
    Auth Method: dot1x
    Authorized By: ISE
    Vlan Policy: 10
    URL Redirect: https://guest-portal.company.com
    URL Redirect ACL: GUESt-REDIRECT
    SGT Value: 2
    dACL name: PERMIT_QUARANTINE
