350-701 Secure Network Access, Visibility and Enforcement • Complete Question Bank
Router# show device-tracking database
Device-tracking database for Vlan 100:
Device ID   MAC Address      Interface   VLAN   Last seen
*           0050.7966.6800   Gi0/1/0     100    00:00:12
*           aaaa.bbbb.cccc   Gi0/1/1     100    00:00:05
Refer to the exhibit.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
! RADIUS server configuration
radius server ISE
 address ipv4 10.1.1.100 auth-port 1812 acct-port 1813
 key cisco123
! Global AAA
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
Next-Generation Firewall
Cloud-Delivered Security
Advanced Malware Protection
Identity Services Engine
Network Visibility and Detection
Display IKE security associations
Display configured access control lists
Display firewall configuration and statistics
Enable IP packet debugging
Save running configuration to startup
Refer to the exhibit.
Switch# show authentication sessions interface GigabitEthernet1/0/10 details
Interface: GigabitEthernet1/0/10
MAC Address: aaaa.bbbb.cccc
IP Address: 192.168.10.55
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 10
Session timeout: 3600s
Client List:
aaaa.bbbb.cccc: dot1x
EAP: PEAP, User-Name: jdoe
Result: PASS
SGT: 0
AudIT: None
Refer to the exhibit.
interface GigabitEthernet1/0/1
 description User Access
 switchport access vlan 100
 switchport mode access
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 3600
 dot1x pae authenticator
 dot1x timeout tx-period 3
 dot1x max-reauth-req 2
 mab
!
!Global:
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.1.1.20 key cisco123
Refer to the exhibit. ISE CLI output:
ise/admin# show aaa auth method all | include AD
AD_1: Active Directory (example.com)
Status: Connected
Last contact: 2 seconds ago
Last error: None
Domain Controllers: dc01.example.com (10.1.1.10), dc02.example.com (10.1.1.11)
Is Allowed: True
Users Authenticated: 0
ise/admin# show aaa auth method all | include LDAP
LDAP_1: LDAP (10.2.2.20)
Status: Connected
Last contact: 10 minutes ago
Last error: Timeout
Users Authenticated: 0
Refer to the exhibit.
Switch# show authentication sessions interface GigabitEthernet1/0/1 detail
Interface: GigabitEthernet1/0/1
MAC Address: 0011.2233.4455
IP Address: 192.168.1.15
User-Name: hostA
Status: Unauthorized
Domain: DATA
Oper host mode: single-host
Authorized By: N/A
Vlan Policy: N/A
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A0B0C0D0E0F0001
Acct Session ID: 0x00000001
Handle: 0x81000001
Runnable method list: dot1x
Last Authentication: Failed
Reason: EAP-timeout
Refer to the exhibit.
! Switch configuration snippet
ip access-list extended BLOCK_GUEST
 deny ip any 10.10.0.0 0.0.255.255
 permit ip any any
!
vlan access-map BLOCK_MAP 10
 match ip address BLOCK_GUEST
 action drop
vlan access-map BLOCK_MAP 20
 action forward
!
vlan filter BLOCK_MAP vlan-list 200
Refer to the exhibit.
! Cisco ISE Policy Set
Condition: EndPointCompliant EQUALS No OR DeviceType NOT_IN ["Windows", "Mac", "Linux"]
Result: VLAN_Quarantine (VLAN 999)
! Syslog message
ISE: Authentication failed for user 'guest' from MAC 0011.2233.4455. Reason: Invalid username or password.
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 3600
 dot1x pae authenticator
 dot1x timeout tx-period 5
2019-08-15 14:32:45,123 ERROR [PassiveIDConnector-1] ... Received PassiveID identity in SGT format, but no SGT mapping found.
Suspicious Traffic:
Source IP: 10.10.10.5
Destination IP: 10.20.20.5
Protocol: TCP
Port: 4444
Bytes: 1.2GB over 5 minutes
Score: 85
Switch# show authentication sessions
Interface: GigabitEthernet0/1
MAC Address: 0011.2233.4455
IP Address: 10.1.1.10
Status: Authz Success
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Authorized by: Authentication Server
Vlan Policy: 10
Session Timeout: N/A
Idle Timeout: N/A
Common Session ID: 0A0B0C0D0E0F0000000000001
Acct Session ID: 0x00000002
Authc Method: MAB
Authz Policy: Permit_Access
ISE Radius Live Log:
Timestamp: 2025-03-10 10:00:00
User: CN=John Doe, OU=Users, DC=company, DC=com
Endpoint MAC: 00:11:22:33:44:55
Auth Protocol: PEAP (MSCHAPv2)
Result: Authentication succeeded
Authorization Policy: Corporate_Access
Authorization Profile: Standard_Access
Session Attributes: Cisco-av-pair = "device-traffic-class=voice"
A large enterprise has deployed Cisco ISE for network access control with 802.1X and MAB across its wired and wireless networks. The network consists of Cisco Catalyst switches, Cisco Wireless LAN Controllers (WLCs), and ISE in a distributed deployment with three Policy Service Nodes (PSNs) and an Admin Node. Recently, the company implemented a new security policy requiring all endpoints to pass posture assessment before gaining full network access. The posture assessment uses the AnyConnect ISE Posture Module.
Shortly after the change, users report that some wired clients are unable to connect to the network. The ISE logs show that the authentication is successful, but the session is terminated immediately with a 'Session-Timeout' attribute set to 0. The network team notices that the affected clients are all connected to switches running older Cisco IOS versions. The ISE administrator confirms that the authorization profiles for the affected clients include a session-timeout of 1 hour. Which course of action should the network engineer take to resolve the issue?
A network engineer is troubleshooting an 802.1X deployment where some Windows 10 endpoints fail to authenticate. Logs show that the client sends an EAPoL-Start but never receives an EAP-Request/Identity. The switch port configuration is:
interface GigabitEthernet0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
Which additional command is most likely needed?
Switch1# show authentication sessions interface GigabitEthernet1/0/1
Interface: GigabitEthernet1/0/1
MAC Address: aaaa.bbbb.cccc
IP Address: 192.168.1.100
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: 3600s
Common Session ID: 0A0B0C0D000000123456789A
Acct Session ID: 0x0000000A
Handle: 0x00000001
Current Method: dot1x
Method State: Authz Success
Auth Method: dot1x
Authorized By: ISE
Vlan Policy: 10
URL Redirect: https://guest-portal.company.com
URL Redirect ACL: GUESt-REDIRECT
SGT Value: 2
dACL name: PERMIT_QUARANTINE