An ISE deployment uses TrustSec with SGTs assigned by Active Directory group membership. A group of users in the 'Finance' AD group is correctly receiving SGT 5, but a new user added to that group is getting SGT 0. The ISE policy is unchanged, and other users in the group work fine. What is the most likely cause?
ISE caches AD groups. If the user was recently added, the cache may be stale, causing ISE to assign a default SGT (0).
Why this answer
Option B is correct because ISE maps a user to a Security Group Tag (SGT) through an authorization rule whose condition references the 'Finance' Active Directory (AD) group, and it evaluates that condition against the group memberships it retrieves from AD for the authenticating user. If that lookup is served from stale data (an ISE-side cache, or a domain controller that has not yet replicated the new membership), ISE does not see the new user as a member of 'Finance'; the session then falls through to a rule that carries no SGT and is tagged SGT 0 (Unknown). Existing members are unaffected because their membership was already present in the data ISE consulted. Two quick confirmations: the Test User tool on the AD join point (Administration > Identity Management > External Identity Sources > Active Directory) shows the groups ISE actually retrieves for that account, and the session's entry in Operations > RADIUS > Live Logs shows which authorization rule matched and what, if anything, was returned.
Exam trap
Cisco often tests the misconception that an AD group change takes effect on the very next authentication. The trap here is that ISE must see the updated membership before the Finance rule can match; until then the user matches only a rule with no SGT, and SGT 0 (Unknown) on a session is the tell-tale sign that no SGT-bearing authorization rule matched, not that authentication failed.
How to eliminate wrong answers
Option A is wrong because endpoint profiling is not required for SGT assignment based on AD group membership; the SGT comes from the authorization rule matched after a successful authentication, and profiling only matters if that rule conditions on an endpoint profile. Option C is wrong because antivirus software does not interfere with SGT assignment, which is a network-level attribute applied by the switch on ISE's instruction based on the user's identity, not a client-side process. Option D is wrong because a PAC (Protected Access Credential) is used in EAP-FAST to establish the secure tunnel (and, in TrustSec, to secure the switch-to-ISE NDAC exchange), not for user SGT assignment; ISE returns the SGT to the switch in the Access-Accept as a Cisco-AVPair of the form cts:security-group-tag=0005-00, where 0005 is the SGT in hex and 00 is its generation ID.
Option E is wrong because 'authentication violation restrict' governs what a switch port does when more MAC addresses appear on it than it allows: it drops the offending traffic and logs a syslog message but leaves the port up (it is 'authentication violation shutdown' that err-disables the port). Either way, a violation concerns an extra device on the port, whereas in this scenario the user authenticates successfully and simply receives SGT 0; a violation would not produce an authorized session carrying a tag at all.
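The RADIUS attribute mentioned above is worth seeing concretely. The following Python is an added example, not part of the original question or of any Cisco product: it parses the cts:security-group-tag Cisco-AVPair from constructed Access-Accept attribute lists, resolves each session to the SGT the switch will enforce (0, Unknown, when no SGT attribute is present), and flags the group members whose sessions did not receive the expected tag, which is the check you would run across the Finance users in this scenario. The user names, the attribute lists and the dACL line are constructed sample data, not real ISE output.

```python
import re
from dataclasses import dataclass
from typing import Optional

# SGT 0 is the reserved "Unknown" tag that a switch applies when the session
# carries no security-group-tag.
SGT_UNKNOWN = 0

# ISE returns the SGT as a Cisco-AVPair (vendor 9, attribute 1) with the text
# form cts:security-group-tag=XXXX-YY: XXXX is the 16-bit SGT in hex and YY is
# the generation ID of the SGT in hex.
SGT_AVPAIR = re.compile(r"^cts:security-group-tag=([0-9a-fA-F]{4})-([0-9a-fA-F]{2})$")


@dataclass(frozen=True)
class SgtAssignment:
    sgt: int
    generation: int


def parse_sgt_avpair(avpair: str) -> Optional[SgtAssignment]:
    """Decode one Cisco-AVPair string; return None if it is not an SGT pair."""
    m = SGT_AVPAIR.match(avpair.strip())
    if m is None:
        return None
    return SgtAssignment(sgt=int(m.group(1), 16), generation=int(m.group(2), 16))


def build_sgt_avpair(sgt: int, generation: int = 0) -> str:
    """Encode an SGT the way ISE places it in the Access-Accept."""
    if not 0 <= sgt <= 0xFFFF or not 0 <= generation <= 0xFF:
        raise ValueError("SGT must fit in 16 bits and generation in 8 bits")
    return f"cts:security-group-tag={sgt:04X}-{generation:02X}"


def effective_sgt(avpairs: list[str]) -> int:
    """SGT the switch will enforce for a session given its Cisco-AVPairs.

    Only the first cts:security-group-tag pair counts; a session with none
    ends up as SGT 0 (Unknown), which is what the new Finance user saw.
    """
    for avpair in avpairs:
        parsed = parse_sgt_avpair(avpair)
        if parsed is not None:
            return parsed.sgt
    return SGT_UNKNOWN


def users_missing_sgt(sessions: dict[str, list[str]], expected_sgt: int) -> list[str]:
    """Names of users whose session did not receive expected_sgt, sorted."""
    return sorted(user for user, avpairs in sessions.items()
                  if effective_sgt(avpairs) != expected_sgt)


# Constructed sample sessions (hypothetical, not real ISE output): three members
# of the Finance AD group. alice and bob matched the Finance rule and got SGT 5;
# carol, the newly added member, matched only a rule that returns a dACL and no
# SGT, so her traffic is tagged Unknown.
SAMPLE_SESSIONS = {
    "alice": ["cts:security-group-tag=0005-00"],
    "bob":   ["ip:inacl#1=permit ip any any", "cts:security-group-tag=0005-00"],
    "carol": ["ip:inacl#1=permit ip any any"],
}

if __name__ == "__main__":
    for user, avpairs in SAMPLE_SESSIONS.items():
        print(f"{user:6s} -> SGT {effective_sgt(avpairs)}")
    print("missing Finance SGT:", users_missing_sgt(SAMPLE_SESSIONS, 5))
```

Running it lists carol as the only Finance member without SGT 5. In a real deployment the attribute lists would come from the Access-Accept shown in the Live Logs detail of each session; the same check then separates "the rule matched but returned the wrong tag" from "the rule never matched", which is the case this question describes.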