CCNA Secure Network Access, Visibility and Enforcement Questions

75 of 102 questions · Page 1/2 · Secure Network Access, Visibility and Enforcement · Answers revealed

1
Multi-Select · hard

A company is deploying Cisco ISE for network access control. Which three policies must be configured to enforce access based on device posture? (Choose three)

Select 3 answers
A.Authorization policy
B.Posture policy
C.Guest access policy
D.Authentication policy
E.Profiling policy
Answers: A, B, D

Defines access based on posture results.

Why this answer

Options A, B, and D are correct. The authentication policy (D) determines how users and devices are authenticated (for example 802.1X or MAB). The posture policy (B) defines the compliance requirements the endpoint must meet and the remediation that runs when it does not. The authorization policy (A) consumes the posture result (Compliant, NonCompliant or Unknown) and returns the access that goes with it.

Profiling policy (E) identifies the device type and is useful for scoping posture to the right endpoints, but it is not required for posture enforcement. Guest access policy (C) is a separate flow.

2
MCQ · medium

A multinational corporation is implementing ISE for wired network access using 802.1X with EAP-TLS certificate authentication. Their Windows 10 laptops have certificates issued by an internal PKI. During testing, some users report that they are repeatedly prompted to select a certificate after connecting, and eventually authentication fails. ISE logs show 'Authentication failed - No matching certificate found'. The engineer checks the client machine and sees multiple certificates, including the correct one, in the personal store. The ISE endpoint identity store is populated with the user's AD credentials. What is the most likely cause of this failure?

A.The client's certificate is expired
B.The Windows supplicant requires a registry modification to enable auto-selection
C.ISE trusted CA certificate list does not include the issuing CA
D.The client certificates lack the 'Client Authentication' extended key usage (EKU)
Answer: D

EAP-TLS requires a client certificate with the Client Authentication EKU; without it ISE will not accept the certificate.

Why this answer

Option D is correct. In EAP-TLS the supplicant presents a certificate that ISE must validate as a client-authentication certificate. The Windows supplicant only offers certificates that carry the Client Authentication extended key usage (OID 1.3.6.1.5.5.7.3.2) for EAP-TLS; if the intended certificate lacks it, the supplicant cannot auto-select it, the user is prompted to pick one, and ISE rejects whatever is sent with 'No matching certificate found'.

Option A (an expired certificate) produces an expiry-specific failure rather than a repeated certificate prompt. Option B is not a documented fix; certificate selection is governed by the EAP-TLS profile and the certificate's EKU, not a registry key. Option C (issuing CA not trusted by ISE) would fail every user from that PKI, not only some, and would be logged as a CA trust failure.

3
MCQ · medium

A network engineer is implementing TrustSec on a Cisco switch. The goal is to tag traffic from the engineering VLAN with Security Group Tag (SGT) 10 and enforce policies on upstream switches. Which configuration is required on the access switch to propagate the SGT?

A.cts manual policy static sgt 10
B.switchport voice vlan 10
C.authentication host-mode multi-domain
D.spanning-tree portfast
Answer: A

This applies a static SGT to traffic entering on that link; it is the manual TrustSec interface mode.

Why this answer

Option A is correct. On IOS the configuration is entered as 'cts manual' on the interface, then 'policy static sgt 10' (usually with 'trusted') under it, with 'propagate sgt' to carry the tag inline on egress; the option collapses this to one line. Frames from the engineering VLAN arriving untagged on that link are classified as SGT 10, and the tag is carried to upstream switches either inline in the Cisco Meta Data header or, where the next hop cannot carry it inline, as an IP-to-SGT binding over SXP, so the upstream devices can enforce SGACLs on it.

Exam trap

The trap here is that candidates confuse VLAN configuration (e.g., voice VLAN) with Security Group Tag assignment, or assume that authentication or STP features are involved in SGT propagation.

How to eliminate wrong answers

Option B is wrong because 'switchport voice vlan 10' configures a voice VLAN for VoIP traffic, not a Security Group Tag; it does not propagate SGTs. Option C is wrong because 'authentication host-mode multi-domain' is used for 802.1X multi-domain authentication (e.g., voice and data devices), not for static SGT assignment or propagation. Option D is wrong because 'spanning-tree portfast' accelerates the port transition to forwarding state to avoid STP delays, but it has no role in SGT tagging or propagation.

4
MCQ · medium

A company uses Cisco ISE for posture assessment. They require that all endpoints meet a certain set of compliance rules before being granted network access. Which service is responsible for performing the posture assessment on the endpoint?

A.ISE Policy Service
B.Cisco AnyConnect ISE Posture Module
C.Cisco ISE pxGrid
D.Network Access Device (switch)
Answer: B

The AnyConnect Posture Module runs on the endpoint and performs the actual posture checks.

Why this answer

Option B is correct because the Cisco AnyConnect ISE Posture Module (or the temporal agent) runs on the endpoint, evaluates the conditions ISE sends it (antivirus, patches, registry keys, files, services) and reports the result to ISE. Option A is incorrect because the ISE Policy Service Node evaluates the posture report against the posture and authorization policies; it does not inspect the endpoint itself. Option C is incorrect because pxGrid shares context between ISE and other security products.

Option D is incorrect because the switch only relays EAP and RADIUS and applies the resulting authorization.

5
MCQ · medium

An engineer is troubleshooting a user who cannot access the network after successful 802.1X authentication. The user's PC receives an IP address from DHCP, but cannot reach the internet. The switch port is in the correct VLAN (10) after authentication. The ISE posture policy requires the user to install a corporate certificate, but the user skipped that step. What is the most likely cause of the internet access failure?

A.The user is not logged into the domain
B.The switchport is still in the default VLAN
C.The DHCP server does not have a scope for VLAN 10
D.The ISE posture policy returned 'NonCompliant' and ISE applied a Change of Authorization (CoA) to place the port in a remediation VLAN
Answer: D

ISE can use CoA to move an authenticated session into a remediation VLAN with no internet access.

Why this answer

Option D is correct. 802.1X succeeded, so the port was authorized and the PC obtained an address, but the posture result was NonCompliant because the required certificate was never installed. ISE then sent a RADIUS Change of Authorization that re-authorized the session with the remediation profile, which has no path to the internet. In practice the remediation state is usually enforced with a dACL and URL redirect on the same VLAN rather than a VLAN change, because a VLAN change forces the endpoint to renew its address; the question uses the VLAN form. Option A is wrong because domain logon is not required for internet access. Option B is wrong because the port is stated to be in VLAN 10 after authentication.

Option C is wrong because the PC did receive an address from DHCP.

6
MCQ · easy

Refer to the exhibit. An engineer configured ISE to use both Active Directory and LDAP for authentication. Users from Active Directory are unable to authenticate. What is the most likely reason?

A.Active Directory users are not allowed in the policy
B.The LDAP identity store is unreachable and ISE is attempting LDAP before AD
C.The Active Directory identity store is disconnected
D.The authentication sequence is set to 'AD then LDAP'
Answer: B

If LDAP is tried before AD in the identity source sequence, the LDAP timeout fails the request before AD is ever consulted.

Why this answer

Option B is correct because the exhibit shows the LDAP server in a timeout condition while AD shows as connected; with LDAP ranked first in the identity source sequence, ISE waits on LDAP, the request fails, and AD is never reached. Option A is wrong because nothing in the exhibit indicates that the policy excludes AD users. Option C is wrong because the AD identity store shows connected.

Option D is wrong because if the sequence were 'AD then LDAP', AD users would be authenticated by AD before LDAP was tried at all.

7
MCQ · easy

Which Cisco security product provides network visibility and traffic analytics using NetFlow and IPFIX?

A.Cisco Firepower Management Center
B.Cisco Stealthwatch
C.Cisco Umbrella
D.Cisco ISE
Answer: B

Stealthwatch analyzes network flows for visibility and threat detection.

Why this answer

Option B is correct. Cisco Stealthwatch (now Secure Network Analytics) collects NetFlow and IPFIX from switches, routers and firewalls and applies behavioral analytics to the flows. Option A (FMC) manages Firepower devices and their policies.

Option C (Umbrella) is DNS-layer cloud security. Option D (ISE) provides identity services and network access control.

8
Multi-Select · hard

Which THREE of the following are required for a successful 802.1X authentication on a Cisco switch? (Choose THREE)

Select 3 answers
A.Security Group Tag (SGT) must be assigned
B.A downloadable ACL (dACL) must be configured on ISE
C.The switch must be configured as a RADIUS client to ISE
D.The switch port must be configured with 'authentication port-control auto'
E.The endpoint must have a valid credential (certificate or password)
Answers: C, D, E

The switch must reach ISE over RADIUS, the port must run the authenticator, and the endpoint must have something to authenticate with.

Why this answer

For 802.1X the switch acts as the authenticator: it is a RADIUS client of ISE (C) and relays the EAP exchange to it, so without that configuration the endpoint's credentials can never be checked. The port itself must be set to 'authentication port-control auto' (D) so that it starts unauthorized and runs the authentication process rather than being forced open or closed. Finally the supplicant needs a valid credential (E), a certificate for EAP-TLS or a username and password for PEAP, for the exchange to succeed. SGTs (A) and dACLs (B) are authorization results ISE may return after authentication; they are not prerequisites for it.

Exam trap

Cisco often tests the distinction between authentication prerequisites and post-authentication policies, leading candidates to mistakenly select optional features like dACLs or SGTs as mandatory for the 802.1X authentication step.

9
MCQ · hard

You are troubleshooting a Cisco ISE deployment where some endpoints are stuck in the 'Not Compliant' posture after a posture scan. ISE logs show 'Conditional NAC Agent result: Not Compliant due to missing required application.' The application is installed on the endpoint. What should you check?

A.The NAC Agent is running an outdated version.
B.The posture policy requires a specific version that is not installed.
C.The endpoint's firewall is blocking the ISE posture probe.
D.The antivirus definition file is outdated.
Answer: B

The policy may require a particular version or patch level, so the check fails even though the application is present.

Why this answer

Option B is correct. The posture report says the required application is missing even though it is installed; an application condition that specifies a minimum version, a particular installation path or a running-process check fails in exactly this way when the installed copy does not match. Compare the condition's version and path against what is on the endpoint.

Option A is incorrect because an outdated agent produces an agent-compatibility or update error, not a missing-application result. Option C is incorrect because if the posture probe were blocked the endpoint would be stuck in Unknown (no report), not Not Compliant. Option D is incorrect because antivirus definitions are evaluated by a separate AV condition.

10
MCQ · easy

An organization wants to implement MAC Authentication Bypass (MAB) for devices that do not support 802.1X. Which configuration is required on a Cisco switch to allow MAB fallback?

A.authentication priority dot1x mab
B.authentication port-control auto
C.authentication fallback mab
D.authentication order mab dot1x
Answer: D

This command sets the order in which methods are tried: MAB first, 802.1X afterwards.

Why this answer

Option D is correct. 'authentication order mab dot1x' changes the default order (802.1X first, then MAB) so that MAB runs immediately; a device that cannot speak 802.1X is authorized by its MAC address without waiting for the EAP timeout, and a device that does send EAPOL can still be authenticated by 802.1X. The 'mab' interface command must also be present for MAB to run at all.

Option A is a valid command but does a different job: 'authentication priority' decides which method's result wins when more than one succeeds (and whether a higher-priority method may pre-empt a running one), not the order in which they are attempted. Option B is required on any authenticating port but does not by itself enable MAB or a fallback. Option C is not a valid form: 'authentication fallback' takes the name of a web-authentication fallback profile, not 'mab'.

11
Multi-Select · medium

Which TWO configuration steps are required to implement 802.1X authentication on a Cisco switch for wired clients?

Select 2 answers
A.Enable dot1x globally on the switch
B.Set the switchport mode to trunk
C.Define the RADIUS server IP and shared secret
D.Configure AAA authentication using RADIUS
E.Configure the interface as a switchport in access mode
Answers: D, E

AAA authentication against RADIUS is what lets the switch hand the EAP exchange to ISE.

Why this answer

Option D is correct because 802.1X on the switch is driven by AAA: 'aaa authentication dot1x default group radius' tells the switch to relay EAP from the supplicant to a RADIUS server for credential verification, and without it the authentication manager has nowhere to send the request. Option E is correct because wired 802.1X is applied to access ports: the port facing the client is configured as a switchport in access mode, and 'authentication port-control auto' is then applied to it. Option B is wrong because trunks are infrastructure links, not client ports.

Exam trap

The question asks for two steps and grades D and E, so candidates who pick A or C are marked wrong even though a working deployment also needs both: 'dot1x system-auth-control' must be enabled globally before any port authenticates, and the RADIUS server address and shared secret must be defined for the AAA method list to reach ISE. Read questions of this form as 'which of the listed steps is being tested', not as an exhaustive checklist.
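The switch-side configuration that the prerequisites in questions 8, 10 and 11 describe, shown together on one access port as an added example for this page (it is not taken from the quiz or from Cisco documentation). The ISE address 10.10.10.10, the VLAN numbers, the server-group name and the shared secret are assumed placeholders, and the syntax is the IOS legacy authentication-manager form rather than IBNS 2.0 class maps.

```ios
! Added example: baseline wired 802.1X + MAB on a Catalyst access switch (legacy auth-manager syntax).
! Addresses, VLANs, names and the key are placeholders; replace them with your own.
aaa new-model
!
! Q8 option C / Q11 option C: the switch as a RADIUS client of ISE
radius server ISE-PSN1
 address ipv4 10.10.10.10 auth-port 1812 acct-port 1813
 key Str0ngSharedSecret
aaa group server radius ISE-GROUP
 server name ISE-PSN1
!
! Q11 option D: EAP is relayed to RADIUS for credential checking
aaa authentication dot1x default group ISE-GROUP
! Needed so the switch honours what ISE returns (VLAN via Tunnel-* attributes, dACL, SGT, URL redirect)
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
!
! Accept RADIUS Change of Authorization from ISE (posture result, reauth, session terminate)
aaa server radius dynamic-author
 client 10.10.10.10 server-key Str0ngSharedSecret
!
! Q11 option A: global enable; without it no port authenticates even with port-control auto
dot1x system-auth-control
! IP-to-session binding that dACLs and URL redirects rely on (newer IOS-XE uses device-tracking policies)
ip device tracking
!
interface GigabitEthernet1/0/1
 description Wired user port
 ! Q11 option E: an access port; 802.1X is not run on trunks in this design
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 ! one data device plus one phone may authenticate on this port
 authentication host-mode multi-domain
 ! try 802.1X first, then MAB after the EAP timeout (Q10 reverses this for MAB-first ports)
 authentication order dot1x mab
 ! if both methods succeed, the 802.1X result wins
 authentication priority dot1x mab
 ! Q8 option D: port starts unauthorized and runs the authentication manager
 authentication port-control auto
 mab
 dot1x pae authenticator
 ! shorter EAP-Request/Identity retry so supplicant-less devices reach MAB sooner
 dot1x timeout tx-period 10
 spanning-tree portfast
```

After a test client connects, 'show authentication sessions interface GigabitEthernet1/0/1 details' shows the method that succeeded, the domain (DATA or VOICE) and any VLAN, dACL or SGT that ISE returned; if the Status line stays at Unauthorized, check the RADIUS reachability and key with 'show aaa servers' before looking at the policy.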

12
MCQ · hard

Refer to the exhibit. Based on the exhibit, what is the current state of the client and what action should the network administrator take to allow full network access?

A.The client is in a quarantine state due to posture assessment failure; the administrator should check the ISE posture policy and ensure the client meets compliance.
B.The client's authentication succeeded but authorization is incomplete; the administrator should configure a new dACL on the switch.
C.The client is being redirected to a guest portal; the administrator should disable the URL redirect and assign a new VLAN.
D.The client is fully authenticated and authorized; no action is needed.
Answer: A

The quarantine SGT and dACL together with the portal redirect show that the client failed posture; bringing the client into compliance will give it full access.

Why this answer

Option A is correct because the output shows "Authz Success" but the session also carries a URL redirect to a portal, a dACL named "PERMIT_QUARANTINE" and SGT value 2 (commonly used for quarantine), which is a restricted, non-compliant authorization rather than full access. The administrator should check the ISE posture policy and bring the client into compliance, after which ISE re-authorizes the session with a CoA. Option D is wrong because the redirect and quarantine dACL mean access is limited.

Option C is wrong because removing the redirect or changing the VLAN by hand would bypass, not resolve, the compliance failure. Option B is wrong because the dACL is returned by ISE from the authorization profile, not configured by hand on the switch.

13
MCQ · hard

Refer to the exhibit. An ISE administrator sees this error in the logs. What is the most likely cause?

A.The ISE license does not support SGT.
B.The PassiveID identity source is not configured with the correct SGT mapping.
C.The SGT number is out of range.
D.The pxGrid connection is down.
Answer: B

PassiveID needs a mapping between the received SGT and an identity group; without it the SGT cannot be resolved to an identity.

Why this answer

Option B is correct. The error indicates that PassiveID received an SGT from a network device but has no mapping to convert it to an identity, which is what happens when the PassiveID identity source is not configured with the SGT-to-identity mapping.

Option A is incorrect because a licensing problem would be logged as a license error. Option C is incorrect because an out-of-range SGT would be rejected as invalid, not reported as unmappable. Option D is incorrect because a pxGrid failure produces a connection error rather than this message.

14
MCQ · hard

An organization is implementing TrustSec to enforce micro-segmentation. The Security Group Tag (SGT) is assigned to a user via ISE after authentication. However, traffic from this user to a server with SGT 5 is being dropped. The administrator checks the SGACL configuration on the switch and finds the following: 'permit ip source 2 destination 5'. What is the most likely reason for the traffic being dropped?

A.The PAC on the switch has expired
B.SXP is not configured between ISE and the switch
C.The CTRL protocol is not enabled on the switch
D.The SGACL defaults to deny if no explicit permit is found for the source-destination SGT pair
Answer: D

SGACL cells are looked up by the exact source and destination SGT pair; a pair with no matching permit falls to the default policy, which is deny.

Why this answer

The switch permits traffic from source SGT 2 to destination SGT 5, but the question never states that the user's session was actually assigned SGT 2, only that ISE assigned some SGT. SGACL enforcement looks up the cell for the exact (source SGT, destination SGT) pair of each packet; if the user's real tag is anything other than 2, no cell matches and the packet is handled by the default policy, which denies unless it has been changed. Within a matched cell there is also an implicit deny after the last entry, so a cell that permits only some protocols drops the rest.

Option D correctly identifies this default behavior. The first things to verify are the SGT on the user's session and the IP-to-SGT binding on the enforcing switch, then the list of cells the switch actually holds.

Exam trap

Cisco often tests the default-deny behavior of SGACLs: candidates assume that one permit entry covers the user's traffic without checking that the user's session carries the source SGT named in that entry, or that the protocol matches an entry in the cell.

How to eliminate wrong answers

Option A is wrong because an expired PAC would stop the switch from refreshing environment data and policy from ISE, but the SGACL is already present on the switch, so the policy download succeeded. Option B is wrong because SXP only propagates IP-to-SGT bindings to devices that cannot carry the tag inline; it runs between network devices (and optionally ISE), and the switch already holds the SGT assignment and the SGACL, so SXP does not decide this enforcement result. Option C is wrong because the control-plane exchange that downloads environment data and policy has clearly worked (the SGACL is on the switch); the issue is which cell the traffic matches, not the protocol.
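Local SGACL enforcement on a Catalyst switch and the checks that settle question 14, as an added example for this page (not from the quiz or from Cisco documentation). The SGT numbers, the VLAN, the ISE server group and the RBACL names are assumed placeholders; the cells are written locally here so the default-deny behaviour is visible, whereas in a real deployment they are pushed from the ISE policy matrix.

```ios
! Added example: local SGACL enforcement and the Q14 troubleshooting checks.
! SGT numbers, VLANs and names are placeholders.
!
! Authorization method list used to download environment data and SGACLs from ISE
aaa authorization network CTS-LIST group ISE-GROUP
cts authorization list CTS-LIST
! Enforcement on, globally and on the VLAN where the server (SGT 5) sits
cts role-based enforcement
cts role-based enforcement vlan-list 50
!
! Explicit default cell: a pair with no matching cell is dropped by policy, not by accident
ip access-list role-based DENY-ALL
 deny ip
cts role-based permissions default ipv4 DENY-ALL
!
! The 2 -> 5 cell from the question. Only packets whose SOURCE SGT is 2 and whose
! destination SGT is 5 match it; a user tagged with anything else falls to DENY-ALL.
ip access-list role-based ENG-TO-SERVER
 permit ip
cts role-based permissions from 2 to 5 ipv4 ENG-TO-SERVER
!
! Checks, in this order:
! 1. Which SGT did ISE actually assign to the user? (Q14 never says it is 2)
!      show authentication sessions interface GigabitEthernet1/0/1 details   -> 'SGT:' line
!      show cts role-based sgt-map all                                       -> IP-to-SGT binding
! 2. Which cells does the switch hold, and is 2 -> 5 among them?
!      show cts role-based permissions
! 3. Are the drops being counted against the default cell?
!      show cts role-based counters
! 4. Is the policy download healthy (PAC and environment data)?
!      show cts environment-data
!      show cts pacs
```

If step 1 shows a source SGT other than 2, the fix is in the ISE authorization policy (or the IP-to-SGT binding), not in the SGACL; if the session does carry SGT 2 and the counters still increment on the default cell, the switch has not received the 2 -> 5 cell and 'cts refresh policy' plus a look at the ISE TrustSec policy matrix is the next step.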

15
Multi-Select · medium

A network engineer is implementing Cisco TrustSec. Which two components are required to enforce Security Group Access Control List (SGACL) policies? (Choose two)

Select 2 answers
A.Cisco Wireless LAN Controller
B.Cisco Catalyst switch with CTS
C.Cisco ISE Policy Service Node
D.Cisco ASA Firewall
E.Cisco AnyConnect Secure Mobility Client
Answers: B, C

A Catalyst switch with CTS enforces the SGACL; ISE defines and distributes it.

Why this answer

Options B and C are correct. The Cisco ISE Policy Service Node (C) holds the TrustSec policy matrix, defines the SGACLs and distributes them to enforcement points. A Cisco Catalyst switch with CTS (B) is the enforcement point that applies those SGACLs to traffic based on the source and destination SGTs.

Option D (ASA) can enforce SG-based rules but is not required for a basic TrustSec deployment. Option A (WLC) can classify and tag but is not a core enforcement component. Option E (AnyConnect) is an endpoint client and does not enforce SGACLs.

16
MCQ · easy

A junior engineer is configuring MAB (MAC Authentication Bypass) on a Cisco switch for legacy printers. After configuration, the printers are still being placed into the default VLAN instead of the authorized VLAN. Which configuration is missing?

A.authentication port-control auto
B.authentication order mab
C.dot1x pae authenticator
D.spanning-tree portfast
Answer: B

This makes MAB the first method tried on the port instead of 802.1X.

Why this answer

Option B is correct. The default order is 802.1X first, then MAB, so a printer without a supplicant sits through the EAP-Request/Identity retries (tx-period multiplied by max-reauth-req) before MAB is even attempted, and until a method succeeds the port carries no authorized VLAN. 'authentication order mab' (with 'mab' enabled on the port) runs MAB immediately, and the VLAN ISE returns is applied. Option A is incorrect because 'authentication port-control auto' is what turns authentication on and is presumably already present.

Option C is incorrect because 'dot1x pae authenticator' enables the 802.1X authenticator role and is not needed for MAB. Option D is incorrect because 'spanning-tree portfast' affects STP convergence, not authentication.

17
MCQ · medium

A company uses Cisco ISE for network access control. They have deployed TrustSec and want to enforce segmentation using Security Group Tags (SGTs). The network team reports that SGTs are not being propagated correctly. Which protocol is responsible for SGT propagation between switches?

A.NETCONF
B.RADIUS
C.CDP
D.SXP
Answer: D

SXP is the TrustSec protocol that exchanges IP-to-SGT bindings between devices.

Why this answer

Option D is correct because SXP (SGT Exchange Protocol) carries IP-to-SGT bindings over TCP between a speaker and a listener, which is how the tag reaches devices that cannot carry it inline in the frame; TrustSec-capable links can alternatively propagate the SGT inline. Option A is incorrect because NETCONF is a management protocol. Option B is incorrect because RADIUS carries the SGT from ISE to the authenticating switch as an attribute but is not used switch-to-switch.

Option C is incorrect because CDP discovers neighbours and does not carry SGT bindings.
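The two ways an SGT leaves the access switch, for question 3 (static tag and inline propagation on an uplink) and question 17 (SXP towards a device that cannot carry the tag inline), as an added example for this page rather than configuration from the quiz or from Cisco documentation. The interface names, the addresses 10.1.1.1 and 10.1.1.2 and the SXP password are assumed placeholders.

```ios
! Added example: SGT propagation from an access switch. Names, addresses and the password are placeholders.
!
! (a) Inline tagging on a TrustSec-capable uplink (Q3). 'cts manual' is the interface mode;
!     'policy static sgt 10 trusted' classifies untagged ingress frames as SGT 10 and trusts
!     tags arriving from the peer; 'propagate sgt' puts the Cisco Meta Data header on egress frames.
interface TenGigabitEthernet1/1/1
 description Uplink to distribution
 cts manual
  policy static sgt 10 trusted
  propagate sgt
!
! (b) SXP towards a device that cannot carry the tag inline (Q17). This switch is the
!     speaker and sends its IP-to-SGT bindings over TCP/64999 to the listener at 10.1.1.2.
cts sxp enable
cts sxp default source-ip 10.1.1.1
cts sxp default password Sxp-Shared-Secret
cts sxp connection peer 10.1.1.2 password default mode local speaker
!
! Checks:
!   show cts interface TenGigabitEthernet1/1/1   -> mode MANUAL, propagate sgt enabled
!   show cts sxp connections                     -> peer connection state should be 'On'
!   show cts role-based sgt-map all              -> the bindings that will be exported
```

The listener needs the mirror-image statement ('mode local listener' or 'mode peer speaker') with the same password; an SXP connection that stays in 'Pending_On' or keeps flapping is almost always a password mismatch or a TCP/64999 filter between the two source addresses.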

18
MCQ · medium

An organization is using Cisco ISE to enforce posture compliance. Endpoints that are non-compliant should be placed into a quarantine VLAN. Which ISE policy component is used to assign the VLAN?

A.Authorization profile
B.Policy set
C.Profiling policy
D.Authentication policy
Answer: A

Authorization profile contains attributes like VLAN ID, dACL, etc.

Why this answer

The correct answer is A because an Authorization Profile in Cisco ISE defines the enforcement actions to be applied to an endpoint after successful authentication and authorization. When a posture assessment determines an endpoint is non-compliant, the authorization policy can match that condition and return an authorization profile that includes a specific VLAN ID (e.g., quarantine VLAN) via RADIUS attributes such as Tunnel-Private-Group-ID (RFC 2868). This VLAN assignment is a core function of the authorization profile, not of authentication or profiling.

Exam trap

The trap here is that candidates often confuse the role of the Authorization Profile with the Policy Set or Authentication Policy, mistakenly thinking that VLAN assignment is part of the authentication decision rather than a separate authorization action applied after successful authentication.

How to eliminate wrong answers

Option B is wrong because a Policy Set is a container that groups authentication and authorization policies based on conditions like identity source or network device; it does not itself assign VLANs or other enforcement attributes. Option C is wrong because a Profiling Policy is used to identify and classify endpoints based on attributes like MAC OUI or DHCP fingerprint, but it does not enforce network access restrictions such as VLAN assignment. Option D is wrong because an Authentication Policy determines whether a user or device is allowed to access the network (e.g., via credentials or certificate), but it does not define the post-authentication enforcement actions like VLAN placement.

19
MCQ · hard

A network administrator has configured the above on a Cisco switch port for a device that supports both MAB and 802.1X. The device sends an EAPOL-start but the switch responds with an EAP-Request/Identity. The device does not respond to the EAP-Request/Identity. After a timeout, the switch attempts MAB. However, MAB also fails because the RADIUS server does not have the MAC address. Which of the following best describes the final port state?

A.The port will be placed in a critical authentication VLAN
B.The port will be error-disabled due to authentication failure
C.The port will remain in an unauthorized state, blocking all traffic
D.The port will be placed in VLAN 10 with restricted access
Answer: C

With auto port control, failed auth results in unauthorized state.

Why this answer

When 802.1X authentication fails because the device does not respond to the EAP-Request/Identity, and MAB also fails because the RADIUS server lacks the MAC address, the switch port remains in an unauthorized state. This is the default behavior for a port configured with both authentication methods: if neither succeeds, the port stays in the 802.1X unauthorized state, blocking all traffic until a successful authentication occurs or a fallback action (like a critical VLAN) is explicitly configured.

Exam trap

Cisco often tests the distinction between authentication failure and RADIUS server unavailability, where candidates mistakenly assume a guest VLAN or critical VLAN is automatically applied, but these require explicit configuration and are not default behaviors.

How to eliminate wrong answers

Option A is wrong because a critical authentication VLAN is only used when the RADIUS server is unreachable, not when authentication fails due to a missing MAC address or unresponsive client. Option B is wrong because authentication failure does not cause an error-disabled state; error-disable typically results from port security violations or other physical-layer issues, not from 802.1X or MAB failure. Option D is wrong because VLAN 10 is the configured guest VLAN, which would only be applied if the switch were configured to use a guest VLAN as a fallback for failed authentication, but the scenario does not mention any guest VLAN configuration, and the port remains unauthorized by default.
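The port-level fallback actions that question 19 says are not applied by default, and the MAB-first port from question 16, as an added example for this page (not configuration from the quiz or from Cisco documentation). It assumes the AAA and RADIUS baseline is already in place; the VLAN numbers and interface names are placeholders.

```ios
! Added example: what happens after a failed or absent authentication (Q19), and a MAB-first
! printer port (Q16). VLAN numbers and interface names are placeholders.
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 authentication host-mode single-host
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 ! Without the 'authentication event' lines below, a client that fails 802.1X and then gets an
 ! Access-Reject for MAB simply stays unauthorized: no VLAN, all traffic dropped.
 !
 ! Client sent no EAPOL at all and MAB was rejected -> guest VLAN
 authentication event no-response action authorize vlan 30
 ! Client answered but got Access-Reject -> auth-fail (restricted) VLAN after 2 retries
 authentication event fail retry 2 action authorize vlan 40
 ! RADIUS server dead (no reply at all, not a reject) -> critical VLAN; reinitialize when it returns
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize
!
! Legacy printer port (Q16): run MAB immediately instead of after the 802.1X timeout
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 20
 authentication order mab
 authentication priority mab
 authentication port-control auto
 mab
!
! Verification after the test: Status, Domain, Vlan Policy and the method lines show the final state
!   show authentication sessions interface GigabitEthernet1/0/2 details
!   show dot1x interface GigabitEthernet1/0/2 details
!   show mab interface GigabitEthernet1/0/3 details
```

The distinction the question turns on is visible in the 'show authentication sessions' output: an Access-Reject leaves the method in a Failed over state (and the auth-fail VLAN applies only if configured), while a dead server puts the session into the critical VLAN with the server-dead action recorded, and neither outcome ever puts the port into err-disabled.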

20
Multi-Select · hard

Which THREE attributes can be used in an ISE authorization policy based on endpoint identity?

Select 3 answers
A.Certificate subject DN
B.AD user group
C.Time of day
D.Switch IP address
E.Device MAC address
Answers: A, B, E

A client certificate's subject DN, the AD group of the authenticated user, and the device MAC address all describe who or what the endpoint is.

Why this answer

Options A, B, and E are correct because each is an identity attribute of the endpoint or its user: the certificate subject DN presented in EAP-TLS, the Active Directory group the user belongs to, and the device MAC address (used directly by MAB and as the key for endpoint identity groups). Option D is incorrect because the switch IP address is a network location attribute (NAS-IP-Address or Network Device Group). Option C is incorrect because time of day is an environmental condition.

21
MCQ · hard

A company is using Cisco ISE for guest access. They have configured a guest portal with a self-registration page. Some guests report that after registering, they are not redirected to the success page but instead see a '401 Unauthorized' error. What is the most likely cause?

A.The ISE node is not configured for HTTP redirect.
B.The guest portal certificate is not trusted by the client.
C.The central web authentication (CWA) is not enabled on the switch.
D.The authorization policy for guests is missing.
Answer: C

Without CWA the switch never redirects the guest's HTTP traffic to the ISE portal, so the guest ends up at an unauthorized response instead of the success page.

Why this answer

Option C is correct because guest portal redirection depends on central web authentication on the switch: ISE returns a URL redirect and a redirect ACL in the authorization, and the switch must be prepared to honour them (HTTP server enabled, redirect ACL present, device tracking) and to accept the CoA that follows registration. If CWA is not in place, the browser is not sent through the portal flow that completes the session, and a 401 results. Option B is incorrect because a certificate trust problem produces a browser warning, not a 401.

Option A is incorrect because the HTTP redirect itself is part of the portal configuration returned by ISE. Option D is incorrect because a missing guest authorization rule results in an access-denied or default-deny outcome in the authorization step, with a different error.
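What the switch itself needs before a central web authentication redirect can work, as an added example for this page (not configuration from the quiz or from Cisco documentation). It assumes the AAA, RADIUS and CoA baseline is already configured; the ISE address 10.10.10.10, the ACL name, the VLAN and the interface are placeholders, and the ISE side (the authorization profile that returns 'url-redirect-acl' and 'url-redirect' as cisco-av-pair attributes) is not shown because it lives in the ISE GUI.

```ios
! Added example: switch prerequisites for Central Web Authentication (Q21).
! Addresses, names and VLANs are placeholders.
!
! The redirect is performed by the switch's own HTTP server intercepting the guest's web requests
ip http server
ip http secure-server
! IP-to-session binding; the redirect ACL and any dACL are applied per client IP
ip device tracking
!
! ACL named by ISE in the authorization profile as cisco-av-pair url-redirect-acl=CWA-REDIRECT.
! For a redirect ACL the sense is inverted: 'deny' = do not redirect (let through), 'permit' = redirect.
ip access-list extended CWA-REDIRECT
 deny   udp any any eq domain
 deny   udp any any eq bootps
 ! traffic to the ISE PSN hosting the portal must never be redirected
 deny   ip any host 10.10.10.10
 permit tcp any any eq www
 permit tcp any any eq 443
!
! Guest port: MAB gives the unknown device a session that the redirect attaches to
interface GigabitEthernet1/0/4
 switchport mode access
 switchport access vlan 60
 authentication order mab
 authentication priority mab
 authentication port-control auto
 mab
!
! Checks:
!   show authentication sessions interface GigabitEthernet1/0/4 details
!     -> 'URL Redirect ACL' and 'URL Redirect' lines present means the switch accepted them
!   show ip access-lists CWA-REDIRECT
!     -> hit counts on the permit lines confirm the guest's browser traffic is being intercepted
```

After the guest registers on the portal, ISE sends a CoA (reauthenticate or terminate) so the session is re-authorized without the redirect; if the session details keep showing the redirect after registration, the CoA from ISE is what to investigate next ('aaa server radius dynamic-author' and the key).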

22
MCQ · medium

A company wants to implement software-defined segmentation using Cisco ISE and TrustSec. Which component is responsible for assigning the Security Group Tag (SGT) to packets at the ingress?

A.Endpoint with posture agent
B.Firewall with IPS capability
C.Cisco ISE Policy Service Node
D.Cisco Catalyst switch with CTS
Answer: D

The ingress switch classifies the packet and tags it with the SGT.

Why this answer

Option D is correct because a Cisco Catalyst switch with CTS classifies traffic at the ingress port and applies the SGT, taken from the ISE authorization, a static port mapping, an IP-to-SGT binding or a VLAN-to-SGT mapping. Option C is incorrect because ISE decides which SGT a session gets but does not handle packets. Option A is incorrect because the posture agent reports endpoint attributes and does not tag traffic.

Option B is incorrect because a firewall can enforce on SGTs but is not the tagging device at the edge.

23
Drag & Drop · medium

Drag and drop the steps to troubleshoot an IPsec VPN failure where Phase 1 is not completing into the correct order.



Why this order

Start with IP reachability between the peers, then confirm UDP/500 (and UDP/4500 when NAT-T is in play) is not filtered, compare the IKE Phase 1 proposals (encryption, hash, DH group, lifetime, authentication method), verify the pre-shared keys match on both sides, and finally turn on IKE debugging for the detailed negotiation errors.

24
MCQ · medium

An organization requires that all endpoint traffic be verified against a security policy before being forwarded. Which Cisco umbrella solution provides this capability?

A.Cisco AnyConnect
B.Cisco Stealthwatch
C.Cisco Umbrella
D.Cisco Firepower NGFW
Answer: C

Cloud-delivered enforcement of policy on the endpoint's outbound traffic.

Why this answer

Option C is correct because Cisco Umbrella is a cloud-delivered security service that applies policy to DNS requests and, with its secure web gateway and cloud firewall, to web and IP traffic before it is forwarded. Option A is incorrect because AnyConnect is the VPN and endpoint client; it can carry the Umbrella roaming module but is not the enforcement service. Option B is incorrect because Stealthwatch provides visibility and analytics.

Option D is incorrect because Firepower is an on-premises NGFW.

25
Multi-Select · medium

Which TWO of the following are valid methods for Cisco ISE to collect endpoint attributes for profiling? (Choose TWO)

Select 2 answers
A.Syslog
B.RADIUS Accounting
C.NetFlow Probe
D.SNMP Polling
E.DHCP Probe
Answers: C, E

The NetFlow probe and the DHCP probe are two of the passive collection sources of the ISE profiler.

Why this answer

Option C is correct because ISE can receive NetFlow records exported by network devices; the flow metadata (addresses, ports, protocols) is matched against profiling conditions without any agent on the endpoint. Option E is correct because the DHCP probe parses DHCP requests (sent to the ISE node directly, via a relay or via DHCP SPAN) and uses attributes such as the parameter request list and the host name to classify the endpoint.

Exam trap

Candidates tend to pick the options they recognise as protocols rather than the names of ISE probes. Syslog is not a profiling probe at all, and the RADIUS probe is a separate collector that parses attributes out of the RADIUS packets the switch already sends; 'RADIUS Accounting' as listed here is not the probe name.

26
MCQ · medium

A company is deploying Cisco ISE to enforce access policies based on endpoint posture. Endpoints must be compliant before being granted full network access. Which policy type is used to define the compliance requirements?

A.Authentication policy
B.Profiling policy
C.Posture policy
D.Authorization policy
Answer: C

The posture policy defines the compliance requirements.

Why this answer

Option C is correct because the posture policy defines the compliance requirements (antivirus, patch level, disk encryption and so on) and the remediation actions. Option A is incorrect because the authentication policy determines how the endpoint authenticates. Option D is incorrect because the authorization policy determines the resulting access after authentication and posture.

Option B is incorrect because the profiling policy identifies the device type.

27
Multi-Select · easy

Which TWO of the following are features of Cisco TrustSec? (Choose TWO)

Select 2 answers
A.Security Group Tag Exchange Protocol (SXP)
B.Security Group Tag (SGT) assignment
C.IPsec VPN
D.Network Access Control (NAC)
E.802.1X authentication
Answers: A, B

SXP propagates SGTs across network devices.

Why this answer

Security Group Tag Exchange Protocol (SXP) is a Cisco TrustSec feature that propagates Security Group Tag (SGT) bindings between network devices without requiring inline tagging on every packet. It allows devices that do not natively support SGT in hardware to participate in TrustSec by exchanging IP-to-SGT mappings over TCP, enabling consistent policy enforcement across heterogeneous environments.

Exam trap

Cisco often tests the distinction between TrustSec features (SGT assignment and SXP) and supporting technologies like 802.1X or NAC, leading candidates to mistakenly select authentication or access control mechanisms as core TrustSec components.

28
MCQ · medium

Refer to the exhibit. A network administrator reviews the ISE live log for a successful 802.1X authentication. After authentication, the user is unable to make VoIP calls. What is the most likely cause?

A.The user's phone is not configured for 802.1X.
B.The RADIUS attribute 'device-traffic-class=voice' is incorrect.
C.The switch port is not configured with 'authentication host-mode multi-domain'.
D.The authorization profile does not include a voice VLAN.
Answer: D

The phone needs the voice VLAN; without it the phone cannot reach the call manager.

Why this answer

Option D is correct because the authorization profile 'Standard_Access' does not give the phone what it needs for voice. The session attribute 'device-traffic-class=voice' is the av-pair that admits a session to the voice domain of a multi-domain port; it is not a VLAN ID and does not by itself carry voice VLAN information, so a profile that only returns data access leaves the phone without a usable voice path. Option C is incorrect because the exhibit shows the phone authenticated, and the host mode is not what decides which VLAN the phone uses.

Option A is incorrect because the log shows the phone authenticated. Option B is incorrect because the attribute is correctly formatted.

29
MCQ · easy

A government agency is deploying Cisco ISE with a posture agent to ensure endpoints comply with security policies before accessing the network. The posture policy requires that all Windows computers have antivirus (AV) software running. The engineer configures a condition 'AV installed and running' and binds it to an authorization profile that grants full access if compliant, or quarantine if not. During testing, a computer that has AV installed and running (verified manually) is placed in quarantine. ISE logs show 'Posture - AV condition not satisfied'. The engineer checks the ISE posture configuration: the AV condition uses a default Cisco AV dictionary. What is the most likely cause?

A.The AV vendor is not supported by the ISE default posture dictionary
B.The posture policy is configured to require the AV version as well
C.The client's ISE posture agent is not installed
D.The client's firewall is blocking communication with ISE
AnswerA

ISE's default dictionary includes common AVs; if the vendor is unsupported, the condition cannot be evaluated correctly.

Why this answer

The posture condition uses a dictionary that maps known AV products. If the specific AV brand is not in the Cisco default dictionary, the condition fails even when AV is running, so option A is correct.

Option B would affect many endpoints, not just this one. Option C would cause other issues. Option D is possible but less likely.

30
MCQmedium

A large enterprise has deployed Cisco ISE for network access control. The network consists of multiple access switches and wireless LAN controllers. The security team wants to enforce that only domain-joined Windows computers with up-to-date antivirus can access the corporate network. Non-compliant devices should be placed in a quarantine VLAN with limited access to remediation servers. The ISE policies are configured with posture assessment. However, during a test, a non-compliant Windows computer is granted full network access instead of being quarantined. The ISE logs show that the posture assessment passed, but the computer's antivirus is outdated. What is the most likely reason for this behavior?

A.The authorization policy is matching before the posture policy is evaluated.
B.The posture policy is configured with 'continue' action for non-compliant status, allowing the user to proceed to authorization.
C.The posture agent is not installed on the endpoint, so the assessment is skipped.
D.The posture requirement is set to 'mandatory' but the agent is set to 'any', allowing non-compliant devices.
AnswerB

The 'continue' action does not enforce remediation; it passes the user to authorization.

Why this answer

Option B is correct because in Cisco ISE, when a posture policy is configured with a 'continue' action for non-compliant status, the session does not terminate; instead, it proceeds to the authorization policy. This means the endpoint is evaluated by authorization rules, which may grant full network access if no quarantine rule is matched. The logs show the posture assessment passed because the 'continue' action treats non-compliance as a passing state for policy flow, not a failure.

Exam trap

Cisco often tests the distinction between posture policy actions ('continue' vs. 'block') and authorization policy conditions, trapping candidates who assume non-compliance always results in quarantine without considering the policy flow.

How to eliminate wrong answers

Option A is wrong because ISE evaluates posture policies before authorization policies; the authorization policy cannot match before posture is assessed. Option C is wrong because if the posture agent were not installed, the posture assessment would typically result in an 'unknown' or 'not applicable' status, not a 'passed' status, and the logs would reflect that. Option D is wrong because a 'mandatory' posture requirement with an 'any' agent setting would still enforce posture checks; the issue is the action taken on non-compliance, not the requirement or agent type.

31
MCQmedium

A company is deploying Cisco ISE for guest access. They want to provide a self-service portal where guests can register their devices and receive a temporary username and password. Which ISE component is used to accomplish this?

A.BYOD Portal
B.Mobile Device Management (MDM)
C.Guest Portal
D.Profiler Service
AnswerC

Guest Portal provides self-service registration and temporary credentials for guests.

Why this answer

C is correct because the Guest Portal in Cisco ISE is specifically designed to provide a self-service registration page where guests can create their own accounts, receive temporary credentials, and gain network access. This portal handles the entire guest lifecycle, including sponsor approval if required, and can deliver the username/password via SMS, email, or on-screen display.

Exam trap

Cisco often tests the distinction between BYOD and Guest portals, and the trap here is that candidates confuse the BYOD Portal (which handles device onboarding with certificates) with the Guest Portal (which handles temporary user credentials for non-employees).

How to eliminate wrong answers

Option A is wrong because the BYOD Portal is used for employees to onboard their personal devices into the corporate network with certificate-based authentication, not for guest self-registration. Option B is wrong because Mobile Device Management (MDM) is an external system that enforces policies on enrolled devices (e.g., compliance checks, remote wipe) and is not a self-service portal for guest credential provisioning. Option D is wrong because the Profiler Service uses passive and active probing techniques (e.g., DHCP, HTTP, SNMP) to identify device attributes like OS or vendor, but it does not provide any user-facing portal for registration or credential delivery.

32
MCQeasy

A network administrator wants to implement 802.1X authentication on a switch port that connects a printer. The printer does not support 802.1X, so the administrator configures MAC Authentication Bypass (MAB) as a fallback method. Which command must be included in the switch port configuration to ensure MAB is attempted after 802.1X times out?

A.authentication priority dot1x mab
B.authentication order dot1x mab
C.dot1x timeout tx-period 30
D.authentication port-control auto
AnswerB

This configures the switch to attempt 802.1X first, and if it fails, fall back to MAB.

Why this answer

Option B is correct because 'authentication order dot1x mab' sets the order: first 802.1X, then MAB. Option A is wrong because 'authentication priority' is not a valid command. Option D is wrong because 'authentication port-control auto' enables authentication on the port but does not set the method order.

Option C is wrong because 'dot1x timeout tx-period' only affects 802.1X timers.

33
Multi-Selectmedium

Which TWO methods can be used to propagate SGT information between devices that do not support SGT inline tagging?

Select 2 answers
A.NetFlow
B.CDP
C.LLDP
D.SXP
E.VRF-lite
AnswersB, D

CDP can advertise SGTs in its TLVs.

Why this answer

Options D and B are correct because SXP (SGT Exchange Protocol) is the primary protocol for SGT propagation, and CDP can also carry SGT information in some implementations. Option C is incorrect because LLDP does not support SGT. Option E is incorrect because VRF-lite is not related to SGT.

Option A is incorrect because NetFlow does not propagate SGTs.

34
MCQmedium

A university is using Cisco ISE to provide secure wireless access for students and faculty. The wireless network uses WPA2-Enterprise with PEAP-MSCHAPv2. Recently, some faculty members reported that they cannot connect to the wireless network from their personal laptops, while student devices connect without issues. The faculty members are using the same SSID and entering their credentials correctly. The ISE logs show that the authentication attempts from faculty devices are failing with 'RADIUS Access-Reject' due to incorrect credentials. However, the faculty members are certain they are using the correct password. The IT department has verified that the user accounts in Active Directory are active and not locked. What is the most likely cause of the issue?

A.The ISE authentication policy is not configured to query Active Directory for faculty users
B.The faculty laptops do not have a valid client certificate
C.The faculty accounts are locked due to multiple failed attempts
D.The RADIUS shared secret on the wireless controller is incorrect
AnswerA

If the identity store sequence does not include AD, authentication fails.

Why this answer

The most likely cause is that the ISE authentication policy is not configured to query Active Directory for faculty users. Since student devices connect successfully, the policy likely matches students to an AD identity source but fails for faculty because their accounts are in a different AD group or domain not included in the policy. The 'RADIUS Access-Reject' with 'incorrect credentials' error in ISE logs indicates the authentication policy is not finding the user in the configured identity stores, even though the password is correct.

Exam trap

Cisco often tests the misconception that 'incorrect credentials' always means a wrong password, when in fact it can indicate a missing or misconfigured identity source in the authentication policy, especially when some users succeed and others fail.

How to eliminate wrong answers

Option B is wrong because PEAP-MSCHAPv2 does not require client certificates; only the server side presents a certificate for the TLS tunnel, so missing client certificates would not cause authentication failures. Option C is wrong because the IT department has verified that the faculty accounts are active and not locked, so account lockout is not the issue. Option D is wrong because if the RADIUS shared secret were incorrect, the wireless controller would not even forward authentication requests to ISE, and the logs would show a different error (e.g., 'RADIUS Request dropped' or 'Invalid Shared Secret'), not an Access-Reject due to incorrect credentials.

35
MCQhard

Refer to the exhibit. A switch port is configured for 802.1X with MAB. The switch has reached its maximum number of authentication sessions (platform limit). When a new device attempts to connect, what happens?

A.The new device is not authenticated and remains unauthorized
B.The new device is allowed to pass traffic due to fallback
C.The switch sends a CoA to ISE to free up a session
D.The port is automatically shut down
AnswerA

If the platform limit is reached, the switch cannot create new sessions, so the port remains unauthorized for the new device.

Why this answer

Option A is correct because when the maximum number of authentication sessions is reached, new authentication requests are denied unless 'authentication limit authen-fail-action' is configured otherwise. Option D is wrong because the port does not shut down by default. Option B is wrong because the port does not forward the new device's traffic immediately; the switch does not fail open automatically.

36
MCQeasy

A network administrator is configuring Cisco ISE to enforce access control based on user authentication. The company requires that only users who authenticate via Active Directory are allowed access to the corporate wireless network. Which policy should be configured in ISE to accomplish this?

A.Profiling policy
B.Authentication policy
C.Authorization policy
D.Policy set
AnswerC

Authorization policy defines what access is granted after authentication.

Why this answer

Option C is correct because authorization policies in Cisco ISE define the access permissions granted to authenticated users, such as allowing or denying network access. In this scenario, after a user authenticates via Active Directory (handled by the authentication policy), the authorization policy evaluates conditions (e.g., AD group membership) to enforce the required access control for the corporate wireless network.

Exam trap

The trap here is confusing authentication (verifying identity) with authorization (granting permissions), leading candidates to select authentication policy when the question explicitly asks about enforcing access control after authentication.

How to eliminate wrong answers

Option A is wrong because profiling policies are used to identify and classify endpoints based on attributes like MAC address or DHCP fingerprints, not to enforce access control based on user authentication. Option B is wrong because authentication policies only verify user credentials (e.g., against Active Directory) and determine the identity store to use, but they do not grant or deny network access; that is the role of authorization. Option D is wrong because a policy set is a container that groups authentication, authorization, and profiling policies together; it is not a specific policy that enforces access control based on user authentication.

37
MCQeasy

An organization uses ISE for wireless LAN authentication via 802.1X with PEAP-MSCHAPv2. Users authenticate against Active Directory. Recently, some users report that after changing their domain password, they cannot connect to the wireless network for about 30 minutes. What is the most likely cause?

A.DNS records for the domain controller have not updated
B.ISE has cached the previous password and is still using it for authentication
C.The wireless controller has a local password cache
D.The RADIUS server on the wireless controller is caching credentials
AnswerB

ISE can cache AD credentials; the cache may take up to 30 minutes to refresh after a password change.

Why this answer

Option B is correct because ISE caches credentials for a period; if the password is changed, the cached version may still be used until the cache expires. Option D is wrong because RADIUS servers do not typically cache credentials by default. Option A is wrong because DNS issues would affect all users, not just those who changed their password.

Option C is wrong because the wireless controller does not cache passwords; it passes them through to ISE.

38
MCQmedium

An organization wants to provide guest wireless access with a captive portal. Which Cisco ISE portal type should be used?

A.Sponsored Guest Portal
B.Central Web Authentication (CWA) Portal
C.Hotspot Guest Portal
D.Self-Registered Guest Portal
AnswerD

This portal allows guests to register themselves and create credentials.

Why this answer

Option D is correct. The Self-Registered Guest Portal allows guests to create their own credentials via a captive portal. Option A is for sponsored guests.

Option C is for a simple hotspot without registration. Option B (CWA) is used for central web authentication, typically for BYOD, not for guest self-registration.

39
Multi-Selecteasy

Which TWO of the following are authentication methods used for wired network access in Cisco ISE?

Select 2 answers
A.TACACS+
B.NetFlow
C.RADIUS
D.802.1X
E.MAC Authentication Bypass (MAB)
AnswersD, E

802.1X is a standard authentication method for wired and wireless.

Why this answer

Options D and E are correct because 802.1X and MAC Authentication Bypass (MAB) are the primary authentication methods for wired ports. Option C is incorrect because RADIUS is a protocol, not an authentication method. Option A is incorrect because TACACS+ is for device administration, not network access.

Option B is incorrect because NetFlow is a monitoring tool.

40
Multi-Selecthard

Which TWO are valid options for configuring a switch port to handle authentication failures in an 802.1X environment? (Select two.)

Select 2 answers
A.authentication event no-response action authorize vlan 100
B.dot1x critical profile
C.authentication event server dead action reinitialize
D.authentication port-control force-authorized
E.authentication event fail action authorize vlan 999
AnswersA, E

This is used when the endpoint does not respond to 802.1X (e.g., non-802.1X device).

Why this answer

Options A and E are correct. E: 'authentication event fail action authorize vlan 999' places the port in a guest VLAN when authentication fails. C: 'authentication event server dead action reinitialize' handles RADIUS server failure, not authentication failure.

A: 'authentication event no-response action authorize vlan 100' handles the case where the endpoint does not respond to EAPOL. D: 'authentication port-control force-authorized' forces the port into the authorized state, bypassing authentication entirely. B: 'dot1x critical' is for the critical voice VLAN, not failure handling.

41
MCQmedium

A laptop fails to authenticate via 802.1X on a Cisco switch. The switch logs show: 'Authentication failed for user 'jdoe' on interface GigabitEthernet1/0/24: EAP session timeout.' What is the most likely cause?

A.The supplicant is using an incorrect EAP method.
B.The wired authentication timeout on the switch is too low.
C.The RADIUS server is unreachable.
D.The switch is not configured with a RADIUS server.
AnswerB

Low timeout setting can cause the session to time out before authentication completes.

Why this answer

Option B is correct. The specific 'EAP session timeout' error indicates the authentication process took longer than the configured timeout. Option C is incorrect because an unreachable RADIUS server would produce a different error.

Option A is incorrect because an incorrect EAP method usually results in a different error. Option D is incorrect because a missing RADIUS server would prevent any authentication attempt.

42
MCQhard

A security engineer is configuring Cisco ISE to enforce SGT-based access control. The engineer creates an SGACL on the switch that permits traffic from SGT 10 to SGT 20. However, traffic from SGT 10 to SGT 20 is still being dropped. The engineer verifies that the SGTs are correctly assigned. What is a possible reason for the drop?

A.SXP is not configured
B.The CTRL protocol is not enabled
C.The PAC on the switch is expired
D.There is a deny SGACL with a higher priority that matches the traffic
AnswerD

SGACLs are evaluated in order; a deny rule earlier in the list would override the permit rule.

Why this answer

Option D is correct because Cisco ISE enforces SGT-based access control using Security Group ACLs (SGACLs) that are evaluated in priority order. Even if a permit SGACL exists for SGT 10 to SGT 20, a deny SGACL with a higher priority (lower sequence number) that matches the same traffic will take precedence and cause the traffic to be dropped. The engineer must check the full SGACL list and their sequence numbers on the switch to identify conflicting rules.

Exam trap

Cisco often tests the concept that SGACLs are processed in priority order (lowest sequence number first) and that a higher-priority deny rule can silently override a lower-priority permit rule, leading candidates to incorrectly assume the issue is with SGT assignment or protocol configuration.

How to eliminate wrong answers

Option A is wrong because SXP (SGT Exchange Protocol) is used to propagate SGT bindings between network devices, not to enforce SGACL policies; if SGTs are already correctly assigned, SXP is not required for the switch to apply the SGACL. Option B is wrong because the CTRL protocol (Cisco TrustSec Control Protocol) is used for dynamic SGT assignment and environment data download, but the switch can still enforce locally configured SGACLs without it. Option C is wrong because an expired PAC (Protected Access Credential) would prevent the switch from authenticating to ISE or downloading policies, but the engineer has already verified that SGTs are correctly assigned, indicating the switch is already authenticated and has the necessary policies.

43
Multi-Selecthard

Which TWO are common causes for CoA (Change of Authorization) failures in a Cisco ISE deployment? (Choose two.)

Select 2 answers
A.The switch does not support the CoA protocol.
B.The ISE node serving the CoA is not in the same subnet as the switch.
C.The RADIUS shared secret between ISE and switch is mismatched.
D.The switch port is configured with 'authentication periodic'.
E.The endpoint is connected through a wireless controller that proxies RADIUS.
AnswersA, C

The switch must implement RFC 3576 for CoA to work.

Why this answer

Options A and C are correct. The switch must support CoA (RFC 3576), and the RADIUS shared secret must match for CoA packets to be accepted. Option D is not a cause (periodic reauthentication is a feature).

Option E is not inherently a cause (a proxy can still forward CoA). Option B is incorrect because ISE and the switch can be in different subnets as long as network connectivity exists.

44
MCQmedium

A network engineer is deploying TrustSec using SGT over VXLAN in a data center fabric. The fabric switches are configured as VXLAN Tunnel Endpoints (VTEPs). The engineer must ensure that SGT information is propagated from the border leaves to the spine. Which mechanism should be used?

A.LISP (Locator/ID Separation Protocol)
B.VXLAN Group Policy Option (GPO) in the VXLAN header
C.SXP (SGT Exchange Protocol) between VTEPs
D.IS-IS protocol extensions for SGT
AnswerB

The VXLAN header includes a Group Policy ID field that carries the SGT.

Why this answer

Option B is correct because SGT over VXLAN uses the Group Policy Option (GPO) bits in the VXLAN header. Option C is wrong because SXP is for non-VXLAN environments. Option D is wrong because IS-IS carries routing information, not SGTs.

Option A is wrong because LISP carries endpoint IDs, not SGTs.

45
MCQmedium

A company is deploying Cisco TrustSec to enforce micro-segmentation between data center servers. Security team wants to use Security Group Tags (SGTs) assigned dynamically via ISE. Which method should the engineer use to propagate SGTs to the access switches that connect the servers, assuming the network uses Cisco Nexus 9000 switches and ISE as the policy server?

A.Deploy SXP (SGT Exchange Protocol) between ISE and the Nexus switches
B.Configure ISE as a RADIUS server to send CoA with SGT
C.Enable SGT inline tagging on all interswitch links
D.Use a dedicated VLAN per security group
AnswerA

SXP is designed to exchange IP-to-SGT mappings between ISE (policy server) and network devices like Nexus switches.

Why this answer

For dynamic SGT propagation, the best method is SXP (SGT Exchange Protocol) because it can carry SGT bindings from ISE to network devices without needing inline tagging on every link. Option C (SGT inline tagging) requires hardware support; option B (RADIUS CoA) is for reauthorization and is not an SGT propagation method; option D (a dedicated VLAN per security group) does not propagate SGTs at all. So the answer is A.

46
Multi-Selecthard

Which THREE capabilities are provided by Cisco ISE's visibility services within the Secure Network Access domain? (Choose three.)

Select 3 answers
A.Endpoint profiling and classification (including IoT)
B.802.1X authentication for wired and wireless
C.Security group access control enforcement
D.Guest user registration and sponsor workflows
E.Passive identity monitoring and contextual data collection
AnswersA, D, E

ISE profiles endpoints based on attributes like MAC OUI, DHCP options.

Why this answer

ISE visibility includes profiling, device registration (BYOD), and anomaly detection. Option E (passive identity monitoring) is part of ISE's network visibility with ASA/FP. Option A (endpoint profiling, including IoT device classification) is a profiling feature.

Option D (guest lifecycle management) is part of visibility for guests. Option B is basic 802.1X, not visibility. Option C is policy enforcement, not visibility.

47
MCQhard

A hospital is deploying Cisco ISE for network access control. They have a mix of employee laptops, medical devices (e.g., infusion pumps), and guest smartphones. The network uses Cisco Catalyst 9300 switches and Aironet 3700 series access points. For medical devices, the policy must use Machine Authentication (MAB) since they are 802.1X incapable. The ISE policy authenticates via MAB and then assigns the device to a specific VLAN for medical devices. During a pilot, the network team notices that some infusion pumps (MAC: 00:1A:2B:3C:4D:5E) are failing MAB authentication. The switch logs show 'Authentication failed for MAC 001a.2b3c.4d5e on interface GigabitEthernet1/0/10'. ISE logs show 'Authentication failed - RADIUS server rejected - Reason: Invalid Endpoint ID'. The engineer has verified the MAC address is in the ISE endpoint repository with correct identity group. What should the engineer check next to resolve this issue?

A.Verify that the switch port is configured with 'authentication port-control auto'
B.Check the MAC address format in the ISE endpoint identity store (such as using lowercase with a hyphen separator)
C.Confirm that the ISE policy for MAB allows the device to authenticate
D.Ensure the RADIUS shared secret is correct on the switch and ISE
AnswerB

The switch may send the MAC as '001a.2b3c.4d5e' or as '00-1a-2b-3c-4d-5e'; ISE expects a specific format, and a mismatch causes 'Invalid Endpoint ID'.

Why this answer

The error 'Invalid Endpoint ID' typically indicates that the username/password used for MAB is not matching. For MAB, the switch sends the MAC address as both username and password. If the ISE repository has the MAC but the authentication profile expects a different format (e.g., lowercase, colon-separated), it can fail.

Option B is correct because the switch might be sending the MAC in a different case (upper vs. lower) or without dashes. Option A would cause a different error. Option C would prevent any authentication.

Option D would cause other services to fail, not specific to MAB.

48
MCQhard

In a Cisco TrustSec deployment, you want to dynamically assign SGTs based on user authentication. Which mechanism should you use?

A.CTS SXP
B.CTS RBACL
C.CTS device classification
D.CTS identity-based networking (IBNS) with RADIUS CoA
AnswerD

IBNS with CoA can dynamically assign SGTs via RADIUS attributes.

Why this answer

Option D is correct. Identity-Based Networking Services (IBNS) with RADIUS Change of Authorization (CoA) allows dynamic assignment of SGTs during authentication. Option B (RBACL) is for role-based access control, not SGT assignment.

Option A (SXP) propagates SGTs but does not assign them dynamically. Option C (device classification) is for static assignment.

49
MCQhard

Refer to the exhibit. A network administrator is troubleshooting device tracking on a Cisco switch. The output shows two devices in VLAN 100. The switch is configured with IPv6 first-hop security features. The administrator notices that the device with MAC address aaaa.bbbb.cccc is not receiving RA guard protection. What is the most likely reason?

A.The interface Gi0/1/1 is not configured as a trusted interface for RA guard.
B.The device is not in the same VLAN as the RA guard policy.
C.The device tracking entry for aaaa.bbbb.cccc is invalid.
D.The device tracking table has reached its limit.
AnswerA

RA guard only applies to trusted interfaces.

Why this answer

RA Guard protection is applied per interface based on trust configuration. The exhibit shows the device with MAC aaaa.bbbb.cccc is reachable via Gi0/1/1, but if that interface is not explicitly configured as trusted for RA Guard (e.g., using `ipv6 nd raguard trust`), the switch will not apply RA Guard filtering to RAs received on that port. This allows rogue RA messages from that device to bypass protection, making A the correct answer.

Exam trap

Cisco often tests the distinction between device tracking entries being present and the interface trust configuration being applied, leading candidates to incorrectly assume a valid tracking entry implies protection is active.

How to eliminate wrong answers

Option B is wrong because the device is in VLAN 100, and the RA Guard policy is applied to that VLAN (as shown in the exhibit), so the VLAN mismatch is not the issue. Option C is wrong because the device tracking entry for aaaa.bbbb.cccc is listed as valid (state REACHABLE), so it is not invalid. Option D is wrong because the device tracking table shows only two entries, far below typical limits (e.g., 4096 or more), so the table is not full.

50
MCQhard

An engineer is implementing Cisco ISE posture assessment for corporate Windows laptops. The requirement: endpoints that are missing critical Microsoft security patches must be quarantined in a remediation VLAN. The ISE posture policy uses an 'Application Condition' to check for the patch. However, some laptops with missing patches are still allowed access. During testing, the engineer notices that the posture agent reports 'NAC Agent: Posture Unknown' for those laptops. What is the most likely cause?

A.The posture agent software is outdated
B.The missing patches are not on the ISE patch list
C.The ISE server is unreachable from the client VLAN
D.The authorization policy does not include a posture profile
AnswerD

Without a posture profile in the authorization result, the client does not receive instructions to perform posture assessment, leading to 'Posture Unknown'.

Why this answer

Posture Unknown typically means the posture assessment timed out or the client did not complete the scan. A common cause is the posture agent not receiving the necessary credentials or probe from ISE because the authorization result lacks a posture profile. Option D is correct because if the authorization policy does not invoke posture (i.e., the result does not include a posture profile), the agent may not perform the scan.

Option B (patch not on the ISE patch list) would result in non-compliance, not unknown. Option C (ISE not reachable) would break all authentication. Option A (outdated agent) might cause issues but typically not 'unknown'.

So the answer is D.

51
MCQeasy

A network engineer is troubleshooting an 802.1X deployment where some Windows 10 endpoints fail to authenticate. Logs show that the client sends an EAPoL-Start but never receives an EAP-Request/Identity. The switch port configuration is:

interface GigabitEthernet0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator

Which additional command is most likely needed?

A.dot1x reauthentication
B.dot1x system-auth-control
C.spanning-tree portfast
D.dot1x timeout tx-period 3
AnswerB

This global command enables 802.1X authentication on the switch, which is required for the port to process EAPoL messages.

Why this answer

'authentication port-control auto' enables 802.1X on the port, but 802.1X must also be enabled globally, and the switch must be configured to use the RADIUS server for authentication ('aaa new-model' and 'radius-server host ...'), though those commands are not among the options. 'dot1x timeout tx-period 3' is irrelevant; 'dot1x reauthentication' is optional; 'spanning-tree portfast' is for STP.

Since the stem asks for the additional command, option B, 'dot1x system-auth-control', is the one needed: on Cisco switches it must be enabled globally before any port processes EAPoL. Thus the answer is B.
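The commands quoted across questions 28, 32, 40, 43, 51 and 55 fit together into one legacy-style IOS 802.1X/MAB port configuration. This is an added example and not part of the original question set: the interface name, the VLAN numbers and the ISE address 192.0.2.10 are assumptions, and the shared secret is a placeholder.

```ios
! --- Global: required before any port will process EAPoL (question 51) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
!
! RADIUS server definition (assumed address); the same secret must be
! configured for CoA, or CoA packets are silently rejected (question 43)
radius server ISE-PSN
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <SHARED-SECRET-PLACEHOLDER>
!
! Accept Change of Authorization (RFC 3576 / RFC 5176) from ISE
aaa server radius dynamic-author
 client 192.0.2.10 server-key <SHARED-SECRET-PLACEHOLDER>
!
! --- Access port (assumed): 802.1X first, MAB as fallback (question 32) ---
interface GigabitEthernet1/0/24
 description Phone + PC, 802.1X with MAB fallback
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! one phone in the voice domain plus one PC in the data domain (question 28)
 authentication host-mode multi-domain
 ! try 802.1X, then MAB when the supplicant never answers
 authentication order dot1x mab
 authentication port-control auto
 ! endpoint answered but failed: guest/quarantine VLAN (question 40)
 authentication event fail action authorize vlan 999
 ! endpoint never sent EAPoL (printer, IP phone): fallback VLAN (question 40)
 authentication event no-response action authorize vlan 100
 ! all RADIUS servers dead: keep existing sessions, new ones land in the critical VLAN
 authentication event server dead action reinitialize vlan 10
 ! reauthenticate on the interval ISE returns (Session-Timeout), not a
 ! fixed short local timer that drops slow clients (question 55)
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 ! EAP-Request/Identity retransmit interval; the switch falls back to MAB
 ! after max-reauth-req (default 2) unanswered retransmits, i.e. 30 s here
 dot1x timeout tx-period 10
 spanning-tree portfast
```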

52
MCQeasy

A security architect is designing network access control for a campus network. The requirement is to authenticate users before granting network access and to enforce policies based on user identity and device posture. Which solution should be deployed?

A.AAA server with TACACS+
B.VPN concentrator with client certificate authentication
C.Next-generation firewall with application control
D.Cisco Identity Services Engine (ISE)
AnswerD

ISE provides centralized policy enforcement for network access with user and device context.

Why this answer

Cisco ISE is the correct solution because it provides centralized policy-based network access control that authenticates users via 802.1X, MAB, or web authentication, and enforces dynamic VLAN assignment, ACLs, or SGTs based on user identity and device posture (e.g., compliance with antivirus, OS patches). Unlike a generic AAA server, ISE integrates with posture assessment (via AnyConnect or NAC Agent) and supports profiling, guest access, and BYOD onboarding, directly meeting the requirement for identity- and posture-based enforcement.

Exam trap

Cisco often tests the distinction between AAA for device administration (TACACS+) and AAA for network access (RADIUS/ISE), leading candidates to mistakenly choose a generic AAA server when the question specifically requires identity- and posture-based enforcement.

How to eliminate wrong answers

Option A is wrong because TACACS+ is a legacy AAA protocol that separates authentication, authorization, and accounting but does not support device posture assessment or dynamic policy enforcement based on endpoint health; it is typically used for device administration (e.g., router/switch CLI access), not for network access control of end-user devices. Option B is wrong because a VPN concentrator with client certificate authentication only secures remote access connections and does not control access to the campus network at the edge (wired/wireless); it lacks the ability to enforce policies based on device posture or integrate with switch/AP port-level control. Option C is wrong because a next-generation firewall with application control inspects traffic at the network perimeter and enforces policies based on application signatures, not user identity or device posture; it cannot authenticate users at the access layer or dynamically assign VLANs/ACLs on switches.

53
MCQ · easy

A guest device in VLAN 200 attempts to reach a server at 10.10.1.1. What happens to the traffic?

A.The traffic is permitted
B.The traffic is forwarded without any action
C.The traffic is dropped
D.The traffic is logged and forwarded
Answer: C

Destination 10.10.1.1 matches deny entry.

Why this answer

Option C is correct because the VACL 'BLOCK_MAP' is applied to VLAN 200. The access list BLOCK_GUEST denies traffic from any source to the 10.10.0.0/16 network. Since the destination 10.10.1.1 falls within this range, the traffic is dropped.

Option A is incorrect because the ACL denies the traffic. Option B is incorrect because a VACL match occurs, so an action is taken. Option D is incorrect because logging is not configured in the VACL.

54
MCQ · hard

During a security incident, an investigator wants to identify all endpoints that communicated with a known malicious IP address within the last 24 hours. Which Cisco tool is best suited for this forensic analysis?

A.Cisco Firepower NGFW
B.Cisco Secure Network Analytics (Stealthwatch)
C.Cisco Umbrella
D.Cisco ISE
Answer: B

Provides network visibility and historical flow analysis.

Why this answer

Option B is correct because Cisco Secure Network Analytics (Stealthwatch) provides network visibility and flow records and can query historical data for such investigations. Option C is incorrect because Umbrella is real-time DNS protection. Option A is incorrect because Firepower is a firewall.

Option D is incorrect because ISE is for access control.

55
MCQ · easy

A network administrator is troubleshooting intermittent authentication failures on a switch port configured for 802.1X with MAB fallback. Users can connect but get dropped after a few minutes. What is the most likely cause?

A.Incorrect VLAN assignment
B.Incorrect RADIUS shared secret
C.Reauthentication timer set too short
D.MAB timeout set too low
Answer: C

Frequent reauth can cause drops if client or server is slow.

Why this answer

Option C is correct because a reauthentication timer that is too short causes frequent reauthentication attempts, which may fail if the RADIUS server is slow or the client fails to respond in time. Option B is incorrect because an incorrect shared secret would cause all authentications to fail immediately. Option D is incorrect because the MAB timeout affects initial authentication, not ongoing sessions.

Option A is incorrect because an incorrect VLAN assignment would prevent network access entirely.

56
Multi-Select · hard

Which THREE of the following are valid components of Cisco ISE's visibility and enforcement architecture?

Select 3 answers
A.TrustSec with SGTs
B.Profiling probes (e.g., DHCP, HTTP)
C.pxGrid (Platform Exchange Grid)
D.NetFlow for flow analysis
E.SNMP traps for alerting
Answers: A, B, C

TrustSec provides scalable role-based access control using SGTs.

Why this answer

Cisco ISE's visibility and enforcement architecture relies on TrustSec with Security Group Tags (SGTs) to enforce access policies based on logical groupings rather than IP addresses. SGTs are propagated via SXP or inline tagging, enabling dynamic policy enforcement across the network.

Exam trap

Cisco often tests the distinction between visibility/enforcement components (TrustSec, pxGrid, profiling) and general network monitoring tools (NetFlow, SNMP), leading candidates to incorrectly include the latter as core ISE architecture elements.

57
MCQ · medium

A network engineer configures ISE for 802.1X with PEAP-MSCHAPv2. Users report intermittent authentication failures on certain switches. The engineer checks ISE logs and sees 'Authentication failed' with reason 'User not found in identity store'. What is the most likely issue?

A.The switch port is configured with 'authentication periodic'.
B.The user is not in the Active Directory group that ISE is configured to query.
C.The switch is not configured with the correct shared secret.
D.The user's certificate is expired.
Answer: B

ISE cannot find the user in the identity store, likely due to group membership or search base issues.

Why this answer

Option B is correct. The error 'User not found in identity store' indicates that the user's credentials are not present in the configured identity source, such as Active Directory. Option C is incorrect because a shared secret mismatch would result in different errors.

Option D is incorrect because certificate expiration would cause a certificate-related error. Option A is incorrect because periodic reauthentication does not cause this error.

58
MCQ · medium

An engineer is configuring ISE for guest access via a sponsor portal. The policy requires that a sponsor must approve each guest. However, guests are being automatically approved without sponsor interaction. What is the most likely misconfiguration?

A.The guest portal's 'Access setting' is set to 'Self-Registration' instead of 'Sponsor Approval'
B.The guest portal is not configured to send email notifications to sponsors
C.The sponsor user account is assigned to the wrong sponsor group
D.The guest endpoint is being profiled as a known device
Answer: A

If the portal is set to self-registration, guests are automatically approved. It must be set to sponsor approval to require manual approval.

Why this answer

Option A is correct because the guest portal's access setting must be set to 'Sponsor Approval' to require sponsor approval. Option C is wrong because the sponsor group affects who can sponsor, not the approval process. Option B is wrong because the email notification only informs sponsors; it does not gate approval.

Option D is wrong because profiling the endpoint as a known device does not affect guest approval; self-registration, not profiling, is what bypasses sponsor approval.

59
Drag & Drop · medium

Drag and drop the steps to configure NetFlow on a Cisco IOS router for traffic monitoring in the correct order.

Why this order

First enable flow on interface, then configure exporter, create monitor, apply to interface, and verify.

60
MCQ · hard

An ISE deployment uses TrustSec with SGTs assigned by Active Directory group membership. A group of users in the 'Finance' AD group is correctly receiving SGT 5, but a new user added to that group is getting SGT 0. The ISE policy is unchanged, and other users in the group work fine. What is the most likely cause?

A.The user endpoint has not been profiled by ISE yet
B.ISE has not synchronized the latest AD group membership
C.The user endpoint is running antivirus software that blocks SGT assignment
D.The user does not have a PAC (Protected Access Credential)
E.The switchport is configured with 'authentication violation restrict' which blocks the new user
Answer: B

ISE caches AD groups. If the user was recently added, the cache may be stale, causing ISE to assign a default SGT (0).

Why this answer

Option B is correct because ISE caches AD groups; a new user may not be in the cache until the next sync. Option D is wrong because SGT classification can be based on AD groups without a PAC. Option C is wrong because endpoint protection is separate.

Option A is wrong because profiling is not involved in AD group-based SGT assignment.

61
Multi-Select · easy

Which TWO factors should be considered when designing a Cisco ISE deployment for network access control (NAC) in a multi-site environment? (Choose two.)

Select 2 answers
A.ISE node roles and placement (primary, secondary, monitoring)
B.Endpoint profiling needs
C.Number of endpoints per policy evaluator
D.Type of network access device (switch, WLC, VPN)
E.WAN link latency and reliability between sites
Answers: A, E

Roles define failover and administration; critical for multi-site.

Why this answer

Multi-site NAC design requires reliable connectivity between sites and proper node roles. Option E (WAN link latency and reliability) is critical for authentication timeliness. Option A (ISE node roles, such as Admin vs Monitoring) is important for failover and load balancing.

Option C is irrelevant unless performance sizing is the concern. Option D is a per-device implementation detail, not a multi-site design factor. Option B is about endpoint attributes, not multi-site design.

62
MCQ · hard

A multinational corporation is deploying Cisco ISE to enforce network access for both wired and wireless users. The company has 5,000 employees and 2,000 guest users daily. The ISE deployment consists of two nodes: a primary Administration Node (PAN) and a Monitoring Node (MNT). All policies are configured on the PAN. Recently, the company has experienced intermittent authentication failures during peak hours. The failures affect both wired 802.1X and wireless users. The syslogs show 'RADIUS request dropped' messages on the ISE nodes. The network team has verified that the RADIUS shared secret is correct and that the network devices can reach the ISE nodes. The ISE nodes have sufficient CPU and memory. However, the authentication failures correlate with times when the number of concurrent sessions exceeds 500. What is the most likely cause of the issue?

A.The ISE node is running out of RADIUS session capacity
B.The ISE nodes are not reachable from the network devices
C.The RADIUS shared secret is mistyped on some network devices
D.The CPU and memory are insufficient despite appearing sufficient
Answer: A

ISE has a maximum number of concurrent RADIUS sessions; exceeding that causes drops.

Why this answer

The 'RADIUS request dropped' messages and correlation with concurrent sessions exceeding 500 indicate that the ISE node has reached its RADIUS session capacity. Cisco ISE nodes have a finite number of RADIUS session contexts (typically 500 for a single node in many deployments), and once this limit is exceeded, new authentication requests are dropped. This is a licensing and resource limitation, not a CPU or memory issue, and it explains why failures occur only during peak hours.

Exam trap

Cisco often tests the distinction between resource exhaustion (CPU/memory) and session capacity limits, trapping candidates who assume that sufficient CPU and memory means no capacity issue, when in fact the RADIUS session table is a separate finite resource.

How to eliminate wrong answers

Option B is wrong because the network team verified that the network devices can reach the ISE nodes, so reachability is not the issue. Option C is wrong because the RADIUS shared secret was verified as correct on all devices, and mistyped secrets would cause consistent failures, not intermittent ones correlated with session count. Option D is wrong because the ISE nodes have sufficient CPU and memory, and the problem is a session capacity limit, not a resource exhaustion issue.

63
MCQ · hard

In a Cisco TrustSec environment, a network administrator observes that traffic between two endpoints in the same SGT group is being denied. The relevant switch has CTS configured with 'cts manual' and 'policy static sgt 10'. What is the most probable cause?

A.The SGT classification is not applied to the correct VLAN.
B.The SGT is not propagated to the downstream switch.
C.The endpoint's NAC agent is not reporting posture.
D.The IP-to-SGT mapping is missing on the switch.
Answer: A

If the VLAN on the switchport is not mapped to the SGT, the endpoint may be classified incorrectly, causing denial.

Why this answer

Option A is correct. If the SGT classification is not applied to the correct VLAN, the switch may not classify traffic correctly, leading to default denial. Option D is incorrect because with manual CTS, IP-to-SGT mapping is done via static configuration or RADIUS, and a missing mapping would result in an unknown SGT.

Option C is irrelevant to traffic forwarding. Option B is incorrect because SGT propagation is not needed for same-switch communication.

64
MCQ · easy

A network administrator is configuring 802.1X for wired access on a Cisco switch. The switch is configured for RADIUS using a Cisco ISE server. During testing, a client that supports 802.1X is unable to authenticate and fails to gain network access. The administrator checks the switch logs and sees "Authentication failed: invalid EAP code received". What is the most likely cause?

A.The client is using an unsupported EAP method (e.g., EAP-TLS instead of PEAP).
B.The RADIUS server is unreachable.
C.The switch is configured with the wrong shared secret for RADIUS.
D.The switch port is configured as a trunk port rather than an access port.
Answer: A

The switch cannot process an unrecognized EAP code, which occurs when the client negotiates an unsupported method.

Why this answer

Option A is correct because the error "invalid EAP code received" indicates that the switch received an EAP packet with a code it does not support, typically due to an unsupported EAP method. Option C is wrong because a shared secret mismatch would produce a different RADIUS error. Option D is wrong because a trunk port configuration would cause VLAN issues, not EAP parsing errors.

Option B is wrong because RADIUS unreachability would cause timeouts or no response.

65
MCQ · hard

An organization is deploying Cisco TrustSec and uses SXP to propagate SGTs between routers that do not support SGT inline tagging. The SXP connection is established, but the SGT mappings are not being learned. The administrator checks 'show sxp connections' and sees the connection is in 'On' state. What is the most likely issue?

A.The SXP source IP is not reachable.
B.The SXP hold-down timer expires too quickly.
C.The SXP speaker and listener are both configured as listener.
D.The SXP password is incorrect.
Answer: C

SXP requires one side to be speaker and the other listener; both listener prevents mapping exchange.

Why this answer

Option C is correct because for SXP, one side must be a speaker and the other a listener. If both are configured as listeners, the connection state is 'On' but no mappings are exchanged. Option D is incorrect because an incorrect password would prevent the connection from establishing.

Option A is incorrect because if the source IP is unreachable, the connection would not reach the 'On' state. Option B is incorrect because the hold-down timer affects stale mappings, not initial learning.

66
Multi-Select · medium

Which THREE are valid methods to obtain security group tags (SGTs) on a Cisco switch? (Choose three.)

Select 3 answers
A.IP-to-SGT mapping via RADIUS
B.CTS manual configuration
C.Cisco ISE pxGrid subscription
D.VLAN-to-SGT mapping
E.SXP
Answers: A, B, E

RADIUS can send SGT attributes during authentication.

Why this answer

Options A, B, and E are correct. SXP (SGT Exchange Protocol) propagates SGTs, CTS manual configuration statically assigns SGTs, and IP-to-SGT mapping via RADIUS allows dynamic assignment. Option D is not a standard method (VLAN-to-SGT mapping is not directly supported; SGTs are per host).

Option C (pxGrid subscription) is used by ISE to share context data with partner systems, not for the switch to obtain SGTs.

67
Matching · medium

Match each Cisco security command to its function.

Display IKE security associations

Display configured access control lists

Display firewall configuration and statistics

Enable IP packet debugging

Save running configuration to startup

Why these pairings

These are common Cisco IOS security commands.

68
MCQ · hard

A large enterprise has deployed Cisco ISE for network access control with 802.1X and MAB across its wired and wireless networks. The network consists of Cisco Catalyst switches, Cisco Wireless LAN Controllers (WLCs), and ISE in a distributed deployment with three Policy Service Nodes (PSNs) and an Admin Node. Recently, the company implemented a new security policy requiring all endpoints to pass posture assessment before gaining full network access. The posture assessment uses AnyConnect ISE Posture Module. Shortly after the change, users report that some wired clients are unable to connect to the network. The ISE logs show that the authentication is successful, but the session is terminated immediately with a 'Session-Timeout' attribute set to 0. The network team notices that the affected clients are all connected to switches running older Cisco IOS versions. The ISE administrator confirms that the authorization profiles for the affected clients include a session-timeout of 1 hour. Which course of action should the network engineer take to resolve the issue?

A.Upgrade the switch IOS to a version that supports the new ISE posture attributes.
B.Disable posture assessment for the affected switch ports using a different authorization policy.
C.Configure the switches to ignore the Session-Timeout attribute sent by ISE.
D.Increase the session-timeout value in the ISE authorization profile to a larger value.
Answer: A

Upgrading resolves the incompatibility and allows proper handling of posture attributes.

Why this answer

Option A is correct because older IOS versions may not properly interpret the new RADIUS attributes sent by ISE during posture assessment, causing session termination. Upgrading to a supported IOS version resolves the compatibility issue. Option C is incorrect because ignoring the Session-Timeout attribute is not a recommended practice and may cause security issues.

Option B is incorrect because disabling posture for these ports is a workaround, not a solution. Option D is incorrect because increasing the timeout does not address the root cause, which is the switch's inability to handle the attribute.

69
Matching · medium

Match each Cisco security product to its category.

Next-Generation Firewall

Cloud-Delivered Security

Advanced Malware Protection

Identity Services Engine

Network Visibility and Detection

Why these pairings

These are key Cisco security solutions and their categories.

70
MCQ · easy

A network administrator wants to implement 802.1X on a Cisco switch port for a device that does not support 802.1X. Which feature should be configured to allow the device to connect?

A.802.1X with EAP-MSCHAPv2
B.Downloadable ACL (dACL)
C.Web Authentication (WA)
D.MAC Authentication Bypass (MAB)
Answer: D

MAB allows non-802.1X devices to authenticate using their MAC address.

Why this answer

MAC Authentication Bypass (MAB) is the correct feature because it allows a device that does not support 802.1X supplicant software to authenticate by using its MAC address as the identity. The switch acts as a proxy, sending the MAC address as the username and password to the RADIUS server, which can then grant or deny access based on the MAC address in its database.

Exam trap

The trap here is that candidates confuse MAB with a bypass that skips all security, when in fact MAB still enforces authentication via the RADIUS server using the MAC address as credentials.

How to eliminate wrong answers

Option A is wrong because 802.1X with EAP-MSCHAPv2 requires the endpoint to run an 802.1X supplicant that can respond to EAP challenges, which the non-802.1X device cannot do. Option B is wrong because a downloadable ACL (dACL) is a policy enforcement mechanism applied after authentication, not an authentication method; it does not allow an unsupported device to connect. Option C is wrong because Web Authentication (WA) requires the user to open a web browser to authenticate, which is not suitable for a headless device (e.g., printer, IP phone) that cannot perform interactive web login.

71
MCQ · medium

A network engineer is troubleshooting an issue where a user's device is successfully authenticated via 802.1X, but the user cannot access the corporate network. ISE logs show that the user was granted access with a downloadable ACL (dACL). What could be the cause of no network access?

A.The switch does not support downloadable ACLs.
B.The user's device is in a different subnet.
C.The RADIUS server is not reachable after authentication.
D.The switch port is configured with 'access-session port-control auto'.
Answer: A

Switches that do not support dACLs will ignore the attribute, resulting in no access.

Why this answer

Option A is correct because if the switch does not support downloadable ACLs, it will ignore the dACL attribute and not apply any filtering, potentially blocking traffic. Option B is incorrect because subnet placement does not affect dACL application. Option C is incorrect because the RADIUS server is not involved after authentication.

Option D is incorrect because 'access-session port-control auto' is the correct configuration.

72
MCQ · medium

Refer to the exhibit. A network analyst reviews a Stealthwatch flow analysis output. What is the most likely interpretation?

A.This is likely a data exfiltration attempt using a non-standard port.
B.This is a typical video streaming session.
C.This is normal database replication traffic.
D.This is a misconfigured backup job.
Answer: A

Large data transfer on an unusual port with high score suggests malicious activity.

Why this answer

Option A is correct. The high volume of data (1.2 GB) over a short period (5 minutes) on a non-standard TCP port (4444) with a high threat score (85) is indicative of data exfiltration. Option C is incorrect because database replication typically uses standard ports such as 1433 or 1521.

Option B is incorrect because video streaming uses different ports and traffic patterns. Option D is incorrect because backup jobs usually use standard ports and have regular patterns.

73
MCQ · hard

During a network audit, an engineer finds that a switch configured for 802.1X is allowing a device to access the network without authentication. The switch logs show 'MAB failed', 'dot1x failed', but the port is in the forwarding state. The port configuration includes 'authentication fallback final mab' and 'dot1x timeout server-timeout 10'. What is the most likely explanation?

A.The device is using a MAC address that matches a static CAM entry
B.The 'authentication fallback final mab' command allows the port to become authorized even if MAB fails
C.The switch has 'aaa authentication dot1x default local' which allows local fallback
D.The 'dot1x timeout server-timeout' is too short, causing the switch to skip authentication
E.The switch is running an IOS version that treats 'authentication fallback final mab' as a no-op
Answer: B

This command treats 'mab' as the final method; if it fails, the port is still authorized.

Why this answer

Option B is correct because 'authentication fallback final mab' means that if dot1x and MAB both fail, the switch still authorizes the device as a final fallback, effectively overriding the authentication failure. Option A is wrong because the logs show authentication attempts. Option C is wrong because the logs explicitly show failures.

Option D is wrong because server-timeout alone does not cause this behavior.

74
MCQ · medium

A company uses Cisco ISE for network access control. Users connecting via wired 802.1X are successfully authenticated but cannot reach the internet. The administrator checks the authorization policy and notices that the correct dACL is being applied. What is the most likely cause of the issue?

A.The switchport is configured as dynamic desirable
B.The RADIUS server is not sending the dACL attribute in the Access-Accept
C.The switch port MTU is set to 1500 bytes
D.ISE is out of licenses for endpoint devices
Answer: B

If the dACL is not included in the RADIUS response, the switch will not apply it.

Why this answer

The most likely cause is that the RADIUS server (ISE) is not sending the dACL attribute in the Access-Accept packet. Even though the authorization policy applies a dACL, if the RADIUS message does not include the dACL name (e.g., Cisco-AV-Pair = "ip:inacl#100=...") or the switch does not receive it, the switch cannot enforce the filter, leaving the user authenticated but with no internet access due to default deny-all behavior.

Exam trap

Cisco often tests the misconception that a correctly configured authorization policy in ISE guarantees the dACL is sent; the trap is that the policy must be linked to an authorization profile that explicitly includes the dACL, and the RADIUS message must carry it—otherwise the switch never receives the filter.

How to eliminate wrong answers

Option A is wrong because switchport mode dynamic desirable is a DTP setting for trunk negotiation and does not affect 802.1X authentication or dACL enforcement. Option C is wrong because an MTU of 1500 bytes is standard and would not prevent internet access after successful authentication; it might cause fragmentation issues but not a complete lack of connectivity. Option D is wrong because ISE license depletion affects the ability to authenticate new endpoints, not the enforcement of already-applied dACLs for authenticated users.

75
MCQ · hard

During a security incident, an engineer needs to quickly quarantine an endpoint that is connected to a switch via 802.1X. The engineer wants to use ISE to send a Change of Authorization (CoA) to move the port to a restrictive VLAN. What must be configured on the switch to allow ISE to send CoA?

A.The switch must listen on UDP port 1700 for CoA packets
B.The switch must have 'aaa server radius dynamic-author' configured with a client entry for ISE
C.The switch must have a VTY line configured with 'transport input ssh'
D.RADIUS accounting must be enabled on the switch
E.The switch must have 'authentication event server dead action authorize' configured
Answer: B

This command enables the switch to accept CoA requests from ISE.

Why this answer

Option B is correct because CoA requires the switch to accept dynamic-authorization requests from ISE, configured with 'aaa server radius dynamic-author' and a client entry for ISE. Option D is wrong because RADIUS accounting is separate. Option A is wrong because CoA uses UDP port 3799 by default.

Option E is wrong because 'authentication event server dead action' is for RADIUS server failure, not CoA.
