350-701 · topic practice

Secure Network Access, Visibility and Enforcement practice questions

Practise Cisco SCOR / CCNP Security Core 350-701 Secure Network Access, Visibility and Enforcement practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Secure Network Access, Visibility and Enforcement

What the exam tests

What to know about Secure Network Access, Visibility and Enforcement

Secure Network Access, Visibility and Enforcement questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Secure Network Access, Visibility and Enforcement exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Secure Network Access, Visibility and Enforcement questions

20 questions · select your answer, then reveal the explanation

Question 1 · easy · multiple choice

A network administrator is configuring Cisco ISE to enforce access control based on user authentication. The company requires that only users who authenticate via Active Directory are allowed access to the corporate wireless network. Which policy should be configured in ISE to accomplish this?

A company uses Cisco ISE for network access control. Users connecting via wired 802.1X are successfully authenticated but cannot reach the internet. The administrator checks the authorization policy and notices that the correct dACL is being applied. What is the most likely cause of the issue?

Question 3 · hard · multiple choice

An organization is implementing TrustSec to enforce micro-segmentation. The Security Group Tag (SGT) is assigned to a user via ISE after authentication. However, traffic from this user to a server with SGT 5 is being dropped. The administrator checks the SGACL configuration on the switch and finds the following: 'permit ip source 2 destination 5'. What is the most likely reason for the traffic being dropped?

A company is deploying Cisco ISE for guest access. They want to provide a self-service portal where guests can register their devices and receive a temporary username and password. Which ISE component is used to accomplish this?

Question 5 · hard · multiple choice

An engineer is troubleshooting a Cisco ISE deployment where some endpoints are not being profiled correctly. The administrator notices that the endpoints are not sending DHCP requests. Which profiling probe should be primarily used to identify these endpoints?

A network administrator wants to implement 802.1X on a Cisco switch port for a device that does not support 802.1X. Which feature should be configured to allow the device to connect?

Question 7 · medium · multiple choice

An organization is using Cisco ISE to enforce posture compliance. Endpoints that are non-compliant should be placed into a quarantine VLAN. Which ISE policy component is used to assign the VLAN?

A security engineer is configuring Cisco ISE to enforce SGT-based access control. The engineer creates an SGACL on the switch that permits traffic from SGT 10 to SGT 20. However, traffic from SGT 10 to SGT 20 is still being dropped. The engineer verifies that the SGTs are correctly assigned. What is a possible reason for the drop?

Which TWO of the following are valid methods for Cisco ISE to collect endpoint attributes for profiling? (Choose TWO)

Which THREE of the following are required for a successful 802.1X authentication on a Cisco switch? (Choose THREE)

Which TWO of the following are features of Cisco TrustSec? (Choose TWO)

Question 12 · hard · multiple choice

A multinational corporation is deploying Cisco ISE to enforce network access for both wired and wireless users. The company has 5,000 employees and 2,000 guest users daily. The ISE deployment consists of two nodes: a primary Administration Node (PAN) and a Monitoring Node (MNT). All policies are configured on the PAN. Recently, the company has experienced intermittent authentication failures during peak hours. The failures affect both wired 802.1X and wireless users. The syslogs show 'RADIUS request dropped' messages on the ISE nodes. The network team has verified that the RADIUS shared secret is correct and that the network devices can reach the ISE nodes. The ISE nodes have sufficient CPU and memory. However, the authentication failures correlate with times when the number of concurrent sessions exceeds 500. What is the most likely cause of the issue?

Question 13 · medium · multiple choice

A university is using Cisco ISE to provide secure wireless access for students and faculty. The wireless network uses WPA2-Enterprise with PEAP-MSCHAPv2. Recently, some faculty members reported that they cannot connect to the wireless network from their personal laptops, while student devices connect without issues. The faculty members are using the same SSID and entering their credentials correctly. The ISE logs show that the authentication attempts from faculty devices are failing with 'RADIUS Access-Reject' due to incorrect credentials. However, the faculty members are certain they are using the correct password. The IT department has verified that the user accounts in Active Directory are active and not locked. What is the most likely cause of the issue?

Question 14 · medium · multiple choice

A network administrator is troubleshooting an issue where users in the finance VLAN are unable to access a critical server in the server VLAN. The switch logs show multiple 'Authentication failed' messages for MAC addresses in the finance VLAN. The switchport security feature is enabled on the access ports. What is the most likely cause of the issue?

A security architect is designing network access control for a campus network. The requirement is to authenticate users before granting network access and to enforce policies based on user identity and device posture. Which solution should be deployed?

A company has deployed Cisco ISE for network access control. After a recent upgrade, the operations team notices that some users are being assigned incorrect authorization profiles. The ISE logs show that the users are being matched to the correct identity group, but the authorization result is different from expected. What is the most likely cause?

Question 17 · medium · multiple choice

A network engineer is implementing TrustSec on a Cisco switch. The goal is to tag traffic from the engineering VLAN with Security Group Tag (SGT) 10 and enforce policies on upstream switches. Which configuration is required on the access switch to propagate the SGT?

Which THREE of the following are valid components of Cisco ISE's visibility and enforcement architecture?

Question 19 · hard · multiple choice

Refer to the exhibit. A network administrator is troubleshooting device tracking on a Cisco switch. The output shows two devices in VLAN 100. The switch is configured with IPv6 first-hop security features. The administrator notices that the device with MAC address aaaa.bbbb.cccc is not receiving RA guard protection. What is the most likely reason?

Exhibit

Router# show device-tracking database
 Device-tracking database for Vlan 100:
  Device ID     MAC Address      Interface      VLAN     Last seen
  *             0050.7966.6800   Gi0/1/0        100      00:00:12
  *             aaaa.bbbb.cccc   Gi0/1/1        100      00:00:05

Question 20 · medium · multiple choice

A large enterprise has deployed Cisco ISE for network access control. The network consists of multiple access switches and wireless LAN controllers. The security team wants to enforce that only domain-joined Windows computers with up-to-date antivirus can access the corporate network. Non-compliant devices should be placed in a quarantine VLAN with limited access to remediation servers. The ISE policies are configured with posture assessment. However, during a test, a non-compliant Windows computer is granted full network access instead of being quarantined. The ISE logs show that the posture assessment passed, but the computer's antivirus is outdated. What is the most likely reason for this behavior?

Frequently asked questions

What does the 350-701 exam test about Secure Network Access, Visibility and Enforcement?
Secure Network Access, Visibility and Enforcement questions test whether you can apply the concept in context, not just recognise a definition.

How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.

Can I practise just Secure Network Access, Visibility and Enforcement questions in a focused session?
Yes — the session launcher on this page draws every question from the Secure Network Access, Visibility and Enforcement domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.

Where can I practise other 350-701 topics?
Use the topic links above to move to related areas, or go back to the 350-701 question bank to see all topics.

Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the 350-701 exam covers. They are not copied from any real exam or dump site.