CCNA Network Access Visibility Questions

27 of 102 questions · Page 2/2 · Network Access Visibility topic · Answers revealed

76 · MCQ · hard

A company has deployed Cisco ISE for network access control. After a recent upgrade, the operations team notices that some users are being assigned incorrect authorization profiles. The ISE logs show that the users are being matched to the correct identity group, but the authorization result is different from expected. What is the most likely cause?

A. The passive identity feature is overriding the user's group assignment.
B. The authorization policy rules are not in the correct order, causing a different rule to match first.
C. The network device group assignment has changed, causing the device to be in a different group.
D. The authentication policy is misconfigured, causing users to be placed in the wrong identity group.

Answer: B

ISE uses first-match logic for authorization policies.

Why this answer

In Cisco ISE, authorization policies are evaluated in top-down order, and the first matching rule is applied. Even if users are correctly assigned to an identity group, a higher-priority authorization policy rule that matches on other conditions (e.g., endpoint profile, device type, or time condition) can override the expected result. This is the most likely cause when authentication and group assignment are correct but the authorization result is unexpected.

Exam trap

Cisco often tests the concept that authorization policies are evaluated in order of precedence, and candidates mistakenly focus on authentication or group assignment when the real issue is rule ordering in the authorization policy.

How to eliminate wrong answers

Option A is wrong because the passive identity feature (e.g., Active Directory passive identity) is used for identity mapping and does not override group assignments; it only provides identity context for authentication. Option C is wrong because if the network device group assignment had changed, the device would likely fail authentication or be matched to a different policy set, not cause incorrect authorization profiles while still matching the correct identity group. Option D is wrong because the question states that users are being matched to the correct identity group, which means the authentication policy is working correctly; a misconfigured authentication policy would place users in the wrong group, not result in correct group matching with wrong authorization.

77 · Multi-Select · medium

A Cisco TrustSec deployment is being implemented to enforce micro-segmentation. The security team needs to ensure that Security Group Tags (SGTs) are propagated across the network. Which THREE methods can be used to distribute SGT information in a TrustSec environment? (Choose three.)

Select 3 answers
A. SGT over SXP (SGT Exchange Protocol)
B. SGT over Cisco Discovery Protocol (CDP)
C. SGT over VXLAN
D. SGT inline tagging (in the Ethernet header)
E. SGT over MPLS

Answers: A, C, D

SXP is a standard protocol to propagate SGTs between network devices without inline tagging.

Why this answer

The correct methods are SGT over SXP (SGT Exchange Protocol), SGT over VXLAN, and SGT inline tagging in the Ethernet header. SGT over MPLS is not a standard TrustSec propagation method. SGT over CDP is not supported; CDP is used for device discovery, not SGT propagation.

78 · MCQ · hard

An organization is deploying Cisco ISE with passive identity mapping from Active Directory. They notice that users are not being correctly identified on the network, and some workstations are appearing with multiple IP addresses. What is the most likely cause?

A. ISE is configured with incorrect Active Directory domain join credentials.
B. The DHCP server is not configured to forward DHCP packets to ISE.
C. The ISE node is not configured for passive identity service.
D. The network switches are not configured with SNMP traps for MAC notification.

Answer: B

Without DHCP forwarding, ISE cannot correlate IP addresses to MAC addresses, leading to identification issues.

Why this answer

Option B is correct because passive identity mapping via DHCP requires the DHCP server to forward DHCP packets to ISE. Without this, IP-to-MAC mappings are incomplete. Option A is incorrect because domain join credentials affect ISE-to-AD communication, not DHCP mapping.

Option D is incorrect because SNMP traps are used for endpoint classification, not passive identity. Option C is incorrect because, while the passive identity service must be enabled, the symptom points to missing DHCP data.

79 · MCQ · easy

A small business uses Cisco ISE to authenticate employees via Active Directory. The company has a single ISE node and two Catalyst 2960-X switches. Employees connect to the network and are successfully authenticated using 802.1X with PEAP. The business wants to provide guest wireless access using a separate SSID with a captive portal. The engineer configures a new WLAN on the WLC (Cisco 2504) pointing to the same ISE node. Guest users can associate to the WLAN and get an IP address, but when they open a browser, they do not see the captive portal page; instead, they get a 'Connection refused' error. The engineer verifies that the guest portal is enabled on ISE and the WLC is configured to use ISE for RADIUS. What is the most likely cause?

A. The ISE guest portal service is not running
B. The guest user's device does not have a valid DNS server
C. The WLC is not configured with the ISE portal IP address for redirection
D. The guest WLAN does not have a pre-authentication ACL

Answer: C

The WLC needs to know where to redirect HTTP traffic; without that, the captive portal cannot appear.

Why this answer

The captive portal requires the guest traffic to be redirected to ISE's portal service. Typically, this is done by the WLC redirecting HTTP traffic to the ISE IP. If the DNS resolution for the portal fails or the WLC does not know the portal address, the redirect fails.

Option C is correct because the WLC must be configured with the portal IP (or domain) for redirection. Option A would affect all authentication. Option B might also be required, but without a proper redirect the portal will not appear.

Option D is irrelevant to this symptom.

80 · MCQ · easy

The ISE logs show 'Authentication failed - RADIUS attribute Calling-Station-ID is missing' for a wired client. What is the most likely cause?

A. The switch is not configured to include the calling-station-id in RADIUS requests.
B. The switch is configured with 'authentication mac-move deny'.
C. The switch port is configured as a trunk port.
D. The client's MAC address is not registered in ISE.

Answer: A

The switch must send the MAC address via the Calling-Station-ID attribute; if not configured, it is missing.

Why this answer

Option A is correct because the switch must be configured to include the calling-station-id (MAC address) in RADIUS requests; if it is not, the attribute is missing. Option D is incorrect because a MAC address not being registered would cause a different failure. Option B is incorrect because 'authentication mac-move deny' affects MAC mobility, not attribute delivery.

Option C is incorrect because trunk ports do not affect 802.1X authentication.

81 · MCQ · medium

A user connected to port Gi1/0/1 cannot access the network. Based on the output, what is the most likely cause?

A. The RADIUS server is unreachable
B. The client does not support 802.1X
C. The switch has a misconfigured AAA command
D. The port is in errdisable state

Answer: B

EAP-timeout indicates client not responding to EAP.

Why this answer

Option B is correct because the 'Reason: EAP-timeout' indicates that the client did not respond to 802.1X EAP requests, which typically means the client does not support 802.1X or it is not enabled. Option A is incorrect because if the RADIUS server were unreachable, the switch would likely use a critical VLAN, but the reason is EAP-timeout from the client side. Option C is incorrect because AAA configuration would cause different errors.

Option D is incorrect because 'Errdisable' would show a different port state.

82 · MCQ · easy

An administrator needs to ensure that only authorized hosts can connect to a switch port. The port is connected to a single PC. Which 802.1X host mode should be configured?

A. Single-Host
B. Multi-Domain
C. Multi-Auth
D. Multi-Host

Answer: A

Allows only one authenticated device.

Why this answer

Option A is correct because 'Single-Host' mode allows only one authenticated device per port, which is appropriate for a single PC. Option D is incorrect because 'Multi-Host' allows multiple devices after one authentication. Option B is incorrect because 'Multi-Domain' allows one device per domain (data and voice).

Option C is incorrect because 'Multi-Auth' allows multiple authentications but is overkill for a single PC.

83 · MCQ · easy

A network administrator is troubleshooting an issue where users in the Sales VLAN cannot access the internet through the Cisco Firepower Threat Defense (FTD) device. The FTD is configured with a security policy that allows traffic from the Sales subnet to any destination. However, the traffic is being blocked. Which feature should the administrator check first to resolve the issue?

A. Identity policy
B. SSL decryption policy
C. Intrusion prevention policy
D. URL filtering policy

Answer: D

URL filtering can block traffic even if the security policy allows it.

Why this answer

The correct answer is D, URL filtering policy. Even though the security policy allows traffic from the Sales subnet to any destination, a URL filtering policy can block internet access by categorizing or matching the destination URLs. If the policy is set to block all URLs or a specific category (e.g., 'Uncategorized URLs'), traffic will be dropped before it reaches the internet, regardless of the allow rule in the access control policy.

Exam trap

The trap here is that candidates assume an 'Allow' rule in the access control policy guarantees traffic flow, but Cisco tests the understanding that subordinate policies (like URL filtering) can override the parent rule's action, causing traffic to be blocked despite a seemingly permissive policy.

How to eliminate wrong answers

Option A is wrong because Identity policy is used to map users to groups for authentication and authorization, not to block or allow internet traffic based on URL or destination; it does not directly block traffic that is already allowed by the security policy. Option B is wrong because SSL decryption policy controls whether encrypted traffic is decrypted for inspection, but it does not block traffic by itself; traffic can still flow even if decryption is disabled or bypassed. Option C is wrong because Intrusion prevention policy (IPS) inspects traffic for malicious patterns and can drop malicious packets, but it would not block all internet traffic from a subnet unless a specific signature triggered; it is not a blanket block for internet access.

84 · MCQ · easy

Refer to the exhibit. A network administrator is troubleshooting a wired client that has successfully authenticated using MAB. However, the client is unable to access resources beyond the local subnet. What is the most likely cause?

A. The client's IP address is from a DHCP scope that does not include a default gateway.
B. The VLAN policy is incorrect; the client should be in VLAN 20.
C. The switch is not configured for inter-VLAN routing.
D. The authorization policy is missing a downloadable ACL (dACL) to allow traffic.

Answer: D

Without a dACL, the switch may default to deny all traffic beyond the local subnet.

Why this answer

Option D is correct because the authorization policy 'Permit_Access' likely does not include a downloadable ACL (dACL), so no traffic filtering is applied on the switch to allow inter-subnet traffic. Option B is incorrect because VLAN 10 is assigned; subnet routing is separate. Option C is incorrect because routing is not configured per port.

Option A is incorrect because the DHCP scope is not directly related to the issue.

85 · MCQ · medium

A network engineer notices that some Windows 10 clients fail to authenticate via 802.1X after a recent OS update. The supplicant shows 'EAPOL-Start' but never receives an EAP-Request/Identity. The switch port is configured with 'authentication port-control auto' and 'dot1x pae authenticator'. What is the most likely cause?

A. The switch port is configured as a trunk port
B. The switch has 'aaa authentication dot1x default none' globally
C. The switch port is configured with 'authentication order mab dot1x'
D. The switch is configured with 'snmp-server community' which disables 802.1X

Answer: A

802.1X is not supported on trunk ports by default. The switch will not respond to EAPOL-Start on trunk ports.

Why this answer

Option A is correct because 802.1X is not supported on trunk ports by default, so a port configured as a trunk will not respond to EAPOL-Start. Option D is wrong because SNMP does not affect EAPOL. Option B is wrong because the global authentication method 'none' would not affect a single port.

Option C is wrong because MAB is a fallback method, not the cause of EAPOL-Start not being answered.

86 · Multi-Select · medium

Which THREE are characteristics of Cisco ISE profiler service?

Select 3 answers
A. It can determine the endpoint operating system based on MAC OUI and DHCP fingerprints
B. It uses a combination of active and passive probes to identify endpoint attributes
C. It can provide attributes used in authorization policy conditions
D. It performs posture compliance checking on endpoints
E. It requires the installation of an ISE agent on all endpoints

Answers: A, B, C

Profiling uses these attributes to identify OS.

Why this answer

Options A, B, and C are correct. A: Profiling can be based on MAC OUI and DHCP fingerprints. B: Profiling uses both active and passive probes. C: The profiler can feed attributes to authorization policy conditions.

D is incorrect: the profiler does not perform posture assessments; that is the posture service. E is incorrect: profiling does not require an agent; it is agentless.

87 · MCQ · hard

An engineer notices that the 'show authentication sessions' command on a switch shows a session in 'CRITICAL' state. What does this indicate?

A. The host is being authenticated via MAB
B. The authentication server is unreachable and the port is using the critical VLAN
C. The port is administratively down
D. The authentication attempt was rejected by the RADIUS server

Answer: B

CRITICAL state indicates critical fallback.

Why this answer

Option B is correct because a CRITICAL state means the port has fallen back to the critical VLAN due to authentication server unavailability. Option D is incorrect because a RADIUS rejection shows 'Authz Failed', a different failure. Option C is incorrect because an administratively down port would show a different state.

Option A is incorrect because MAB is a method, not a state.

88 · MCQ · medium

A large enterprise uses Cisco ISE with pxGrid to share context with Firepower for threat containment. When a Firepower detects an infected endpoint, it triggers a pxGrid quarantine action that changes the endpoint's authorization profile. The engineer observes that the quarantine is applied, but after the Firepower clears the threat, the endpoint does not regain its original access. What is the most likely reason?

A. Firepower failed to send the clearance message to ISE
B. The ISE session is not forced to reauthenticate after quarantine release
C. The network access device does not support CoA
D. ISE authorization policy is not ordered correctly

Answer: B

After quarantine release, ISE must send a CoA to reauthenticate the endpoint; otherwise the NAD maintains the original quarantine session.

Why this answer

pxGrid quarantine actions typically override the existing session and require a cleanup. If the endpoint is not forced to reauthenticate after quarantine release, it remains in the quarantine state. Option B is correct because the session on the NAD is not updated unless a CoA is sent.

Option A: Firepower does send a clearance message, but that alone does not trigger re-authentication. Option D: the ISE policy ordering is likely correct. Option C: the NAD evidently supports CoA, since it accepted the quarantine.

So the answer is B.

89 · Multi-Select · medium

Which TWO conditions must be met for a Cisco switch to initiate 802.1X authentication? (Choose two.)

Select 2 answers
A. The switch port is configured with 'authentication port-control auto'.
B. The switch port is configured with 'switchport mode access'.
C. The endpoint has an 802.1X supplicant enabled.
D. The switch has a VLAN configured for guest access.
E. The switch has a reachable RADIUS server configured.

Answers: A, E

This command enables 802.1X on the port.

Why this answer

Options A and E are correct. The switch port must be configured with 'authentication port-control auto' to enable 802.1X, and a RADIUS server must be reachable for authentication. Option B is not mandatory (trunk ports can also be used).

Option C is not required for the switch to initiate (the switch initiates regardless of supplicant status). Option D is optional; a guest VLAN is not needed for the switch to initiate 802.1X.

90 · MCQ · hard

An engineer is deploying Cisco ISE for guest access. The guest portal uses a self-provisioned username and password. To ensure secure credential transmission, which protocol should be enforced on the portal?

A. DNSSEC
B. RADIUS over TLS
C. HTTPS with a valid certificate
D. HTTP with redirect to captive portal

Answer: C

Encrypts credentials between client and portal.

Why this answer

Option C is correct because HTTPS with a valid certificate encrypts the credential transmission between the client and the portal. Option D is incorrect because HTTP transmits credentials in cleartext. Option B is incorrect because RADIUS over TLS is used between the NAS and ISE, not between the client and the portal.

Option A is incorrect because DNSSEC does not encrypt traffic.

91 · MCQ · easy

A network administrator wants to centrally manage and enforce access policies for wired and wireless users. Which Cisco product provides this functionality?

A. Cisco Identity Services Engine (ISE)
B. Cisco Prime Infrastructure
C. Cisco Adaptive Security Appliance (ASA)
D. Cisco Wireless LAN Controller (WLC)

Answer: A

Central policy engine for network access.

Why this answer

Option A is correct because Cisco ISE is the policy administration point for network access control across wired, wireless, and VPN. Option D is incorrect because the WLC manages only wireless. Option C is incorrect because the ASA is a firewall.

Option B is incorrect because Prime Infrastructure is for management and assurance, not policy enforcement.

92 · Multi-Select · easy

Which TWO are valid methods for determining the SGT (Security Group Tag) assigned to an endpoint in a TrustSec deployment?

Select 2 answers
A. DNS resolution of the endpoint hostname
B. Static assignment on the network access device (switch) using the 'cts role-based sgt' command
C. The IP address of the endpoint
D. DHCP Option 141
E. Dynamic assignment from ISE based on authentication or authorization policy

Answers: B, E

The switch can be configured with a static SGT per port or per VLAN.

Why this answer

Options B and E are correct. B: Static assignment on the switch port via 'cts role-based sgt'. E: ISE can dynamically assign an SGT via authentication or authorization policy.

A: DNS is not involved. C: The IP address does not determine the SGT; it is based on identity. D: DHCP Option 141 is not used for SGT.

93 · MCQ · medium

A university is implementing 802.1X for student wireless networks using Cisco Wireless LAN Controllers (WLCs) and ISE. Students connect with their personal devices using PEAP-MSCHAPv2. During heavy usage, some students report authentication failures and sporadic disconnections. The network team examines the ISE live logs and sees many 'Authentication failed' entries with reason 'Internal error - unable to find a suitable proxy target'. The team has configured two ISE nodes as authentication proxies for the wireless subnets. What is the most likely cause of this issue?

A. The WLC is not configured to use the ISE proxy nodes as RADIUS servers
B. The RADIUS shared secret is mismatched between WLC and ISE
C. ISE node CPU is overloaded due to high authentication load
D. The proxy target rules in ISE do not match the WLC's NAS-IP-Address

Answer: D

Proxy target rules must include the NAS-IP-Address of the WLC to forward requests to the appropriate authentication node.

Why this answer

The error 'unable to find a suitable proxy target' indicates that the ISE node cannot determine which proxy to use for the authentication request, often because the proxy target rules do not match incoming request attributes such as NAS-IP-Address. Option D is correct because if the proxy target rules are missing or incorrect, ISE cannot forward the request. Option A would cause different errors.

Option B would cause RADIUS connection errors, not proxy target errors. Option C might cause performance problems but not this internal error.

94 · MCQ · medium

Refer to the exhibit. An engineer configures this interface for 802.1X. Users report that after successful authentication, they are forced to reauthenticate every hour even though the authentication session is still active. What configuration change should be made to prevent reauthentication unless triggered by a change?

A. Increase 'dot1x timeout tx-period' to 60.
B. Change 'authentication timer reauthenticate' to 0.
C. Remove 'authentication periodic'.
D. Add 'authentication event server dead action authorize'.

Answer: C

Removing this command disables periodic reauthentication.

Why this answer

Option C is correct. The 'authentication periodic' command enables periodic reauthentication; removing it stops automatic reauthentication.

Option B is incorrect because setting the timer to 0 is invalid. Option A is incorrect because increasing the tx-period affects the initial EAP timeout, not reauthentication. Option D is incorrect because it configures the server-dead action, not reauthentication behavior.

95 · MCQ · medium

Refer to the exhibit. A user has successfully authenticated via 802.1X. However, the SGT (Security Group Tag) assigned is 0, which is the default untagged value. Which configuration change would most likely allow ISE to assign a non-zero SGT for this user?

A. In ISE authorization profile, add Cisco AV pair 'cts:security-group-tag=15'
B. Enable 'cts manual' globally on the switch
C. Ensure that the switch has a RADIUS server defined with 'radius-server host 10.1.1.1 auth-port 1645'
D. Configure 'aaa authorization network default group radius' on the switch
E. Enable 'sgt caching' on the switch port

Answer: A

ISE must send the SGT as a RADIUS attribute in the Access-Accept. Currently, it is not sending any SGT, so SGT is 0.

Why this answer

Option A is correct because ISE must include the SGT in the RADIUS Access-Accept (e.g., via the cisco-av-pair attribute). Option D is wrong because the show command indicates authorization success, so AAA authorization is already functional. Option C is wrong because the session already shows authorization by the server, so a RADIUS server is defined.

Option E is wrong because SGT assignment does not require SGT caching on the switch. Option B is wrong because the global 'cts' configuration is a TrustSec prerequisite but does not by itself cause an SGT to be assigned.

96 · Multi-Select · medium

An administrator is configuring 802.1X on a switch port for both an IP phone and a PC. Which two commands should be configured to support this scenario? (Choose two)

Select 2 answers
A. authentication host-mode multi-domain
B. dot1x pae authenticator
C. authentication violation restrict
D. authentication port-control auto
E. authentication host-mode multi-auth

Answers: A, D

Allows one voice and one data device.

Why this answer

Options A and D are correct. 'authentication host-mode multi-domain' (A) allows one device per domain (voice and data). 'authentication port-control auto' (D) enables 802.1X authentication on the port. Option E (multi-auth) allows multiple devices in the same domain, which is not needed here. Option C (violation restrict) is an action taken when a violation occurs, not a mandatory command.

Option B (dot1x pae authenticator) is required but not among the two most specific commands; it is often enabled by default.

97 · MCQ · medium

A network administrator is troubleshooting an issue where users in the finance VLAN are unable to access a critical server in the server VLAN. The switch logs show multiple 'Authentication failed' messages for MAC addresses in the finance VLAN. The switchport security feature is enabled on the access ports. What is the most likely cause of the issue?

A. The switch ports are configured as trunks and are not allowing the finance VLAN.
B. 802.1X authentication is failing for the finance users.
C. Spanning Tree Protocol (STP) is blocking the ports in the finance VLAN.
D. Switchport security violation has caused the ports to error-disable or drop traffic.

Answer: D

Switchport security violation can disable the port or drop traffic from unauthorized MAC addresses.

Why this answer

The switch logs show 'Authentication failed' messages for MAC addresses in the finance VLAN, and switchport security is enabled. When a switchport security violation occurs (e.g., due to a MAC address limit or an unauthorized MAC address), the port can be configured to error-disable or drop traffic. This explains why users in the finance VLAN cannot reach the server, as the access ports are effectively blocking traffic due to the security violation.

Exam trap

Cisco often tests the distinction between switchport security MAC authentication and 802.1X authentication; the trap here is assuming 'Authentication failed' always refers to 802.1X, when it can also be generated by switchport security's 'restrict' or 'shutdown' violation modes.

How to eliminate wrong answers

Option A is wrong because the question states switchport security is enabled on access ports, not trunk ports, and the issue is specific to the finance VLAN's access ports, not trunk VLAN filtering. Option B is wrong because 802.1X authentication is a separate IEEE 802.1X-based network access control mechanism; the logs mention 'Authentication failed' in the context of switchport security MAC address authentication, not 802.1X EAPOL exchanges. Option C is wrong because Spanning Tree Protocol (STP) blocking would cause a different log message (e.g., 'topology change' or 'port moved to blocking state') and would not generate 'Authentication failed' messages; STP operates at Layer 2 to prevent loops, not to authenticate MAC addresses.

98 · MCQ · easy

A network engineer is configuring 802.1X on a Cisco switch for wired clients. After configuration, some clients fail authentication. The engineer notices that the clients are not sending any EAP packets. What is the most likely cause?

A. The switch port is configured with access VLAN instead of voice VLAN.
B. The RADIUS server is unreachable.
C. The clients do not have an 802.1X supplicant enabled.
D. The switch port is configured with 'authentication port-control auto'.

Answer: C

Without a supplicant, clients cannot initiate EAP.

Why this answer

Option C is correct because if no EAP packets are sent, the client most likely does not have an 802.1X supplicant enabled. Option A is incorrect because access VLAN assignment does not affect EAP transmission. Option D is incorrect because 'authentication port-control auto' is the correct command to enable 802.1X.

Option B is incorrect because if the RADIUS server were unreachable, the switch would still see EAP packets from the client.

99 · MCQ · hard

A financial company is deploying Cisco ISE with TrustSec to enforce segmentation between application tiers (web, app, DB). They have a Cisco Catalyst 9500 as the core, and Catalyst 9300s as access switches. The SXP is configured between ISE and core switch, and the core switch propagates SGTs to access switches via SGT inline tagging on trunk ports. The engineer has configured SGTs for web (SGT=2), app (SGT=3), DB (SGT=4). However, when testing from a web server (IP 10.1.1.10, SGT=2) to an app server (IP 10.1.2.20, SGT=3), the app server sees the traffic without SGT in the packet, so the access switch cannot enforce policy. The engineer checks 'show cts role-based sgt-map' on the core and sees the mapping for 10.1.1.10 -> 2. What is the most likely issue?

A. The ISE policy does not allow the traffic from web to app
B. The access switch does not have the security group ACL configured
C. The trunk between core and access is not configured for SGT inline tagging
D. The SXP connection between ISE and core is not established

Answer: C

Without 'cts manual' or 'trust sec' on the trunk, the core switch will not insert the SGT into packets going to the access switch.

Why this answer

If the access switch is not receiving the SGT, the issue is either that the SXP connection is not sharing mappings or that inline tagging is not correctly configured. Option C is correct because if the trunk between core and access does not have 'cts manual' enabled, the core switch will not insert the SGT into frames sent to the access switch. Option D would cause no SGT mapping at all on the core, but the mapping for 10.1.1.10 is present.

Option B would affect enforcement, not tagging. Option A would affect policy, not packet tagging.

100 · MCQ · hard

An endpoint with MAC 0011.2233.4455 and user 'guest' authenticates but fails. However, the device is not assigned to quarantine. Which policy condition is most likely responsible for the unexpected behavior?

A. The authentication failure overrides authorization
B. The quarantine VLAN is not configured on the switch
C. The device is compliant and the device type is in the allowed list
D. The device is authenticated via MAB, bypassing posture

Answer: C

Condition false, so quarantine not applied.

Why this answer

Option C is correct because the condition requires either 'EndPointCompliant EQUALS No' OR a device type not in the list. If the device is compliant (posture passed) and the device type is in the list, the condition is false, so the quarantine rule is not applied and a default permit rule might apply instead. Option A is incorrect because an authentication failure would show 'Failed' and would not reach authorization.

Option D is incorrect because MAB is not in use here. Option B is incorrect because if the device had matched the quarantine rule, the quarantine result would have been assigned.

101 · MCQ · hard

An engineer is troubleshooting a Cisco ISE deployment where some endpoints are not being profiled correctly. The administrator notices that the endpoints are not sending DHCP requests. Which profiling probe should be primarily used to identify these endpoints?

A. NetFlow probe
B. DHCP probe
C. HTTP probe
D. DNS probe

Answer: A

NetFlow probe analyzes traffic flows and can profile endpoints based on IP and port information.

Why this answer

The correct answer is A (NetFlow probe) because when endpoints do not send DHCP requests, the DHCP probe cannot collect any data. The NetFlow probe analyzes network traffic flows to identify endpoints based on IP addresses, ports, and protocols, even without DHCP activity. This allows Cisco ISE to profile endpoints by observing their communication patterns, such as HTTP or DNS traffic, which still occur even if DHCP is not used.

Exam trap

Cisco often tests the misconception that DHCP is the only way to profile endpoints, leading candidates to choose the DHCP probe, but the trap here is recognizing that NetFlow provides visibility even when DHCP traffic is absent.

How to eliminate wrong answers

Option B (DHCP probe) is wrong because it relies on DHCP requests and acknowledgments; if endpoints are not sending DHCP requests, this probe will not capture any data to profile them. Option C (HTTP probe) is wrong because it only identifies endpoints that generate HTTP traffic, which may not be present for all devices, and it is not the primary probe for endpoints lacking DHCP activity. Option D (DNS probe) is wrong because it depends on DNS queries, which may not be sent by all endpoints, and it is not the primary method when DHCP is absent.

102 · MCQ · easy

Which protocol does Cisco ISE use to communicate with the pxGrid controller for sharing contextual data?

A. JSON-RPC over certificate-based TLS

Answer: A

pxGrid uses JSON-RPC over TLS with mutual certificate authentication.

Why this answer

Option A is correct. pxGrid uses JSON-RPC over certificate-based TLS for secure communication. A REST API is used for other integrations but not for pxGrid, and the remaining distractors are authentication protocols, not used for pxGrid.
