CCNA Scor Endpoint Identity Questions

75 of 125 questions · Page 1/2 · Scor Endpoint Identity topic · Answers revealed

1
MCQhard

A security analyst discovers that an endpoint was infected by a file that initially received a 'clean' disposition from Cisco AMP. The analyst needs to identify all other endpoints that executed the same file and examine their trajectory. Which approach should be used to find these endpoints in the AMP console?

A.Search for the file's SHA-256 hash in the AMP console to see all endpoints with that file
B.Check the Device Trajectory of the infected endpoint and manually correlate with other endpoints
C.Use the IOC scanning feature to scan all endpoints for the file's signature
D.Run a retrospective security scan on all endpoints using the file's SHA-256 hash
AnswerA

Searching by SHA-256 provides a list of all endpoints that have encountered the file, enabling trajectory analysis.

Why this answer

Option A is correct because AMP (now Cisco Secure Endpoint) keys file reputation and connector telemetry on the SHA-256 of the file content, not on a filename or path. Searching the console for the hash opens the cross-endpoint view of that file (File Trajectory), which lists every connector that has seen, executed or moved it and when, including the endpoints where it ran while the cloud verdict was still 'clean'. The affected-host list comes from telemetry already in the cloud, so no new scan and no per-host correlation is needed; from there the analyst pivots into each host's Device Trajectory.

Exam trap

Cisco often tests the distinction between searching for a file's SHA-256 hash (which directly lists all endpoints with that file) and using retrospective scans or IOC scanning, which serve different purposes and do not provide a simple list of affected endpoints.

How to eliminate wrong answers

Option B is wrong because Device Trajectory is a per-endpoint view: it shows what happened on the infected host, not which other hosts have the file, so the analyst would have to open every endpoint's trajectory in turn, which does not scale. Option C is wrong because Endpoint IOC scanning runs OpenIOC definitions against each endpoint's disk and registry on a schedule or on demand; it can match on a hash, but it is a host-by-host hunting scan rather than a query of the telemetry already in the cloud, so it is slower and misses copies that have since been deleted or moved. Option D is wrong because retrospective security is not something the analyst runs; it is the cloud re-evaluating previously seen files as intelligence changes and pushing the new verdict (and a retrospective event) to the affected connectors. The list of endpoints that already had the file comes from the hash search, not from a scan.
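The reason a hash search works is that the telemetry is keyed on SHA-256 rather than on filenames. The Python below is an illustration added here (it is not AMP code; the hostnames, paths and file contents are constructed): it builds that cross-endpoint index from connector-style events and shows what a retrospective verdict change hands the analyst.

```python
import hashlib
from collections import defaultdict

# Constructed connector telemetry for the example: (endpoint, path, file bytes, UTC timestamp).
# Real AMP/Secure Endpoint events carry the SHA-256 rather than the content; hashing inline
# here shows that renamed copies of the same file collapse onto one key.
EVENTS = [
    ("HR-LAPTOP-01", r"C:\Users\a\Downloads\invoice.exe", b"MZ\x90\x00dropper-v1", "2024-03-01T09:10:00Z"),
    ("FIN-DESK-07", r"C:\Temp\setup.exe", b"MZ\x90\x00dropper-v1", "2024-03-01T09:42:00Z"),
    ("ENG-WS-12", r"D:\tools\putty.exe", b"MZ\x90\x00putty-build", "2024-03-01T10:05:00Z"),
    ("HR-LAPTOP-01", r"C:\Temp\update.exe", b"MZ\x90\x00dropper-v1", "2024-03-02T08:00:00Z"),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_file_index(events):
    """sha256 -> time-ordered list of (endpoint, path, seen_at): the cross-endpoint view."""
    index = defaultdict(list)
    for endpoint, path, data, seen_at in sorted(events, key=lambda e: e[3]):
        index[sha256_hex(data)].append((endpoint, path, seen_at))
    return index


def endpoints_with_hash(index, sha256: str):
    """Every endpoint that has ever seen the file, regardless of filename or path."""
    return sorted({endpoint for endpoint, _, _ in index.get(sha256, [])})


def retrospective_verdict(index, dispositions: dict, sha256: str, new_verdict: str) -> dict:
    """Flip one hash's verdict (the retrospective event) and return the hosts now implicated,
    plus where the file was first seen so the analyst knows which trajectory to open first."""
    previous = dispositions.get(sha256, "unknown")
    dispositions[sha256] = new_verdict
    rows = index.get(sha256, [])
    return {
        "previous": previous,
        "current": new_verdict,
        "endpoints": endpoints_with_hash(index, sha256),
        "first_seen": rows[0] if rows else None,
    }
```

The verdict lives on the hash, so a single reclassification implicates every host in the index at once; nothing per endpoint has to be rescanned to discover that HR-LAPTOP-01 and FIN-DESK-07 both ran the same dropper under different names.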

2
Multi-Selecteasy

An organization wants to implement multi-factor authentication for remote VPN access using Cisco AnyConnect. Which TWO authentication methods are supported when integrating with Cisco Duo?

Select 2 answers
A.Biometric fingerprint
B.Push notification
C.Time-based one-time password (TOTP)
D.Smart card
E.SMS passcode
AnswersB, C

Duo push sends a notification to the user's mobile device for approval.

Why this answer

Duo's second factors for an AnyConnect integration (RADIUS through the Duo Authentication Proxy, or SAML with Duo as the identity provider) include Duo Push to the Duo Mobile app and TOTP passcodes generated by Duo Mobile or a hardware token; phone callback and admin-issued bypass codes also exist. SMS passcodes are supported by Duo but are a weak, phishable factor and not what this question is after. Fingerprint and smart card are primary-credential or device-unlock mechanisms, not Duo second factors delivered to the VPN headend.

3
MCQmedium

A security analyst notices that a file that was initially allowed by Cisco AMP for Endpoints has later been determined to be malicious. The analyst needs to investigate the file's propagation across endpoints. Which Cisco AMP feature should the analyst use to view the timeline of events?

A.Exploit Prevention
B.Endpoint IOC scanning
C.SHA-256 file disposition
D.Device Trajectory
AnswerD

Device Trajectory provides a timeline of file and process activity on an endpoint, which is the view asked for here.

Why this answer

Device Trajectory shows, for one endpoint, the chronological sequence of file creations, executions, moves and network connections, so the analyst can see how the file arrived and what it did. Retrospective security is what reclassifies a file that was initially allowed; once the verdict changes, the connector reports a retrospective event and the analyst follows it in the trajectory views. Note that Device Trajectory is per endpoint; the cross-endpoint view of where one file has been is File Trajectory, which is not among the options.

4
MCQmedium

An administrator configures Cisco ISE for guest access with a sponsor portal. What is the primary purpose of the sponsor portal?

A.Provide network access for non-supplicant devices
B.Enable guests to authenticate with MFA
C.Allow sponsors to create and manage guest accounts
D.Allow guests to self-register
AnswerC

The sponsor portal provides a web interface for sponsors to create, approve, or manage guest accounts.

Why this answer

The sponsor portal in Cisco ISE is specifically designed to allow authorized users (sponsors) to create, manage, and approve guest accounts. This enables controlled guest access where a sponsor, such as an employee or administrator, provisions credentials for visitors, ensuring accountability and policy enforcement without requiring guests to self-register.

Exam trap

Cisco often tests the distinction between the sponsor portal and the guest self-registration portal, trapping candidates who confuse the two because both involve guest access but serve different roles—sponsor-managed vs. user-initiated.

How to eliminate wrong answers

Option A is wrong because non-supplicant device access is typically handled via MAC Authentication Bypass (MAB) or device registration, not the sponsor portal. Option B is wrong because guest authentication with MFA is a feature of the guest portal or authentication policy, not the sponsor portal's purpose. Option D is wrong because guest self-registration is a separate portal (the guest portal), whereas the sponsor portal is for sponsor-managed account creation.

5
MCQmedium

An organization wants to deploy Cisco ISE to authenticate devices that do not support 802.1X supplicant software, such as printers and IoT sensors. Which authentication method should be configured on the switch port to allow these devices network access?

A.EAP-TLS
B.MAB
C.EAP-FAST
D.PEAP-MSCHAPv2
AnswerB

MAB uses the MAC address for authentication, ideal for devices without 802.1X support.

Why this answer

MAC Authentication Bypass (MAB) allows devices that cannot run an 802.1X supplicant to be admitted based on their MAC address. The switch learns the MAC from the first frame, then sends a RADIUS Access-Request to ISE with the MAC as both User-Name and User-Password and Service-Type set to Call-Check, which is how ISE distinguishes a MAB request from a user login. Because the MAC is the only credential, MAB is inventory-based access rather than proof of identity, which is why it is normally paired with profiling and a restrictive authorization result.
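What "sends the MAC address as the username and password" looks like on the wire. The Python below is an added illustration, not Cisco or ISE code: it builds the RADIUS Access-Request a switch sends for MAB (RFC 2865 User-Password hiding, Service-Type Call-Check) and then performs the check ISE effectively makes. The shared secret, the MAC, the fixed Request Authenticator and the hyphenated Calling-Station-Id formatting are assumptions made for the example.

```python
import hashlib
import os
import struct


def normalize_mac(mac: str) -> str:
    """Default IOS MAB username/password format: 12 lowercase hex digits, no separators."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexdigits


def attr(code: int, value: bytes) -> bytes:
    """RFC 2865 attribute TLV: type, total length, value."""
    return struct.pack("!BB", code, 2 + len(value)) + value


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_mab_access_request(mac: str, secret: bytes, identifier: int = 1, authenticator=None) -> bytes:
    """Access-Request (code 1) as a switch sends it for MAB. The MAC is both User-Name and
    User-Password; Service-Type Call-Check (10) is what tells ISE this is MAB, not a user login."""
    ra = authenticator if authenticator is not None else os.urandom(16)
    mac_hex = normalize_mac(mac).encode()
    calling_station = "-".join(mac_hex.decode()[i:i + 2] for i in range(0, 12, 2)).upper().encode()
    attrs = (
        attr(1, mac_hex)                                        # User-Name
        + attr(2, hide_user_password(mac_hex, secret, ra))      # User-Password
        + attr(6, struct.pack("!I", 10))                        # Service-Type = Call-Check
        + attr(61, struct.pack("!I", 15))                       # NAS-Port-Type = Ethernet
        + attr(31, calling_station)                             # Calling-Station-Id (assumed hyphenated form)
    )
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + ra + attrs


def parse_attrs(packet: bytes) -> dict:
    """Walk the attribute section after the 20-byte header; last occurrence wins (enough for this demo)."""
    attrs, i = {}, 20
    while i + 2 <= len(packet):
        code, length = packet[i], packet[i + 1]
        attrs[code] = packet[i + 2:i + length]
        i += length
    return attrs


def is_mab_request(packet: bytes, secret: bytes) -> bool:
    """The check ISE effectively performs: Call-Check, User-Name equal to the revealed password,
    both matching Calling-Station-Id. Anyone who spoofs the MAC passes this, which is why MAB
    is inventory-based access rather than authentication of a device identity."""
    a = parse_attrs(packet)
    if struct.unpack("!I", a.get(6, b"\0\0\0\0"))[0] != 10:
        return False
    csid = a.get(31)
    if csid is None:
        return False
    user = a.get(1, b"")
    password = reveal_user_password(a.get(2, b""), secret, packet[4:20])
    return user == password and normalize_mac(csid.decode()).encode() == user
```

Note what the password hiding does and does not give you: the MD5 keystream only obscures the value from a passive observer who lacks the shared secret; it is not an integrity mechanism, and the "secret" being hidden is a MAC address that is visible in the same frame's Calling-Station-Id anyway.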

6
MCQhard

In a Cisco ISE deployment, after a device passes posture assessment, ISE needs to dynamically change the VLAN assignment for the device. Which protocol or feature enables ISE to send a new authorization policy to the network access device without requiring the endpoint to reauthenticate?

A.TrustSec SGT assignment
B.RADIUS Accounting
C.CoA (Change of Authorization)
D.MAB
AnswerC

Correct. CoA dynamically changes authorization attributes like VLAN or ACL.

Why this answer

Change of Authorization (CoA) allows ISE to send real-time authorization changes (e.g., VLAN change) to the NAD using RADIUS Disconnect or Change of Authorization messages, without requiring the client to reauthenticate.

7
MCQmedium

Cisco ISE performs profiling to identify device type. Which probe collects information by querying the device's MAC address OUI and DHCP options?

A.DHCP probe
B.Device Sensor probe
C.SNMP probe
D.HTTP probe
AnswerA

DHCP probe uses DHCP packets for profiling.

Why this answer

The DHCP probe parses DHCP packets reaching ISE (relayed with ip helper-address or mirrored with SPAN) for attributes such as the vendor class identifier (option 60), the host name (option 12) and the ordered parameter request list (option 55), which together fingerprint the operating system. The OUI comes from the client hardware address in the same packet, so one DHCP Discover supplies both pieces of evidence the question describes.

8
MCQhard

A security analyst is investigating an incident on an endpoint protected by Cisco AMP. The analyst needs to isolate the compromised process and prevent it from communicating with other processes or the network. Which EDR capability should be used to achieve this?

A.File quarantine
B.IOC scanning
C.Process isolation
D.Remote shell
AnswerC

Process isolation stops the process and blocks its communication, containing the threat.

Why this answer

Process isolation is an EDR capability that terminates the process and blocks its network and inter-process communication, effectively containing the threat.

9
MCQmedium

An organization uses Cisco ISE to enforce posture compliance. After a user's machine is patched, ISE sends a command to the switch to reclassify the endpoint from a restricted VLAN to a full-access VLAN. Which ISE feature accomplishes this?

A.Posture Assessment
B.Profiling
C.Guest Access
D.Change of Authorization (CoA)
AnswerD

CoA enables dynamic changes to session attributes like VLAN or ACL based on posture updates.

Why this answer

Change of Authorization (CoA) allows ISE to dynamically change an authenticated session's attributes, such as VLAN assignment or ACL, without requiring reauthentication.

10
MCQmedium

A security engineer is configuring Cisco AMP for Endpoints to protect against memory injection attacks. Which feature should be enabled to block exploits that attempt to inject malicious code into legitimate processes?

A.IOC Scanning
B.Device Trajectory
C.Exploit Prevention
D.File quarantine
AnswerC

Exploit Prevention blocks memory injection and other exploit techniques.

Why this answer

Exploit Prevention in Cisco AMP protects against memory injection and other exploit techniques by monitoring process behavior.

11
MCQhard

During a security incident, an analyst uses Cisco AMP for Endpoints to remotely investigate a compromised endpoint. The analyst needs to isolate the endpoint from the network while preserving the ability to continue the investigation. Which AMP action should be taken?

A.Process isolation
B.File quarantine
C.Remove connector
D.Isolate
AnswerD

Correct. Isolate blocks network traffic except to the AMP cloud, allowing remote investigation.

Why this answer

Endpoint isolation is the right action: it blocks all network traffic to and from the host except to the AMP cloud (plus any addresses on the isolation allow list), so the connector stays managed and the analyst can keep investigating, for example with remote shell or Orbital queries. File quarantine only handles one file, removing the connector would end visibility entirely, and process isolation is not an action the AMP console offers.

12
Multi-Selectmedium

A network administrator is deploying Cisco ISE for network access control. The network includes printers and IP phones that do not support 802.1X. Which TWO methods can be used to authenticate these devices?

Select 2 answers
A.802.1X with EAP-TLS
B.Posture assessment
C.MAC Authentication Bypass (MAB)
D.PEAP-MSCHAPv2
E.Profiling
AnswersC, E

MAB bypasses 802.1X and authenticates based on MAC address.

Why this answer

MAB allows non-supplicant devices to be authenticated based on their MAC address. Profiling can identify the device type and apply appropriate policies. 802.1X requires a supplicant, and PEAP-MSCHAPv2 is a credential-based EAP method that also requires a supplicant.

13
MCQmedium

An administrator wants to dynamically change the VLAN assignment for a user after a posture assessment determines that the endpoint is missing a critical patch. Which ISE feature accomplishes this?

A.TrustSec
B.Profiling
C.MAB
D.CoA
AnswerD

CoA enables dynamic session changes, including VLAN/ACL updates.

Why this answer

Change of Authorization (CoA) is the correct answer because it is the ISE feature that allows dynamic, real-time changes to an authenticated session, such as reassigning a VLAN, after a posture assessment. When a posture assessment determines an endpoint is non-compliant (e.g., missing a critical patch), ISE can send a CoA request (RFC 5176) to the network access device (NAD) to modify the session attributes, including VLAN assignment, without requiring the user to reauthenticate.

Exam trap

Cisco often tests the distinction between authentication methods (like MAB) and post-authentication enforcement mechanisms (like CoA), so the trap here is confusing a feature that handles initial access (MAB) with one that modifies an existing session (CoA).

How to eliminate wrong answers

Option A is wrong because TrustSec is a Cisco security architecture that uses Security Group Tags (SGTs) for access control based on identity and context, not for dynamically changing VLAN assignments based on posture assessment results. Option B is wrong because Profiling is an ISE feature that identifies and classifies endpoints based on attributes like MAC address, DHCP, or HTTP fingerprinting, but it does not enforce or change VLAN assignments after authentication. Option C is wrong because MAB (MAC Authentication Bypass) is an authentication method that uses the MAC address as credentials for devices that cannot support 802.1X, but it does not provide dynamic session changes like VLAN reassignment after a posture check.
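The CoA exchange in questions 6, 9 and 13, carried out in code. This Python block is an added example (not ISE or IOS code): it builds an RFC 5176 CoA-Request that pushes a VLAN to a session identified by Acct-Session-Id, computes and verifies the Request Authenticator, and builds and verifies the CoA-ACK/NAK the NAD answers with. The session id, secret, MAC and VLAN are constructed. Message-Authenticator (attribute 80), which RFC 5176 recommends and many NADs require, is omitted to keep the block short.

```python
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45   # RFC 5176 codes; Disconnect-Request/ACK/NAK are 40, 41, 42
SESSION_CONTEXT_NOT_FOUND = 503              # Error-Cause value a NAD returns for an unknown session


def attr(code: int, value: bytes) -> bytes:
    return struct.pack("!BB", code, 2 + len(value)) + value


def tagged(tag: int, value: bytes) -> bytes:
    """RFC 2868 tunnel attributes carry a leading tag octet so related attributes can be grouped."""
    return bytes([tag]) + value


def build_coa_request(identifier: int, secret: bytes, acct_session_id: str, calling_station: str, vlan: int) -> bytes:
    """CoA-Request pushing a VLAN to an existing session. The session is identified by
    Acct-Session-Id (and Calling-Station-Id); the new authorization is the RFC 2868 VLAN triple."""
    attrs = (
        attr(44, acct_session_id.encode())                 # Acct-Session-Id
        + attr(31, calling_station.encode())               # Calling-Station-Id
        + attr(64, tagged(1, struct.pack("!I", 13)[1:]))   # Tunnel-Type = VLAN (13), 3-byte value
        + attr(65, tagged(1, struct.pack("!I", 6)[1:]))    # Tunnel-Medium-Type = IEEE-802 (6)
        + attr(81, tagged(1, str(vlan).encode()))          # Tunnel-Private-Group-ID = VLAN
    )
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    # RFC 5176 2.3: Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attributes + secret)
    request_authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + request_authenticator + attrs


def verify_coa_request(packet: bytes, secret: bytes) -> bool:
    """NAD side: recompute the Request Authenticator before acting on anything in the packet."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return hmac.compare_digest(expected, auth)


def build_coa_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """CoA-ACK / CoA-NAK: same Identifier; the Response Authenticator binds the reply to the request."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    response_authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + response_authenticator + attrs


def verify_coa_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Server side: the reply must carry the request's Identifier and a valid Response Authenticator."""
    header, auth, attrs = response[:4], response[4:20], response[20:]
    if header[1] != request[1]:
        return False
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, auth)


def _find_attr(packet: bytes, wanted: int):
    i = 20
    while i + 2 <= len(packet):
        code, length = packet[i], packet[i + 1]
        if code == wanted:
            return packet[i + 2:i + length]
        i += length
    return None


def requested_vlan(packet: bytes):
    """The pushed VLAN (Tunnel-Private-Group-ID with the tag octet stripped), or None."""
    value = _find_attr(packet, 81)
    return value[1:].decode() if value is not None else None


def error_cause(packet: bytes):
    """Error-Cause (101) from a NAK, or None."""
    value = _find_attr(packet, 101)
    return struct.unpack("!I", value)[0] if value is not None else None
```

Two practical points follow from the code. The Request Authenticator is a keyed MD5 over the whole packet, so a NAD that skips recomputing it will act on forged session changes from anyone who can reach its CoA port (UDP 3799 per the RFC, 1700 in Cisco's default). And whether a switch applies a pushed VLAN in place or needs a CoA that triggers reauthentication (Cisco AVPair subscriber:command=reauthenticate) depends on the platform and port mode, so check the NAD's CoA support before assuming the "no reauthentication" behaviour the question describes.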

14
MCQeasy

Which authentication protocol is used in Cisco ISE for certificate-based 802.1X authentication?

A.LEAP
B.EAP-MD5
C.EAP-TLS
D.PEAP-MSCHAPv2
AnswerC

EAP-TLS uses certificates for authentication, providing strong security.

Why this answer

EAP-TLS is the Extensible Authentication Protocol that uses certificates for mutual authentication.

15
MCQhard

Cisco ISE is performing profiling on a network. It receives a DHCP request from a device with vendor class identifier 'MSFT 5.0' and an HTTP user-agent 'Mozilla/5.0 (Windows NT 10.0)'. Which probes are most likely used to collect this information?

A.Device Sensor and SNMP probe
B.DHCP probe and HTTP probe
C.HTTP probe and Device Sensor
D.DHCP probe and SNMP probe
AnswerB

Correct. DHCP probe captures DHCP options; HTTP probe captures HTTP headers.

Why this answer

The DHCP probe captures DHCP packets, including the vendor class identifier (option 60) which reveals the device type (e.g., 'MSFT 5.0' for Windows). The HTTP probe intercepts HTTP traffic and parses the User-Agent header (e.g., 'Mozilla/5.0 (Windows NT 10.0)') to identify the operating system and browser. Together, these two probes collect the exact information described in the question.

Exam trap

Cisco often tests the specific mapping of probe to data source. The trap is the Device Sensor: it is a switch-side feature that harvests CDP, LLDP and DHCP (and on some platforms HTTP) attributes locally and forwards them to ISE inside RADIUS accounting, so in ISE those attributes arrive through the RADIUS probe rather than through packets the DHCP or HTTP probes capture themselves.

How to eliminate wrong answers

Option A is wrong because the Device Sensor delivers its attributes via RADIUS accounting, and the SNMP probe queries MIBs on network devices (CDP/LLDP neighbour tables, ARP and interface data), not client-side headers. Option C is wrong because, although the HTTP probe is correct, the Device Sensor is not how ISE would receive the User-Agent in this scenario; that header is captured by the HTTP probe from redirected or mirrored web traffic. Option D is wrong because the SNMP probe collects neither HTTP User-Agent strings nor DHCP option 60; it gathers infrastructure-side information.
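To make the probe-to-attribute mapping in questions 7 and 15 concrete, here is an added Python example (not ISE code) that builds a constructed DHCPDISCOVER, extracts the attributes the DHCP probe would contribute (option 60 vendor class, option 55 parameter request list, host name, and the OUI from chaddr), adds the HTTP probe's User-Agent, and scores the result against a small ISE-style certainty-factor rule set. The OUI table, the rules and the certainty values are invented for the example; ISE's own sets are far larger.

```python
import re
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"


def build_dhcp_discover(mac: str, hostname: bytes, vendor_class: bytes, param_request_list: bytes) -> bytes:
    """Constructed DHCPDISCOVER (236-byte BOOTP fixed part + magic cookie + options), not a capture."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4, chaddr, b"\0" * 64, b"\0" * 128)
    options = (bytes([53, 1, 1])                                         # DHCP Message Type = DISCOVER
               + bytes([12, len(hostname)]) + hostname                   # Host Name
               + bytes([60, len(vendor_class)]) + vendor_class           # Vendor Class Identifier
               + bytes([55, len(param_request_list)]) + param_request_list  # Parameter Request List
               + b"\xff")
    return fixed + DHCP_MAGIC + options


def parse_dhcp(packet: bytes):
    """Return (client MAC, {option code: raw value}) from a DHCP packet."""
    if packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    hlen = packet[2]
    mac = packet[28:28 + hlen].hex(":")
    options, i = {}, 240
    while i < len(packet) and packet[i] != 255:
        if packet[i] == 0:                  # pad option
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return mac, options


# Invented OUI table and profiling rules: (profile, attribute, predicate, certainty factor).
OUI_VENDORS = {"00:50:56": "VMware", "3c:5a:b4": "Google", "00:1b:21": "Intel"}
RULES = [
    ("Windows-Workstation", "dhcp-class-identifier", lambda v: v.startswith("MSFT"), 10),
    ("Windows-Workstation", "dhcp-parameter-request-list", lambda v: v.startswith("1,3,6,15,31,33"), 10),
    ("Windows-Workstation", "user-agent", lambda v: "Windows NT" in v, 20),
    ("Windows10-Workstation", "user-agent", lambda v: "Windows NT 10.0" in v, 30),
    ("Android", "user-agent", lambda v: "Android" in v, 30),
    ("Android", "dhcp-class-identifier", lambda v: v.startswith("android-dhcp"), 20),
    ("VMware-Device", "oui", lambda v: v == "VMware", 10),
]
PARENT = {"Windows10-Workstation": "Windows-Workstation"}   # child profiles sit under a parent
MIN_CERTAINTY = 10


def collect_attributes(dhcp_packet: bytes, user_agent: str = None) -> dict:
    """What the DHCP probe and the HTTP probe would each contribute for one endpoint."""
    mac, opts = parse_dhcp(dhcp_packet)
    attrs = {"mac": mac, "oui": OUI_VENDORS.get(mac[:8], "")}
    if 60 in opts:
        attrs["dhcp-class-identifier"] = opts[60].decode(errors="replace")
    if 55 in opts:
        attrs["dhcp-parameter-request-list"] = ",".join(str(b) for b in opts[55])
    if 12 in opts:
        attrs["host-name"] = opts[12].decode(errors="replace")
    if user_agent:
        attrs["user-agent"] = user_agent
        m = re.search(r"Windows NT (\d+\.\d+)", user_agent)
        if m:
            attrs["os-version"] = m.group(1)
    return attrs


def profile(attrs: dict):
    """Sum certainty per profile over matching rules; a child inherits its parent's score,
    so it only outranks the parent when it matched extra evidence. Highest total wins."""
    scores = {}
    for name, key, predicate, certainty in RULES:
        if key in attrs and predicate(attrs[key]):
            scores[name] = scores.get(name, 0) + certainty
    for child, parent in PARENT.items():
        if child in scores:
            scores[child] += scores.get(parent, 0)
    if not scores:
        return "Unknown", 0
    best = max(scores, key=scores.get)
    return (best, scores[best]) if scores[best] >= MIN_CERTAINTY else ("Unknown", scores[best])
```

Every attribute here is client-supplied, so the output is a classification, not an identity: a host can send any vendor class or User-Agent it likes. That is why profiling feeds authorization policy for MAB sessions but is never an authentication method on its own.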

16
MCQhard

An organization is implementing privileged access management (PAM) with Cisco SecureX and CyberArk. Which feature allows administrators to grant temporary elevated privileges for a specific task, after which the privileges are automatically revoked?

A.Session recording
B.Just-in-time access
C.Application whitelisting
D.Password vaulting
AnswerB

JIT access grants temporary privileges that expire automatically.

Why this answer

Just-in-time (JIT) access provides time-limited elevated privileges that are automatically revoked after the task is completed, reducing the risk of standing privileges.

17
MCQhard

In Cisco AMP for Endpoints, which technology prevents exploit techniques such as code injection and memory corruption at runtime without relying on signatures?

A.Indicators of Compromise (IOC)
B.Exploit Prevention
C.File Reputation
D.Orbital Advanced Search
AnswerB

Correct. Exploit Prevention guards against memory-based exploits without signatures.

Why this answer

Exploit Prevention in Cisco AMP uses exploit mitigation techniques like memory protection and injection detection to block common exploit methods (e.g., buffer overflows, DLL injection) without needing signatures.

18
MCQmedium

Which EAP method used with 802.1X provides certificate-based mutual authentication and is commonly used with Cisco ISE?

A.EAP-TLS
B.EAP-MD5
C.EAP-FAST
D.EAP-GTC
AnswerA

EAP-TLS uses certificates for mutual authentication.

Why this answer

EAP-TLS uses certificates for both client and server authentication, providing strong security.

19
Multi-Selecthard

A company is deploying Cisco ISE for network access control. They need to authenticate devices that do not support 802.1X, such as printers and IP phones. Which TWO methods can be used to authenticate these devices? (Choose two.)

Select 2 answers
A.802.1X
B.MAB
C.Profiling
D.Guest portal (web authentication)
E.Device registration via posture agent
AnswersB, D

Correct. MAB uses MAC address for authentication.

Why this answer

MAB authenticates a device by its MAC address: the switch sends the MAC as User-Name and User-Password, and ISE accepts or rejects it against its endpoint database, so no supplicant is needed. Web authentication (the guest portal, usually central web authentication with the redirect returned by ISE) is the other supplicant-free method: a device with a browser is redirected to the portal and authenticates with local or AD credentials, and it is the only listed option that validates a credential beyond the MAC. Profiling (C) classifies endpoints from DHCP, HTTP, CDP/LLDP and other attributes and is used to build authorization policy for MAB sessions, but it does not authenticate anything; it complements MAB rather than replacing it. Option E requires an agent on the endpoint, which printers and IP phones cannot run, and device registration is not an authentication method. Option A, 802.1X, requires exactly the supplicant the question says these devices lack.

In practice printers and phones have no browser to complete web authentication, so MAB plus profiling is what actually gets them on the network; web authentication matters for non-supplicant devices that do have a browser, such as a visitor's laptop.

20
MCQmedium

An organization requires that endpoints must have antivirus running and up-to-date patches before being granted full network access. Cisco ISE is used for authentication. Which ISE component enforces these requirements?

A.Guest access
B.TrustSec
C.Posture assessment
D.Profiling
AnswerC

Correct. Posture assessment verifies compliance with security policies.

Why this answer

C is correct because Cisco ISE Posture Assessment is the component specifically designed to check endpoints for compliance with security policies, such as having antivirus running and up-to-date patches. It evaluates the endpoint's state before granting full network access, and can enforce remediation or restrict access based on the results.

Exam trap

The trap here is that candidates often confuse Profiling (which identifies device type) with Posture Assessment (which checks security compliance), leading them to select Profiling when the question explicitly requires enforcement of antivirus and patch requirements.

How to eliminate wrong answers

Option A is wrong because Guest access is used to provide temporary network access to visitors or non-employees, not to enforce endpoint compliance checks. Option B is wrong because TrustSec (Cisco TrustSec) provides role-based access control and segmentation using Security Group Tags (SGTs), but it does not perform endpoint posture checks. Option D is wrong because Profiling identifies and classifies endpoints based on attributes like MAC address, DHCP, or HTTP fingerprinting, but it does not verify antivirus status or patch levels.

21
Multi-Selectmedium

A network engineer is configuring Cisco ISE to assign Security Group Tags (SGTs) to endpoints based on their identity and role. Which two components are required for TrustSec SGT classification and enforcement? (Choose two.)

Select 2 answers
A.Cisco AnyConnect client
B.Network devices (switches/firewalls) that enforce SGACLs
C.Cisco AMP for Endpoints
D.Cisco ISE as the policy server
E.Cisco Duo
AnswersB, D

Network devices enforce access based on SGTs using SGACLs.

Why this answer

TrustSec needs ISE as the policy decision point, which classifies the session and returns the SGT in the authorization result (and distributes the SGACL policy matrix), and network devices as the enforcement points that carry the tag (inline or via SXP) and apply SGACLs on egress. AnyConnect, AMP and Duo play no part in SGT classification or enforcement.

22
MCQhard

A Cisco ISE administrator is configuring guest access with a sponsor portal. Which type of guest account requires approval from a sponsor before network access is granted?

A.Sponsor portal
B.Hotspot guest
C.MAB guest
D.Self-registration
AnswerA

Sponsor portal requires sponsor approval for guest access.

Why this answer

Sponsor portal allows a sponsor to create and approve guest accounts, requiring approval before access.

23
Multi-Selecthard

A security analyst is investigating a malware outbreak that occurred on endpoints protected by Cisco AMP for Endpoints. The malware was initially undetected but later identified as malicious based on new threat intelligence. Which THREE capabilities of AMP allow the analyst to trace the infection and remediate?

Select 3 answers
A.Endpoint IOC scanning
B.SHA-256 file disposition
C.Device Trajectory
D.Exploit Prevention
E.Retrospective security
AnswersA, C, E

IOC scanning searches for indicators of compromise on endpoints.

Why this answer

Device Trajectory shows the timeline of file activity and propagation. Retrospective security allows file disposition to be updated after detection. IOC scanning identifies indicators of compromise on endpoints.

Exploit Prevention is a preventive runtime control, not an investigation tool, and the SHA-256 disposition is the verdict on the file, not a means of tracing where it went.

24
Multi-Selectmedium

An organization wants to implement multi-factor authentication (MFA) for VPN access using Cisco AnyConnect and Duo. Which TWO authentication factors can Duo provide? (Choose two.)

Select 2 answers
A.TOTP
B.LDAP
C.Push notification
AnswersA, C

Time-based one-time password from an authenticator app.

Why this answer

Duo provides TOTP (Time-based One-Time Password) as an authentication factor by generating a temporary six-digit code based on RFC 6238, which the user enters during the AnyConnect VPN login process. Push notification is another Duo factor, where a request is sent to the user's registered mobile device, and the user approves or denies the login attempt via the Duo Mobile app. Both factors satisfy the requirement for multi-factor authentication by adding a second layer beyond the primary password.

Exam trap

Cisco often tests the distinction between authentication factors (like TOTP and push) and authentication protocols (like RADIUS and LDAP), leading candidates to mistakenly select protocols as factors.
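The RFC 6238 code generation the explanation refers to, as an added worked example (not Duo's implementation) that also covers the TOTP factor in question 2: TOTP built on RFC 4226 HOTP, plus the server-side verification with a clock-skew window that a VPN RADIUS proxy has to perform. The key is the RFC test-vector key '12345678901234567890' in the base32 form an authenticator app would be provisioned with; the constants are those of the RFCs, not Duo's.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_base32_secret(secret: str) -> bytes:
    """Authenticator apps are provisioned with a base32 string; normalise case, spacing and padding."""
    cleaned = secret.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    t = int(time.time()) if at is None else int(at)
    return hotp(key, t // step, digits)


def verify_totp(key: bytes, submitted: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check allowing +/- `window` steps of clock skew, comparing in constant time
    and without returning early. A real verifier must also remember the last accepted counter
    so that a code observed on the wire cannot be replayed inside the window."""
    counter = int(at) // step
    accepted = False
    for skew in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + skew), submitted):
            accepted = True
    return accepted
```

The security of the factor rests entirely on the shared secret and on the verifier's replay tracking: a six-digit code has one chance in a million per guess, so the proxy must also rate-limit attempts, which is something the RFC leaves to the implementation.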

25
MCQhard

A security engineer is investigating a suspicious process on an endpoint. Using Cisco Secure Endpoint, which EDR capability allows the engineer to isolate the process and prevent it from executing further?

A.File quarantine
B.IOC scanning
C.Remote shell
D.Process isolation
AnswerD

Process isolation stops and blocks the process.

Why this answer

Cisco Secure Endpoint provides EDR capabilities including process isolation, which terminates and prevents the process from running again.

26
Multi-Selecthard

An engineer is deploying Cisco ISE for posture assessment. Which THREE conditions can ISE check during posture assessment before granting full network access? (Choose three.)

Select 3 answers
A.Patch level
B.SSID
C.Disk encryption status
D.Antivirus status
E.Device MAC address
AnswersA, C, D

Checks for missing critical patches.

Why this answer

ISE posture assessment can check antivirus status, patch level, and disk encryption status to ensure endpoint compliance.

27
MCQmedium

An organization wants to deploy 802.1X for network access control. Which component is responsible for forwarding authentication requests from the endpoint to the authentication server?

A.Authenticator
B.Authentication server
C.Supplicant
D.RADIUS proxy
AnswerA

The authenticator (switch/WLC) forwards authentication traffic.

Why this answer

In 802.1X, the authenticator (switch or wireless LAN controller) acts as the middleman, relaying EAP messages between the supplicant and the authentication server.
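What "relaying EAP messages" means concretely. This is an added Python example (not from Cisco or any switch firmware) that builds an EAPOL frame carrying an EAP-Response/Identity, unwraps it the way an authenticator does, and re-encapsulates the EAP packet into RADIUS EAP-Message attributes (RFC 3579, at most 253 bytes of EAP per attribute) for the authentication server, with the reverse reassembly. The MAC address and identity are constructed; the RADIUS Message-Authenticator HMAC that RFC 3579 requires alongside EAP-Message is not built here.

```python
import struct

PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")   # 802.1X destination MAC for EAPOL frames
ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET = 0
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1
RADIUS_EAP_MESSAGE = 79


def build_eap_response_identity(eap_id: int, identity: bytes) -> bytes:
    """EAP header (code, id, length) + type octet + identity string."""
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(identity), EAP_TYPE_IDENTITY) + identity


def build_eapol_frame(src_mac: bytes, eap: bytes, version: int = 2) -> bytes:
    """Ethernet + EAPOL header around an EAP packet, as the supplicant puts it on the wire."""
    return (PAE_GROUP_ADDRESS + src_mac + struct.pack("!H", ETHERTYPE_EAPOL)
            + struct.pack("!BBH", version, EAPOL_EAP_PACKET, len(eap)) + eap)


def unwrap_eapol(frame: bytes) -> bytes:
    """Authenticator: strip Ethernet/EAPOL and return the EAP packet, rejecting length mismatches."""
    if frame[12:14] != struct.pack("!H", ETHERTYPE_EAPOL):
        raise ValueError("not an EAPOL frame")
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError(f"EAPOL type {ptype} carries no EAP packet")
    eap = frame[18:18 + length]
    if len(eap) != length or struct.unpack("!H", eap[2:4])[0] != length:
        raise ValueError("EAPOL/EAP length mismatch")
    return eap


def eap_to_radius(eap: bytes) -> bytes:
    """Fragment the EAP packet into EAP-Message attributes for the RADIUS Access-Request.
    The authenticator never parses the EAP method (EAP-TLS, PEAP...) inside; it only relays."""
    chunks = [eap[i:i + 253] for i in range(0, len(eap), 253)]
    return b"".join(struct.pack("!BB", RADIUS_EAP_MESSAGE, 2 + len(c)) + c for c in chunks)


def radius_to_eap(attrs: bytes) -> bytes:
    """Reassemble EAP-Message attributes in order from a RADIUS attribute section; others are skipped."""
    parts, i = [], 0
    while i + 2 <= len(attrs):
        code, length = attrs[i], attrs[i + 1]
        if code == RADIUS_EAP_MESSAGE:
            parts.append(attrs[i + 2:i + length])
        i += length
    return b"".join(parts)


def parse_eap(eap: bytes):
    """(code, id, type or None, data). Success/Failure packets are 4 bytes and carry no type."""
    code, eap_id, length = struct.unpack("!BBH", eap[:4])
    eap_type = eap[4] if length > 4 else None
    return code, eap_id, eap_type, eap[5:length]
```

The same relay runs in the other direction: EAP-Message attributes in the Access-Challenge are reassembled and wrapped in EAPOL towards the supplicant, and only the final Access-Accept or Access-Reject (whose EAP-Success or EAP-Failure is also relayed) tells the authenticator to open or keep closed the port.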

28
MCQeasy

An organization wants to enforce multi-factor authentication (MFA) for VPN access using Cisco AnyConnect. Which Cisco product integrates with AnyConnect to provide MFA via push notifications or one-time passwords?

A.Cisco SecureX
B.Cisco Duo
C.Cisco ISE
D.Cisco AMP for Endpoints
AnswerB

Duo is the Cisco MFA solution that integrates with AnyConnect for push, TOTP, etc.

Why this answer

Cisco Duo integrates with AnyConnect either through the Duo Authentication Proxy, which sits between the ASA/FTD headend and the primary RADIUS or LDAP store and adds the second factor, or through SAML with Duo as the identity provider. It supports Duo Push to the Duo Mobile app, passcodes generated by the app or a hardware token, and phone callback, which makes it the correct choice for MFA on VPN access.

Exam trap

Cisco often tests the distinction between policy enforcement (ISE) and actual MFA delivery (Duo), leading candidates to mistakenly choose ISE because it can integrate with MFA, but it does not natively generate push notifications or OTPs.

How to eliminate wrong answers

Option A is wrong because Cisco SecureX is a cloud-native security platform that provides visibility and orchestration across security products, not a dedicated MFA solution for AnyConnect VPN. Option C is wrong because Cisco ISE (Identity Services Engine) can enforce MFA via RADIUS integration with third-party MFA providers or its own internal authentication, but it does not natively provide push notifications or OTPs without an external MFA server like Duo. Option D is wrong because Cisco AMP for Endpoints is an advanced malware protection and endpoint detection and response (EDR) solution, not an MFA product, and it does not integrate with AnyConnect for authentication.

29
MCQhard

A network administrator is configuring Cisco ISE to authenticate devices that do not support 802.1X supplicant software. Which authentication method should be used for these non-supplicant devices?

A.PEAP-MSCHAPv2
B.MAB
C.EAP-TLS
D.EAP-FAST
AnswerB

MAB authenticates based on MAC address, suitable for non-supplicant devices.

Why this answer

MAC Authentication Bypass (MAB) uses the device's MAC address for authentication, allowing non-supplicant devices to gain network access.

30
MCQmedium

A company uses Cisco AMP for Endpoints and wants to deploy it on mobile devices running iOS and Android. Which deployment method is supported for these platforms?

A.Group Policy Object (GPO)
B.SCCM
C.JAMF Pro
D.App Store or Google Play
AnswerD

Correct. AMP for Endpoints mobile app is available via app stores.

Why this answer

Cisco AMP for Endpoints is available for iOS and Android via the respective app stores (MDM is also possible, but the question implies direct deployment).

31
MCQmedium

An organization uses Cisco AMP for Endpoints and wants to perform a remote investigation on an infected endpoint. The security analyst needs to isolate the endpoint from the network while collecting forensic data. Which AMP feature should be used?

A.Device Trajectory
B.File Quarantine
C.Orbital Advanced Search
D.Endpoint Isolation and Remote Shell
AnswerD

Correct. This feature enables network isolation and remote command execution for investigation.

Why this answer

Cisco AMP for Endpoints provides endpoint isolation and remote shell capabilities, allowing analysts to isolate a compromised endpoint from the network and perform forensic investigation remotely.

32
MCQeasy

Which Cisco security product provides multi-factor authentication through push notifications, TOTP, and hardware tokens?

A.Cisco AnyConnect
B.Cisco Duo
C.Cisco ISE
D.Cisco AMP for Endpoints
AnswerB

Duo is the dedicated MFA product offering push, TOTP, and hardware tokens.

Why this answer

Cisco Duo is a multi-factor authentication solution that offers various methods including push notifications, time-based one-time passwords (TOTP), and hardware tokens.

33
MCQmedium

An organization wants to implement privileged access management (PAM) for critical servers. They require just-in-time access and session recording. Which solution integrates with Cisco SecureX to provide these capabilities?

A.Cisco Duo
B.CyberArk
C.Cisco AMP for Endpoints
D.Cisco ISE
AnswerB

CyberArk is a PAM solution that integrates with SecureX for just-in-time access and session recording.

Why this answer

CyberArk is a leading PAM solution that integrates with Cisco SecureX to provide just-in-time access, session recording, and password vaulting.

34
MCQeasy

Cisco ISE uses profiling to identify the type of device connecting to the network. Which probe helps ISE identify a device by analyzing the DHCP requests it sends?

A.HTTP probe
B.Device Sensor
C.SNMP probe
D.DHCP probe
AnswerD

DHCP probe analyzes DHCP packets to extract device information.

Why this answer

The DHCP probe captures DHCP request options to identify the device type.

35
MCQmedium

A security analyst notices that a file initially deemed 'unknown' by Cisco AMP for Endpoints was later reclassified as 'malicious'. The analyst needs to investigate the propagation of this file across endpoints. Which Cisco AMP feature provides a timeline view of file activity and spread?

A.Device Trajectory
B.SHA-256 disposition
C.Exploit Prevention
D.IOC scanning
AnswerA

Device Trajectory shows a chronological sequence of events related to a file, including its movement and impact.

Why this answer

Device Trajectory is the correct feature because it provides a timeline view of a file's activity across endpoints, including its origin, propagation, and subsequent actions. When Cisco AMP for Endpoints reclassifies a file from 'unknown' to 'malicious', Device Trajectory allows the analyst to trace the file's spread and interactions on each affected endpoint, enabling a thorough investigation of the infection chain.

Exam trap

Cisco often tests the distinction between a static file attribute (SHA-256 disposition) and a dynamic forensic tool (Device Trajectory), leading candidates to confuse the file's classification with the ability to track its spread over time.

How to eliminate wrong answers

Option B (SHA-256 disposition) is wrong because it is a static classification (e.g., clean, malicious, unknown) assigned to a file based on its hash, not a timeline or propagation view. Option C (Exploit Prevention) is wrong because it is a protection feature that blocks exploit techniques (e.g., buffer overflows) at runtime, not a forensic tool for tracking file spread. Option D (IOC scanning) is wrong because it checks endpoints against predefined indicators of compromise (e.g., hashes, IPs) to detect threats, but it does not provide a chronological timeline of file activity across endpoints.

36
MCQmedium

An organization uses Cisco ISE for network access control. After a user authenticates via 802.1X, a posture assessment determines that the user's antivirus definitions are outdated. What ISE feature can be used to dynamically restrict the user's network access until the issue is resolved?

A.Profiling
B.Change of Authorization (CoA)
C.TrustSec SGT assignment
D.Guest portal
AnswerB

CoA enables dynamic changes to VLAN or ACL after a session is established, based on posture or other conditions.

Why this answer

Change of Authorization (CoA) allows ISE to dynamically change the user's authorization state, such as moving them to a restricted VLAN or applying a more restrictive ACL, after posture assessment.

37
Multi-Selectmedium

A security administrator is configuring Cisco ISE for guest access. Which TWO components are required to allow guests to self-register and obtain network access? (Choose two.)

Select 2 answers
A. Guest VLAN
B. Device sensor
C. Sponsor portal
D. Posture assessment policy
E. Active Directory integration
Answers: A, C

A guest VLAN provides network access for guest devices after registration.

Why this answer

Guest self-registration requires a sponsor portal (or self-registration portal) and a guest VLAN or restricted ACL to provide limited access initially. The self-registration portal is typically part of the sponsor portal.

38
Multi-Select · medium

An organization wants to implement multi-factor authentication (MFA) for administrative access to network devices. Which two methods can be used with Cisco Duo to provide MFA for admin access? (Choose two.)

Select 2 answers
A. SMS passcode
B. Push notification
C. TOTP (time-based one-time password)
D. Biometric fingerprint
E. Bypass code
Answers: B, C

Duo Mobile push is a common MFA method for admin access.

Why this answer

Push notification is correct because Cisco Duo can send a push notification to the Duo Mobile app on the administrator's smartphone. The admin approves or denies the login attempt directly from the app, providing a seamless and secure second factor for authentication to network devices.

Exam trap

Cisco often tests the distinction between Duo-supported MFA methods (push, TOTP, phone callback) and methods that are either deprecated (SMS) or not directly supported (biometrics, bypass codes) for administrative access to network devices.

39
MCQ · easy

An organization wants to enforce multi-factor authentication for remote VPN access. Cisco AnyConnect is used as the VPN client. Which Cisco product integrates with AnyConnect to provide MFA capabilities such as push notifications and one-time passwords?

A. Cisco ISE
B. Cisco SecureX
C. Cisco Duo
D. Cisco AMP for Endpoints
Answer: C

Correct. Duo provides MFA for AnyConnect VPN.

Why this answer

Cisco Duo is the correct answer because it is the Cisco product specifically designed to integrate with AnyConnect for multi-factor authentication (MFA). Duo provides push notifications, one-time passwords (OTP), and other MFA methods by acting as an authentication proxy that validates secondary factors via RADIUS or SAML before allowing VPN access.

Exam trap

Cisco often tests the distinction between policy enforcement (ISE) and actual MFA provisioning (Duo), leading candidates to incorrectly select ISE because it is a common AAA platform, but ISE lacks native push/OTP capabilities without Duo.

How to eliminate wrong answers

Option A is wrong because Cisco ISE is a policy and access control platform that can enforce MFA but does not natively provide push notifications or OTP generation; it typically integrates with an external MFA provider like Duo for those capabilities. Option B is wrong because Cisco SecureX is a cloud-native security platform that provides visibility and orchestration across security products, not a dedicated MFA solution for AnyConnect VPN. Option D is wrong because Cisco AMP for Endpoints is an endpoint protection platform focused on malware detection and threat prevention, not authentication or MFA.

40
Multi-Select · medium

A network administrator is configuring Cisco ISE for guest access. The company requires a solution where guests can create their own accounts and receive network access after a sponsor approves. Which two components must be configured? (Choose two.)

Select 2 answers
A. Hotspot portal
B. Self-registration portal
C. Posture assessment
D. MAB
E. Sponsor portal
Answers: B, E

Correct. Allows guests to create their own accounts.

Why this answer

To allow guests to self-register and have a sponsor approve, ISE needs a self-registration portal and a sponsor portal.

41
MCQ · medium

During 802.1X authentication, which component acts as the intermediary that forwards authentication requests between the client and the authentication server?

A. Authentication server
B. RADIUS proxy
C. Authenticator
D. Supplicant
Answer: C

The authenticator is the network device that enforces access control and relays EAP frames.

Why this answer

In the 802.1X architecture, the authenticator (typically a switch or wireless LAN controller) is the network device that relays EAP messages between the supplicant and the authentication server (e.g., ISE).

42
MCQ · medium

A company wants to implement two-factor authentication for remote VPN access using Cisco AnyConnect. They need a solution that supports push notifications to a mobile app. Which Cisco product meets this requirement?

A. Cisco SecureX
B. Cisco ISE with certificate-based authentication
C. Cisco AMP for Endpoints
D. Cisco Duo
Answer: D

Duo provides MFA including push notifications, TOTP, and hardware tokens, and integrates with AnyConnect.

Why this answer

Cisco Duo provides multi-factor authentication with push notifications, TOTP, and other methods, and integrates with AnyConnect VPN.

43
MCQ · easy

An engineer is configuring Cisco Secure Endpoint (AMP) connectors. Which deployment is supported for the macOS platform?

A. macOS
B. Android
C. Linux
D. iOS
Answer: A

macOS is one of the supported platforms for Cisco Secure Endpoint.

Why this answer

Cisco Secure Endpoint connectors are available for Windows, Mac, Linux, Android, and iOS. macOS is supported.

44
MCQ · medium

An organization wants to deploy endpoint hardening by allowing only approved applications to run. Which technology should be implemented to achieve this?

A. EDR
B. Host-based IPS
C. Antivirus software
D. Application whitelisting
Answer: D

Application whitelisting ensures only approved applications can run.

Why this answer

Application whitelisting is the correct technology because it enforces endpoint hardening by explicitly allowing only approved applications to execute, blocking all others by default. This is a fundamental principle of least privilege and is often implemented using tools like Windows AppLocker or Cisco AMP's application control, which maintain a hash-based or path-based allow list.

Exam trap

Cisco often tests the misconception that endpoint hardening is achieved by detection-based tools like EDR or antivirus, when the question specifically asks for a preventive control that blocks unapproved applications from running at all.

How to eliminate wrong answers

Option A is wrong because EDR (Endpoint Detection and Response) focuses on monitoring, detecting, and responding to threats after execution, not on preventing unapproved applications from running. Option B is wrong because Host-based IPS (Intrusion Prevention System) analyzes network traffic and system calls for malicious patterns but does not control which applications are allowed to execute. Option C is wrong because Antivirus software relies on signature-based or heuristic detection to block known malware, but it does not prevent the execution of unapproved but non-malicious applications.

45
MCQ · medium

In a Cisco ISE deployment, a network administrator needs to dynamically change the VLAN assignment for an endpoint after a posture assessment determines that the endpoint is non-compliant. Which ISE feature enables this dynamic change without re-authentication?

A. MAB
B. Profiling
C. TrustSec
D. Change of Authorization (CoA)
Answer: D

Correct. CoA enables real-time policy changes after posture assessment.

Why this answer

Change of Authorization (CoA) allows ISE to send updates to the network device to change VLAN, ACL, or other attributes without requiring the endpoint to re-authenticate.

46
MCQ · hard

A security team deploys Cisco AMP for Endpoints and wants to detect and block memory injection attacks. Which AMP feature should be enabled to achieve this?

A. Exploit Prevention
B. Device Trajectory
C. IOC scanning
D. File quarantine
Answer: A

Exploit Prevention specifically blocks memory injection and exploit techniques.

Why this answer

Exploit Prevention in Cisco AMP protects against memory injection and other exploit techniques.

47
MCQ · easy

Which Cisco product provides privileged access management (PAM) capabilities such as just-in-time access, session recording, and password vaulting through integration with CyberArk?

A. Cisco AMP for Endpoints
B. Cisco ISE
C. Cisco SecureX
D. Cisco Duo
Answer: C

SecureX integrates with CyberArk for PAM features.

Why this answer

Cisco SecureX integrates with CyberArk to provide PAM capabilities, including just-in-time access, session recording, and password vaulting. SecureX is the Cisco platform for threat response and security analytics.

48
MCQ · easy

Which component in an 802.1X deployment is responsible for relaying authentication messages between the client and the authentication server?

A. Authenticator (switch/WLC)
B. Supplicant
C. Authentication server (ISE)
D. RADIUS proxy
Answer: A

The authenticator relays EAP frames between the supplicant and the authentication server.

Why this answer

The authenticator (typically a switch or wireless LAN controller) acts as an intermediary, forwarding EAP messages between the supplicant and the authentication server (ISE).

49
MCQ · medium

A company wants to implement privileged access management (PAM) to secure administrative credentials. They need a solution that provides just-in-time access and session recording. Which product integrated with Cisco SecureX can fulfill these requirements?

A. CyberArk
B. Cisco Duo
C. Cisco ISE
D. Cisco AMP for Endpoints
Answer: A

Correct. CyberArk provides just-in-time access and session recording.

Why this answer

CyberArk is a leading PAM solution that provides just-in-time access, session recording, and password vaulting. Cisco SecureX can integrate with CyberArk for unified visibility.

50
MCQ · hard

A network administrator is configuring Cisco ISE for posture assessment. A Windows laptop connects to the network and passes 802.1X authentication. ISE then checks if the antivirus software is running and if the OS patches are up to date. If the posture check fails, ISE should dynamically restrict the endpoint to a remediation VLAN. Which mechanism allows ISE to change the VLAN assignment after authentication without requiring the user to reauthenticate?

A. Change of Authorization (CoA)
B. 802.1X reauthentication
C. MAB reauthentication
D. RADIUS Disconnect
Answer: A

CoA enables dynamic change of authorization attributes like VLAN or ACL after authentication.

Why this answer

Change of Authorization (CoA) allows ISE to dynamically change the authorization state (e.g., VLAN or ACL) on the network device after the initial authentication. This is used to enforce posture policies without requiring the endpoint to reauthenticate.

51
MCQ · easy

An organization is implementing privileged access management (PAM) using Cisco SecureX and CyberArk. Which PAM capability provides temporary elevated access that is automatically revoked after a set period?

A. Role-based access control
B. Just-in-time access
C. Session recording
D. Password vaulting
Answer: B

JIT access is temporary and automatically revoked.

Why this answer

Just-in-time (JIT) access grants temporary privileges that expire after the task is completed, reducing standing privileges.

52
MCQ · hard

A company uses Cisco ISE for network access control. They want to authenticate users connecting via VPN using multi-factor authentication. Which solution integrates with ISE to provide MFA for AnyConnect VPN?

A. Cisco AMP for Endpoints
B. Cisco SecureX
C. CyberArk
D. Cisco Duo
Answer: D

Duo provides MFA capabilities and integrates with AnyConnect and ISE for secure VPN authentication.

Why this answer

Cisco Duo integrates with ISE and AnyConnect to provide multi-factor authentication for VPN access.

53
MCQ · medium

A company deploys Cisco Duo for multi-factor authentication to protect VPN access. Employees use AnyConnect to connect to the corporate network. After entering their credentials, they receive a push notification on their mobile device. Which Duo authentication method is being used?

A. Duo Push
B. Bypass code
C. TOTP (Time-based One-Time Password)
D. Hardware token
Answer: A

Duo Push sends a push notification to the Duo Mobile app for approval.

Why this answer

Duo Push sends a push notification to the user's enrolled mobile device, which they can approve or deny. This is the most common method for VPN MFA with AnyConnect.

54
MCQ · medium

A security engineer is deploying Cisco AMP for Endpoints and wants to ensure that the client can detect and block memory injection attacks. Which AMP feature should be enabled to provide this protection?

A. Device Trajectory
B. Endpoint IOC scanning
C. File quarantine
D. Exploit Prevention
Answer: D

Exploit Prevention specifically protects against memory injection and exploit techniques.

Why this answer

Exploit Prevention in Cisco AMP focuses on detecting and blocking memory injection attacks, such as buffer overflows and code injection, by monitoring process behavior.

55
MCQ · hard

A security engineer is configuring Cisco ISE for 802.1X authentication using EAP-TLS. What must be deployed on the endpoints to support this authentication method?

A. A username and password
B. A client certificate
C. A TOTP token
D. A shared secret
Answer: B

Correct. EAP-TLS uses certificate-based authentication.

Why this answer

EAP-TLS requires a client certificate on the supplicant for mutual authentication.

56
MCQ · hard

An endpoint running Cisco AMP for Endpoints is suspected of being compromised. The security analyst needs to isolate the process and perform a live investigation. Which EDR capability should the analyst use?

A. Remote shell investigation
B. Process isolation
C. IOC scanning
D. File quarantine
Answer: A

Remote shell allows analysts to run commands and investigate live on the endpoint.

Why this answer

Remote shell investigation allows analysts to perform live forensics on endpoints via a secure shell.

57
Multi-Select · hard

An organization wants to implement Privileged Access Management (PAM) using Cisco SecureX and CyberArk. Which THREE capabilities are typically associated with PAM solutions? (Choose three.)

Select 3 answers
A. Endpoint isolation
B. Password vaulting
C. Just-in-time access
D. Session recording
E. File quarantine
Answers: B, C, D

Correct. PAM stores and manages privileged passwords.

Why this answer

Password vaulting (B) is a core PAM capability because it securely stores privileged credentials in an encrypted repository, enforcing policies for checkout, rotation, and access control. CyberArk's Vault, for example, uses AES-256 encryption and integrates with Cisco SecureX to provide centralized credential management, ensuring that passwords are never exposed in plaintext.

Exam trap

Cisco often tests the distinction between PAM-specific features (password vaulting, JIT access, session recording) and general endpoint security controls (isolation, quarantine), so candidates mistakenly select options that sound security-related but are not part of privileged access management.

58
MCQ · easy

A security administrator is implementing Cisco AMP for Endpoints and wants to identify files that were initially allowed but later determined to be malicious. Which feature allows the administrator to see the propagation of such a file across the environment?

A. Exploit Prevention
B. IOC Scanning
C. Device Trajectory
D. SHA-256 Disposition
Answer: C

Device Trajectory shows the timeline and spread of a file across endpoints, enabling retrospective analysis.

Why this answer

Device Trajectory in Cisco AMP for Endpoints provides a timeline of file activity, showing where a file originated and how it spread, which is critical for retrospective security analysis.

59
Multi-Select · easy

An administrator is configuring Cisco Duo for multi-factor authentication. Which THREE authentication methods can Duo provide to users? (Choose three.)

Select 3 answers
A. Duo Push
B. Hardware token
C. Bypass code
D. TOTP (Time-based One-Time Password)
E. SMS passcode
Answers: A, B, D

Duo Push sends a push notification to the user's phone for approval.

Why this answer

Duo offers Duo Push (mobile notification), TOTP (time-based codes from the app), and hardware tokens (physical devices). Bypass codes are for emergency access, not a primary method, and SMS is available but is not one of the correct options here. The three correct options are standard MFA methods.

60
Multi-Select · hard

An organization wants to implement EDR capabilities for endpoints. Which three actions are typically associated with EDR? (Choose three.)

Select 3 answers
B. Process isolation
C. Remote shell investigation
D. Application whitelisting
E. File quarantine
Answers: B, C, E

Isolating a process prevents it from causing further harm.

Why this answer

File quarantine, process isolation, and remote shell investigation are EDR actions. Application whitelisting is a hardening technique, and MFA is authentication.

61
MCQ · easy

An organization wants to enforce endpoint posture compliance before granting network access. In Cisco ISE, which component performs the actual checks on the endpoint to verify antivirus status and patch levels?

A. Network Access Device (switch/WLC)
B. Posture Agent
C. ISE Policy Service Node
D. Profiling Probe
Answer: B

Correct. The posture agent runs on the endpoint and reports compliance status.

Why this answer

The posture agent (Cisco AnyConnect Posture Module or ISE Posture Agent) runs on the endpoint and performs checks for required software, updates, and configurations, then reports back to ISE.

62
Multi-Select · medium

A company deploys Cisco ISE for network access control. They need to allow guests to access the internet via a self-registration portal. Which two components must be configured? (Choose two.)

Select 2 answers
A. EAP-TLS authentication
B. Self-registration portal
C. Guest VLAN on the authenticator
D. Posture assessment for guests
E. MAB for guest devices
Answers: B, C

Self-registration portal allows guests to create their own credentials.

Why this answer

Guest access in ISE requires a sponsor portal (for approval) or self-registration portal, and integration with the network devices (switches/WLCs) for guest VLAN assignment.

63
MCQ · medium

An organization uses Cisco ISE for guest access. They want to allow guests to create their own accounts through a web portal while requiring approval from a sponsor before network access is granted. Which guest access method should be configured?

A. Hotspot guest access
B. Self-registration with sponsor approval
C. Self-registration without approval
D. Sponsor portal
Answer: B

This allows guests to register themselves and then requires sponsor approval.

Why this answer

Self-registration with sponsor approval allows guests to create accounts, but access is only granted after a sponsor approves the request. This is a common guest access scenario in ISE.

64
MCQ · medium

A network administrator configures Cisco ISE to identify devices by analyzing DHCP requests, HTTP user agents, and SNMP queries. Which ISE feature is being used?

A. TrustSec
B. Profiling
C. Guest access
D. Posture assessment
Answer: B

Profiling uses probes to determine device type and characteristics.

Why this answer

Profiling in ISE uses probes (DHCP, HTTP, SNMP, etc.) to identify device type and attributes.

65
MCQ · easy

A security administrator notices that a file initially classified as 'unknown' by Cisco AMP for Endpoints was later determined to be malicious after execution. Which feature allows the administrator to see the file's propagation and impact on endpoints?

A. Exploit Prevention
B. Endpoint IOC Scanning
C. SHA-256 Disposition
D. Device Trajectory
Answer: D

Correct. Device Trajectory shows the history of file activity and propagation across endpoints.

Why this answer

Device Trajectory is the correct answer because it provides a chronological timeline of a file's activity across all endpoints, showing its origin, propagation, and actions taken after execution. This feature is specifically designed to visualize the impact and spread of malicious files that were initially unknown but later determined to be malicious by Cisco AMP for Endpoints.

Exam trap

The trap here is that candidates confuse SHA-256 Disposition (a static hash-based classification) with the dynamic, behavioral tracking capability of Device Trajectory, leading them to pick Option C when the question asks about propagation and impact over time.

How to eliminate wrong answers

Option A is wrong because Exploit Prevention is a protection mechanism that blocks known exploit techniques at runtime, not a forensic tool for viewing file propagation and impact. Option B is wrong because Endpoint IOC Scanning checks for indicators of compromise on endpoints at a point in time, but it does not provide a historical timeline of a file's movement and behavior across systems. Option C is wrong because SHA-256 Disposition is simply the classification (e.g., clean, malicious, unknown) of a file based on its hash, not a feature that tracks file propagation or impact.

66
MCQ · hard

During a security incident, an analyst needs to isolate a compromised endpoint and perform remote forensic analysis using Cisco AMP for Endpoints. Which capability allows the analyst to execute commands on the endpoint remotely?

A. Remote shell investigation
B. Device Trajectory
C. File quarantine
D. Process isolation
Answer: A

Remote shell investigation enables command execution on the endpoint for analysis.

Why this answer

Remote shell investigation is the correct answer because Cisco AMP for Endpoints includes a feature that allows an analyst to establish a secure, encrypted shell session directly with the compromised endpoint. This enables the execution of arbitrary commands for live remote forensic analysis without requiring additional tools or manual intervention on the endpoint.

Exam trap

Cisco often tests the distinction between reactive containment actions (like file quarantine or process isolation) and interactive investigation capabilities (like remote shell), leading candidates to confuse process isolation with remote command execution.

How to eliminate wrong answers

Option B is wrong because Device Trajectory is a timeline-based visualization of file and process events on the endpoint, not a mechanism for remote command execution. Option C is wrong because File quarantine is a containment action that isolates malicious files, preventing their execution, but does not provide a shell for running commands. Option D is wrong because Process isolation terminates or suspends a specific process on the endpoint to stop malicious activity, but it does not allow the analyst to execute commands remotely.

67
MCQ · easy

An administrator needs to enforce 802.1X authentication for devices that do not support 802.1X supplicants. Which method should be configured on Cisco ISE to allow these devices to authenticate?

A. 802.1X with EAP-TLS
B. Guest portal
C. PEAP-MSCHAPv2
D. MAB
Answer: D

MAB uses the device MAC address for authentication, bypassing the need for a supplicant.

Why this answer

MAC Authentication Bypass (MAB) allows non-supplicant devices to authenticate based on their MAC address.

68
MCQ · hard

During a security incident, a SOC analyst notices that a malicious file was executed on an endpoint. Using Cisco AMP for Endpoints, which feature should the analyst use to visualize the file's propagation and activities across the network over time?

A. Orbital Advanced Search
B. IOC Scan
C. Device Trajectory
D. File Reputation Lookup
Answer: C

Correct. Device Trajectory shows a chronological view of file events, including propagation and behavior.

Why this answer

Device Trajectory provides a timeline view of file and process activities on an endpoint, showing how a file propagated and what actions it performed, which is crucial for incident investigation.

69
MCQ · medium

A network administrator is configuring Cisco ISE profiling to identify devices on the network. Which probe allows ISE to identify device type by analyzing the HTTP User-Agent string?

A. DHCP probe
B. Device Sensor
C. HTTP probe
D. SNMP probe
Answer: C

HTTP probe captures HTTP traffic, including User-Agent strings, for device profiling.

Why this answer

The HTTP probe inspects HTTP packets, including the User-Agent field, to determine the operating system and browser type, aiding in device profiling.

70
MCQ · easy

Which component in the 802.1X architecture is responsible for relaying authentication messages between the client and the authentication server?

A. Supplicant
B. Authenticator
C. Authentication Server
D. Policy Service Node
Answer: B

Correct. The authenticator relays EAP messages between supplicant and authentication server.

Why this answer

The authenticator (e.g., switch or wireless LAN controller) acts as a proxy, forwarding EAP messages between the supplicant (client) and the authentication server (ISE).

71
MCQ · medium

Cisco ISE is configured with posture assessment to ensure endpoints meet security requirements before gaining network access. After a posture check, ISE needs to dynamically change the VLAN assignment for a non-compliant endpoint. Which ISE feature enables this real-time change?

A. TrustSec
B. Change of Authorization (CoA)
C. Guest portal
D. Profiling
Answer: B

CoA allows ISE to push new authorization changes (e.g., VLAN, ACL) to the network device in real time.

Why this answer

Change of Authorization (CoA) allows ISE to dynamically update authentication and authorization attributes such as VLAN assignment.

72
MCQ · hard

In a Cisco TrustSec deployment, after successful authentication, ISE assigns a Security Group Tag (SGT) to the user. Which protocol is used to propagate the SGT to the network devices for policy enforcement?

A. SXP (SGT Exchange Protocol)
D. EAP
Answer: A

SXP is the protocol that transports IP-to-SGT mappings between devices.

Why this answer

Cisco TrustSec uses SGT Exchange Protocol (SXP) to propagate SGT mappings from the policy server (ISE) to network devices that do not natively support SGT tagging in hardware.

73
MCQ · hard

In Cisco ISE, which protocol is used for EAP-TLS authentication, and what is the primary requirement for the client to successfully authenticate?

A. EAP-FAST, requiring a PAC file
B. LEAP, requiring a shared secret
C. EAP-TLS, requiring a client certificate
D. PEAP-MSCHAPv2, requiring username and password
Answer: C

Correct. EAP-TLS is certificate-based; the client must present a certificate.

Why this answer

EAP-TLS uses certificates for mutual authentication. The client must have a valid certificate (typically issued by a CA trusted by ISE) to authenticate successfully.

74
MCQ · medium

A security analyst notices that a file previously marked as 'clean' on an endpoint was later determined to be malicious. Using Cisco Secure Endpoint, which feature allows the analyst to see the propagation of that file across the system and understand its impact?

A. IOC scanning
B. SHA-256 disposition
C. Exploit Prevention
D. Device Trajectory
Answer: D

Device Trajectory shows the timeline of file activity and propagation.

Why this answer

Device Trajectory in Cisco Secure Endpoint provides a timeline of events showing file propagation and system changes, enabling retrospective analysis.

75
MCQ · hard

A security team wants to enforce application whitelisting on endpoints to prevent unauthorized software execution. Which Cisco AMP for Endpoints feature can be used to implement this control?

A. IOC scanning
B. Exploit Prevention
C. Device Trajectory
D. Application whitelisting (via AMP policy)
Answer: D

AMP can be configured with policies that allow only approved applications to run.

Why this answer

Application whitelisting is an endpoint hardening technique that can be enforced using Cisco AMP's advanced policies, including file and application control.
