CCNA SCOR Endpoint Identity Questions


76
MCQ (hard)

An organization deploys Cisco ISE for network access control. After successful 802.1X authentication, a user's device is found to be missing critical patches via posture assessment. The administrator wants to dynamically move the user to a remediation VLAN without requiring the user to reconnect. Which ISE capability enables this?

A. Change of Authorization (CoA)
B. RADIUS Accounting
C. MAB reauthentication
D. Device Sensor profiling
Answer: A

CoA enables ISE to update session authorization in real time, such as moving to a remediation VLAN.

Why this answer

Change of Authorization (CoA) allows ISE to dynamically change authorization attributes (e.g., VLAN, ACL) for an already authenticated session.

77
Multi-Select (medium)

A network engineer is configuring Cisco TrustSec on a switch to enforce segmentation. Which THREE components are required for TrustSec to assign a Security Group Tag (SGT) to a user after successful authentication via ISE?

Select 3 answers
A. SGT classification on the switch
B. 802.1X authentication
C. RADIUS communication between ISE and switch
D. Change of Authorization (CoA)
E. VLAN assignment
Answers: B, C, D

802.1X is typically used to authenticate the user before SGT assignment.

Why this answer

B is correct because 802.1X authentication is the foundational mechanism that initiates the identity-based access control flow. When a user connects to the switch port, 802.1X (using EAP over LAN) authenticates the user against ISE, which then triggers the assignment of a Security Group Tag (SGT) via RADIUS attributes. Without 802.1X, the switch has no user identity to classify, and TrustSec cannot enforce segmentation at the user level.

Exam trap

Cisco often tests the misconception that SGT classification on the switch is a prerequisite for SGT assignment, when in fact classification is the downstream action that applies the tag after ISE has assigned it via RADIUS and CoA.

78
MCQ (hard)

A security team is implementing Privileged Access Management (PAM) using CyberArk integrated with Cisco SecureX. They need to provide just-in-time access to a critical server for a specific task, with automatic password rotation after use. Which PAM capability addresses this requirement?

A. Remote shell investigation
B. Password vaulting
C. Session recording
D. EDR file quarantine
Answer: B

Password vaulting stores, rotates, and provides on-demand access to privileged credentials.

Why this answer

Password vaulting securely stores and manages privileged credentials, enabling just-in-time access and automatic rotation after use to minimize exposure.

79
MCQ (easy)

An endpoint security engineer wants to protect against memory injection attacks on endpoints running Windows. Which Cisco AMP feature should be enabled?

A. Retrospective security
B. Exploit Prevention
C. IOC scanning
D. Device Trajectory
Answer: B

Exploit Prevention specifically guards against memory injection and other exploit techniques.

Why this answer

Exploit Prevention in Cisco AMP protects against memory-based attacks by monitoring and blocking techniques like buffer overflows and code injection.

80
MCQ (medium)

A network engineer is troubleshooting 802.1X authentication on a Cisco switch. Users report that they cannot authenticate. The engineer verifies that the switch (authenticator) is configured correctly and the RADIUS server (ISE) is reachable. Which component is most likely misconfigured on the client side?

A. Authentication server
B. RADIUS shared secret
C. Supplicant
D. Authenticator
Answer: C

Correct. The supplicant on the client may be misconfigured or not enabled.

Why this answer

The supplicant is the client software that initiates 802.1X authentication. If users cannot authenticate, the supplicant configuration (e.g., EAP method, credentials) is often the issue.

81
MCQ (easy)

Which 802.1X component is responsible for enforcing access control on the network and relaying authentication messages between the client and the authentication server?

A. Authentication server
B. RADIUS server
C. Supplicant
D. Authenticator
Answer: D

The authenticator (switch/WLC) enforces access and relays EAP messages.

Why this answer

The authenticator (typically a switch or WLC) enforces access control and acts as a proxy between the supplicant and the authentication server (ISE).

82
Multi-Select (hard)

A security team is implementing endpoint hardening measures. They want to ensure that only approved applications can run, monitor for suspicious behavior, and have the ability to isolate processes if needed. Which THREE Cisco AMP features should they enable? (Choose three.)

Select 3 answers
A. Host-based IPS (Exploit Prevention)
B. Application whitelisting
C. File quarantine
D. Retrospective security
E. EDR process isolation
Answers: A, B, E

Exploit Prevention monitors for suspicious behavior like memory injection.

Why this answer

Application whitelisting (via Cisco AMP's application control) restricts execution to approved apps; host-based IPS (Exploit Prevention) monitors behavior; and EDR capabilities (process isolation) allow containment. These three together harden endpoints.

83
MCQ (easy)

A security administrator notices that a file initially classified as 'unknown' by Cisco AMP for Endpoints has been later determined to be malicious. Which Cisco AMP feature allows the administrator to see the file's propagation and impacts across endpoints?

A. Device Trajectory
B. SHA-256 Disposition
C. IOC Scanning
D. Exploit Prevention
Answer: A

Device Trajectory shows the historical activity and propagation of a file or process, enabling retrospective analysis.

Why this answer

Device Trajectory provides a timeline view of file and process activity, showing the propagation of a threat after it is discovered to be malicious.

84
Multi-Select (medium)

A security analyst is configuring Cisco Secure Endpoint (AMP) to detect and respond to threats. Which TWO features are part of the Exploit Prevention capability? (Choose two.)

Select 2 answers
A. Memory injection protection
B. File quarantine
C. SHA-256 disposition
D. Rogue process detection
E. Device Trajectory
Answers: A, D

Blocks attempts to inject code into running processes.

Why this answer

Exploit Prevention in Cisco Secure Endpoint includes memory injection protection and other exploit mitigations like rogue process detection.

85
Multi-Select (hard)

A company wants to deploy endpoint hardening measures to prevent unauthorized applications from executing. Which THREE techniques are commonly used for application control? (Choose three.)

Select 3 answers
A. Application whitelisting
B. Host-based IPS
C. Patch management
D. EDR capabilities (e.g., file quarantine)
E. Application blacklisting
Answers: A, B, D

Whitelisting permits only pre-approved applications to execute.

Why this answer

Application whitelisting allows only approved applications to run. Host-based IPS monitors/prevents malicious behavior. EDR capabilities like file quarantine and process isolation help control applications.

Blacklisting is less effective; patch management is not application control.

86
MCQ (easy)

In a Cisco ISE 802.1X deployment, which component acts as the authenticator?

A. RADIUS server
B. Authentication server (ISE)
C. Supplicant (client software)
D. Authenticator (switch/WLC)
Answer: D

The authenticator is the network device that mediates authentication between supplicant and server.

Why this answer

The authenticator is the network device (switch or wireless LAN controller) that enforces authentication before granting access.

87
MCQ (medium)

A security analyst wants to investigate a remote endpoint that is suspected of being compromised. Using Cisco AMP for Endpoints, which capability allows the analyst to run commands on the endpoint and perform live analysis?

A. Process isolation
B. File quarantine
C. IOC scanning
D. Remote shell investigation
Answer: D

Remote shell provides a command-line interface to the endpoint for live analysis.

Why this answer

Cisco AMP for Endpoints includes endpoint detection and response (EDR) capabilities such as remote shell, which allows analysts to execute commands on the endpoint for investigation.

88
Multi-Select (easy)

An administrator is configuring Cisco ISE profiling using Device Sensor. Which two types of information can the Device Sensor collect from endpoints? (Choose two.)

Select 2 answers
A. RADIUS accounting logs
B. DHCP details (hostname, vendor class)
C. HTTP user-agent strings
D. NetFlow data
E. SNMP MIB objects
Answers: B, C

Correct. Device Sensor can capture DHCP data.

Why this answer

Cisco Device Sensor can collect DHCP information (e.g., hostname, vendor class) and HTTP information (e.g., user-agent) to identify device type and operating system.

89
MCQ (easy)

Cisco ISE is configured to assign Security Group Tags (SGTs) to endpoints based on their identity. This is part of which Cisco security architecture?

A. Cisco Duo
B. Cisco TrustSec
C. Cisco SecureX
D. Cisco AMP
Answer: B

Correct. TrustSec uses SGTs for identity-based segmentation.

Why this answer

Cisco TrustSec is the security architecture that uses Security Group Tags (SGTs) to enforce access control based on identity rather than IP addresses. Cisco ISE acts as the policy decision point, dynamically assigning SGTs to endpoints and distributing them via protocols like SXP or inline tagging, enabling consistent policy enforcement across the network.

Exam trap

Cisco often tests the distinction between TrustSec (which handles SGT assignment and network segmentation) and other security products like Duo or SecureX, so the trap here is confusing identity-based tagging with MFA or cloud security platforms.

How to eliminate wrong answers

Option A is wrong because Cisco Duo is a multi-factor authentication (MFA) and zero-trust access solution, not an architecture for SGT assignment or network segmentation. Option C is wrong because Cisco SecureX is a cloud-native security platform that integrates multiple Cisco security products for visibility and orchestration, but it does not directly assign SGTs or implement TrustSec policies. Option D is wrong because Cisco AMP (Advanced Malware Protection) is an endpoint threat detection and response solution focused on malware analysis and prevention, not on identity-based network segmentation via SGTs.

90
Multi-Select (medium)

A network administrator is deploying Cisco ISE for network access control. The administrator needs to profile devices that connect to the network. Which TWO probes can be used to gather information for device profiling? (Choose two.)

Select 2 answers
A. SNMP probe
B. DNS probe
C. DHCP probe
D. HTTP probe
E. Device Sensor
Answers: C, D

DHCP probe gathers information from DHCP requests, such as hostname and vendor class.

Why this answer

DHCP probe collects hostname and other DHCP options; HTTP probe captures User-Agent strings. Both are common profiling probes. SNMP and Device Sensor are also probes, but the question asks for TWO only.

91
MCQ (easy)

Which EAP method used with 802.1X requires a client-side certificate for authentication?

A. LEAP
B. PEAP-MSCHAPv2
C. EAP-TLS
D. EAP-MD5
Answer: C

EAP-TLS requires certificates on both client and server.

Why this answer

EAP-TLS uses certificates on both the client and server sides for mutual authentication. PEAP-MSCHAPv2 uses a server certificate and client credentials (password).

92
MCQ (medium)

An organization wants to provide network access to guest users through Cisco ISE. Guests must register themselves and accept an acceptable use policy before gaining internet-only access. Which guest access method should be configured?

A. 802.1X with PEAP-MSCHAPv2
B. Self-registration
C. MAB
D. Sponsor portal
Answer: B

Correct. Self-registration allows guests to register themselves and accept policies.

Why this answer

Self-registration is the correct guest access method because it allows guest users to create their own credentials and accept an acceptable use policy (AUP) before being granted internet-only access. Cisco ISE's self-registration portal handles the entire workflow: user provides details, accepts the AUP, and ISE provisions a temporary account with restricted access, typically via a sponsored or direct access policy.

Exam trap

The trap here is that candidates often confuse the sponsor portal (which requires an internal user to create accounts) with self-registration (where guests create their own accounts), leading them to select sponsor portal when the question explicitly states 'guests must register themselves'.

How to eliminate wrong answers

Option A is wrong because 802.1X with PEAP-MSCHAPv2 is an enterprise authentication method requiring pre-provisioned credentials and certificates, not a guest self-service registration flow. Option C is wrong because MAB (MAC Authentication Bypass) authenticates devices based on their MAC address without any user interaction, so it cannot enforce user registration or AUP acceptance. Option D is wrong because a sponsor portal requires an existing employee or sponsor to create guest accounts, whereas the question specifies that guests must register themselves without sponsor involvement.

93
Multi-Select (hard)

An organization wants to deploy endpoint hardening measures. Which three capabilities are provided by Cisco AMP for Endpoints as part of EDR (Endpoint Detection and Response)? (Choose three.)

Select 3 answers
A. TrustSec SGT assignment
B. Device Sensor profiling
C. Remote shell investigation
D. File quarantine
E. Process isolation
Answers: C, D, E

Remote shell allows analysts to run commands on endpoints.

Why this answer

EDR capabilities include file quarantine, process isolation, and remote shell investigation for incident response.

94
Multi-Select (medium)

Cisco TrustSec uses Security Group Tags (SGTs) for policy enforcement. Which two components are required for TrustSec to function? (Choose two.)

Select 2 answers
A. SGT assignment via ISE
B. SGT enforcement on switches/firewalls
C. 802.1X with EAP-TLS
D. MAC Authentication Bypass
E. Device profiling
Answers: A, B

ISE assigns SGTs to endpoints based on identity.

Why this answer

TrustSec requires SGT assignment and SGT-based policies on network devices. Profiling is used to assign SGTs but is not a core component; MAB and 802.1X are authentication methods.

95
MCQ (medium)

An organization wants to grant temporary administrative access to a server for a specific task and automatically revoke the access after the task is completed. Which Cisco solution should be used?

A. Cisco Duo
B. Cisco SecureX with CyberArk
C. Cisco ISE
D. Cisco AMP for Endpoints
Answer: B

SecureX integrates with CyberArk to provide JIT access and session management for privileged accounts.

Why this answer

Cisco SecureX integrates with CyberArk to provide just-in-time (JIT) privileged access management.

96
MCQ (medium)

Cisco ISE posture assessment requires that endpoints meet certain security requirements before being granted network access. Which of the following is a typical posture requirement?

A. SGT assignment
B. Device type identification via profiling
C. Antivirus definition file version
D. MAC address registration
Answer: C

Posture can verify that antivirus definitions are current.

Why this answer

Posture assessment checks for compliance with security policies, such as having antivirus software installed and up-to-date, patch levels, and disk encryption enabled.

97
MCQ (medium)

An engineer is configuring Cisco ISE for 802.1X authentication. The organization has a mix of devices, including some that do not support 802.1X supplicants. Which method should the engineer use to allow these non-supplicant devices to authenticate?

A. Enable MAC Authentication Bypass on the authenticator
B. Deploy Cisco AMP connectors on all endpoints
C. Configure a guest portal for self-registration
D. Use EAP-TLS with device certificates
Answer: A

Correct. MAB allows devices to authenticate using their MAC address when they cannot run an 802.1X supplicant.

Why this answer

MAC Authentication Bypass (MAB) allows devices that cannot run an 802.1X supplicant to authenticate based on their MAC address, which is sent as the username and password.

98
MCQ (medium)

In Cisco ISE, profiling is used to identify device types. Which probe must be enabled for ISE to determine the operating system of a device by analyzing DHCP options?

A. Device Sensor
B. DHCP Probe
C. HTTP Probe
D. SNMP Probe
Answer: B

Correct. DHCP Probe extracts device information from DHCP packets for profiling.

Why this answer

DHCP Probe analyzes DHCP packet options (e.g., option 55) to identify the device's OS or vendor class, enabling ISE to profile the device type.

99
MCQ (medium)

A security engineer is deploying Cisco AMP for Endpoints in an organization. To ensure that any malicious file that was initially allowed but later determined to be malicious can be traced, which feature should be used?

A. SHA-256 file disposition
B. Exploit Prevention
C. Device Trajectory
D. Endpoint IOC scanning
Answer: C

Device Trajectory provides a timeline of file activity, enabling retrospective analysis and visibility into file propagation.

Why this answer

Cisco AMP uses retrospective security to continuously analyze file behavior. If a file is later deemed malicious, the Device Trajectory shows its propagation path and actions, allowing for containment and remediation.

100
MCQ (hard)

A network administrator is configuring Cisco ISE for device profiling. The goal is to identify the type of device (e.g., Windows PC, iPhone, printer) connecting to the network. Which probe should be used to gather the DHCP option 60 (vendor class identifier) and option 12 (hostname) information?

A. DHCP probe
B. Cisco Device Sensor
C. SNMP probe
D. HTTP probe
Answer: A

The DHCP probe captures DHCP packets and extracts options like vendor class and hostname.

Why this answer

The DHCP probe in ISE collects information from DHCP packets, including option 60 (vendor class identifier) and option 12 (hostname), which are used for device profiling.

101
Multi-Select (medium)

An organization uses Cisco ISE for network access control. They want to authenticate users with certificates for strong security. Which two EAP methods support certificate-based authentication? (Choose two.)

Select 2 answers
A. PEAP-MSCHAPv2
B. LEAP
C. EAP-MD5
D. EAP-TLS
E. EAP-FAST
Answers: A, D

PEAP-MSCHAPv2 uses a server certificate for tunnel establishment, then MSCHAPv2 for client authentication.

Why this answer

EAP-TLS and PEAP-MSCHAPv2 both support certificate-based authentication, though PEAP-MSCHAPv2 uses certificates on the server side only.

102
Multi-Select (easy)

Cisco AMP for Endpoints provides endpoint protection. Which two are core capabilities of AMP? (Choose two.)

Select 2 answers
A. Privileged access management
B. Exploit prevention
C. Continuous monitoring
E. Retrospective security
Answers: C, E

AMP continuously monitors file activity and network connections.

Why this answer

C is correct because Cisco AMP for Endpoints provides continuous monitoring of file activity and telemetry across endpoints, analyzing behavior in real time to detect threats. This capability ensures that even if a file is initially deemed safe, any subsequent malicious activity is identified and blocked, leveraging cloud-based threat intelligence and analytics.

Exam trap

Cisco often tests the distinction between 'continuous monitoring' and 'retrospective security' as unique AMP capabilities versus generic security features like exploit prevention or MFA, which are associated with other Cisco products (e.g., Firepower, Duo).

103
MCQ (medium)

Which protocol does Cisco ISE use to communicate with network devices for 802.1X authentication?

B. LDAP
Answer: A

RADIUS is the protocol for network access control.

Why this answer

Cisco ISE uses RADIUS for authentication, authorization, and accounting. 802.1X leverages EAP over RADIUS.

104
MCQ (hard)

A network administrator needs to provide network access to a legacy printer that does not support 802.1X. Which Cisco ISE feature should be used to authenticate this device?

A. Posture assessment
B. Guest access with self-registration
C. Profiling using DHCP probe
D. MAC Authentication Bypass
Answer: D

MAB uses the device's MAC address for authentication, suitable for non-802.1X devices.

Why this answer

MAC Authentication Bypass (MAB) allows devices that cannot run 802.1X supplicant software to authenticate based on their MAC address. ISE can be configured to accept the MAC address as the credential.

105
Multi-Select (medium)

An organization is deploying Cisco Duo for multi-factor authentication. Which TWO authentication methods can be used with Duo? (Choose two.)

Select 2 answers
A. Kerberos ticket
B. Smart card
C. Time-based one-time password (TOTP)
D. Biometric authentication
E. Push notification
Answers: C, E

Duo Mobile can generate TOTP codes for offline authentication.

Why this answer

Duo provides push notifications to a mobile app and time-based one-time passwords (TOTP) as authentication methods. Biometrics is not a Duo method, and SMS passcodes are available but legacy. Hardware tokens are also supported and valid, but the question asks for TWO, and push and TOTP are the most common.

The exam expects push and TOTP as the primary methods.

106
MCQ (medium)

A security analyst needs to investigate a potential breach on an endpoint running Cisco AMP. The analyst wants to remotely execute commands to gather forensic data and potentially isolate the endpoint from the network. Which Cisco AMP EDR capability should the analyst use?

A. Process isolation
B. Device Trajectory
C. File quarantine
D. Remote shell investigation
Answer: D

Remote shell provides command-line access to the endpoint for investigation and response.

Why this answer

Remote shell investigation allows security analysts to execute commands on an endpoint remotely for live forensics, and process isolation can be used to contain threats.

107
Multi-Select (medium)

A network engineer is troubleshooting 802.1X authentication failures. Which two components are required for a successful 802.1X authentication? (Choose two.)

Select 2 answers
A. DHCP server
B. Authentication server (ISE)
C. Supplicant (client software)
D. DNS server
E. RADIUS proxy
Answers: B, C

ISE validates credentials and grants access.

Why this answer

In 802.1X authentication, the supplicant (client software) initiates the authentication process by sending an EAPOL-Start message, and the authentication server (ISE) validates the client's credentials via RADIUS. Without both, the authentication cannot complete. The supplicant provides identity, while the authentication server makes the final permit/deny decision.

Exam trap

Cisco often tests that candidates mistakenly include supporting infrastructure (DHCP, DNS) as required components, but 802.1X authentication is purely Layer 2 and does not depend on IP-based services until after successful authentication.

108
MCQ (medium)

A security engineer is configuring Duo for VPN authentication with AnyConnect. Which authentication factor does Duo provide in addition to the user's primary credentials?

A. RADIUS accounting
B. SAML assertion
C. Machine certificate validation
D. Second-factor authentication (push, TOTP, etc.)
Answer: D

Correct. Duo provides a second factor after primary authentication.

Why this answer

Duo provides second-factor authentication, typically via push notification, TOTP, or hardware token, which is used after the user enters their primary credentials (e.g., LDAP password).

109
Multi-Select (medium)

Cisco ISE can profile endpoints using various probes. Which three probes are used for device profiling? (Choose three.)

Select 3 answers
A. HTTP probe
B. DNS probe
C. DHCP probe
D. SNMP probe
E. RADIUS probe
Answers: A, C, D

HTTP probe analyzes HTTP traffic to identify device type.

Why this answer

The HTTP probe (A) is correct because Cisco ISE uses it to profile endpoints by inspecting HTTP user-agent strings and other HTTP header fields, which reveal the operating system or browser type. This passive fingerprinting helps classify devices like smartphones, tablets, or PCs without requiring credentials.

Exam trap

Cisco often tests the distinction between authentication/authorization protocols (RADIUS) and profiling probes, leading candidates to mistakenly select RADIUS because it is commonly associated with endpoint identity in ISE.

110
MCQ (easy)

A network administrator wants to deploy Cisco AMP for Endpoints to protect endpoints. Which feature allows the detection of a file that was initially deemed benign but later discovered to be malicious?

A. File Reputation
B. IOC Scanning
C. Exploit Prevention
D. Retrospective Security
Answer: D

Correct. Retrospective security enables detection after execution by analyzing file behavior over time.

Why this answer

Retrospective security in Cisco AMP for Endpoints continuously monitors file behavior and can re-evaluate files that were previously allowed, updating their disposition if malicious activity is detected later.

111
MCQ (hard)

An organization uses Cisco ISE with TrustSec to assign Security Group Tags (SGTs) to endpoints based on their role. An endpoint initially receives an SGT for 'Employees' but after a posture check reveals missing antivirus updates, ISE changes the SGT to 'Quarantine'. Which ISE feature dynamically updates the SGT?

A. Change of Authorization (CoA)
B. Posture assessment
C. Guest access
D. Profiling
Answer: A

CoA allows ISE to update session attributes, including SGT, without reauthentication.

Why this answer

Change of Authorization (CoA) is the correct answer because it is the RADIUS-based mechanism (RFC 5176) that allows Cisco ISE to dynamically update an endpoint's Security Group Tag (SGT) after a posture check. When the posture assessment detects missing antivirus updates, ISE sends a CoA request to the network access device (e.g., switch or wireless LAN controller) to reauthenticate the session or push a new SGT, effectively moving the endpoint from 'Employees' to 'Quarantine' without requiring the user to manually reconnect.

Exam trap

Cisco often tests the distinction between the feature that triggers the change (posture assessment) and the protocol that enforces the change (CoA), leading candidates to mistakenly select 'Posture assessment' as the answer.

How to eliminate wrong answers

Option B (Posture assessment) is wrong because posture assessment is the process that evaluates the endpoint's compliance (e.g., antivirus status), but it does not directly update the SGT; it triggers the CoA to enforce the change. Option C (Guest access) is wrong because guest access is a separate ISE feature for managing temporary network access for visitors, not for dynamically updating SGTs based on posture results. Option D (Profiling) is wrong because profiling identifies endpoint attributes (e.g., OS, device type) to assign initial SGTs, but it does not dynamically change SGTs in response to real-time posture compliance changes.

112
MCQ (easy)

Which Cisco ISE probe is used to identify the operating system and open ports of an endpoint by actively scanning it?

A. DNS probe
B. DHCP probe
C. HTTP probe
D. SNMP probe
Answer: C

HTTP probe can identify OS via User-Agent string and open ports via web server responses.

Why this answer

The HTTP probe profiles endpoints by analyzing HTTP traffic and headers. For identifying the OS and open ports, the most accurate answer is the NMAP probe (or similar), which is not listed. Among the listed options, the HTTP probe is the only one that can provide some OS information, via the HTTP User-Agent string.

The standard Cisco ISE probes map as follows: DHCP (vendor), HTTP (OS/browser), SNMP (device type). Given the options, the question expects 'HTTP probe' because it can identify the OS.

So HTTP is correct for OS.

113
MCQ (medium)

A security analyst needs to enforce that all endpoints have antivirus software running and are up-to-date with patches before granting full network access. Which Cisco ISE feature should be used to enforce this policy?

A. Change of Authorization (CoA)
B. Profiling
C. Posture assessment
D. TrustSec SGT assignment
Answer: C

Posture assessment evaluates endpoint security posture and can restrict access until compliance is met.

Why this answer

Posture assessment checks endpoints for compliance with security policies (e.g., antivirus status, patch level) before granting access.

114
Multi-Select (medium)

A security analyst is investigating an alert from Cisco AMP for Endpoints. The analyst wants to perform remote actions on the endpoint. Which TWO actions are available in AMP for Endpoints? (Choose two.)

Select 2 answers
A. Just-in-time access
B. File quarantine
C. Remote shell
D. Password vaulting
E. Process isolation
Answers: B, C

Correct. AMP can quarantine a file on the endpoint.

Why this answer

AMP for Endpoints allows file quarantine and remote shell for investigation. Process isolation is not a standard action; endpoint isolation is a separate action.

115
Multi-Select (hard)

An organization wants to deploy endpoint hardening measures. Which three of the following are considered endpoint hardening techniques? (Choose three.)

Select 3 answers
A. Application whitelisting
B. RADIUS authentication
C. EDR capabilities (file quarantine, process isolation)
D. Host-based IPS
E. SNMP polling
Answers: A, C, D

Correct. Whitelisting only allows approved applications to run.

Why this answer

Application whitelisting, host-based IPS, and EDR capabilities are all endpoint hardening techniques that protect endpoints by controlling what runs, detecting threats, and enabling response.

116
MCQ (easy)

Which Cisco Duo authentication method involves a one-time code generated by a hardware token?

A. Bypass codes
B. TOTP
C. Push notification
D. Hardware token
Answer: D

A hardware token generates OTPs physically.

Why this answer

A hardware token generates a one-time passcode (OTP) that the user enters to authenticate.

117
MCQ (medium)

A network engineer is configuring 802.1X on a switch port that connects to a VoIP phone and a PC behind the phone. Which authentication method should be used to authenticate both devices separately?

A. Single-host authentication
B. Multi-domain authentication (MDA)
C. MAC Authentication Bypass (MAB)
D. Guest VLAN
Answer: B

MDA enables separate authentication for voice and data domains on the same port.

Why this answer

Multi-domain authentication (MDA) allows a switch port to authenticate multiple devices (e.g., phone and PC) separately, each with its own VLAN.

118
Multi-Select (hard)

An organization is implementing Privileged Access Management (PAM) using CyberArk integrated with Cisco SecureX. Which THREE capabilities are typically provided by such a PAM solution?

Select 3 answers
A. Firewall rule management
B. Session recording of administrative activities
C. Password vaulting for service accounts
D. Antivirus scanning of administrative workstations
E. Just-in-time access to critical systems
Answers: B, C, E

Session recording captures actions for auditing.

Why this answer

Session recording of administrative activities (Option B) is a core capability of CyberArk PAM, as it captures and logs all keystrokes, commands, and screen activity during privileged sessions. This recording is stored securely and can be replayed for audit and compliance purposes, integrating with Cisco SecureX for centralized visibility and threat detection.

Exam trap

The trap here is that candidates often confuse PAM capabilities with general security functions like firewall management or antivirus, forgetting that PAM specifically addresses privileged credential vaulting, session monitoring, and just-in-time access, not network or endpoint protection tasks.

119
MCQ (medium)

An engineer is configuring Cisco ISE for 802.1X authentication. The network has many printers and IP phones that do not support 802.1X supplicant software. Which ISE feature should be used to allow these devices to authenticate?

A. Posture assessment
B. MAC Authentication Bypass (MAB)
C. Guest access with sponsor portal
D. Profiling via DHCP probe
Answer: B

MAB authenticates devices by MAC address when an 802.1X supplicant is not available.

Why this answer

MAC Authentication Bypass (MAB) allows non-802.1X-capable devices to authenticate based on their MAC address.

120
Multi-Select · hard

A security analyst needs to investigate a potential breach on an endpoint. Cisco AMP for Endpoints provides several EDR capabilities. Which three actions can the analyst perform using AMP's EDR features? (Choose three.)

Select 3 answers
A. SGT assignment
B. VLAN reassignment
C. Remote shell investigation
D. Process isolation
E. File quarantine
Answers: C, D, E

Allows interactive command-line investigation of the endpoint.

Why this answer

Cisco AMP's EDR capabilities include file quarantine, process isolation, and remote shell investigation. These allow investigation and containment of threats on endpoints.

121
MCQ · medium

An engineer is configuring Cisco ISE for 802.1X authentication in a corporate network. A printer that does not support 802.1X needs to be granted network access. Which method should the engineer use to authenticate the printer?

A. Guest Portal
B. PEAP-MSCHAPv2
C. EAP-TLS
D. MAB
Answer: D

MAB uses the MAC address of the device for authentication, suitable for non-supplicant devices like printers.

Why this answer

MAC Authentication Bypass (MAB) allows devices that cannot run an 802.1X supplicant to authenticate based on their MAC address. The printer's MAC is used as the credential against the authentication server.

122
MCQ · medium

A network administrator is configuring 802.1X on a Cisco switch for corporate Windows laptops. The organization uses certificates for authentication. Which EAP method should be configured on the supplicant and ISE to provide certificate-based mutual authentication?

A. PEAP-MSCHAPv2
B. EAP-MD5
C. EAP-TLS
D. EAP-FAST
Answer: C

EAP-TLS provides certificate-based mutual authentication.

Why this answer

EAP-TLS (Transport Layer Security) is the correct choice because it provides certificate-based mutual authentication, where both the supplicant (Windows laptop) and the authentication server (ISE) present X.509 certificates to verify each other's identity. This meets the requirement for certificate-based authentication and is the only EAP method listed that inherently requires certificates on both sides for mutual authentication.

Exam trap

Cisco often tests the distinction between EAP methods that use certificates only on the server side (like PEAP) versus those that require certificates on both sides (EAP-TLS), leading candidates to mistakenly choose PEAP-MSCHAPv2 when the question explicitly states 'certificate-based mutual authentication'.

How to eliminate wrong answers

Option A (PEAP-MSCHAPv2) is wrong because while PEAP uses a server-side certificate to create a TLS tunnel, the inner authentication uses MSCHAPv2 (username/password) rather than client certificates, so it does not provide certificate-based mutual authentication. Option B (EAP-MD5) is wrong because it uses only a simple MD5 challenge-response with a shared password, provides no mutual authentication, and is vulnerable to man-in-the-middle attacks; it also does not support certificates at all. Option D (EAP-FAST) is wrong because it relies on a Protected Access Credential (PAC) for authentication, not certificates, and while it can be configured with certificates for server-side authentication, it is not inherently certificate-based for mutual authentication like EAP-TLS.

123
MCQ · easy

A company wants to implement network access control for IoT devices that do not support 802.1X. Which Cisco ISE feature can be used to grant these devices network access based on their MAC address?

A. MAB
B. Guest access
C. Profiling
D. Posture assessment
Answer: A

Correct. MAB uses the device's MAC address for authentication.

Why this answer

MAC Authentication Bypass (MAB) is the correct Cisco ISE feature because it allows network access for devices that cannot perform 802.1X, such as IoT devices. MAB works by using the device’s MAC address as the authentication credential; ISE checks the MAC address against an allowed list (e.g., endpoint identity store) and grants or denies access accordingly. This is the standard fallback mechanism for non-802.1X-capable endpoints in a wired or wireless network.

Exam trap

Cisco often tests the misconception that Profiling (Option C) can grant network access, but profiling is a classification tool, not an authentication method; candidates confuse the two because profiling results can influence authorization policies after MAB or 802.1X authentication has occurred.

How to eliminate wrong answers

Option B (Guest access) is wrong because guest access is designed for temporary, unauthenticated users (e.g., visitors) and typically uses a captive portal or sponsor approval, not MAC-based authentication for IoT devices. Option C (Profiling) is wrong because profiling is a passive or active process that identifies device type and attributes (e.g., OS, vendor) but does not itself grant or deny network access; it is often used alongside MAB or 802.1X for policy decisions. Option D (Posture assessment) is wrong because posture assessment checks endpoint compliance (e.g., antivirus, patches) after authentication, and IoT devices usually cannot run posture agents; it is not a method for initial network access based on MAC address.

124
MCQ · medium

A network engineer is configuring Cisco ISE for wireless 802.1X authentication. The company wants to use certificate-based authentication for all corporate devices. Which EAP method should be configured?

A. EAP-MD5
B. PEAP-MSCHAPv2
C. EAP-TLS
D. LEAP
Answer: C

EAP-TLS requires client and server certificates for authentication.

Why this answer

EAP-TLS uses digital certificates for mutual authentication between the client and the server, providing strong security without requiring passwords.

125
MCQ · easy

In the 802.1X authentication process, which component is responsible for relaying authentication messages between the client and the authentication server?

A. Authentication server (ISE)
B. RADIUS proxy
C. Authenticator
D. Supplicant
Answer: C

The authenticator (e.g., switch) forwards EAP messages between the supplicant and the authentication server.

Why this answer

In the 802.1X authentication process, the authenticator (typically a switch or wireless access point) is responsible for relaying Extensible Authentication Protocol (EAP) messages between the supplicant (client) and the authentication server (e.g., ISE). The authenticator encapsulates EAP frames into RADIUS packets for transmission to the server, acting as a transparent proxy that does not modify or terminate the EAP conversation. This role is defined in IEEE 802.1X-2010, where the authenticator controls port access based on the authentication result.

Exam trap

Cisco often tests the misconception that the RADIUS proxy is the relay component, but the authenticator (switch/AP) is the standard relay in 802.1X, while a RADIUS proxy is an optional network element for routing RADIUS traffic between different administrative domains.

How to eliminate wrong answers

Option A is wrong because the authentication server (ISE) is the endpoint that validates credentials and makes the final access decision, not the relay of messages between client and server. Option B is wrong because a RADIUS proxy is an optional intermediary that forwards RADIUS packets between different RADIUS realms or domains, but it is not a required component in the standard 802.1X architecture; the authenticator itself performs the relay. Option D is wrong because the supplicant is the client software (e.g., on a laptop) that initiates authentication and responds to EAP requests, but it does not relay messages to the server.
