CCNP Security Practice Test | Secure Access (SISAS)

What are the four posture conditions that can be used to evaluate the state of a software component on a client endpoint? (Choose four)

A. File

B. Service

C. Node

D. Application

E. Registry

F. Command

What option simplifies ACL management?

A. dACLs

B. VLANs

C. Security Group Access

What considerations must you take into account when using an External Authentication solution with Cisco ISE? (Choose three)

A. NAT is not supported

B. It requires accurate time on the ISE and Authentication servers

C. Active Directory is the only supported external authentication source

D. Certain ports must be opened on any firewalls between the servers

Which is an accurate step in the WebAuth process?

A. NAD authenticates the user

B. NAD initiates access request

C. MAB is configured

D. ISE redirects the client browser

Which tool enables portal authentication when accessing with HTTPS?

A. User Name policy

B. MACsec

C. Cisco ISE guest services

D. Web Authentication

What needs to be done to authenticate Active Directory users with Cisco ISE?

A. Configure a local source.

B. Configure an identity source sequence.

C. Configure an external source.

D. Download the appropriate groups into the dictionary.

When using 802.1X authentication, which type of VLAN will have a centralized audit trail in the AAA system?

A. Assigned

B. Guest

C. Default

D. Restricted

E. Critical

What is the function of the CoA used in Cisco ISE posture service?

A. It is used for authenticating and encrypting packets between two adjacent devices.

B. It is used to categorize incoming packets into flows.

C. It is used to change endpoint status after authorization and compliance checks.

D. It is used to ensure accurate local timekeeping of endpoints.

What is the most common BYOD design model?

A. Guest Enabled SSID

B. Dual SSID

C. Single SSID

D. Mixed Mode SSID

What information is not used in conjunction with Security Group information for SGFW enforcement?

A. IP version

B. Destination IP address

C. Port numbers

D. Protocol numbers

What are the two default ISE preconfigured dACLs? (Choose two)

A. Fullaccess_DACL

B. Permit all traffic

C. Deny all traffic

D. Secure traffic only

Which is an access issue not covered in the guest services?

A. Lifetime of a guest account

B. Customizable guest portals

C. Sponsor account privileges

D. Password hashing

When connecting an Active Directory, or AD source to Cisco ISE the connection does not automatically join the AD. What must you also do to complete the connection?

A. Refresh the Active Directory configuration page

B. Test the connection

C. You must select the "Auto-join" checkbox

D. Click the Join button

Which statement about Cisco NAC web agent is true?

A. Typically used on managed devices

B. Guides users through the posture and remediation process

C. Typically used for unmanaged PCs

D. Handles user logons and SSO in an 802.1X environment

What command allows you to create the user certificate for EAP-TLS?

A. certmgr.msc

B. devmgmt.msc

C. mmc

D. compmgmt.msc

Refer to the SXP connection command output. Which options correctly describe the result of this output? (Choose two)

Refer to the SXP connection command output. Which options correctly describe the result of this output?

A. Only the HQ device can be configured as a speaker.

B. The current configuration will not function.

C. Either device needs to be configured as the speaker.

D. Both devices would need to be configured as the speaker.

E. The current configuration will work, but sub-optimally.

Which posture configuration component defines the NAC agent appropriate for each device type?

A. Client provisioning policy

B. Posture administrative settings

C. Authorization policy

D. Posture policy

What are some of the fields you would expect to see in a Certificate? (Choose three)

A. Valid to

B. Key Version

C. MailTo

D. Valid from

E. Public key

Identify the six components of the Life cycle. (Choose six)

A. Identify

B. Enforce

C. Harden

D. Monitor

E. Isolate

F. Correlate

G. Archive

Which two statements are true regarding the client provisioning policy? (Choose two)

A. It can redirect endpoints to a client provisioning portal.

B. It maps resources to device types.

C. It defines the compliance requirements.

D. It is responsible for the automatic update of installed NAC agent software.

E. It needs to be adjusted to reflect the Compliant, Noncompliant, and Unknown endpoint states.

Which three settings are required for the configuration of NADs in a Cisco Identity Services Engine deployment? (Choose three)

A. SNMP

B. Network device group

C. Security Group Access parameters

D. Device name

E. IP address

Which two services can be carried out through Cisco ISE Guest Services Sponsor portal? (Choose two)

A. Register a device

B. Create guest accounts

C. Modify guest accounts

D. Policy configuration

Which two Cisco ISE guest settings are affected by the use of customized portals? (Choose two)

A. Username policy

B. Language templates

C. Password policy

D. Details policy

Which is not a policy function of the Cisco TrustSec architecture?

A. Classify

B. Enforce

C. Transport

D. Create

Which Cisco ISE probe gathers data from the Cisco IOS Device Sensor feature?

A. NMAP

B. HTTP

C. RADIUS

D. DHCP

What are the two steps required to validate the ISE certificate? (Choose two)

A. Second, verify the server certificate

B. Second, verify the server signature

C. First, verify the server signature

D. First, verify the server certificate

From which location in the Cisco ISE can you view endpoint profiler summary information?

A. Administration | Identity Management | Groups | Endpoint Identity Groups | Profiled

B. |b Policy |p || |b Policy Elements |p || |b Results |p || |b Authentication |p || |b Allowed Protocols Services |p

C. |b Policy |p || |b Policy Elements |p || |b Conditions, Profiler |p

D. |b Operations |p || |b Reports |p || |b Catalog |p || |b Endpoint |p

What command is used to see if a particular dynamic ACL has been applied to an interface?

A. speed

B. show

C. ssh

D. send

Which two components make up the Cisco ISE profiler? (Choose two)

A. Sponsor portal

B. Analyzer

C. Sensor

D. dACL

With a zone-based firewall configuration, how are security groups specified?

A. SAP

B. Access-list

C. Permission matrix

D. Class-map statements

What is the purpose and use of agents? (Choose three)

A. Typically used on managed devices

B. Installed from Web or MSI with administrator rights

C. Typically used on client or user facing systems only

D. Available for Windows and Macintosh computers

E. Web installation can be done without administrator rights but is limited

What ports must not be blocked for the NAC agents using the SWISS protocol? (Choose two)

A. UDP 8906 for Layer 3 deployment

B. UDP 8905 for Layer 2 deployment

C. TCP 8907 for Layer 3 deployment

D. UDP/TCP 8900

E. UDP 9804 for Layer 2 deployment

When configuring an endpoint identity using Cisco ISE, which values are available to be configured? (Choose three)

A. First name

B. Policy assignment

C. Last name

D. Identity group assignment

E. Password

F. MAC address

What command configures a switch to use user-RADIUS authorization for all network related service requests?

A. aaa authorization dot1x network default group radius

B. aaa authorization network default group radius

C. aaa authentication network default group radius

D. aaa authentication dot1x default group radius

What is the default URL that can be used by employees to access the My Devices Portal of an ISE server?

A. https://:8443/sponsorportal

B. https://:8443/mydevices

C. http://:443/sponsorportal

D. https://:80/mydevices

Which field is not encrypted in the frame payload?

A. PAYLOAD

B. CMD

C. 802.1Q

D. DMAC

Which command is use to verify traffic redirection to a client provisioning portal on a switch?

A. show authentication session interface

B. |b debug radius authentication |p

C. |b show wccp |p

D. |b show authentication interface |p

For Cisco switches, on which ports can MACsec be used? (Choose three)

A. CMD

B. 802.1Q

C. ETYPE

D. SMAC

E. DMAC

Which of the following is true when creating NDGs?

A. The NDG name and type is required when creating a child NDG.

B. NDGs can be imported using a CSV file.

C. Predefined root NDGs can be modified.

D. Network devices can only be assigned to one NDG.

Which functions are provided by enabling Cisco ISE guest services? (Choose two)

A. Operation of guest users

B. Guest user management

C. Allows access with an 802.1X supplicant

D. Client provisioning

What application security feature is used with Exchange servers?

A. WSA

B. ISE

C. ESA

D. NFP

Which AAA authentication feature specifies a set of MAC addresses that are allowed to skip authentication?

A. Web authentication

B. MAB

C. 802.1X

D. VPN authentication

Which of the following are the three CoA types available for configuring CoA for the ISE Profiler service? (Choose three)

A. Reauth

B. Port Bounce

C. Disabled

D. No CoA

E. Standalone

Which two statements regarding the Cisco NAC Web agent are true? (Choose two)

A. It is typically used for unmanaged computers and guest access.

B. It offers the most remediation options.

C. It is typically used on managed devices.

D. It requires ActiveX or Java to be installed on the endpoints.

E. It can be installed from a Web browser or an MSI package.

What does the Cisco ISE use to change an endpoint authorization status after successful authentication and after confirmation of endpoint compliance?

A. CoA

B. TrustSec

C. PKI

D. MACsec

What is used to propagate SGT within the network? (Choose two)

A. Inline tagging

B. SGFW

C. SGACL

D. SXP

What can ISE apply to an endpoint through a NAC agent? (Choose three)

A. NAC Agent updates

B. Agent customization packages and profiles

C. An internal scan for security issues and malware

D. Auto-detection of copyright infringement and missing licenses

E. Compliance modules for antivirus and antispyware

What command allows you to view the authentication status and the ACS ACL on interface gi0/1?

A. show authentication sess int gi0/1

B. show authentication gi0/1 sessions acls

C. show authorization acls int gi0/1

D. show sess acls int gi0/1

Which three statements are true regarding BYOD guest access? (Choose three)

A. Guests are sent to WebAuth.

B. The Wireless_MAB rule will be applied to guests.

C. Guest endpoints are provisioned.

D. Connection is limited to the open SSID.

E. The open SSID is only used during the initial connection phase.

Which MACsec policy rejects access if either the supplicant or the switch are not MACsec capable?

A. Should-secure

B. NEAT

C. Must-not-secure

D. Must-secure

Which three roles are used with 802.1X port-based authentication? (Choose three)

A. Authentication server

B. Profiler

C. CoA

D. Supplicant

E. Authenticator

Which 802.1X host mode provides independent authentication of an IP phone and a computer, and only allows one MAC address per VLAN?

A. Multiple host mode

B. Multiple authentication mode

C. MDA mode

D. Single host mode

What occurs when an EAPOL packet is detected on a MAB enabled port?

A. WebAuth is used.

B. 802.1X authentication is used.

C. The port is disabled.

D. The posture service is initiated.

You need to verify that an endpoint is using the latest profile. Which report should you run?

A. Endpoint Profile Changes

B. Registered Endpoints

C. Profiled Endpoint Summary

D. Top Authorizations by Endpoint

Which 802.1X host mode allows for the use of multiple clients using MAB, web authorization, or 802.1X on the data VLAN?

A. Multiple host mode

B. Multiple domain authentication mode

C. Multiple authentication mode

D. Single host mode

While calculating your results take a moment to complete our simple survey!

How likely is it that you would recommend LearnCisco.net
to a friend or colleague?

Why?

Our Recommended Premium Cisco Training Resources:

While calculating your results take a moment to complete our simple survey!

How likely is it that you would recommend LearnCisco.net to a friend or colleague?

Why?

Our Recommended Premium Cisco Training Resources:

How likely is it that you would recommend LearnCisco.net
to a friend or colleague?