Implementing Cisco Secure Access Solutions
Question No: 121
Which two EAP types require server side certificates? (Choose two.)
Question No: 122
Which command is useful when troubleshooting AAA Authentication between a Cisco router and the AAA server?
test aaa-server test cisco cisco123 all new-code
test aaa group7 tacacs auth cisco123 new-code
test aaa group tacacs cisco cisco123 new-code
test aaa-server tacacs group7 cisco cisco123 new-code
Question No: 123
Which statement about a distributed Cisco ISE deployment is true?
It can support up to two monitoring Cisco ISE nodes for high availability.
It can support up to three load-balanced Administration ISE nodes.
Policy Service ISE nodes can be configured in a redundant failover configuration.
The Active Directory servers of Cisco ISE can be configured in a load-balanced configuration.
Question No: 124 CORRECT TEXT
Which command is used to enable SGACL globally?
Answer: cts role-based-enforcement
Question No: 125
Which RADIUS attribute can be used to dynamically assign the Inactivity active timer for MAB users from the Cisco ISE node?
Explanation/Reference: https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/
When the inactivity timer is enabled, the switch monitors the activity from authenticated endpoints.
When the inactivity timer expires, the switch removes the authenticated session.
The inactivity timer for MAB can be statically configured on the switch port, or it can be dynamically assigned using the RADIUS Idle-Timeout attribute (Attribute 28).
Cisco recommends setting the timer using the RADIUS attribute because this approach gives you control over which endpoints are subject to this timer and the length of the timer for each class of endpoints.
For example, endpoints that are known to be quiet for long periods of time can be assigned a longer inactivity timer value than chatty endpoints.
Question No: 126
Currently, many users are experiencing problems using their AnyConnect NAM supplicant to log in to the network. The IT desktop support staff have already examined and verified that the AnyConnect NAM configuration is correct.
In this simulation, you are tasked to examine the various ISE GUI screens to determine the ISE current configurations to help isolate the problems. Based on the current ISE configurations, you will need to answer three multiple choice questions.
To access the ISE GUI, click the ISE icon in the topology diagram.
Not all the ISE GUI screens are operational in this simulation, and some of the ISE GUI operations have been reduced in this simulation.
Not all the links on each ISE GUI screen work. If some of the links are not working on a screen, click Home to go back to the Home page first. From the Home page, you can access all the required screens.
To view some larger GUI screens, use the simulation window scroll bars. Some of the larger GUI screens are only partially shown but include all the information required to complete this simulation.
Which two of the following statements are correct? (Choose two.)
The ISE is not able to successfully connect to the hq-srv.secure-x.local AD server.
The ISE internal endpoints database is used to authenticate any users not in the Active Directory domain.
The ISE internal user database has two accounts enabled: student and test, which map to the Employee user identity group.
Guest_Portal_Sequence is a built-in identity source sequence.
Question No: 127
Which set of commands allows IPX inbound on all interfaces?
ASA1(config)# access-list IPX-Allow ethertype permit ipx ASA1(config)# access-group IPX-Allow in interface global
ASA1(config)# access-list IPX-Allow ethertype permit ipx ASA1(config)# access-group IPX-Allow in interface inside
ASA1(config)# access-list IPX-Allow ethertype permit ipx ASA1(config)# access-group IPX-Allow in interface outside
ASA1(config)# access-list IPX-Allow ethertype permit ipx ASA1(config)# access-group IPX-Allow out interface global
Question No: 128
Which two profile attributes can be collected by a Cisco Catalyst Switch that supports Device Sensor? (Choose two.)
LLDP agent information
Question No: 129
Which valid external identity source can be used with Cisco ISE?
IPsec vpn authentication
local user name and password
Question No: 130 CORRECT TEXT
The Secure-X company has started to test the 802.1X authentication deployment using the Cisco Catalyst 3560-X layer 3 switch and the Cisco ISE v1.2 appliance. Each employee desktop will be connected to the 802.1X enabled switch port and will use the Cisco AnyConnect NAM 802.1X supplicant to log in and connect to the network.
Your particular tasks in this simulation are to create a new identity source sequence named AD_internal which will first use the Microsoft Active Directory (AD1) then use the ISE Internal User database. Once the new identity source sequence has been configured, edit the existing Dot1X authentication policy to use the new AD_internal identity source sequence.
The Microsoft Active Directory (AD1) identity store has already been successfully configured; you just need to reference it in your configuration.
In addition to the above, you are also tasked to edit the IT users authorization policy so IT users who successfully authenticated will get the permission of the existing IT_Corp authorization profile.
Perform this simulation by accessing the ISE GUI to perform the following tasks:
Create a new identity source sequence named AD_internal to first use the Microsoft Active Directory (AD1) then use the ISE Internal User database
Edit the existing Dot1X authentication policy to use the new AD_internal identity source sequence:
If authentication failed: reject the access request
If user is not found in AD: drop the request without sending a response
If process failed: drop the request without sending a response
Edit the IT users authorization policy so IT users who successfully authenticated will get the permission of the existing IT_Corp authorization profile.
To access the ISE GUI, click the ISE icon in the topology diagram. To verify your configurations, from the ISE GUI, you should also see the Authentication Succeeded event for the it1 user after you have successfully defined the Dot1X authentication policy to use the Microsoft Active Directory first then use the ISE Internal User Database to authenticate the user. And in the Authentication Succeeded event, you should see the IT_Corp authorization profile being applied to the it1 user. If your configuration is not correct and ISE can't authenticate the user against the Microsoft Active Directory, you should see the Authentication Failed event instead for the it1 user.
Note: If you make a mistake in the Identity Source Sequence configuration, please delete the Identity Source Sequence then re-add a new one. The edit Identity Source Sequence function is not implemented in this simulation.
Answer: Review the explanation for full configuration and solution.
Step 1: create a new identity source sequence named AD_internal which will first use the Microsoft Active Directory (AD1) then use the ISE Internal User database as shown below:
Step 2: Edit the existing Dot1x policy to use the newly created Identity Source:
Then hit Done and save.