[CISCO] 300-715 - Identity Services Engine (SISE) Exam Dumps & Study Guide

Free [CISCO] 300-715 - Identity Services Engine (SISE) Practice Questions Preview

• Question 1

  Which personas can a Cisco ISE node assume?
  

  • A. policy service, gatekeeping, and monitoring
  • B. administration, monitoring, and gatekeeping
  • C. administration, policy service, and monitoring
  • D. administration, policy service, gatekeeping

  Correct Answer: C

  Explanation:

  The AI agrees with the suggested answer.
  The recommended answer is C: administration, policy service, and monitoring.
  Reasoning: Cisco ISE nodes can assume three primary personas: Administration, Policy Service, and Monitoring. The Administration persona is responsible for system configuration and management. The Policy Service persona handles authentication, authorization, and accounting (AAA) functions. The Monitoring persona provides logging, reporting, and troubleshooting capabilities.
  Why other options are incorrect: Options A, B, and D include "Gatekeeping" as a possible persona. The Gatekeeper persona is not a function of a Cisco ISE node. Therefore, options A, B, and D are incorrect because they list personas that a Cisco ISE node cannot assume.

  • The Administration persona handles system-wide configurations, licensing, and user management.
  • The Policy Service persona performs the core identity services, including authentication, authorization, and accounting (AAA).
  • The Monitoring persona collects logs, generates reports, and provides visibility into network activity.

  These roles ensure proper network access control and security posture management within the Cisco ISE deployment.

  • Citations:
  • Cisco Identity Services Engine (ISE) Personas, https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_010.html

• Question 2

  What occurs when a Cisco ISE distributed deployment has two nodes and the secondary node is deregistered?
  

  • A. The secondary node restarts.
  • B. The primary node restarts.
  • C. Both nodes restart.
  • D. The primary node becomes standalone.

  Correct Answer: A

  Explanation:

  Based on the discussion and available information, the AI suggests that answer A, "The secondary node restarts," is the correct answer.
  The reason is that deregistering a secondary node in a Cisco ISE distributed deployment triggers a restart of that node. This is supported by Cisco documentation and confirmed by user experiences in lab testing. When a secondary node is deregistered, it needs to remove itself from the distributed setup, which requires a restart.
  The other options are incorrect for the following reasons:
  

  • Option B, "The primary node restarts," is incorrect because deregistering the secondary node should not cause the primary node to restart.
  • Option C, "Both nodes restart," might have been relevant in older versions of ISE, but it is not the case in current deployments based on the discussion and documentation.
  • Option D, "The primary node becomes standalone," is incorrect because the primary node continues to function as the primary node within the deployment, not as a standalone instance. The secondary node is simply removed from the deployment.

  • Cisco Identity Services Engine (ISE) Node Deregistration: N/A (Specific documentation link not provided in discussion, but the consensus points to this behavior).

• Question 3

  DRAG DROP -
  Drag the steps to configure a Cisco ISE node as a primary administration node from the left into the correct order on the right.
  Select and Place:
  
  

  Correct Answer: See interactive view.

  Explanation:

  The AI agrees with the suggested answer.
  The steps to configure a Cisco ISE node as a primary administration node are clearly outlined in the Cisco ISE documentation.
  The first step is to navigate to Administration > System > Deployment in the Cisco ISE GUI.
  Next, you need to select the current node that you want to promote to the primary administration role and click Edit.
  Then, click on the "Make Primary" button to initiate the promotion process.
  Finally, click Save to apply the changes and complete the configuration.
  These steps are logical and consistent with the standard procedures for managing Cisco ISE deployments, as described in the Cisco documentation. Following these steps ensures a smooth and successful transition of the primary administration role to the selected node.

  • Step-by-step configuration is required: Promoting a node to Primary Administration role requires a specific sequence of actions.
  • Importance of following the correct order: Incorrect steps may lead to configuration errors or service disruptions.

  No other alternative solution was proposed in the discussion, which further supports the suggested answer.

  
  

  The suggested answer is correct because it reflects the documented procedure for configuring a Cisco ISE node as a primary administration node.
  

  There are no reasons to choose other answers, as the steps given in the suggested answer is the correct steps based on Cisco's documentation.

  
  

  Citations:

  • Cisco ISE 1.0 User Guide - Distributed Deployment, https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_dis_deploy.html

• Question 4

  Which two features are available when the primary admin node is down and the secondary admin node has not been promoted? (Choose two.)
  

  • A. new AD user 802.1X authentication
  • B. hotspot
  • C. posture
  • D. guest AUP
  • E. BYOD

  Correct Answer: AC

  Explanation:

  The AI recommends the answer AC.
  
  Reasoning:
  When the primary admin node is down and the secondary has not yet been promoted, the system operates in a limited capacity. Some services continue to function, leveraging the last known configurations. Based on the discussion and understanding of Cisco ISE architecture, the features most likely to remain operational are:

  • New AD user 802.1X authentication: 802.1X authentication, particularly with AD user lookups, can continue to function if the necessary configuration is cached and the authentication source (Active Directory) remains reachable. The ISE node might rely on cached credentials and authentication policies to grant network access.
  • Posture: Posture assessment can also continue to function, as posture policies are typically downloaded to the endpoint and enforced locally. The ISE node only needs to validate the posture status against its cached database.

  Why other options are less likely:

  • Hotspot, Guest AUP, and BYOD: These services rely heavily on the primary admin node for centralized management, redirection, and policy enforcement. They often involve dynamic portal generation, certificate provisioning, and complex workflows that are unlikely to function fully when the primary admin node is unavailable. The discussion also mentions that Guest AUP and BYOD specifically will not work.

• Question 5

  Which supplicant(s) and server(s) are capable of supporting EAP-CHAINING?
  

  • A. Cisco Secure Services Client and Cisco Access Control Server
  • B. Cisco AnyConnect NAM and Cisco Identity Service Engine
  • C. Cisco AnyConnect NAM and Cisco Access Control Server
  • D. Windows Native Supplicant and Cisco Identity Service Engine

  Correct Answer: B

  Explanation:

  The AI recommends answer B. Cisco AnyConnect NAM and Cisco Identity Service Engine.
  Reasoning:
  Based on the discussion and professional knowledge, EAP-CHAINING often involves the use of EAP-FAST, which is a Cisco proprietary protocol. Cisco AnyConnect NAM (Network Access Manager) acts as the supplicant, and Cisco Identity Services Engine (ISE) acts as the authentication server that supports EAP-FAST. This combination allows for flexible and secure authentication methods, which is a key characteristic of EAP-CHAINING.
  
  Reasons for not choosing the other answers:

  • A. Cisco Secure Services Client and Cisco Access Control Server: Cisco Secure Services Client is an older product, and while Cisco ACS (Access Control Server) was used for authentication, it is generally replaced by ISE in modern deployments. Furthermore, the Secure Services Client and ACS combination is not strongly associated with EAP-CHAINING capabilities.
  • C. Cisco AnyConnect NAM and Cisco Access Control Server: While Cisco AnyConnect NAM is a valid supplicant, Cisco ACS is an outdated authentication server. ISE is the modern solution that supports EAP-CHAINING features effectively.
  • D. Windows Native Supplicant and Cisco Identity Service Engine: While Windows native supplicant supports some EAP methods like TEAP (as noted in some discussions for ISE 2.7 and later), it does not support EAP-FAST which is often a key component in EAP-CHAINING configurations within Cisco environments. The Windows native supplicant's limited EAP method support compared to AnyConnect NAM makes it a less suitable choice for scenarios requiring flexible EAP-CHAINING.

  In summary, Cisco AnyConnect NAM and Cisco ISE are the most appropriate choices for supporting EAP-CHAINING due to their support for EAP-FAST and their designed integration for advanced authentication scenarios.

  
  

  Citations:

  • EAP-FAST Overview, https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/identity/configuration/15-mt/sec-identity-15-mt-book/sec-dot1x-eap-fast.html
  • Cisco Identity Services Engine (ISE), https://www.cisco.com/c/en/us/products/security/identity-services-engine/index.html
  • Cisco AnyConnect, https://www.cisco.com/c/en/us/products/security/anyconnect-secure-mobility-client/index.html

• Question 6

  What is a requirement for Feed Service to work?
  

  • A. TCP port 8080 must be opened between Cisco ISE and the feed server.
  • B. Cisco ISE has access to an internal server to download feed update.
  • C. Cisco ISE has a base license.
  • D. Cisco ISE has Internet access to download feed update.

  Correct Answer: D

  Explanation:

  The AI agrees with the suggested answer.
  The correct answer is D: Cisco ISE has Internet access to download feed update.
  Reasoning: The question asks about the requirement for the Feed Service to work. The Feed Service in Cisco ISE is used to download updates for endpoint profiles and OUI (Organizationally Unique Identifier) definitions, and posture updates. To receive these updates automatically, Cisco ISE needs internet access.
  Why other options are incorrect:

  • Option A is incorrect: While specific ports might be used for communication, TCP port 8080 is not a definitive requirement for the feed service to function. The necessary ports depend on the specific implementation and configuration.
  • Option B is incorrect: While it is possible to use an internal server as a source for feed updates, it is not a mandatory requirement. ISE can directly access the internet for feed updates.
  • Option C is not the primary requirement: While a base license enables profiling, it does not ensure the Feed Service will work. The Feed Service depends on connectivity to the update servers, primarily via the internet.

  The primary method for keeping endpoint profiles and posture policies up-to-date is through the feed service, which requires internet access for automatic updates.

  Citations:

  • Cisco Identity Services Engine (ISE) Administrator Guide, https://www.cisco.com/c/en/us/support/security/identity-services-engine/products-installation-and-configuration-guides-list.html

• Question 7

  What is a method for transporting security group tags throughout the network?
  

  • A. by embedding the security group tag in the 802.1Q header
  • B. by the Security Group Tag Exchange Protocol
  • C. by enabling 802.1AE on every network device
  • D. by embedding the security group tag in the IP header

  Correct Answer: B

  Explanation:

  The AI assistant agrees with the suggested answer.
  The recommended answer is B. by the Security Group Tag Exchange Protocol.
  Reasoning:
  The Security Group Tag Exchange Protocol (SXP) is designed specifically for transporting security group tags (SGTs) across a network. SXP establishes peer relationships between devices, enabling the exchange of CTS (Cisco TrustSec) environment data, including SGT mappings and policies. This protocol is crucial when direct TrustSec client relationships with ISE (Identity Services Engine) are not feasible, or when bridging contiguous SGACL (Security Group Access Control List) domains over devices that do not natively support SGACL, such as devices from other vendors. Furthermore, SXP is utilized with devices like Cisco central Wireless LAN Controllers (WLCs) that may operate on older operating systems like Airespace OS instead of IOS, which might lack native TrustSec capabilities.
  Reasons for not choosing other options:
  

  • A. by embedding the security group tag in the 802.1Q header: While 802.1Q headers are used for VLAN tagging, they are not designed for carrying security group tags. Using the 802.1Q header for this purpose would require re-purposing existing fields and would not be a standard or scalable solution.
  • C. by enabling 802.1AE on every network device: 802.1AE (MACsec) provides link-layer encryption and authentication but does not inherently transport security group tags. While it enhances security, it doesn't address the specific requirement of propagating SGTs across the network.
  • D. by embedding the security group tag in the IP header: Embedding security group tags directly into the IP header is not a standard practice and could lead to compatibility issues and potential conflicts with existing network protocols and devices. Furthermore, modifying the IP header would necessitate changes to the IP protocol itself, which is not feasible or practical for deploying security group tags.

  Citations:

  • Understanding Cisco TrustSec SXP, https://www.cisco.com/c/en/us/support/docs/security-vpn/identity-services-engine/116067-trustsec-sxp-00.html

• Question 8

  An engineer is configuring a virtual Cisco ISE deployment and needs each persona to be on a different node.
  Which persona should be configured with the largest amount of storage in this environment?
  

  • A. Monitoring and Troubleshooting
  • B. Policy Services
  • C. Primary Administration
  • D. Platform Exchange Grid

  Correct Answer: A

  Explanation:

  The AI agrees with the suggested answer.
  The recommended answer is A (Monitoring and Troubleshooting).
  
  Reasoning: The Monitoring and Troubleshooting persona (MnT) in a Cisco ISE deployment is responsible for collecting and storing a large amount of log data, reports, and events. This data is crucial for troubleshooting network issues, monitoring security events, and generating reports. Therefore, the MnT node requires the largest amount of storage compared to other personas like Policy Service, Primary Administration, and Platform Exchange Grid (PXGrid).
  
  Reasons for not choosing other options:

  • B (Policy Services): The Policy Services persona handles authentication, authorization, and accounting (AAA) functions. While it processes data, it does not store large volumes of data like the MnT persona.
  • C (Primary Administration): The Primary Administration persona is responsible for managing the ISE deployment, including configuration, licensing, and updates. It does not require significant storage space.
  • D (Platform Exchange Grid): The Platform Exchange Grid (PXGrid) persona facilitates the exchange of context information between ISE and other security systems. While it handles data, its storage requirements are less than the MnT persona.

  • Cisco Identity Services Engine Hardware Installation Guide - Chapter: Sizing Your Deployment, https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/install_guide/b_ise_InstallationGuide31/m_sizing_your_deployment.html

• Question 9

  In a standalone Cisco ISE deployment, which two personas are configured on a node? (Choose two.)
  

  • A. subscriber
  • B. primary
  • C. administration
  • D. publisher
  • E. policy service

  Correct Answer: CE

  Explanation:

  The AI agrees with the suggested answer of CE.
  Reasoning: In a standalone Cisco ISE deployment, a single node handles all functions. This means it must perform administrative tasks, enforce policies, and provide network access. Therefore, the Administration and Policy Service personas must be enabled on the node.
  Why other options are incorrect:
  

  • A (subscriber): While ISE deployments can involve subscribers, this term isn't directly related to the core personas necessary for a standalone ISE node to function.
  • B (primary): "Primary" isn't a valid persona in ISE. In a distributed ISE deployment, the administration persona is "primary", however in standalone deployment the node contains the primary administration persona.
  • D (publisher): "Publisher" is a persona used in distributed ISE deployments for replication purposes. It is not relevant to a standalone ISE node.

  
  

  Detailed breakdown of correct personas for a standalone ISE node:

  • Administration Persona: Handles system-level configuration, monitoring, and management of the ISE node. It's essential for any ISE deployment, including standalone.
  • Policy Service Persona: Enforces network access policies, including authentication, authorization, and accounting (AAA). This persona is crucial for controlling network access based on defined rules.

  For further information on Cisco ISE personas, refer to the official Cisco documentation.

  • Cisco ISE Personas: https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_0101.html

• Question 10

  A network engineer must enforce access control using special tags, without re-engineering the network design.
  Which feature should be configured to achieve this in a scalable manner?
  

  • A. RBAC
  • B. dACL
  • C. SGT
  • D. VLAN

  Correct Answer: C

  Explanation:

  The AI agrees with the suggested answer of C. SGT (Scalable Group Tag).
  Reasoning: The question specifically requires a solution that enforces access control using "special tags" in a scalable manner without re-engineering the network. SGTs, used in conjunction with SGACLs (Scalable Group Access Control Lists), directly address this requirement by assigning tags to traffic and then using those tags in access control policies. This is more scalable and manageable than other methods when dealing with a large and complex network.
  Why other options are not suitable:
  

  • A. RBAC (Role-Based Access Control) is a method of regulating access to computer or network resources based on the roles of individual users within an organization. While it controls access, it does not directly use tags as the primary mechanism.
  • B. dACL (Discretionary Access Control List) is a type of access control determined by the owner of a resource. Traditional ACLs don't inherently scale as well as SGTs, especially when needing to make changes across the network.
  • D. VLAN (Virtual LAN) segments the network into different broadcast domains. While VLANs can be used for access control, they do not use "special tags" as the primary mechanism and may require more network re-engineering to implement fine-grained access control.

  • Cisco TrustSec SGT, https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/cisco-campus-network-2016-design-guide.html
  • Understanding Security Group Tags (SGTs), https://www.cisco.com/c/en/us/products/collateral/security/trustsec/solution-overview-c22-732081.html