Fundamentals of AAA
1. Which of the following best describes the difference between authentication and authorization?
a. There is no difference between authentication and authorization.
b. Authorization determines what a user may do, whereas an authentication determines what
devices the user can interact with.
c. Authentication is used with both network access and device administration, whereas
authorization applies only to device administration.
d. Authentication validates the user ’s identity, whereas authorization determines what that user is permitted to do.
authentication is the validation of the identity credentials. Authorization is the
determination of what is allowed or disallowed based on those credentials.
2. Which of the following are types of AAA as related to the topics of this exam? (Select two.)
a. Device administration
b. Device access
c. A division of minor league baseball
d. Network access
e. Network administration
The two forms of authentication, authorization, and accounting that are relevant to the
SISAS exam are network access and device administration.
3. Which of the following protocols is best suited for granular command-level control with
device administration AAA?
a. DIAMETER
b. TACACS+
c. RADIUS
d. RADIUS+
TACACS+ is best suited for granular command-level control due to its ability to separate
authentication and authorization
4. Which of the following protocols is best suited for authenticating and authorizing a user for
network access AAA?
a. TACACS+
b. CHAP
c. RADIUS
d. MS-CHAPv2
RADIUS is best suited for network access AAA due to its capability to work with numerous
authentication protocols, such as CHAP and MS-CHAPv2, but more importantly the dependency
on RADIUS for 802.1X authenticationsand the enhancements to RADIUS for change of
authorization.
5. True or False? RADIUS can be used for device administration AAA.
a. True
b. False
Both TACACS+ and RADIUS can be used to provide device administration AAA services;
however, TACACS+ offers command-level authorization and RADIUS does not.
6. Which of the following Cisco products should be used for device administration with
TACACS+?
a. Cisco Secure Access Control Server (ACS)
b. Cisco Identity Services Engine
c. Cisco TACACS+ Control Server (TCS)
d. Cisco Centri
Cisco ACS supports both RADIUS and TACACS+ and command sets, while Cisco ISE
version 1.2 supports only RADIUS
7. Why is RADIUS or TACACS+ needed? Why can’t the end user authenticate directly to the
authentication server?
a. The added level of complexity helps Cisco and other vendors to sell more products.
b. Because the names sound so cool.
c. RADIUS and TACACS+ are used between the end user and the authentication server.
d. Both RADIUS and TACACS+ extend the Layer-2 authentication protocols, allowing the end
user to communicate with an authentication server that is not Layer-2 adjacent.
The majority of the authentication protocols used (EAP, CHAP, MS-CHAPv2, PAP) are
Layer-2 protocols meant to be topology independent. RADIUS and TACACS+ are used to
connect the end user to the authentication server, even when they are not on the same LAN
segment
8. Which of the following are TACACS+ messages sent from the AAA client to the AAA server?
(Select all that apply.)
a. START
b. REPLY
c. CHALLENGE
d. REQUEST
TACACS+ clients send only two message types: START and CONTINUE. REPLY is sent
from the AAA server to the AAA client.
9. When using RADIUS, what tells the AAA server which type of action is being authenticated?
a. The TACACS+ service.
b. The Service-Type field.
c. RADIUS does not distinguish between different services.
d. The action AV-pair.
The Service-Type value tells the RADIUS server what is being performed. For example,
service-type of Call-Check informs the AAA server that the client is performing a MAB request
10. Which of the following best describes an AV-pair?
a. When communicating with an AAA protocol, the AV-pair stipulates a common attribute or
object and its assigned value.
b. Cisco likes to throthrow in terms to confuse the reader.
c. The AV-pair is used to choose either TACACS+ or RADIUS.
d. The AV-pair is used to specify the quality of service (QoS) for audio and video traffic.
The RADIUS server may be assigning an attribute to the authentication session, like a
VLAN, for example. The VLAN place holder is the attribute, and the actual assigned VLAN
number is the value for that place holder, as a pair.
Identity Management
1. What are two types of identities used in Cisco Identity Service Engine?
a. SSID
b. MAC address
c. Username
d. IP address
An identity is a representation of who a user or device is. Cisco ISE uses an endpoint’s
MAC address to uniquely identify that endpoint. A username is one method of uniquely
identifying an end user. Although SSIDs and IP addresses can be used as conditions or attributes
in ISE policies, they are not identities.
2. What are the two general types of identity stores used by Cisco ISE?
a. Temporary
b. External
c. Internal
d. Permanent
Cisco ISE can use identities stored in a database that resides as part of the ISE application
itself; these are known as internal identity stores. Examples are the GUEST user identity store
and the endpoints identity store. Identities can live outside of ISE, such as Active Directory, and
these are known as external identity stores.
3. Cisco ISE internal identity stores are used to authentication which two of the following?
a. Endpoints
b. AD security groups
c. RADIUS
d. Users
ISE has two different types of internal identity stores: users and endpoints. The user
identity stores hold identities for interactive users, such as guests or employees. These have
attributes such as passwords for the authentication of the user. Endpoints have a different kind of
identity. Because they don’t interact with an authentication in most cases, their identities can
often just be their MAC addresses.
4. Which identity store attributes can be used in an ISE authorization policy? (Choose two.)
a. User
b. Time
c. Accounting
d. Machine
Either a user or a machine (endpoint) can be authorized for network access. Sometimes it
is possible to authorize based on the identity or attributes of both the user and the machine.
5. What is an individual identity store called?
a. Authentication source
b. Identity database
c. Identity source
d. Authentication database
The identity store is known as an identity source or an information source. The data
contained in the identity store is used for authentication and authorization purposes.
6. How is an identity source sequence processed?
a. Bottom to top
b. Left to right
c. Top to bottom
d. No particular order
An identity source sequence (ISS) is a list of identity stores. Much like an access control list
(ACL), the ISS list is processed with from the top to the bottom, where the first entry that has the
identity is used and the processing of the ISS ends.
7. Which of the following identity stores are supported by ISE for authentication? (Choose three.)
a. LDAP
b. TACACS
c. Microsoft Active Directory
d. RADIUS servers
Lightweight Directory Access Protocol is a standard directory type that allows vendors
to use a common communication structure to provide authentications and information about
identities. Microsoft’s Active Directory is an LDAP-like directory source and is one of the most
common identity sources in the modern world. In addition to querying an identity source
directly, ISE is also able to proxy RADIUS authentications to a different RADIUS server.
8. Which of the following can be used with an internal identity store?
a. SSID
b. Guest login
c. Administration
d. MAB
Internal identity stores can be used to authenticate user accounts or endpoints. A guest is a
type of internal user that ISE can authenticate. MAB is often used to “authenticate” endpoints
against the internal endpoints identity store.
9. What are the two types of internal identity stores used in ISE?
a. User database
b. Endpoint database
c. System database
d. Admin database
ISE has two different types of internal identity stores: users and endpoints. The user
identity stores hold identities for interactive users, like guests or employees. These have
attributes such as passwords for the authentication of the user. Endpoints have a different kind of
identity. Because they don’t interact with an authentication in most cases, their identities can
often just be their MAC addresses
10. What are the two primary reasons for using external identity stores?
a. Performance
b. Monitoring
c. Scalability
d. Management
External identity stores often exist already in an organization before ISE would be
installed. By pointing to those identity sources, the management overhead is dramatically
reduced because the accounts don’t have to be created again in ISE’s internal database(s).
Additionally, this enables the organization to scale more effectively by having a single source
of truth for identity.
EAP Over LAN (Also Known As 802.1X)
1. Which of the following is true?
a. The authenticator decides whether the supplicant is allowed on the network.
b. The EAP communication occurs between the supplicant and the authentication server.
c. The supplicant uses RADIUS to communicate the user ’s identity to the authentication server.
d. The authenticator uses EAP to send the user ’s credentials to the authentication server.
EAP communication occurs between the supplicant and the authentication server. The
authenticator acts as a middleman and encapsulates the unmodified EAP frames within the
RADIUS communication to the authentication server.
2. Which supplicant(s) is capable of EAP chaining?
a. Windows Native Supplicant
b. Cisco AnyConnect NAM
c. Cisco Secure Services Client (CSSC)
d. Odyssey Client
Only Cisco AnyConnect NAM 3.1 and newer are capable of running EAP chaining as of the
date this book was published.
3. What is the purpose of an outer identity?
a. The outer identity is used for dual-factor authentications such as a username/password
combined with a one-time password (OTP).
b. The outer identity provides a mechanism to modify the actual identity of the end user or
device to allow for identity spoofing.
c. The outer identity provides a mechanism to authenticate the identity of the endpoint during
the tunnel establishment phase.
d. The outer identity represents the machine, whereas the inner identity represents the user
during EAP chaining.
The outer identity provides a mechanism to authenticate the identity of the endpoint during
the tunnel establishment phase
4. True or False? IEEE 802.1X may use TACACS+ to communicate the EAP identity to the
authentication server.
a. True
b. False
IEEE 802.1X must use RADIUS or DIAMETER. Note: DIAMETER is out of scope of the
exam blueprint.
5. True or False? The supplicant is required to trust the certificate of the authentication server
before it will form the TLS tunnel within which the EAP transaction will occur.
a. True
b. False
Supplicants have the option to not authenticate the server certificate. Additionally, EAP-FAST
offers the ability to use PAC files instead of certificates for tunnel establishment.
6. What is the name of the “secure cookie” used with EAP-FAST that can be used in lieu of a
certificate, or even in addition to a certificate?
a. Protected password file (PPF)
b. Shadow credential file (SCF)
c. Private authorization credential (PAC)
d. Protected access credential (PAC)
Protected access credentials (PACs) are a type of “secure cookie” that can be used instead of
or in addition to a certificate.
7. True or False? MSCHAPv2 may be used to perform machine authentication with an LDAP
connection to Active Directory.
a. True
b. False
MSCHAPv2 may be used for user authentication against LDAP, but not machine
authentication.
8. True or False? A machine authentication may use EAP-FAST.
a. True
b. False
The actual tunnel mechanism is unrelated to the ability to do a machine authentication. The
requirement is simply that it must be EAP-MSCHAPv2 for the authentication method.
9. What are the three main components of IEEE 802.1X?
a. Agent, broker, authentication server
b. Supplicant, authorizer, authorization server
c. Authentication server, supplicant, authenticator
d. EAP, RADIUS, TLS
The three main components of 802.X are the authentication server, supplicant, and
authenticator.
10. True or False? A tunneled EAP type is able to use native EAP types as its inner method.
a. True
b. False
A tunneled EAP type is able to use native EAP types as its inner method.
Non-802.1X Authentications
1. True or False? To allow endpoints without configured supplicants to connect to a network
where IEEE 802.1X has been enabled, the administrator must disable 802.1X on the endpoints’
switch port.
a. True
b. False
The available options for nonauthenticating endpoints are MAC Authentication Bypass
(MAB) and Web Authentication (WebAuth).
2. Which of the following is true?
a. With nonauthenticating endpoints, the authenticator takes over the EAP communication
instead of the endpoint.
b. With nonauthenticating endpoints, the authenticator can be configured to send the MAC
address of the endpoint to the authentication server in a RADIUS Access-Request message.
c. The endpoint’s supplicant uses RADIUS to communicate the endpoint’s MAC address to the
authentication server.
d. The authenticator can use TACACS+ to send the endpoint’s MAC address to the
authentication server.
With nonauthenticating endpoints, the authenticator (a switch, for example) can be
configured to send the MAC address of the endpoint to the authentication server in a RADIUS
Access-Request message. This process is known as MAC authentication bypass (MAB).
3. Which of following is an accurate statement when using MAC authentication bypass (MAB)?
a. An administrator is limited in the types of authorization results that can be sent and is
restricted to a simple Permit-All or Deny-All result.
b. An administrator can assign all authorization results, except for VLAN assignment.
c. An administrator can assign all authorization results, except for security group tags (SGTs).
d. An administrator is not limited in the types of authorization results that can be sent, which
can include dACL, VLAN Assignment, SGT, and others.
With MAB, it is not recommended to use VLAN assignment, but MAB authorizations do not
limit the authorization results.
4. True or False? With centralized web authentication (CWA), ISE sends the username and
password to the authenticator.
a. True
b. False
With CWA, the authenticator only recognizes a MAB, and ISE maintains administrative
control of the entire session and the tracking of the user ’s credentials.
5. Which of following accurately describes local web authentication (LWA)?
a. With LWA, the authenticator redirects the end user ’s web traffic to a centralized portal hosted
on the authentication server, which is then returned to the local device (authenticator).
b. With LWA, the authenticator hosts a local web portal, which is coded to send an HTTP POST
to the authentication server containing the credentials of the end user. The authentication
server returns an HTTP POST with the Access-Accept or Access-Reject.
c. With LWA, the authenticator receives the credentials from the end user through a locally
hosted web portal, and it is the authenticator that sends the credentials to the authentication
server through a RADIUS Access-Request.
d. With LWA, the authenticator receives the credentials from the end user through a locally
hosted web portal, and the authenticator sends the credentials to the authentication server
through a TACACS+ Access-Request.
With LWA, the web portal is hosted within the authenticator, the end user enters her
credentials into the web portal and the authenticator sends those credentials inside a RADIUS
Access-Request message to the authentication server. The authentication server returns the
Access-Accept or Access-Reject along with the full response.
6. Which of the following lists are non-802.1X authentications?
a. WebAuth, MAB, RA VPN
b. Remote Access, WebAuth, EAP-MSChapV2
c. PAP, LWA, RA VPN
d. WebAuth, EAP-GTC, HTTP POST
The three main non-802.1X authentication use cases are WebAuth (CWA and LWA), MAB,
and Remote Access VPN (RA VPN).
7. True or False? Cisco recommends changing the VLAN for a guest user after that visitor has
authenticated through Web Authentication to put that guest user into an isolated “guest network.”
a. True
b. False
When changing a VLAN assigned to an endpoint, that endpoint must know (somehow) to
renew the DHCP address. The best solution is to not use VLAN changes on open networks
because there is nothing on the client to detect the VLAN change and trigger the DHCP renewal.
8. Which non-802.1X authentication method uses specialized authorization results to connect a
user ’s credentials to a MAB session?
a. Remote access
b. Local web authentication with a centralized portal
c. Centralized web authentication (CWA)
d. Local web authentication
Centralized web authentication uses a web portal that is hosted on ISE to receive the user ’s
credentials. The authenticator sends a MAB request to ISE, and ISE responds with a RADIUS
Access-Accept, a URL redirection, and often a dACL that limits the access to the network. After
the credentials are received through the web portal, ISE sends a change of authorization (CoA)
to the authenticator causing a reauthentication. The reauthentication maintains the same session
ID, and ISE is able to tie the user ’s credentials to the MAB request, sending the final
authorization results for the end user.
9. What is one of the main reasons that MAB is used in modern-day networks?
a. Most endpoints, such as printers and IP phones, do not have supplicants and therefore cannot
use 802.1X.
b. The endpoints can have a supplicant, but the enablement and configuration of that supplicant could be overcomplicated or operationally difficult for the company. Therefore, the company opts to use MAB instead.
c. The endpoints mostly do have supplicants, but those are not compatible with Cisco networks.
d. MAB is equally as secure as 802.1X and therefore is chosen often to save the company the
operational difficulties of configuring the supplicants on such disparate endpoints.
There are many different “headless” endpoints in an organization, such as IP phones, IP
cameras, printers, badge readers, IV pumps, medical imaging systems, and so many more.
Some do not have supplicants. For those that do, the enablement and configuration of
supplicants on the disparate endpoints could be overcomplicated or operationally difficult for
the company. Many of the devices do not have a central management platform that is capable of
configuring each supplicant across large numbers of devices deployed at scale. Therefore,
MAB is chosen to provide network access to those headless devices.
10. True or False? Web authentication can be used for guest users as well as internal employees.
a. True
b. False
Web authentication is used for any interactive login when a supplicant is not available, and
sometimes it is even used as second authentication after 802.1X.
Introduction to Advanced Concepts
1. A RADIUS change of authorization enables an authentication server to do which of the
following?
a. Escalate an administrative user ’s access level within the server ’s administration portal
b. Grant context appropriate network access after initial access has previously been granted
c. Gain root-level access of all network devices
d. Take over the world
A RADIUS CoA allows an authentication server to trigger a reauthorization. This provides
an opportunity for the server to update a user ’s level of network access as the server learns
additional information about an endpoint, such as endpoint posture information.
2. Three possible options for change of authorization actions are which of the following?
a. IKEv1, IKEv2, SSL
b. HTTP, FTP, Telnet
c. No COA, Port Bounce, Reauth
d. User mode, privileged mode, configuration mode
In a situation where a CoA is warranted, an authentication server can perform a number of
actions: No COA (that is, do nothing), Port Bounce (i.e. shut/no shut the relevant access “port”),
or Reauth (that is, force the endpoint to reauthenticate in cases where multiple endpoints are
present on a single access medium.). Supported CoA actions can vary depending on the selected
authentication server.
3. MAC Authentication Bypass is a process by which a device does which of the following?
a. Bypasses all authentication and authorization processes by using a supplicant
b. Authenticates with an X.509 certificate to establish a secure tunnel with the network
c. Authenticates without a 802.1X supplicant on the endpoint by using its MAC address as the
RADIUS identity
d. Hides its MAC address from being discovered on the network
Those devices that don’t have an 802.1X supplicant available use MAC Authentication
Bypass. Without the supplicant, the device does not recognize EAP messages and, therefore,
EAP authentication techniques are NOT available. In the absence of EAP, the device will use its
MAC address as its unique identifier to authenticate to the network.
4. A MAC address is six octets in length, of which the first three octets are which of the
following?
a. A duplicate of the IP address subnet in hexadecimal format
b. Always the same across all network devices
c. Assigned dynamically upon connection to the network
d. An organizationally unique identifier (OUI) that indicates the device’s vendor
e. All F’s—that is, FF:FF:FF
The first three octets of a MAC address are the organizationally unique identifier (OUI).
This OUI indicates which vendor manufactured the device. This can be useful, at times, to also
indicate the function of the device—for instance, an IP phone or printer.
5. Which devices often lack an 802.1X supplicant?
a. Printers
b. Laptops
c. Cell phones
d. All of the above
Often, the “dumb” network devices are those that lack 802.1X supplicants. From this list, a
printer would be the most common device to lack 802.1X support. Other examples would
include an IP phone, IP cameras, and badge readers, amongst others.
6. Prior to MAB, a switchport with a non-802.1x client would be configured without 802.1x. This
presented issues because of which of the following?
a. A broadcast storm would be created as the endpoint device was plugged into the interface.
b. A non-802.1x client would still not be able to gain network access.
c. A rogue user could unplug the non-802.1x endpoint and gain unauthorized access to the
network.
d. Rebooting the device would cause the switchport to go into error disable.
Prior to MAB, there wasn’t a mechanism to authenticate a device based strictly on the
device’s MAC address. For this reason, the switchport would be configured without port
security or any level of end user or device authentication. This would allow any device, either
the intended device or an unintended rogue device that was plugged into that switchport, to have
unfettered access to the network.
7. Posture assessment can check for which of the following?
a. File conditions including existence, date, and/or version
b. Registry condition, whether a registry entry is or is not present, on Windows-based
endpoints
c. Service condition, whether a service is or is not running, on Windows-based endpoints
d. A and B
e. B and C
f. A, B, and C
Via posture checking, the endpoint can be checked for file conditions (existence, date,
and/or version), registry conditions (whether a registry entry is or is not present), and service
condition (whether a service is or is not running), so all of the above are correct. posture
checking also can confirm the presence, absence, and status of antivirus and antispyware
programs running on the endpoint.
8. When configuring authorization policy based on posture assessment outcome, which of the
following values are available for the PostureStatus attribute?
a. Permit, Deny, Drop
b. Compliant, NonCompliant, Unchecked
c. Internet Only, Partial Access, Full Access
d. Compliant, NonCompliant, Unknown
e. AntiVirusNotPresent, AntiVirusNeedsUpdate, AntiVirusCurrent
When using posture assessment as a condition for authorization policy, the values of the
PostureStatus condition can be Compliant, NonCompliant, or Unknown. Different levels of
network access and/or remediation can be authorized based on the status of this variable.
9. To remediate noncompliant endpoints, a redirect ACL must be defined _____ and the web
redirection must be destined to ______ portal on the authentication server.
a. as a dACL, remediation
b. on the switch, remediation
c. as a dACL, profiling mitigation
d. on the switch, profiling mitigation
e. as a dACL, authentication DMZ
f. on the switch, authentication DMZ
To remediate a noncompliant endpoint, a redirect ACL must be defined on the switch and the
redirect destination must be set to remediation portal.
10. A mobile device manager is which of the following?
a. A network administrator responsible for onboarding all mobile devices into the
authentication server
b. An application that runs on a mobile device, allowing the user or endpoint to manage the
authentication server and other network devices
c. A wireless access point that detects rogue mobile endpoints
d. A software system or service that provides advanced posture assessment for mobile
endpoints
A mobile device manager is a software system or service that provides advanced posture
assessment for mobile endpoints. The MDM can determine the type of mobile device, the level
of operating system on the endpoint, the presence/absence of PIN lock, and whether encryption
is being used, as well as provide remote security services such as device lock and secure wipe.
Depending on the MDM vendor chosen, additional services also might be available.
Cisco Identity Services Engine
1. Cisco Identity Services Engine (ISE) is which of the following?
a. A switch that provides authenticated access to the network
b. A network management platform
c. A network security and policy platform
d. A unified computing system that incorporates virtualization of endpoints
Cisco Identity Services Engine is a network security and policy platform. Using Cisco ISE, a
network administrator can maintain and serve security policy to all network devices from a
central location.
2. The four key personas of Cisco ISE are which of the following? (Select four.)
a. Administration
b. Authentication Server
c. File Download
d. Monitoring and Troubleshooting
e. Policy Services Node
f. Identity Management
g. Inline Posture Node
Cisco ISE has four personas. These personas are Administration, Monitoring and
Troubleshooting, Policy Services Node, and Inline Posture Node. Each of these personas is
required at least once in an ISE deployment, with the exception of the Inline Posture Node. The
function of each persona is discussed within the chapter.
3. The Cisco ISE Administration Node persona is which of the following?
a. The node where policy configuration changes are made
b. The network management platform for the network
c. The engine where policy decisions are made
d. Responsible for logging and reporting data
Cisco ISE’s Policy Administration Node (PAN) persona is the instance of Cisco ISE where
policy configuration actually happens. This persona will then distribute this policy to all other
nodes.
4. The Cisco ISE Monitoring and Troubleshooting Node persona is which of the following?
a. The node where policy configuration changes are made
b. The network management platform for the network
c. The engine where policy decisions are made
d. Responsible for logging and reporting data
The Cisco ISE Monitoring and Troubleshooting (MnT) Node persona provides a platform
for logging and reporting data from the Cisco ISE deployment. As a user or device
authenticates and authorizes to the network, the ability to monitor and log those AAA events will
be the responsibility of the Monitoring and Troubleshooting Node
5. The Cisco ISE Policy Service Node persona is which of the following?
a. The node where policy configuration changes are made
b. The network management platform for the network
c. The engine where policy decisions are made
d. Responsible for logging and reporting data
The Cisco ISE Policy Service Node (PSN) persona provides policy decision-making. As a
user or an endpoint attempts to authenticate to the network, the PSN will be responsible for
making the AAA decisions based on the policy as downloaded from the Cisco ISE Policy
Administration Node (PAN).
6. Which of the following is true about the Cisco ISE Inline Posture Node persona?
a. A gatekeeper that enforces access policies and handles CoA requests, specifically for those
that cannot process CoA requests
b. Is an ergonomic tool included within Cisco ISE to ensure that network administrators are not
slouching on the job
c. Allows users to always bypass authentication and authorization, giving them unfettered
access to the network.
d. Sniffs all the packets sent from an endpoint, inline, making sure that the endpoint is not
distributing viruses and malware onto the network.
The Cisco ISE Inline Posture Node is responsible for enforcing access policies and handling
the CoA requests for those network access devices that cannot process CoA requests. After an
endpoint is authenticated, the Inline Posture Node will ensure that the posture of the endpoint
adheres to the network security policy.
7. A virtual ISE appliance should do which of the following?
a. Be kept as small as possible for speed and agility
b. Be appropriately sized to match the equivalent physical appliance
c. Reserve the appropriate resources to ensure that other virtualized applications do not
cannibalize the ISE resources
d. A and B
e. B and C
f. A, B, and C
If you choose to deploy ISE as a virtual appliance, it is paramount that you allocate the
appropriate virtual resources to best emulate the equivalent SNS-3415 or SNS-3495 physical
appliance. Also, you should reserve 100% of these resources to ensure that other virtualized
network functions do not starve the ISE of the resources.
8. In a single-node/standalone deployment of ISE which of the following is true?
a. Each ISE appliance services a single network access device.
b. Each ISE appliance services only a single ISE persona.
c. All endpoints bypass authentication.
d. All core ISE personas reside on a single ISE appliance.
In a single-node deployment of ISE, all ISE personas (PAN, MNT, and PSN) reside on a
single appliance. In this deployment, there are no options for redundancy. For instance, if the
PSN persona fails, or if the physical appliance fails, RADIUS authentications and authorizations
will fail until the issue can be resolved.
9. In a four-node deployment of Cisco ISE, the ____ and ____ personas are combined on two of
the appliances, while the ____ persona is by itself on each of the other two appliances.
a. PAN, PSN, MNT
b. PAN, IPN, MNT
c. PSN, MNT, IPN
d. PSN, PAN, MNT
e. PAN, MNT, IPN
f. PAN, MNT, PSN
In a four-node ISE deployment, the PAN and MNT personas are combined on two of the
appliances, with each acting as primary on one appliance and secondary on the other appliance.
On the remaining two appliances, only the PSN persona is configured.
10. The maximum number of PSNs supported with ISE 1.2 in a fully distributed deployment model
is ____, resulting in a maximum number of supported endpoints of ______.
a. 5; 5,000
b. 5; 10,000
c. 5; 50,000
d. 40; 5,000
e. 40; 20,000
f. 40; 250,000
In a fully distributed ISE deployment, the ISE PAN and MNT personas each reside on a
separate appliance (or a separate pair of appliances if redundancy is required). Each of the PAN
and MNT appliances will be an SNS-3495 appliance (or equivalent virtual appliance). With these
PAN and MNT functions distributed, up to 40 PSNs can be deployed. For each SNS-3415 PSN
deployed, up to 5,000 endpoints can be supported. For each SNS-3495 PSN deployed, up to
20,000 endpoints can be supported. A limitation on the PAN/MNT nodes, however, will allow
only up to 250,000 endpoints to be supported in a single fully distributed ISE 1.2 deployment.
Cisco ISE Graphical User Interface
1. Which is true of the Cisco ISE GUI?
a. Requires a separate application to access it
b. Uses a “standard,” Adobe Flash-capable web-browser
c. Does not exist—ISE is only configurable via command-line interface (CLI)
d. Requires Cisco Network Assistant
The Cisco ISE GUI is available via an Adobe Flash-capable web-browser. As of Cisco ISE
1.2, the two supported browsers are Mozilla Firefox and Microsoft Internet Explorer.
2. To ensure the highest level of security, the ISE administrative GUI uses which of the following?
a. SSH
b. SCP
c. HTTP
d. HTTPS
The best way to ensure a secure connection is by encrypting the communications between the
ISE and the device being used for the administrative portal. If HTTP were to be used, any device
in the network flow, between the administrative device and ISE, could eavesdrop or play “manin-
the middle” on the communications, either compromising the administrative credentials or
surreptitiously injecting a different security policy. To prevent this from happening, ISE
leverages HTTPS, encrypting all traffic between the administrative device and ISE, and
ensuring that the traffic sent from the administrative device arrives securely without
compromise. SSH and SCP are not protocols that are typically used for GUI-based portals.
3. The initial certificate presented by the ISE administrative GUI is typically which of the
following?
a. Signed by a trusted, public certificate authority
b. A self-signed certificate automatically generated by ISE
c. Delivered in a separate envelope from the ISE appliance
d. Put in a frame and hung over your desk at work
To establish the initial, secure connection with ISE, ISE will generate a self-signed
certificate. Because a trusted certificate authority, either a local CA or a third-party, public CA,
has not signed it, the certificate can cause a security warning within the web browser that is
being used for administrative access. If you are confident that a man-in-the-middle or other
nefarious device is NOT presenting this certificate, you can permanently accept this certificate
within the web browser to prevent these security warnings in the future. Ideally, it is best to
install a certificate from a trusted CA (a CA that already exists in the browser store—either a
local CA or a third-party public CA) onto ISE. This, too, will prevent these security warnings in
the future.
4. Components within the Operations section of ISE allow an administrator to do which of the
following?
a. Actively monitor, report, and troubleshoot active authentication and authorization sessions
b. Configure how ISE will operate on the network
c. Create the web portals for client provisioning
d. Modify the security policy of ISE
The Operations tab of Cisco ISE allows an administrator to monitor, report, and
troubleshoot active authentication and authorization sessions.
5. The Policy tab of the Cisco ISE GUI allows an administrator to configure all of the following
EXCEPT which?
a. Authorization
b. Client provisioning
c. Web portals
d. Security group access
The Policy tab of the Cisco ISE GUI allows an administrator to configure authentication,
authorization, profiling, posture, client provisioning, and security group access—amongst
others. web portals, however, are configured under the Administration tab.
6. You can configure which of the following item(s) under the Administration tab of Cisco ISE?
a. Policy elements
b. Certificates
c. Dictionaries
d. Network devices
e. A, B, and C
f. B, C, and D
g. B and D
The Administration tab of Cisco ISE can be used to configure all “setup”-type functions of
ISE. These functions are those that are often set up one time and rarely modified thereafter. In
this case, certificates and network devices are two items that are configured under the
Administration tab and are rarely modified after their initial configurations.
7. When adding a network access device to Cisco ISE, which of the following details can be
configured under the network device? (Select three.)
a. MAC address
b. IP address
c. Device name
d. RADIUS server IP address
e. RADIUS shared secret key
f. Mobile device manager
g. SGA AAA Servers
When adding a new network access device to Cisco ISE, you must provide a device
name and a device IP address. If you intend to use a Cisco ISE RADIUS server for authentication
and authorization (the usual purpose of Cisco ISE in a network deployment), you will also need
to add a shared secret key for RADIUS. The RADIUS server IP address is configured on the
NAD, pointing to Cisco ISE. Mobile device managers and SGA AAA Servers are unrelated to
the network device configuration.
8. An authentication policy within ISE is used to do which of the following?
a. Determine what the endpoint will be given access to
b. Identify the endpoint or the user of the endpoint as it connects to the network
c. Determine the type of security software that is running on the endpoint
d. Quarantine a user if the endpoint is on the Blacklist
Authentication is the process by which ISE identifies the endpoint or the user of the endpoint
as it connects to the network. The authentication policy is used for this purpose.
9. Profiling policies within ISE can leverage all of the following protocols to determine the type
of endpoint that is accessing the network EXCEPT which? (Select two.)
a. DHCP
b. RADIUS (by proxy)
c. SSH
d. HTTP(S)
e. FTP
When an endpoint attempts to access the network, it automatically sends a number of
different packets onto the network—“normal” communication for a networked device. The
information contained within these packets can often be leveraged by ISE to determine the type
of device (profiling the device) that is sending the information. The MAC address of the
endpoint—either learned via EAP or via MAC Authentication Bypass on the NAD—is
forwarded to ISE via RADIUS. The endpoint’s DHCP requests to get an IP address can also be
sent to ISE, allowing ISE to extract key identifying information from this DHCP process.
Finally, HTTP(S) communications between the endpoint and ISE portals can be used to further
identify the type of device that is accessing the network. Using RADIUS, DHCP, and HTTP (and
other protocols), ISE can make a pretty good determination as to the type of device that is
accessing the network. ISE currently does not support the use of SSH or FTP as a vehicle for
profiling an endpoint.
10. Client provisioning is a process whereby all necessary _______ and _______ are deployed to
the endpoint, allowing the endpoint to more easily, maybe even automatically, join the network
in the future.
a. credentials, configurations
b. regulations, policies
c. IP addresses, ACLs
d. protocols,processes
During the client provisioning process, the necessary credentials and configurations are
deployed to the endpoint, allowing the endpoint to automatically join the network on the next
attempt with little or no interaction from the user.
Initial Configuration of Cisco ISE
1. Which rights and permissions are required for the account used to join Cisco ISE to the Active
Directory domain?
a. Search Active Directory, Remove workstation from domain, Change passwords
b. Write to Active Directory, Add workstation to organizational unit, Read properties of
computer objects
c. Search Active Directory, Add workstation to domain, Set attributes on the new machine
account
d. Write to Active Directory, Add workstation to domain, Read properties of computer objects
The permissions needed to join ISE to AD are Search Active Directory (to see whether ISE
machine account already exists), Add workstation to domain (if it does not already exist), and
Set attributes on the new machine account (OS type and version—optional).
2. Which CLI command lists all the ISE processes and their statuses?
a. show status ise
b. show application status ise
c. show application status
d. show version
The show application status ise command lists all the ISE processes and their
statuses.
3. Which two functions does a certificate fulfill when used with HTTPS and EAPoverLAN?
a. Authenticates the server to the client, and the encryption method is embedded in the
transform-set field within the certificate.
b. Identifies the client to the NAD and is used as the basis for the encrypted transport between
the client and the NAD.
c. Authenticates the server to the client and is used as the basis for the encrypted transport
between the client and server.
d. Authenticates the client to the NAD, and the encryption method is embedded in the transformset
field within the certificate.
In both HTTPS and TLS connections, certificates are used to authenticate the server to client
and act as the basis for the encrypted transport between the client and the server.
4. True or False? When submitting a certificate signing request (CSR), the CSR and the private
key are sent to the signing certificate authority (CA), so the CA can sign the key-pair.
a. True
b. False
Only the CSR is submitted to the signing CA. The private key should be backed up but never
given out to a third party.
5. True or False? Settings such as RADIUS shared secret keys and SNMP strings can be set on a
per Network Device Group (NDG) level.
a. True
b. False
Settings such as RADIUS shared secret keys and SNMP strings can be set only on a per-NAD
basis.
6. What is a valid use of network device groups?
a. Use NDG as the condition by which to build different policy sets for the staged deployment
of ISE.
b. Use the incoming authentication protocol type to route the authentication to a network device
group that is able to process that authentication type.
c. Use the NDG to determine to which ISE policy node to route the authentication request.
d. The result of an authorization policy will allow the user to log in and control devices within
the assigned network device group.
Use NDG to build different policy sets for the staged deployment of ISE.
7. True or False? Local endpoint identity groups should be created per endpoint profile instead of
using the attribute itself.
a. True
b. False
It is a best practice to use endpoint identity groups only for MAC address management
instead of profiles.
8. True or False? Cisco ISE 1.2 can join 1 Active Directory Forest and process authentications for
any domain in the forest with 2-way trusts.
a. True
b. False
ISE 1.2 is capable of joining only a single AD domain.
9. What is the purpose of a certificate authentication profile (CAP)?
a. Defines which CA to use for revocation checking via either certificate revocation lists
(CRLs) or online certificate status protocol (OCSP).
b. Used with MSCHAPv2 for a client to validate the authentication server.
c. Serves as the identity source for certificate authentications and defines the field of a
certificate whose data will be extracted and used as the principle identity for the authorization
process.
d. Used with EAP-FAST to allow for faster reauthentications and secure transport without the
use of X.509 certificates.
Serves as the identity source for certificate authentications and defines the field of a
certificate whose data will be extracted and used as the principle identity for the authorization
process.
10. True or False? It is critical to use Network Time Protocol (NTP) to ensure the time is
synchronized correctly between Cisco ISE and Microsoft Active Directory.
a. True
b. False
Foundation
The Network Time Protocol is critical for all network interactions that require timesensitive
interactions, including the interaction between the Cisco ISE and the Active Directory.
Endpoint identity certificates also require an NTP synchronized time on Cisco ISE.
Authentication Policies
1. Which of the following is required to perform MAB from a Cisco network device?
a. The RADIUS packet must have the service-type set to login and the calledstation-
id populated with the MAC address of the endpoint.
b. The RADIUS packet must have the service-type set to Call-Check and the
calling-station-id populated with the MAC address of the endpoint.
c. The RADIUS packet must have the service-type set to Call-Check and the calledstation-
id populated with the MAC address of the endpoint
d. The RADIUS packet must have the service-type set to login and the callingstation-
id populated with the MAC address of the endpoint
The RADIUS packet must have the service-type set to Call-Check. The servicetype
dictates the method of authentication. The calling-station-id field must be
populated with the MAC address of the endpoint.
2. Which EAP type is capable of performing EAP chaining?
a. PEAP
b. EAP-FAST
c. EAP-TLS
d. EAP-MD5
Only EAP-FAST and TEAP (RFC 7170) have EAP chaining capabilities as of the publishing
of this book.
3. Which of the following choices are purposes of an authentication policy?
a. To permit or deny access to the network based on the incoming authentication request
b. To apply access control filters, such as dACL or security group tags (SGTs), to the network
device to limit traffic
c. To drop requests using an incorrect authentication method, route authentication requests to
the correct identity store, validate the identity, and “pass” successful authentications over to
the authorization policy
d. To terminate encrypted tunnels for purposes of remote access into the network
An authentication policy is meant to drop traffic that isn’t allowed, meaning it is using an
authentication protocol that is not configured, it will route authentication requests to the correct
identity store to validate the identity, and “pass” successful authentications over to the
authorization policy.
4. True or False? You must select Detect PAP as Host Lookup to enable MAB requests for Cisco
nNetwork devices.
a. True
b. False
Only the Process Host Lookup check box must be select in the Allowed Protocols for Cisco
MAB to work. Detecting another protocol as Host Lookup is only for non-Cisco network
devices.
5. True or False? Policy conditions from attribute dictionaries can be saved as conditions inline
while building authentication policies.
a. True
b. False
Reusable conditions can be built on-the-fly while building the authentication policy, and they
are saved as dictionary objects.
6. Which method will work effectively to allow a different Identity store to be selected for each
EAP type used?
a. This is not possible because the first rule to match 802.1X will be used and no further rules
can be used.
b. Create one authentication rule that matches a service type framed for each of the EAP
protocols. Each authentication rule should have one subrule that matches the
EapAuthentication (such as EAP-TLS, EAP-FAST, and so on).
c. This is only possible for the main EAP types. If there is an inner method of EAP-MSCHAPv2
with PEAP, it must be sent to the same identity store as the EAP-MSCHAPv2 inner method of
EAP-FAST.
d. Create one sub-rule for each EAP type under the default 802.1X authentication rule that
points to the appropriate identity store per rule.
Create one sub-rule for each EAP type under the default 802.1X authentication rule that
points to the appropriate identity store per rule.
7. Which RADIUS attribute is used to match the SSID?
a. calling-station-ID
b. source-wireless-SSID
c. framed-station-ID
d. called-station-ID
The Called-Station-ID attribute is used to match the source SSID.
8. Which RADIUS attribute contains the MAC address of the endpoint?
a. calling-station-ID
b. source-wireless-SSID
c. framed-station-ID
d. called-station-ID
The Calling-Station-ID attribute contains the MAC address of the endpoint
9. What is the purpose of the continue option of an authentication rule?
a. The continue option is used to send an authentication down the list of rules in an
authentication policy until there is a match.
b. The continue option sends an authentication to the next sub-rule within the same
authentication rule.
c. The continue option is used to send an authentication to the authorization policy, even if the
authentication was not successful.
d. The continue option will send an authentication to the selected identity store.
The continue option is used to send an authentication to the authorization policy even if the
authentication was not successful.
10. True or False? The Drop option for an authentication rule will allow ISE to act as if it were not
“alive” so the network device will no longer send authentication requests to that ISE server.
a. True
b. False
The Drop option for an authentication rule will allow ISE to act as if it were not “alive” so
the network device will no longer send authentication requests to that ISE server.
Authorization Policies
1. What is an authorization profile?
a. An authorization profile is a rule in the policy table that is formatted like “IF condition
THEN result.”
b. An authorization profile is created to determine which identity store to validate the
credentials with.
c. An authorization profile is a sequential list of identity stores to validate the credentials with.
d. An authorization profile is the mandatory result of an authorization rule.
An authorization profile is the required authorization result that is made up of multiple
RADIUS attributes. These RADIUS results will affect the ultimate security policy deployed to
the NAD on behalf of the endpoint.
2. What is the purpose of an authorization profile?
a. It contains the TACACS+ response (Access-Accept or Access-Reject) along with the
additional authorization attributes to be sent to the network device for enforcement.
b. It contains the RADIUS response (Access-Accept or Access-Reject) along with the additional
authorization attributes to be sent to the network device for enforcement.
c. It contains the RADIUS response (Continue or Terminate) along with additional
authorization attributes to be sent to the network device for enforcement.
d. It contains the TACACS+ response (Continue or Terminate) along with additional
authorization attributes to be sent to the network device for enforcement.
It contains the RADIUS response (Access-Accept or Access-Reject) along with the additional
authorization attributes to be sent to the network device for enforcement.
3. Which of the following options are part of the common tasks section of an authorization
profile?
a. Access-Type (Continue or Terminate), DACL-Name, Web-Redirection, Auto Smart Port
b. Access-Type (Accept or Reject), DACL-Name, Web-Redirection, Auto Smart Port
c. DACL-Name, Role-Assignment, Local WebAuth, Auto Smart Port
d. DACL-Name, Web-Redirection, Local WebAuth, Auto Smart Port
DACL-Name, Web-Redirection, Local WebAuth, Auto Smart Port. These common tasks, as
well as the others, are the most often used RADIUS AVPs that will be sent to the NAD for secure
policy enforcement of the endpoint.
4. Which of the following is correct?
a. An authorization policy contains authorization rules. Each rule will have at least one
authorization profile.
b. An authorization rule contains authorization policies. Each policy will have at least one
authorization profile.
c. An authentication policy contains authorization rules. Each rule must have an authentication
result.
d. An authentication rule contains the authorization profiles. Each profile must contain one
authentication result.
An authorization policy contains authorization rules. Each rule will have at least one
authorization profile.
5. True or False? Condition attributes can be saved into a library for future use and improved
readability.
a. True
b. False
True. Condition attributes can be saved into a library for future use and improved
readability.
6. What is special about the authorization profile required for an IP phone?
a. It contains the DNS name or IP address of the Cisco Call Manager Server.
b. It contains the voice domain permission AV pair, which authorizes the endpoint to access the
voice VLAN assigned to the interface.
c. It contains the value for DHCP option 43, which provides the IP address of the Cisco Call
Manager Server.
d. It contains the voice domain permission macro, which reconfigures the switch port to be a
voice interface.
It contains the voice domain permission (cisco-av-pair = device-traffic-class = voice), which
authorizes the endpoint to access the voice VLAN assigned to the interface.
7. What is the difference between a simple condition and compound condition?
a. Simple conditions are easier to use than compound conditions.
b. Simple conditions are created on-the-fly within the expression builder, while compound
conditions must be created separately.
c. Simple conditions contain only one attribute. Compound conditions contain multiple
attributes along with an operator such as AND or OR.
d. Simple conditions and compound conditions can each contain multiple attributes, but
compound conditions can mix operators such as AND or OR.
Simple conditions contain only one attribute. Compound conditions contain multiple
attributes along with an operator such as AND or OR.
8. True or False? A compound condition can contain a mixture of simple conditions and raw
attributes.
a. True
b. False
A compound condition can contain a mixture of simple conditions (which are saved
dictionary attributes) and raw attributes themselves.
9. What should be the end goal of a Secure Access deployment?
a. To provide full access to the network, so security devices such as an ASA firewall can
provide defense-in-depth
b. To provide full access to the network, as long as the authentication is successful, and provide
limited access to any failed authentications
c. To secure the network by purchasing Cisco ISE, thereby increasing the stock value of the
company
d. To provide very specific permissions to any authorization, providing defense-in-depth
To provide very specific permissions to any authorization, providing defense-in-depth while
meeting the goals of the company’s security policy. A printer, for example, should not have
unfettered access to the network; instead it should have only what is needed (such as reaching
the print servers).
10. What is unique about Cisco’s downloadable Access Control Lists (dACLs)?
a. Cisco dACLs allow the RADIUS server to apply ACLs that exist on the switch simply by
sending the name of the ACL in the RADIUS AV pairs, while non-Cisco network devices
cannot apply ACLs.
b. Cisco downloadable ACLs are created by experts at Cisco and published to Cisco.com where
Cisco ISE can download the ACLs.
c. Cisco dACLs are created entirely on the RADIUS server, and the full ACL is sent down to the
network device within RADIUS AV pairs, while non-Cisco network devices must create the
ACL on the individual local network device.
d. Cisco dACLs are unique because they are downloaded from ISE and applied to the Cisco
ASA that is in the network path, relieving the network device from the burden of traffic
control.
Cisco dACLs are created entirely on the RADIUS server, and the full ACL is sent down to the
network device within RADIUS AV pairs, while non-Cisco network devices must create the ACL
on the individual local network device. This allows the Cisco admin to create and maintain the
access lists in a central place and have any changes applied nearly instantly.
Implementing Secure Network Access
1. When configuring a Cisco switch for 802.1X, at which level of the configuration do the
802.1X-related commands exist?
a. Global configuration only.
b. Interface configuration only.
c. Both at global configuration level as well as per interface.
d. Enabling 802.1X changes the context to a dot1x subconfiguration mode, where all related
commands are entered.
802.1X requires global-level configuration for servers, enabling 802.1X on the system itself,
configuring change of authorization, and enabling VSAs among others. Additionally, each
interface that will be performing authentication will require interface-level commands
2. When configuring a Cisco Wireless LAN Controller (WLC) for communication with ISE, what
must be configured for the wireless LAN (WLAN)? (Choose two.)
a. The authentication and authorization RADIUS servers can be pointed to different ISE PSNs,
as long as those PSNs are part of a node group.
b. The authentication and authorization RADIUS servers can be pointed to the same ISE PSN.
c. The WLAN must be configured for SNMP NAC.
d. The WLAN must be configured for RADIUS NAC.
When interacting with an advanced RADIUS server, such as Cisco ISE, Cisco WLCs
require that the same ISE PSN be configured as the authentication and accounting server for the
WLAN. Additionally, RADIUS NAC must be enabled on the advanced tab of the WLAN
configuration.
3. True or False? Cisco switches should be configured in production to send syslog messages to
the ISE MNT node.
a. True
b. False
Cisco switches can be configured to send syslog to the MNT node, where the data will be
correlated as part of the authentication reports. However, this should be configured only when
performing active troubleshooting or during an initial pilot/PoC.
4. What is the purpose of adding a user with the username radius-test password
password command?
a. The switch can send periodic RADIUS Access-Requests to the AAA servers to verify whether
they are still alive. The username and password will be used for that test.
b. The username and password are used for the local RADIUS server available in the switch,
which is used in WAN down scenarios.
c. The username and password are used for the supplicant’s outer identity to authenticate
against the switch local user database.
d. Without the local username and password in the configuration, an administrator can be
locked out of the switch when the RADIUS server is unavailable.
The switch will send periodic test authentication messages to the RADIUS server (Cisco
ISE). It is looking for a RADIUS response from the server, either an Access-Accept or Access-
Reject will suffice. The username and password used by the automated test must exist in the
configuration.
5. True or False? 802.1X can be configured on all switch interfaces, including Layer-3 interfaces.
a. True
b. False
Switch interfaces must be configured as Layer-2 access ports to run 802.1X (switchport).
6. Which of the following technologies enables an administrator to maintain the same
configuration on all access ports, on all switches, regardless of the type of device connecting to
the network?
a. AnyConnect
b. Multi-Auth
c. Flex-Auth
d. Flex-Connect
Flex-Auth allows a network administrator to set an authentication order and priority on the
switchport, thereby allowing the port to attempt 802.1X, MAC authentication bypass, and then
WebAuth in order. All of these functions are provided while maintaining the same configuration
on all access ports, thereby providing a much simpler operational model for customers than
traditional 802.1X deployments.
7. Which host mode will permit a virtually unlimited number of endpoints per port, allowing all
subsequent MAC addresses to share the authorization result of the first endpoint authorized?
a. Single Mode
b. MDA
c. Multi-Auth
d. Multi-Host
Multi-Host mode is not commonly used but is still a valid option. Much like Multi-Auth
mode, Multi-Host mode is an extension to MDA. There is one authentication on the voice
domain and one authentication on the data domain. All other hosts on the data domain will be
allowed onto the network using the first successful authentication. It’s an “authenticate one,
allow the rest” type of model.
8. Which interface-level command is the equivalent of “turn authentication on”?
a. authentication port-control auto
b. dot1x system-auth-control
c. ip device-tracking
d. aaa server radius dynamic-author
The authentication port-control auto command will enable authentication on
the port and allow the authorization result to be sent from the RADIUS server. Short answer:
“Turn authentication on!”
9. Which command on a Cisco switch will display the current status of the AAA server(s)?
a. show authentication servers
b. show radius servers
c. show aaa servers
d. show ise servers
The show aaa servers command is a quick and simple way to see the current status of
the ISE server from the switch’s perspective.
10. Which command will validate that authentications are being attempted, which authentications
are successful, and which authorization results have been assigned?
a. show authentication method dot1x
b. show aaa servers
c. show authentication statistics
d. show authentication session interface
The command will show that the authentications are being attempted, which are successful,
which authorization results have been assigned, and much more. Some of the information that is
quickly provided by this command output includes the endpoint’s MAC address, the
authentication method used, any assigned redirect URL, Access Control Lists, and other
RADIUS AVPs that are provided via the authentication and authorization process.
Web Authentication
1. Before a Cisco switch will generate a self-signed certificate, which configuration is required?
a. The internal CA must be enabled.
b. An IPv6 address.
c. A Cisco switch cannot generate a self-signed certificate.
d. A domain name.
The Cisco switch will need the https server enabled to redirect https traffic. Before that
service can be enabled, the switch needs a certificate. One of the prerequisites is a hostname and
domain name, providing the switch a fully qualified domain name (FQDN). This FQDN will
become the Subject Name of the self-signed certificate.
2. True or False? The URL redirection ACL can be downloaded from ISE to the NAD.
a. True
b. False
The traffic filtering ACL can be downloaded from ISE as a dACL, but the redirection ACL
must preexist on the switch and is called by reference using a RADIUS AV-Pair. The
AirespaceOS-based Cisco WLCs support only locally configured ACLs; therefore, all ACLs
must be called by reference (also named ACLs).
3. Which of the following settings is required for a WLAN to support CWA on the Cisco WLC?
a. SNMP NAC
b. Layer-3 Authentication
c. RADIUS NAC
d. Fast Transition
RADIUS NAC is a critical setting for the WLAN that enables URL redirection and the pre-
RUN states. Without this setting, CWA is not possible.
4. For wired and wireless MAB, which option must be configured for unknown identities?
a. Drop
b. Continue
c. Reject
d. Pass
CWA is controlled by the Authorization Policy. Even an unknown MAC address needs to
“continue” out of the Authentication Policy, so the appropriate response can be sent to the NAD,
including the URL redirection to the portal.
5. Which of the following rule types need to be created for CWA? (Choose two.)
a. A WebAuth authentication rule must be created for the authentication through the web portal.
b. An authorization rule must be created that redirects the user to the CWA portal.
c. An authentication rule must be created that permits access to users who have successfully
authorized through the CWA portal.
d. An authorization rule must be created that permits access to users who have successfully
authenticated through the CWA portal.
e. A WebAuth authentication rule must be created that redirects the end user to the CWA portal.
The first rule should match if no more specific authorization rule is used and should
redirect the user to the CWA portal. The second rule types should exist above the redirection
rule and allow access to the user after she has successfully authenticated to the CWA portal. The
authorization policy rules read like an ACL—from top down, whereby the first matched rule is
applied.
6. Which of the following capabilities exists for MyDevices portals in ISE 1.2 but not the Device-
Registration portal?
a. MyDevices provide a portal for the end user to manage his endpoints.
b. MyDevices provides the ability to automatically populate the MAC address of the endpoint.
c. MyDevices did not exist in ISE version 1.2.
d. MyDevices is linked to the MDM and has the knowledge of which device belongs to a user.
DRW is an older method but uses a base license only. It does not provide a portal for the end
user to manage his endpoints. When the end user accepts the AUP, the device’s MAC address is
automatically added to the configured Endpoint Identity Group.
7. True or False? CWA and DRW are using the same RADIUS attributes; the difference is in the
actual URL sent down to the NAD.
a. True
b. False
The same URL-Redirect and URL-Redirect-ACL AV pairs are sent to the Cisco NADs
regardless of the redirection type. The URL will be different for each portal type. When
building the authorization profile, the common tasks area will provide a drop-down to select the
type of URL redirection being used and to change the URL accordingly
8. Which command on the NAD will display information about the URL-redirected session,
including the MAC address, IP address, dACL, URL-redirect ACL, and the URL to which the end
user is being redirected?
a. show epm redirection
b. show authentication sessions
c. show epm authentication | include redirection
d. show authentication session interface [interface-name]
The show authentication sessions interface [interface-name] is like the Swiss Army knife
of show commands for authentications. With the output, you see the MAC address, IP address,
dACL (listed as an ACS ACL), URL-redirect ACL, and URL to which the end user is being
redirected.
9. Which of the following locations within the ISE GUI should you examine to validate that CWA
is working? (Choose the best answer.)
a. Policy > Policy Elements > Results > Authorization
b. Operations > Authentications
c. Policy > Policy Elements > Results > Authentication
d. Operations > Results
Cisco ISE has a phenomenally useful tool built in to it, commonly called Live Log. Live Log
provides a near real-time view of all incoming authentications, change of authorizations
(CoAs), and more.
10. Which of the following statements most accurately describes the use of change of authorization
(CoA) in relation to CWA?
a. The CoA-Reauth causes the NAD to reauthenticate the endpoint within the same session, and
ISE is then able to tie the MAB and CWA authentications together.
b. The CoA sends a packet of disconnect (PoD) to the NAD, which starts a new session based on
the web credentials.
c. The CoA-Reauth causes the NAD to reauthenticate the endpoint, which starts a new session
based on the web credentials.
d. The CoA sends a packet of disconnect (PoD) to the NAD. ISE is then able to tie the original
MAB session to the new web-authenticated session by correlating the MAC addresses from
both authentication sessions.
The CoA is a key function. Specifically, it is a CoA-Reauth and causes the switch to
reauthenticate the endpoint without starting a new session. The switch sends another MAB
request to ISE, which is able to tie the guest authentication from the centralized portal to the
MAB request from the switch and assign the appropriate permission.
Deploying Guest Services
1. ISE Guest Services use which of the following approaches to authenticate a user?
a. Badge
b. WebAuth
c. TACACS+
d. SSH
When a guest connects to the network, they are given a web-redirect authorization policy.
This web redirect will intercept any attempts to browse the Internet, forcing the guest user to a
webpage where they will authenticate—that is, WebAuth.
2. The sponsor and guest portals can run on which of the following ISE personas?
a. Admin
b. MnT
c. PSN
d. a and b
e. a and c
f. b and c
The sponsor and guest portals can run on any PSN that has session services running.
3. True or False: A network administrator can customize the guest portals to run on any port
greater than 1024.
a. True
b. False
Currently, the ISE guest portals can run only on those ports between 8000 and 8999.
4. Which default sponsor groups are available on ISE? (Select three.)
a. SponsorAllAccounts
b. SponsorADAccounts
c. SponsorAdministrator
d. SponsorGroupGrpAccounts
e. SponsorAllUsers
f. SponsorGroupOwnAccounts
The three default sponsor groups on ISE are SponsorAllAccounts,
SponsorGroupGrpAccounts, and SponsorGroupOwnAccounts.
5. When using Active Directory group membership as authentication and authorization for
sponsors, which of the following must occur?
a. ISE must be associated to the domain.
b. The sponsor must create all guest accounts on the Active Directory Server.
c. The Active Directory identity store must be part of the identity source sequence for the
sponsor portal.
d. a and b.
e. b and c.
f. a and c.
To use Active Directory group membership as the source of authentication and authorization
for sponsors, ISE must first be associated to the domain. Furthermore, the AD identity store
must also be a part of the identity source sequence that is in use for the sponsor portal. If you
choose, you can provide a differentiated level of guest account creation based on the AD group
membership as will be demonstrated in this chapter.
6. Under the Operations tab of the portal configuration page, which of the following items can be
configured?
a. Guest Device Registration
b. Allow or Require Guest to change password
c. Guest Self-Service
d. Acceptable Use Policy frequency
e. All of the above
The Operations tab of the portal configuration page allows a network administrator to define
the security policy for the portal. This page outlines how often the guest will be prompted to
accept the Acceptable Use Policy, whether a guest can or must change their given password,
whether the guest can perform device registration, or whether a user can create their own guest
account. A few additional options are also available on the portal configuration page.
7. What are the three configurable options for a sponsor group?
a. Authorization Levels, Guest Roles, Time Profiles
b. Access-List, VLAN, Security Group Tag
c. Switch, Router, Firewall
d. Centralized WebAuth, Network Supplicant Provisioning, Device Registration Webpage
Under the sponsor group, the three settings that are configurable are the Authorization
Levels, Guest Roles, and Time Profiles. With Authorization levels, the network administrator
can configure which functions a sponsor user can configure for his guest. The Guest Roles
option allows the sponsor to create guest users for specific Guest Roles—possibly allowing a
differentiated level of access for each role. The final option, Time Profiles, defines the length
of time for the guest accounts that can be created by the sponsor.
8. Which of the following are options for provisioning guest accounts on Cisco ISE?
a. Guest, Contractor, Consultant
b. OneDay, OneWeek, OneMonth
c. Individual, Import, Random
d. Full, Basic, InternetOnly
From the sponsor portal, when you are creating guest accounts, you have three options—
Individual, Import, and Random. The Individual option creates a single guest user account,
Import allows you to create multiple accounts using a spreadsheet template, and Random allows
you to create a number of random guest accounts. The level of access and the length of the
account also are configurable.
9. Which security policy must be enabled on the Guest WLAN/SSID to facilitate WebAuth on a
Cisco WLC?
a. WPA2 with 802.1X Key Management
b. WPA2 with 802.1X and CCKM Key Management
c. MAC Filtering and RADIUS NAC
d. Open
To trigger the WebAuth policy on Cisco ISE, the NAD must be using the MAB process. This
MAB process, or RADIUS Service-Type of Call Check, is indicated by the security policy of
MAC Filtering on the WLC. RADIUS NAC must also be configured as the NAC State on the
Advanced tab of the SSID configuration.
10. To verify a guest user ’s access policy on a Cisco switch, you should run which of the
following commands?
a. show crypto ipsec sa
b. show aaa authorization details
c. show authorization level guest interface
d. show authentication sessions interface details
The correct command to verify the level of access given to a guest user on a Cisco switch is
show authentication sessions interface details. This output will provide you with
any ACLs or URL Redirects that have been deployed to the device from ISE.
Profiling
1. True or False? The profiling service is enabled by default on ISE policy service nodes.
a. True
b. False
Profiler is enabled by default on all policy service nodes and standalone nodes. However,
not a single probe is enabled by default in ISE 1.2.
2. Name three ways in which an endpoint profile can be used in an authorization policy rule?
a. Logical profiles
b. Endpoint identity groups
c. NMAP OS-Scan result
d. EndPointPolicy attribute
e. EndPointProfile attribute
There is no such thing as an EndPointProfile attribute. Although OS-Scan is used as a
condition to determine the endpoint’s profile, it cannot be used directly in an authorization
policy. The authorization policy can use identity groups (which contain a list of MAC
addresses), EndPoint Policy attribute (which is the actual endpoint profile), and logical profiles
(a group of profiles).
3. Which probe is used to trigger the SNMPQUERY probe to query a NAD?
a. RADIUS
b. SNMPQUERY
c. HTTP
d. SNMPTRAP
e. Both A and D
f. Both C and D
The SNMPQUERY probe will periodically query all the NADs configured with SNMP
strings, but it is also a reactive probe. The SNMPQUERY probe will reactively query a NAD
when the RADIUS probe receives an accounting START message or when an SNMP trap is
received.
4. Which three probes exist with device sensor?
a. CDP, DHCP, RADIUS
b. HTTP, CDP, RADIUS
c. CDP, DHCP, LLDP
d. CDP, HTTP, SNMP
The three probes that exist in device sensor on Cisco switches are CDP, DHCP, and LLDP.
Wireless controllers have two probes: DHCP and HTTP.
5. How are updated profiles distributed to customer ISE deployments?
a. Cisco’s Profiler Feed Service.
b. Each new version of ISE or ISE patch includes new profile policies.
c. The profiles are distributed together with the posture checks and compliance modules.
d. Import the update packs that are downloaded from Cisco.com.
Cisco no longer includes profile updates within the ISE version updates or patches. All new
profiles are included and downloaded as part of the Cisco Profiler Feed Service.
6. What determines when an endpoint is assigned to a profile?
a. The profile that matches the most conditions will be assigned.
b. All profiles are manually assigned by the administrator.
c. The certainty value must equal or exceed the minimum certainty value of the profile.
d. The ISE posture agent will identify the profile of an endpoint to ISE.
Profiling is all about the certainty value. Each profile has a minimum certainty value, and
matching the conditions will increase the certainty value. A higher the certainty value of any
profile means it will be assigned.
7. Which ISE tool enables an administrator to drill down in to the profiles that have been assigned
to locate a specific endpoint with that profile?
a. Endpoints Drill-down
b. Cisco Endpoint Profiling Examination Tool (CEPET)
c. Profiled Endpoints Counter
d. Profiler Activity Window
The Endpoints Drill-down tool is an excellent way to look into the profiled endpoints and
verify that the profiling service is working.
8. What are two ways to collect HTTP user agent strings?
a. Through the AnyConnect HTTP User Agent Reporting Tool
b. SPAN port mirroring
c. The Cisco WSA device sensor
d. Directly from ISE web portals
e. Device sensor in the switch
HTTP user agent strings could be gleaned through SPAN monitoring and VACLS and
directly from the ISE web portals. Wired switches do not currently have an HTTP device sensor
probe, but wireless controllers do.
9. True or False? ISE deployments must wait for Feed Service updates for new profiles.
a. True
b. False
ISE provides the ability for administrators to create their own custom profiles using any of
the attributes available to the profiling engine
10. What will happen when an ISE administrator has modified a profile and then a Feed Service
update is downloaded that contains an updated version of that profile?
a. The profile is overwritten with the version in the Feed Service Update.
b. The admin will be prompted to choose to overwrite or ignore the profile update.
c. All nonconflicting profiles will be downloaded and installed. The conflicting profiles will be
ignored.
d. The update will fail and an alarm will be triggered on the dashboard and in email.
Profiles are classified as Cisco provided, administratively modified, or administrator
created. Only Cisco-provided profiles will be overwritten
Advanced Secure Network Access
1. Which of the following is required for ISE to trust a client certificate?
a. The client’s private key must be imported into ISE’s Certificate Store.
b. The signing CA’s public key must be imported to ISE’s Certificate Store.
c. The signing CA’s private key must be imported into ISE’s Certificate Store.
d. The signing CA must be part of the Internet’s master PKI hierarchy.
A copy of the signing CA’s public key must be stored at Administration > System >
Certificates > Certificate Store, and it needs to have the Trust for Client Authentication option
selected.
2. What determines a digital certificate’s validity period?
a. Any time leading up to the date listed in the Certificate Expiration field of the X.509
certificate.
b. A certificate is always valid until it is added to the Certificate Revocation List (CRL).
c. Any time leading up to the date listed in the Revocation Date field of the X.509 certificate.
d. The time span between the dates listed in the Valid-From and Valid-To fields of the X.509
certificate.
It’s vital to understand that the Valid-From field is just as important as the Valid-To field. A
certificate will be rejected if it is issued for a date and time after the current date and time. This
is why NTP is so critical for PKI.
3. True or False? Certificate Revocation List (CRL) is the only revocation status mechanism
supported by ISE.
a. True
b. False
ISE supports checking both CRL and Online Certificate Status Protocol (OCSP). OCSP is the
preferred method for scalability and security reasons
4. True or False? ISE will ignore the CRL distribution point listed in the X.509 client certificate.
a. True
b. False
ISE will only leverage the CRL distribution point configured within the trusted certificate
store for that signing CA and ignore the field that is in the client’s certificate.
5. How does ISE validate proof of possession for a client’s certificate?
a. ISE encrypts data with a combination of ISE’s private key and the client’s public key.
b. ISE encrypts data with a combination of ISE’s public key and the client’s private key.
c. ISE sends a message to the end user, requesting a screen shot of the private key.
d. ISE encrypts data with a combination of ISE’s private key and the client’s private key.
ISE sends some “throw-away data” to the client that is encrypted with the combination of
ISE’s private key and the client’s public key (the certificate sent for authentication). Then the
endpoint must decrypt the data with the combination of its private key and the server ’s public
key, proving the client has the full key pair and not just a copy of a public key
6. Which of the following accurately describes how an Active Directory user is authorized when
using certificate-based authentication?
a. When Active Directory is the certificate authority (CA), ISE sends the full certificate to the
CA and it cross-references it to the end user to which the certificate was issued, returning the
AD Group Membership and other attributes to ISE.
b. It is not possible to perform Active Directory user authorization when performing
certificate-based authentication.
c. Cisco ISE uses CAP to identify the principle identity from the X.509 attributes and then
performs the lookup in Active Directory using that identity. Active Directory returns the AD
Group Membership and other attributes to ISE.
d. This process requires a dual authentication. The first authentication is for the digital
certificate, and then the user is prompted for his username and password for the Active
Directory component.
A certificate issued by Active Directory Certificate Services is still just an X.509 certificate. It
will go through all the authentication validation of any other certificate, regardless of the fact
that the CA was integrated into AD. The CAP extracts the user ’s identity from the fields in the
certificate for the authorization with AD.
7. Which is the most common authentication protocol for network access when using certificates?
a. EAP-TTLS
b. EAP-TLS
c. EAP-FAST
d. EAP-GTC
Although both EAP-TLS and EAP-GTC are native EAP-Types capable of performing
certificate-based authentication, EAP-TLS is more common. EAP-TTLS and EAP-FAST are
tunneled EAP types, both of which are capable of having EAP-TLS as an inner-method.
8. Which of the following lists accurately describes the components required for ISE to process
certificate-based authentications?
a. ISE is capable of processing certificate-based authentications by default, and no additional
configuration is required.
b. EAP-TLS enabled in the Allowed Protocols, a CAP, Signing CA’s Public Certificate added to
the Certificate Store with the Trust for Client Authentication attribute enabled, and either CRL
or OCSP configured.
c. EAP-TLS enabled in the Allowed Protocols, a CAP, Signing CA’s Public Certificate added to
the Certificate Store with the Trust for Client Authentication attribute enabled, and an
authorization rule for the extracted identity.
d. EAP-TLS enabled in the Allowed Protocols, a CAP, Signing CA’s Public Certificate added to
the Certificate Store with the Trust for Client Authentication attribute enabled.
Allowed Protocols, CAP for an Identity Store, and trusting the signing CA for client
authentication are all that is required. Certificate Revocation checking and the authorization rule
are both optional.
9. What does the Download CA certificate chain link on the Microsoft CA provide an ISE
administrator?
a. A form for the admin to fill out and request the CA administrator send its public key,
including any intermediary CAs.
b. Configures the Windows client to provide the signer ’s public key during the authentication
process, along with its own (hence, its certificate chain).
c. Downloads a PKCS file, which is a certificate chain file that will contain the public
certificates for the CA and any intermediate CA in the hierarchy.
d. Redirects the admin to a new page where she can purchase the public key from the certificate
authority.
Many certificate authorities have a website where they permit the downloading of their
public certificate and even the full certificate chain. In this chapter you see an example of
downloading the key from a Microsoft CA. Navigating to this web page and downloading the
certificate is how an ISE admin can obtain the public certificate of the signing CA to trust for
client authentications. However, it is not recommended to use PKCS chain files unless there is
no other option. As a best practice, always use Base-64 encoded files instead of DER-encoded
files.
10. Live Log provides a glance at a lot of information, including a brief failure reason. What
should an admin do to find a more detailed explanation of the failed certificate authentication
and a possible resolution?
a. From Live Log, navigate to Operations > Reports > Failed Authentications.
b. From Live Log, click the Details icon, which will launch the authentication details report.
c. Immediately email Aaron Woland of Cisco and ask him why this isn’t working.
d. Call Cisco TAC because if the detail is not in Live Log, it doesn’t exist.
Although I’m flattered that you might want to call me to fix your problems, C is definitely
not the correct answer. The first question you would be asked is: “What does it say for Failure
Reason in the Authentication Details Report?” which is the correct answer: B. There is no report
named Failed Authentications, and besides it would not exist in the root of “reports.”
Bring Your Own Device
1. What is the process of onboarding as it relates to BYOD?
a. It’s a form of torture used in military interrogations.
b. It prepares an endpoint for network access with supplicant configuration, and possibly even
certificate provisioning.
c. It’s the process in which an IT department will prestage an endpoint for corporate use before
issuing the endpoint to the end user.
d. It prepares an endpoint for network access by preconfiguring an installation package that the
end user runs with administrator privilege to configure the endpoint.
One of the business issues with a BYOD model is walking an end user through the process
of configuring his network supplicant to meet corporate policies. Onboarding is used to help an
end user perform those actions himself, without requiring interaction from the IT department
2. With a single-SSID model for BYOD onboarding, how does the supplicant begin using its new
certificate-based credentials?
a. The endpoint will continue to use the initial credentials until the next reauthentication
interval.
b. ISE will send a CoA-DM, causing a new authentication.
c. ISE will send a CoA-Reauth, causing a new authentication.
d. The endpoint will continue to use the initial credentials until the endpoint is deassociated
from the network and reassociates.
To maintain a seamless experience for the end user, a CoA-Reauth message is used. This
keeps the endpoint connected to the network and simply causes the supplicant to send credentials
again. At this point, it will be using the new certificate-based credentials to authenticate. The end
user is completely unaware of the actions. A CoA-DM (disconnect message) would drop the
endpoint from the network and be a poor user experience. Waiting for a reauth interval or a
disconnect/reconnect to the network would not be an optimal user experience either.
3. With dual-SSID onboarding, what stops a guest user from receiving a certificate and a
supplicant profile?
a. It is hard-coded in ISE to not permit a guest user to enter the provisioning flow.
b. It’s a configurable option, so nothing prevents guests from receiving the certificate and
supplicant profile.
c. It’s a configurable option based on the authorization result given to the user.
d. It’s a configurable option in the client provisioning policies to permit guests to enter the
provisioning flow.
The software is hard-coded to deny guest users from entering the flow. There is no
configuration possible to allow guest users to enter the provisioning process through the dual-
SSID onboarding flows.
4. The same ACL can be used for all endpoints to be onboarded. However, the security of the ACL
needs to be relaxed for Androids. What is that reason?
a. Google just feels that it is so special, so Androids require special access to keep up.
b. Androids require access to the local app store in ISE.
c. Because Android is inherently an insecure operating system, it therefore needs a less secure
ACL.
d. Androids require access to their app store to download and execute Cisco’s Network Setup
Assistant APP.
While both C and D could be viewed as correct answers, only D is technically accurate.
5. What are an ISE admin’s options for dealing with endpoints that are not supported by the
BYOD onboarding process?
a. Cisco ISE will reject an authentication from any endpoint that cannot go through the
onboarding process.
b. The admin has configurable choices to deny access to any nonconfigured endpoint that
reaches the supplicant provisioning flow or to leave it in the current authorization state.
c. Cisco ISE will automatically permit access to any device that can’t be onboarded.
d. After the BYOD onboarding flow is enabled, every device must be onboarded. There are
custom templates to be able to push profiles to any device that is not natively supported.
ISE will authenticate any endpoint that has been configured to authenticate to the network,
regardless of the onboarding status. The policy can be configured to send an access-reject or to
leave the user in the redirected state to receive a message explaining that she must configure her
device on her own or call her IT department for assistance
6. From where does an iOS-based device download the iOS Network Setup Assistant?
a. From the Apple App Store.
b. iOS uses the native OTA functionality.
c. From ISE directly.
d. From the Cisco App Store.
Apple iOS does not use an app to perform the provisioning; instead it leverages the native
Over the Air (OTA) provisioning built in to the OS to handle the certificate signing requests and
downloading of a network profile.
7. True or False? The ISE admin may log in to the MyDevices portal to manage all the registered
devices.
a. True
b. False
The admin may manage endpoints from the Endpoints Identity section within the ISE
administrative GUI. The MyDevices portal is designed for an individual to perform self-service
of registered devices
8. Which of following lists most accurately describes the portions of BYOD onboarding that can
be verified within Live Log?
a. An entry will exist for the initial authentication, CoA, and final authentication.
b. An entry will exist for the initial authentication, successful launch of the NSA app, and the
final authentication.
c. An entry will exist for the initial authentication, successful endpoint registration, download
of the NSA app, and the final authentication.
d. An entry will exist for the initial authentication, successful endpoint registration, CoA, and
the final authentication.
Live authentications log does not show any information about the registration or the NSA
app. It does show all the authentications and the change of authorizations.
9. As it relates to ISE 1.2, from where do Windows and Mac OSX endpoints download their
Network Setup Assistant applications?
a. Windows downloads the NSA app from the Microsoft App Store. Mac OSX uses the native
OTA.
b. Neither Windows nor Mac use NSA; they use native capabilities instead.
c. Windows uses native capabilities, but the Mac will use a Java applet downloaded from the
CPP.
d. Windows and Mac will use a Java applet that is downloaded from the CPP hosted on ISE.
With the ISE 1.2 versions pertinent to this exam, both Windows and Mac are still using a Java
applet that is downloaded from ISE’s Client Provisioning Portal (CPP). 1.2 patch 11 and 1.3
versions of ISE will enable the use of a native .exe for Windows and a .dmg for Mac OSX, but
that is out of scope of this exam blueprint and therefore out of scope for this book.
10. At which one of the following locations does an ISE admin determine which NSP to send to a
client based on any number of attributes, including operating system?
a. Policy > Onboarding
b. Policy > Client Provisioning Policy
c. Policy > Policy Elements > Results > Client Provisioning
d. Policy > BYOD
The Client Provisioning Policy determines which NAC agent, NSA Wizard, and Native
Supplicant Profile to send to an endpoint. The policy is capable of using the operating system as
one of many conditions to determine which result to provide an endpoint.
TrustSec and MACSec
1. What is a security group tag?
a. A luggage tag applied by TSA workers at airports to flag bags as they enter security
checkpoints
b. An internal assignment used in ISE to represent a local copy of an Active Directory group
c. A 16-bit value that represents the context of a user and/or a device
d. An RFID tag used to identify a wireless asset to ISE
A security group tag (SGT) is a 16-bit value that ISE assigns to the user ’s or endpoint’s
session upon login. The SGT can represent the context of the user and device and can be carried
in the Layer-2 frame or communicated through SXP. The SGT is assigned at ingress and
enforced upon egress
2. Where are security groups defined in the ISE administrative GUI?
a. Administration > System > Security Group Access > Security Group
b. Policy > Policy Elements > Results > Security Group Access
c. Policy > Policy Elements > Dictionaries > System > Security Group Access
d. Policy > Firewall > Identity by TrustSec
SGTs are considered an authorization result in the ISE administrative GUI. They are defined
within the policy elements section of the GUI as an authorization result. They also can be
defined from the Policy > Security Group Access > Egress Policy screens by clicking on
Configure > Create New Security Group;
3. What are three ways that an SGT can be assigned to network traffic?
a. Manual binding of the IP address to an SGT
b. Manually configured on the switch port
c. Dynamically assigned by the network access device
d. Dynamically assigned by the 802.1X authorization result
e. Manually configured in the NAC agent profile
f. Dynamically assigned by the AnyConnect network access manager
To use the SGT, the tag needs to be assigned (known as classification). This can happen
dynamically and be downloaded as the result of an ISE authorization; they also can be assigned
manually at the port level or even mapped to IP addresses and downloaded to SGT-capable
devices.
4. True or False? An SGT-capable device can automatically map traffic to an SGT based on the
VLAN of that traffic.
a. True
b. False
Although that gear might not support the classification and transport natively, it might be
capable of assigning different VLANs or IP addresses per authorization result. A distribution
layer device may have the ability to map subnets and VLANs and assign all source IP addresses
from the subnet or VLAN to a specific tag.
5. Which peering protocol can be used to transmit a mapping of IP address to SGTs between SGTcapable
devices when traffic is crossing non–SGT-capable network segments?
a. Enhanced Interior Gateway Routing Protocol (EIGRP)
b. Intermediate System—Intermediate System (IS-IS)
c. Border Gateway Protocol (BGP)
d. Security Group Exchange Protocol (SXP)
Cisco has developed a peering protocol (similar to BGP or LDP) to enable devices to
communicate their database of IP-address-to-SGT mappings to one another. This peering
protocol is called Security Group Exchange Protocol (SXP).
6. What are two modes of SXP peers?
a. Speaker
b. SGT-Reflector
c. Listener
d. SGT-Sender
Every SXP peer session has a speaker and listener. A speaker sends the mappings of IP
addresses to SGTs. The listener receives those updates and records them. A peer can be
configured for both roles simultaneously and can have numerous peers.
7. How is the SGT transmitted when using native tagging?
a. The SGT is included in the Cisco Metadata (CMD) portion of the Layer-2 Frame.
b. The SGT is included in 802.1Q trunking.
c. The SGT is included in Inter-Switch-Link (ISL) trunking.
d. The SGT is carried in Cisco Discovery Protocol (CDP) messages.
Native tagging of SGTs includes the 16-bit tag as a portion of the Cisco Metadata field of the
Layer-2 Ethernet frame. It also can be included as part of an IPSec link.
8. When using native tagging of SGTs, how can an administrator ensure confidentiality and
integrity of the tag?
a. By enabling MD5 authentication between SGT peers
b. By enabling IEEE 802.1AE (MACSec) between the switches
c. By enabling IEEE 802.1AE (MACSec) between the endpoint and the access switch
d. By configuring peer-to-peer GRE tunnels between the switches
The tag can be encrypted within a MACSec encrypted link between network infrastructure
devices or even an IPSec connection. The endpoint is never aware of the tag that has been
assigned, so enabling downlink MACSec between the endpoint and the switch will not help.
9. What are two methods of enforcement with SGTs?
a. SG-ACLs on switches.
b. SG-ACLs on routers.
c. SG-Firewalls.
d. SG-Appliances.
e. SGTs are not enforced.
SGTs can be enforced with security group ACLs, which are egress ACLs that use source
and destination tags as the condition upon which to invoke the egress ACL. Additionally the
ASA, ASR, and ISR can act as security group firewalls, using the source and/or destination tag
as ACL conditions.
10. What is the difference between uplink MACSec and downlink MACSec?
a. Uplink MACSec defines the encrypted traffic entering the switch from the endpoint, whereas
downlink MACSec is the encrypted traffic leaving the switch, destined to the endpoint itself.
b. There is no difference between uplink and downlink MACSec.
c. The difference is solely based on the encryption algorithm used.
d. Uplink MACSec defines the encrypted connection between network infrastructure
components, whereas downlink MACSec defines the encrypted connection between the access
layer device and the endpoint
Uplink MACSec defines the encrypted connection between network infrastructure
components, whereas downlink MACSec defines the encrypted connection between the access
layer device and the endpoint. Although uplink and downlink MACSec use different keying
mechanisms today, both are still using the same encryption algorithm of AES-GCM-128.
Posture Assessment
1. The Posture Service is comprised of which of the following functional components? (Select
three.)
a. Profiling
b. Client provisioning
c. Authorization policy
d. Mobile device managers
e. Access lists
f. Guest Services
g. Posture Policy
The three major functional areas of the Posture Service are Client Provisioning,
Posture Policy, and Authorization Policy. The first, Client Provisioning, is the process by which
the NAC agent is installed on the endpoint. The second, Posture Policy, is the configuration of
the Posture rules: what is compliant and what is not compliant within the security policy. The
final functional area is Authorization Policy. After we have determined the compliance or
noncompliance of the endpoint, what will the endpoint have access to.
2. What are the three possible posture outcomes following the initial connection to the network?
a. Location, Location, and Location
b. Routes, Translations, and Permissions
c. Authentication, Authorization, and Accounting
d. Compliant, Noncompliant, and Unknown
The three possible posture outcomes following the initial connection to the network are
Compliant, Noncompliant, and Unknown. Compliant implies that the endpoint fully adheres to
the company’s security policy as configured on ISE. Noncompliant implies that there is at least
one deviation from the company security policy. Unknown implies that there is not an agent
present on the device and, therefore, the endpoint is unable to report its posture to ISE.
3. Which is a benefit of a NAC web agent versus a persistent agent?
a. The web agent provides enhanced remediation techniques.
b. The web agent does not require Administrator privileges to install.
c. The web agent provides additional firewall functionality for the endpoint.
d. The web agent can provide a greater number of Posture conditions.
One benefit of the NAC web agent is that it does not require administrative privileges to
install. Unfortunately, the web agent is lacking additional features that are standard in the
persistent agent.
4. True or False? The Process Check posture condition is supported on all NAC agent types.
a. True
b. False
The Process Check posture condition is not supported on Macintosh operating systems.
5. The File condition for Posture does which of the following?
a. Checks the existence of a file
b. Checks the date of a file
c. Checks the version of a file on the client
d. All of the above
The File condition for Posture can check the existence, date, and version of a file on the
client. This can be very useful to determine if a particular endpoint is vulnerable to a new virus
or if a specific software package is present on the endpoint. This feature is only supported on
Windows PCs.
6. True or False? Cisco offers periodic Posture Elements updates.
a. True
b. False
These Posture Elements can be updated manually or configured to update automatically on a
fixed schedule.
7. The CoA process is used for which of the following?
a. To force an endpoint to reauthorize following a change in status
b. Following a change of posture compliancy from the NAC agent
c. Only after a NAD has terminated an endpoint’s connection
d. a and b
e. b and c
f. a, b, and c
The CoA process is used to force an endpoint to reauthorize following a change in status or
following a change of posture compliance from the NAC agent.
8. When configuring the Client Provisioning Policy, you can elect each of the following except
which?
a. NAC Agent Configuration
b. Network Supplicant Provisioning
c. Access list
d. Profile
When configuring the Client Provisioning Policy, a network administrator is responsible for
defining what NAC agents or Network Supplicant Provisioning (NSP) client is getting pushed to
what endpoints under which circumstances. The network administrator, besides specifying the
elected NAC Agent and NSP client, can also specify the period of time between reassessments
and whether or not an Acceptable Use Policy will be used.
9. Remediation is a process by which of the following occurs?
a. An endpoint that is not compliant with security policy can become compliant.
b. ISE communicates to the ASA firewall to block known attackers.
c. ISE confirms the identity of the end user based on the associated endpoint.
Remediation is the process by which an endpoint that is not compliant with security policy
can become compliant. This may include downloading the latest virus definitions, installing a
service pack, or enabling a screen saver password.
10. Which remediation type is available on a Macintosh OS X endpoint?
a. Automatic Launch Program Remediation
b. Manual Antispyware remediation
c. File Remediation
d. Manual Antivirus Remediation
The only remediation from this list that is available on a Macintosh OS X endpoint is
Manual Antivirus Remediation. As an endpoint is found to be noncompliant due to a deviation in
his antivirus signatures, the NAC agent will provide a link for the user to download the latest
definition file. All other remediations provided in this list are not possible on the Macintosh
NAC agent.
Safely Deploying in the Enterprise
1. What is Monitor Mode?
a. Using the authentication open interface configuration command on 802.1X enabled interfaces
b. A setting in ISE to record actions but not take them
c. A method for identifying which device would have failed authentication and correcting the
root cause prior to it taking effect
d. A method for alerting the administrator of failed authentications, so the end user may be
called and manually granted network access
Monitor Mode is a process, not just a command on a switch. The process is to enable
authentication (with authentication open), see exactly what devices fail and which ones succeed,
and correct the failed authentications before they cause any problems.
2. What is Low-Impact Mode?
a. One of the two end states of authentication that limits access but still uses the authentication
open interface configuration command
b. One of the two end states of authentication that limits access but is less secure than closed
mode
c. A method to ensure authentications occur, but the authorizations are ignored, so as not to
cause a denial of service
d. A method for identifying which device would have failed authentication and correcting the
root cause prior to it taking effect
Low-Impact Mode uses authentication open, but adds security on top of the framework that
was built in Monitor Mode. It uses a PACL on the switch port to permit critical traffic of certain
endpoints, like thin-clients, to function prior to an attempted authentication. After the
authentication, the authorization should provide specific access, unlike Monitor Mode, which is
the same pre and post authentication.
3. What is the primary benefit of a phased deployment approach?
a. It allows an endpoint to go through multiple phases of authentication prior to gaining
network access, including dual-factor authentication.
b. It permits you to use Cisco proprietary technology and therefore increase Cisco’s stock
value.
c. It enables additional security protocols to extend authentications, such as the use of smart
cards.
d. To ensure that a port, switch, or location is fully ready to be successful before enabling
enforcement and specific authorization results.
By using a phased deployment approach, you are able to start off in Monitor Mode and
gradually transition into the end state of either Low-Impact Mode or Closed Mode. By doing so,
you can avoid the denial of service that can often happen with 802.1X deployments.
4. True or False? The authentication open command performs EAP authentications but ignores
authorization results.
a. True
b. False
authentication open will ignore RADIUS Access-Reject responses, but all other
authorization results will be honored and enforced.
5. True of False? authentication open allows all traffic to pass through the switch port before the
authentication result is received from the AAA server.
a. True
b. False
authentication open allows traffic to flow with our without an authentication. When an
authorization result is sent back from the authentication server, the switch will ignore RADIUS
Access-Reject responses, but all other authorization results will be honored and enforced.
6. What is the ISE configuration that will allow different groups of authentication and
authorization policies?
a. Policy groupings
b. Policy sets
c. Service selection rules
d. Service sets
Policy sets are groupings of authentication and authorization policies. The use of policy sets
makes for a nice clean way to differentiate rules for each stage of the deployment.
7. Where is Monitor Mode configured for wireless LANs?
a. It is configured on the WLC, under the security properties for the WLAN.
b. It is configured in the Wireless Monitor Mode policy set within ISE.
c. It is configured in ISE by enabling wireless monitor mode under the system settings.
d. Monitor Mode is not possible with wireless LANs.
Wireless LANs cannot have a mixture of authentication and nonauthentication. The WLAN
must either be using Wi-Fi Protected Access (which facilitates the 802.1X authentication) or will
be open; it cannot be both.
8. Using policy sets as described in this chapter, how would a switch be transitioned from Monitor
Mode to one of the end state modes?
a. Move the NAD from the Monitor Mode NDG to the final state NDG.
b. Remove the authentication open command from the switch interface.
c. Enter the low-impact or closed keyword for the radius server definition in the switch.
d. Enable enforcement mode on the client supplicants.
The NDG assignment of the NAD is used to determine which policy set ISE uses for the
incoming authentications. To change the policy set being used, move the NAD from the Monitor
Mode NDG to either the Low-Impact or Closed mode NDGs.
9. True or False? A wired port must have a single configuration that supports authenticating
supplicants, guests, and nonauthenticating devices.
a. True
b. False
Wired clients do not get to pick their network; there is no SSID like there is for wireless.
Therefore, all the various types of authentication mechanisms possible must work within a
single port configuration. Without this, an admin would have to change the port configuration
for each type of device that needs to access the network, which would be extremely
operationally expensive.
10. Which of the modes is most closely related to the default of 802.1X?
a. Closed Mode
b. Monitor Mode
c. Low-Impact Mode
d. Cisco Enhanced Security Mode
Just like the default behavior of the original IEEE 802.1X, Closed Mode does not allow any
traffic into the switch port until after a result has been received for the attempted authentication
or a timeout occurs.
ISE Scale and High Availability
1. How does a PSN join an ISE cube?
a. From the Deployment screen on the secondary nodes, select Join Cube and enter the FQDN
and credentials of the cube controller.
b. From the Deployment screen on the PAN, click Create Cube. Then click Register and add the
FQDN and credentials for the other nodes.
c. From the Deployment screen on the PAN, click Register and add the FQDN and credentials
for the other nodes.
d. PSNs are standalone. They do not join an ISE cube.
After a standalone node has been promoted to primary on the deployment screen, you click
Register and enter the FQDN and the credentials for any other node that you want to join the
new primary and form an ISE cube.
2. True or False? When joining a node to an ISE cube, you specify which personas the node
should have.
a. True
b. False
When joining the node to the cube, you will specify the persona and whether it will be
primary or secondary (Monitoring only).
3. Which three pieces of information are needed for an ISE license?
a. The output from the show license CLI command.
b. The unique device ID (UDID), version number (VPID), and serial number
c. The product ID (SPID), unique device ID (UDID), and serial number
d. The product ID (SPID), version number (VPID), and serial number
The show udi CLI command and the GUI will provide the three required items: SPID, VPID,
and serial number.
4. How does HA work for an ISE policy administration node?
a. Gigabit Ethernet 4 is used for stateful heartbeat. When the primary no longer responds, the
secondary takes over.
b. The secondary is manually promoted from the secondary’s GUI.
c. The secondary is manually promoted from the primary’s GUI.
d. There is no HA for the policy administration node.
There is no automatic failover, but there is a manual promotion from the secondary’s GUI
5. How does the monitoring persona’s high availability work?
a. ISE uses TCP syslog, and if the primary node does not respond, then the other nodes will
send logs to the secondary.
b. Gigabit Ethernet 4 is used for stateful heartbeat. When the primary no longer responds, the
secondary takes over.
c. Monitoring persona does not have an HA function.
d. Logs are sent to both MnT nodes automatically. If one MnT node goes down, the other node
is still receiving logs.
There is no automatic failover, but the ISE nodes are configured to send logging to both
primary and secondary MnT automatically. If one fails, the other is still receiving the logs.
6. What is the purpose of a node group?
a. Node groups are used for stateful sync between PSNs. If one PSN goes down, another PSN
from the node group will assume its sessions automatically.
b. Node groups are used for a multicast heartbeat between PANs. If one PAN goes down,
another PAN from the node group will take over.
c. Node groups are used for a multicast heartbeat between PSNs. If one PSN goes down,
another PSN from the node group will send a change of authorization (CoA) for establishing
sessions of the fallen node.
d. Node groups are used for a multicast heartbeat between MnT nodes. If one MnT goes down,
another MnT from the node group will take over.
Node groups are made up of Layer-2 adjacent (same VLAN) PSNs, where the PSNs maintain
a heartbeat with each other. In the event that a PSN were to go down while a session was being
authenticated, one of the other PSNs in the node group would send a CoA to the NAD so the
endpoint could restart the session establishment with a new PSN.
7. True or False? Cisco ISE cannot be used with load balancers.
a. True
b. False
Cisco ISE is commonly deployed with load balancers. There are caveats to pay attention to,
such as not to use Source NAT (SNAT).
8. How are patches applied to Cisco ISE?
a. Patches are downloaded and applied automatically using Cisco github.
b. Patches are downloaded from Cisco.com and applied through the GUI.
c. Patches are downloaded but not applied automatically. They are downloaded from Cisco
github.
d. Patches are downloaded and applied automatically as part of the ISE feed service.
Patches are downloaded from cisco.com and applied to the PAN under Administration >
System > Maintenance > Patch Management. The PAN will push the patch to the other nodes in
the deployment.
9. How do you verify the status of an ISE backup?
a. The status can be viewed only from the CLI.
b. The status of a restore is available in the GUI, but not backup status.
c. The status is not viewable in ISE version 1.2.
d. The status of a backup can be viewed from the GUI under Administration > System > Backup & Restore.
The status of a backup can be viewed from the GUI or the CLI, but the status of a restore can
only be viewed from the CLI.
10. Where do you set the order for patching ISE nodes?
a. This is configured under Administration > System > Settings > Patch Management.
b. It is configured on the Administration > System > Maintenance > Patch Management page.
c. It is not configurable and will patch all nodes simultaneously.
d. It is not configurable and will patch all nodes in alphabetical order.
It is not configurable, and will patch all nodes in alphabetical order. The PAN is patched
first, and will push the patch to all
Troubleshooting Tools
1. Which ISE diagnostic tool can be used to find misconfigurations in a Cisco NAD?
a. TCP Dump
b. Live Sessions Log
c. RADIUS Authentication Troubleshooting Tool
d. Evaluate Configuration Validator
The Evaluate Configuration Validator tool compares a switch configuration to a “template”
configuration built in to ISE, and any differences between the configurations are pointed out.
2. Which ISE diagnostic tool can be used to examine different aspects of a session and provide
some additional details that might not have been available in the detailed authentication report?
a. TCP Dump
b. Live Sessions Log
c. RADIUS Authentication Troubleshooting Tool
d. Evaluate Configuration Validator
The RADIUS Authentication Troubleshooting tool attempts to examine different aspects of a
session and provide some additional details that might not have been available in the detailed
authentication report, as well as provide some suggestions for items to check next.
3. True or False? Logging levels in ISE can be set to debug level only from the command-line
interface.
a. True
b. False
Each ISE component can have its logging levels changed through the graphical user
interface only.
4. Which ISE tool displays a correlated view of authentications, change of authorizations, and
state changes of an endpoint through its lifecycle on a network?
a. Live Log
b. Live Sessions Log
c. RADIUS Authentication Troubleshooting Tool
d. Evaluate Configuration Validator
The Live Sessions Log correlates activity related to the entire session, not just the raw
entries related to a passed or failed authentication.
5. Which ISE tool displays a near real-time view of passed and failed authentications?
a. Live Log
b. Live Sessions Log
c. RADIUS Authentication Troubleshooting Tool
d. Evaluate Configuration Validator
The Live Log displays events related to the raw syslog messages sent from the PSN to the
MNT node, focused on passed or failed authentications.
6. Choose the option that best describes how external syslog servers can receive logs from ISE.
a. Each PSN must be configured locally to send syslog to all sources.
b. It is not possible to configure ISE to log to external logging servers.
c. The MnT node is configured to forward all received syslog to the external recipients.
d. Each PSN sends syslog to the MNT nodes, and the external syslog receivers at the same time.
Logging targets are configured centrally, and the settings are pushed down to each PSN.
Each PSN is configured to send syslog messages to all configured logging targets concurrently
7. Where does an ISE admin disable all event de-duplication?
a. Administration > System > Logging > Message Catalog
b. Administration > System > Protocols > RADIUS
c. Administration > System > Logging > Remote Logging Targets
d. Administration > System > Protocols > IEEE 802.1X
The Suppress Anomalous Clients setting within Administration > System > Protocols >
RADIUS is used to enable log de-duplication.
8. Which tool will gather all the important log files and combine them into a single bundle for
TAC?
a. Cisco AnyConnect Network Access Manager (NAM)
b. Cisco AnyConnect Diagnostic and Reporting Tool (DART)
c. Cisco NAC Agent
d. Cisco ISE Agent
Cisco AnyConnect DART is the module used to collect all log files from the endpoint along
with other important information, combining them all into a single Zip file for analysis by
Cisco TAC.
9. What are the three main locations to troubleshoot network access authentication?
a. ISE, firewall, NAD
b. ISE, endpoint, firewall
c. ISE, endpoint, NAD
d. Endpoint, firewall, NAD
Although a firewall can sometimes be a good place to troubleshoot why communication is
not successful, the three main locations to troubleshoot network access are ISE, the endpoint,
and the NAD.
10. Which debug command will provide the best detail to identify why a URL redirection might not
be working?
a. debug authentication
b. debug epm all
c. debug dot1x all
d. debug aaa all
debug epm is the go-to debug command for all activities related to URL-redirection, dACLs
being applied, SGTs being assigned, and all other activity related to an authentication session
advanced capabilities
