January/2023 Latest Braindump2go 300-715 Exam Dumps with PDF and VCE Free Updated Today! Following are some new Braindump2go 300-715 Real Exam Questions!

QUESTION 66
Which portal is used to customize the settings for a user to log in and download the compliance module?

A. Client Profiling
B. Client Endpoint
C. Client Provisioning
D. Client Guest

Answer: C

QUESTION 67
Which term refers to an endpoint agent that tries to join an 802.1X-enabled network?

A. EAP server
B. supplicant
C. client
D. authenticator

Answer: B

QUESTION 68
Which two features are available when the primary admin node is down and the secondary admin node has not been promoted? (Choose two)

A. hotspot
B. new AD user 802.1X authentication
C. posture
D. BYOD
E. guest AUP

Answer: BC

QUESTION 69
Which protocol must be allowed for a BYOD device to access the BYOD portal?

A. HTTP
B. SMTP
C. HTTPS
D. SSH

Answer: C

QUESTION 70
An administrator enables the profiling service for Cisco ISE to use for authorization policies while in closed mode. When the endpoints connect, they receive limited access so that the profiling probes can gather information and Cisco ISE can assign the correct profiles. They are using the default values within Cisco ISE, but the devices do not change their access due to the new profile. What is the problem?

A. In closed mode, profiling does not work unless CDP is enabled.
B. The profiling probes are not able to collect enough information to change the device profile
C. The profiler feed is not downloading new information so the profiler is inactive
D. The default profiler configuration is set to No CoA for the reauthentication setting

Answer: D

QUESTION 71
Which types of design are required in the Cisco ISE ATP program?

A. schematic and detailed
B. preliminary and final
C. high-level and low-level designs
D. top down and bottom up

Answer: C

QUESTION 72
If there is a firewall between Cisco ISE and an Active Directory external identity store, which port does not need to be open?

A. UDP/TCP 389
B. UDP123
C. TCP 21
D. TCP 445
E. TCP 88

Answer: C

QUESTION 73
What are the three default behaviors of Cisco ISE with respect to authentication, when a user connects to a switch that is configured for 802.1X, MAB, and WebAuth? (Choose three)

A. MAB traffic uses internal endpoints for retrieving identity.
B. Dot1X traffic uses a user-defined identity store for retrieving identity.
C. Unmatched traffic is allowed on the network.
D. Unmatched traffic is dropped because of the Reject/Reject/Drop action that is configured under Options.
E. Dot1 traffic uses internal users for retrieving identity.

Answer: ADE

QUESTION 74
Which statement is true?

A. A Cisco ISE Advanced license is perpetual in nature.
B. A Cisco ISE Advanced license can be installed on top of a Base and/or Wireless license.
C. A Cisco ISE Wireless license can be installed on top of a Base and/or Advanced license.
D. A Cisco ISE Advanced license can be used without any Base licenses.

Answer: B

QUESTION 75
In which scenario does Cisco ISE allocate an Advanced license?

A. guest services with dACL enforcement
B. endpoint authorization using SGA enforcement
C. dynamic device profiling
D. high availability Administrator nodes

Answer: C

QUESTION 76
Which Cisco ISE node does not support automatic failover?

A. Inline Posture node
B. Monitoring node
C. Policy Services node
D. Admin node

Answer: C
Explanation:
Admin node have Auto PAN failover, Monitor Node have Primary/Secondary and – both active all times.
https://www.ciscopress.com/articles/article.asp?p=2812072&seqNum=2

QUESTION 77
Which scenario does not support Cisco ISE guest services?

A. wired NAD with local WebAuth
B. wireless LAN controller with central WebAuth
C. wireless LAN controller with local WebAuth
D. wired NAD with central WebAuth

Answer: B

QUESTION 78
By default, which traffic does an 802.IX-enabled switch allow before authentication?

A. all traffic
B. no traffic
C. traffic permitted in the port dACL on Cisco ISE
D. traffic permitted in the default ACL on the switch

Answer: D

QUESTION 79
What does MAB leverage a MAC address for?

A. Calling-Station-ID
B. password
C. cisco-av-pair
D. username

Answer: D

QUESTION 80
Which three conditions can be used for posture checking? (Choose three.)

A. certificate
B. operating system
C. file
D. application
E. service

Answer: CDE

QUESTION 81
Which use case validates a change of authorization?

A. An authenticated, wired EAP-capable endpoint is discovered
B. An endpoint profiling policy is changed for authorization policy.
C. An endpoint that is disconnected from the network is discovered
D. Endpoints are created through device registration for the guests

Answer: B
Explanation:
https://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_prof_pol.html

QUESTION 82
An administrator is adding a switch to a network that is running Cisco ISE and is only for IP Phones.
The phones do not have the ability to authenticate via 802.1X.
Which command is needed on each switch port for authentication?

A. enable bypass-MAC
B. dot1x system-auth-control
C. mab
D. enable network-authentication

Answer: C
Explanation:
Standalone MAC Authentication Bypass (MAB) is an authentication method that grants network access to specific MAC addresses regardless of 802.1X capability or credentials. As a result, devices such as cash registers, fax machines, and printers can be readily authenticated, and network features that are based on authorization policies can be made available.
Before standalone MAB support was available, MAB could be configured only as a failover method for 802.1x authentication. Standalone MAB is independent of 802.1x authentication.
https://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_aaa/configuration/15-2mt/sec-config-mab.html

QUESTION 83
A network engineer is configuring a network device that needs to filter traffic based on security group tags using a security policy on a routed into this task?

A. cts authorization list
B. cts role-based enforcement
C. cts cache enable
D. cts role-based policy priority-static

Answer: B

QUESTION 84
An engineer is working with a distributed deployment of Cisco ISE and needs to configure various network probes to collect a set of attributes from the used to accomplish this task?

A. policy service
B. monitoring
C. pxGrid
D. primary policy administrator

Answer: A

QUESTION 85
An engineer is configuring Cisco ISE to reprofile endpoints based only on new requests of INIT-REBOOT and SELECTING message types. Which probe should be used to accomplish this task?

A. MMAP
B. DNS
C. DHCP
D. RADIUS

Answer: C

QUESTION 86
An engineer is using Cisco ISE and configuring guest services to allow wireless devices to access the network. Which action should accomplish this task?

A. Create the redirect ACL on the WLC and add it to the WLC policy
B. Create the redirect ACL on the WLC and add it to the Cisco ISE policy.
C. Create the redirect ACL on Cisco ISE and add it to the WLC policy
D. Create the redirect ACL on Cisco ISE and add it to the Cisco ISE Policy

Answer: B

QUESTION 87
An engineer is configuring web authentication using non-standard ports and needs the switch to redirect traffic to the correct port. Which command should be used to accomplish this task?

A. permit tcp any any eq <port number>
B. aaa group server radius proxy
C. ip http port <port number>
D. aaa group server radius

Answer: C

QUESTION 88
An administrator needs to connect ISE to Active Directory as an external authentication source and allow the proper ports through the firewall. Which two ports should be opened to accomplish this task? (Choose two)

A. TELNET 23
B. LDAP 389
C. HTTP 80
D. HTTPS 443
E. MSRPC 445

Answer: BE

QUESTION 89
Refer to the exhibit. A network engineers configuring the switch to accept downloadable ACLs from a Cisco ISC server.
Which two commands should be run to complete the configuration? (Choose two)

A. aaa authorization auth-proxy default group radius
B. radius server vsa sand authentication
C. radius-server attribute 8 include-in-access-req
D. ip device tracking
E. dot1x system-auth-control

Answer: BD
Explanation:
To configure a switch to accept downloadable ACLs or redirect URLs from the RADIUS server during authentication of an attached host, perform this task.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip device tracking
4. aaa new-model
5. aaa authorization network default group radius
6. radius-server vsa send authentication
7. interface interface-id
8. ip access-group acl-id in
9. end
10. show running-config interfaceinterface-id
11. copy running-config startup-config
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/15-mt/sec-user-8021x-15-mt-book/sec-ieee-802x-acl-assign.html

QUESTION 90
An engineer is using the low-impact mode for a phased deployment of Cisco ISE and is trying to connect to the network prior to authentication. Which access will be denied in this?

A. HTTP
B. DNS
C. EAP
D. DHCP

Answer: A

QUESTION 91
A network engineer needs to ensure that the access credentials are not exposed during the 802.1x authentication among components. Which two protocols should complete this task?

A. PEAP
B. EAP-MD5
C. LEAP
D. EAP-TLS
E. EAP-TTLS

Answer: AE
Explanation:
https://www.intel.it/content/www/it/it/support/articles/000006999/wireless/legacy-intel-wireless-products.html

QUESTION 92
An engineer is configuring a guest password policy and needs to ensure that the password complexity requirements are set to mitigate brute force attacks. Which two requirement complete this policy? (Choose two)

A. minimum password length
B. active username limit
C. access code control
D. gpassword expiration period
E. username expiration date

Answer: AD

QUESTION 93
Which two actions occur when a Cisco ISE server device administrator logs in to a device? (Choose two)

A. The device queries the internal identity store
B. The Cisco ISE server queries the internal identity store
C. The device queries the external identity store
D. The Cisco ISE server queries the external identity store.
E. The device queries the Cisco ISE authorization server

Answer: BD
Explanation:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/b_ise_27_admin_guide/b_ISE_admin_27_device_admin.html#concept_9B1DD5A7AD9C445AAC764722E6E7D32A
The device administrator performs the task of setting up a device to communicate with the Cisco ISE server. When a device administrator logs on to a device, the device queries the Cisco ISE server, which in turn queries an internal or external identity store, to validate the details of the device administrator. When the validation is done by the Cisco ISE server, the device informs the Cisco ISE server of the final outcome of each session or command authorization operation for accounting and auditing purposes.

QUESTION 94
When planning for the deployment of Cisco ISE, an organization’s security policy dictates that they must use network access authentication via RADIUS. It also states that the deployment provide an adequate amount of security and visibility for the hosts on the network. Why should the engineer configure MAB in this situation?

A. The Cisco switches only support MAB.
B. MAB provides the strongest form of authentication available.
C. The devices in the network do not have a supplicant.
D. MAB provides user authentication.

Answer: C

QUESTION 95
In a Cisco ISE split deployment model, which load is split between the nodes?

A. AAA
B. network admission
C. log collection
D. device admission

Answer: A
Explanation:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/install_guide/b_ise_InstallationGuide26.pdf

QUESTION 96
An engineer is implementing Cisco ISE and needs to configure 802.1X. The port settings are configured for port-based authentication.
Which command should be used to complete this configuration?

A. dot1x pae authenticator
B. dot1x system-auth-control
C. authentication port-control auto
D. aaa authentication dot1x default group radius

Answer: B
Explanation:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/install_guide/b_ise_InstallationGuide26.pdf

QUESTION 97
Which two default endpoint identity groups does Cisco ISE create? (Choose two )

A. block list
B. endpoint
C. profiled
D. allow list
E. unknown

Answer: CE
Explanation:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_010100.html
Default Endpoint Identity Groups Created for Endpoints Cisco ISE creates the following five endpoint identity groups by default: Blacklist, GuestEndpoints, Profiled, RegisteredDevices, and Unknown. In addition, it creates two more identity groups, such as Cisco-IP-Phone and Workstation, which are associated to the Profiled (parent) identity group. A parent group is the default identity group that exists in the system. Cisco ISE creates the following endpoint identity groups:
Blacklist–This endpoint identity group includes endpoints that are statically assigned to this group in Cisco ISE and endpoints that are block listed in the device registration portal. An authorization profile can be defined in Cisco ISE to permit, or deny network access to endpoints in this group.
GuestEndpoints–This endpoint identity group includes endpoints that are used by guest users.
Profiled–This endpoint identity group includes endpoints that match endpoint profiling policies except Cisco IP phones and workstations in Cisco ISE.
RegisteredDevices–This endpoint identity group includes endpoints, which are registered devices that are added by an employee through the devices registration portal. The profiling service continues to profile these devices normally when they are assigned to this group. Endpoints are statically assigned to this group in Cisco ISE, and the profiling service cannot reassign them to any other identity group. These devices will appear like any other endpoint in the endpoints list. You can edit, delete, and block these devices that you added through the device registration portal from the endpoints list in the Endpoints page in Cisco ISE. Devices that you have blocked in the device registration portal are assigned to the Blacklist endpoint identity group, and an authorization profile that exists in Cisco ISE redirects blocked devices to a URL, which displays “Unauthorised Network Access”, a default portal page to the blocked devices.
Unknown–This endpoint identity group includes endpoints that do not match any profile in Cisco ISE.
In addition to the above system created endpoint identity groups, Cisco ISE creates the following endpoint identity groups, which are associated to the Profiled identity group:
Cisco-IP-Phone–An identity group that contains all the profiled Cisco IP phones on your network.
Workstation–An identity group that contains all the profiled workstations on your network.

QUESTION 98
In a standalone Cisco ISE deployment, which two personas are configured on a node? (Choose two )

A. publisher
B. administration
C. primary
D. policy service
E. subscriber

Answer: BD
Explanation:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_010.html

QUESTION 99
What happens when an internal user is configured with an external identity store for authentication, but an engineer uses the Cisco ISE admin portal to select an internal identity store as the identity source?

A. Authentication is redirected to the internal identity source.
B. Authentication is redirected to the external identity source.
C. Authentication is granted.
D. Authentication fails.

Answer: D

QUESTION 100
An engineer is configuring web authentication and needs to allow specific protocols to permit DNS traffic. Which type of access list should be used for this configuration?

A. reflexive ACL
B. extended ACL
C. standard ACL
D. numbered ACL

Answer: B


Resources From:

1.2022 Latest Braindump2go 300-715 Exam Dumps (PDF & VCE) Free Share:
https://www.braindump2go.com/300-715.html

2.2022 Latest Braindump2go 300-715 PDF and 300-715 VCE Dumps Free Share:
https://drive.google.com/drive/folders/1-jcJT1SxbH3DDB-cgSq_cPEhlxMEfvFK?usp=sharing

Free Resources from Braindump2go,We Devoted to Helping You 100% Pass All Exams!