NEW QUESTION 1
A company manager is hosting a conference. Conference participants must connect to an open guest SSID and only use a preassigned code that they enter into the guest portal prior to gaining access to the network. How should the manager configure Cisco ISE to accomplish this goal?

• A. Create entries in the guest identity group for all participants.
• B. Create an access code to be entered in the AUP page.
• C. Create logins for each participant to give them sponsored access.
• D. Create a registration code to be entered on the portal splash page.

Answer: B

NEW QUESTION 2
Which two default endpoint identity groups does Cisco ISE create? (Choose two )

• A. block list
• B. endpoint
• C. profiled
• D. allow list
• E. unknown

Answer: CE

Explanation:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide
Default Endpoint Identity Groups Created for EndpointsCisco ISE creates the following five endpoint identity groups by default: Blacklist, GuestEndpoints, Profiled, RegisteredDevices, and Unknown. In addition, it creates two more identity groups, such as Cisco-IP-Phone and Workstation, which are associated to the Profiled (parent) identity group. A parent group is the default identity group that exists in the system.
Cisco ISE creates the following endpoint identity groups:
Blacklist—This endpoint identity group includes endpoints that are statically assigned to this group in Cisco ISE and endpoints that are block listed in the device registration portal. An authorization profile can be defined in Cisco ISE to permit, or deny network access to endpoints in this group.
GuestEndpoints—This endpoint identity group includes endpoints that are used by guest users.
Profiled—This endpoint identity group includes endpoints that match endpoint profiling policies except Cisco IP phones and workstations in Cisco ISE.
RegisteredDevices—This endpoint identity group includes endpoints, which are registered devices that are added by an employee through the devices registration portal. The profiling service continues to profile these devices normally when they are assigned to this group. Endpoints are statically assigned to this group in Cisco ISE, and the profiling service cannot reassign them to any other identity group. These devices will appear like any other endpoint in the endpoints list. You can edit, delete, and block these devices that you added through the device registration portal from the endpoints list in the Endpoints page in Cisco ISE. Devices that you have blocked in the device registration portal are assigned to the Blacklist endpoint identity group, and an authorization profile that exists in Cisco ISE redirects blocked devices to a URL, which displays “Unauthorised Network Access”, a default portal page to the blocked devices.
Unknown—This endpoint identity group includes endpoints that do not match any profile in Cisco ISE. In addition to the above system created endpoint identity groups, Cisco ISE creates the following endpoint
identity groups, which are associated to the Profiled identity group:
Cisco-IP-Phone—An identity group that contains all the profiled Cisco IP phones on your network.
Workstation—An identity group that contains all the profiled workstations on your network.

NEW QUESTION 3
What is a function of client provisioning?

• A. Client provisioning ensures that endpoints receive the appropriate posture agents.
• B. Client provisioning checks a dictionary attribute with a value.
• C. Client provisioning ensures an application process is running on the endpoint.
• D. Client provisioning checks the existence, date, and versions of the file on a client.

Answer: A

Explanation:
https://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_client_prov.html#:~:text=After%20

NEW QUESTION 4
An engineer is designing a BYOD environment utilizing Cisco ISE for devices that do not support native supplicants Which portal must the security engineer configure to accomplish this task?

• A. MDM
• B. Client provisioning
• C. My devices
• D. BYOD

Answer: C

Explanation:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide

NEW QUESTION 5
An administrator for a small network is configuring Cisco ISE to provide dynamic network access to users. Management needs Cisco ISE to not automatically trigger a CoA whenever a profile change is detected. Instead, the administrator needs to verify the new profile and manually trigger a CoA. What must be configuring in the profiler to accomplish this goal?

• A. Port Bounce
• B. No CoA
• C. Session Query
• D. Reauth

Answer: B

Explanation:
https://ciscocustomer.lookbookhq.com/iseguidedjourney/ISE-profiling-policies

NEW QUESTION 6
An administrator is trying to collect metadata information about the traffic going across the network to gam added visibility into the hosts. This Information will be used to create profiling policies for devices us mg Cisco ISE so that network access policies can be used What must be done to accomplish this task?

• A. Configure the RADIUS profiling probe within Cisco ISE
• B. Configure NetFlow to be sent to me Cisco ISE appliance.
• C. Configure SNMP to be used with the Cisco ISE appliance
• D. Configure the DHCP probe within Cisco ISE

Answer: D

NEW QUESTION 7
An administrator must block access to BYOD endpoints that were onboarded without a certificate and have been reported as stolen in the Cisco ISE My Devices Portal. Which condition must be used when configuring an authorization policy that sets DenyAccess permission?

• A. Endpoint Identity Group is Blocklist, and the BYOD state is Registered.
• B. Endpoint Identify Group is Blocklist, and the BYOD state is Pending.
• C. Endpoint Identity Group is Blocklist, and the BYOD state is Lost.
• D. Endpoint Identity Group is Blocklist, and the BYOD state is Reinstate.

Answer: A

Explanation:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ISE_26_admin_guide/b_ISE_admin_26_

NEW QUESTION 8
An administrator made changes in Cisco ISE and needs to apply new permissions for endpoints that have already been authenticated by sending a CoA packet to the network devices. Which IOS command must be configured on the devices to accomplish this goal?

• A. aaa server radius dynamic-author
• B. authentication command bounce-port
• C. authentication command disable-port
• D. aaa nas port extended

Answer: A

NEW QUESTION 9
When planning for the deployment of Cisco ISE, an organization's security policy dictates that they must use network access authentication via RADIUS. It also states that the deployment provide an adequate amount of security and visibility for the hosts on the network. Why should the engineer configure MAB in this situation?

• A. The Cisco switches only support MAB.
• B. MAB provides the strongest form of authentication available.
• C. The devices in the network do not have a supplicant.
• D. MAB provides user authentication.

Answer: C

NEW QUESTION 10
Which two components are required for creating a Native Supplicant Profile within a BYOD flow? (Choose two)

• A. Windows Settings
• B. Connection Type
• C. iOS Settings
• D. Redirect ACL
• E. Operating System

Answer: BE

Explanation:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_

NEW QUESTION 11
What is the purpose of the ip http server command on a switch?

• A. It enables the https server for users for web authentication
• B. It enables MAB authentication on the switch
• C. It enables the switch to redirect users for web authentication.
• D. It enables dot1x authentication on the switch.

Answer: C

NEW QUESTION 12
An organization is hosting a conference and must make guest accounts for several of the speakers attending. The conference ended two days early but the guest accounts are still being used to access the network. What must be configured to correct this?

• A. Create an authorization rule denying sponsored guest access.
• B. Navigate to the Guest Portal and delete the guest accounts.
• C. Create an authorization rule denying guest access.
• D. Navigate to the Sponsor Portal and suspend the guest accounts.

Answer: D

NEW QUESTION 13
An engineer is working with a distributed deployment of Cisco ISE and needs to configure various network probes to collect a set of attributes from the used to accomplish this task?

• A. policy service
• B. monitoring
• C. pxGrid
• D. primary policy administrator

Answer: B

NEW QUESTION 14
An engineer is configuring Cisco ISE to reprofile endpoints based only on new requests of INIT-REBOOT and SELECTING message types. Which probe should be used to accomplish this task?

• A. MMAP
• B. DNS
• C. DHCP
• D. RADIUS

Answer: C

NEW QUESTION 15
Which two fields are available when creating an endpoint on the context visibility page of Cisco IS? (Choose two)

• A. Policy Assignment
• B. Endpoint Family
• C. Identity Group Assignment
• D. Security Group Tag
• E. IP Address

Answer: AC

NEW QUESTION 16
Which two actions occur when a Cisco ISE server device administrator logs in to a device? (Choose two)

• A. The device queries the internal identity store
• B. The Cisco ISE server queries the internal identity store
• C. The device queries the external identity store
• D. The Cisco ISE server queries the external identity store.
• E. The device queries the Cisco ISE authorization server

Answer: AD

NEW QUESTION 17
An administrator is configuring a new profiling policy in Cisco ISE for a printer type that is missing from the profiler feed The logical profile Printers must be used in the authorization rule and the rule must be hit. What must be done to ensure that this configuration will be successful^

• A. Create a new logical profile for the new printer policy
• B. Enable the EndPoints:EndPointPolicy condition in the authorization policy.
• C. Add the new profiling policy to the logical profile Printers.
• D. Modify the profiler conditions to ensure that it goes into the correct logical profile

Answer: B

NEW QUESTION 18
An engineer is working with a distributed deployment of Cisco ISE and needs to configure various network probes to collect a set of attributes from the endpoints on the network. Which node should be used to accomplish this task?

• A. PSN
• B. primary PAN
• C. pxGrid
• D. MnT

Answer: A

NEW QUESTION 19
......