Free 300-715 Exam Braindumps (page: 32)


An engineer is configuring a new Cisco ISE node. Context-sensitive information must be shared between the Cisco ISE and a Cisco ASA.
Which persona must be enabled?

  A. pxGrid
  B. Administration
  C. Policy Service
  D. Monitoring

Answer(s): A

Explanation:

To share context-sensitive information, such as user identity, device posture, or Security Group Tags (SGTs), between Cisco ISE and a Cisco ASA, the pxGrid (Platform Exchange Grid) persona must be enabled. pxGrid allows Cisco ISE to publish contextual data to external systems, including Cisco ASA, which enables the enforcement of dynamic security policies based on that context.
Use Case:
Cisco ASA can subscribe through pxGrid to retrieve real-time context from Cisco ISE, such as user identities or device compliance posture, and use it to apply granular security rules and enforce proper network segmentation.
pxGrid also facilitates integration for dynamic policy enforcement based on context such as threat intelligence or user roles.



DRAG DROP (Drag and Drop is not supported)
A security engineer configures a Cisco Catalyst switch to use Cisco TrustSec. The engineer must define the PAC key to authenticate the switch to Cisco ISE. Drag and drop the commands from the left into sequence on the right. Not all options are used.
Select and Place:

  A. See Explanation section for answer.

Answer(s): A

Explanation:



An engineer must use Cisco ISE to provide network access to endpoints that cannot support 802.1X. The endpoint MAC addresses must be allowlisted by configuring an endpoint identity group. These configurations were performed:
configured an identity group named allowlist
configured the endpoints to use the MAC address of incompatible 802.1X devices
added the endpoints to the allowlist identity group
configured an authentication policy for MAB users
What must be configured?

  A. logical profile that matches the allowlist identity group based on the configured policy
  B. authorization profile that has the PermitAccess permission and matches the allowlist identity group
  C. authorization policy that has the PermitAccess permission and matches the allowlist identity group
  D. authentication profile that has the PermitAccess permission and matches the allowlist identity group

Answer(s): C

Explanation:

Since the endpoints cannot support 802.1X, they must be authenticated using MAC Authentication Bypass (MAB). The authentication policy has already been configured for MAB users, meaning ISE will attempt to authenticate each endpoint based on its MAC address. However, a successful authentication alone does not grant network access; an authorization policy is required for that.
The authorization policy determines what level of access is granted after authentication. The policy must match devices in the allowlist identity group and apply the PermitAccess permission, allowing them onto the network. An authorization profile (option B) only defines the permissions; it has no effect until an authorization policy rule references it.



Wireless network users authenticate to Cisco ISE using 802.1X through a Cisco Catalyst switch. An engineer must create an updated configuration to assign a security group tag to the user’s traffic using inline tagging to pr server. The configurations were performed:
configured the switch as a RADIUS device in Cisco ISE
configured the wireless LAN controller as a TrustSec device in Cisco ISE
created a security group tag for the wireless users
created a certificate authentication profile
created an identity source sequence
assigned an appropriate security group tag to the wireless users
defined security group access control lists to specify an egress policy
enforced the access control lists on the TrustSec policy matrix in Cisco ISE
configured TrustSec on the switch
configured TrustSec on the wireless LAN controller
Which two actions must be taken to complete the configuration? (Choose two.)

  A. Create static IP-to-SGT mapping for the restricted web server.
  B. Configure inline tag propagation on the switch and wireless LAN controller.
  C. Configure Security Group Tag Exchange Protocol to distribute IP to security group tags on Cisco ISE.
  D. Configure Security Group Tag Exchange Protocol on the switch.
  E. Configure Security Group Tag Exchange Protocol on the wireless LAN controller.

Answer(s): A,B

Explanation:

In this TrustSec deployment scenario, the objective is to ensure that wireless network users are tagged with a security group tag (SGT) and that their traffic is marked using inline tagging. This allows the network to enforce the SGT-based policies defined in Cisco ISE, such as preventing unauthenticated users from accessing a restricted server.
The configurations already performed include setting up Cisco ISE as the TrustSec AAA server, configuring TrustSec on both the Catalyst switch and the wireless LAN controller (WLC), and creating the necessary SGT and policies for wireless users.
Two additional actions are required:
1. Static IP-to-SGT Mapping for the Restricted Web Server (Option A): The restricted server is likely a non-authenticating endpoint, so it never receives an SGT through authentication. To enforce security policies (for example, denying access to unauthenticated users), Cisco ISE must know the server's SGT. This is achieved by creating a static mapping of the server's IP address to an SGT. With this static mapping in place, the network devices can classify traffic originating from or destined for the server with the appropriate SGT, ensuring that the policy defined in the TrustSec policy matrix is correctly applied.
2. Inline Tag Propagation on the Switch and Wireless LAN Controller (Option B):
Inline tagging carries the SGT inside the data frames. Although TrustSec has been configured on the switch and WLC, explicit configuration of inline tag propagation ensures that the SGT assigned by ISE is inserted into the packets as they traverse the network. This tagging is essential for downstream enforcement of security policies based on SGTs. SXP (options C, D and E) distributes IP-to-SGT bindings over a control-plane protocol instead of tagging the data traffic, so it is not what inline tagging requires.





