Question 131
An administrator needs to give the same level of access to the network devices when users are logging into them using TACACS+. However, the administrator must restrict certain commands based on one of three user roles that require different commands.
How is this accomplished without creating too many objects using Cisco ISE?
A. Create one shell profile and one command set.
B. Create multiple shell profiles and one command set.
C. Create multiple shell profiles and multiple command sets.
D. Create one shell profile and multiple command sets.
Question 132
What are two differences between the RADIUS and TACACS+ protocols? (Choose two.)
A. RADIUS offers multiprotocol support, whereas TACACS+ does not.
B. RADIUS is a Cisco proprietary protocol, whereas TACACS+ is an open standard protocol.
C. RADIUS enables encryption of all the packets, whereas with TACACS+, only the password is encrypted.
D. RADIUS combines authentication and authorization, whereas TACACS+ does not.
E. TACACS+ uses TCP port 49, whereas RADIUS uses UDP ports 1812 and 1813.
Question 133
An administrator adds a new network device to the Cisco ISE configuration to authenticate endpoints to the network. The RADIUS test fails after the administrator configures all of the settings in Cisco ISE and adds the proper configurations to the switch.
What is the issue?
A. The endpoint profile is showing as ''unknown"
B. The endpoint does not have the appropriate credentials for network access
C. The certificate on the switch is self-signed, not a CA-provided certificate
D. The shared secret is incorrect on the switch or on Cisco ISE
Question 134
An organization is adding nodes to their Cisco ISE deployment and has two nodes designated as primary and secondary PAN and MnT nodes. The organization also has four PSNs. An administrator is adding two more PSNs to this deployment but is having problems adding one of them. What is the problem?
A. Only five PSNs are allowed to be in the Cisco ISE cube if configured this way.
B. One of the new nodes must be designated as a pxGrid node.
C. The new nodes must be set to primary prior to being added to the deployment.
D. The current PAN is only able to track a max of four nodes.
Question 135
Which two Cisco ISE deployment models require two nodes configured with dedicated PAN and MnT personas? (Choose two.)
A. seven PSN nodes with one PxGrid node
B. two PSN nodes with one PxGrid node
C. five PSN nodes with one PxGrid node
D. six PSN nodes:
E. three PSN nodes
Question 136
An organization wants to enable web-based guest access for both employees and visitors. The goal is to use a single portal for both user types
Which two authentication methods should be used to meet this requirement? (Choose two.)
A. LDAP
B. MAC-based
C. Certificate-based
D. LOCAL
E. 802.1X
Question 137
Refer to the exhibit. An engineer is configuring the remote access VPN to use Cisco ISE for AAA and needs to conduct posture checks on the connecting endpoints. After the endpoint connects, it receives its initial authorization result and continues onto the compliance scan. What must be done for this AAA configuration to allow compliant access to the network?
A. Ensure that authorization only mode is not enabled.
B. Enable dynamic authorization within the AAA server group.
C. Fix the CoA port number.
D. Configure the posture authorization so it defaults to unknown status
Question 138
An administrator has added a new Cisco ISE PSN to their distributed deployment
Which two features must the administrator enable to accept authentication requests and profile the endpoints correctly, and add them to their respective endpoint identity groups? (Choose two.)
A. Session Services
B. Profiling Services
C. Radius Service
D. Posture Services
E. Endpoint Attribute Filter
Question 139
While configuring Cisco TrustSec on Cisco IOS devices, the engineer must set the CTS device ID and password in order for the devices to authenticate with each other. However, after this is complete, the devices are not able to properly authenticate. What issue would cause this to happen even if the device ID and passwords are correct?
A. EAP-FAST is not enabled.
B. The SGT mappings have not been defined.
C. The device aliases are not matching.
D. The devices are missing the configuration cts credentials trustsec verify 1.
Question 140
Refer to the exhibit. An administrator is manually adding a device to a Cisco ISE identity group to ensure that it is able to access the network when needed without authentication. Upon testing, the administrator notices that the device never hits the correct authorization policy line using the condition EndPoints-LogicalProfileEQUALS static_list. Why is this occurring?
A. The dynamic logical profile is overriding the statically assigned profile.
B. The logical profile is being statically assigned instead of the identity group.
C. The identity group is being assigned instead of the logical profile.
D. The device is changing identity groups after profiling instead of remaining static.
