Question 141
An administrator is configuring sponsored guest access using Cisco ISE. Access must be restricted to the sponsor portal to ensure that only necessary employees can issue sponsored accounts, and employees must be classified to do so. What must be done to accomplish this task?
A. Modify the sponsor groups assigned to reflect the desired user groups.
B. Configure an identity-based access list in Cisco ISE to restrict the users allowed to login.
C. Edit the sponsor portal to only accept members from the selected groups.
D. Create an authorization rule using the Guest Flow condition to authorize the administrators.
Question 142
During a 802.1X deployment, an engineer must identify failed authentications without causing problems for the connected endpoint
Which command will successfully achieve this?
A. authentication open
B. dot1x pae authenticator
C. authentication port-control auto
D. dot1x system-auth-control
Question 143
An engineer is configuring TACACS+ within Cisco ISE for use with a non-Cisco network device. They need to send special attributes in the Access-Accept response to ensure that the users are given the appropriate access. What must be configured to accomplish this?
A. custom access conditions for defining the different roles
B. shell profiles with custom attributes that define the various roles
C. dACLs to enforce the various access policies for the users
D. TACACS+ command sets to provide appropriate access
Question 144
An administrator wants to configure network device administration and is trying to decide whether to use TACACS+ or RADIUS. A reliable protocol must be used that can check command authorization
Which protocol meets these requirements and why?
A. RADIUS because it runs over TCP.
B. RADIUS because it runs over UDP.
C. TACACS+ because it runs over TCP.
D. TACACS+ because it runs over UDP.
Question 145
An engineer is creating a new authorization policy to give the endpoints access to VLAN 310 upon successful authentication. The administrator tests the 802.1X authentication for the endpoint and sees that it is authenticating successful. What must be done to ensure that the endpoint is placed into the correct VLAN?
A. Configure the switchport access vlan 310 command on the switch port.
B. Add VLAN 310 in the common tasks of the authorization profile.
C. Ensure that the endpoint is using the correct policy set.
D. Ensure that the security group is not preventing the endpoint from being in VLAN 310.
Question 146
An engineer is configuring Cisco ISE for network device administration and has devices that support both protocols. What are two benefits of choosing TACACS+ over RADIUS for these devices? (Choose two.)
A. TACACS+ uses secure EAP-TLS while RADIUS does not.
B. TACACS+ is FIPS compliant while RADIUS is not.
C. TACACS+ encrypts the entire payload being sent while RADIUS only encrypts the password.
D. TACACS+ is designed for network access control while RADIUS is designed for role-based access.
E. TACACS+ provides the ability to authorize specific commands while RADIUS does not.
Question 147
A Cisco device has a port configured in multi-authentication mode and is accepting connections only from hosts assigned the SGT of SGT_0123456789. TheVLAN trunk link supports a maximum of 8 VLANS. What is the reason for these restrictions?
A. The device is performing inline tagging without acting as a SXP speaker.
B. The device is performing inline tagging while acting as a SXP speaker.
C. The IP subnet addresses are dynamically mapped to an SGT.
D. The IP subnet addresses are statically mapped to an SGT.
Question 148
Which Cisco ISE deployment model provides redundancy by having every node in the deployment configured with the Administration, Policy Service, andMonitoring personas to protect from a complete node failure?
A. dispersed
B. distributed
C. two-node
D. hybrid
