Fundamentals of AAA
1. Which of the following best describes the difference between authentication and authorization?
a. There is no difference between authentication and authorization.
b. Authorization determines what a user may do, whereas authentication determines what
devices the user can interact with.
c. Authentication is used with both network access and device administration, whereas
authorization applies only to device administration.
d. Authentication validates the user's identity, whereas authorization determines what that user is permitted to do.
Authentication is the validation of the identity credentials. Authorization is the
determination of what is allowed or disallowed based on those credentials.
2. Which of the following are types of AAA as related to the topics of this exam? (Select two.)
a. Device administration
b. Device access
c. A division of minor league baseball
d. Network access
e. Network administration
The two forms of authentication, authorization, and accounting that are relevant to the
SISAS exam are network access and device administration.
3. Which of the following protocols is best suited for granular command-level control with
device administration AAA?
a. DIAMETER
b. TACACS+
c. RADIUS
d. RADIUS+
TACACS+ is best suited for granular command-level control due to its ability to separate
authentication and authorization.
4. Which of the following protocols is best suited for authenticating and authorizing a user for
network access AAA?
a. TACACS+
b. CHAP
c. RADIUS
d. MS-CHAPv2
RADIUS is best suited for network access AAA due to its capability to work with numerous
authentication protocols, such as CHAP and MS-CHAPv2, but more importantly because of the dependency
on RADIUS for 802.1X authentications and the enhancements to RADIUS for change of
authorization.
5. True or False? RADIUS can be used for device administration AAA.
a. True
b. False
Both TACACS+ and RADIUS can be used to provide device administration AAA services;
however, TACACS+ offers command-level authorization and RADIUS does not.
6. Which of the following Cisco products should be used for device administration with
TACACS+?
a. Cisco Secure Access Control Server (ACS)
b. Cisco Identity Services Engine
c. Cisco TACACS+ Control Server (TCS)
d. Cisco Centri
Cisco ACS supports both RADIUS and TACACS+, including command sets, while Cisco ISE
version 1.2 supports only RADIUS.
7. Why is RADIUS or TACACS+ needed? Why can’t the end user authenticate directly to the
authentication server?
a. The added level of complexity helps Cisco and other vendors to sell more products.
b. Because the names sound so cool.
c. RADIUS and TACACS+ are used between the end user and the authentication server.
d. Both RADIUS and TACACS+ extend the Layer-2 authentication protocols, allowing the end
user to communicate with an authentication server that is not Layer-2 adjacent.
The majority of the authentication protocols used (EAP, CHAP, MS-CHAPv2, PAP) are
Layer-2 protocols meant to be topology independent. RADIUS and TACACS+ are used to
connect the end user to the authentication server, even when they are not on the same LAN
segment.
8. Which of the following are TACACS+ messages sent from the AAA client to the AAA server?
(Select all that apply.)
a. START
b. REPLY
c. CHALLENGE
d. REQUEST
TACACS+ clients send only two message types: START and CONTINUE. REPLY is sent
from the AAA server to the AAA client.
9. When using RADIUS, what tells the AAA server which type of action is being authenticated?
a. The TACACS+ service.
b. The Service-Type field.
c. RADIUS does not distinguish between different services.
d. The action AV-pair.
The Service-Type value tells the RADIUS server what is being performed. For example, a
Service-Type of Call-Check informs the AAA server that the client is performing a MAB request.
10. Which of the following best describes an AV-pair?
a. When communicating with an AAA protocol, the AV-pair stipulates a common attribute or
object and its assigned value.
b. Cisco likes to throw in terms to confuse the reader.
c. The AV-pair is used to choose either TACACS+ or RADIUS.
d. The AV-pair is used to specify the quality of service (QoS) for audio and video traffic.
The RADIUS server may be assigning an attribute to the authentication session, like a
VLAN, for example. The VLAN placeholder is the attribute, and the actual assigned VLAN
number is the value for that placeholder, as a pair.
Identity Management
1. What are two types of identities used in Cisco Identity Services Engine?
a. SSID
b. MAC address
c. Username
d. IP address
An identity is a representation of who a user or device is. Cisco ISE uses an endpoint’s
MAC address to uniquely identify that endpoint. A username is one method of uniquely
identifying an end user. Although SSIDs and IP addresses can be used as conditions or attributes
in ISE policies, they are not identities.
2. What are the two general types of identity stores used by Cisco ISE?
a. Temporary
b. External
c. Internal
d. Permanent
Cisco ISE can use identities stored in a database that resides as part of the ISE application
itself; these are known as internal identity stores. Examples are the GUEST user identity store
and the endpoints identity store. Identities can live outside of ISE, such as Active Directory, and
these are known as external identity stores.
3. Cisco ISE internal identity stores are used to authenticate which two of the following?
a. Endpoints
b. AD security groups
c. RADIUS
d. Users
ISE has two different types of internal identity stores: users and endpoints. The user
identity stores hold identities for interactive users, such as guests or employees. These have
attributes such as passwords for the authentication of the user. Endpoints have a different kind of
identity. Because they don’t interact with an authentication in most cases, their identities can
often just be their MAC addresses.
4. Which identity store attributes can be used in an ISE authorization policy? (Choose two.)
a. User
b. Time
c. Accounting
d. Machine
Either a user or a machine (endpoint) can be authorized for network access. Sometimes it
is possible to authorize based on the identity or attributes of both the user and the machine.
5. What is an individual identity store called?
a. Authentication source
b. Identity database
c. Identity source
d. Authentication database
The identity store is known as an identity source or an information source. The data
contained in the identity store is used for authentication and authorization purposes.
6. How is an identity source sequence processed?
a. Bottom to top
b. Left to right
c. Top to bottom
d. No particular order
An identity source sequence (ISS) is a list of identity stores. Much like an access control list
(ACL), the ISS is processed from the top to the bottom: the first entry that has the
identity is used, and the processing of the ISS ends.
7. Which of the following identity stores are supported by ISE for authentication? (Choose three.)
a. LDAP
b. TACACS
c. Microsoft Active Directory
d. RADIUS servers
Lightweight Directory Access Protocol is a standard directory type that allows vendors
to use a common communication structure to provide authentications and information about
identities. Microsoft’s Active Directory is an LDAP-like directory source and is one of the most
common identity sources in the modern world. In addition to querying an identity source
directly, ISE is also able to proxy RADIUS authentications to a different RADIUS server.
8. Which of the following can be used with an internal identity store?
a. SSID
b. Guest login
c. Administration
d. MAB
Internal identity stores can be used to authenticate user accounts or endpoints. A guest is a
type of internal user that ISE can authenticate. MAB is often used to “authenticate” endpoints
against the internal endpoints identity store.
9. What are the two types of internal identity stores used in ISE?
a. User database
b. Endpoint database
c. System database
d. Admin database
ISE has two different types of internal identity stores: users and endpoints. The user
identity stores hold identities for interactive users, like guests or employees. These have
attributes such as passwords for the authentication of the user. Endpoints have a different kind of
identity. Because they don't interact with an authentication in most cases, their identities can
often just be their MAC addresses.
10. What are the two primary reasons for using external identity stores?
a. Performance
b. Monitoring
c. Scalability
d. Management
External identity stores often exist already in an organization before ISE would be
installed. By pointing to those identity sources, the management overhead is dramatically
reduced because the accounts don’t have to be created again in ISE’s internal database(s).
Additionally, this enables the organization to scale more effectively by having a single source
of truth for identity.
EAP Over LAN (Also Known As 802.1X)
1. Which of the following is true?
a. The authenticator decides whether the supplicant is allowed on the network.
b. The EAP communication occurs between the supplicant and the authentication server.
c. The supplicant uses RADIUS to communicate the user's identity to the authentication server.
d. The authenticator uses EAP to send the user's credentials to the authentication server.
EAP communication occurs between the supplicant and the authentication server. The
authenticator acts as a middleman and encapsulates the unmodified EAP frames within the
RADIUS communication to the authentication server.
2. Which supplicant(s) is capable of EAP chaining?
a. Windows Native Supplicant
b. Cisco AnyConnect NAM
c. Cisco Secure Services Client (CSSC)
d. Odyssey Client
Only Cisco AnyConnect NAM 3.1 and newer are capable of running EAP chaining as of the
date this book was published.
3. What is the purpose of an outer identity?
a. The outer identity is used for dual-factor authentications such as a username/password
combined with a one-time password (OTP).
b. The outer identity provides a mechanism to modify the actual identity of the end user or
device to allow for identity spoofing.
c. The outer identity provides a mechanism to authenticate the identity of the endpoint during
the tunnel establishment phase.
d. The outer identity represents the machine, whereas the inner identity represents the user
during EAP chaining.
The outer identity provides a mechanism to authenticate the identity of the endpoint during
the tunnel establishment phase.
4. True or False? IEEE 802.1X may use TACACS+ to communicate the EAP identity to the
authentication server.
a. True
b. False
IEEE 802.1X must use RADIUS or DIAMETER. Note: DIAMETER is out of scope of the
exam blueprint.
5. True or False? The supplicant is required to trust the certificate of the authentication server
before it will form the TLS tunnel within which the EAP transaction will occur.
a. True
b. False
Supplicants have the option to not authenticate the server certificate. Additionally, EAP-FAST
offers the ability to use PAC files instead of certificates for tunnel establishment.
6. What is the name of the “secure cookie” used with EAP-FAST that can be used in lieu of a
certificate, or even in addition to a certificate?
a. Protected password file (PPF)
b. Shadow credential file (SCF)
c. Private authorization credential (PAC)
d. Protected access credential (PAC)
Protected access credentials (PACs) are a type of “secure cookie” that can be used instead of
or in addition to a certificate.
7. True or False? MSCHAPv2 may be used to perform machine authentication with an LDAP
connection to Active Directory.
a. True
b. False
MSCHAPv2 may be used for user authentication against LDAP, but not machine
authentication.
8. True or False? A machine authentication may use EAP-FAST.
a. True
b. False
The actual tunnel mechanism is unrelated to the ability to do a machine authentication. The
requirement is simply that it must be EAP-MSCHAPv2 for the authentication method.
9. What are the three main components of IEEE 802.1X?
a. Agent, broker, authentication server
b. Supplicant, authorizer, authorization server
c. Authentication server, supplicant, authenticator
d. EAP, RADIUS, TLS
The three main components of 802.1X are the authentication server, supplicant, and
authenticator.
10. True or False? A tunneled EAP type is able to use native EAP types as its inner method.
a. True
b. False
A tunneled EAP type is able to use native EAP types as its inner method.
Non-802.1X Authentications
1. True or False? To allow endpoints without configured supplicants to connect to a network
where IEEE 802.1X has been enabled, the administrator must disable 802.1X on the endpoints’
switch port.
a. True
b. False
The available options for nonauthenticating endpoints are MAC Authentication Bypass
(MAB) and Web Authentication (WebAuth).
2. Which of the following is true?
a. With nonauthenticating endpoints, the authenticator takes over the EAP communication
instead of the endpoint.
b. With nonauthenticating endpoints, the authenticator can be configured to send the MAC
address of the endpoint to the authentication server in a RADIUS Access-Request message.
c. The endpoint’s supplicant uses RADIUS to communicate the endpoint’s MAC address to the
authentication server.
d. The authenticator can use TACACS+ to send the endpoint’s MAC address to the
authentication server.
With nonauthenticating endpoints, the authenticator (a switch, for example) can be
configured to send the MAC address of the endpoint to the authentication server in a RADIUS
Access-Request message. This process is known as MAC authentication bypass (MAB).
3. Which of following is an accurate statement when using MAC authentication bypass (MAB)?
a. An administrator is limited in the types of authorization results that can be sent and is
restricted to a simple Permit-All or Deny-All result.
b. An administrator can assign all authorization results, except for VLAN assignment.
c. An administrator can assign all authorization results, except for security group tags (SGTs).
d. An administrator is not limited in the types of authorization results that can be sent, which
can include dACL, VLAN Assignment, SGT, and others.
With MAB, it is not recommended to use VLAN assignment, but MAB authorizations do not
limit the authorization results.
4. True or False? With centralized web authentication (CWA), ISE sends the username and
password to the authenticator.
a. True
b. False
With CWA, the authenticator only recognizes a MAB, and ISE maintains administrative
control of the entire session and the tracking of the user's credentials.
5. Which of following accurately describes local web authentication (LWA)?
a. With LWA, the authenticator redirects the end user's web traffic to a centralized portal hosted
on the authentication server, which is then returned to the local device (authenticator).
b. With LWA, the authenticator hosts a local web portal, which is coded to send an HTTP POST
to the authentication server containing the credentials of the end user. The authentication
server returns an HTTP POST with the Access-Accept or Access-Reject.
c. With LWA, the authenticator receives the credentials from the end user through a locally
hosted web portal, and it is the authenticator that sends the credentials to the authentication
server through a RADIUS Access-Request.
d. With LWA, the authenticator receives the credentials from the end user through a locally
hosted web portal, and the authenticator sends the credentials to the authentication server
through a TACACS+ Access-Request.
With LWA, the web portal is hosted within the authenticator. The end user enters her
credentials into the web portal, and the authenticator sends those credentials inside a RADIUS
Access-Request message to the authentication server. The authentication server returns the
Access-Accept or Access-Reject along with the full response.
6. Which of the following lists are non-802.1X authentications?
a. WebAuth, MAB, RA VPN
b. Remote Access, WebAuth, EAP-MSChapV2
c. PAP, LWA, RA VPN
d. WebAuth, EAP-GTC, HTTP POST
The three main non-802.1X authentication use cases are WebAuth (CWA and LWA), MAB,
and Remote Access VPN (RA VPN).
7. True or False? Cisco recommends changing the VLAN for a guest user after that visitor has
authenticated through Web Authentication to put that guest user into an isolated “guest network.”
a. True
b. False
When changing a VLAN assigned to an endpoint, that endpoint must know (somehow) to
renew the DHCP address. The best solution is to not use VLAN changes on open networks
because there is nothing on the client to detect the VLAN change and trigger the DHCP renewal.
8. Which non-802.1X authentication method uses specialized authorization results to connect a
user's credentials to a MAB session?
a. Remote access
b. Local web authentication with a centralized portal
c. Centralized web authentication (CWA)
d. Local web authentication
Centralized web authentication uses a web portal that is hosted on ISE to receive the user's
credentials. The authenticator sends a MAB request to ISE, and ISE responds with a RADIUS
Access-Accept, a URL redirection, and often a dACL that limits the access to the network. After
the credentials are received through the web portal, ISE sends a change of authorization (CoA)
to the authenticator causing a reauthentication. The reauthentication maintains the same session
ID, and ISE is able to tie the user's credentials to the MAB request, sending the final
authorization results for the end user.
9. What is one of the main reasons that MAB is used in modern-day networks?
a. Most endpoints, such as printers and IP phones, do not have supplicants and therefore cannot
use 802.1X.
b. The endpoints can have a supplicant, but the enablement and configuration of that supplicant could be overcomplicated or operationally difficult for the company. Therefore, the company opts to use MAB instead.
c. The endpoints mostly do have supplicants, but those are not compatible with Cisco networks.
d. MAB is equally as secure as 802.1X and therefore is chosen often to save the company the
operational difficulties of configuring the supplicants on such disparate endpoints.
There are many different “headless” endpoints in an organization, such as IP phones, IP
cameras, printers, badge readers, IV pumps, medical imaging systems, and so many more.
Some do not have supplicants. For those that do, the enablement and configuration of
supplicants on the disparate endpoints could be overcomplicated or operationally difficult for
the company. Many of the devices do not have a central management platform that is capable of
configuring each supplicant across large numbers of devices deployed at scale. Therefore,
MAB is chosen to provide network access to those headless devices.
10. True or False? Web authentication can be used for guest users as well as internal employees.
a. True
b. False
Web authentication is used for any interactive login when a supplicant is not available, and
sometimes it is even used as second authentication after 802.1X.
Introduction to Advanced Concepts
1. A RADIUS change of authorization enables an authentication server to do which of the
following?
a. Escalate an administrative user's access level within the server's administration portal
b. Grant context appropriate network access after initial access has previously been granted
c. Gain root-level access of all network devices
d. Take over the world
A RADIUS CoA allows an authentication server to trigger a reauthorization. This provides
an opportunity for the server to update a user's level of network access as the server learns
additional information about an endpoint, such as endpoint posture information.
2. Three possible options for change of authorization actions are which of the following?
a. IKEv1, IKEv2, SSL
b. HTTP, FTP, Telnet
c. No COA, Port Bounce, Reauth
d. User mode, privileged mode, configuration mode
In a situation where a CoA is warranted, an authentication server can perform a number of
actions: No COA (that is, do nothing), Port Bounce (that is, shut/no shut the relevant access "port"),
or Reauth (that is, force the endpoint to reauthenticate, used in cases where multiple endpoints are
present on a single access medium). Supported CoA actions can vary depending on the selected
authentication server.
3. MAC Authentication Bypass is a process by which a device does which of the following?
a. Bypasses all authentication and authorization processes by using a supplicant
b. Authenticates with an X.509 certificate to establish a secure tunnel with the network
c. Authenticates without an 802.1X supplicant on the endpoint by using its MAC address as the
RADIUS identity
d. Hides its MAC address from being discovered on the network
Those devices that don’t have an 802.1X supplicant available use MAC Authentication
Bypass. Without the supplicant, the device does not recognize EAP messages and, therefore,
EAP authentication techniques are NOT available. In the absence of EAP, the device will use its
MAC address as its unique identifier to authenticate to the network.
4. A MAC address is six octets in length, of which the first three octets are which of the
following?
a. A duplicate of the IP address subnet in hexadecimal format
b. Always the same across all network devices
c. Assigned dynamically upon connection to the network
d. An organizationally unique identifier (OUI) that indicates the device’s vendor
e. All F’s—that is, FF:FF:FF
The first three octets of a MAC address are the organizationally unique identifier (OUI).
This OUI indicates which vendor manufactured the device. This can be useful, at times, to also
indicate the function of the device—for instance, an IP phone or printer.
5. Which devices often lack an 802.1X supplicant?
a. Printers
b. Laptops
c. Cell phones
d. All of the above
Often, the “dumb” network devices are those that lack 802.1X supplicants. From this list, a
printer would be the most common device to lack 802.1X support. Other examples would
include an IP phone, IP cameras, and badge readers, amongst others.
6. Prior to MAB, a switchport with a non-802.1X client would be configured without 802.1X. This
presented issues because of which of the following?
a. A broadcast storm would be created as the endpoint device was plugged into the interface.
b. A non-802.1X client would still not be able to gain network access.
c. A rogue user could unplug the non-802.1X endpoint and gain unauthorized access to the
network.
d. Rebooting the device would cause the switchport to go into error disable.
Prior to MAB, there wasn’t a mechanism to authenticate a device based strictly on the
device’s MAC address. For this reason, the switchport would be configured without port
security or any level of end user or device authentication. This would allow any device, either
the intended device or an unintended rogue device that was plugged into that switchport, to have
unfettered access to the network.
7. Posture assessment can check for which of the following?
a. File conditions including existence, date, and/or version
b. Registry condition, whether a registry entry is or is not present, on Windows-based
endpoints
c. Service condition, whether a service is or is not running, on Windows-based endpoints
d. A and B
e. B and C
f. A, B, and C
Via posture checking, the endpoint can be checked for file conditions (existence, date,
and/or version), registry conditions (whether a registry entry is or is not present), and service
conditions (whether a service is or is not running), so all of the above are correct. Posture
checking also can confirm the presence, absence, and status of antivirus and antispyware
programs running on the endpoint.
8. When configuring authorization policy based on posture assessment outcome, which of the
following values are available for the PostureStatus attribute?
a. Permit, Deny, Drop
b. Compliant, NonCompliant, Unchecked
c. Internet Only, Partial Access, Full Access
d. Compliant, NonCompliant, Unknown
e. AntiVirusNotPresent, AntiVirusNeedsUpdate, AntiVirusCurrent
When using posture assessment as a condition for authorization policy, the values of the
PostureStatus condition can be Compliant, NonCompliant, or Unknown. Different levels of
network access and/or remediation can be authorized based on the status of this variable.
9. To remediate noncompliant endpoints, a redirect ACL must be defined _____ and the web
redirection must be destined to ______ portal on the authentication server.
a. as a dACL, remediation
b. on the switch, remediation
c. as a dACL, profiling mitigation
d. on the switch, profiling mitigation
e. as a dACL, authentication DMZ
f. on the switch, authentication DMZ
To remediate a noncompliant endpoint, a redirect ACL must be defined on the switch and the
redirect destination must be set to the remediation portal.
10. A mobile device manager is which of the following?
a. A network administrator responsible for onboarding all mobile devices into the
authentication server
b. An application that runs on a mobile device, allowing the user or endpoint to manage the
authentication server and other network devices
c. A wireless access point that detects rogue mobile endpoints
d. A software system or service that provides advanced posture assessment for mobile
endpoints
A mobile device manager is a software system or service that provides advanced posture
assessment for mobile endpoints. The MDM can determine the type of mobile device, the level
of operating system on the endpoint, the presence/absence of PIN lock, and whether encryption
is being used, as well as provide remote security services such as device lock and secure wipe.
Depending on the MDM vendor chosen, additional services also might be available.
Cisco Identity Services Engine
1. Cisco Identity Services Engine (ISE) is which of the following?
a. A switch that provides authenticated access to the network
b. A network management platform
c. A network security and policy platform
d. A unified computing system that incorporates virtualization of endpoints
Cisco Identity Services Engine is a network security and policy platform. Using Cisco ISE, a
network administrator can maintain and serve security policy to all network devices from a
central location.
2. The four key personas of Cisco ISE are which of the following? (Select four.)
a. Administration
b. Authentication Server
c. File Download
d. Monitoring and Troubleshooting
e. Policy Services Node
f. Identity Management
g. Inline Posture Node
Cisco ISE has four personas. These personas are Administration, Monitoring and
Troubleshooting, Policy Services Node, and Inline Posture Node. Each of these personas is
required at least once in an ISE deployment, with the exception of the Inline Posture Node. The
function of each persona is discussed within the chapter.
3. The Cisco ISE Administration Node persona is which of the following?
a. The node where policy configuration changes are made
b. The network management platform for the network
c. The engine where policy decisions are made
d. Responsible for logging and reporting data
Cisco ISE’s Policy Administration Node (PAN) persona is the instance of Cisco ISE where
policy configuration actually happens. This persona will then distribute this policy to all other
nodes.
4. The Cisco ISE Monitoring and Troubleshooting Node persona is which of the following?
a. The node where policy configuration changes are made
b. The network management platform for the network
c. The engine where policy decisions are made
d. Responsible for logging and reporting data
The Cisco ISE Monitoring and Troubleshooting (MnT) Node persona provides a platform
for logging and reporting data from the Cisco ISE deployment. As a user or device
authenticates and authorizes to the network, the ability to monitor and log those AAA events will
be the responsibility of the Monitoring and Troubleshooting Node.
5. The Cisco ISE Policy Service Node persona is which of the following?
a. The node where policy configuration changes are made
b. The network management platform for the network
c. The engine where policy decisions are made
d. Responsible for logging and reporting data
The Cisco ISE Policy Service Node (PSN) persona provides policy decision-making. As a
user or an endpoint attempts to authenticate to the network, the PSN will be responsible for
making the AAA decisions based on the policy as downloaded from the Cisco ISE Policy
Administration Node (PAN).
6. Which of the following is true about the Cisco ISE Inline Posture Node persona?
a. A gatekeeper that enforces access policies and handles CoA requests, specifically for those
that cannot process CoA requests
b. Is an ergonomic tool included within Cisco ISE to ensure that network administrators are not
slouching on the job
c. Allows users to always bypass authentication and authorization, giving them unfettered
access to the network.
d. Sniffs all the packets sent from an endpoint, inline, making sure that the endpoint is not
distributing viruses and malware onto the network.
The Cisco ISE Inline Posture Node is responsible for enforcing access policies and handling
the CoA requests for those network access devices that cannot process CoA requests. After an
endpoint is authenticated, the Inline Posture Node will ensure that the posture of the endpoint
adheres to the network security policy.
7. A virtual ISE appliance should do which of the following?
a. Be kept as small as possible for speed and agility
b. Be appropriately sized to match the equivalent physical appliance
c. Reserve the appropriate resources to ensure that other virtualized applications do not
cannibalize the ISE resources
d. A and B
e. B and C
f. A, B, and C
If you choose to deploy ISE as a virtual appliance, it is paramount that you allocate the
appropriate virtual resources to best emulate the equivalent SNS-3415 or SNS-3495 physical
appliance. Also, you should reserve 100% of these resources to ensure that other virtualized
network functions do not starve the ISE of the resources.
8. In a single-node/standalone deployment of ISE which of the following is true?
a. Each ISE appliance services a single network access device.
b. Each ISE appliance services only a single ISE persona.
c. All endpoints bypass authentication.
d. All core ISE personas reside on a single ISE appliance.
In a single-node deployment of ISE, all ISE personas (PAN, MNT, and PSN) reside on a
single appliance. In this deployment, there are no options for redundancy. For instance, if the
PSN persona fails, or if the physical appliance fails, RADIUS authentications and authorizations
will fail until the issue can be resolved.
9. In a four-node deployment of Cisco ISE, the ____ and ____ personas are combined on two of
the appliances, while the ____ persona is by itself on each of the other two appliances.
a. PAN, PSN, MNT
b. PAN, IPN, MNT
c. PSN, MNT, IPN
d. PSN, PAN, MNT
e. PAN, MNT, IPN
f. PAN, MNT, PSN
In a four-node ISE deployment, the PAN and MNT personas are combined on two of the
appliances, with each acting as primary on one appliance and secondary on the other appliance.
On the remaining two appliances, only the PSN persona is configured.
10. The maximum number of PSNs supported with ISE 1.2 in a fully distributed deployment model
is ____, resulting in a maximum number of supported endpoints of ______.
a. 5; 5,000
b. 5; 10,000
c. 5; 50,000
d. 40; 5,000
e. 40; 20,000
f. 40; 250,000
In a fully distributed ISE deployment, the ISE PAN and MNT personas each reside on a
separate appliance (or a separate pair of appliances if redundancy is required). Each of the PAN
and MNT appliances will be an SNS-3495 appliance (or equivalent virtual appliance). With these
PAN and MNT functions distributed, up to 40 PSNs can be deployed. For each SNS-3415 PSN
deployed, up to 5,000 endpoints can be supported. For each SNS-3495 PSN deployed, up to
20,000 endpoints can be supported. A limitation on the PAN/MNT nodes, however, will allow
only up to 250,000 endpoints to be supported in a single fully distributed ISE 1.2 deployment.
Cisco ISE Graphical User Interface
1. Which is true of the Cisco ISE GUI?
a. Requires a separate application to access it
b. Uses a “standard,” Adobe Flash-capable web-browser
c. Does not exist—ISE is only configurable via command-line interface (CLI)
d. Requires Cisco Network Assistant
The Cisco ISE GUI is available via an Adobe Flash-capable web-browser. As of Cisco ISE
1.2, the two supported browsers are Mozilla Firefox and Microsoft Internet Explorer.
2. To ensure the highest level of security, the ISE administrative GUI uses which of the following?
a. SSH
b. SCP
c. HTTP
d. HTTPS
The best way to ensure a secure connection is by encrypting the communications between the
ISE and the device being used for the administrative portal. If HTTP were to be used, any device
in the network flow, between the administrative device and ISE, could eavesdrop or play “man-in-the-middle” on the communications, either compromising the administrative credentials or
surreptitiously injecting a different security policy. To prevent this from happening, ISE
leverages HTTPS, encrypting all traffic between the administrative device and ISE, and
ensuring that the traffic sent from the administrative device arrives securely without
compromise. SSH and SCP are not protocols that are typically used for GUI-based portals.
3. The initial certificate presented by the ISE administrative GUI is typically which of the
following?
a. Signed by a trusted, public certificate authority
b. A self-signed certificate automatically generated by ISE
c. Delivered in a separate envelope from the ISE appliance
d. Put in a frame and hung over your desk at work
To establish the initial, secure connection with ISE, ISE will generate a self-signed
certificate. Because a trusted certificate authority, either a local CA or a third-party, public CA,
has not signed it, the certificate can cause a security warning within the web browser that is
being used for administrative access. If you are confident that a man-in-the-middle or other
nefarious device is NOT presenting this certificate, you can permanently accept this certificate
within the web browser to prevent these security warnings in the future. Ideally, it is best to
install a certificate from a trusted CA (a CA that already exists in the browser store—either a
local CA or a third-party public CA) onto ISE. This, too, will prevent these security warnings in
the future.
4. Components within the Operations section of ISE allow an administrator to do which of the
following?
a. Actively monitor, report, and troubleshoot active authentication and authorization sessions
b. Configure how ISE will operate on the network
c. Create the web portals for client provisioning
d. Modify the security policy of ISE
The Operations tab of Cisco ISE allows an administrator to monitor, report, and
troubleshoot active authentication and authorization sessions.
5. The Policy tab of the Cisco ISE GUI allows an administrator to configure all of the following
EXCEPT which?
a. Authorization
b. Client provisioning
c. Web portals
d. Security group access
The Policy tab of the Cisco ISE GUI allows an administrator to configure authentication, authorization, profiling, posture, client provisioning, and security group access, amongst others. Web portals, however, are configured under the Administration tab.
6. You can configure which of the following item(s) under the Administration tab of Cisco ISE?
a. Policy elements
b. Certificates
c. Dictionaries
d. Network devices
e. A, B, and C
f. B, C, and D
g. B and D
The Administration tab of Cisco ISE can be used to configure all “setup”-type functions of
ISE. These functions are those that are often set up one time and rarely modified thereafter. In
this case, certificates and network devices are two items that are configured under the
Administration tab and are rarely modified after their initial configurations.
7. When adding a network access device to Cisco ISE, which of the following details can be
configured under the network device? (Select three.)
a. MAC address
b. IP address
c. Device name
d. RADIUS server IP address
e. RADIUS shared secret key
f. Mobile device manager
g. SGA AAA Servers
When adding a new network access device to Cisco ISE, you must provide a device
name and a device IP address. If you intend to use a Cisco ISE RADIUS server for authentication
and authorization (the usual purpose of Cisco ISE in a network deployment), you will also need
to add a shared secret key for RADIUS. The RADIUS server IP address is configured on the
NAD, pointing to Cisco ISE. Mobile device managers and SGA AAA Servers are unrelated to
the network device configuration.
8. An authentication policy within ISE is used to do which of the following?
a. Determine what the endpoint will be given access to
b. Identify the endpoint or the user of the endpoint as it connects to the network
c. Determine the type of security software that is running on the endpoint
d. Quarantine a user if the endpoint is on the Blacklist
Authentication is the process by which ISE identifies the endpoint or the user of the endpoint
as it connects to the network. The authentication policy is used for this purpose.
9. Profiling policies within ISE can leverage all of the following protocols to determine the type
of endpoint that is accessing the network EXCEPT which? (Select two.)
a. DHCP
b. RADIUS (by proxy)
c. SSH
d. HTTP(S)
e. FTP
When an endpoint attempts to access the network, it automatically sends a number of
different packets onto the network—“normal” communication for a networked device. The
information contained within these packets can often be leveraged by ISE to determine the type
of device (profiling the device) that is sending the information. The MAC address of the
endpoint—either learned via EAP or via MAC Authentication Bypass on the NAD—is
forwarded to ISE via RADIUS. The endpoint’s DHCP requests to get an IP address can also be
sent to ISE, allowing ISE to extract key identifying information from this DHCP process.
Finally, HTTP(S) communications between the endpoint and ISE portals can be used to further
identify the type of device that is accessing the network. Using RADIUS, DHCP, and HTTP (and
other protocols), ISE can make a pretty good determination as to the type of device that is
accessing the network. ISE currently does not support the use of SSH or FTP as a vehicle for
profiling an endpoint.
10. Client provisioning is a process whereby all necessary _______ and _______ are deployed to
the endpoint, allowing the endpoint to more easily, maybe even automatically, join the network
in the future.
a. credentials, configurations
b. regulations, policies
c. IP addresses, ACLs
d. protocols, processes
During the client provisioning process, the necessary credentials and configurations are
deployed to the endpoint, allowing the endpoint to automatically join the network on the next
attempt with little or no interaction from the user.
Initial Configuration of Cisco ISE
1. Which rights and permissions are required for the account used to join Cisco ISE to the Active
Directory domain?
a. Search Active Directory, Remove workstation from domain, Change passwords
b. Write to Active Directory, Add workstation to organizational unit, Read properties of
computer objects
c. Search Active Directory, Add workstation to domain, Set attributes on the new machine
account
d. Write to Active Directory, Add workstation to domain, Read properties of computer objects
The permissions needed to join ISE to AD are Search Active Directory (to see whether ISE
machine account already exists), Add workstation to domain (if it does not already exist), and
Set attributes on the new machine account (OS type and version—optional).
2. Which CLI command lists all the ISE processes and their statuses?
a. show status ise
b. show application status ise
c. show application status
d. show version
The show application status ise command lists all the ISE processes and their
statuses.
3. Which two functions does a certificate fulfill when used with HTTPS and EAPoverLAN?
a. Authenticates the server to the client, and the encryption method is embedded in the
transform-set field within the certificate.
b. Identifies the client to the NAD and is used as the basis for the encrypted transport between
the client and the NAD.
c. Authenticates the server to the client and is used as the basis for the encrypted transport
between the client and server.
d. Authenticates the client to the NAD, and the encryption method is embedded in the transform-set field within the certificate.
In both HTTPS and TLS connections, certificates are used to authenticate the server to the client and act as the basis for the encrypted transport between the client and the server.
4. True or False? When submitting a certificate signing request (CSR), the CSR and the private
key are sent to the signing certificate authority (CA), so the CA can sign the key-pair.
a. True
b. False
Only the CSR is submitted to the signing CA. The private key should be backed up but never
given out to a third party.
5. True or False? Settings such as RADIUS shared secret keys and SNMP strings can be set on a
per Network Device Group (NDG) level.
a. True
b. False
Settings such as RADIUS shared secret keys and SNMP strings can be set only on a per-NAD
basis.
6. What is a valid use of network device groups?
a. Use NDG as the condition by which to build different policy sets for the staged deployment
of ISE.
b. Use the incoming authentication protocol type to route the authentication to a network device
group that is able to process that authentication type.
c. Use the NDG to determine to which ISE policy node to route the authentication request.
d. The result of an authorization policy will allow the user to log in and control devices within
the assigned network device group.
Use NDG to build different policy sets for the staged deployment of ISE.
7. True or False? Local endpoint identity groups should be created per endpoint profile instead of
using the attribute itself.
a. True
b. False
It is a best practice to use endpoint identity groups only for MAC address management
instead of profiles.
8. True or False? Cisco ISE 1.2 can join 1 Active Directory Forest and process authentications for
any domain in the forest with 2-way trusts.
a. True
b. False
ISE 1.2 is capable of joining only a single AD domain.
9. What is the purpose of a certificate authentication profile (CAP)?
a. Defines which CA to use for revocation checking via either certificate revocation lists
(CRLs) or online certificate status protocol (OCSP).
b. Used with MSCHAPv2 for a client to validate the authentication server.
c. Serves as the identity source for certificate authentications and defines the field of a
certificate whose data will be extracted and used as the principle identity for the authorization
process.
d. Used with EAP-FAST to allow for faster reauthentications and secure transport without the
use of X.509 certificates.
Serves as the identity source for certificate authentications and defines the field of a
certificate whose data will be extracted and used as the principle identity for the authorization
process.
10. True or False? It is critical to use Network Time Protocol (NTP) to ensure the time is
synchronized correctly between Cisco ISE and Microsoft Active Directory.
a. True
b. False
The Network Time Protocol is critical for all network interactions that require time-sensitive interactions, including the interaction between the Cisco ISE and the Active Directory.
Endpoint identity certificates also require an NTP synchronized time on Cisco ISE.
Authentication Policies
1. Which of the following is required to perform MAB from a Cisco network device?
a. The RADIUS packet must have the service-type set to login and the called-station-id populated with the MAC address of the endpoint.
b. The RADIUS packet must have the service-type set to Call-Check and the calling-station-id populated with the MAC address of the endpoint.
c. The RADIUS packet must have the service-type set to Call-Check and the called-station-id populated with the MAC address of the endpoint.
d. The RADIUS packet must have the service-type set to login and the calling-station-id populated with the MAC address of the endpoint.
The RADIUS packet must have the service-type set to Call-Check. The service-type dictates the method of authentication. The calling-station-id field must be populated with the MAC address of the endpoint.
2. Which EAP type is capable of performing EAP chaining?
a. PEAP
b. EAP-FAST
c. EAP-TLS
d. EAP-MD5
Only EAP-FAST and TEAP (RFC 7170) have EAP chaining capabilities as of the publishing
of this book.
3. Which of the following choices are purposes of an authentication policy?
a. To permit or deny access to the network based on the incoming authentication request
b. To apply access control filters, such as dACL or security group tags (SGTs), to the network
device to limit traffic
c. To drop requests using an incorrect authentication method, route authentication requests to
the correct identity store, validate the identity, and “pass” successful authentications over to
the authorization policy
d. To terminate encrypted tunnels for purposes of remote access into the network
An authentication policy is meant to drop traffic that isn’t allowed, meaning it is using an
authentication protocol that is not configured, it will route authentication requests to the correct
identity store to validate the identity, and “pass” successful authentications over to the
authorization policy.
4. True or False? You must select Detect PAP as Host Lookup to enable MAB requests for Cisco network devices.
a. True
b. False
Only the Process Host Lookup check box must be selected in the Allowed Protocols for Cisco MAB to work. Detecting another protocol as Host Lookup is only for non-Cisco network devices.
5. True or False? Policy conditions from attribute dictionaries can be saved as conditions inline
while building authentication policies.
a. True
b. False
Reusable conditions can be built on-the-fly while building the authentication policy, and they
are saved as dictionary objects.
6. Which method will work effectively to allow a different Identity store to be selected for each
EAP type used?
a. This is not possible because the first rule to match 802.1X will be used and no further rules
can be used.
b. Create one authentication rule that matches a service type framed for each of the EAP
protocols. Each authentication rule should have one subrule that matches the
EapAuthentication (such as EAP-TLS, EAP-FAST, and so on).
c. This is only possible for the main EAP types. If there is an inner method of EAP-MSCHAPv2
with PEAP, it must be sent to the same identity store as the EAP-MSCHAPv2 inner method of
EAP-FAST.
d. Create one sub-rule for each EAP type under the default 802.1X authentication rule that
points to the appropriate identity store per rule.
Create one sub-rule for each EAP type under the default 802.1X authentication rule that
points to the appropriate identity store per rule.
7. Which RADIUS attribute is used to match the SSID?
a. calling-station-ID
b. source-wireless-SSID
c. framed-station-ID
d. called-station-ID
The Called-Station-ID attribute is used to match the source SSID.
8. Which RADIUS attribute contains the MAC address of the endpoint?
a. calling-station-ID
b. source-wireless-SSID
c. framed-station-ID
d. called-station-ID
The Calling-Station-ID attribute contains the MAC address of the endpoint.
9. What is the purpose of the continue option of an authentication rule?
a. The continue option is used to send an authentication down the list of rules in an
authentication policy until there is a match.
b. The continue option sends an authentication to the next sub-rule within the same
authentication rule.
c. The continue option is used to send an authentication to the authorization policy, even if the
authentication was not successful.
d. The continue option will send an authentication to the selected identity store.
The continue option is used to send an authentication to the authorization policy even if the
authentication was not successful.
10. True or False? The Drop option for an authentication rule will allow ISE to act as if it were not
“alive” so the network device will no longer send authentication requests to that ISE server.
a. True
b. False
The Drop option for an authentication rule will allow ISE to act as if it were not “alive” so
the network device will no longer send authentication requests to that ISE server.
Authorization Policies
1. What is an authorization profile?
a. An authorization profile is a rule in the policy table that is formatted like “IF condition
THEN result.”
b. An authorization profile is created to determine which identity store to validate the
credentials with.
c. An authorization profile is a sequential list of identity stores to validate the credentials with.
d. An authorization profile is the mandatory result of an authorization rule.
An authorization profile is the required authorization result that is made up of multiple
RADIUS attributes. These RADIUS results will affect the ultimate security policy deployed to
the NAD on behalf of the endpoint.
2. What is the purpose of an authorization profile?
a. It contains the TACACS+ response (Access-Accept or Access-Reject) along with the
additional authorization attributes to be sent to the network device for enforcement.
b. It contains the RADIUS response (Access-Accept or Access-Reject) along with the additional
authorization attributes to be sent to the network device for enforcement.
c. It contains the RADIUS response (Continue or Terminate) along with additional
authorization attributes to be sent to the network device for enforcement.
d. It contains the TACACS+ response (Continue or Terminate) along with additional
authorization attributes to be sent to the network device for enforcement.
It contains the RADIUS response (Access-Accept or Access-Reject) along with the additional
authorization attributes to be sent to the network device for enforcement.
3. Which of the following options are part of the common tasks section of an authorization
profile?
a. Access-Type (Continue or Terminate), DACL-Name, Web-Redirection, Auto Smart Port
b. Access-Type (Accept or Reject), DACL-Name, Web-Redirection, Auto Smart Port
c. DACL-Name, Role-Assignment, Local WebAuth, Auto Smart Port
d. DACL-Name, Web-Redirection, Local WebAuth, Auto Smart Port
DACL-Name, Web-Redirection, Local WebAuth, Auto Smart Port. These common tasks, as
well as the others, are the most often used RADIUS AVPs that will be sent to the NAD for secure
policy enforcement of the endpoint.
4. Which of the following is correct?
a. An authorization policy contains authorization rules. Each rule will have at least one
authorization profile.
b. An authorization rule contains authorization policies. Each policy will have at least one
authorization profile.
c. An authentication policy contains authorization rules. Each rule must have an authentication
result.
d. An authentication rule contains the authorization profiles. Each profile must contain one
authentication result.
An authorization policy contains authorization rules. Each rule will have at least one
authorization profile.
5. True or False? Condition attributes can be saved into a library for future use and improved
readability.
a. True
b. False
True. Condition attributes can be saved into a library for future use and improved
readability.
6. What is special about the authorization profile required for an IP phone?
a. It contains the DNS name or IP address of the Cisco Call Manager Server.
b. It contains the voice domain permission AV pair, which authorizes the endpoint to access the
voice VLAN assigned to the interface.
c. It contains the value for DHCP option 43, which provides the IP address of the Cisco Call
Manager Server.
d. It contains the voice domain permission macro, which reconfigures the switch port to be a
voice interface.
It contains the voice domain permission (cisco-av-pair = device-traffic-class = voice), which
authorizes the endpoint to access the voice VLAN assigned to the interface.
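As an added example that is not from the book, the following Python builds and parses the RADIUS attributes the answers above describe: a MAB Access-Request carrying Service-Type Call-Check and the endpoint MAC in Calling-Station-Id, the SSID taken from Called-Station-Id (Authentication Policies questions 1, 7 and 8), and the Access-Accept cisco-av-pair device-traffic-class=voice for an IP phone (question 6 above). Attribute encoding follows RFC 2865; the sample MACs, the SSID and the Called-Station-Id "<AP MAC>:<SSID>" layout are assumptions for the example.

```python
import re
import struct

# RFC 2865 attribute types and values referenced in the answers above
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLED_STATION_ID = 30
ATTR_CALLING_STATION_ID = 31
SERVICE_TYPE_CALL_CHECK = 10  # Service-Type a Cisco NAD sends for MAB
VENDOR_CISCO = 9              # IANA enterprise number for Cisco VSAs
CISCO_AVPAIR = 1              # sub-type of the cisco-av-pair VSA

# Cisco NADs put the endpoint MAC in Calling-Station-Id as AA-BB-CC-DD-EE-FF
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$")


def encode_attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value; Length covers the 2-byte header (RFC 2865 s.5)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 bytes")
    return struct.pack("!BB", atype, 2 + len(value)) + value

def encode_cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) carrying one cisco-av-pair (vendor 9, sub-type 1)."""
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode("ascii")
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)

def decode_attrs(data: bytes) -> list:
    """Return [(type, value), ...]; reject truncated or undersized TLVs."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute type {atype}")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs

def build_mab_request(endpoint_mac: str, ap_mac: str, ssid: str) -> bytes:
    """Constructed Access-Request attributes, as a WLC would send them for MAB."""
    # assumed WLC convention: Called-Station-Id = "<AP MAC>:<SSID>"
    return (encode_attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
            + encode_attr(ATTR_CALLING_STATION_ID, endpoint_mac.encode("ascii"))
            + encode_attr(ATTR_CALLED_STATION_ID, f"{ap_mac}:{ssid}".encode("ascii")))

def classify_request(attrs: list) -> dict:
    """Derive what an ISE authentication rule keys on from the attributes."""
    by_type = {}
    for atype, val in attrs:
        by_type.setdefault(atype, val)  # first occurrence wins
    service_type = None
    if len(by_type.get(ATTR_SERVICE_TYPE, b"")) == 4:
        service_type = struct.unpack("!I", by_type[ATTR_SERVICE_TYPE])[0]
    calling = by_type.get(ATTR_CALLING_STATION_ID, b"").decode("ascii", "replace")
    called = by_type.get(ATTR_CALLED_STATION_ID, b"").decode("ascii", "replace")
    has_mac = bool(MAC_RE.match(calling))
    # MAB needs Service-Type = Call-Check AND a MAC in Calling-Station-Id;
    # a Login (1) request that happens to carry a MAC is not treated as MAB
    is_mab = service_type == SERVICE_TYPE_CALL_CHECK and has_mac
    ssid = called.split(":", 1)[1] if ":" in called else None
    return {"service_type": service_type, "is_mab": is_mab,
            "endpoint_mac": calling if has_mac else None, "ssid": ssid}

def build_ip_phone_accept() -> bytes:
    """Constructed Access-Accept attributes: the voice-domain permission AV pair."""
    return encode_cisco_avpair("device-traffic-class=voice")

def decode_cisco_avpairs(attrs: list) -> list:
    """Pull every cisco-av-pair string out of the Vendor-Specific attributes."""
    pairs = []
    for atype, val in attrs:
        if atype != ATTR_VENDOR_SPECIFIC or len(val) < 6:
            continue
        if struct.unpack("!I", val[:4])[0] != VENDOR_CISCO:
            continue
        for sub_type, sub_val in decode_attrs(val[4:]):
            if sub_type == CISCO_AVPAIR:
                pairs.append(sub_val.decode("ascii", "replace"))
    return pairs

if __name__ == "__main__":
    req = build_mab_request("00-11-22-33-44-55", "AA-BB-CC-DD-EE-F0", "CorpWiFi")
    print(classify_request(decode_attrs(req)))
    print(decode_cisco_avpairs(decode_attrs(build_ip_phone_accept())))
```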
7. What is the difference between a simple condition and compound condition?
a. Simple conditions are easier to use than compound conditions.
b. Simple conditions are created on-the-fly within the expression builder, while compound
conditions must be created separately.
c. Simple conditions contain only one attribute. Compound conditions contain multiple
attributes along with an operator such as AND or OR.
d. Simple conditions and compound conditions can each contain multiple attributes, but
compound conditions can mix operators such as AND or OR.
Simple conditions contain only one attribute. Compound conditions contain multiple
attributes along with an operator such as AND or OR.
8. True or False? A compound condition can contain a mixture of simple conditions and raw
attributes.
a. True
b. False
A compound condition can contain a mixture of simple conditions (which are saved
dictionary attributes) and raw attributes themselves.
9. What should be the end goal of a Secure Access deployment?
a. To provide full access to the network, so security devices such as an ASA firewall can
provide defense-in-depth
b. To provide full access to the network, as long as the authentication is successful, and provide
limited access to any failed authentications
c. To secure the network by purchasing Cisco ISE, thereby increasing the stock value of the
company
d. To provide very specific permissions to any authorization, providing defense-in-depth
To provide very specific permissions to any authorization, providing defense-in-depth while
meeting the goals of the company’s security policy. A printer, for example, should not have
unfettered access to the network; instead it should have only what is needed (such as reaching
the print servers).
10. What is unique about Cisco’s downloadable Access Control Lists (dACLs)?
a. Cisco dACLs allow the RADIUS server to apply ACLs that exist on the switch simply by
sending the name of the ACL in the RADIUS AV pairs, while non-Cisco network devices
cannot apply ACLs.
b. Cisco downloadable ACLs are created by experts at Cisco and published to Cisco.com where
Cisco ISE can download the ACLs.
c. Cisco dACLs are created entirely on the RADIUS server, and the full ACL is sent down to the
network device within RADIUS AV pairs, while non-Cisco network devices must create the
ACL on the individual local network device.
d. Cisco dACLs are unique because they are downloaded from ISE and applied to the Cisco
ASA that is in the network path, relieving the network device from the burden of traffic
control.
Cisco dACLs are created entirely on the RADIUS server, and the full ACL is sent down to the
network device within RADIUS AV pairs, while non-Cisco network devices must create the ACL
on the individual local network device. This allows the Cisco admin to create and maintain the
access lists in a central place and have any changes applied nearly instantly.
Implementing Secure Network Access
1. When configuring a Cisco switch for 802.1X, at which level of the configuration do the
802.1X-related commands exist?
a. Global configuration only.
b. Interface configuration only.
c. Both at global configuration level as well as per interface.
d. Enabling 802.1X changes the context to a dot1x subconfiguration mode, where all related
commands are entered.
802.1X requires global-level configuration for servers, enabling 802.1X on the system itself, configuring change of authorization, and enabling VSAs, among others. Additionally, each interface that will be performing authentication will require interface-level commands.
2. When configuring a Cisco Wireless LAN Controller (WLC) for communication with ISE, what
must be configured for the wireless LAN (WLAN)? (Choose two.)
a. The authentication and authorization RADIUS servers can be pointed to different ISE PSNs,
as long as those PSNs are part of a node group.
b. The authentication and authorization RADIUS servers can be pointed to the same ISE PSN.
c. The WLAN must be configured for SNMP NAC.
d. The WLAN must be configured for RADIUS NAC.
When interacting with an advanced RADIUS server, such as Cisco ISE, Cisco WLCs
require that the same ISE PSN be configured as the authentication and accounting server for the
WLAN. Additionally, RADIUS NAC must be enabled on the advanced tab of the WLAN
configuration.
3. True or False? Cisco switches should be configured in production to send syslog messages to
the ISE MNT node.
a. True
b. False
Cisco switches can be configured to send syslog to the MNT node, where the data will be
correlated as part of the authentication reports. However, this should be configured only when
performing active troubleshooting or during an initial pilot/PoC.
4. What is the purpose of adding a user with the username radius-test password
password command?
a. The switch can send periodic RADIUS Access-Requests to the AAA servers to verify whether
they are still alive. The username and password will be used for that test.
b. The username and password are used for the local RADIUS server available in the switch,
which is used in WAN down scenarios.
c. The username and password are used for the supplicant’s outer identity to authenticate
against the switch local user database.
d. Without the local username and password in the configuration, an administrator can be
locked out of the switch when the RADIUS server is unavailable.
The switch will send periodic test authentication messages to the RADIUS server (Cisco
ISE). It is looking for a RADIUS response from the server, either an Access-Accept or Access-
Reject will suffice. The username and password used by the automated test must exist in the
configuration.
5. True or False? 802.1X can be configured on all switch interfaces, including Layer-3 interfaces.
a. True
b. False
Switch interfaces must be configured as Layer-2 access ports to run 802.1X (switchport).
6. Which of the following technologies enables an administrator to maintain the same
configuration on all access ports, on all switches, regardless of the type of device connecting to
the network?
a. AnyConnect
b. Multi-Auth
c. Flex-Auth
d. Flex-Connect
Flex-Auth allows a network administrator to set an authentication order and priority on the
switchport, thereby allowing the port to attempt 802.1X, MAC authentication bypass, and then
WebAuth in order. All of these functions are provided while maintaining the same configuration
on all access ports, thereby providing a much simpler operational model for customers than
traditional 802.1X deployments.
7. Which host mode will permit a virtually unlimited number of endpoints per port, allowing all
subsequent MAC addresses to share the authorization result of the first endpoint authorized?
a. Single Mode
b. MDA
c. Multi-Auth
d. Multi-Host
Multi-Host mode is not commonly used but is still a valid option. Much like Multi-Auth
mode, Multi-Host mode is an extension to MDA. There is one authentication on the voice
domain and one authentication on the data domain. All other hosts on the data domain will be
allowed onto the network using the first successful authentication. It’s an “authenticate one,
allow the rest” type of model.
8. Which interface-level command is the equivalent of “turn authentication on”?
a. authentication port-control auto
b. dot1x system-auth-control
c. ip device-tracking
d. aaa server radius dynamic-author
The authentication port-control auto command will enable authentication on
the port and allow the authorization result to be sent from the RADIUS server. Short answer:
“Turn authentication on!”
9. Which command on a Cisco switch will display the current status of the AAA server(s)?
a. show authentication servers
b. show radius servers
c. show aaa servers
d. show ise servers
The show aaa servers command is a quick and simple way to see the current status of
the ISE server from the switch’s perspective.
10. Which command will validate that authentications are