Cisco 300-208

Implementing Cisco Secure Access Solutions

(Page 1 out of 15)
Showing 15 of 224 Questions
Exam Version: 10.0
Question No : 1 -

Which option is the correct redirect-ACL for Wired-CWA, with 10.201.228.76 being the
Cisco ISE IP address?

  • A. ip access-l ex ACL-WEBAUTH-REDIRECT
       deny udp any any eq domain
       deny ip any host 10.201.228.76
       permit tcp any any eq 80
       permit tcp any any eq 443
  • B. ip access-l ex ACL-WEBAUTH-REDIRECT
       permit udp any any eq domain
       permit ip any host 10.201.228.76
       deny tcp any any eq 80
       permit tcp any any eq 443
  • C. ip access-l ex ACL-WEBAUTH-REDIRECT
       deny udp any any eq domain
       permit tcp any host 10.201.228.76 eq 8443
       deny ip any host 10.201.228.76
       permit tcp any any eq 80
       permit tcp any any eq 443
  • D. ip access-l ex ACL-WEBAUTH-REDIRECT
       permit udp any any eq domain
       deny ip any host 10.201.228.76
       permit tcp any any eq 80
       permit tcp any any eq 443

Answer : A



Question No : 2 -

What are the initial steps to configure an ACS as a TACACS server?

  • A. 1. Choose Network Devices and AAA Clients > Network Resources. 2. Click Create.
  • B. 1. Choose Network Resources > Network Devices and AAA Clients. 2. Click Create.
  • C. 1. Choose Network Resources > Network Devices and AAA Clients. 2. Click Manage.
  • D. 1. Choose Network Devices and AAA Clients > Network Resources. 2. Click Install.

Answer : B



Question No : 3 -

Which three are required steps to enable SXP on a Cisco ASA? (Choose three).

  • A. configure AAA authentication
  • B. configure password
  • C. issue the aaa authorization command aaa-server group command
  • D. configure a peer
  • E. configure TACACS
  • F. issue the cts sxp enable command

Answer : B,D,F



Question No : 4 -

Wireless client supplicants attempting to authenticate to a wireless network are generating
excessive log messages. Which three WLC authentication settings should be disabled?
(Choose three.)

  • A. RADIUS Server Timeout
  • B. RADIUS Aggressive-Failover
  • C. Idle Timer
  • D. Session Timeout
  • E. Client Exclusion
  • F. Roaming

Answer : B,C,D



Question No : 5 -

Which command enables static PAT for TCP port 25?

  • A. nat (outside,inside) static 209.165.201.3 209.165.201.226 eq smtp
  • B. nat static 209.165.201.3 eq smtp
  • C. nat (inside,outside) static 209.165.201.3 service tcp smtp smtp
  • D. static (inside,outside) 209.165.201.3 209.165.201.226 netmask 255.255.255.255

Answer : C



Question No : 6 -

Which model does Cisco support in a RADIUS change of authorization implementation?

  • A. push
  • B. pull
  • C. policy
  • D. security

Answer : A



Question No : 7 -

Which configuration must you perform on a switch to deploy Cisco ISE in low-impact
mode?

  • A. Configure an ingress port ACL on the switchport.
  • B. Configure DHCP snooping globally.
  • C. Configure IP-device tracking.
  • D. Configure BPDU filtering.

Answer : A



Question No : 8 -

Scenario:
Currently, many users are experiencing problems using their AnyConnect NAM supplicant to
log in to the network. The IT desktop support staff have already examined and verified that the
AnyConnect NAM configuration is correct.
In this simulation, you are tasked to examine the various ISE GUI screens to determine the
current ISE configurations to help isolate the problems. Based on the current ISE
configurations, you will need to answer three multiple choice questions.
To access the ISE GUI, click on the ISE icon in the topology diagram.
Not all the ISE GUI screens are operational in this simulation, and some of the ISE GUI
operations have been reduced in this simulation.
Not all the links on each of the ISE GUI screens work. If some of the links are not working
on a screen, click Home to go back to the Home page first. From the Home page, you can
access all the required screens.
To view some larger GUI screens, use the simulation window scroll bars. Some of the
larger GUI screens are only partially shown but will include all information required to complete
this simulation.



Which two of the following statements are correct? (Choose two.)

  • A. The ISE is not able to successfully connect to the hq-srv.secure-x.local AD server.
  • B. The ISE internal endpoints database is used to authenticate any users not in the Active Directory domain.
  • C. The ISE internal user database has two accounts enabled: student and test that map to the Employee user identity group.
  • D. Guest_Portal_Sequence is a built-in identity source sequence.

Answer : B,D



Question No : 9 -

The Secure-X company has started to test the 802.1X authentication deployment using
the Cisco Catalyst 3560-X layer 3 switch and the Cisco ISEv1.2 appliance. Each employee
desktop will be connected to the 802.1X enabled switch port and will use the Cisco
AnyConnect NAM 802.1X supplicant to log in and connect to the network.
Your particular tasks in this simulation are to create a new identity source sequence named
AD_internal which will first use the Microsoft Active Directory (AD1) then use the ISE
Internal User database. Once the new identity source sequence has been configured, edit
the existing Dot1X authentication policy to use the new AD_internal identity source
sequence.
The Microsoft Active Directory (AD1) identity store has already been successfully
configured; you just need to reference it in your configuration.


In addition to the above, you are also tasked to edit the IT users authorization policy so IT
users who successfully authenticated will get the permission of the existing IT_Corp
authorization profile.
Perform this simulation by accessing the ISE GUI to perform the following tasks:
  • Create a new identity source sequence named AD_internal to first use the Microsoft
    Active Directory (AD1) then use the ISE Internal User database.
  • Edit the existing Dot1X authentication policy to use the new AD_internal identity source
    sequence:
      - If authentication failed: reject the access request
      - If user is not found in AD: drop the request without sending a response
      - If process failed: drop the request without sending a response
  • Edit the IT users authorization policy so IT users who successfully authenticated will get
    the permission of the existing IT_Corp authorization profile.
To access the ISE GUI, click the ISE icon in the topology diagram. To verify your
configurations, from the ISE GUI, you should also see the Authentication Succeeded event
for the it1 user after you have successfully defined the Dot1X authentication po

Answer : Review the explanation for full configuration and solution.

Explanation: Step 1: create a new identity source sequence named AD_internal which will first use the Microsoft Active Directory (AD1) then use the ISE Internal User database as shown below:

Step 2: Edit the existing Dot1x policy to use the newly created Identity Source:
Then hit Done and save.



Question No : 10 -

In this simulation, you are tasked to examine the various authentication events using the ISE
GUI. For example, you should see events like Authentication succeeded, Authentication
failed, etc.




Which two statements are correct regarding the event that occurred at 2014-05-07
00:22:48.175? (Choose two.)

  • A. The DACL will permit http traffic from any host to 10.10.2.20
  • B. The DACL will permit http traffic from any host to 10.10.3.20
  • C. The DACL will permit icmp traffic from any host to 10.10.2.20
  • D. The DACL will permit icmp traffic from any host to 10.10.3.20
  • E. The DACL will permit https traffic from any host to 10.10.3.20

Answer : A,E

Explanation: Event Details:



Question No : 11 -

In a basic ACS deployment consisting of two servers, for which three tasks is the primary
server responsible? (Choose three.)

  • A. configuration
  • B. authentication
  • C. sensing
  • D. policy requirements
  • E. monitoring
  • F. repudiation

Answer : A,B,D



Question No : 12 -

Which type of access list is the most scalable that Cisco ISE can use to implement network
authorization enforcement for a large number of users?

  • A. downloadable access lists
  • B. named access lists
  • C. VLAN access lists
  • D. MAC address access lists

Answer : A



Question No : 13 -

How frequently does the Profiled Endpoints dashlet refresh data?

  • A. every 30 seconds
  • B. every 60 seconds
  • C. every 2 minutes
  • D. every 5 minutes

Answer : B



Question No : 14 -

Changes were made to the ISE server while troubleshooting, and now all wireless
certificate authentications are failing. Logs indicate an EAP failure. What is the most likely
cause of the problem?

  • A. EAP-TLS is not checked in the Allowed Protocols list
  • B. Certificate authentication profile is not configured in the Identity Store
  • C. MS-CHAPv2 is not checked in the Allowed Protocols list
  • D. Default rule denies all traffic
  • E. Client root certificate is not included in the Certificate Store

Answer : A



Question No : 15 -

Refer to the exhibit.


In a distributed deployment of Cisco ISE, which column in Figure 1 is used to fill in the Host
Name field in Figure 2 to collect captures on Cisco ISE while authenticating the specific
endpoint?

  • A. Server
  • B. Network Device
  • C. Endpoint ID
  • D. Identity

Answer : A


