Cisco 300-208 Dumps
Exam: CCNP Security Implementing Cisco Secure Access Solutions (SISAS)
337 Questions & Answers
Cisco 300-208 Exam Tutorial
Question No : 1
Which option is the correct redirect-ACL for Wired-CWA, with 10.201.228.76 being the
Cisco ISE IP address?
A. ip access-l ex ACL-WEBAUTH-REDIRECT deny udp any any eq domain deny ip any host 10.201.228.76 permit tcp any any eq 80 permit tcp any any eq 443
B. ip access-l ex ACL-WEBAUTH-REDIRECT permit udp any any eq domain permit ip any host 10.201.228.76 deny tcp any any eq 80 permit tcp any any eq 443
C. ip access-l ex ACL-WEBAUTH-REDIRECT deny udp any any eq domain permit tcp any host 10.201.228.76 eq 8443 deny ip any host 10.201.228.76 permit tcp any any eq 80 permit tcp any any eq 443
D. ip access-l ex ACL-WEBAUTH-REDIRECT permit udp any any eq domain deny ip any host 10.201.228.76 permit tcp any any eq 80 permit tcp any any eq 443
Question No : 2
What are the initial steps to configure an ACS as a TACACS server?
A. 1. Choose Network Devices and AAA Clients > Network Resources. 2. Click Create.
B. 1. Choose Network Resources > Network Devices and AAA Clients. 2. Click Create.
C. 1. Choose Network Resources > Network Devices and AAA Clients. 2. Click Manage.
D. 1. Choose Network Devices and AAA Clients > Network Resources. 2. Click Install.
Question No : 3
Which three are required steps to enable SXP on a Cisco ASA? (Choose three).
A. configure AAA authentication
B. configure password
C. issue the aaa authorization command aaa-server group command
D. configure a peer
E. configure TACACS
F. issue the cts sxp enable command
Question No : 4
Wireless client supplicants attempting to authenticate to a wireless network are generating
excessive log messages. Which three WLC authentication settings should be disabled?
A. RADIUS Server Timeout
B. RADIUS Aggressive-Failover
C. Idle Timer
D. Session Timeout
E. Client Exclusion
Question No : 5
Which command enables static PAT for TCP port 25?
A. nat (outside,inside) static 126.96.36.199 188.8.131.52 eq smtp
B. nat static 184.108.40.206 eq smtp
C. nat (inside,outside) static 220.127.116.11 service tcp smtp smtp
D. static (inside,outside) 18.104.22.168 22.214.171.124 netmask 255.255.255.255
Question No : 6
Which model does Cisco support in a RADIUS change of authorization implementation?
Question No : 7
Which configuration must you perform on a switch to deploy Cisco ISE in low-impact
A. Configure an ingress port ACL on the switchport.
B. Configure DHCP snooping globally.
C. Configure IP-device tracking.
D. Configure BPDU filtering.
Question No : 8
Currently, many users are experiencing problems using their AnyConnect NAM supplicant to
log in to the network. The IT desktop support staff have already examined and verified that the
AnyConnect NAM configuration is correct.
In this simulation, you are tasked to examine the various ISE GUI screens to determine the
ISE current configurations to help isolate the problems. Based on the current ISE
configurations, you will need to answer three multiple choice questions.
To access the ISE GUI, click on the ISE icon in the topology diagram to access the ISE
Not all the ISE GUI screens are operational in this simulation and some of the ISE GUI
operations have been reduced in this simulation.
Not all the links on each of the ISE GUI screens work; if some of the links are not working
on a screen, click Home to go back to the Home page first. From the Home page, you can
access all the required screens.
To view some larger GUI screens, use the simulation window scroll bars. Some of the
larger GUI screens are only shown partially but will include all information required to complete
Which two of the following statements are correct? (Choose two.)
A. The ISE is not able to successfully connect to the hq-srv.secure-x.local AD server.
B. The ISE internal endpoints database is used to authenticate any users not in the Active Directory domain.
C. The ISE internal user database has two accounts enabled: student and test that maps to the Employee user identity group.
D. Guest_Portal_Sequence is a built-in identity source sequence.
Question No : 9
The Secure-X company has started to test the 802.1X authentication deployment using
the Cisco Catalyst 3560-X layer 3 switch and the Cisco ISE v1.2 appliance. Each employee
desktop will be connected to the 802.1X enabled switch port and will use the Cisco
AnyConnect NAM 802.1X supplicant to log in and connect to the network.
Your particular tasks in this simulation are to create a new identity source sequence named
AD_internal which will first use the Microsoft Active Directory (AD1) then use the ISE
Internal User database. Once the new identity source sequence has been configured, edit
the existing Dot1X authentication policy to use the new AD_internal identity source
The Microsoft Active Directory (AD1) identity store has already been successfully
configured, you just need to reference it in your configuration.
In addition to the above, you are also tasked to edit the IT users authorization policy so IT
users who successfully authenticated will get the permission of the existing IT_Corp
Perform this simulation by accessing the ISE GUI to perform the following tasks:
Create a new identity source sequence named AD_internal to first use the Microsoft
Active Directory (AD1) then use the ISE Internal User database
Edit the existing Dot1X authentication policy to use the new AD_internal identity source
If authentication failed - reject the access request
If user is not found in AD - Drop the request without sending a response
If process failed - Drop the request without sending a response
Edit the IT users authorization policy so IT users who successfully authenticated will get
the permission of the existing IT_Corp authorization profile.
To access the ISE GUI, click the ISE icon in the topology diagram. To verify your
configurations, from the ISE GUI, you should also see the Authentication Succeeded event
for the it1 user after you have successfully defined the Dot1X authentication po
Question No : 10
In this simulation, you are tasked to examine the various authentication events using the ISE
GUI. For example, you should see events like Authentication succeeded, Authentication
failed, etc.
Which two statements are correct regarding the event that occurred at 2014-05-07
00:22:48.175? (Choose two.)
A. The DACL will permit http traffic from any host to 10.10.2.20
B. The DACL will permit http traffic from any host to 10.10.3.20
C. The DACL will permit icmp traffic from any host to 10.10.2.20
D. The DACL will permit icmp traffic from any host to 10.10.3.20
E. The DACL will permit https traffic from any host to 10.10.3.20
Question No : 11
In a basic ACS deployment consisting of two servers, for which three tasks is the primary
server responsible? (Choose three.)
D. policy requirements
Question No : 12
Which type of access list is the most scalable that Cisco ISE can use to implement network
authorization enforcement for a large number of users?
A. downloadable access lists
B. named access lists
C. VLAN access lists
D. MAC address access lists
Question No : 13
How frequently does the Profiled Endpoints dashlet refresh data?
A. every 30 seconds
B. every 60 seconds
C. every 2 minutes
D. every 5 minutes
Question No : 14
Changes were made to the ISE server while troubleshooting, and now all wireless
certificate authentications are failing. Logs indicate an EAP failure. What is the most likely
cause of the problem?
A. EAP-TLS is not checked in the Allowed Protocols list
B. Certificate authentication profile is not configured in the Identity Store
C. MS-CHAPv2 is not checked in the Allowed Protocols list
D. Default rule denies all traffic
E. Client root certificate is not included in the Certificate Store
Question No : 15
Refer to the exhibit.
In a distributed deployment of Cisco ISE, which column in Figure 1 is used to fill in the Host
Name field in Figure 2 to collect captures on Cisco ISE while authenticating the specific
B. Network Device
C. Endpoint ID
Question No : 16
Which two statements about Cisco NAC Agents that are installed on clients that interact
with the Cisco ISE profiler are true? (Choose two.)
A. They send endpoint data to AAA servers.
B. They collect endpoint attributes.
C. They interact with the posture service to enforce endpoint security policies.
D. They block access from the network through noncompliant endpoints.
E. They store endpoints in the Cisco ISE with their profiles.
F. They evaluate clients against posture policies, to enforce requirements.
Question No : 17
Which profiling capability allows you to gather and forward network packets to an analyzer?
Question No : 18
Which two EAP types require server side certificates? (Choose two.)
Question No : 19
During BYOD flow, where does a Microsoft Windows 8.1 PC download the Network Setup
A. from Cisco App Store
B. from Cisco ISE directly
C. from Microsoft App Store
D. It uses the native OTA functionality.
Question No : 20
A network administrator needs to determine the ability of existing network devices to deliver
key BYOD services. Which tool will complete a readiness assessment and outline
hardware and software capable and incapable devices?
A. Prime Infrastructure
B. Network Control System
C. Cisco Security Manager
D. Identity Services Engine