Answers to the “Do I Know This Already?” Quizzes - Appendixes - CCNP Security SISAS 300-208 Official Cert Guide (2015)


Part VIII: Appendixes

Appendix A. Answers to the “Do I Know This Already?” Quizzes

Chapter 2

1. D. Simply put, authentication is the validation of the identity credentials. Authorization is the determination of what is allowed or disallowed based on those credentials.

2. A, D. The two forms of authentication, authorization, and accounting that are relevant to the SISAS exam are network access and device administration.

3. B. TACACS+ is best suited for granular command-level control due to its ability to separate authentication and authorization.

4. C. RADIUS is best suited for network access AAA due to its capability to work with numerous authentication protocols, such as CHAP and MS-CHAPv2, but more importantly because of the dependency on RADIUS for 802.1X authentications and the enhancements to RADIUS for change of authorization.

5. A. Both TACACS+ and RADIUS can be used to provide device administration AAA services; however, TACACS+ offers command-level authorization and RADIUS does not.

6. A. Cisco ACS supports both RADIUS and TACACS+ and command sets, while Cisco ISE version 1.2 supports only RADIUS.

7. D. The majority of the authentication protocols used (EAP, CHAP, MS-CHAPv2, PAP) are Layer-2 protocols meant to be topology independent. RADIUS and TACACS+ are used to connect the end user to the authentication server, even when they are not on the same LAN segment.

8. A. TACACS+ clients send only two message types: START and CONTINUE. REPLY is sent from the AAA server to the AAA client.

9. B. The Service-Type value tells the RADIUS server what is being performed. For example, a Service-Type of Call-Check informs the AAA server that the client is performing a MAB request.

10. A. The RADIUS server may be assigning an attribute to the authentication session, like a VLAN, for example. The VLAN placeholder is the attribute, and the actual assigned VLAN number is the value for that placeholder, as a pair.

Chapter 3

1. B, C. An identity is a representation of who a user or device is. Cisco ISE uses an endpoint’s MAC address to uniquely identify that endpoint. A username is one method of uniquely identifying an end user. Although SSIDs and IP addresses can be used as conditions or attributes in ISE policies, they are not identities.

2. B, C. Cisco ISE can use identities stored in a database that resides as part of the ISE application itself; these are known as internal identity stores. Examples are the GUEST user identity store and the endpoints identity store. Identities can live outside of ISE, such as Active Directory, and these are known as external identity stores.

3. A, D. ISE has two different types of internal identity stores: users and endpoints. The user identity stores hold identities for interactive users, such as guests or employees. These have attributes such as passwords for the authentication of the user. Endpoints have a different kind of identity. Because they don’t interact with an authentication in most cases, their identities can often just be their MAC addresses.

4. A, D. Either a user or a machine (endpoint) can be authorized for network access. Sometimes it is possible to authorize based on the identity or attributes of both the user and the machine.

5. C. The identity store is known as an identity source or an information source. The data contained in the identity store is used for authentication and authorization purposes.

6. C. An identity source sequence (ISS) is a list of identity stores. Much like an access control list (ACL), the ISS list is processed from the top to the bottom, where the first entry that has the identity is used and the processing of the ISS ends.

7. A, C, D. Lightweight Directory Access Protocol is a standard directory type that allows vendors to use a common communication structure to provide authentications and information about identities. Microsoft’s Active Directory is an LDAP-like directory source and is one of the most common identity sources in the modern world. In addition to querying an identity source directly, ISE is also able to proxy RADIUS authentications to a different RADIUS server.

8. B, D. Internal identity stores can be used to authenticate user accounts or endpoints. A guest is a type of internal user that ISE can authenticate. MAB is often used to “authenticate” endpoints against the internal endpoints identity store.

9. A, B. ISE has two different types of internal identity stores: users and endpoints. The user identity stores hold identities for interactive users, like guests or employees. These have attributes such as passwords for the authentication of the user. Endpoints have a different kind of identity. Because they don’t interact with an authentication in most cases, their identities can often just be their MAC addresses.

10. C, D. External identity stores often exist already in an organization before ISE would be installed. By pointing to those identity sources, the management overhead is dramatically reduced because the accounts don’t have to be created again in ISE’s internal database(s). Additionally, this enables the organization to scale more effectively by having a single source of truth for identity.

Chapter 4

1. B. EAP communication occurs between the supplicant and the authentication server. The authenticator acts as a middleman and encapsulates the unmodified EAP frames within the RADIUS communication to the authentication server.

2. B. Only Cisco AnyConnect NAM 3.1 and newer are capable of running EAP chaining as of the date this book was published.

3. C. The outer identity provides a mechanism to authenticate the identity of the endpoint during the tunnel establishment phase.

4. B. IEEE 802.1X must use RADIUS or DIAMETER. Note: DIAMETER is out of scope of the exam blueprint.

5. B. Supplicants have the option to not authenticate the server certificate. Additionally, EAP-FAST offers the ability to use PAC files instead of certificates for tunnel establishment.

6. D. Protected access credentials (PACs) are a type of “secure cookie” that can be used instead of or in addition to a certificate.

7. B. MSCHAPv2 may be used for user authentication against LDAP, but not machine authentication.

8. A. The actual tunnel mechanism is unrelated to the ability to do a machine authentication. The requirement is simply that it must be EAP-MSCHAPv2 for the authentication method.

9. C. The three main components of 802.1X are the authentication server, supplicant, and authenticator.

10. A. A tunneled EAP type is able to use native EAP types as its inner method.

Chapter 5

1. B. The available options for nonauthenticating endpoints are MAC Authentication Bypass (MAB) and Web Authentication (WebAuth).

2. B. With nonauthenticating endpoints, the authenticator (a switch, for example) can be configured to send the MAC address of the endpoint to the authentication server in a RADIUS Access-Request message. This process is known as MAC authentication bypass (MAB).

3. D. With MAB, it is not recommended to use VLAN assignment, but MAB authorizations do not limit the authorization results.

4. B. With CWA, the authenticator only recognizes a MAB, and ISE maintains administrative control of the entire session and the tracking of the user’s credentials.

5. C. With LWA, the web portal is hosted within the authenticator, the end user enters her credentials into the web portal and the authenticator sends those credentials inside a RADIUS Access-Request message to the authentication server. The authentication server returns the Access-Accept or Access-Reject along with the full response.

6. A. The three main non-802.1X authentication use cases are WebAuth (CWA and LWA), MAB, and Remote Access VPN (RA VPN).

7. B. When changing a VLAN assigned to an endpoint, that endpoint must know (somehow) to renew the DHCP address. The best solution is to not use VLAN changes on open networks because there is nothing on the client to detect the VLAN change and trigger the DHCP renewal.

8. C. Centralized web authentication uses a web portal that is hosted on ISE to receive the user’s credentials. The authenticator sends a MAB request to ISE, and ISE responds with a RADIUS Access-Accept, a URL redirection, and often a dACL that limits the access to the network. After the credentials are received through the web portal, ISE sends a change of authorization (CoA) to the authenticator causing a reauthentication. The reauthentication maintains the same session ID, and ISE is able to tie the user’s credentials to the MAB request, sending the final authorization results for the end user.

9. B. There are many different “headless” endpoints in an organization, such as IP phones, IP cameras, printers, badge readers, IV pumps, medical imaging systems, and so many more. Some do not have supplicants. For those that do, the enablement and configuration of supplicants on the disparate endpoints could be overcomplicated or operationally difficult for the company. Many of the devices do not have a central management platform that is capable of configuring each supplicant across large numbers of devices deployed at scale. Therefore, MAB is chosen to provide network access to those headless devices.

10. A. Web authentication is used for any interactive login when a supplicant is not available, and sometimes it is even used as second authentication after 802.1X.

Chapter 6

1. B. A RADIUS CoA allows an authentication server to trigger a reauthorization. This provides an opportunity for the server to update a user’s level of network access as the server learns additional information about an endpoint, such as endpoint posture information.

2. C. In a situation where a CoA is warranted, an authentication server can perform a number of actions: No CoA (that is, do nothing), Port Bounce (that is, shut/no shut the relevant access “port”), or Reauth (that is, force the endpoint to reauthenticate in cases where multiple endpoints are present on a single access medium). Supported CoA actions can vary depending on the selected authentication server.

3. C. Those devices that don’t have an 802.1X supplicant available use MAC Authentication Bypass. Without the supplicant, the device does not recognize EAP messages and, therefore, EAP authentication techniques are NOT available. In the absence of EAP, the device will use its MAC address as its unique identifier to authenticate to the network.

4. D. The first three octets of a MAC address are the organizationally unique identifier (OUI). This OUI indicates which vendor manufactured the device. This can be useful, at times, to also indicate the function of the device—for instance, an IP phone or printer.

5. A. Often, the “dumb” network devices are those that lack 802.1X supplicants. From this list, a printer would be the most common device to lack 802.1X support. Other examples would include an IP phone, IP cameras, and badge readers, amongst others.

6. C. Prior to MAB, there wasn’t a mechanism to authenticate a device based strictly on the device’s MAC address. For this reason, the switchport would be configured without port security or any level of end user or device authentication. This would allow any device, either the intended device or an unintended rogue device that was plugged into that switchport, to have unfettered access to the network.

7. A, B, C. Via posture checking, the endpoint can be checked for file conditions (existence, date, and/or version), registry conditions (whether a registry entry is or is not present), and service conditions (whether a service is or is not running), so all of the above are correct. Posture checking also can confirm the presence, absence, and status of antivirus and antispyware programs running on the endpoint.

8. D. When using posture assessment as a condition for authorization policy, the values of the PostureStatus condition can be Compliant, NonCompliant, or Unknown. Different levels of network access and/or remediation can be authorized based on the status of this variable.

9. B. To remediate a noncompliant endpoint, a redirect ACL must be defined on the switch and the redirect destination must be set to the remediation portal.

10. D. A mobile device manager is a software system or service that provides advanced posture assessment for mobile endpoints. The MDM can determine the type of mobile device, the level of operating system on the endpoint, the presence/absence of PIN lock, and whether encryption is being used, as well as provide remote security services such as device lock and secure wipe. Depending on the MDM vendor chosen, additional services also might be available.

Chapter 7

1. C. Cisco Identity Services Engine is a network security and policy platform. Using Cisco ISE, a network administrator can maintain and serve security policy to all network devices from a central location.

2. A, D, E, G. Cisco ISE has four personas. These personas are Administration, Monitoring and Troubleshooting, Policy Services Node, and Inline Posture Node. Each of these personas is required at least once in an ISE deployment, with the exception of the Inline Posture Node. The function of each persona is discussed within the chapter.

3. A. Cisco ISE’s Policy Administration Node (PAN) persona is the instance of Cisco ISE where policy configuration actually happens. This persona will then distribute this policy to all other nodes.

4. D. The Cisco ISE Monitoring and Troubleshooting (MnT) Node persona provides a platform for logging and reporting data from the Cisco ISE deployment. As a user or device authenticates and authorizes to the network, the ability to monitor and log those AAA events will be the responsibility of the Monitoring and Troubleshooting Node.

5. C. The Cisco ISE Policy Service Node (PSN) persona provides policy decision-making. As a user or an endpoint attempts to authenticate to the network, the PSN will be responsible for making the AAA decisions based on the policy as downloaded from the Cisco ISE Policy Administration Node (PAN).

6. A. The Cisco ISE Inline Posture Node is responsible for enforcing access policies and handling the CoA requests for those network access devices that cannot process CoA requests. After an endpoint is authenticated, the Inline Posture Node will ensure that the posture of the endpoint adheres to the network security policy.

7. E. If you choose to deploy ISE as a virtual appliance, it is paramount that you allocate the appropriate virtual resources to best emulate the equivalent SNS-3415 or SNS-3495 physical appliance. Also, you should reserve 100% of these resources to ensure that other virtualized network functions do not starve ISE of resources.

8. D. In a single-node deployment of ISE, all ISE personas (PAN, MNT, and PSN) reside on a single appliance. In this deployment, there are no options for redundancy. For instance, if the PSN persona fails, or if the physical appliance fails, RADIUS authentications and authorizations will fail until the issue can be resolved.

9. F. In a four-node ISE deployment, the PAN and MNT personas are combined on two of the appliances, with each acting as primary on one appliance and secondary on the other appliance. On the remaining two appliances, only the PSN persona is configured.

10. F. In a fully distributed ISE deployment, the ISE PAN and MNT personas each reside on a separate appliance (or a separate pair of appliances if redundancy is required). Each of the PAN and MNT appliances will be an SNS-3495 appliance (or equivalent virtual appliance). With these PAN and MNT functions distributed, up to 40 PSNs can be deployed. For each SNS-3415 PSN deployed, up to 5,000 endpoints can be supported. For each SNS-3495 PSN deployed, up to 20,000 endpoints can be supported. A limitation on the PAN/MNT nodes, however, will allow only up to 250,000 endpoints to be supported in a single fully distributed ISE 1.2 deployment.

Chapter 8

1. B. The Cisco ISE GUI is available via an Adobe Flash-capable web browser. As of Cisco ISE 1.2, the two supported browsers are Mozilla Firefox and Microsoft Internet Explorer.

2. D. The best way to ensure a secure connection is by encrypting the communications between the ISE and the device being used for the administrative portal. If HTTP were to be used, any device in the network flow, between the administrative device and ISE, could eavesdrop or play “man-in-the-middle” on the communications, either compromising the administrative credentials or surreptitiously injecting a different security policy. To prevent this from happening, ISE leverages HTTPS, encrypting all traffic between the administrative device and ISE, and ensuring that the traffic sent from the administrative device arrives securely without compromise. SSH and SCP are not protocols that are typically used for GUI-based portals.

3. B. To establish the initial, secure connection with ISE, ISE will generate a self-signed certificate. Because a trusted certificate authority, either a local CA or a third-party, public CA, has not signed it, the certificate can cause a security warning within the web browser that is being used for administrative access. If you are confident that a man-in-the-middle or other nefarious device is NOT presenting this certificate, you can permanently accept this certificate within the web browser to prevent these security warnings in the future. Ideally, it is best to install a certificate from a trusted CA (a CA that already exists in the browser store—either a local CA or a third-party public CA) onto ISE. This, too, will prevent these security warnings in the future.

4. A. The Operations tab of Cisco ISE allows an administrator to monitor, report, and troubleshoot active authentication and authorization sessions.

5. C. The Policy tab of the Cisco ISE GUI allows an administrator to configure authentication, authorization, profiling, posture, client provisioning, and security group access—amongst others. Web portals, however, are configured under the Administration tab.

6. G. The Administration tab of Cisco ISE can be used to configure all “setup”-type functions of ISE. These functions are those that are often set up one time and rarely modified thereafter. In this case, certificates and network devices are two items that are configured under the Administration tab and are rarely modified after their initial configurations.

7. B, C, E. When adding a new network access device to Cisco ISE, you must provide a device name and a device IP address. If you intend to use a Cisco ISE RADIUS server for authentication and authorization (the usual purpose of Cisco ISE in a network deployment), you will also need to add a shared secret key for RADIUS. The RADIUS server IP address is configured on the NAD, pointing to Cisco ISE. Mobile device managers and SGA AAA Servers are unrelated to the network device configuration.

8. B. Authentication is the process by which ISE identifies the endpoint or the user of the endpoint as it connects to the network. The authentication policy is used for this purpose.

9. C, E. When an endpoint attempts to access the network, it automatically sends a number of different packets onto the network—“normal” communication for a networked device. The information contained within these packets can often be leveraged by ISE to determine the type of device (profiling the device) that is sending the information. The MAC address of the endpoint—either learned via EAP or via MAC Authentication Bypass on the NAD—is forwarded to ISE via RADIUS. The endpoint’s DHCP requests to get an IP address can also be sent to ISE, allowing ISE to extract key identifying information from this DHCP process. Finally, HTTP(S) communications between the endpoint and ISE portals can be used to further identify the type of device that is accessing the network. Using RADIUS, DHCP, and HTTP (and other protocols), ISE can make a pretty good determination as to the type of device that is accessing the network. ISE currently does not support the use of SSH or FTP as a vehicle for profiling an endpoint.

10. A. During the client provisioning process, the necessary credentials and configurations are deployed to the endpoint, allowing the endpoint to automatically join the network on the next attempt with little or no interaction from the user.

Chapter 9

1. C. The permissions needed to join ISE to AD are Search Active Directory (to see whether ISE machine account already exists), Add workstation to domain (if it does not already exist), and Set attributes on the new machine account (OS type and version—optional).

2. B. The show application status ise command lists all the ISE processes and their statuses.

3. C. In both HTTPS and TLS connections, certificates are used to authenticate the server to client and act as the basis for the encrypted transport between the client and the server.

4. B. Only the CSR is submitted to the signing CA. The private key should be backed up but never given out to a third party.

5. B. Settings such as RADIUS shared secret keys and SNMP strings can be set only on a per-NAD basis.

6. A. Use NDG to build different policy sets for the staged deployment of ISE.

7. B. False. It is a best practice to use endpoint identity groups only for MAC address management instead of profiles.

8. A. ISE 1.2 is capable of joining only a single AD domain.

9. C. Serves as the identity source for certificate authentications and defines the field of a certificate whose data will be extracted and used as the principal identity for the authorization process.

10. A. The Network Time Protocol is critical for all network interactions that require time-sensitive interactions, including the interaction between the Cisco ISE and the Active Directory. Endpoint identity certificates also require an NTP synchronized time on Cisco ISE.

Chapter 10

1. B. The RADIUS packet must have the service-type set to Call-Check. The service-type dictates the method of authentication. The calling-station-id field must be populated with the MAC address of the endpoint.

2. B. Only EAP-FAST and TEAP (RFC 7170) have EAP chaining capabilities as of the publishing of this book.

3. C. An authentication policy is meant to drop traffic that isn’t allowed (for example, a request using an authentication protocol that is not configured), route authentication requests to the correct identity store to validate the identity, and “pass” successful authentications over to the authorization policy.

4. B. Only the Process Host Lookup check box must be selected in the Allowed Protocols for Cisco MAB to work. Detecting another protocol as Host Lookup is only for non-Cisco network devices.

5. A. Reusable conditions can be built on-the-fly while building the authentication policy, and they are saved as dictionary objects.

6. D. Create one sub-rule for each EAP type under the default 802.1X authentication rule that points to the appropriate identity store per rule.

7. D. The Called-Station-ID attribute is used to match the source SSID.

8. A. The Calling-Station-ID attribute contains the MAC address of the endpoint.

9. C. The continue option is used to send an authentication to the authorization policy even if the authentication was not successful.

10. A. The Drop option for an authentication rule will allow ISE to act as if it were not “alive” so the network device will no longer send authentication requests to that ISE server.

Chapter 11

1. D. An authorization profile is the required authorization result that is made up of multiple RADIUS attributes. These RADIUS results will affect the ultimate security policy deployed to the NAD on behalf of the endpoint.

2. B. It contains the RADIUS response (Access-Accept or Access-Reject) along with the additional authorization attributes to be sent to the network device for enforcement.

3. D. DACL-Name, Web-Redirection, Local WebAuth, Auto Smart Port. These common tasks, as well as the others, are the most often used RADIUS AVPs that will be sent to the NAD for secure policy enforcement of the endpoint.

4. A. An authorization policy contains authorization rules. Each rule will have at least one authorization profile.

5. A. True. Condition attributes can be saved into a library for future use and improved readability.

6. B. It contains the voice domain permission (cisco-av-pair = device-traffic-class = voice), which authorizes the endpoint to access the voice VLAN assigned to the interface.

7. C. Simple conditions contain only one attribute. Compound conditions contain multiple attributes along with an operator such as AND or OR.

8. A. A compound condition can contain a mixture of simple conditions (which are saved dictionary attributes) and raw attributes themselves.

9. D. To provide very specific permissions to any authorization, providing defense-in-depth while meeting the goals of the company’s security policy. A printer, for example, should not have unfettered access to the network; instead it should have only what is needed (such as reaching the print servers).

10. C. Cisco dACLs are created entirely on the RADIUS server, and the full ACL is sent down to the network device within RADIUS AV pairs, while non-Cisco network devices must create the ACL on the individual local network device. This allows the Cisco admin to create and maintain the access lists in a central place and have any changes applied nearly instantly.

Chapter 12

1. C. 802.1X requires global-level configuration for servers, enabling 802.1X on the system itself, configuring change of authorization, and enabling VSAs among others. Additionally, each interface that will be performing authentication will require interface-level commands.

2. B, D. When interacting with an advanced RADIUS server, such as Cisco ISE, Cisco WLCs require that the same ISE PSN be configured as the authentication and accounting server for the WLAN. Additionally, RADIUS NAC must be enabled on the advanced tab of the WLAN configuration.

3. B. Cisco switches can be configured to send syslog to the MNT node, where the data will be correlated as part of the authentication reports. However, this should be configured only when performing active troubleshooting or during an initial pilot/PoC.

4. A. The switch will send periodic test authentication messages to the RADIUS server (Cisco ISE). It is looking for a RADIUS response from the server; either an Access-Accept or an Access-Reject will suffice. The username and password used by the automated test must exist in the configuration.

5. B. Switch interfaces must be configured as Layer-2 access ports to run 802.1X (switchport).

6. C. Flex-Auth allows a network administrator to set an authentication order and priority on the switchport, thereby allowing the port to attempt 802.1X, MAC authentication bypass, and then WebAuth in order. All of these functions are provided while maintaining the same configuration on all access ports, thereby providing a much simpler operational model for customers than traditional 802.1X deployments.

7. D. Multi-Host mode is not commonly used but is still a valid option. Much like Multi-Auth mode, Multi-Host mode is an extension to MDA. There is one authentication on the voice domain and one authentication on the data domain. All other hosts on the data domain will be allowed onto the network using the first successful authentication. It’s an “authenticate one, allow the rest” type of model.

8. A. The authentication port-control auto command will enable authentication on the port and allow the authorization result to be sent from the RADIUS server. Short answer: “Turn authentication on!”

9. C. The show aaa servers command is a quick and simple way to see the current status of the ISE server from the switch’s perspective.

10. D. The command will show that the authentications are being attempted, which are successful, which authorization results have been assigned, and much more. Some of the information that is quickly provided by this command output includes the endpoint’s MAC address, the authentication method used, any assigned redirect URL, Access Control Lists, and other RADIUS AVPs that are provided via the authentication and authorization process.

Chapter 13

1. D. The Cisco switch will need the HTTPS server enabled to redirect HTTPS traffic. Before that service can be enabled, the switch needs a certificate. One of the prerequisites is a hostname and domain name, providing the switch a fully qualified domain name (FQDN). This FQDN will become the Subject Name of the self-signed certificate.

2. B. The traffic filtering ACL can be downloaded from ISE as a dACL, but the redirection ACL must preexist on the switch and is called by reference using a RADIUS AV-Pair. The AirespaceOS-based Cisco WLCs support only locally configured ACLs; therefore, all ACLs must be called by reference (also named ACLs).

3. C. RADIUS NAC is a critical setting for the WLAN that enables URL redirection and the pre-RUN states. Without this setting, CWA is not possible.

4. B. CWA is controlled by the Authorization Policy. Even an unknown MAC address needs to “continue” out of the Authentication Policy, so the appropriate response can be sent to the NAD, including the URL redirection to the portal.

5. B, D. The first rule should match if no more specific authorization rule is used and should redirect the user to the CWA portal. The second rule type should exist above the redirection rule and allow access to the user after she has successfully authenticated to the CWA portal. The authorization policy rules read like an ACL—from top down, whereby the first matched rule is applied.

6. A. DRW is an older method but uses a base license only. It does not provide a portal for the end user to manage his endpoints. When the end user accepts the AUP, the device’s MAC address is automatically added to the configured Endpoint Identity Group.

7. A. The same URL-Redirect and URL-Redirect-ACL AV pairs are sent to the Cisco NADs regardless of the redirection type. The URL will be different for each portal type. When building the authorization profile, the common tasks area will provide a drop-down to select the type of URL redirection being used and to change the URL accordingly.

8. D. The show authentication sessions interface [interface-name] is like the Swiss Army knife of show commands for authentications. With the output, you see the MAC address, IP address, dACL (listed as an ACS ACL), URL-redirect ACL, and URL to which the end user is being redirected.

9. B. Cisco ISE has a phenomenally useful tool built into it, commonly called Live Log. Live Log provides a near real-time view of all incoming authentications, change of authorizations (CoAs), and more.

10. A. The CoA is a key function. Specifically, it is a CoA-Reauth and causes the switch to reauthenticate the endpoint without starting a new session. The switch sends another MAB request to ISE, which is able to tie the guest authentication from the centralized portal to the MAB request from the switch and assign the appropriate permission.

Chapter 14

1. B. When a guest connects to the network, they are given a web-redirect authorization policy. This web redirect will intercept any attempts to browse the Internet, forcing the guest user to a webpage where they will authenticate—that is, WebAuth.

2. C. The sponsor and guest portals can run on any PSN that has session services running.

3. B. Currently, the ISE guest portals can run only on those ports between 8000 and 8999.

4. A, D, F. The three default sponsor groups on ISE are SponsorAllAccounts, SponsorGroupGrpAccounts, and SponsorGroupOwnAccounts.

5. F. To use Active Directory group membership as the source of authentication and authorization for sponsors, ISE must first be associated to the domain. Furthermore, the AD identity store must also be a part of the identity source sequence that is in use for the sponsor portal. If you choose, you can provide a differentiated level of guest account creation based on the AD group membership as will be demonstrated in this chapter.

6. E. The Operations tab of the portal configuration page allows a network administrator to define the security policy for the portal. This page outlines how often the guest will be prompted to accept the Acceptable Use Policy, whether a guest can or must change their given password, whether the guest can perform device registration, or whether a user can create their own guest account. A few additional options are also available on the portal configuration page.

7. A. Under the sponsor group, the three settings that are configurable are the Authorization Levels, Guest Roles, and Time Profiles. With Authorization levels, the network administrator can configure which functions a sponsor user can configure for his guest. The Guest Roles option allows the sponsor to create guest users for specific Guest Roles—possibly allowing a differentiated level of access for each role. The final option, Time Profiles, defines the length of time for the guest accounts that can be created by the sponsor.

8. C. From the sponsor portal, when you are creating guest accounts, you have three options—Individual, Import, and Random. The Individual option creates a single guest user account, Import allows you to create multiple accounts using a spreadsheet template, and Random allows you to create a number of random guest accounts. The level of access and the length of the account also are configurable.

9. C. To trigger the WebAuth policy on Cisco ISE, the NAD must be using the MAB process. This MAB process, or RADIUS Service-Type of Call Check, is indicated by the security policy of MAC Filtering on the WLC. RADIUS NAC must also be configured as the NAC State on the Advanced tab of the SSID configuration.
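To make the MAB versus 802.1X distinction concrete, here is an added example (not from the book) that parses a raw RADIUS Access-Request and classifies it by the Service-Type and EAP-Message attributes described above; the two sample packets are constructed inline with made-up MACs and usernames.

```python
import struct

# RADIUS packet code and attribute types (RFC 2865 / RFC 3579)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_SERVICE_TYPE = 6
ATTR_CALLING_STATION_ID = 31
ATTR_EAP_MESSAGE = 79
SERVICE_TYPE_CALL_CHECK = 10   # Service-Type value a NAD uses for MAB


def parse_attributes(payload):
    """Walk the TLV attribute list that follows the 20-byte RADIUS header.
    Repeated attributes (e.g. fragmented EAP-Message) are kept as a list."""
    attrs = {}
    offset = 0
    while offset < len(payload):
        if offset + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[offset], payload[offset + 1]
        if alen < 2 or offset + alen > len(payload):
            raise ValueError("bad attribute length %d" % alen)
        attrs.setdefault(atype, []).append(payload[offset + 2:offset + alen])
        offset += alen
    return attrs


def classify_access_request(packet):
    """Return 'MAB', '802.1X' or 'other' for a raw RADIUS Access-Request."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs = parse_attributes(packet[20:length])
    # 802.1X: the supplicant's EAP conversation rides inside EAP-Message
    if ATTR_EAP_MESSAGE in attrs:
        return "802.1X"
    # MAB: Service-Type = Call-Check and the MAC doubles as the username
    service = attrs.get(ATTR_SERVICE_TYPE)
    if service and len(service[0]) == 4 and \
            struct.unpack("!I", service[0])[0] == SERVICE_TYPE_CALL_CHECK:
        user = attrs.get(ATTR_USER_NAME, [b""])[0].lower()
        mac = attrs.get(ATTR_CALLING_STATION_ID, [b""])[0].lower()
        if user == mac.replace(b"-", b"").replace(b":", b""):
            return "MAB"
    return "other"


def build_access_request(attr_list, ident=1):
    """Assemble a constructed Access-Request; the 16-byte authenticator is
    left as zeros, which is fine for an offline parsing demonstration."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attr_list)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + bytes(16) + body


# Constructed sample: what a switch sends when it MABs an endpoint
MAB_REQUEST = build_access_request([
    (ATTR_USER_NAME, b"001122aabbcc"),
    (ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK)),
    (ATTR_CALLING_STATION_ID, b"00-11-22-AA-BB-CC"),
])
# Constructed sample: first EAP-Message (Identity response) of an 802.1X attempt
DOT1X_REQUEST = build_access_request([
    (ATTR_USER_NAME, b"employee1"),
    (ATTR_SERVICE_TYPE, struct.pack("!I", 2)),          # Framed
    (ATTR_EAP_MESSAGE, bytes([2, 1, 0, 14, 1]) + b"employee1"),
])

if __name__ == "__main__":
    print(classify_access_request(MAB_REQUEST))    # MAB
    print(classify_access_request(DOT1X_REQUEST))  # 802.1X
```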

10. D. The correct command to verify the level of access given to a guest user on a Cisco switch is show authentication sessions interface <if_name> details. This output will provide you with any ACLs or URL Redirects that have been deployed to the device from ISE.

Chapter 15

1. A. Profiler is enabled by default on all policy service nodes and standalone nodes. However, not a single probe is enabled by default in ISE 1.2.

2. A, B, D. There is no such thing as an EndPointProfile attribute. Although OS-Scan is used as a condition to determine the endpoint’s profile, it cannot be used directly in an authorization policy. The authorization policy can use identity groups (which contain a list of MAC addresses), EndPoint Policy attribute (which is the actual endpoint profile), and logical profiles (a group of profiles).

3. E. The SNMPQUERY probe will periodically query all the NADs configured with SNMP strings, but it is also a reactive probe. The SNMPQUERY probe will reactively query a NAD when the RADIUS probe receives an accounting START message or when an SNMP trap is received.

4. C. The three probes that exist in device sensor on Cisco switches are CDP, DHCP, and LLDP. Wireless controllers have two probes: DHCP and HTTP.

5. A. Cisco no longer includes profile updates within the ISE version updates or patches. All new profiles are included and downloaded as part of the Cisco Profiler Feed Service.

6. C. Profiling is all about the certainty value. Each profile has a minimum certainty value, and matching the conditions will increase the certainty value. The profile with the highest certainty value is the one that will be assigned.
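As an added illustration of the certainty logic (this is a simplified model written for this page, not ISE's own engine or Cisco's shipped profiles), the following code sums per-condition certainty factors, drops profiles that miss their minimum, and assigns the highest scorer; the OUI, attribute names and endpoint data are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Rule:
    # condition inspects the attributes the probes collected; certainty is the
    # factor added to the profile's total when the condition matches
    description: str
    condition: Callable[[Dict[str, str]], bool]
    certainty: int


@dataclass
class Profile:
    name: str
    min_certainty: int          # total must reach this or the profile is skipped
    rules: List[Rule] = field(default_factory=list)

    def score(self, attrs: Dict[str, str]) -> int:
        return sum(r.certainty for r in self.rules if r.condition(attrs))


def match_profile(attrs: Dict[str, str], profiles: List[Profile]) -> Tuple[str, int]:
    """Return (profile_name, certainty) for the highest-scoring profile whose
    total meets its minimum; an endpoint matching nothing stays 'Unknown'."""
    best_name, best_score = "Unknown", 0
    for p in profiles:
        s = p.score(attrs)
        if s >= p.min_certainty and s > best_score:
            best_name, best_score = p.name, s
    return best_name, best_score


def oui_is(prefix: str):
    # match the first three octets of the MAC (the OUI), delimiter-agnostic
    return lambda a: a.get("MACAddress", "").upper().replace(":", "").replace("-", "").startswith(prefix)


def attr_contains(key: str, needle: str):
    return lambda a: needle.lower() in a.get(key, "").lower()


# Constructed profiles; "001122" is a placeholder OUI, not a real vendor's
PROFILES = [
    Profile("Cisco-IP-Phone", min_certainty=20, rules=[
        Rule("OUI is placeholder OUI", oui_is("001122"), 10),
        Rule("CDP platform says IP Phone", attr_contains("cdpCachePlatform", "IP Phone"), 20),
    ]),
    Profile("Cisco-Device", min_certainty=10, rules=[
        Rule("OUI is placeholder OUI", oui_is("001122"), 10),
    ]),
    Profile("Windows-Workstation", min_certainty=20, rules=[
        Rule("DHCP class id is MSFT", attr_contains("dhcp-class-identifier", "MSFT"), 10),
        Rule("User-Agent says Windows", attr_contains("User-Agent", "Windows NT"), 10),
    ]),
]

# Constructed endpoint attribute sets, as a CDP/DHCP/HTTP probe might collect them
PHONE = {"MACAddress": "00:11:22:AA:BB:CC", "cdpCachePlatform": "Cisco IP Phone 7965"}
PC_DHCP_ONLY = {"MACAddress": "AA:BB:CC:00:11:22", "dhcp-class-identifier": "MSFT 5.0"}
PC_FULL = dict(PC_DHCP_ONLY, **{"User-Agent": "Mozilla/5.0 (Windows NT 10.0)"})

if __name__ == "__main__":
    for label, ep in [("phone", PHONE), ("pc (dhcp only)", PC_DHCP_ONLY), ("pc (dhcp+http)", PC_FULL)]:
        print(label, match_profile(ep, PROFILES))
```

Note how the phone scores on two profiles but the higher total wins, and the PC seen only through DHCP stays Unknown until the HTTP probe adds enough certainty to reach the minimum.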

7. A. The Endpoints Drill-down tool is an excellent way to look into the profiled endpoints and verify that the profiling service is working.

8. B, D. HTTP user agent strings could be gleaned through SPAN monitoring and VACLs and directly from the ISE web portals. Wired switches do not currently have an HTTP device sensor probe, but wireless controllers do.

9. B. ISE provides the ability for administrators to create their own custom profiles using any of the attributes available to the profiling engine.

10. C. Profiles are classified as Cisco provided, administratively modified, or administrator created. Only Cisco-provided profiles will be overwritten.

Chapter 16

1. B. A copy of the signing CA’s public key must be stored at Administration > System > Certificates > Certificate Store, and it needs to have the Trust for Client Authentication option selected.

2. D. It’s vital to understand that the Valid-From field is just as important as the Valid-To field. A certificate will be rejected if it is issued for a date and time after the current date and time. This is why NTP is so critical for PKI.

3. B. ISE supports checking both CRL and Online Certificate Status Protocol (OCSP). OCSP is the preferred method for scalability and security reasons.

4. A. ISE will only leverage the CRL distribution point configured within the trusted certificate store for that signing CA and ignore the field that is in the client’s certificate.

5. A. ISE sends some “throw-away data” to the client that is encrypted with the combination of ISE’s private key and the client’s public key (the certificate sent for authentication). Then the endpoint must decrypt the data with the combination of its private key and the server’s public key, proving the client has the full key pair and not just a copy of a public key.

6. C. A certificate issued by Active Directory Certificate Services is still just an X.509 certificate. It will go through all the authentication validation of any other certificate, regardless of the fact that the CA was integrated into AD. The CAP extracts the user’s identity from the fields in the certificate for the authorization with AD.

7. B. Although both EAP-TLS and EAP-GTC are native EAP-Types capable of performing certificate-based authentication, EAP-TLS is more common. EAP-TTLS and EAP-FAST are tunneled EAP types, both of which are capable of having EAP-TLS as an inner-method.

8. D. Allowed Protocols, CAP for an Identity Store, and trusting the signing CA for client authentication are all that is required. Certificate Revocation checking and the authorization rule are both optional.

9. C. Many certificate authorities have a website where they permit the downloading of their public certificate and even the full certificate chain. In this chapter you see an example of downloading the key from a Microsoft CA. Navigating to this web page and downloading the certificate is how an ISE admin can obtain the public certificate of the signing CA to trust for client authentications. However, it is not recommended to use PKCS chain files unless there is no other option. As a best practice, always use Base-64 encoded files instead of DER-encoded files.

10. B. Although I’m flattered that you might want to call me to fix your problems, C is definitely not the correct answer. The first question you would be asked is: “What does it say for Failure Reason in the Authentication Details Report?” which is the correct answer: B. There is no report named Failed Authentications, and besides it would not exist in the root of “reports.”

Chapter 17

1. B. One of the business issues with a BYOD model is walking an end user through the process of configuring his network supplicant to meet corporate policies. Onboarding is used to help an end user perform those actions himself, without requiring interaction from the IT department.

2. C. To maintain a seamless experience for the end user, a CoA-Reauth message is used. This keeps the endpoint connected to the network and simply causes the supplicant to send credentials again. At this point, it will be using the new certificate-based credentials to authenticate. The end user is completely unaware of the actions. A CoA-DM (disconnect message) would drop the endpoint from the network and be a poor user experience. Waiting for a reauth interval or a disconnect/reconnect to the network would not be an optimal user experience either.

3. A. The software is hard-coded to deny guest users from entering the flow. There is no configuration possible to allow guest users to enter the provisioning process through the dual-SSID onboarding flows.

4. D. While both C and D could be viewed as correct answers, only D is technically accurate.

5. B. ISE will authenticate any endpoint that has been configured to authenticate to the network, regardless of the onboarding status. The policy can be configured to send an access-reject or to leave the user in the redirected state to receive a message explaining that she must configure her device on her own or call her IT department for assistance.

6. B. Apple iOS does not use an app to perform the provisioning; instead it leverages the native Over the Air (OTA) provisioning built in to the OS to handle the certificate signing requests and downloading of a network profile.

7. B. The admin may manage endpoints from the Endpoints Identity section within the ISE administrative GUI. The MyDevices portal is designed for an individual to perform self-service of registered devices.

8. A. Live authentications log does not show any information about the registration or the NSA app. It does show all the authentications and the change of authorizations.

9. D. With the ISE 1.2 versions pertinent to this exam, both Windows and Mac are still using a Java applet that is downloaded from ISE’s Client Provisioning Portal (CPP). 1.2 patch 11 and 1.3 versions of ISE will enable the use of a native .exe for Windows and a .dmg for Mac OS X, but that is out of scope of this exam blueprint and therefore out of scope for this book.

10. B. The Client Provisioning Policy determines which NAC agent, NSA Wizard, and Native Supplicant Profile to send to an endpoint. The policy is capable of using the operating system as one of many conditions to determine which result to provide an endpoint.

Chapter 18

1. C. A security group tag (SGT) is a 16-bit value that ISE assigns to the user’s or endpoint’s session upon login. The SGT can represent the context of the user and device and can be carried in the Layer-2 frame or communicated through SXP. The SGT is assigned at ingress and enforced upon egress.

2. B. SGTs are considered an authorization result in the ISE administrative GUI. They are defined within the policy elements section of the GUI as an authorization result. They also can be defined from the Policy > Security Group Access > Egress Policy screens by clicking on Configure > Create New Security Group; however, that method was never discussed in the text of this chapter.

3. A, B, D. To use the SGT, the tag needs to be assigned (known as classification). This can happen dynamically and be downloaded as the result of an ISE authorization; they also can be assigned manually at the port level or even mapped to IP addresses and downloaded to SGT-capable devices.

4. A. Although that gear might not support the classification and transport natively, it might be capable of assigning different VLANs or IP addresses per authorization result. A distribution layer device may have the ability to map subnets and VLANs and assign all source IP addresses from the subnet or VLAN to a specific tag.

5. D. Cisco has developed a peering protocol (similar to BGP or LDP) to enable devices to communicate their database of IP-address-to-SGT mappings to one another. This peering protocol is called Security Group Exchange Protocol (SXP).

6. A, C. Every SXP peer session has a speaker and listener. A speaker sends the mappings of IP addresses to SGTs. The listener receives those updates and records them. A peer can be configured for both roles simultaneously and can have numerous peers.

7. A. Native tagging of SGTs includes the 16-bit tag as a portion of the Cisco Metadata field of the Layer-2 Ethernet frame. It also can be included as part of an IPSec link.

8. B. The tag can be encrypted within a MACSec encrypted link between network infrastructure devices or even an IPSec connection. The endpoint is never aware of the tag that has been assigned, so enabling downlink MACSec between the endpoint and the switch will not help.

9. A, C. SGTs can be enforced with security group ACLs, which are egress ACLs that use source and destination tags as the condition upon which to invoke the egress ACL. Additionally the ASA, ASR, and ISR can act as security group firewalls, using the source and/or destination tag as ACL conditions.

10. D. Uplink MACSec defines the encrypted connection between network infrastructure components, whereas downlink MACSec defines the encrypted connection between the access layer device and the endpoint. Although uplink and downlink MACSec use different keying mechanisms today, both are still using the same encryption algorithm of AES-GCM-128.

Chapter 19

1. B, C, G. The three major functional areas of the Posture Service are Client Provisioning, Posture Policy, and Authorization Policy. The first, Client Provisioning, is the process by which the NAC agent is installed on the endpoint. The second, Posture Policy, is the configuration of the Posture rules: what is compliant and what is not compliant within the security policy. The final functional area is Authorization Policy: after we have determined the compliance or noncompliance of the endpoint, what the endpoint will have access to.

2. D. The three possible posture outcomes following the initial connection to the network are Compliant, Noncompliant, and Unknown. Compliant implies that the endpoint fully adheres to the company’s security policy as configured on ISE. Noncompliant implies that there is at least one deviation from the company security policy. Unknown implies that there is not an agent present on the device and, therefore, the endpoint is unable to report its posture to ISE.

3. B. One benefit of the NAC web agent is that it does not require administrative privileges to install. Unfortunately, the web agent is lacking additional features that are standard in the persistent agent.

4. B. The Process Check posture condition is not supported on Macintosh operating systems.

5. D. The File condition for Posture can check the existence, date, and version of a file on the client. This can be very useful to determine if a particular endpoint is vulnerable to a new virus or if a specific software package is present on the endpoint. This feature is only supported on Windows PCs.

6. A. These Posture Elements can be updated manually or configured to update automatically on a fixed schedule.

7. D. The CoA process is used to force an endpoint to reauthorize following a change in status or following a change of posture compliance from the NAC agent.

8. C. When configuring the Client Provisioning Policy, a network administrator is responsible for defining what NAC agents or Network Supplicant Provisioning (NSP) client is getting pushed to what endpoints under which circumstances. The network administrator, besides specifying the elected NAC Agent and NSP client, can also specify the period of time between reassessments and whether or not an Acceptable Use Policy will be used.

9. A. Remediation is the process by which an endpoint that is not compliant with security policy can become compliant. This may include downloading the latest virus definitions, installing a service pack, or enabling a screen saver password.

10. D. The only remediation from this list that is available on a Macintosh OS X endpoint is Manual Antivirus Remediation. When an endpoint is found to be noncompliant due to a deviation in its antivirus signatures, the NAC agent will provide a link for the user to download the latest definition file. All other remediations provided in this list are not possible on the Macintosh NAC agent.

Chapter 20

1. C. Monitor Mode is a process, not just a command on a switch. The process is to enable authentication (with authentication open), see exactly what devices fail and which ones succeed, and correct the failed authentications before they cause any problems.

2. A. Low-Impact Mode uses authentication open, but adds security on top of the framework that was built in Monitor Mode. It uses a PACL on the switch port to permit critical traffic of certain endpoints, like thin-clients, to function prior to an attempted authentication. After the authentication, the authorization should provide specific access, unlike Monitor Mode, which is the same pre and post authentication.

3. D. By using a phased deployment approach, you are able to start off in Monitor Mode and gradually transition into the end state of either Low-Impact Mode or Closed Mode. By doing so, you can avoid the denial of service that can often happen with 802.1X deployments.

4. B. authentication open will ignore RADIUS Access-Reject responses, but all other authorization results will be honored and enforced.

5. A. authentication open allows traffic to flow with or without an authentication. When an authorization result is sent back from the authentication server, the switch will ignore RADIUS Access-Reject responses, but all other authorization results will be honored and enforced.

6. B. Policy sets are groupings of authentication and authorization policies. The use of policy sets makes for a nice clean way to differentiate rules for each stage of the deployment.

7. D. Wireless LANs cannot have a mixture of authentication and nonauthentication. The WLAN must either be using Wi-Fi Protected Access (which facilitates the 802.1X authentication) or will be open; it cannot be both.

8. A. The NDG assignment of the NAD is used to determine which policy set ISE uses for the incoming authentications. To change the policy set being used, move the NAD from the Monitor Mode NDG to either the Low-Impact or Closed mode NDGs.

9. A. Wired clients do not get to pick their network; there is no SSID like there is for wireless. Therefore, all the various types of authentication mechanisms possible must work within a single port configuration. Without this, an admin would have to change the port configuration for each type of device that needs to access the network, which would be extremely operationally expensive.

10. A. Just like the default behavior of the original IEEE 802.1X, Closed Mode does not allow any traffic into the switch port until after a result has been received for the attempted authentication or a timeout occurs.

Chapter 21

1. C. After a standalone node has been promoted to primary on the deployment screen, you click Register and enter the FQDN and the credentials for any other node that you want to join the new primary and form an ISE cube.

2. A. When joining the node to the cube, you will specify the persona and whether it will be primary or secondary (Monitoring only).

3. D. The show udi CLI command and the GUI will provide the three required items: SPID, VPID, and serial number.

4. B. There is no automatic failover, but there is a manual promotion from the secondary’s GUI.

5. D. There is no automatic failover, but the ISE nodes are configured to send logging to both primary and secondary MnT automatically. If one fails, the other is still receiving the logs.

6. C. Node groups are made up of Layer-2 adjacent (same VLAN) PSNs, where the PSNs maintain a heartbeat with each other. In the event that a PSN were to go down while a session was being authenticated, one of the other PSNs in the node group would send a CoA to the NAD so the endpoint could restart the session establishment with a new PSN.

7. B. Cisco ISE is commonly deployed with load balancers. There are caveats to pay attention to, such as not to use Source NAT (SNAT).

8. B. Patches are downloaded from cisco.com and applied to the PAN under Administration > System > Maintenance > Patch Management. The PAN will push the patch to the other nodes in the deployment.

9. D. The status of a backup can be viewed from the GUI or the CLI, but the status of a restore can only be viewed from the CLI.

10. D. It is not configurable, and will patch all nodes in alphabetical order. The PAN is patched first, and will push the patch to all other nodes.

Chapter 22

1. D. The Evaluate Configuration Validator tool compares a switch configuration to a “template” configuration built in to ISE, and any differences between the configurations are pointed out.

2. C. The RADIUS Authentication Troubleshooting tool attempts to examine different aspects of a session and provide some additional details that might not have been available in the detailed authentication report, as well as provide some suggestions for items to check next.

3. B. Each ISE component can have its logging levels changed through the graphical user interface only.

4. B. The Live Sessions Log correlates activity related to the entire session, not just the raw entries related to a passed or failed authentication.

5. A. The Live Log displays events related to the raw syslog messages sent from the PSN to the MNT node, focused on passed or failed authentications.

6. D. Logging targets are configured centrally, and the settings are pushed down to each PSN. Each PSN is configured to send syslog messages to all configured logging targets concurrently.

7. B. The Suppress Anomalous Clients setting within Administration > System > Protocols > RADIUS is used to enable log de-duplication.

8. B. Cisco AnyConnect DART is the module used to collect all log files from the endpoint along with other important information, combining them all into a single Zip file for analysis by Cisco TAC.

9. C. Although a firewall can sometimes be a good place to troubleshoot why communication is not successful, the three main locations to troubleshoot network access are ISE, the endpoint, and the NAD.

10. B. debug epm is the go-to debug command for all activities related to URL-redirection, dACLs being applied, SGTs being assigned, and all other activity related to an authentication session’s advanced capabilities.