An engineer is configuring the remote access VPN to use Cisco ISE for AAA and needs to conduct posture checks on the connecting endpoints. After the endpoint connects, it receives its initial authorization result and continues onto the compliance scan.
What must be done for this AAA configuration to allow compliant access to the network?

A. Configure the posture authorization so it defaults to unknown status
B. Fix the CoA port number
C. Ensure that authorization only mode is not enabled
D. Enable dynamic authorization within the AAA server group

Answer: D

Which two Cisco ISE deployment models require two nodes configured with dedicated PAN and MnT personas? (Choose two.)

A. three PSN nodes
B. seven PSN nodes with one PxGrid node
C. five PSN nodes with one PxGrid node
D. two PSN nodes with one PxGrid node
E. six PSN nodes

Answer: CD

Which compliance status is set when a matching posture policy has been defined for that endpoint, but all the mandatory requirements during posture assessment are not met?

A. unauthorized
B. untrusted
C. non-compliant
D. unknown

Answer: C

A Cisco device has a port configured in multi-authentication mode and is accepting connections only from hosts assigned the SGT of SGT_0422048549. The VLAN trunk link supports a maximum of 8 VLANS. What is the reason for these restrictions?

A. The device is performing inline tagging without acting as a SXP speaker
B. The device is performing mime tagging while acting as a SXP speaker
C. The IP subnet addresses are dynamically mapped to an SGT.
D. The IP subnet addresses are statically mapped to an SGT

Answer: C

An administrator wants to configure network device administration and is trying to decide whether to use TACACS* or RADIUS. A reliable protocol must be used that can check command authorization. Which protocol meets these requirements and why?

A. TACACS+ because it runs over TCP
B. RADIUS because it runs over UDP
C. RADIUS because it runs over TCP.
D. TACACS+ because it runs over UDP

Answer: A

An administrator has added a new Cisco ISE PSN to their distributed deployment.
Which two features must the administrator enable to accept authentication requests and profile the endpoints correctly, and add them to their respective endpoint identity groups? (Choose two )

A. Session Services
B. Endpoint Attribute Filter
C. Posture Services
D. Profiling Services
E. Radius Service

Answer: DE

Refer to the exhibit. Which two configurations are needed on a catalyst switch for it to be added as a network access device in a Cisco ISE that is being used for 802.1X authentications? (Choose two)

A. Option A
B. Option B
C. Option C
D. Option D
E. Option E

Answer: AC

An administrator is configuring sponsored guest access using Cisco ISE Access must be restricted to the sponsor portal to ensure that only necessary employees can issue sponsored accounts and employees must be classified to do so. What must be done to accomplish this task?

A. Configure an identity-based access list in Cisco ISE to restrict the users allowed to login
B. Edit the sponsor portal to only accept members from the selected groups
C. Modify the sponsor groups assigned to reflect the desired user groups
D. Create an authorization rule using the Guest Flow condition to authorize the administrators

Answer: C

Refer to the exhibit. An engineer is configuring a client but cannot authenticate to Cisco ISE. During troubleshooting, the show authentication sessions command was issued to display the authentication status of each port.
Which command gives additional information to help identify the problem with the authentication?

A. show authentication sessions
B. show authentication sessions Interface Gil/0/1 output
C. show authentication sessions interface Gi1/0/1 details
D. show authentication sessions output

Answer: C

