[2017 New] Easily Pass 300-208 Exam With Lead2pass New 300-208 VCE And PDF Dumps (176-200)
2017 August Cisco Official New Released 300-208 Dumps in Lead2pass.com! 100% Free Download! 100% Pass Guaranteed! Lead2pass updates Cisco 300-208 exam questions, adds some new changed questions from Cisco Official Exam Center. Want to know 2017 300-208 exam test points? Download the following free Lead2pass latest exam questions today! Following questions and answers are all new published by Cisco Official Exam Center: https://www.lead2pass.com/300-208.html 7 1 QUESTION 176
Which action must an administrator take after joining a Cisco ISE deployment to an Active Directory domain? A. Choose an Active Directory user.
B. Configure the management IP address.
C. Configure replication.
D. Choose an Active Directory group. Answer: D
QUESTION 177
Which feature of Cisco ASA allows VPN users to be postured against Cisco ISE without requiring an inline posture node?
A. RADIUS Change of Authorization
B. device tracking
C. DHCP snooping
D. VLAN hopping Answer: A
QUESTION 178
After an endpoint has completed authentication with MAB, a security violation is triggered because a different MAC address was detected. Which host mode must be active on the port?
A. single-host mode
B. multidomain authentication host mode
C. multiauthentication host mode
D. multihost mode Answer: A
QUESTION 179
Refer to the exhibit. You are configuring permissions for a new Cisco ISE standard authorization profile. If you configure the Tunnel-Private-Group-ID attribute as shown, what does the value 123 represent?
A. the VLAN ID
B. the VRF ID
C. the tunnel ID
D. the group ID Answer: A
QUESTION 180
Where would a Cisco ISE administrator define a named ACL to use in an authorization policy?
A. In the conditions of an authorization rule.
B. In the attributes of an authorization rule.
C. In the permissions of an authorization rule.
D. In an authorization profile associated with an authorization rule. Answer: D
QUESTION 181
Refer to the exhibit. Which URL must you enter in the External Webauth URL field to configure Cisco ISE CWA correctly?
A. https://ip_address:8443/guestportal/Login.action 2
B. https://ip_address:443/guestportal/Welcome.html 3
C. https://ip_address:443/guestportal/action=cpp 4
D. https://ip_address:8905/guestportal/Sponsor.action 5 Answer: A
QUESTION 182
When you configure an endpoint profiling policy rule, which option describes the purpose of the minimum certainty factor?
A. It is compared to the total certainty metric of an individual endpoint to determine whether the endpoint can be trusted.
B. It is compared to the assigned certainty value of an individual endpoint in a device database to determine whether the endpoint can be trusted.
C. It is used to compare the policy condition to other active policies.
D. It is used to determine the likelihood that an endpoint is an active, trusted device on the network. Answer: A
QUESTION 183
You have configured a Cisco ISE 1.2 deployment for self-registration of guest users. What two options can you select from to determine when the account duration timer begins? (Choose two.)
A. CreateTime
B. FirstLogin
C. BeginLogin
D. StartTime Answer: AB
QUESTION 184
Which error in a redirect ACL can cause the redirection of an endpoint to the provisioning portal to fail?
A. The redirect ACL is blocking access to ports 80 and 443.
B. The redirect ACL is applied to an incorrect SVI.
C. The redirect ACL is blocking access to the client provisioning portal.
D. The redirect ACL is blocking access to Cisco ISE port 8905. Answer: A
QUESTION 185
Where must periodic re-authentication be configured to allow a client to come out of the quarantine state and become compliant?
A. on the switch port
B. on the router port
C. on the supplicant
D. on the controller Answer: A
QUESTION 186
Which functionality does the Cisco ISE self-provisioning flow provide?
A. It provides support for native supplicants, allowing users to connect devices directly to the network.
B. It provides the My Devices portal, allowing users to add devices to the network.
C. It provides support for users to install the Cisco NAC agent on enterprise devices.
D. It provides self-registration functionality to allow guest users to access the network. Answer: A
QUESTION 187
During client provisioning on a Mac OS X system, the client system fails to renew its IP address. Which change can you make to the agent profile to correct the problem?
A. Enable the Agent IP Refresh feature.
B. Enable the Enable VLAN Detect Without UI feature.
C. Enable CRL checking.
D. Edit the Discovery Host parameter to use an IP address instead of an FQDN. Answer: A
QUESTION 188
Where is dynamic SGT classification configured?
A. Cisco ISE
B. NAD
C. supplicant
D. RADIUS proxy Answer: A
QUESTION 189
What is the function of the SGACL policy matrix on a Cisco TrustSec domain with SGT Assignment?
A. It determines which access policy to apply to the endpoint.
B. It determines which switches are trusted within the TrustSec domain.
C. It determines the path the SGT of the packet takes when entering the Cisco TrustSec domain.
D. It lists all servers that are permitted to participate in the TrustSec domain.
E. It lists all hosts that are permitted to participate in the TrustSec domain. Answer: A
QUESTION 190
You are configuring SGA on a network device that is unable to perform SGT tagging. How can the device propagate SGT information?
A. The device can use SXP to pass IP-address-to-SGT mappings to a TrustSec-capable hardware peer.
B. The device can use SXP to pass MAC-address-to-STG mappings to a TrustSec-capable hardware peer.
C. The device can use SXP to pass MAC-address-to-IP mappings to a TrustSec-capable hardware peer.
D. The device can propagate SGT information in an encapsulated security payload.
E. The device can use a GRE tunnel to pass the SGT information to a TrustSec-capable hardware peer. Answer: A
QUESTION 191
Refer to the exhibit. The links outside the TrustSec area in the given SGA architecture are unprotected. On which two links does EAC take place? (Choose two.)
A. between switch 2 and switch 3
B. between switch 5 and host 2
C. between host 1 and switch 1
D. between the authentication server and switch 4
E. between switch 1 and switch 2
F. between switch 1 and switch 5 Answer: BD
QUESTION 192
Which three host modes support MACsec? (Choose three.)
A. multidomain authentication host mode
B. multihost mode
C. multi-MAC host mode
D. single-host mode
E. dual-host mode
F. multi-auth host mode Answer: ABD
QUESTION 193
You are troubleshooting wired 802.1X authentications and see the following error: "Authentication failed: 22040 Wrong password or invalid shared secret." What should you inspect to determine the problem?
A. RADIUS shared secret
B. Active Directory shared secret
C. Identity source sequence
D. TACACS+ shared secret
E. Certificate authentication profile Answer: A
QUESTION 194
Refer to the exhibit. You are troubleshooting RADIUS issues on the network and the debug radius command returns the given output. What is the most likely reason for the failure?
A. An invalid username or password was entered.
B. The RADIUS port is incorrect.
C. The NAD is untrusted by the RADIUS server.
D. The RADIUS server is unreachable.
E. RADIUS shared secret does not match Answer: A
QUESTION 195
Which devices support download of environmental data and IP from Cisco ISE to SGT bindings in their SGFW implementation?
A. Cisco ASA devices
B. Cisco ISR G2 and later devices with ZBFW
C. Cisco ISR G3 devices with ZBFW
D. Cisco ASR devices with ZBFW Answer: A
QUESTION 196
In Cisco ISE 1.3, where is BYOD enabled with dual-SSID onboarding?
A. client provisioning policy
B. client provisioning resources
C. BYOD portal
D. guest portal Answer: D
QUESTION 197
Which description of the purpose of the Continue option in an authentication policy rule is true?
A. It allows Cisco ISE to check the list of rules in an authentication policy until there is a match.
B. It sends an authentication to the next subrule within the same authentication rule.
C. It allows Cisco ISE to proceed to the authorization policy regardless of authentication pass/fail.
D. It sends an authentication to the selected identity store.
E. It causes Cisco ISE to ignore the NAD because NAD will treat the Cisco ISE server as dead. Answer: C
QUESTION 198
How many days does Cisco ISE wait before it purges a session from the active session list if no RADIUS Accounting STOP message is received?
A. 1
B. 5
C. 10
D. 15 Answer: B
QUESTION 199
A user configured a Cisco Identity Service Engine and switch to work with downloadable access list for wired dot1x users, though it is failing to work. Which command must be added to address the issue?
A. ip dhcp snooping
B. ip device tracking
C. dot1x pae authenticator
D. aaa authentication dot1x default group radius Answer: B
QUESTION 200
Which option is the correct format of username in MAB authentication?
A. host/LSB67.cisco.com
B. [email protected]
C. 10:41:7F:46:9F:89
D. CISCOchris Answer: C Lead2pass promise that all 300-208 exam questions are the latest updated, we aim to provide latest and guaranteed questions for all certifications. You just need to be braved in trying then we will help you arrange all later things! 100% pass all exams you want or full money back! Do you want to have a try on passing 300-208? 300-208 new questions on Google Drive: https://drive.google.com/open?id=0B3Syig5i8gpDM1I1WlhIdHJZNjA 6 2017 Cisco 300-208 exam dumps (All 300 Q&As) from Lead2pass: https://www.lead2pass.com/300-208.html 7 1 [100% Exam Pass Guaranteed]
|
