CCNP Security FAQ: A Guided Tour of the Cisco ISE Graphical User Interface
Figure: Initial ISE administrative GUI login.
Q1. Which is true of the Cisco ISE GUI? a. Requires a separate application to access it b. Uses a “standard,” Adobe Flash-capable web-browser c. Does not exist—ISE is only configurable via command-line interface (CLI) d. Requires Cisco Network Assistant
Answer: B. The Cisco ISE GUI is accessed through an Adobe Flash-capable web browser. As of Cisco ISE 1.2, the two supported browsers are Mozilla Firefox and Microsoft Internet Explorer. (This answer reflects ISE 1.2: Adobe Flash reached end of life in December 2020, and current ISE releases no longer depend on it.)
Q2. To ensure the highest level of security, the ISE administrative GUI uses which of the following? a. SSH b. SCP c. HTTP d. HTTPS
Answer: D. The best way to ensure a secure connection is to encrypt and authenticate the communications between ISE and the device being used to reach the administrative portal. If HTTP were used, any device in the network path between the administrative workstation and ISE could eavesdrop on the session or play man-in-the-middle, either capturing the administrative credentials or surreptitiously injecting a different security policy. To prevent this, ISE serves the administrative portal over HTTPS (HTTP inside TLS), which encrypts all traffic between the administrative device and ISE and, through the server certificate, lets the browser confirm that it is talking to the real ISE node rather than an impostor. SSH and SCP are not protocols that are typically used for GUI-based portals; SSH is what you use to reach the ISE CLI.
Q3. The initial certificate presented by the ISE administrative GUI is typically which of the following? a. Signed by a trusted, public certificate authority b. A self-signed certificate automatically generated by ISE c. Delivered in a separate envelope from the ISE appliance d. Put in a frame and hung over your desk at work
Answer: B. To establish the initial secure connection, ISE generates a self-signed certificate on installation. Because no trusted certificate authority, either a local CA or a third-party public CA, has signed it, the browser used for administrative access raises a security warning. Before clicking through that warning, confirm that the certificate really belongs to the ISE node and not to a man-in-the-middle: compare the fingerprint the browser shows with the fingerprint of the system certificate read from the ISE node itself over a path you already trust (the appliance console, for example). Once verified, you can permanently accept the certificate within the web browser so the warning does not reappear; if the warning does come back later for the same node, the certificate has changed and that should be investigated rather than accepted reflexively. Ideally, install a certificate signed by a CA that is already in the browser's trust store (either a local enterprise CA or a third-party public CA) onto ISE. This, too, prevents the security warnings, and it removes the need to train administrators to click through them.
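The check described in Q2 and Q3, as an added example written for this page (it is not code from the page or from Cisco): retrieve the certificate the ISE admin portal presents, compute its SHA-256 fingerprint, and compare it with a fingerprint you obtained out of band before telling the browser to accept it permanently. It uses only the Python 3 standard library; the host name `ise.example.com` and the pinned value are placeholders, and the "constructed" bytes used for self-checking are not a real certificate.

```python
"""Added example, not code from the page or from Cisco: verify the certificate
an ISE admin portal presents against a fingerprint obtained out of band, so the
browser's "permanently accept" decision rests on evidence rather than hope.
The host name and the pinned fingerprint are assumptions for illustration."""
import hashlib
import hmac
import socket
import ssl


def sha256_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER bytes, in the colon-separated form browsers display."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_presented_cert(host: str, port: int = 443) -> bytes:
    """First-contact step: retrieve the certificate the server offers WITHOUT trusting it.

    Verification is switched off deliberately and only here, because the point is
    to look at the certificate, not to rely on it yet. Nothing sensitive (no
    credentials) is sent over this connection.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint_matches(der_cert: bytes, pinned: str) -> bool:
    """Compare the presented fingerprint with the pinned one; colons and case are ignored."""
    norm = lambda s: s.replace(":", "").replace(" ", "").upper()
    return hmac.compare_digest(norm(sha256_fingerprint(der_cert)), norm(pinned))


def check_portal(host: str, pinned: str, port: int = 443) -> bool:
    """True only if the live portal presents exactly the certificate you verified."""
    return fingerprint_matches(fetch_presented_cert(host, port), pinned)


if __name__ == "__main__":
    # Hypothetical node and a placeholder pin: replace PINNED with the fingerprint read
    # from the ISE node itself (console or an already-trusted session), never with the
    # value copied out of the browser warning you are trying to validate.
    PINNED = "00:00:...:00"
    print(check_portal("ise.example.com", PINNED))
```

The fingerprint must come from a path you already trust; copying it out of the very browser warning you are validating proves nothing, because a man-in-the-middle would be presenting that certificate too. Once the pin matches, accept the certificate in the browser, and treat any later mismatch on the same node as an incident to investigate.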
Q4. Components within the Operations section of ISE allow an administrator to do which of the following? a. Actively monitor, report, and troubleshoot active authentication and authorization sessions b. Configure how ISE will operate on the network c. Create the web portals for client provisioning d. Modify the security policy of ISE
Answer: A. The Operations tab of Cisco ISE allows an administrator to monitor, report, and troubleshoot active authentication and authorization sessions.
Q5. The Policy tab of the Cisco ISE GUI allows an administrator to configure all of the following EXCEPT which? a. Authorization b. Client provisioning c. Web portals d. Security group access
Answer: C. The Policy tab of the Cisco ISE GUI allows an administrator to configure authentication, authorization, profiling, posture, client provisioning, and security group access, amongst others. Web portals, however, are configured under the Administration tab.
Q6. You can configure which of the following item(s) under the Administration tab of Cisco ISE? a. Policy elements b. Certificates c. Dictionaries d. Network devices e. A, B, and C f. B, C, and D g. B and D
Answer: G. The Administration tab of Cisco ISE can be used to configure all “setup”-type functions of ISE. These functions are those that are often set up one time and rarely modified thereafter. In this case, certificates and network devices are two items that are configured under the Administration tab and are rarely modified after their initial configurations.
Q7. When adding a network access device to Cisco ISE, which of the following details can be configured under the network device? (Select three.) a. MAC address b. IP address c. Device name d. RADIUS server IP address e. RADIUS shared secret key f. Mobile device manager g. SGA AAA Servers
Answer: B, C, E. When adding a new network access device to Cisco ISE, you must provide a device name and a device IP address. If you intend to use Cisco ISE as the RADIUS server for authentication and authorization (the usual purpose of Cisco ISE in a network deployment), you will also need to add a shared secret key for RADIUS. The same secret must be configured on the NAD; RADIUS uses it to obfuscate the User-Password attribute and to authenticate the server's responses, so it should be long, random, and unique to each device. The RADIUS server IP address is configured on the NAD, pointing to Cisco ISE. Mobile device managers and SGA AAA Servers are unrelated to the network device configuration.
Q8. An authentication policy within ISE is used to do which of the following? a. Determine what the endpoint will be given access to b. Identify the endpoint or the user of the endpoint as it connects to the network c. Determine the type of security software that is running on the endpoint d. Quarantine a user if the endpoint is on the Blacklist
Answer: B. Authentication is the process by which ISE identifies the endpoint or the user of the endpoint as it connects to the network. The authentication policy is used for this purpose.
Q9. Profiling policies within ISE can leverage all of the following protocols to determine the type of endpoint that is accessing the network EXCEPT which? (Select two.) a. DHCP b. RADIUS (by proxy) c. SSH d. HTTP(S) e. FTP
Answer: C, E. When an endpoint attempts to access the network, it automatically sends a number of different packets onto the network—“normal” communication for a networked device. The information contained within these packets can often be leveraged by ISE to determine the type of device (profiling the device) that is sending the information. The MAC address of the endpoint—either learned via EAP or via MAC Authentication Bypass on the NAD—is forwarded to ISE via RADIUS. The endpoint’s DHCP requests to get an IP address can also be sent to ISE, allowing ISE to extract key identifying information from this DHCP process. Finally, HTTP(S) communications between the endpoint and ISE portals can be used to further identify the type of device that is accessing the network. Using RADIUS, DHCP, and HTTP (and other protocols), ISE can make a pretty good determination as to the type of device that is accessing the network. ISE currently does not support the use of SSH or FTP as a vehicle for profiling an endpoint.
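The following added example (written for this page; it is not code from the page or from Cisco) ties Q7 and Q9 together by building and checking the RADIUS exchange between a NAD and ISE: it shows what the shared secret configured on both sides actually protects (the User-Password obfuscation, the Message-Authenticator on the request and the Response Authenticator on the reply) and where the profiling data the RADIUS probe consumes, the endpoint MAC in Calling-Station-Id, travels in the packet. Attribute numbers follow RFC 2865 and RFC 2869; everything else (the secret, user, MAC, NAS address) is constructed sample data, and the code is a teaching model, not the NAD's or ISE's implementation.

```python
"""Added example, not code from the page or from Cisco: what the RADIUS shared
secret configured on both the NAD and ISE actually protects, and where the
profiling data (endpoint MAC via Calling-Station-Id) travels in the packet.
Attribute numbers follow RFC 2865/2869; every packet here is constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
CALLING_STATION_ID, MESSAGE_AUTHENTICATOR = 31, 80


def attr(code, value):
    """One attribute-value pair: type, length (header included), value."""
    return struct.pack("!BB", code, len(value) + 2) + value


def hide_password(secret, request_auth, password):
    """RFC 2865 5.2: XOR the padded password with an MD5 stream keyed by the secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def reveal_password(secret, request_auth, hidden):
    """Server side of hide_password(): the chain runs over the ciphertext blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(secret, ident, username, password, mac, nas_ip, request_auth=None):
    """What the NAD sends to ISE; the Message-Authenticator is HMAC-MD5 keyed by the secret."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(secret, request_auth, password.encode()))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(CALLING_STATION_ID, mac.encode())
             + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))   # placeholder, filled below
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth
    mac_value = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac_value, request_auth


def parse_attributes(packet):
    """Walk the AVPs after the 20-byte header into {type: value}."""
    attrs, pos = {}, 20
    while pos < len(packet):
        code, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[code] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def verify_message_authenticator(secret, packet):
    """Server check: recompute the HMAC with the Message-Authenticator value zeroed."""
    pos = 20
    while pos < len(packet):
        code, length = packet[pos], packet[pos + 1]
        if code == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += max(length, 2)
    return False


def build_response(secret, code, ident, request_auth, attrs=b""):
    """What ISE sends back; Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(secret, request_auth, response):
    """NAD check: a reply forged without the shared secret fails here."""
    if len(response) < 20 or int.from_bytes(response[2:4], "big") != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def endpoint_identity(packet):
    """The fields ISE's RADIUS probe profiles on: user, MAC (and its OUI), and the NAD."""
    a = parse_attributes(packet)
    mac = a.get(CALLING_STATION_ID, b"").decode()
    return {"user": a.get(USER_NAME, b"").decode(), "mac": mac,
            "oui": mac.replace("-", ":").upper()[:8],
            "nas_ip": ".".join(str(b) for b in a.get(NAS_IP_ADDRESS, b""))}


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # would be a per-NAD value in ISE
    req, ra = build_access_request(secret, 7, "alice", "pw", "00-11-22-33-44-55", "10.1.1.1")
    print(endpoint_identity(req), verify_message_authenticator(secret, req))
    print(verify_response(secret, ra, build_response(secret, ACCESS_ACCEPT, 7, ra)))
    print(verify_response(secret, ra, build_response(b"wrong", ACCESS_ACCEPT, 7, ra)))
```

Two things worth noticing: every integrity check in the exchange reduces to MD5 keyed with the shared secret, so a short or reused secret is the weakest link between the NAD and ISE; and the MAC that profiling relies on is simply whatever the NAD writes into Calling-Station-Id, which is why the page's answer treats RADIUS profiling as "by proxy" of the switch rather than as something the endpoint proves.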
Q10. Client provisioning is a process whereby all necessary _______ and _______ are deployed to the endpoint, allowing the endpoint to more easily, maybe even automatically, join the network in the future. a. credentials, configurations b. regulations, policies c. IP addresses, ACLs d. protocols, processes
Answer: A. During the client provisioning process, the necessary credentials and configurations are deployed to the endpoint, allowing the endpoint to automatically join the network on the next attempt with little or no interaction from the user.