CCNP Security FAQ: Initial Configuration of Cisco ISE

Q1. Which rights and permissions are required for the account used to join Cisco ISE to the Active Directory domain?
a. Search Active Directory, Remove workstation from domain, Change passwords
b. Write to Active Directory, Add workstation to organizational unit, Read properties of computer objects
c. Search Active Directory, Add workstation to domain, Set attributes on the new machine account
d. Write to Active Directory, Add workstation to domain, Read properties of computer objects

Answer: C. The permissions needed to join ISE to AD are Search Active Directory (to see whether ISE machine account already exists), Add workstation to domain (if it does not already exist), and Set attributes on the new machine account (OS type and version—optional).

Q2. Which CLI command lists all the ISE processes and their statuses?
a. show status ise
b. show application status ise
c. show application status
d. show version

Answer: B. The show application status ise command lists all the ISE processes and their statuses.

Q3. Which two functions does a certificate fulfill when used with HTTPS and EAP over LAN?
a. Authenticates the server to the client, and the encryption method is embedded in the transform-set field within the certificate.
b. Identifies the client to the NAD and is used as the basis for the encrypted transport between the client and the NAD.
c. Authenticates the server to the client and is used as the basis for the encrypted transport between the client and server.
d. Authenticates the client to the NAD, and the encryption method is embedded in the transform-set field within the certificate.

Answer: C. In both HTTPS and TLS connections, certificates are used to authenticate the server to the client and act as the basis for the encrypted transport between the client and the server.

Q4. True or False? When submitting a certificate signing request (CSR), the CSR and the private key are sent to the signing certificate authority (CA), so the CA can sign the key-pair.
a. True
b. False

Answer: B. Only the CSR is submitted to the signing CA. The private key should be backed up but never given out to a third party.


Figure: CSR form

Q5. True or False? Settings such as RADIUS shared secret keys and SNMP strings can be set on a per Network Device Group (NDG) level.
a. True
b. False

Answer: B. Settings such as RADIUS shared secret keys and SNMP strings can be set only on a per-NAD basis.

Q6. What is a valid use of network device groups?
a. Use NDG as the condition by which to build different policy sets for the staged deployment of ISE.
b. Use the incoming authentication protocol type to route the authentication to a network device group that is able to process that authentication type.
c. Use the NDG to determine to which ISE policy node to route the authentication request.
d. The result of an authorization policy will allow the user to log in and control devices within the assigned network device group.

Answer: A. Use NDG to build different policy sets for the staged deployment of ISE.

Q7. True or False? Local endpoint identity groups should be created per endpoint profile instead of using the attribute itself.
a. True
b. False

Answer: B. False. It is a best practice to use endpoint identity groups only for MAC address management instead of profiles.

Q8. True or False? Cisco ISE 1.2 can join 1 Active Directory Forest and process authentications for any domain in the forest with 2-way trusts.
a. True
b. False

Answer: A. ISE 1.2 is capable of joining only a single AD domain.

Q9. What is the purpose of a certificate authentication profile (CAP)?
a. Defines which CA to use for revocation checking via either certificate revocation lists (CRLs) or online certificate status protocol (OCSP).
b. Used with MSCHAPv2 for a client to validate the authentication server.
c. Serves as the identity source for certificate authentications and defines the field of a certificate whose data will be extracted and used as the principal identity for the authorization process.
d. Used with EAP-FAST to allow for faster reauthentications and secure transport without the use of X.509 certificates.

Answer: C. Serves as the identity source for certificate authentications and defines the field of a certificate whose data will be extracted and used as the principal identity for the authorization process.

Q10. True or False? It is critical to use Network Time Protocol (NTP) to ensure the time is synchronized correctly between Cisco ISE and Microsoft Active Directory.
a. True
b. False

Answer: A. The Network Time Protocol is critical for all network interactions that are time-sensitive, including the interaction between Cisco ISE and Active Directory. Endpoint identity certificates also require an NTP-synchronized time on Cisco ISE.

About the author

James Palmer