CCNP Security FAQ: Posture Assessment

Figure: ISE authentication and authorization flow.

Q1. The Posture Service is comprised of which of the following functional components? (Select three.)
a. Profiling
b. Client provisioning
c. Authorization policy
d. Mobile device managers
e. Access lists
f. Guest Services
g. Posture Policy

Answer: B, C, G. The three major functional areas of the Posture Service are Client Provisioning, Posture Policy, and Authorization Policy. The first, Client Provisioning, is the process by which the NAC agent is installed on the endpoint. The second, Posture Policy, is the configuration of the Posture rules: what is compliant and what is not compliant within the security policy. The final functional area is Authorization Policy: after we have determined the compliance or noncompliance of the endpoint, this defines what the endpoint will have access to.

Q2. What are the three possible posture outcomes following the initial connection to the network?
a. Location, Location, and Location
b. Routes, Translations, and Permissions
c. Authentication, Authorization, and Accounting
d. Compliant, Noncompliant, and Unknown

Answer: D. The three possible posture outcomes following the initial connection to the network are Compliant, Noncompliant, and Unknown. Compliant implies that the endpoint fully adheres to the company’s security policy as configured on ISE. Noncompliant implies that there is at least one deviation from the company security policy. Unknown implies that there is not an agent present on the device and, therefore, the endpoint is unable to report its posture to ISE.

Q3. Which is a benefit of a NAC web agent versus a persistent agent?
a. The web agent provides enhanced remediation techniques.
b. The web agent does not require Administrator privileges to install.
c. The web agent provides additional firewall functionality for the endpoint.
d. The web agent can provide a greater number of Posture conditions.

Answer: B. One benefit of the NAC web agent is that it does not require administrative privileges to install. Unfortunately, the web agent lacks additional features that are standard in the persistent agent.

Q4. True or False? The Process Check posture condition is supported on all NAC agent types.
a. True
b. False

Answer: B. The Process Check posture condition is not supported on Macintosh operating systems.

Q5. The File condition for Posture does which of the following?
a. Checks the existence of a file
b. Checks the date of a file
c. Checks the version of a file on the client
d. All of the above

Answer: D. The File condition for Posture can check the existence, date, and version of a file on the client. This can be very useful to determine if a particular endpoint is vulnerable to a new virus or if a specific software package is present on the endpoint. This feature is only supported on Windows PCs.

Q6. True or False? Cisco offers periodic Posture Elements updates.
a. True
b. False

Answer: A. These Posture Elements can be updated manually or configured to update automatically on a fixed schedule.

Q7. The CoA process is used for which of the following?
a. To force an endpoint to reauthorize following a change in status
b. Following a change of posture compliancy from the NAC agent
c. Only after a NAD has terminated an endpoint’s connection
d. a and b
e. b and c
f. a, b, and c

Answer: D. The CoA process is used to force an endpoint to reauthorize following a change in status or following a change of posture compliance from the NAC agent.

Q8. When configuring the Client Provisioning Policy, you can elect each of the following except which?
a. NAC Agent Configuration
b. Network Supplicant Provisioning
c. Access list
d. Profile

Answer: C. When configuring the Client Provisioning Policy, a network administrator is responsible for defining which NAC agent or Network Supplicant Provisioning (NSP) client is pushed to which endpoints under which circumstances. Besides specifying the elected NAC Agent and NSP client, the network administrator can also specify the period of time between reassessments and whether or not an Acceptable Use Policy will be used.

Q9. Remediation is a process by which of the following occurs?
a. An endpoint that is not compliant with security policy can become compliant.
b. ISE communicates to the ASA firewall to block known attackers.
c. ISE confirms the identity of the end user based on the associated endpoint.

Answer: A. Remediation is the process by which an endpoint that is not compliant with security policy can become compliant. This may include downloading the latest virus definitions, installing a service pack, or enabling a screen saver password.

Q10. Which remediation type is available on a Macintosh OS X endpoint?
a. Automatic Launch Program Remediation
b. Manual Antispyware remediation
c. File Remediation
d. Manual Antivirus Remediation

Answer: D. The only remediation from this list that is available on a Macintosh OS X endpoint is Manual Antivirus Remediation. When an endpoint is found to be noncompliant because its antivirus signatures are out of date, the NAC agent provides a link for the user to download the latest definition file. None of the other remediations in this list is possible with the Macintosh NAC agent.

About the author

James Palmer