CCNP Security FAQ: Initial Configuration of Cisco ISE
Q1. Which rights and permissions are required for the account used to join Cisco ISE to the Active Directory domain?
a. Search Active Directory, Remove workstation from domain, Change passwords
b. Write to Active Directory, Add workstation to organizational unit, Read properties of computer objects
c. Search Active Directory, Add workstation to domain, Set attributes on the new machine account
d. Write to Active Directory, Add workstation to domain, Read properties of computer objects
Q2. Which CLI command lists all the ISE processes and their statuses?
a. show status ise
b. show application status ise
c. show application status
d. show version
Q3. Which two functions does a certificate fulfill when used with HTTPS and EAPoverLAN?
a. Authenticates the server to the client, and the encryption method is embedded in the transform-set field within the certificate.
b. Identifies the client to the NAD and is used as the basis for the encrypted transport between the client and the NAD.
c. Authenticates the server to the client and is used as the basis for the encrypted transport between the client and server.
d. Authenticates the client to the NAD, and the encryption method is embedded in the transformset field within the certificate.
Q4. True or False? When submitting a certificate signing request (CSR), the CSR and the private key are sent to the signing certificate authority (CA), so the CA can sign the key-pair.
a. True
b. False
Q5. True or False? Settings such as RADIUS shared secret keys and SNMP strings can be set on a per Network Device Group (NDG) level.
a. True
b. False
Q6. What is a valid use of network device groups?
a. Use NDG as the condition by which to build different policy sets for the staged deployment of ISE.
b. Use the incoming authentication protocol type to route the authentication to a network device group that is able to process that authentication type.
c. Use the NDG to determine to which ISE policy node to route the authentication request.
d. The result of an authorization policy will allow the user to log in and control devices within the assigned network device group.
Q7. True or False? Local endpoint identity groups should be created per endpoint profile instead of using the attribute itself.
a. True
b. False
Q8. True or False? Cisco ISE 1.2 can join 1 Active Directory Forest and process authentications for any domain in the forest with 2-way trusts.
a. True
b. False
Q9. What is the purpose of a certificate authentication profile (CAP)?
a. Defines which CA to use for revocation checking via either certificate revocation lists (CRLs) or online certificate status protocol (OCSP).
b. Used with MSCHAPv2 for a client to validate the authentication server.
c. Serves as the identity source for certificate authentications and defines the field of a certificate whose data will be extracted and used as the principle identity for the authorization process.
d. Used with EAP-FAST to allow for faster reauthentications and secure transport without the use of X.509 certificates.
Q10. True or False? It is critical to use Network Time Protocol (NTP) to ensure the time is synchronized correctly between Cisco ISE and Microsoft Active Directory.
a. True
b. False