CCNP Security FAQ: Troubleshooting Tools

Q: Which ISE tool displays a near real-time view of passed and failed authentications?

A. The Live Log displays events related to the raw syslog messages sent from the PSN to the MNT node, focused on passed or failed authentications.

Q: Choose the option that best describes how external syslog servers can receive logs from ISE.

D. Logging targets are configured centrally, and the settings are pushed down to each PSN. Each PSN is configured to send syslog messages to all configured logging targets concurrently.

Q: Where does an ISE admin disable all event de-duplication?

B. The Suppress Anomalous Clients setting within Administration > System > Protocols > RADIUS is used to enable log de-duplication.

Q: What are the three main locations to troubleshoot network access authentication?

C. Although a firewall can sometimes be a good place to troubleshoot why communication is not successful, the three main locations to troubleshoot network access are ISE, the endpoint, and the NAD.

CCNP Security FAQ: Troubleshooting Tools

Figure: Live sessions

Q1. Which ISE diagnostic tool can be used to find misconfigurations in a Cisco NAD?
a. TCP Dump
b. Live Sessions Log
c. RADIUS Authentication Troubleshooting Tool
d. Evaluate Configuration Validator

Answer: D. The Evaluate Configuration Validator tool compares a switch configuration to a “template” configuration built in to ISE, and any differences between the configurations are pointed out.

Q2. Which ISE diagnostic tool can be used to examine different aspects of a session and provide some additional details that might not have been available in the detailed authentication report?
a. TCP Dump
b. Live Sessions Log
c. RADIUS Authentication Troubleshooting Tool
d. Evaluate Configuration Validator

Answer: C. The RADIUS Authentication Troubleshooting tool attempts to examine different aspects of a session and provide some additional details that might not have been available in the detailed authentication report, as well as provide some suggestions for items to check next.

Q3. True or False? Logging levels in ISE can be set to debug level only from the command-line interface.
a. True
b. False

Answer: B. Each ISE component can have its logging levels changed through the graphical user interface only.

Q4. Which ISE tool displays a correlated view of authentications, change of authorizations, and state changes of an endpoint through its lifecycle on a network?
a. Live Log
b. Live Sessions Log
c. RADIUS Authentication Troubleshooting Tool
d. Evaluate Configuration Validator

Answer: B. The Live Sessions Log correlates activity related to the entire session, not just the raw entries related to a passed or failed authentication.

Q5. Which ISE tool displays a near real-time view of passed and failed authentications?
a. Live Log
b. Live Sessions Log
c. RADIUS Authentication Troubleshooting Tool
d. Evaluate Configuration Validator

Answer: A. The Live Log displays events related to the raw syslog messages sent from the PSN to the MNT node, focused on passed or failed authentications.

Q6. Choose the option that best describes how external syslog servers can receive logs from ISE.
a. Each PSN must be configured locally to send syslog to all sources.
b. It is not possible to configure ISE to log to external logging servers.
c. The MnT node is configured to forward all received syslog to the external recipients.
d. Each PSN sends syslog to the MNT nodes, and the external syslog receivers at the same time.

Answer: D. Logging targets are configured centrally, and the settings are pushed down to each PSN. Each PSN is configured to send syslog messages to all configured logging targets concurrently.

Q7. Where does an ISE admin disable all event de-duplication?
a. Administration > System > Logging > Message Catalog
b. Administration > System > Protocols > RADIUS
c. Administration > System > Logging > Remote Logging Targets
d. Administration > System > Protocols > IEEE 802.1X

Answer: B. The Suppress Anomalous Clients setting within Administration > System > Protocols > RADIUS is used to enable log de-duplication.

Q8. Which tool will gather all the important log files and combine them into a single bundle for TAC?
a. Cisco AnyConnect Network Access Manager (NAM)
b. Cisco AnyConnect Diagnostic and Reporting Tool (DART)
c. Cisco NAC Agent
d. Cisco ISE Agent

Answer: B. Cisco AnyConnect DART is the module used to collect all log files from the endpoint along with other important information, combining them all into a single Zip file for analysis by Cisco TAC.

Q9. What are the three main locations to troubleshoot network access authentication?
a. ISE, firewall, NAD
b. ISE, endpoint, firewall
c. ISE, endpoint, NAD
d. Endpoint, firewall, NAD

Answer: C. Although a firewall can sometimes be a good place to troubleshoot why communication is not successful, the three main locations to troubleshoot network access are ISE, the endpoint, and the NAD.

Q10. Which debug command will provide the best detail to identify why a URL redirection might not be working?
a. debug authentication
b. debug epm all
c. debug dot1x all
d. debug aaa all

Answer: B. debug epm is the go-to debug command for all activities related to URL-redirection, dACLs being applied, SGTs being assigned, and all other activity related to an authentication session advanced capabilities.

More Resources

CCNP Security FAQ: Troubleshooting Tools

Related