[2025-December-New]Braindump2go 300-715 VCE Dumps Free Share[Q245-Q321]

2025/December Latest Braindump2go 300-715 Exam Dumps with PDF and VCE Free Updated Today! Following are some new Braindump2go 300-715 Real Exam Questions!

QUESTION 245
Which type of identity store allows for creating single-use access credentials in Cisco ISE?

A. OpenLDAP
B. Local
C. PKI
D. RSA SecurID

Answer: D

QUESTION 246
A network engineer needs to deploy 802.1x using Cisco ISE in a wired network environment where thin clients download their system image upon bootup using PXE. For which mode must the switch ports be configured?

A. closed
B. restricted
C. monitor
D. low-impact

Answer: D

QUESTION 247
An ISE administrator must change the inactivity timer for MAB endpoints to terminate the authentication session whenever a switch port that is connected to an IP phone does not detect packets from the device for 30 minutes. Which action must be taken to accomplish this task?

A. Add the authentication timer reauthenticate server command to the switchport.
B. Add the authentication timer inactivity 3600 command to the switchport.
C. Change the idle-timeout on the RADIUS server to 3600 seconds for IP Phone endpoints.
D. Configure the session-timeout to be 3600 seconds on Cisco ISE.

Answer: C
Explanation:
The inactivity timer for MAB can be statically configured on the switch port, or it can be dynamically assigned using the RADIUS Idle-Timeout attribute (Attribute 28). Cisco recommends setting the timer using the RADIUS attribute because this approach gives you control over which endpoints are subject to this timer and the length of the timer for each class of endpoints. For example, endpoints that are known to be quiet for long periods of time can be assigned a longer inactivity timer value than chatty endpoints.
https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/MAB/MAB_Dep_Guide.html#wp392385

QUESTION 248
An engineer is configuring static SGT classification. Which configuration should be used when authentication is disabled and third-party switches are in use?

A. VLAN to SGT mapping
B. IP Address to SGT mapping
C. L3IF to SGT mapping
D. Subnet to SGT mapping

Answer: B
Explanation:
The method of sending out IP to SGT mappings from ISE is particularly useful if the access switch does not support TrustSec.
https://community.cisco.com/t5/security-knowledge-base/segmentation-strategy/ta-p/3757424

QUESTION 249
An engineer must configure Cisco ISE to provide internet access for guests in which guests are required to enter a code to gain network access. Which action accomplishes the goal?

A. Configure the hotspot portal for guest access and require an access code.
B. Configure the sponsor portal with a single account and use the access code as the password.
C. Configure the self-registered guest portal to allow guests to create a personal access code.
D. Create a BYOD policy that bypasses the authentication of the user and authorizes access codes.

Answer: A

QUESTION 250
An engineer wants to learn more about Cisco ISE and deployed a new lab with two nodes. Which two persona configurations allow the engineer to successfully test redundancy of a failed node? (Choose two.)

A. Configure one of the Cisco ISE nodes as the Health Check node.
B. Configure both nodes with the PAN and MnT personas only.
C. Configure one of the Cisco ISE nodes as the primary PAN and MnT personas and the other as the secondary.
D. Configure both nodes with the PAN, MnT, and PSN personas.
E. Configure one of the Cisco ISE nodes as the primary PAN and PSN personas and the other as the secondary.

Answer: CE

QUESTION 251
Which Cisco ISE deployment model is recommended for an enterprise that has over 50,000 concurrent active endpoints?

A. large deployment with fully distributed nodes running all personas
B. medium deployment with primary and secondary PAN/MnT/pxGrid nodes with shared PSNs
C. medium deployment with primary and secondary PAN/MnT/pxGrid nodes with dedicated PSNs
D. small deployment with one primary and one secondary node running all personas

Answer: C

QUESTION 252
What is a restriction of a standalone Cisco ISE node deployment?

A. Only the Policy Service persona can be disabled on the node.
B. The domain name of the node cannot be changed after installation.
C. Personas are enabled by default and cannot be edited on the node.
D. The hostname of the node cannot be changed after installation.

Answer: C
Explanation:
After you install a Cisco ISE node, all the default services provided by the Administration, Policy Service, and Monitoring personas run on it. This node is in a standalone state. You must log in to the Admin portal of the Cisco ISE node to configure it. You cannot edit the personas or services of a standalone Cisco ISE node. You can, however, edit the personas and services of the primary and secondary Cisco ISE nodes. You must first configure a primary ISE node and then register secondary ISE nodes to the primary ISE node.
Reference:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_010.html

QUESTION 253
What are the minimum requirements for deploying the Automatic Failover feature on Administration nodes in a distributed Cisco ISE deployment?

A. a primary and secondary PAN and a health check node for the Secondary PAN
B. a primary and secondary PAN and no health check nodes
C. a primary and secondary PAN and a pair of health check nodes
D. a primary and secondary PAN and a health check node for the Primary PAN

Answer: D
Explanation:
In a high availability configuration, the Primary Administration Node (PAN) is in the active state. The Secondary PAN (backup PAN) is in the standby state, which means it receives all configuration updates from the Primary PAN, but is not active in the ISE network.
Cisco ISE supports manual and automatic failover. With automatic failover, when the Primary PAN goes down, an automatic promotion of the Secondary PAN is initiated. Automatic failover requires a non-administration secondary node, which is called a health check node. The health check node checks the health of the Primary PAN. If the health check node detects that the Primary PAN is down or unreachable, it initiates the promotion of the Secondary PAN to take over the primary role.
To deploy the auto-failover feature, you must have at least three nodes, where two of the nodes assume the Administration persona, and one node acts as the health check node. A health check node is a non-administration node and can be a Policy Service, Monitoring, or pxGrid node, or a combination of these. If the PANs are in different data centers, you must have a health check node for each PAN.

QUESTION 254
An administrator is attempting to join a new node to the primary Cisco ISE node, but receives the error message “Node is Unreachable”. What is causing this error?

A. The second node is a PAN node.
B. No administrative certificate is available for the second node.
C. The second node is in standalone mode.
D. No admin privileges are available on the second node.

Answer: B

QUESTION 255
An engineer is using profiling to determine what access an endpoint must receive. After configuring both Cisco ISE and the network devices for 802.1X and profiling, the endpoints do not profile prior to authentication.
What are two reasons this is happening? (Choose two.)

A. Closed mode is restricting the collection of the attributes prior to authentication.
B. The HTTP probe is malfunctioning due to closed mode being enabled.
C. The SNMP probe is not enabled.
D. NetFlow is not enabled on the switch, so the attributes will not be collected.
E. The switch is collecting the attributes via RADIUS but the probes are not sending them.

Answer: AE

QUESTION 256
While configuring Cisco TrustSec on Cisco IOS devices, the engineer must set the CTS device ID and password in order for the devices to authenticate with each other. However, after this is complete, the devices are not able to properly authenticate. What issue would cause this to happen even if the device ID and passwords are correct?

A. EAP-FAST is not enabled.
B. The SGT mappings have not been defined.
C. The device aliases are not matching.
D. The devices are missing the configuration cts credentials trustsec verify 1.

Answer: A
Explanation:
The Cisco TrustSec device ID and password are used by this switch when authenticating with other Cisco TrustSec devices with EAP-FAST.

QUESTION 257
An engineer is testing low-impact mode for a phased deployment of Cisco ISE. Which type of traffic is denied when a host tries to connect to the network prior to authentication?

A. DNS
B. EAP
C. DHCP
D. HTTP

Answer: D

QUESTION 258
The security team wants to secure the wired network. A legacy printer on the network with the MAC address 00:43:08:50:64:60 does not support 802.1X. Which setting must be enabled in the Allowed Authentication Protocols list in your Authentication Policy for Cisco ISE to support MAB for this MAC address?

A. MS-CHAPv2
B. EAP-TLS
C. PAP
D. Process Host Lookup

Answer: D

QUESTION 259
An organization is using Cisco ISE to provide AAA services to non-Cisco switches with IP phones connected. An engineer needs to use Profiling Services to authorize network access for IP phones that do not support 802.1X. What must be configured to accomplish this goal?

A. DHCP
B. SNMPTRAP
C. SNMPQUERY
D. RADIUS

Answer: A
Explanation:
DHCP Probes
Collect DHCP request attributes from endpoints and IP helper. Generally used for third-party NADs.

QUESTION 260
Drag and Drop Question
An engineer needs to export a file in CSV format that is encrypted with the password C1$c0438563935 and contains the users currently configured in Cisco ISE. Drag and drop the steps from the left into the sequence on the right to complete this task.

Answer:

QUESTION 261
Drag and Drop Question
An engineer needs to configure a compliance policy on Cisco ISE to ensure that the latest encryption software is running on the C drive of all endpoints. Drag and drop the configuration steps from the left into the sequence on the right to accomplish this task.

Answer:

QUESTION 262
An engineer configured posture assessment for their network access control with the goal of using an agent that supports using service conditions for the assessment. The agent should run as a background process to avoid user interruption, but the user can see it when it is run. What is the problem?

A. The selected posture agent does not support the engineer’s goal.
B. The posture module was deployed using the headend instead of installing it with SCCM.
C. The proper permissions were not given to the temporal agent to conduct the assessment.
D. The user required remediation so the agent appeared in the notifications.

Answer: A

QUESTION 263
An engineer is deploying Cisco ISE to use 802.1X authentication for controlling access to the company’s wired network. The request from company management is to minimize the impact on users during the rollout of 802.1X on the company switches. Which mode must be used first in a phased 802.1X deployment to fulfill this request?

A. Monitor
B. Open
C. Low-impact
D. Closed

Answer: A

QUESTION 264
An engineer needs to create a Self-Registered Guest Portal in Cisco ISE in which guest users receive their passwords via SMS. Which two settings must be configured to accomplish this task? (Choose two.)

A. Choose the SMS provider previously configured as an SMS gateway under the Registration Form Settings.
B. Select SMS for the Send Credential upon notification setting under Registration Form Settings.
C. Choose the SMS provider previously configured as an SMS gateway under Device Registration Settings.
D. Select Allow employees to use personal devices and SMS for notifications under BYOD.
E. Select SMS for the Send Credential upon notification setting under the Login Page Settings.

Answer: AE

QUESTION 265
Refer to the exhibit. Which checkbox must be enabled to allow Cisco ISE to publish group membership information for active users that can be shared with Cisco Firepower devices?

A. Enable Passive Identity Service
B. Enable SXP Service
C. Enable Device Admin Service
D. pxGrid

Answer: D

QUESTION 266
To configure BYOD using Cisco ISE, an administrator is considering issuing certificates to the devices connecting to provide a better user experience. External CA servers cannot be used for this purpose because everything must be local to the Cisco ISE. What must be done to accomplish this?

A. Use the captive portal network assistant to issue certificates to the endpoints as they authenticate.
B. Use ISE as a sub CA for the BYOD portal and redirect users to the Root CA for certificate issuance.
C. Configure the Cisco ISE Internal CA to issue certificates to each endpoint connecting to the BYOD network.
D. Configure MS SCEP so that endpoints can query their local AD server for the correct certificate.

Answer: C

QUESTION 267
An engineer must configure an HTTP probe on a Cisco ISE virtual appliance running on VMWare using a dedicated interface for profiling. The interface is assigned to the VM Network port group. The engineer is logged into the hypervisor with a user account that only provides access to the Cisco ISE VM and the network settings for the VM. Which security setting must be changed for this interface to accept SPAN traffic?

A. Set Promiscuous mode to inherit from vSwitch in the Port Group properties.
B. Set Promiscuous mode to inherit from Port Group in the vSwitch properties.
C. Set Promiscuous mode to Accept in the Port Group properties.
D. Set Promiscuous mode to Accept in the vSwitch properties.

Answer: C

QUESTION 268
An administrator is configuring MAB and needs to create profiling policies to support devices that do not match the built-in profiles. Which two steps must the administrator take in order to use these new profiles in authorization policies? (Choose two.)

A. Edit the authorization policy to give the profiles as a result of the authentication and authorization results
B. Use the profiling policies as the matching conditions in each authorization policy
C. Modify the endpoint identity group to feed the profiling policies into and match the parent group in the policy
D. Configure the profiling policy to make a matching identity group and use the group in the authorization policy
E. Feed the profiling policies into a logical profile and use the logical profile in the authorization policy

Answer: BE

QUESTION 269
An administrator must enable scanning for specific endpoints when they attempt to access the network. The scanning must be triggered as a result of successful authentication. Which action accomplishes this task?

A. Modify the authorization policy to send init_endpoint_scan as a result to the authenticator.
B. Create an authorization profile with scanning enabled and add it to the authorization policy that the endpoints will hit.
C. Add an entry in the authentication conditions to allow only scanned endpoints access, then redirect everything else to the portal to initiate the scan.
D. Configure the endpoint scanning probe to profile the endpoint correctly and assign it a risk score.

Answer: B

QUESTION 270
A network engineer responsible for the switching environment must provision a new switch to properly propagate security group tags within the TrustSec inline method. Which CLI command must the network engineer enter on the switch to globally enable the tagging of SGTs?

A. cts sxp enable
B. cts manual
C. cts role-based sgt-map
D. cts role-based enforcement

Answer: B

QUESTION 271
Due to a recent network incident, all access to network devices must be centrally logged and tracked in Cisco ISE. On which nodes must the Device Admin service be enabled?

A. one PAN
B. each PSN
C. each PAN
D. one PSN

Answer: B

QUESTION 272
A client connects to a network and the authenticator device learns the MAC address 11:22:33:44:55:AA of this client. After the MAC address is learned, the 802.1X authentication process begins on this port. Which ISE deployment mode restricts all traffic initially, applies a rule for access control if 802.1X authentication is successful, and can be configured to grant only limited access if 802.1X authentication is unsuccessful?

A. open mode
B. monitor mode
C. closed mode
D. low-impact mode

Answer: C
Explanation:
In closed mode, the port is initially in a restricted state, allowing no traffic until the 802.1x authentication process is completed successfully. Once the client passes authentication, access control rules are applied based on policies defined in Cisco ISE. These rules determine the level of access the authenticated client is granted.

QUESTION 273
An organization has a SGACL locally configured on a switch port, but when a user in the Executives group connects to the network, they receive a different level of network access than expected. When Cisco ISE pushes SGACLs to the switch after the authorization phase, how does the switch decide which access to grant the user?

A. Dynamically downloaded policies override local policies in all cases.
B. Local policies override dynamically downloaded policies in all cases.
C. The policies are merged, but local policies receive priority.
D. The policies are merged, but dynamically downloaded policies receive priority.

Answer: D

QUESTION 274
An administrator is configuring endpoint profiling and needs to enable CoA for devices that change profiles. Which two actions must be taken to accomplish this goal? (Choose two.)

A. Ensure that the firewall is not blocking port 1700
B. Define “reauth” in the default CoA action to be used
C. Use an API to detect when profile changes occur and send instructions to ISE to provide a CoA
D. Modify the RADIUS endpoint attribute filters to send CoA actions as the profiles change
E. Enable the CoA policy and create rules for each type

Answer: AB

QUESTION 275
A Cisco ISE administrator is setting up Central Web Authentication to be used for user endpoint authentication. The client cannot reach the guest portal to log in and gain access, but DNS is functioning properly and the guest portal is enabled. What else must be configured to gain access?

A. Allow port TCP/8443 on the firewall.
B. Configure HTTP to HTTPS redirection.
C. Configure the guest portal to listen on TCP/8443.
D. Allow redirection from any client IP range.

Answer: A

QUESTION 276
An administrator is configuring an AD domain to be used with authentication for endpoints and users within Cisco ISE. Which two steps are required to configure this to be used as an external identity store? (Choose two.)

A. Add an Authentication Joint Point.
B. Configure Authentication Domains.
C. Configure Active Directory Schema.
D. Configure Active Directory Domains.
E. Add an Active Directory Join Point.

Answer: DE

QUESTION 277
A network engineer is attempting to terminate and reinitialize wireless user sessions individually by using the Live Sessions tab in Cisco ISE. Cisco ISE and the Cisco WLC are separated by a firewall. Which port must be allowed on the firewall so that the network engineer can perform this function from Cisco ISE?

A. TCP port 8443
B. UDP port 5246
C. UDP port 1700
D. TCP port 3791

Answer: C

QUESTION 278
An engineer is configuring Central Web Authentication in Cisco ISE to provide guest access. When an authentication rule is configured in the Default Policy Set for the Wired_MAB or Wireless_MAB conditions, what must be selected for the “if user not found” setting?

A. ACCEPT
B. DROP
C. REJECT
D. CONTINUE

Answer: D

QUESTION 279
A network engineer is configuring a new certificate template on the internal CA within Cisco ISE to provision certificates to BYOD devices that must be enrolled in the network. What must be configured in the SAN field of the certificate to identify the devices after enrollment?

A. MAC address
B. email address
C. user principal name
D. common name

Answer: A

QUESTION 280
An engineer is configuring a new Cisco ISE node. The Device Admin service must run on this node to handle authentication requests for network device access via TACACS+. Which persona must be enabled on this node to perform this function?

A. pxGrid
B. Administration
C. Policy Service
D. Monitoring

Answer: C

QUESTION 281
An engineer has been tasked with using Cisco ISE to restrict network access at the switchport level using 802.1X authentication. Users who fail 802.1X authentication should be redirected via web redirection and have their access restricted via an ACL. What must be configured in Cisco ISE to accomplish this task?

A. an authorization profile
B. an authorization rule
C. an authentication policy
D. an authentication profile

Answer: A

QUESTION 282
A Cisco ISE engineer is creating a certificate authentication profile to be used with machine authentication for the network. The engineer wants to be able to compare the user-presented certificate with a certificate stored in Active Directory. What must be done to accomplish this?

A. Add the subject alternative name and the common name to the CAP
B. Use MS-CHAPv2 since it provides machine credentials and matches them to credentials stored in Active Directory.
C. Configure the user-presented password hash and a hash stored in Active Directory for comparison.
D. Enable the option for performing binary comparison.

Answer: D

QUESTION 283
Which two statements regarding Zero Touch Provisioning (ZTP) on Cisco ISE are correct? (Choose two.)

A. All passwords must be encrypted in the configuration file
B. ZTP cannot be used if ICMP is blocked
C. ZTP is only supported on VMWare
D. ZTP is only supported on virtual appliances
E. Linux is required to create the configuration image

Answer: DE

QUESTION 284
An administrator needs to add a new third party network device to be used with Cisco ISE for Guest and BYOD authorizations. Which two features must be configured under Network Device Profile to achieve this? (Choose two.)

A. TACACS
B. SNMP community
C. CoA Type
D. dACL
E. URL Redirect

Answer: CE

QUESTION 285
Which two probes provide IP-to-MAC address binding information to the ARP cache in Cisco ISE? (Choose two.)

A. HTTP
B. RADIUS
C. DHCP
D. DNS
E. NetFlow

Answer: BC

QUESTION 286
When configuring Active Directory groups, an administrator is attempting to retrieve a group that has a name that is ambiguous with another group. What must be done so that the correct group is returned?

A. Use the SID as the identifier for the group.
B. Configure MAB to utilize one group, and 802.1X to utilize the conflicting group.
C. Select both groups, and use a TCT pointer to identify the appropriate one.
D. Utilize MIB entries to identify the desired group.

Answer: A

QUESTION 287
An administrator has manually added the MAC address of a wireless device to the Blocklist Identity Group for testing. When the device connects to the wireless network it triggers the Wireless Block List Default rule, but the device is still allowed to access the wireless network. What additional step must be taken to resolve this issue?

A. Disable URL redirection on the Authorization Profile.
B. Enable SNMP with read and write access on the Cisco WLC.
C. Create an ACL named BLOCKHOLE on the Cisco WLC.
D. Change the Access Type under the Authorization Profile to ACCESS_REJECT.

Answer: D

QUESTION 288
What is the difference between how RADIUS and TACACS+ handle encryption?

A. RADIUS encrypts only the username and password fields, whereas TACACS+ encrypts the entire packet.
B. RADIUS only encrypts the password field, whereas TACACS+ encrypts the entire packet.
C. RADIUS encrypts the entire packet, whereas TACACS+ encrypts only the username and password fields.
D. RADIUS encrypts the entire packet, whereas TACACS+ only encrypts the password field.

Answer: B

QUESTION 289
Which CLI command must be configured on the switchport to immediately run the MAB process if a non-802.1X-capable endpoint connects to the port?

A. authentication order mab dot1x
B. dot1x pae authenticator
C. authentication fallback
D. access-session port-control auto

Answer: A

QUESTION 290
The security engineer for a company has recently deployed Cisco ISE to perform centralized authentication of all network device logins using TACACS+ against the local AD domain. Some of the other network engineers are having a hard time remembering to enter their AD account password instead of the local admin password that they have used for years. The security engineer wants to change the password prompt to “Use Local AD Password:” as a way of providing a hint to the network engineers when logging in. Under which page in Cisco ISE would this change be made?

A. Work Centers > Device Administration > Ext Id Sources > Advanced Settings
B. The password prompt cannot be changed on a Cisco IOS device
C. Work Centers > Device Administration > Network Resources > Network Devices
D. Work Centers > Device Administration > Settings > Connection Settings

Answer: D

QUESTION 291
The 300 GB OVA templates for VMs are sufficient for which two dedicated Cisco ISE node types? (Choose two.)

A. Administration
B. Log Collector
C. pxGrid
D. Policy Service
E. Monitoring

Answer: CD

QUESTION 292
A network engineer has recently configured a remote branch router to authenticate to a centralized Cisco ISE server behind the corporate firewall using TACACS+. After making this configuration change, the engineer opened another SSH session to the router in order to verify that login attempts are now being sent to Cisco ISE; however, that login attempt was unsuccessful. There are no connection attempts showing in the TACACS live log in Cisco ISE, and the firewall administrator has verified that they see syslog and SNMP traffic destined for the IP address of Cisco ISE, but no TACACS+ traffic. Which misconfiguration is the cause of the failed login?

A. The router is missing a route to the Cisco ISE server.
B. The tacacs source-interface command on the router references the wrong interface.
C. No hosts have been defined under the aaa server group on the router.
D. The shared secret entered on the router for the Cisco ISE server is incorrect.

Answer: B

QUESTION 293
A user recently had their laptop stolen. IT has ordered a replacement device for the user and was able to obtain the MAC address of the device, 04:57:47:34:35:0A, from the vendor before it shipped. Which statement regarding adding MAC addresses to Cisco ISE is correct?

A. MAC addresses can only be manually imported using a .csv file and the import option.
B. MAC addresses can only be manually imported using the REST API.
C. MAC addresses can only be allowed after the device has connected to the network.
D. MAC addresses can be manually added using the + sign under Context Visibility > Endpoints.

Answer: D

QUESTION 294
Which two tasks must be completed when configuring the Cisco ISE BYOD Portal? (Choose two.)

A. Enable policy services.
B. Create endpoint identity groups.
C. Customize device portal.
D. Provision external identity sources.
E. Deploy client provisioning portal.

Answer: CD

QUESTION 295
An administrator is configuring posture assessment in Cisco ISE for the first time. Which two components must be uploaded to Cisco ISE to use Secure Client for the agent configuration in a client provisioning policy? (Choose two.)

A. SecureClientProfile.xsd file
B. Secure Client compliance module
C. Secure Client agent image
D. SecureClientProfile.xml file
E. Secure Client network visibility module

Answer: BC

QUESTION 296
Drag and Drop Question
Refer to the exhibit. An engineer must create a web authentication access policy in Cisco ISE that matches the exhibit. Drag and drop the configuration steps from the left into sequence on the right to accomplish this task.


Answer:

QUESTION 297
Which Cisco ISE module contains a list of vendor names, product names, and attributes provided by OPSWAT?

A. Compliance Module
B. Client Provisioning Module
C. Endpoint Security Module
D. Posture Module

Answer: A
Explanation:
The compliance module contains a list of fields, such as vendor name, product version, product name, and attributes provided by OPSWAT that supports Cisco ISE posture conditions.
https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_compliance.html

QUESTION 298
A new Cisco ISE infrastructure is being built to provide network access control. If Cisco Discovery Protocol is used, what information is being gathered in relation to profiling with Cisco ISE?

A. IdentityGroup
B. device ID
C. RADIUS session attributes
D. DHCP session attributes

Answer: B

QUESTION 299
A customer requires a Cisco ISE deployment where guests must log in to a webpage with unique credentials in the form Username: User1 and Password: A463646808. Which deployment should the customer use?

A. mobile number field using the guest page
B. hotspot portal authentication
C. single credentials login to guest portal
D. captcha protection self-registration

Answer: C

QUESTION 300
A security engineer has a new TrustSec project and must create a few static security group tag classifications as proof of concept. Which two classifications must the engineer configure? (Choose two.)

A. switch ID
B. MAC address
C. VLAN
D. user ID
E. interface

Answer: BC

QUESTION 301
An engineer is configuring a new switch to deploy in the campus network. The task is to configure TACACS+ and RADIUS authentication using the new switch and Cisco ISE. What is the procedure for adding this new switch on the network resources page?

A. network devices profiles > add
B. default device > add
C. network devices > add
D. network devices groups > add

Answer: C

QUESTION 302
Which file setup method is supported by ZTP on physical appliances?

A. cfg
B. iso
C. img
D. ova

Answer: C

QUESTION 303
What is configured to enforce the blocklist permissions and deny access to clients in the blocklist to protect against a lost or stolen device obtaining access to the network?

A. My Devices portal
B. blocklist portal
C. Authentication rule
D. Authorization rule

Answer: D

QUESTION 304
An administrator in a health facility must assign a medical device to a static profiling policy. Under which settings group must it be configured?

A. user-defined exception actions
B. CoA under global settings
C. global profiling settings
D. system-defined exceptions actions

Answer: C

QUESTION 305
An engineer must configure guest access on Cisco ISE for company visitors. Which step must be taken on the Cisco ISE PSNs before a guest portal is configured?

A. Install SSL certificates
B. Create a node group
C. Enable profiling services
D. Enable session services

Answer: A

QUESTION 306
A network engineer is configuring a portal on Cisco ISE for employees. Employees must use this portal when registering personal devices with native supplicants. For onboarding devices connected with Cisco switches and Cisco wireless LAN controllers, the internal CA must be used. Which portal type must the engineer configure?

A. Personal Device portal
B. Client Provisioning portal
C. Bring Your Own Device portal
D. My Devices portal

Answer: C

QUESTION 307
An engineer must configure web redirection for guests to a portal where no authentication is required and an Acceptable Use Policy must be accepted by the guest before network access is allowed. Which type of guest portal must be configured in Cisco ISE to meet the requirement?

A. Sponsored
B. Self Registered
C. Hotspot
D. Custom

Answer: C

QUESTION 308
A network engineer is in the predeployment discovery phase of a Cisco ISE deployment and must discover the network. There is an existing NMS in the network. Which type of probe must be configured to gather the information?

A. SNMP
B. NMAP
C. NetFlow
D. RADIUS

Answer: A

QUESTION 309
An engineer must organize endpoints in a Cisco ISE identity management store to improve the operational management of IP phone endpoints. The endpoints must meet these requirements:
– classify endpoints for finance, sales, and marketing departments
– tag each endpoint as profiled
Which action organizes the endpoints?

A. Add a tag for the endpoints of each department and use the identity group filter.
B. Create an endpoint identity group for each department with the profiled parent group.
C. Add a tag for the endpoints of each department and add an endpoint to profiled group.
D. Create an endpoint identity group for each department with the IP phone parent group.

Answer: B

QUESTION 310
A network engineer must remove a device that has been allowlisted. How should the engineer remove it manually on Cisco ISE?

A. Administration > Identity Management > Endpoint Identity Groups > Profiled
B. Administration > Identity Management > Groups > Endpoint Identity Groups
C. Administration > Identity Management > Groups > Endpoint Identity Groups > Profiled
D. Administration > Identity Management > Endpoint Identity Groups

Answer: B
Explanation:
To manually remove a device that has been allowlisted on Cisco ISE, the correct option is Administration > Identity Management > Groups > Endpoint Identity Groups. This option allows you to view and edit the endpoint identity groups that are configured on Cisco ISE, and to delete any device that belongs to a specific group.

QUESTION 311
An engineer is adding a new network device to be used with 802.1X authentication. After configuring the device, the engineer notices that no endpoints that connect to the switch are able to authenticate. What is the problem?

A. The command dot1x system-auth-control is not configured on the switch.
B. The switch’s supplicant is unable to establish a connection to Cisco ISE.
C. The command dot1x critical vlan 40 is not configured on the switch ports.
D. The endpoint firewalls are blocking the EAPoL traffic.

Answer: A

QUESTION 312
A user is attempting to register a BYOD device to the Cisco ISE deployment but needs to use the onboarding policy to request a digital certificate and provision the endpoint. What must be configured to accomplish this task?

A. The BYOD flow to ensure that the endpoint is provisioned prior to registering.
B. The Cisco Secure Client provisioning policy to provision the endpoint for onboarding.
C. A native supplicant provisioning policy to redirect the user to the BYOD portal for onboarding.
D. The posture provisioning policy to give the endpoint the required components prior to registering.

Answer: C

QUESTION 313
Which platform does a Windows-based device download the Network Assistant from?

A. Microsoft app store
B. Cisco ISE
C. native OS
D. Cisco download site

Answer: B
Explanation:
A Windows-based device downloads the Network Assistant Manager from Cisco ISE. During the BYOD onboarding process, ISE serves the necessary agent software directly to the endpoint.

QUESTION 314
An administrator must provide administrative access to the helpdesk users on production Cisco IOS routers. The solution must meet these requirements:
– Authenticate the users against Microsoft AD.
– Validate IOS commands run by users.
These configurations have been performed:
– joined Cisco ISE to AD
– retrieved AD groups
– added a router to Cisco ISE
– enabled Device Admin Service in Cisco ISE
– configured an authorization policy
– configured the routers for authentication and authorization
Which two components must be configured? (Choose two.)

A. TACACS command sets
B. authentication profile
C. authorization profile
D. TACACS profile
E. access control list to filter the IOS commands

Answer: AD

QUESTION 315
An engineer must create an authentication policy in Cisco ISE to allow wired printers that lack support for 802.1X onto the network. What must the RadiusFlowType be set to in the policy to meet the requirement?

A. MAB
B. Wired_MAB
C. Compliant_Devices
D. Compliance_Unknown_Devices

Answer: B

QUESTION 316
An engineer is starting to implement a wired 802.1X project throughout the campus. The task is for failed authentication to be logged to Cisco ISE and also have a minimal impact on the users. Which command must the engineer configure?

A. monitor-mode enabled
B. authentication host-mode multi-auth
C. authentication open
D. pae dot1x enabled

Answer: A

QUESTION 317
An engineer wants to preselect AD groups to be used in the access policy after integrating Cisco ISE with Active Directory. Which configuration steps must the engineer take to assign groups to the AD on the identity management page?

A. external identity sources > active directory > groups
B. user identity groups > groups
C. external identity sources > groups > active directory
D. groups > user identity groups

Answer: A

QUESTION 318
An enterprise uses a separate PSN for each of its four remote sites. Recently, a user reported receiving an “EAP-TLS authentication failed” message when moving between remote sites. Which configuration must be applied on Cisco ISE?

A. Use a third-party certificate on the network device.
B. Add the device to all PSN nodes in the deployment.
C. Configure an authorization profile for the end users.
D. Renew the expired certificate on one of the PSN.

Answer: D

QUESTION 319
An engineer must configure posture updates. The task is to ensure the latest set of predefined checks and operating system information is updated. The checks must take place regularly. Where in the Cisco ISE interface would the engineer make the necessary changes to the compliance module?

A. Administration > System > Settings > Updates > Posture
B. Administration > System > Settings > Updates > Schedule
C. Administration > System > Settings > Posture > Updates
D. Administration > System > Settings > Posture > Updates > Schedule

Answer: C

QUESTION 320
An engineer must develop a policy that utilizes AD group membership on Cisco ISE. Which type of policy element must the engineer configure to create an AD group within a policy?

A. conditions
B. results
C. dictionaries
D. smart conditions

Answer: A

QUESTION 321
An engineer is working on a switch and must tag packets with SGT values such that it learns via SXP. Which command must be entered to meet this requirement?

A. ip source guard
B. ip arp inspection
C. ip device tracking maximum
D. ip dhcp snooping

Answer: D

