Sunteți pe pagina 1din 81

Vendor: Cisco

Exam Code: 300-208


Exam Name: Implementing Cisco Secure Access Solutions
Version: 16.031

Important Notice
Product
Our Product Manager keeps an eye for Exam updates by Vendors. Free update is available within
One year after your purchase.
You can login member center and download the latest product anytime. (Product downloaded
from member center is always the latest.)
PS: Ensure you can pass the exam, please check the latest product in 2-3 days before the exam
again.

Feedback
We devote to promote the product quality and the grade of service to ensure customers interest.
If you have any questions about our product, please provide Exam Number, Version, Page
Number, Question Number, and your Login Account to us, please contact us at
support@passleader.com and our technical experts will provide support in 24 hours.

Copyright
The product of each order has its own encryption code, so you should use it independently.
If anyone who share the file we will disable the free update and account access.
Any unauthorized changes will be inflicted legal punishment. We will reserve the right of final
explanation for this statement.
Order ID: ****************
PayPal ID: ****************

QUESTION 1
How frequently does the Profiled Endpoints dashlet refresh data?
A.
B.
C.
D.

every 30 seconds
every 60 seconds
every 2 minutes
every 5 minutes

Answer: B

QUESTION 2
Which command in the My Devices Portal can restore a previously lost device to the network?
A.
B.
C.
D.

Reset
Found
Reinstate
Request

Answer: C

QUESTION 3
What is the first step that occurs when provisioning a wired device in a BYOD scenario?
A. The smart hub detects that the physically connected endpoint requires configuration and must use
MAB to authenticate.
B. The URL redirects to the Cisco ISE Guest Provisioning portal.
C. Cisco ISE authenticates the user and deploys the SPW package.
D. The device user attempts to access a network URL.
Answer: A

QUESTION 4
Which three features should be enabled as best practices for MAB? (Choose three.)
A.
B.
C.
D.
E.
F.

MD5
IP source guard
DHCP snooping
storm control
DAI
URPF

Answer: BCE

QUESTION 5
When MAB is configured, how often are ports reauthenticated by default?
A. every 60 seconds
B. every 90 seconds
C. every 120 seconds

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

D. never
Answer: D

QUESTION 6
What is a required step when you deploy dynamic VLAN and ACL assignments?
A.
B.
C.
D.

Configure the VLAN assignment.


Configure the ACL assignment.
Configure Cisco IOS Software 802.1X authenticator authorization.
Configure the Cisco IOS Software switch for ACL assignment.

Answer: C

QUESTION 7
Which model does Cisco support in a RADIUS change of authorization implementation?
A.
B.
C.
D.

push
pull
policy
security

Answer: A

QUESTION 8
You are finding that the 802.1X-configured ports are going into the error-disable state. Which
command will show you the reason why the port is in the error-disable state, and which command
will automatically be re-enabled after a specific amount of time? (Choose two.)
A.
B.
C.
D.
E.
F.

show error-disable status


show error-disable recovery
show error-disable flap-status
error-disable recovery cause security-violation
error-disable recovery cause dot1x
error-disable recovery cause l2ptguard

Answer: BD

QUESTION 9
Which of these is a configurable Cisco IOS feature that triggers notifications if an attack attempts
to exhaust critical router resources and if preventative controls have been bypassed or are not
working correctly?
A.
B.
C.
D.

Control Plane Protection


Management Plane Protection
CPU and memory thresholding
SNMPv3

Answer: C

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

QUESTION 10
Which administrative role has permission to assign Security Group Access Control Lists?
A.
B.
C.
D.

System Admin
Network Device Admin
Policy Admin
Identity Admin

Answer: C

QUESTION 11
Refer to the exhibit. If the given configuration is applied to the object-group vpnservers, during
which time period are external users able to connect?

A.
B.
C.
D.

From Friday at 6:00 p.m. until Monday at 8:00 a.m.


From Monday at 8:00 a.m. until Friday at 6:00 p.m.
From Friday at 6:01 p.m. until Monday at 8:01 a.m.
From Monday at 8:01 a.m. until Friday at 5:59 p.m.

Answer: D

QUESTION 12
Which set of commands allows IPX inbound on all interfaces?
A. ASA1(config)#
ASA1(config)#
B. ASA1(config)#
ASA1(config)#
C. ASA1(config)#
ASA1(config)#
D. ASA1(config)#
ASA1(config)#

access-list IPX-Allow ethertype permit ipx


access-group IPX-Allow in interface global
access-list IPX-Allow ethertype permit ipx
access-group IPX-Allow in interface inside
access-list IPX-Allow ethertype permit ipx
access-group IPX-Allow in interface outside
access-list IPX-Allow ethertype permit ipx
access-group IPX-Allow out interface global

Answer: A

QUESTION 13
Which command enables static PAT for TCP port 25?
A.
B.
C.
D.

nat (outside,inside) static 209.165.201.3 209.165.201.226 eq smtp


nat static 209.165.201.3 eq smtp
nat (inside,outside) static 209.165.201.3 service tcp smtp smtp
static (inside,outside) 209.165.201.3 209.165.201.226 netmask 255.255.255.255

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

Answer: C

QUESTION 14
Which command is useful when troubleshooting AAA Authentication between a Cisco router and
the AAA server?
A.
B.
C.
D.

test aaa-server test cisco cisco123 all new-code


test aaa group7 tacacs+ auth cisco123 new-code
test aaa group tacacs+ cisco cisco123 new-code
test aaa-server tacacs+ group7 cisco cisco123 new-code

Answer: C

QUESTION 15
In a multi-node ISE deployment, backups are not working on the MnT node. Which ISE CLI
option would help mitigate this issue?
A.
B.
C.
D.

repository
ftp-url
application-bundle
collector

Answer: A

QUESTION 16
Which command can check a AAA server authentication for server group Group1, user cisco, and
password cisco555 on a Cisco ASA device?
A.
B.
C.
D.

ASA#
ASA#
ASA#
ASA#

test aaa-server authentication Group1 username cisco password cisco555


test aaa-server authentication group Group1 username cisco password cisco555
aaa-server authorization Group1 username cisco password cisco555
aaa-server authentication Group1 roger cisco555

Answer: A

QUESTION 17
Which statement about system time and NTP server configuration with Cisco ISE is true?
A. The system time and NTP server settings can be configured centrally on the Cisco ISE.
B. The system time can be configured centrally on the Cisco ISE, but NTP server settings must be configured
individually on each ISE node.
C. NTP server settings can be configured centrally on the Cisco ISE, but the system time must be configured
individually on each ISE node.
D. The system time and NTP server settings must be configured individually on each ISE node.
Answer: D

QUESTION 18

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

Wireless client supplicants attempting to authenticate to a wireless network are generating


excessive log messages. Which three WLC authentication settings should be disabled? (Choose
three.)
A.
B.
C.
D.
E.
F.

RADIUS Server Timeout


RADIUS Aggressive-Failover
Idle Timer
Session Timeout
Client Exclusion
Roaming

Answer: BCD

QUESTION 19
Which two authentication stores are supported to design a wireless network using PEAP EAPMSCHAPv2 as the authentication method? (Choose two.)
A.
B.
C.
D.
E.

Microsoft Active Directory


ACS
LDAP
RSA Secure-ID
Certificate Server

Answer: AB

QUESTION 20
What is another term for 802.11i wireless network security?
A.
B.
C.
D.
E.

802.1x
WEP
TKIP
WPA
WPA2

Answer: E

QUESTION 21
Which two EAP types require server side certificates? (Choose two.)
A.
B.
C.
D.
E.
F.

EAP-TLS
PEAP
EAP-MD5
LEAP
EAP-FAST
MSCHAPv2

Answer: AB

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

QUESTION 22
Where is client traffic decrypted in a controller-based wireless network protected with WPA2
Security?
A.
B.
C.
D.

Access Point
Switch
Wireless LAN Controller
Authentication Server

Answer: A

QUESTION 23
Which setting provides the best security for a WLAN and authenticates users against a
centralized directory store?
A.
B.
C.
D.

WPA2 AES-CCMP and 801.X authentication


WPA2 AES-CCMP and PSK authentication
WPA2 TKIP and PSK authentication
WPA2 TKIP and 802.1X authentication

Answer: A

QUESTION 24
What is a feature of Cisco WLC and IPS synchronization?
A.
B.
C.
D.

Cisco WLC populates the ACLs to prevent repeat intruder attacks.


The IPS automatically send shuns to Cisco WLC for an active host block.
Cisco WLC and IPS synchronization enables faster wireless access.
IPS synchronization uses network access points to provide reliable monitoring.

Answer: B

QUESTION 25
Which two components are required to connect to a WLAN network that is secured by EAP-TLS
authentication? (Choose two.)
A.
B.
C.
D.

Kerberos authentication server


AAA/RADIUS server
PSKs
CA server

Answer: BD

QUESTION 26
Which statement about Cisco Management Frame Protection is true?
A. It enables stations to remain in power-save mode, except at specified intervals to receive data
from the access point.
B. It detects spoofed MAC addresses.

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

C. It identifies potential RF jamming attacks.


D. It protects against frame and device spoofing.
Answer: D

QUESTION 27
Which three statements about the Cisco wireless IPS solution are true? (Choose three.)
A. It enables stations to remain in power-save mode, except at specified intervals to receive data from
the access point.
B. It detects spoofed MAC addresses.
C. It identifies potential RF jamming attacks.
D. It protects against frame and device spoofing.
E. It allows the WLC to failover because of congestion.
Answer: BCD

QUESTION 28
In a basic ACS deployment consisting of two servers, for which three tasks is the primary server
responsible? (Choose three.)
A.
B.
C.
D.
E.
F.

configuration
authentication
sensing
policy requirements
monitoring
repudiation

Answer: ABD

QUESTION 29
In a split ACS deployment with primary and secondary servers, which three statements about
AAA load handling are true? (Choose three.)
A.
B.
C.
D.
E.

During normal operations, each server processes the full workload of both servers.
If a AAA connectivity problem occurs, the servers split the full load of authentication requests.
If a AAA connectivity problem occurs, each server processes the full workload of both servers.
During normal operations, the servers split the full load of authentication requests.
During normal operations, each server is used for specific operations, such as device administration
and network admission.
F. The primary servers are used to distribute policy information to other servers in the enterprise.
Answer: CDE

QUESTION 30
Which three personas can a Cisco ISE assume in a deployment? (Choose three.)
A. connection
B. authentication

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

C.
D.
E.
F.

administration
testing
policy service
monitoring

Answer: CEF

QUESTION 31
Which three components comprise the Cisco ISE profiler? (Choose three.)
A.
B.
C.
D.
E.
F.

the sensor, which contains one or more probes


the probe manager
a monitoring tool that connects to the Cisco ISE
the trigger, which activates ACLs
an analyzer, which uses configured policies to evaluate endpoints
a remitter tool, which fails over to redundant profilers

Answer: ABE

QUESTION 32
Which three statements about the Cisco ISE profiler are true? (Choose three.)
A.
B.
C.
D.
E.
F.

It sends endpoint data to AAA servers.


It collects endpoint attributes.
It stores MAC addresses for endpoint systems.
It monitors and polices router and firewall traffic.
It matches endpoints to their profiles.
It stores endpoints in the Cisco ISE database with their profiles.

Answer: BEF

QUESTION 33
From which location can you run reports on endpoint profiling?
A.
B.
C.
D.

Reports > Operations > Catalog > Endpoint


Operations > Reports > Catalog > Endpoint
Operations > Catalog > Reports > Endpoint
Operations > Catalog > Endpoint

Answer: B

QUESTION 34
Which two services are included in the Cisco ISE posture service? (Choose two.)
A.
B.
C.
D.

posture administration
posture run-time
posture monitoring
posture policing

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

E. posture catalog
Answer: AB

QUESTION 35
What is a requirement for posture administration services in Cisco ISE?
A.
B.
C.
D.

at least one Cisco router to store Cisco ISE profiling policies


Cisco NAC Agents that communicate with the Cisco ISE server
an ACL that points traffic to the Cisco ISE deployment
the advanced license package must be installed

Answer: D

QUESTION 36
Which two statements about Cisco NAC Agents that are installed on clients that interact with the
Cisco ISE profiler are true? (Choose two.)
A.
B.
C.
D.
E.
F.

They send endpoint data to AAA servers.


They collect endpoint attributes.
They interact with the posture service to enforce endpoint security policies.
They block access from the network through noncompliant endpoints.
They store endpoints in the Cisco ISE with their profiles.
They evaluate clients against posture policies, to enforce requirements.

Answer: CF

QUESTION 37
What steps must you perform to deploy a CA-signed identify certificate on an ISE device?
A. 1. Download the CA server certificate.
2. Generate a signing request and save it as a file.
3. Access the CA server and submit the ISE request.
4. Install the issued certificate on the ISE.
B. 1. Download the CA server certificate.
2. Generate a signing request and save it as a file.
3. Access the CA server and submit the ISE request.
4. Install the issued certificate on the CA server.
C. 1. Generate a signing request and save it as a file.
2. Download the CA server certificate.
3. Access the ISE server and submit the CA request.
4.Install the issued certificate on the CA server.
D. 1. Generate a signing request and save it as a file.
2. Download the CA server certificate.
3. Access the CA server and submit the ISE request.
4. Install the issued certificate on the ISE.
Answer: D

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

10

QUESTION 38
What implementation must be added to the WLC to enable 802.1X and CoA for wireless
endpoints?
A.
B.
C.
D.

the ISE
an ACL
a router
a policy server

Answer: A

QUESTION 39
What are the initial steps must you perform to add the ISE to the WLC?
A. 1. With a Web browser, establish an HTTP connection to the WLC pod.
2, Navigate to Administration > Authentication > New.
3. Enter server values to begin the configuration.
B. 1. With a Web browser, establish an FTP connection to the WLC pod.
2. Navigate to Security > Administration > New.
3. Add additional security features for FTP authentication.
C. 1. With a Web browser, establish an HTTP connection to the WLC pod.
2. Navigate to Authentication > New.
3. Enter ACLs and Authentication methods to begin the configuration.
D. 1. With a Web browser connect, establish an HTTPS connection to the WLC pod.
2. Navigate to Security > Authentication > New.
3. Enter server values to begin the configuration.
Answer: D

QUESTION 40
Which command configures console port authorization under line con 0?
A.
B.
C.
D.

authorization default|WORD
authorization exec line con 0|WORD
authorization line con 0|WORD
authorization exec default|WORD

Answer: D

QUESTION 41
Which two statements about administrative access to the ACS Solution Engine are true? (Choose
two.)
A.
B.
C.
D.
E.

The ACS Solution Engine supports command-line connections through a serial-port connection.
For GUI access, an administrative GUI user must be created with the add-guiadmin command.
The ACS Solution Engine supports command-line connections through an Ethernet interface.
An ACL-based policy must be configured to allow administrative-user access.
GUI access to the ACS Solution Engine is not supported.

Answer: BD

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

11

QUESTION 42
What is the purpose of the Cisco ISE Guest Service Sponsor Portal?
A.
B.
C.
D.

It tracks and stores user activity while connected to the Cisco ISE.
It securely authenticates guest users for the Cisco ISE Guest Service.
It filters guest users from account holders to the Cisco ISE.
It creates and manages Guest User accounts.

Answer: D

QUESTION 43
What is the effect of the ip http secure-server command on a Cisco ISE?
A.
B.
C.
D.

It enables the HTTP server for users to connect on the command line.
It enables the HTTP server for users to connect using Web-based authentication.
It enables the HTTPS server for users to connect using Web-based authentication.
It enables the HTTPS server for users to connect on the command line.

Answer: C

QUESTION 44
When RADIUS NAC and AAA Override are enabled for WLC on a Cisco ISE, which two
statements about RADIUS NAC are true? (Choose two.)
A.
B.
C.
D.
E.

It will return an access-accept and send the redirection URL for all users.
It establishes secure connectivity between the RADIUS server and the ISE.
It allows the ISE to send a CoA request that indicates when the user is authenticated.
It is used for posture assessment, so the ISE changes the user profile based on posture result.
It allows multiple users to authenticate at the same time.

Answer: CD

QUESTION 45
What are the initial steps to configure an ACS as a TACACS server?
A. 1. Choose Network Devices and AAA Clients > Network Resources.
2. Click Create.
B. 1. Choose Network Resources > Network Devices and AAA Clients.
2. Click Create.
C. 1. Choose Network Resources > Network Devices and AAA Clients.
2. Click Manage.
D. 1. Choose Network Devices and AAA Clients > Network Resources.
2. Click Install.
Answer: B

QUESTION 46

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

12

Which two statements about administrative access to the Cisco Secure ACS SE are true?
(Choose two.)
A.
B.
C.
D.
E.

The Cisco Secure ACS SE supports command-line connections through a serial-port connection.
For GUI access, an administrative GUI user must be created by using the add-guiadmin command.
The Cisco Secure ACS SE supports command-line connections through an Ethernet interface.
An ACL-based policy must be configured to allow administrative-user access.
GUI access to the Cisco Secure ASC SE is not supported.

Answer: BD

QUESTION 47
When RADIUS NAC and AAA Override are enabled for a WLC on a Cisco ISE, which two
statements about RADIUS NAC are true? (Choose two.)
A.
B.
C.
D.
E.

It returns an access-accept and sends the redirection URL for all users.
It establishes secure connectivity between the RADIUS server and the Cisco ISE.
It allows the Cisco ISE to send a CoA request that indicates when the user is authenticated.
It is used for posture assessment, so the Cisco ISE changes the user profile based on posture result.
It allows multiple users to authenticate at the same time.

Answer: CD

QUESTION 48
In the command 'aaa authentication default group tacacs local', how is the word 'default' defined?
A.
B.
C.
D.

Command set
Group name
Method list
Login type

Answer: C

QUESTION 49
In an 802.1X authorization process, a network access device provides which three functions?
(Choose three.)
A.
B.
C.
D.
E.
F.

Filters traffic prior to authentication


Passes credentials to authentication server
Enforces policy provided by authentication server
Hosts a central web authentication page
Confirms supplicant protocol compliance
Validates authentication credentials

Answer: ABC

QUESTION 50
Which two switchport commands enable MAB and allow non-802.1X capable devices to
immediately run through the MAB process? (Choose two.)

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

13

A.
B.
C.
D.
E.
F.

authentication order mab dot1x


authentication order dot1x mab
no authentication timer
dot1x timeout tx-period
authentication open
mab

Answer: AF

QUESTION 51
Which two attributes must match between two Cisco ASA devices to properly enable high
availability? (Choose two.)
A.
B.
C.
D.

model, interface configuration, and RAM


major and minor software release
tcp dead-peer detection protocol
802.1x authentication identity

Answer: AB

QUESTION 52
What are two client-side requirements of the NAC Agent and NAC Web Agent installation?
(Choose two.)
A.
B.
C.
D.

Administrator workstation rights


Active Directory Domain membership
Allowing of web browser activex installation
WSUS service running

Answer: AC

QUESTION 53
Which three algorithms should be avoided due to security concerns? (Choose three.)
A.
B.
C.
D.
E.
F.
G.

DES for encryption


SHA-1 for hashing
1024-bit RSA
AES GCM mode for encryption
HMAC-SHA-1
256-bit Elliptic Curve Diffie-Hellman
2048-bit Diffie-Hellman

Answer: ABC

QUESTION 54
In the command 'aaa authentication default group tacacs local', how is the word 'default' defined?

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

14

A.
B.
C.
D.

Command set
Group name
Method list
Login type

Answer: C

QUESTION 55
Which statement about IOS accounting is true?
A.
B.
C.
D.

A named list of AAA methods must be defined.


A named list of accounting methods must be defined.
Authorization must be configured before accounting.
A named list of tracking methods must be defined.

Answer: C

QUESTION 56
What are the initial steps to configure an ACS as a TACACS server?
A. 1. Choose Network Devices and AAA Clients > Network Resources.
2. Click Create.
B. 1. Choose Network Resources > Network Devices and AAA Clients.
2. Click Create.
C. 1. Choose Network Resources > Network Devices and AAA Clients.
2. Click Manage.
D. 1. Choose Network Devices and AAA Clients > Network Resources.
2. Click Install.
Answer: B

QUESTION 57
Which effect does the ip http secure-server command have on a Cisco ISE?
A.
B.
C.
D.

It enables the HTTP server for users to connect on the command line.
It enables the HTTP server for users to connect by using web-based authentication.
It enables the HTTPS server for users to connect by using web-based authentication.
It enables the HTTPS server for users to connect on the command line.

Answer: C

QUESTION 58
A network administrator needs to implement a service that enables granular control of IOS
commands that can be executed. Which AAA authentication method should be selected?
A.
B.
C.
D.

TACACS+
RADIUS
Windows Active Directory
Generic LDAP

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

15

Answer: A

QUESTION 59
An administrator can leverage which attribute to assign privileges based on Microsoft Active
Directory user groups?
A.
B.
C.
D.

member of
group
class
person

Answer: A

QUESTION 60
Cisco 802.1X phasing enables flexible deployments through the use of open, low-impact, and
closed modes. What is a unique characteristic of the most secure mode?
A.
B.
C.
D.

Granular ACLs applied prior to authentication


Per user dACLs applied after successful authentication
Only EAPoL traffic allowed prior to authentication
Adjustable 802.1X timers to enable successful authentication

Answer: C

QUESTION 61
A network administrator must enable which protocol extension to utilize EAP-Chaining?
A.
B.
C.
D.

EAP-FAST
EAP-TLS
MSCHAPv2
PEAP

Answer: A

QUESTION 62
In the command 'aaa authentication default group tacacs local', how is the word 'default' defined?
A.
B.
C.
D.

Command set
Group name
Method list
Login type

Answer: C

QUESTION 63
Changes were made to the ISE server while troubleshooting, and now all wireless certificate
authentications are failing. Logs indicate an EAP failure. What is the most likely cause of the

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

16

problem?
A.
B.
C.
D.
E.

EAP-TLS is not checked in the Allowed Protocols list


Certificate authentication profile is not configured in the Identity Store
MS-CHAPv2-is not checked in the Allowed Protocols list
Default rule denies all traffic
Client root certificate is not included in the Certificate Store

Answer: A

QUESTION 64
The NAC Agent uses which port and protocol to send discovery packets to an ISE Policy Service
Node?
A.
B.
C.
D.

tcp/8905
udp/8905
http/80
https/443

Answer: B

QUESTION 65
Which two conditions are valid when configuring ISE for posturing? (Choose two.)
A.
B.
C.
D.
E.

Dictionary
memberOf
Profile status
File
Service

Answer: DE

QUESTION 66
Refer to the exhibit. Which three statements about the given configuration are true? (Choose
three.)

A.
B.
C.
D.
E.
F.

TACACS+ authentication configuration is complete.


TACACS+ authentication configuration is incomplete.
TACACS+ server hosts are configured correctly.
TACACS+ server hosts are misconfigured.
The TACACS+ server key is encrypted.
The TACACS+ server key is unencrypted.

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

17

Answer: BCF

QUESTION 67
In AAA, what function does authentication perform?
A.
B.
C.
D.

It identifies the actions that the user can perform on the device.
It identifies the user who is trying to access a device.
It identifies the actions that a user has previously taken.
It identifies what the user can access.

Answer: B

QUESTION 68
Which identity store option allows you to modify the directory services that run on TCP/IP?
A.
B.
C.
D.

Lightweight Directory Access Protocol


RSA SecurID server
RADIUS
Active Directory

Answer: A

QUESTION 69
Which term describes a software application that seeks connectivity to the network via a network
access device?
A.
B.
C.
D.

authenticator
server
supplicant
WLC

Answer: C

QUESTION 70
Cisco ISE distributed deployments support which three features? (Choose three.)
A.
B.
C.
D.
E.
F.

global implementation of the profiler service CoA


global implementation of the profiler service in Cisco ISE
configuration to send system logs to the appropriate profiler node
node-specific probe configuration
server-specific probe configuration
NetFlow probes

Answer: ACD

QUESTION 71
An organization has recently deployed ISE with the latest models of Cisco switches, and it plans
to deploy Trustsec to secure its infrastructure. The company also wants to allow different network

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

18

access policies for different user groups (e.g., administrators). Which solution is needed to
achieve these goals?
A. Cisco Security Group Access Policies in order to use SGACLs to control access based on SGTs
assigned to different users
B. MACsec in Multiple-Host Mode in order to open or close a portbased on a single authentication
C. Identity-based ACLs on the switches with user identities provided by ISE
D. Cisco Threat Defense for user group control by leveraging Netflow exported from the switches and
login information from ISE
Answer: A

QUESTION 72
Security Group Access requires which three syslog messages to be sent to Cisco ISE? (Choose
three.)
A.
B.
C.
D.
E.
F.

IOS-7-PROXY_DROP
AP-1-AUTH_PROXY_DOS_ATTACK
MKA-2-MACDROP
AUTHMGR-5-MACMOVE
ASA-6-CONNECT_BUILT
AP-1-AUTH_PROXY_FALLBACK_REQ

Answer: BDF

QUESTION 73
Which Cisco IOS IPS feature allows to you remove one or more actions from all active signatures
based on the attacker and/or target address criteria, as well as the event risk rating criteria?
A.
B.
C.
D.

signature event action filters


signature event action overrides
signature attack severity rating
signature event risk rating

Answer: A

QUESTION 74
Which action does the command private-vlan association 100,200 take?
A.
B.
C.
D.

configures VLANs 100 and 200 and associates them as a community


associates VLANs 100 and 200 with the primary VLAN
creates two private VLANs with the designation of VLAN 100 and VLAN 200
assigns VLANs 100 and 200 as an association of private VLANs

Answer: B

QUESTION 75
Which of these allows you to add event actions globally based on the risk rating of each event,
without having to configure each signature individually?

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

19

A.
B.
C.
D.

event action summarization


event action filter
event action override
signature event action processor

Answer: C

QUESTION 76
Which two are technologies that secure the control plane of the Cisco router? (Choose two.)
A.
B.
C.
D.
E.
F.

Cisco IOS Flexible Packet Matching


uRPF
routing protocol authentication
CPPr
BPDU protection
role-based access control

Answer: CD

QUESTION 77
What is the result of configuring the command dotlx system-auth-control on a Cisco Catalyst
switch?
A.
B.
C.
D.

enables the switch to operate as the 802.1X supplicant


globally enables 802.1X on the switch
globally enables 802.1X and defines ports as 802.1X-capable
places the configuration sub-mode into dotix-auth mode, in which you can identify the authentication
server parameters

Answer: B

QUESTION 78
Cisco IOS IPS uses which alerting protocol with a pull mechanism for getting IPS alerts to the
network management application?
A.
B.
C.
D.
E.
F.

HTTPS
SMTP
SNMP
syslog
SDEE
POP3

Answer: E

QUESTION 79
When enabling the Cisco IOS IPS feature, which step should you perform to prevent rogue
signature updates from being installed on the router?

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

20

A. configure authentication and authorization for maintaining signature updates


B. install a known RSA public key that correlates to a private key used by Cisco
C. manually import signature updates from Cisco to a secure server, and then transfer files from
the secure server to the router
D. use the SDEE protocol for all signature updates from a known secure management station
Answer: B

QUESTION 80
When is it most appropriate to choose IPS functionality based on Cisco IOS software?
A.
B.
C.
D.

when traffic rates are low and a complete signature is not required
when accelerated, integrated performance is required using hardware ASIC-based IPS inspections
when integrated policy virtualization is required
when promiscuous inspection meets security requirements

Answer: A

QUESTION 81
Which Cisco IOS IPS risk rating component uses a low value of 75, a medium value of 100, a
high value of 150, and a mission-critical value of 200?
A.
B.
C.
D.
E.
F.

Signature Fidelity Rating


Attack Severity Rating
Target Value Rating
Attack Relevancy Rating
Promiscuous Delta
Watch List Rating

Answer: C

QUESTION 82
Which two of these are potential results of an attacker performing a DHCP server spoofing
attack? (Choose two.)
A.
B.
C.
D.
E.

DHCP snooping
DoS
confidentiality breach
spoofed MAC addresses
switch ports being converted to an untrusted state

Answer: BC

QUESTION 83
When Cisco IOS IPS signatures are being tuned, how is the Target Value Rating assigned?
A. It is calculated from the Event Risk Rating.
B. It is calculated from a combination of the Attack Severity Rating and Signature Fidelity Rating

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

21

C. It is manually set by the administrator.


D. It is set based upon SEAP functions.
Answer: C

QUESTION 84
When performing NAT, which of these is a limitation you need to account for?
A.
B.
C.
D.

exhaustion of port number translations


embedded IP addresses
security payload identifiers
inability to provide mutual connectivity to networks with overlapping address spaces

Answer: B

QUESTION 85
Which two answers are potential results of an attacker that is performing a DHCP server spoofing
attack? (Choose two.)
A.
B.
C.
D.
E.

ability to selectively change DHCP options fields of the current DHCP server, such as the giaddr field.
DoS
excessive number of DHCP discovery requests
ARP cache poisoning on the router
client unable to access network resources

Answer: BE

QUESTION 86
When configuring NAT, which three protocols that are shown may have limitations or
complications when using NAT? (Choose three.)
A.
B.
C.
D.
E.
F.

Kerberos
HTTPS
NTP
SIP
FTP
SQL

Answer: ADE

QUESTION 87
Which state is a Cisco IOS IPS signature in if it does not take an appropriate associated action
even if it has been successfully compiled?
A.
B.
C.
D.

retired
disabled
unsupported
inactive

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

22

Answer: B

QUESTION 88
Which statement best describes inside policy based NAT?
A. Policy NAT rules are those that determine which addresses need to be translated per the enterprise
security policy
B. Policy NAT consists of policy rules based on outside sources attempting to communicate with
inside endpoints.
C. These rules use source addresses as the decision for translation policies.
D. These rules are sensitive to all communicating endpoints.
Answer: A

QUESTION 89
When is it feasible for a port to be both a guest VLAN and a restricted VLAN?
A.
B.
C.
D.

this configuration scenario is never be implemented


when you have configured the port for promiscuous mode
when private VLANs have been configured to place each end device into different subnets
when you want to allow both types of users the same services

Answer: D

QUESTION 90
In an 802.1X environment, which feature allows for non-802.1X-supported devices such as
printers and fax machines to authenticate?
A.
B.
C.
D.

multiauth
WebAuth
MAB
802.1X guest VLAN

Answer: C

QUESTION 91
Which RADIUS attribute is used primarily to differentiate an IEEE 802.1x request from a Cisco
MAB request?
A.
B.
C.
D.

RADIUS Attribute (5) NAS-Port


RADIUS Attribute (6) Service-Type
RADIUS Attribute (7) Framed-Protocol
RADIUS Attribute (61) NAS-Port-Type

Answer: B

QUESTION 92
Which authorization method is the Cisco best practice to allow endpoints access to the Apple App

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

23

store or Google Play store with Cisco WLC software version 7.6 or newer?
A.
B.
C.
D.

dACL
DNS ACL
DNS ACL defined in Cisco ISE
redirect ACL

Answer: B

QUESTION 93
Which time allowance is the minimum that can be configured for posture reassessment interval?
A.
B.
C.
D.

5 minutes
20 minutes
60 minutes
90 minutes

Answer: C

QUESTION 94
Which advanced authentication setting is needed to allow an unknown device to utilize Central
WebAuth?
A.
B.
C.
D.

If Authentication failed > Continue


If Authentication failed > Drop
If user not found > Continue
If user not found > Reject

Answer: C

QUESTION 95
Which option restricts guests from connecting more than one device at a time?
A.
B.
C.
D.

Guest Portal policy > Set Device registration portal limit


Guest Portal Policy > Set Allow only one guest session per user
My Devices Portal > Set Maximum number of devices to register
Multi-Portal Policy > Guest users should be able to do device registration

Answer: B

QUESTION 96
In Cisco ISE, which two actions can be taken based on matching a profiler policy? (Choose two).
A.
B.
C.
D.
E.

exception
network scan (NMAP)
delete endpoint
automatically remediate
create matching identity group

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

24

Answer: AB

QUESTION 97
Which statement about the Cisco ISE BYOD feature is true?
A.
B.
C.
D.

Use of SCEP/CA is optional.


BYOD works only on wireless access.
Cisco ISE needs to integrate with MDM to support BYOD.
Only mobile endpoints are supported.

Answer: A

QUESTION 98
What user rights does an account need to join ISE to a Microsoft Active Directory domain?
A.
B.
C.
D.

Create and Delete Computer Objects


Domain Admin
Join and Leave Domain
Create and Delete User Objects

Answer: A

QUESTION 99
A network administrator must enable which protocol to utilize EAP-Chaining?
A.
B.
C.
D.

EAP-FAST
EAP-TLS
MSCHAPv2
PEAP

Answer: A

QUESTION 100
The corporate security policy requires multiple elements to be matched in an authorization policy.
Which elements can be combined to meet the requirement?
A.
B.
C.
D.

Device registration status and device activation status


Network access device and time condition
User credentials and server certificate
Built-in profile and custom profile

Answer: B

QUESTION 101
A network administrator needs to determine the ability of existing network devices to deliver key
BYOD services. Which tool will complete a readiness assessment and outline hardware and
software capable and incapable devices?

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

25

A.
B.
C.
D.

Prime Infrastructure
Network Control System
Cisco Security Manager
Identity Services Engine

Answer: A

QUESTION 102
Which EAP method uses a modified version of the MS-CHAP authentication protocol?
A.
B.
C.
D.

EAP-POTP
EAP-TLS
LEAP
EAP-MD5

Answer: C

QUESTION 103
Under which circumstance would an inline posture node be deployed?
A.
B.
C.
D.

When the NAD does not support CoA


When the NAD cannot support the number of connected endpoints
When a PSN is overloaded
To provide redundancy for a PSN

Answer: A

QUESTION 104
Which Cisco ISE 1.x protocol can be used to control admin access to network access devices?
A.
B.
C.
D.

TACACS+
RADIUS
EAP
Kerberos

Answer: B

QUESTION 105
A user is on a wired connection and the posture status is noncompliant.
Which state will their EPS session be placed in?
A.
B.
C.
D.

disconnected
limited
no access
quarantined

Answer: D

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

26

QUESTION 106
Which three posture states can be used for authorization rules? (Choose three.)
A.
B.
C.
D.
E.
F.
G.

unknown
known
noncompliant
quarantined
compliant
no access
limited

Answer: ACE

QUESTION 107
Which two Cisco ISE administration options are available in the Default Posture Status setting?
(Choose two.)
A.
B.
C.
D.
E.

Unknown
Compliant
FailOpen
FailClose
Noncompliant

Answer: BE

QUESTION 108
Which two portals can be configured to use portal FQDN? (Choose two.)
A.
B.
C.
D.
E.

admin
sponsor
guest
my devices
monitoring and troubleshooting

Answer: BD

QUESTION 109
Which five portals are provided by PSN? (Choose five.)
A.
B.
C.
D.
E.
F.
G.

guest
sponsor
my devices
blacklist
client provisioning
admin
monitoring and troubleshooting

Answer: ABCDE

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

27

QUESTION 110
When you add a new PSN for guest access services, which two options must be enabled under
deployment settings? (Choose two.)
A.
B.
C.
D.
E.

Admin
Monitoring
Policy Service
Session Services
Profiling

Answer: CD

QUESTION 111
In Cisco ISE, which probe must be enabled to collect profiling data using Device Sensor?
A.
B.
C.
D.
E.

RADIUS
SNMPQuery
SNMPTrap
Network Scan
Syslog

Answer: A

QUESTION 112
Which two profile attributes can be collected by a Cisco Catalyst Switch that supports Device
Sensor? (Choose two.)
A.
B.
C.
D.
E.
F.

LLDP agent information


user agent
DHCP options
open ports
operating system
trunk ports

Answer: AC

QUESTION 113
Which two profile attributes can be collected by a Cisco Wireless LAN Controller that supports
Device Sensor? (Choose two.)
A.
B.
C.
D.
E.
F.

LLDP agent information


user agent
DHCP options
open ports
CDP agent information
FQDN

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

28

Answer: BC

QUESTION 114
Which statement about Cisco ISE BYOD is true?
A.
B.
C.
D.
E.

Dual SSID allows EAP-TLS only when connecting to the secured SSID.
Single SSID does not require endpoints to be registered.
Dual SSID allows BYOD for guest users.
Single SSID utilizes open SSID to accommodate different types of users.
Single SSID allows PEAP-MSCHAPv2 for native supplicant provisioning.

Answer: E

QUESTION 115
Which two types of client provisioning resources are used for BYOD implementations? (Choose
two.)
A.
B.
C.
D.
E.

user agent
Cisco NAC agent
native supplicant profiles
device sensor
software provisioning wizards

Answer: CE

QUESTION 116
Which protocol sends authentication and accounting in different requests?
A.
B.
C.
D.
E.

RADIUS
TACACS+
EAP-Chaining
PEAP
EAP-TLS

Answer: B

QUESTION 117
You enabled the guest session limit feature on the Cisco ISE. However, end users report that the
same guest can log in from multiple devices simultaneously.
Which configuration is missing on the network access device?
A.
B.
C.
D.

RADIUS authentication
RADIUS accounting
DHCP required
AAA override

Answer: B

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

29

QUESTION 118
A properly configured Cisco ISE Policy Service node is not receiving any profile data from a Cisco
switch that runs Device Sensor.
Which option is the most likely reason for the failure?
A.
B.
C.
D.
E.

Syslog is configured for the Policy Administration Node.


RADIUS Accounting is disabled.
The SNMP community strings are mismatched.
RADIUS Authentication is misconfigured.
The connected endpoints support CDP but not DHCP.

Answer: B

QUESTION 119
Drag and Drop Question

Answer:

QUESTION 120
The NAC Agent v4.9.x uses which ports and protocols to communicate with an ISE Policy Service
Node?
A.
B.
C.
D.

tcp/8905, http/80, ftp/21


tcp/8905, http/80, https/443
udp/8905, telnet/23, https/443
udp/8906, http/80, https/443

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

30

Answer: B

QUESTION 121
Which two are valid ISE posture conditions? (Choose two.)
A.
B.
C.
D.
E.

Dictionary
memberOf
Profile status
File
Service

Answer: DE

QUESTION 122
A network engineer is configuring HTTP based CWA on a switch. Which three configuration
elements are required? (Choose three.)
A.
B.
C.
D.
E.
F.
G.

HTTP server enabled


Radius authentication on the port with MAB
Redirect access-list
Redirect-URL
HTTP secure server enabled
Radius authentication on the port with 802.1x
Pre-auth port based access-list

Answer: ABC

QUESTION 123
Which three statements describe differences between TACACS+ and RADIUS? (Choose three.)
A.
B.
C.
D.
E.
F.

RADIUS encrypts the entire packet, while TACACS+ encrypts only the password.
TACACS+ encrypts the entire packet, while RADIUS encrypts only the password.
RADIUS uses TCP, while TACACS+ uses UDP.
TACACS+ uses TCP, while RADIUS uses UDP.
RADIUS uses ports 1812 and 1813, while TACACS+ uses port 49.
TACACS+ uses ports 1812 and 1813, while RADIUS uses port 49

Answer: BDE

QUESTION 124
Which two identity store options allow you to authorize based on group membership? (Choose
two).
A.
B.
C.
D.

Lightweight Directory Access Protocol


RSA SecurID server
RADIUS
Active Directory

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

31

Answer: AD

QUESTION 125
What attribute could be obtained from the SNMP query probe?
A.
B.
C.
D.

FQDN
CDP
DHCP class identifier
User agent

Answer: B

QUESTION 126
What is a required configuration step for an 802.1X capable switch to support dynamic VLAN and
ACL assignments?
A.
B.
C.
D.

Configure the VLAN assignment.


Configure the ACL assignment.
Configure 802.1X authenticator authorization.
Configure port security on the switch port.

Answer: C

QUESTION 127
Which network component would issue the CoA?
A.
B.
C.
D.

switch
endpoint
Admin Node
Policy Service Node

Answer: D

QUESTION 128
What steps must you perform to deploy a CA-signed identity certificate on an ISE device?
A. 1. Download the CA server certificate and install it on ISE.
2. Generate a signing request and save it as a file.
3. Access the CA server and submit the CA request.
4. Install the issued certificate on the ISE.
B. 1. Download the CA server certificate and install it on ISE.
2. Generate a signing request and save it as a file.
3. Access the CA server and submit the CSR.
4. Install the issued certificate on the CA server.
C. 1. Generate a signing request and save it as a file.
2. Download the CA server certificate and install it on ISE.
3. Access the ISE server and submit the CA request.
4.Install the issued certificate on the CA server.

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

32

D. 1. Generate a signing request and save it as a file.


2. Download the CA server certificate and install it on ISE.
3. Access the CA server and submit the CSR.
4. Install the issued certificate on the ISE.
Answer: D

QUESTION 129
An organization has recently deployed ISE with Trustsec capable Cisco switches and would like
to allow differentiated network access based on user groups. Which solution is most suitable for
achieving these goals?
A. Cyber Threat Defense for user group control by leveraging Netflow exported from the Cisco
switches and identity information from ISE
B. MACsec in Multiple-Host Mode in order to encrypt traffic at each hop of the network infrastructure
C. Identity-based ACLs preconfigured on the Cisco switches with user identities provided by ISE
D. Cisco Security Group Access Policies to control access based on SGTs assigned to different user
groups
Answer: D

QUESTION 130
Which three are required steps to enable SXP on a Cisco ASA? (Choose three).
A.
B.
C.
D.
E.
F.

configure AAA authentication


configure password
issue the aaa authorization command aaa-server group command
configure a peer
configure TACACS
issue the cts sxp enable command

Answer: BDF

QUESTION 131
Which three network access devices allow for static security group tag assignment? (Choose
three.)
A.
B.
C.
D.
E.
F.

intrusion prevention system


access layer switch
data center access switch
load balancer
VPN concentrator
wireless LAN controller

Answer: BCE

QUESTION 132
Which option is required for inline security group tag propagation?

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

33

A.
B.
C.
D.

Cisco Secure Access Control System


hardware support
Security Group Tag Exchange Protocol (SXP) v4
Cisco Identity Services Engine

Answer: B

QUESTION 133
Which two fields are characteristics of IEEE 802.1AE frame? (Choose two.)
A.
B.
C.
D.
E.
F.

destination MAC address


source MAC address
802.1AE header in EtherType
security group tag in EtherType
integrity check value
CRC/FCS

Answer: CE

QUESTION 134
Which two options are valid for configuring IEEE 802.1AE MACSec between switches in a
TrustSec network? (Choose two.)
A.
B.
C.
D.
E.
F.

manually on links between supported switches


in the Cisco Identity Services Engine
in the global configuration of a TrustSec non-seed switch
dynamically on links between supported switches
in the Cisco Secure Access Control System
in the global configuration of a TrustSec seed switch

Answer: AD

QUESTION 135
Which three pieces of information can be found in an authentication detail report? (Choose three.)
A.
B.
C.
D.
E.
F.

DHCP vendor ID
user agent string
the authorization rule matched by the endpoint
the EAP method the endpoint is using
the RADIUS username being used
failed posture requirement

Answer: CDE

QUESTION 136
Certain endpoints are missing DHCP profiling data.
Which option describes what can be used to determine if DHCP requests from clients are
reaching Cisco ISE?

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

34

A.
B.
C.
D.
E.

output of show interface gigabitEthernet 0 from the CLI


output of debug logging all 7 from the CLI
output of show logging application profiler.log from the CLI
the TCP dump diagnostic tool through the GUI
the posture troubleshooting diagnostic tool through the GUI

Answer: D

QUESTION 137
Which debug command on a Cisco WLC shows the reason that a client session was terminated?
A.
B.
C.
D.
E.

debug dot11 state enable


debug dot1x packet enable
debug client mac addr
debug dtls event enable
debug ap enable cisco ap

Answer: C

QUESTION 138
Which two identity databases are supported when PEAP-MSCHAPv2 is used as EAP type?
(Choose two.)
A.
B.
C.
D.
E.
F.
G.

Windows Active Directory


LDAP
RADIUS token server
internal endpoint store
internal user store
certificate authentication profile
RSA SecurID

Answer: AE

QUESTION 139
Which two Cisco Catalyst switch interface commands allow only a single voice device and a
single data device to be connected to the IEEE 802.1X-enabled interface? (Choose two.)
A.
B.
C.
D.

authentication host-mode single-host


authentication host-mode multi-domain
authentication host-mode multi-host
authentication host-mode multi-auth

Answer: AB

QUESTION 140
What are two possible reasons why a scheduled nightly backup of ISE to a FTP repository would
fail? (Choose two.)

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

35

A.
B.
C.
D.
E.

ISE attempted to write the backup to an invalid path on the FTP server.
The ISE and FTP server clocks are out of sync.
The username and password for the FTP server are invalid.
The server key is invalid or misconfigured.
TCP port 69 is disabled on the FTP server.

Answer: AC

QUESTION 141
Which two statements about MAB are true? (Choose two.)
A.
B.
C.
D.
E.

It requires a preexisting database of the MAC addresses of permitted devices.


It is unable to control network access at the edge.
If MAB fails, the device is unable to fall back to another authentication method.
It is unable to link the IP and MAC addresses of a device.
It is unable to authenticate individual users.

Answer: AE

QUESTION 142
Which type of access list is the most scalable that Cisco ISE can use to implement network
authorization enforcement for a large number of users?
A.
B.
C.
D.

downloadable access lists


named access lists
VLAN access lists
MAC address access lists

Answer: A

QUESTION 143
When you select Centralized Web Auth in the ISE Authorization Profile, which two components
host the web authentication portal? (Choose two.)
A.
B.
C.
D.
E.

ISE
the WLC
the access point
the switch
the endpoints

Answer: BD

QUESTION 144
What is the default posture status for non-agent capable devices, such as Linux and iDevices?
A. Unknown
B. Validated
C. Default

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

36

D. Compliant
Answer: D

QUESTION 145
Your guest-access wireless network is experiencing degraded performance and excessive
latency due to user saturation. Which type of rate limiting can you implement on your network to
correct the problem?
A.
B.
C.
D.
E.

per-device
per-policy
per-access point
per-controller
per-application

Answer: A

QUESTION 146
You are installing Cisco ISE on nodes that will be used in a distributed deployment. After the
initial bootstrap process, what state will the Cisco ISE nodes be in?
A.
B.
C.
D.

Remote
Policy service
Administration
Standalone

Answer: D

QUESTION 147
What three changes require restarting the application service on an ISE node? (Choose three.)
A.
B.
C.
D.
E.
F.

Registering a node.
Changing the primary node to standalone.
Promoting the administration node.
Installing the root CA certificate.
Changing the guest portal default port settings.
Adding a network access device.

Answer: ABC

QUESTION 148
Which default identity source is used by the MyDevices_Portal_Sequence identity source
sequence?
A.
B.
C.
D.
E.

internal users
guest users
Active Directory
internal endpoints
RADIUS servers

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

37

Answer: A

QUESTION 149
What EAP method supports mutual certificate-based authentication?
A.
B.
C.
D.

EAP-TTLS
EAP-MSCHAP
EAP-TLS
EAP-MD5

Answer: C

QUESTION 150
Which two Active Directory authentication methods are supported by Cisco ISE? (Choose two.)
A.
B.
C.
D.
E.

MS-CHAPv2
PEAP
PPTP
EAP-PEAP
PPP

Answer: AB

QUESTION 151
Which statement about a distributed Cisco ISE deployment is true?
A.
B.
C.
D.

It can support up to two monitoring Cisco ISE nodes for high availability.
It can support up to three load-balanced Administration ISE nodes.
Policy Service ISE nodes can be configured in a redundant failover configuration.
The Active Directory servers of Cisco ISE can be configured in a load-balanced configuration.

Answer: A

QUESTION 152
Which Cisco ISE feature can differentiate a corporate endpoint from a personal device?
A.
B.
C.
D.

EAP chaining
PAC files
authenticated in-band provisioning
machine authentication

Answer: A

QUESTION 153
Which configuration must you perform on a switch to deploy Cisco ISE in low-impact mode?
A. Configure an ingress port ACL on the switchport.

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

38

B. Configure DHCP snooping globally.


C. Configure IP-device tracking.
D. Configure BPDU filtering.
Answer: A

QUESTION 154
Which profiling capability allows you to gather and forward network packets to an analyzer?
A.
B.
C.
D.

collector
spanner
retriever
aggregator

Answer: A

QUESTION 155
Which network access device feature can you configure to gather raw endpoint data?
A.
B.
C.
D.

Device Sensor
Device Classifier
Switched Port Analyzer
Trust Anchor

Answer: A

QUESTION 156
Which method does Cisco prefer to securely deploy guest wireless access in a BYOD
implementation?
A.
B.
C.
D.

deploying a dedicated Wireless LAN Controller in a DMZ


configuring a guest SSID with WPA2 Enterprise authentication
configuring guest wireless users to obtain DHCP centrally from the corporate DHCP server
disabling guest SSID broadcasting

Answer: A

QUESTION 157
Which mechanism does Cisco ISE use to force a device off the network if it is reported lost or
stolen?
A.
B.
C.
D.

CoA
dynamic ACLs
SGACL
certificate revocation

Answer: A

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

39

QUESTION 158
You discover that the Cisco ISE is failing to connect to the Active Directory server. Which option
is a possible cause of the problem?
A.
B.
C.
D.

NTP server time synchronization is configured incorrectly.


There is a certificate mismatch between Cisco ISE and Active Directory.
NAT statements required for Active Directory are configured incorrectly.
The RADIUS authentication ports are being blocked by the firewall.

Answer: A

QUESTION 159
Which type of remediation does Windows Server Update Services provide?
A.
B.
C.
D.

automatic remediation
administrator-initiated remediation
redirect remediation
central Web auth remediation

Answer: A

QUESTION 160
Which three remediation actions are supported by the Web Agent for Windows? (Choose three.)
A.
B.
C.
D.
E.
F.

Automatic Remediation
Message text
URL Link
File Distribution
AV definition update
Launch Program

Answer: BCD

QUESTION 161
What endpoint operating system provides native support for the SPW?
A.
B.
C.
D.

Apple iOS
Android OS
Windows 8
Mac OS X

Answer: A

QUESTION 162
Which condition triggers wireless authentication?
A. NAS-Port-Type is set to IEEE 802.11.
B. Framed-Compression is set to None.
C. Service-Type is set to Framed.

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

40

D. Tunnel-Type is set to VLAN.


Answer: A

QUESTION 163
Which feature enables the Cisco ISE DHCP profiling capabilities to determine and enforce
authorization policies on mobile devices?
A.
B.
C.
D.

disabling the DHCP proxy option


DHCP option 42
DHCP snooping
DHCP spoofing

Answer: A

QUESTION 164
With which two appliance-based products can Cisco Prime Infrastructure integrate to perform
centralized management? (Choose two.)
A.
B.
C.
D.
E.

Cisco Managed Services Engine


Cisco Email Security Appliance
Cisco Wireless Location Appliance
Cisco Content Security Appliance
Cisco ISE

Answer: AE

QUESTION 165
Which two options are EAP methods supported by Cisco ISE? (Choose two.)
A.
B.
C.
D.

EAP-FAST
EAP-TLS
EAP-MS-CHAPv2
EAP-GTC

Answer: AB

QUESTION 166
You configured wired 802.1X with EAP-TLS on Windows machines. The ISE authentication detail
report shows "EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client
certificates chain." What is the most likely cause of this error?
A.
B.
C.
D.

The ISE certificate store is missing a CA certificate.


The Wireless LAN Controller is missing a CA certificate.
The switch is missing a CA certificate.
The Windows Active Directory server is missing a CA certificate.

Answer: A

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

41

QUESTION 167
What type of identity group is the Blacklist identity group?
A.
B.
C.
D.
E.

endpoint
user
blackhole
quarantine
denied systems

Answer: A

QUESTION 168
Which feature must you configure on a switch to allow it to redirect wired endpoints to Cisco ISE?
A.
B.
C.
D.

the http secure-server command


RADIUS Attribute 29
the RADIUS VSA for accounting
the RADIUS VSA for URL-REDIRECT

Answer: A

QUESTION 169
Lab Sim
The Secure-X company has recently successfully tested the 802.1X authentication deployment
using the Cisco Catalyst switch and the Cisco ISEv1.2 appliance. Currently, each employee
desktop is connected to an 802.1X enabled switch port and is able to use the Cisco AnyConnect
NAM 802.1Xsupplicantto log in and connect to the network.
Currently, a new testing requirement is to add a network printer to the Fa0/19 switch port and
have it connect to the network. The network printer does not support 802.1X supplicant. The
Fa0/19 switch port is now configured to use 802.1X authentication only.
To support this network printer, the Fa0/19 switch port configuration needs to be edited to enable
the network printer to authenticate using its MAC address. The network printer should also be on
VLAN 9.
Another network security engineer responsible for managing the Cisco ISE has already perconfigured all the requirements on the Cisco ISE, including adding the network printer MAC
address to the Cisco ISE endpoint database and etc...
Your task in the simulation is to access the Cisco Catalyst Switch console then use the CLI to:
- Enable only the Cisco Catalyst Switch Fa0/19 switch port to
authenticate the network printer using its MAC address and:
- Ensure that MAC address authentication processing is not delayed
until 802.1Xfails
- Ensure that even if MAC address authentication passes, the switch
will still perform 802.1X authentication if requested by a 802.1X
supplicant
- Use the required show command to verify the MAC address
authentication on the Fa0/19 is successful
The switch enable password is Cisco
For the purpose of the simulation, to test the network printer, assume the network printer will be
unplugged then plugged back into the Fa0/19 switch port after you have finished the required
configurations on the Fa0/19 switch port.

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

42

Note: For this simulation, you will not need and do not have access to the ISE GUI To access the
switch CLI, click the Switch icon in the topology diagram

Answer: Review the explanation for full configuration and solution.


Initial configuration for fa 0/19 that is already done:

AAA configuration has already been done for us.


We need to configure mac address bypass on this port to achieve the goal stated in the question.

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

43

To do this we simply need to add this command under the interface:


mab
Then do a shut/no shut on the interface.
Verification:

QUESTION 170
Lab Sim
The Secure-X company has started to tested the 802.1X authentication deployment using the
Cisco Catalyst 3560-X layer 3 switch and the Cisco ISEvl2 appliance. Each employee desktop
will be connected to the 802.1X enabled switch port and will use the Cisco AnyConnect NAM
802.1X supplicant to log in and connect to the network.
Your particular tasks in this simulation are to create a new identity source sequence named
AD_internal which will first use the Microsoft Active Directory (AD1) then use the ISE Internal
User database. Once the new identity source sequence has been configured, edit the existing
DotlX authentication policy to use the new AD_internal identity source sequence.
The Microsoft Active Directory (AD1) identity store has already been successfully configured, you
just need to reference it in your configuration.

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

44

In addition to the above, you are also tasked to edit the IT users authorization policy so IT users
who successfully authenticated will get the permission of the existing IT_Corp authorization
profile.
Perform this simulation by accessing the ISE GUI to perform the following tasks:
- Create a new identity source sequence named AD_internal to first use
the Microsoft Active Directory (AD1) then use the ISE Internal User
database
- Edit the existing Dot1X authentication policy to use the new
AD_internal identity source sequence:
- If authentication failed-reject the access request
- If user is not found in AD-Drop the request without sending a
response
- If process failed-Drop the request without sending a response
- Edit the IT users authorization policy so IT users who successfully
authenticated will get the permission of the existing IT_Corp
authorization profile.
To access the ISE GUI, click the ISE icon in the topology diagram. To verify your configurations,
from the ISE GUI, you should also see the Authentication Succeeded event for the it1 user after
you have successfully defined the DotlX authentication policy to use the Microsoft Active
Directory first then use the ISE Internal User Database to authenticate the user. And in the
Authentication Succeeded event, you should see the IT_Corp authorization profile being applied
to the it1 user. If your configuration is not correct and ISE can't authenticate the user against the
Microsoft Active Directory, you should see the Authentication Failed event instead for the it1 user.
Note: If you make a mistake in the Identity Source Sequence configuration, please delete the
Identity Source Sequence then re-add a new one. The edit Identity Source Sequence function is
not implemented in this simulation.

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

45

Answer: Review the explanation for full configuration and solution.


Step 1: create a new identity source sequence named AD_internal which will first use the
Microsoft Active Directory (AD1) then use the ISE Internal User database as shown below:

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

46

Step 2: Edit the existing Dot1x policy to use the newly created Identity Source:

Then hit Done and save.

QUESTION 171
Hotspot Question
In this simulation, you are task to examine the various authentication events using the ISE GUI.

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

47

For example, you should see events like Authentication succeeded. Authentication failed and
etc...

Which four statements are correct regarding the event that occurred at 2014-05-07 00:19:07.004?
(Choose four.)

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

48

A.
B.
C.
D.

The IT_Corp authorization profile were applied.


The it1 user was matched to the IT_Corp authorization policy.
The it1 user supplicant used the PEAP (EAP-MSCHAPv2) authentication method.
The it1 user was authenticated using MAB.
"Pass Any Exam. Any Time." - www.actualtests.com 69 Cisco 300-208 Exam
E. The it1 user was successfully authenticated against AD1 identity store.
F. The it1 user machine has been profiled as a Microsoft-Workstation.
G. The it1 user machine has passed all the posture assessement tests.
Answer: BCEF
Explanation:
Here are the details shown for this event:

QUESTION 172
Hotspot Question
In this simulation, you are task to examine the various authentication events using the ISE GUI.
For example, you should see events like Authentication succeeded. Authentication failed and
etc...

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

49

Which three statements are correct regarding the events with the 20 repeat count that occurred at
2014-05-07 00:22:48.748? (Choose three.)
A. The device was successfully authenticated using MAB.
B. The device matched the Machine_Corp authorization policy.

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

50

C.
D.
E.
F.

The Print Servers authorization profile were applied.


The device was profiled as a Linksys-PrintServer.
The device MAC address is 00:14:BF:70:B5:FB.
The device is connected to the Gi0/1 switch port and the switch IP address is 10.10.2.2.
"Pass Any Exam. Any Time." - www.actualtests.com 71 Cisco 300-208 Exam

Answer: ADE
Explanation:
Event Details:

...continued:

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

51

QUESTION 173
Hotspot Question
In this simulation, you are task to examine the various authentication events using the ISE GUI.
For example, you should see events like Authentication succeeded. Authentication failed and
etc...

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

52

Which two statements are correct regarding the event that occurred at 2014-05-07 00:22:48.175?
(Choose two.)
A.
B.
C.
D.
E.

The DACL will permit http traffic from any host to 10.10.2.20
The DACL will permit http traffic from any host to 10.10.3.20
The DACL will permit icmp traffic from any host to 10.10.2.20
The DACL will permit icmp traffic from any host to 10.10.3.20
The DACL will permit https traffic from any host to 10.10.3.20

Answer: AE
Explanation:
Event Details:

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

53

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

54

QUESTION 174
Hotspot Question
In this simulation, you are task to examine the various authentication events using the ISE GUI.
For example, you should see events like Authentication succeeded. Authentication failed and
etc...

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

55

Which two statements are correct regarding the event that occurred at 2014-05-07 00:16:55.393?
(Choose two.)
A.
B.
C.
D.
E.
F.
G.
H.

The failure reason was user entered the wrong username.


The supplicant used the PAP authentication method.
The username entered was it1.
The user was authenticated against the Active Directory then also against the ISE interal user
database and both fails.
The NAS switch port where the user connected to has a MAC address of 44:03:A7:62:41:7F
The user is being authenticated using 802.1X.
"Pass Any Exam. Any Time." - www.actualtests.com 76 Cisco 300-208 Exam
The user failed the MAB.
The supplicant stopped responding to ISE which caused the failure.

Answer: CF
Explanation:
Event Details:

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

56

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

57

QUESTION 175
Changes were made to the ISE server while troubleshooting, and now all wireless certificate
authentications are failing. Logs indicate an EAP failure.
What are the two possible causes of the problem? (Choose two.)
A.
B.
C.
D.
E.

EAP-TLS is not checked in the Allowed Protocols list


Client certificate is not included in the Trusted Certificate Store
MS-CHAPv2-is not checked in the Allowed Protocols list
Default rule denies all traffic
Certificate authentication profile is not configured in the Identity Store

Answer: AE

QUESTION 176
Which action must an administrator take after joining a Cisco ISE deployment to an Active
Directory domain?
A. Choose an Active Directory user.
B. Configure the management IP address.
C. Configure replication.

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

58

D. Choose an Active Directory group.


Answer: D

QUESTION 177
Which feature of Cisco ASA allows VPN users to be postured against Cisco ISE without requiring
an inline posture node?
A.
B.
C.
D.

RADIUS Change of Authorization


device tracking
DHCP snooping
VLAN hopping

Answer: A

QUESTION 178
After an endpoint has completed authentication with MAB, a security violation is triggered
because a different MAC address was detected. Which host mode must be active on the port?
A.
B.
C.
D.

single-host mode
multidomain authentication host mode
multiauthentication host mode
multihost mode

Answer: A

QUESTION 179
Refer to the exhibit. You are configuring permissions for a new Cisco ISE standard authorization
profile. If you configure the Tunnel-Private-Group-ID attribute as shown, what does the value 123
represent?

A.
B.
C.
D.

the VLAN ID
the VRF ID
the tunnel ID
the group ID

Answer: A

QUESTION 180
Where would a Cisco ISE administrator define a named ACL to use in an authorization policy?
A. In the conditions of an authorization rule.
B. In the attributes of an authorization rule.
C. In the permissions of an authorization rule.

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

59

D. In an authorization profile associated with an authorization rule.


Answer: D

QUESTION 181
Refer to the exhibit. Which URL must you enter in the External Webauth URL field to configure
Cisco ISE CWA correctly?

A.
B.
C.
D.

https://ip_address:8443/guestportal/Login.action
https://ip_address:443/guestportal/Welcome.html
https://ip_address:443/guestportal/action=cpp
https://ip_address:8905/guestportal/Sponsor.action

Answer: A

QUESTION 182
When you configure an endpoint profiling policy rule, which option describes the purpose of the
minimum certainty factor?
A. It is compared to the total certainty metric of an individual endpoint to determine whether the
endpoint can be trusted.
B. It is compared to the assigned certainty value of an individual endpoint in a device database to
determine whether the endpoint can be trusted.
C. It is used to compare the policy condition to other active policies.
D. It is used to determine the likelihood that an endpoint is an active, trusted device on the network.
Answer: A

QUESTION 183
You have configured a Cisco ISE 1.2 deployment for self-registration of guest users. What two
options can you select from to determine when the account duration timer begins? (Choose two.)
A.
B.
C.
D.

CreateTime
FirstLogin
BeginLogin
StartTime

Answer: AB

QUESTION 184
Which error in a redirect ACL can cause the redirection of an endpoint to the provisioning portal

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

60

to fail?
A.
B.
C.
D.

The redirect ACL is blocking access to ports 80 and 443.


The redirect ACL is applied to an incorrect SVI.
The redirect ACL is blocking access to the client provisioning portal.
The redirect ACL is blocking access to Cisco ISE port 8905.

Answer: A

QUESTION 185
Where must periodic re-authentication be configured to allow a client to come out of the
quarantine state and become compliant?
A.
B.
C.
D.

on the switch port


on the router port
on the supplicant
on the controller

Answer: A

QUESTION 186
Which functionality does the Cisco ISE self-provisioning flow provide?
A. It provides support for native supplicants, allowing users to connect devices directly to the
network.
B. It provides the My Devices portal, allowing users to add devices to the network.
C. It provides support for users to install the Cisco NAC agent on enterprise devices.
D. It provides self-registration functionality to allow guest users to access the network.
Answer: A

QUESTION 187
During client provisioning on a Mac OS X system, the client system fails to renew its IP address.
Which change can you make to the agent profile to correct the problem?
A.
B.
C.
D.

Enable the Agent IP Refresh feature.


Enable the Enable VLAN Detect Without UI feature.
Enable CRL checking.
Edit the Discovery Host parameter to use an IP address instead of an FQDN.

Answer: A

QUESTION 188
Where is dynamic SGT classification configured?
A.
B.
C.
D.

Cisco ISE
NAD
supplicant
RADIUS proxy

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

61

Answer: A

QUESTION 189
What is the function of the SGACL policy matrix on a Cisco TrustSec domain with SGT
Assignment?
A.
B.
C.
D.
E.

It determines which access policy to apply to the endpoint.


It determines which switches are trusted within the TrustSec domain.
It determines the path the SGT of the packet takes when entering the Cisco TrustSec domain.
It lists all servers that are permitted to participate in the TrustSec domain.
It lists all hosts that are permitted to participate in the TrustSec domain.

Answer: A

QUESTION 190
You are configuring SGA on a network device that is unable to perform SGT tagging. How can
the device propagate SGT information?
A. The device can use SXP to pass IP-address-to-SGT mappings to a TrustSec-capable hardware
peer.
B. The device can use SXP to pass MAC-address-to-STG mappings to a TrustSec-capable
hardware peer.
C. The device can use SXP to pass MAC-address-to-IP mappings to a TrustSec-capable hardware
peer.
D. The device can propagate SGT information in an encapsulated security payload.
E. The device can use a GRE tunnel to pass the SGT information to a TrustSec-capable hardware
peer.
Answer: A

QUESTION 191
Refer to the exhibit. The links outside the TrustSec area in the given SGA architecture are
unprotected. On which two links does EAC take place? (Choose two.)

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

62

A.
B.
C.
D.
E.
F.

between switch 2 and switch 3


between switch 5 and host 2
between host 1 and switch 1
between the authentication server and switch 4
between switch 1 and switch 2
between switch 1 and switch 5

Answer: AB

QUESTION 192
Which three host modes support MACsec? (Choose three.)
A.
B.
C.
D.
E.
F.

multidomain authentication host mode


multihost mode
multi-MAC host mode
single-host mode
dual-host mode
multi-auth host mode

Answer: ABD

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

63

QUESTION 193
You are troubleshooting wired 802.1X authentications and see the following error: "Authentication
failed: 22040 Wrong password or invalid shared secret." What should you inspect to determine
the problem?
A.
B.
C.
D.
E.

RADIUS shared secret


Active Directory shared secret
Identity source sequence
TACACS+ shared secret
Certificate authentication profile

Answer: A

QUESTION 194
Refer to the exhibit. You are troubleshooting RADIUS issues on the network and the debug
radius command returns the given output. What is the most likely reason for the failure?

A.
B.
C.
D.
E.

An invalid username or password was entered.


The RADIUS port is incorrect.
The NAD is untrusted by the RADIUS server.
The RADIUS server is unreachable.
RADIUS shared secret does not match

Answer: A

QUESTION 195
Which devices support download of environmental data and IP from Cisco ISE to SGT bindings in
their SGFW implementation?
A.
B.
C.
D.

Cisco ASA devices


Cisco ISR G2 and later devices with ZBFW
Cisco ISR G3 devices with ZBFW
Cisco ASR devices with ZBFW

Answer: A

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

64

QUESTION 196
In Cisco ISE 1.3, where is BYOD enabled with dual-SSID onboarding?
A.
B.
C.
D.

client provisioning policy


client provisioning resources
BYOD portal
guest portal

Answer: D

QUESTION 197
Which description of the purpose of the Continue option in an authentication policy rule is true?
A.
B.
C.
D.
E.

It allows Cisco ISE to check the list of rules in an authentication policy until there is a match.
It sends an authentication to the next subrule within the same authentication rule.
It allows Cisco ISE to proceed to the authorization policy regardless of authentication pass/fail.
It sends an authentication to the selected identity store.
It causes Cisco ISE to ignore the NAD because NAD will treat the Cisco ISE server as dead.

Answer: C

QUESTION 198
How many days does Cisco ISE wait before it purges a session from the active session list if no
RADIUS Accounting STOP message is received?
A.
B.
C.
D.

1
5
10
15

Answer: B

QUESTION 199
A user configured a Cisco Identity Service Engine and switch to work with downloadable access
list for wired dot1x users, though it is failing to work. Which command must be added to address
the issue?
A.
B.
C.
D.

ip dhcp snooping
ip device tracking
dot1x pae authenticator
aaa authentication dot1x default group radius

Answer: B

QUESTION 200
Which option is the correct format of username in MAB authentication?
A. host/LSB67.cisco.com

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

65

B. chris@cisco.com
C. 10:41:7F:46:9F:89
D. CISCO\chris
Answer: C

QUESTION 201
Refer to the exhibit. In a distributed deployment of Cisco ISE, which column in Figure 1 is used to
fill in the Host Name field in Figure 2 to collect captures on Cisco ISE while authenticating the
specific endpoint?

A.
B.
C.
D.

Server
Network Device
Endpoint ID
Identity

Answer: A

QUESTION 202
Which ISE feature is used to facilitate a BYOD deployment?
A.
B.
C.
D.

self-service personal device registration and onboarding


Guest Service Sponsor Portal
Local Web Auth
Guest Identity Source Sequence

Answer: A

QUESTION 203
What are two actions that can occur when an 802.1X-enabled port enters violation mode?
(Choose two.)

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

66

A.
B.
C.
D.
E.
F.

The port is error disabled.


The port drops packets from any new device that sends traffic to the port.
The port generates a port resistance error.
The port attempts to repair the violation.
The port is placed in quarantine state.
The port is prevented from authenticating indefinitely.

Answer: AB

QUESTION 204
Which option describes the purpose of configuring Native Supplicant Profile on the Cisco ISE?
A.
B.
C.
D.

It helps employees add and manage new devices by entering the MAC address for the device.
It is used to register personal devices on the network.
It enforces the use of MSCHAPv2 or EAP-TLS for 802.1X authentication.
It provides posture assessments and remediation for devices that are attempting to gain access
to the corporate network.

Answer: C

QUESTION 205
Which configuration is required in the Cisco ISE Authentication policy to allow Central Web
Authentication?
A.
B.
C.
D.

Dot1x and if authentication failed continue


MAB and if user not found continue
MAB and if authentication failed continue
Dot1x and if user not found continue

Answer: B

QUESTION 206
In a Cisco ISE deployment, which traffic is permitted by the default dynamic ACL?
A.
B.
C.
D.

all IP traffic
management traffic only
TCP traffic only
UDP traffic only

Answer: A

QUESTION 207
Which redirect-URL is pushed by Cisco ISE for posture redirect for corporate users?
A. https://ise1.cisco.com:8443/portal/gateway?sessionId=0A00023D0000003A239F78CC&po
rtal=283258a0-e96e-11e4-a30a005056bf01c9&action=cpp&token=a1a6ea71ea8f410c2637e11ba534379e
B. https://ise1.cisco.com:8443/portal/gateway?sessionId=0A00023D0000003A239F78CC&po

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

67

rtal=283258a0-e96e-11e4-a30a005056bf01c9&action=cwa&token=a1a6ea71ea8f410c2637e11ba534379e
C. https://ise1.cisco.com:8443/portal/gateway?sessionId=0A00023D0000003A239F78CC&po
rtal=283258a0-e96e-11e4-a30a005056bf01c9&action=mdm&token=a1a6ea71ea8f410c2637e11ba534379e
D. https://ise1.cisco.com:8443/portal/gateway?sessionId=0A00023D0000003A239F78CC&po
rtal=283258a0-e96e-11e4-a30a005056bf01c9&action=drw&token=a1a6ea71ea8f410c2637e11ba534379e
Answer: A

QUESTION 208
Scenario:
Currently, many users are expehecing problems using their AnyConnect NAM supplicant to login
to the network. The rr desktop support staff have already examined and vehfed the AnyConnect
NAM configuration is correct.
In this simulation, you are tasked to examine the various ISE GUI screens to determine the ISE
current configurations to help isolate the problems. Based on the current ISE configurations, you
will need to answer three multiple choice questions.
To access the ISE GUI, click on the ISE icon in the topology diagram to access the ISE GUI.
Not all the ISE GUI screen are operational in this simulation and some of the ISE GUI operations
have been reduced in this simulation.
Not all the links on each of the ISE GUI screen works, if some of the links are not working on a
screen, click Home to go back to the Home page first. From the Home page, you can access all
the required screens.
To view some larger GUI screens, use the simulation window scroll bars. Some of the larger GUI
screens only shows partially but will include all information required to complete this simulation.

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

68

Determine which can be two reasons why many users like the Sales and fT users are not able to
authenticate and access the network using their AnyConnect NAM client with EAP-

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

69

FAST.(Choose two.)
A.
B.
C.
D.

The DotlX authentication policy is not allowing the EAP-FAST protocol.


The rr_Corp authorization profile has the wrong Access Type configured.
The authorization profile used for the Sales users is misconfigured.
The order for the MAB authentication policy and the DotlX authentication policy should be
reversed.
E. Many of the fT Sales and fT user machines are not passing the ISE posture accessment.
F. he PERMrr_ALL_TRAFFIC DACL is missing the permit ip any any statement it the end.
G. The Employee_FullAccess_DACL DACL is missing the permit ip any any statement in the end.
Answer: AD

QUESTION 209
Which 802.1X command ignores Access-Reject during EAP authentication?
A.
B.
C.
D.
E.

dot1x pae authenticator


switchport mode access
authentication port-control auto
authentication open
authentication host-mode multi-domain

Answer: D

QUESTION 210
Refer to the exhibit. If a user with privilege 15 is matching this command set on Cisco ISE 2.0,
which three commands can the user execute? (Choose three.)

A.
B.
C.
D.
E.
F.

configure terminal
show run
show clock
ping 10.10.100.1
exit
show ip interface brief

Answer: BCF

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

70

QUESTION 211
Which two options must be used on Cisco ISE to enable the TACACS+ feature? (Choose two.)
A.
B.
C.
D.
E.
F.
G.

TACACS External Servers


TACACS+ Authentication Settings
TACACS Server Sequence
Enable Device Admin Service
TACACS Command Sets
TACACS Profiles
Device Administration License

Answer: DG

QUESTION 212
Which operating system type needs access to the Internet to download the application that is
required for BYOD on-boarding?
A.
B.
C.
D.

iOS
OSX
Android
Windows

Answer: C

QUESTION 107
Refer to the exhibit. Which two things must be verified if authentication is failing with this error
message? (Choose two.)

A. Cisco ISE EAP identity certificate is valid.


B. CA cert chain of Cisco ISE EAP certificate is installed on the trusted certs store of the client
machine.
C. CA cert chain of the client certificate is installed on Cisco ISE.
D. Cisco ISE HTTPS/admin certificate is valid.
E. Cisco ISE server certificate is installed on the client.
Answer: AB

QUESTION 213
Which three pieces of information can be found in an authentication detail report? (Choose three.)
A. DHCP vendor ID
B. user agent string
C. the authorization rule matched by the endpoint

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

71

D. the EAP method the endpoint is using


E. the RADIUS username being used
F. failed posture requirement
Answer: CDE

QUESTION 214
Which profiling capability allows you to gather and forward network packets to an analyzer?
A.
B.
C.
D.

collector
spanner
retriever
aggregator

Answer: A

QUESTION 215
Scenario:
Currently, many users are expehecing problems using their AnyConnect NAM supplicant to login
to the network. The rr desktop support staff have already examined and vehfed the AnyConnect
NAM configuration is correct.
In this simulation, you are tasked to examine the various ISE GUI screens to determine the ISE
current configurations to help isolate the problems. Based on the current ISE configurations, you
will need to answer three multiple choice questions.
To access the ISE GUI, click on the ISE icon in the topology diagram to access the ISE GUI.
Not all the ISE GUI screen are operational in this simulation and some of the ISE GUI operations
have been reduced in this simulation.
Not all the links on each of the ISE GUI screen works, if some of the links are not working on a
screen, click Home to go back to the Home page first. From the Home page, you can access all
the required screens.
To view some larger GUI screens, use the simulation window scroll bars. Some of the larger GUI
screens only shows partially but will include all information required to complete this simulation.

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

72

Which two of the following statements are correct? (Choose two.)

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

73

A. The ISE is not able to successfully connect to the hq-srv.secure-x. local AD server.
B. The ISE internal endpoints database is used authenticate any users not in the Active Directory
domain.
C. The ISE internal user database has two accounts enabled: student and test that maps to the
Employee user identity group.
D. Guest_Portal_Sequence is a built-in identity source sequence.
Answer: BD

QUESTION 216
By default, how many days does Cisco ISE wait before it purges the expired guest accounts?
A.
B.
C.
D.

1
10
15
20

Answer: C

QUESTION 217
In Cisco ISE 1.3, which feature is available to a sponsor in a sponsor group?
A.
B.
C.
D.

Help employees add and manage new devices by entering the MAC address for the device.
Restrict sponsors from viewing guest passwords.
Allow the user to download a native supplicant profile.
Reinstate or delete devices that were registered previously.

Answer: B

QUESTION 218
Which option is one method for transporting security group tags throughout the network?
A.
B.
C.
D.

by embedding the SGT in the IP header


via Security Group Exchange Protocol
by embedding the SGT in the 802.1Q header
by enabling 802.1AE on every network device

Answer: B

QUESTION 219
Which two options can a sponsor select to create bulk guest accounts from the sponsor portal?
(Choose two.)
A.
B.
C.
D.
E.

Known
Random
Monthly
Imported
Daily

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

74

F. Yearly
Answer: BD

QUESTION 220
Which components must be selected for a client provisioning policy to do a Posture check on the
Cisco ISE?
A.
B.
C.
D.

Configuration Wizard, Wizard Profile


Remediation Actions, Posture Requirements
Operating System, Posture Requirements
Agent, Profile, Compliance Module

Answer: D

QUESTION 221
How many bits are in a security group tag?
A.
B.
C.
D.

64
8
16
32

Answer: C

QUESTION 222
Which attribute is needed for Cisco ISE to profile a device with HTTP probe?
A.
B.
C.
D.
E.
F.

user-agent
OUI
host-name
cdp-cache-platform
dhcp-class-identifier
sysDescr

Answer: A

QUESTION 223
Which two posture redirect ACLs and remediation DACLs must be pushed from Cisco ISE to a
Cisco IOS switch if the endpoint must remediate itself The ISE IP address is 10.201.228.76 and
the IP address of the remediating server is 10.201.229.1. (Choose two.)
A. ip access-l ex ACL-POSTURE-REDIRECT
deny udp any any eq domain
deny ip any host 10.201.228.76
permit tcp any any eq 80 permit tcp any any eq 443
B. ip access-l ex ACL-POSTURE-REDIRECT
deny udp any any eq domain
deny ip any host 10.201.228.76

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

75

C.

D.

E.

F.

deny ip any host 10.201.229.1


permit tcp any any eq 80
permit tcp any any eq 443
ip access-l ex ACL-POSTURE-REDIRECT
deny udp any any eq domain
permit ip any host 10.201.228.76
permit ip any host 10.201.229.1 deny ip any any
POSTURE_REMEDIATION DACL
permit udp any any eq domain
permit tcp any host 10.201.228.76
permit tcp any any eq 80
permit tcp any any eq 443
POSTURE_REMEDIATION DACL
permit udp any any eq domain
deny tcp any host 10.201.228.76
permit tcp any any eq 80
permit tcp any any eq 443
permit ip any host 10.210.229.1
POSTURE_REMEDIATION DACL
permit udp any any eq domain
deny tcp any host 10.201.228.76
deny ip any host 10.210.229.1
permit tcp any any eq 80
permit tcp any any eq 443

Answer: BD

QUESTION 224
Scenario:
Currently, many users are expehecing problems using their AnyConnect NAM supplicant to login
to the network. The rr desktop support staff have already examined and vehfed the AnyConnect
NAM configuration is correct.
In this simulation, you are tasked to examine the various ISE GUI screens to determine the ISE
current configurations to help isolate the problems. Based on the current ISE configurations, you
will need to answer three multiple choice questions.
To access the ISE GUI, click on the ISE icon in the topology diagram to access the ISE GUI.
Not all the ISE GUI screen are operational in this simulation and some of the ISE GUI operations
have been reduced in this simulation.
Not all the links on each of the ISE GUI screen works, if some of the links are not working on a
screen, click Home to go back to the Home page first. From the Home page, you can access all
the required screens.
To view some larger GUI screens, use the simulation window scroll bars. Some of the larger GUI
screens only shows partially but will include all information required to complete this simulation.

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

76

Which of the following statement is correct?

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

77

A.
B.
C.
D.

Currently,IT users who successfully authenticate will have their packets tagged withaSGTof3.
Currently,ITusers who successfully authenticate will be assigned to VLAN 9.
Currently, any domain administrator who successfully authenticate will be assigned to VLAN 10.
Computers belonging to the secure-x domain which passes machine authentication but failed
user authentication will have the Employee_Restricted_DACL applied.
E. Print Servers matching the Linksys-PrintServer identity group will have the following access
restrictions:permit icmp any host 10.10.2.20 permit tcp any host 10.10.2.20 eq 80 permit icmp any
host 10.10.3.20 permit tcp any host 10.10.3.20 eq 80 deny ip any any
Answer: C

QUESTION 225
Refer to the exhibit. If the user matches the given TACACS+ profile on Cisco ISE, which
command can the user enter from shell prompt on a Cisco switch?

A.
B.
C.
D.

enable
enable 10
show run
configure terminal

Answer: B

QUESTION 226
During BYOD flow, where does a Microsoft Windows 8.1 PC download the Network Setup

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

78

Assistant from?
A.
B.
C.
D.

from Cisco App Store


from Cisco ISE directly
from Microsoft App Store
It uses the native OTA functionality.

Answer: B

QUESTION 227
Which two attributes are delivered by the DHCP probe to the Cisco ISE? (Choose two.)
A.
B.
C.
D.
E.

dhcp-client-identifier
framed-IP-address
host-name
calling-station-ID
MAC address

Answer: AC

QUESTION 228
Which option is the correct redirect-ACL for Wired-CWA, with 10.201.228.76 being the Cisco ISE
IP address?
A. ip access-l ex ACL-WEBAUTH-REDIRECT
deny udp any any eq domain
deny ip any host 10.201.228.76
permit tcp any any eq 80
permit tcp any any eq 443
B. ip access-l ex ACL-WEBAUTH-REDIRECT
permit udp any any eq domain
permit ip any host 10.201.228.76
deny tcp any any eq 80
permit tcp any any eq 443
C. ip access-l ex ACL-WEBAUTH-REDIRECT
deny udp any any eq domain
permit tcp any host 10.201.228.76 eq 8443
deny ip any host 10.201.228.76
permit tcp any any eq 80
permit tcp any any eq 443
D. ip access-l ex ACL-WEBAUTH-REDIRECT
permit udp any any eq domain
deny ip any host 10.201.228.76
permit tcp any any eq 80
permit tcp any any eq 443
Answer: A

QUESTION 229
In Cisco ISE 1.3 and above, which two operations are allowed on Endpoint Certificates pages for
issued endpoint certificates on the admin portal? (Choose two.)

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

79

A.
B.
C.
D.
E.

unrevoke
delete
view
export
revoke

Answer: CE

QUESTION 230
Which statement about the CAK is true?
A. It is the master key that generates the other keys that MACsec requires.
B. Failed MACsec connections fall back to MAB by default.
C. It is the key that is used to discover MACsec peers and perform key negotiation between the
peers.
D. It is the secret key that encrypts traffic during the connection.
E. It is the key that is used to negotiate session encryption keys.
Answer: A

QUESTION 231
Which remediation type ensures that Automatic Updates configuration is turned on Windows
clients per security policy to remediate Windows clients for posture compliance?
A.
B.
C.
D.
E.

AS Remediation
File Remediation
Launch Program Remediation
Windows Update Remediation
Windows Server Update Services Remediation

Answer: D

QUESTION 232
Which command on the switch ensures that the Service-Type attribute is sent with all RADIUS
authentication request?
A.
B.
C.
D.

radius-server attribute 8 include-in-access-req


radius-server attribute 25 access-request include
radius-server attribute 6 on-for-login-auth
radius-server attribute 31 send nas-port-detail

Answer: C

Get Latest & Actual 300-208 Exam's Question and Answers from Passleader.
http://www.passleader.com

80