The best Cisco CCNP Security 300-208 dumps exam questions and answers download free try from lead4pass. New Cisco CCNP Security 300-208 dumps pdf materials and vce youtube demo update free shared. “Implementing Cisco Secure Access Solutions” is the name of Cisco CCNP Security https://www.lead4pass.com/300-208.html exam dumps which covers all the knowledge points of the real Cisco exam. Useful latest Cisco CCNP Security 300-208 dumps pdf training resources and study guides free download, pass Cisco 300-208 exam test easily.
Vendor: Cisco
Certifications: CCNP Security
Exam Name: Implementing Cisco Secure Access Solutions
Exam Code: 300-208
Total Questions: 310 Q&As
Latest Cisco 300-208 dumps pdf materials: https://drive.google.com/open?id=0B_7qiYkH83VRWWVtSWlTWENZMzA
Latest Cisco 300-206 dumps pdf materials: https://drive.google.com/open?id=0B_7qiYkH83VRckk2V1ZwWXl5dVk
New Cisco CCNP Security 300-208 Dumps Exam Questions And Answers (11-40)
QUESTION 11
You have configured a Cisco ISE 1.2 deployment for self-registration of guest users.
What two options can you select from to determine when the account duration timer begins? (Choose two.)
A. CreateTime
B. FirstLogin
C. BeginLogin
D. StartTime
Correct Answer: AB
QUESTION 12
Which type of access list is the most scalable that Cisco ISE can use to implement network authorization enforcement for a large number of users?
A. downloadable access lists
B. named access lists
C. VLAN access lists
D. MAC address access lists
Correct Answer: A
QUESTION 13
An organization has recently deployed ISE with Trustsec capable Cisco switches and would like to allow differentiated network access based on user groups. Which solution is most suitable for achieving these goals?
A. Cyber Threat Defense for user group control by leveraging Netflow exported from the Cisco switches and identity information from ISE
B. MACsec in Multiple-Host Mode in order to encrypt traffic at each hop of the network infrastructure
C. Identity-based ACLs preconfigured on the Cisco switches with user identities provided by ISE
D. Cisco Security Group Access Policies to control access based on SGTs assigned to different user groups
Correct Answer: D
QUESTION 14
Which two Cisco ISE administration options are available in the Default Posture Status setting? (Choose two.)
A. Unknown
B. Compliant
C. FailOpen
D. FailClose
E. Noncompliant
Correct Answer: BE
QUESTION 15
Which command would be used in order to maintain a single open connection between a network access device and a tacacs server?
A. tacacs-server host timeout
B. tacacs-server host single-connection
C. tacacs-server host andlt;ip addressandgt;
D. tacacs-server host andlt;ip addressandgt; single-connection
Correct Answer: D
QUESTION 16
Which statement about system time and NTP server configuration with Cisco ISE is true?
A. The system time and NTP server settings can be configured centrally on the Cisco ISE.
B. The system time can be configured centrally on the Cisco ISE, but NTP server settings must be configured individually on each ISE node.
C. NTP server settings can be configured centrally on the Cisco ISE, but the system time must be configured individually on each ISE node.
D. The system time and NTP server settings must be configured individually on each ISE node.
Correct Answer: D
QUESTION 17
Which valid external identity source can be used with Cisco ISE? 300-208 dumps
A. IPsec vpn authentication
B. smart card
C. local user name and password
D. TACACS+ token
Correct Answer: B
QUESTION 18
Changes were made to the ISE server while troubleshooting, and now all wireless certificate authentications are failing.
Logs indicate an EAP failure. What is the most likely cause of the problem?
A. EAP-TLS is not checked in the Allowed Protocols list
B. Certificate authentication profile is not configured in the Identity Store
C. MS-CHAPv2-is not checked in the Allowed Protocols list
D. Default rule denies all traffic
E. Client root certificate is not included in the Certificate Store
Correct Answer: A
QUESTION 19
Which functionality does the Cisco ISE self-provisioning flow provide?
A. It provides support for native supplicants, allowing users to connect devices directly to the network.
B. It provides the My Devices portal, allowing users to add devices to the network.
C. It provides support for users to install the Cisco NAC agent on enterprise devices.
D. It provides self-registration functionality to allow guest users to access the network.
Correct Answer: A
QUESTION 20
Which option is the code field of n EAP packet?
A. one byte and 1=request, 2=response 3=failure 4=success
B. two byte and 1=request, 2=response, 3=success, 4=failure
C. two byte and 1=request 2=response 3=failure 4=success
D. one byte and 1=request 2=response 3=success 4=failure
Correct Answer: D
QUESTION 21
In a basic ACS deployment consisting of two servers, for which three tasks is the primary server responsible? (Choose three.)
A. configuration
B. authentication
C. sensing
D. policy requirements
E. monitoring
F. repudiation
Correct Answer: ABD
QUESTION 22
During client provisioning on a Mac OS X system, the client system fails to renew its IP address. Which change can you make to the agent profile to correct the problem?
A. Enable the Agent IP Refresh feature.
B. Enable the Enable VLAN Detect Without UI feature.
C. Enable CRL checking.
D. Edit the Discovery Host parameter to use an IP address instead of an FQDN.
Correct Answer: A
QUESTION 23
A network administrator has just added a front desk receptionist account to the Cisco ISE Guest Service sponsor group.
Using the Cisco ISE Guest Sponsor Portal, which guest services can the receptionist provide?
A. Authenticate guest users to Cisco ISE.
B. Keep track of guest user activities.
C. Create and manage guest user accounts.
D. Configure authorization setting for guest users.
Correct Answer: C
QUESTION 24
Which two profile attributes can be collected by a Cisco Wireless LAN Controller that supports Device Sensor? (Choose two.)
A. LLDP agent information
B. user agent
C. DHCP options
D. open ports
E. CDP agent information
F. FQDN
Correct Answer: BC
QUESTION 25
A security administrator wants to profile endpoints and gain visibility into attempted authentications. Which 802.1x mode allows these actions?
A. monitor mode
B. high-security mode
C. closed mode
D. low-impact mode
Correct Answer: A
QUESTION 26
Where is dynamic SGT classification configured?
A. Cisco ISE
B. NAD
C. supplicant
D. RADIUS proxy
Correct Answer: A
QUESTION 27
By default, how many days does Cisco ISE wait before it purges the expired guest accounts?
A. 1
B. 10
C. 15
D. 20
Correct Answer: C
QUESTION 28
Which command on the switch ensures that the Service-Type attribute is sent with all RADIUS authentication request?
A. radius-server attribute 8 include-in-access-req
B. radius-server attribute 25 access-request include
C. radius-server attribute 6 on-for-login-auth
D. radius-server attribute 31 send nas-port-detail
Correct Answer: C
QUESTION 29
A network administrator is seeing a posture status andquot;unknownandquot; for a single corporate machine on the Cisco ISE authentication report, whereas the other machines are reported as andquot;compliantandquot;. 300-208 dumps Which option is the reason for machine being reported as andquot;unknownandquot;?
A. Posture agent is not installed on the machine.
B. Posture policy does not support the OS.
C. Posfure compliance condition is missing on the machine.
D. Posture service is disabled on Cisco ISE.
Correct Answer: A
QUESTION 30
Cisco 802.1X phasing enables flexible deployments through the use of open, low-impact, and closed modes. What is a unique characteristic of the most secure mode?
A. Granular ACLs applied prior to authentication
B. Per user dACLs applied after successful authentication
C. Only EAPoL traffic allowed prior to authentication
D. Adjustable 802.1X timers to enable successful authentication
Correct Answer: C
QUESTION 31
Which components must be selected for a client provisioning policy to do a Posture check on the Cisco ISE?
A. Configuration Wizard, Wizard Profile
B. Remediation Actions, Posture Requirements
C. Operating System, Posture Requirements
D. Agent, Profile, Compliance Module
Correct Answer: D
QUESTION 32
Which effect does the ip http secure-server command have on a Cisco ISE?
A. It enables the HTTP server for users to connect on the command line.
B. It enables the HTTP server for users to connect by using web-based authentication.
C. It enables the HTTPS server for users to connect by using web-based authentication.
D. It enables the HTTPS server for users to connect on the command line.
Correct Answer: C
QUESTION 33
Refer to the exhibit.
Which two things must be verified if authentication is failing with this error message? (Choose two.)
A. Cisco ISE EAP identity certificate is valid.
B. CA cert chain of Cisco ISE EAP certificate is installed on the trusted certs store of the client machine.
C. CA cert chain of the client certificate is installed on Cisco ISE.
D. Cisco ISE HTTPS/admin certificate is valid.
E. Cisco ISE server certificate is installed on the client.
Correct Answer: AB
QUESTION 34
Which two Active Directory authentication methods are supported by Cisco ISE? (Choose two.)
A. MS-CHAPv2
B. PEAP
C. PPTP
D. EAP-PEAP
E. PPP
Correct Answer: AB
QUESTION 35
Which two EAP types require server side certificates? (Choose two.)
A. EAP-TLS
B. PEAP
C. EAP-MD5
D. LEAP
E. EAP-FAST
F. MSCHAPv2
Correct Answer: AB
QUESTION 36
In this simulation, you are task to examine the various authentication events using the ISE GUI. For example, you should see events like Authentication succeeded. Authentication failed and etc…
Which two statements are correct regarding the event that occurred at 2014-05-07 00:16:55.393? (Choose two.)
A. The failure reason was user entered the wrong username.
B. The supplicant used the PAP authentication method.
C. The username entered was it1.
D. The user was authenticated against the Active Directory then also against the ISE interal user database and both fails.
E. The NAS switch port where the user connected to has a MAC address of 44:03:A7:62:41:7F
F. The user is being authenticated using 802.1X.
G. The user failed the MAB.
H. The supplicant stopped responding to ISE which caused the failure.
Correct Answer: CF
QUESTION 37
Which command can check a AAA server authentication for server group Group1, user cisco, and password cisco555 on a Cisco ASA device? 300-208 dumps
A. ASA# test aaa-server authentication Group1 username cisco password cisco555
B. ASA# test aaa-server authentication group Group1 username cisco password cisco555
C. ASA# aaa-server authorization Group1 username cisco password cisco555
D. ASA# aaa-server authentication Group1 roger cisco555
Correct Answer: A
QUESTION 38
In an 802.1X authorization process, a network access device provides which three functions? (Choose three.)
A. Filters traffic prior to authentication
B. Passes credentials to authentication server
C. Enforces policy provided by authentication server
D. Hosts a central web authentication page
E. Confirms supplicant protocol compliance
F. Validates authentication credentials
Correct Answer: ABC
QUESTION 39
What steps must you perform to deploy a CA-signed identify certificate on an ISE device?
A. 1. Download the CA server certificate.
2. Generate a signing request and save it as a file.
3. Access the CA server and submit the ISE request.
4. Install the issued certificate on the ISE.
B. 1. Download the CA server certificate.
2. Generate a signing request and save it as a file.
3. Access the CA server and submit the ISE request.
4. Install the issued certificate on the CA server.
C. 1. Generate a signing request and save it as a file.
2. Download the CA server certificate.
3. Access the ISE server and submit the CA request.
4. Install the issued certificate on the CA server.
D. 1. Generate a signing request and save it as a file.
2. Download the CA server certificate.
3. Access the CA server and submit the ISE request.
4. Install the issued certificate on the ISE.
Correct Answer: A
QUESTION 40
Which method does Cisco prefer to securely deploy guest wireless access in a BYOD implementation?
A. deploying a dedicated Wireless LAN Controller in a DMZ
B. configuring a guest SSID with WPA2 Enterprise authentication
C. configuring guest wireless users to obtain DHCP centrally from the corporate DHCP server
D. disabling guest SSID broadcasting
Correct Answer: A
Why Choose Lead4 pass?
Lead4pass is the best IT learning material provider. Other brands appeared early, the Cisco CCNP Security 300-208 dumps exam questions are not the latest and it is very expensive. Lead4pass provide the newest and cheapest questions and answers. Lead4pass is the correct choice for IT learning materials, help you pass your exam easily.
The Following Are Some Reviews From Our Customers:
You can click here to have a review about us: https://www.resellerratings.com/store/lead4pass
With the help of latest and authentic Cisco CCNP Security 300-208 dumps exam questions, you can find the best 300-208 exam preparation kit here and you will also get the 100% guarantee for passing the Cisco exam. Latest Cisco CCNP Security https://www.lead4pass.com/300-208.html dumps pdf training resources which are the best for clearing 300-208 exam test, and to get certified by Cisco CCNP Security. 100% success and guarantee to pass Cisco 300-208 exam.
Best Cisco CCNP Security 300-208 dumps vce youtube: