ExamTopics Logo
Mail Us[email protected]
Menu
Cisco Discussions
exam questions

Exam 300-715 All Questions

View all questions & answers for the 300-715 exam
Go to Exam

Exam 300-715 topic 1 question 167 discussion

Actual exam question from Cisco's 300-715
Question #: 167
Topic #: 1
[All 300-715 Questions]

An engineer is configuring Cisco ISE policies to support MAB for devices that do not have 802.1X capabilities. The engineer is configuring new endpoint identity groups as conditions to be used in the AuthZ policies, but noticed that the endpoints are not hitting the correct policies. What must be done in order to get the devices into the right policies?

  • A. Create an AuthZ policy to identify Unknown devices and provide partial network access prior to profiling.
  • B. Add an identity policy to dynamically add the IP address of the devices to their endpoint identity groups.
  • C. Identify the non 802.1X supported device types and create custom profiles for them to profile into.
  • D. Manually add the MAC addresses of the devices to endpoint ID groups in the context visibility database.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by kornalt at Feb. 28, 2023, 7:32 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
denverfly
Highly Voted 1 year, 7 months ago
Selected Answer: D
The correct answer is Manually add the MAC addresses of the devices to endpoint ID groups in the context visibility database. When an endpoint connects to a network that is using MAB, the switch will learn the MAC address of the endpoint and send it to ISE. ISE will then look up the MAC address in the context visibility database to determine which endpoint ID group the endpoint belongs to. If the endpoint is not found in the database, it will be assigned to the default endpoint ID group. To ensure that the endpoints are hitting the correct policies, the engineer needs to manually add the MAC addresses of the devices to the appropriate endpoint ID groups in the context visibility database. This can be done using the Cisco ISE GUI or the CLI. Once the MAC addresses have been added to the database, the endpoints will be assigned to the correct endpoint ID groups and will be subject to the appropriate policies.
upvoted 5 times
...
NikoTomas
Most Recent 11 months ago
D is correct - " Manually add the MAC addresses ..." eBook SISE: “Even though ENDPOINT IDENTITY GROUPS were useful in very early versions of ISE, their use for profiling has been deprecated in favor of using actual endpoint profiles or logical profiles directly in the authorization policy. ... Today, ENDPOINT IDENTITY GROUPS are used for a different purpose. They are used for a MAC Address Management (MAM) model, where you can create a STATIC LIST of MAC addresses to be authorized specifically (for example, a list of all Apple iPads that are owned by the company so they can be differentiated from personally owned iPads).”
upvoted 3 times
NikoTomas
10 months, 2 weeks ago
I was wondering if A) "identify Unknown devices and provide partial network access prior to profiling" can be valid use case, BUT NO. However "Unknown profiles" in profiling (not Posturing) really exist in ISE (see https://community.cisco.com/t5/network-access-control/endpoint-profile-unkown/td-p/3801911 ) So theoretically, we can match them in the policy (I haven't tried it) and allow such endpoints limited access to allow the ISE profiler to find out more information about the endpoints - but this is nonsense, because "Unknown profile" is assigned after ISE is not able to determine the correct profile during profiling (Cisco doc in comment below). This means that profiling always happens after connecting the device (whether we do dot1x or MAB) and if Device Sensor (and then ISE) can't detect enough profiling data from DHCP and RADIUS Accounting, additional network access won't change the profiling situation. To get more profiling data from endpoint communication, another ISE probes would have to be deployed (for ex. SNMP, NetFlow, etc...), which is totally out of scope of this question.
upvoted 1 times
NikoTomas
10 months, 2 weeks ago
"Endpoint Profiling Policy for Unknown Endpoints An endpoint that does not match existing profiles and cannot be profiled in Cisco ISE is an unknown endpoint. An unknown profile is the default system profiling policy that is assigned to an endpoint, where an attribute or a set of attributes collected for that endpoint do not match with existing profiles in Cisco ISE. An Unknown profile is assigned in the following scenarios: • When an endpoint is dynamically discovered in Cisco ISE, and there is no matching endpoint profiling policy for that endpoint. • When an endpoint is statically added in Cisco ISE, and there is no matching endpoint profiling policy for a statically added endpoint, it is assigned to the unknown profile. If you have statically added an endpoint to your network, the statically added endpoint is not profiled by the profiling service in Cisco ISE. You can change the unknown profile later to an appropriate profile and Cisco ISE will not reassign the profiling policy that you have assigned." https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_010101.html#ID986
upvoted 1 times
...
...
...
DeviantSpy
1 year, 7 months ago
Selected Answer: C
I think both C and D can be correct, but since C would be more automated that would be my selection to this question.
upvoted 2 times
IETF1
1 year, 1 month ago
Agreed. C is more scalable and preferred method.
upvoted 2 times
...
...
kornalt
1 year, 10 months ago
Selected Answer: B
I think B would work better. D seems as a lot of work if you have many devices. B could automate that (with use of DHCP probe for example).
upvoted 1 times
YmerG
1 year, 10 months ago
IP address is not used in ISE, only the physical address is. So I would go for D too
upvoted 2 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel