A network engineer needs to deploy 802.1x using Cisco ISE in a wired network environment where thin clients download their system image upon bootup using PXE. For which mode must the switch ports be configured?
C and D are correct.
Monitor mode will work fine.
Low-Impact mode will wor as well, as long as you allow DHCP, DNS, and TFTP (including all UDP to FTP servers)
https://community.cisco.com/t5/network-access-control/pc-imaging-on-nac-secured-ports/td-p/3486098
Low-impact mode allows necessary network operations (such as PXE booting) before full 802.1X authentication, providing the right balance of initial access and security enforcement. This mode is ideal for environments with thin clients that need to download their system image upon bootup.
Low impact mode:
Unless you have a strict compliance/requirement for Closed Mode, I would suggest you consider using Low Impact Mode with a restrictive pre-auth ACL that permits basic protocols like DHCP, DNS, TFTP and denies everything else. The vast majority of customers that I've worked with feel that LIM provides the necessary balance of security vs. user experience.
https://community.cisco.com/t5/network-access-control/device-sensor-without-dhcp-snooping/td-p/4303940
I agree with low impact mode -
Low impact mode allows stuff to flow before a final auth. Could be update servers (SCCM, Win Update, etc) or thin client PXE stuff. Have done this in prod in the past.
C - Monitor mode .They key word is MUST. in Low Impact mode, MIGHT not be able to get all the traffic. DHCP , DNS and EAP by default. Not sure what ports will be used when connect using PXE to DL images. Monitr mode will always work.
Low-Impact Mode–This mode builds on the monitor mode. With open access in place, IP ACLs are used to control pre-authentication and post-authentication network access. A Pre-Auth ACL on the switch port controls network access before an endpoint can successfully authenticate. A named or downloadable ACL that is received from ISE grants specific level of access upon successful authentication. The Low-Impact mode is ideal for a Preboot Execution Environment (PXE) boot environments where thin clients have to download the operating system from the network before attempting network authentication. Since devices get IP address immediately after they connect to the network, and authentication may take place in parallel or later, we recommend that you do not make VLAN changes in the Low-Impact mode.
upvoted 3 times
...
This section is not available anymore. Please use the main Exam Page.300-715 Exam Questions
Log in to ExamTopics
Sign in:
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Cachaman
1 month, 1 week agofactmrojas
9 months, 2 weeks agoXBfoundX
1 year, 5 months agoflambadone
1 year, 7 months agoredpassion
1 year, 11 months agorhylos
1 year, 11 months agoCnoteone
2 years, 1 month ago