The answer seems to be "A". Refer to that phrase from the official book: "A binary comparison takes the public certificate used by the user or device attempting access and performs a bit-for-bit comparison to a copy stored elsewhere (usually on the issuing CA)."
Page 202 of OCG: binary comparison takes the public certificate used by the user or device attempting access and performs a bit-for-bit comparison to a copy stored elsewhere (usually on the issuing CA). This setting is configured in the CAP by choosing the Perform Binary Certificate Comparison with Certificate Retrieved from LDAP or Active Directory option and selecting which LDAP or AD store will contain the copies of the public certificates.
The binary comparison function in authentication that is based on Active Directory compares the user-presented password hash and a hash stored in Active Directory.
The user enters their password, which is then hashed using a one-way function. The hash is then sent to the authentication server, which compares it to the hash stored in Active Directory. If the hashes match, the user is authenticated.
The other options are incorrect.
A user-presented certificate is not used in authentication that is based on Active Directory.
MS-CHAPv2 is a challenge-response protocol that is used to authenticate machines, not users.
The subject alternative name and the common name are fields in a certificate. They are not used in authentication that is based on Active Directory.
I think the crucial word here is "values". From the ISE admin guide: Basic certificate checking does not require an identity source. If you want binary comparison checking for the certificates, you must select an identity source. If you select Active Directory as an identity source, subject and common name and subject alternative name (all values) can be used to look up a user.
From the Cisco Learning Network course - Cisco ISE will retrieve the user certificate from the Active Directory database and compare it, based on each octet, with the received client certificate.
A - A binary comparison takes the public certificate used by the user or device attempting access and performs a bit-for-bit comparison to a copy stored elsewhere (usually on the issuing CA). This setting is configured in the CAP by choosing the Perform Binary Certificate Comparison with Certificate Retrieved from LDAP or Active Directory option and selecting which LDAP or AD store will contain the copies of the public certificates.
A is the correct answer.
Always perform binary comparison—This option always performs the binary comparison of client certificate to certificate on account in identity store (Active Directory or LDAP).
https://www.cisco.com/c/en/us/td/docs/security/ise/1-3/ISE-ADIntegrationDoc/b_ISE-ADIntegration.html
It must be D. If option A was true, certificate templates on ADCS can be configured not to store the generated certificates in AD, in which case ISE would not be able to perform the authentication since it cannot find the referenced certificate.
The other correct answer is B: MS-CHAPv2 provided machine credentials and credentials stored in Active Directory
upvoted 1 times
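Added example, not part of any comment above and not Cisco ISE code: a sketch of the bit-for-bit comparison the quoted definitions describe, including the case raised in the thread where no copy of the certificate is stored on the directory account. The function names and result strings are hypothetical, and the byte strings are constructed stand-ins, not valid X.509 certificates.

```python
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"


def to_der(cert):
    """Normalize a certificate given as DER bytes or PEM text/bytes to DER bytes."""
    if isinstance(cert, bytes):
        if not cert.lstrip().startswith(PEM_HEADER.encode()):
            return cert  # already DER
        cert = cert.decode("ascii")
    # PEM is only a base64 wrapper; the comparison must run on the DER octets.
    return ssl.PEM_cert_to_DER_cert(cert.strip())


def binary_compare(presented, stored_copies):
    """Compare the presented certificate with the copies held on the account.

    Returns "match", "mismatch" or "no-stored-copy" (hypothetical labels).
    """
    if not stored_copies:
        # Nothing was published to the directory, so there is nothing to compare.
        return "no-stored-copy"
    presented_der = to_der(presented)
    for copy in stored_copies:
        if presented_der == to_der(copy):  # octet-for-octet equality
            return "match"
    return "mismatch"


# Constructed stand-ins for DER-encoded certificates (not real X.509).
CERT_ORIGINAL = bytes.fromhex("3082000a") + b"CN=alice;serial=01"
# Same subject, reissued: the fields used for lookup agree, the octets do not.
CERT_REISSUED = bytes.fromhex("3082000a") + b"CN=alice;serial=02"
# The same original certificate as a client might present it in PEM form.
PRESENTED_PEM = ssl.DER_cert_to_PEM_cert(CERT_ORIGINAL)

if __name__ == "__main__":
    print(binary_compare(PRESENTED_PEM, [CERT_ORIGINAL]))
    print(binary_compare(CERT_REISSUED, [CERT_ORIGINAL]))
    print(binary_compare(CERT_ORIGINAL, []))
```
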
Community vote distribution
A (35%)
C (25%)
B (20%)
Other