Exam 350-701 topic 1 question 242 discussion

Correct answer should be D

Answer should be C https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215419-ise-session-management-and-posture.html step 3. Posture assessment happens. step 4. Session marked as Compliant. step 5. Change of Authorization (COA) triggered by posture status change leads to re-authentication of the endpoint to apply the next access level.

C is the "benefit "

Cisco Identity Services Engine (ISE) Posture Policy is used to verify that endpoints comply with security policies before granting them network access. When an endpoint is compliant with the posture policy, ISE can apply a Change of Authorization (CoA). CoA dynamically updates the endpoint’s access privileges without requiring the user to reconnect. If the endpoint is non-compliant, ISE can restrict access to a remediation VLAN or apply a quarantine policy. Why not the other options? A. It adds endpoints to identity groups dynamically. While ISE can dynamically categorize endpoints, this is not a direct function of posture compliance. B. It allows the endpoint to authenticate with 802.1X or MAB 802.1X and MAB (MAC Authentication Bypass) occur before posture assessment, meaning compliance does not impact authentication. D. It verifies that the endpoint has the latest Microsoft security patches installed Posture policies can check for security patches, but ensuring compliance does not guarantee the latest patches are installed.

Answer c

We need to answer based on the question, the question asked for benefit. Should be D. Since CoA is mechanism, not benefit, authentication with dot1x and MAB also not a benefit.

Option C remains the most appropriate answer because it directly addresses the capability of applying CoA based on endpoint compliance status, which is a key benefit of posture assessment and enforcement in Cisco ISE. Therefore, while option D is a valuable functionality, option C offers a more comprehensive and overarching benefit of posture compliance in Cisco ISE. It highlights the dynamic access control and policy enforcement capabilities enabled by CoA based on the endpoint's security posture. In conclusion, while option D reflects a significant aspect of posture policies, option C provides a more encompassing benefit by emphasizing the dynamic access control and policy enforcement possibilities through CoA based on the endpoint's overall security posture.

CoA is not a benefit, it is mechanism

D is correct

C is the correct answer for me. An endpoint (PC) having the latest Microsoft security patches installed, is part of the compliant posture policy defined in ISE. So, an and point cannot be said to be compliant without this Microsoft patch and the other necessary patches for the other applications running on that pc. The patches are determined by the company in function of its business applications.

It must be D. It cannot be C because CoA also happens if the endpoint is not compliant. " Validating a Posture Requirement Request Once the client (an endpoint) is authenticated on the network, the client can be granted limited access on the network. For example, the client can access remediation-only resources on the network. The NAC Agent that is installed on the client validates the requirements for an endpoint and the endpoint is moved to a compliant state upon successful validation of the requirements. If the endpoint satisfies the requirement, a compliance report will be sent to the Cisco ISE node that assumes the Policy Service persona and the run-time services triggers a Change of Authorization (CoA) for the posture compliant status. If the endpoint fails to satisfy the requirement, a noncompliance report will be sent to the Cisco ISE node that assumes the Policy Service persona and the run-time services triggers a CoA for the posture noncompliant status." source: https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1496783

This is what I have been thinking about too but I am not sure...I'm tilting towards "C" 5. Change of Authorization (COA) triggered by posture status change leads to re-authentication of the endpoint to apply the next access level. https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215419-ise-session-management-and-posture.html

Please stop voting for C, it is not the right answer. CoA is not a benefit, it's just the action as result of the compliance status whether it is compliant, noncompliant, or unknown. If you read the question carefully "Which benefit is provided by ensuring that an endpoint is compliant.." if checking for the latest MS security patches is what the posture policy is looking for, then that would be the benefit, answer is D.

The key here, is allowing COA is not a "benefit", rather the expected behaviour once the endpoint is compliant, to grant full access.

for me it is D, why ask about benefits

The correct answer is B, i.e., ensuring that an endpoint is compliant with a posture policy configured in Cisco ISE allows the endpoint to authenticate with 802.1x or MAB (MAC Authentication Bypass). Posture assessment is a feature in Cisco ISE that checks the security status of endpoints before allowing them access to the network. The posture assessment can check various aspects of the endpoint's security status, such as antivirus status, patch level, and software versions. If the endpoint is found to be non-compliant, it can be redirected to a remediation server to update its security status. Once the endpoint is found to be compliant with the posture policy, it can be granted access to the network. Depending on the configuration, the endpoint may be required to authenticate using 802.1x or MAB. This authentication process ensures that only authorized devices are allowed access to the network.

The correct answer is option C: It allows CoA to be applied if the endpoint status is compliant. Posture policies in Cisco ISE provide the ability to check the compliance of endpoints with regard to specific security settings or configurations, such as antivirus software or the latest security patches. This allows network administrators to ensure that all endpoints on the network meet the required security standards and are not a risk to the network. When an endpoint is found to be noncompliant with a posture policy, the Cisco ISE can initiate remediation actions, such as quarantining the endpoint or restricting its network access until it meets the policy requirements. Once an endpoint is compliant, a Change of Authorization (CoA) can be sent to allow the endpoint full network access.