Exam 350-401 topic 1 question 409 discussion

"It is recommended to use the Company Internal CA for Admin and EAP certificates, and a publicly-signed certificate for Guest/Sponsor/Hotspot/etc portals. The reason is that if a user or guest comes onto the network and ISE portal uses a privately-signed certificate for the Guest Portal, they get certificate errors or potentially have their browser block them from the portal page. To avoid all that, use a publicly-signed certificate for Portal use to ensure better user experience". Thanks @jj970us for the reference - https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215621-tls-ssl-certificates-in-ise.html

A is the 'best' solution , but I have done 'D' in the past - faster and cheaper :)

Good luck trying even to convince all contractors users to install a certificate into their devices. I double dare you.

It´s A By installing a certificate from a trusted third-party CA on the Cisco ISE, we ensure that the certificate is recognized and trusted by most devices, including those used by contractors, without requiring any changes on the contractor devices themselves.

Here's why this solution is appropriate: Trusted by All: A trusted third-party certificate (from a well-known Certificate Authority) is universally trusted by most devices, including those of contractors and employees. Avoiding Manual Configuration: By using a third-party certificate, you avoid the need to manually install certificates on each contractor's device, which is impractical and not user-friendly. Seamless Experience: This approach provides a seamless experience for all users, as their devices will recognize and trust the certificate without any additional configuration. Thus, installing a trusted third-party certificate on Cisco ISE ensures that all users, regardless of their device configuration, can access the portal without encountering certificate errors.

A is the answer. The certificate needs to be trusted by contractor's computers, which will not trust the internal CA of the company.

A is correct

tricky question with several meaning from Cisco again, looks like they don't want to check your knowledge but want to make you get mistake and pay for the exam again (capitan obvious). So, they didn't mention in the question anything about kind of contractor devices , right? it can be anything , even something very old without the last chain of "green" public CAs, right? In this case there is only one option - it's adding the ISE cert to trusted on on all devices. I'd choose D.

If the issue is not happening with employees devices means that the certificate on ISE is signed by an Internal CA recognised by employees devices Installing a third-party certificate on ISE has a cost, while installing a internal CA signed certificate on contractor devices does not. And since they are your contractors,i.e. work for you, you can do this certificate installation. It is not like providing public wifi to citizens. I think in this case the right answer is D.

A is the answer. The certificate needs to be trusted by contractor's computers, which will not trust the internal CA of the company.

Contractors would get a certificate error if the answer would be B) because they don't trust the CA from the Company. So answer is A)

It is A

Reference: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215621-tls-ssl-certificates-in-ise.html