An organization wants to standardize the 802.1X configuration on their switches and remove static ACLs on the switch ports while allowing Cisco ISE to communicate to the switch what access to provide. What must be configured to accomplish this task?
A. dynamic access list within the authorization profile
B. extended access-list on the switch for the client
C. security group tag within the authorization policy
D. port security on the switch based on the client's information
It states "Dynamic ACL". https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/212419-configure-per-user-dynamic-access-contro.html
The answer is A.
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-11/config-guide/b_wl_17_eleven_cg/m_dACL.pdf
"ACLs to a connected Cisco ISE server and download them to the controller when a wireless client joins. Such ACLs are referred to as downloadable ACLs, per-user Dynamic ACLs, or dACLs."
C is the correct answer--I am going against the mainstream here... Don't confuse Dynamic ACL with Downloadable ACL (DACL) (see https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html). ISE doesn't dictate dynamic ACLs; I think the question is hinting at SGACL, where ISE pushes the Egress policy (matrix) to all TrustSec clients along with the CTS environment data. Therefore ISE is instructing the switch for access control, and BTW TrustSec is intended to replace static ACLs within the enterprise infrastructure (see comment below).
Correct is A - DACL.
---
SGACL does NOT override Port ACL for sure. Port ACL is overridden only by dACL (downloadable or dynamic – they are sometimes used with the same meaning).
Real case:
“We are moving from traditional DACL to SGACL and we've noticed that the existing static ACL applied to the port that enforces the traffic when the device has not authenticated yet into the network, overrides the SGACL downloaded from ISE. With DACL this does not happen and the DACL has higher priority over the port ACL, but for some reason this is not the case for SGACLs.”
Advised solution:
“To retain your Port ACL and use SGT/SGACL you'd probably have to have an ISE authz policy that assigns an SGT as well as a "permit any" DACL to negate the Port ACL.”
https://community.cisco.com/t5/network-access-control/port-acl-overrides-sgacl/td-p/4621584
SGTs are usable where TrustSec is deployed; the question simply asks about a better way of handling ACLs, and the substitute for static ACLs should be Dynamic ACLs configured in ISE Authorisation Profiles.
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/212419-configure-per-user-dynamic-access-contro.html
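As an added example (not from this thread or from Cisco), a small parser for the cisco-av-pair values an Access-Accept from ISE can carry, so a defender can tell from RADIUS logs whether a session was authorized with a dACL reference, inline per-user ACEs, or only an SGT. The attribute syntaxes (ACS:CiscoSecure-Defined-ACL, cts:security-group-tag, ip:inacl#N) follow Cisco's documented conventions as I understand them and the sample values are constructed; the "replaces port ACL" rule encodes the precedence claim made in the comment above, not a verified switch behaviour.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of cisco-av-pair values in an Access-Accept (assumed syntax).
SAMPLE_AV_PAIRS = [
    "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_IPV4_TRAFFIC-57f6b0d3",
    "cts:security-group-tag=0003-00",
    "ip:inacl#1=permit tcp any host 10.0.0.5 eq 443",
    "ip:inacl#2=deny ip any any",
]

DACL_RE = re.compile(r"^ACS:CiscoSecure-Defined-ACL=(.+)$")
SGT_RE = re.compile(r"^cts:security-group-tag=([0-9a-fA-F]{4})-([0-9a-fA-F]{2})$")
ACE_RE = re.compile(r"^ip:inacl#(\d+)=(.+)$")


@dataclass
class Authorization:
    dacl_name: Optional[str] = None        # dACL the switch must then download from ISE
    sgt: Optional[int] = None              # Security Group Tag, decimal
    per_user_aces: list = field(default_factory=list)  # inline ACEs in sequence order
    unknown: list = field(default_factory=list)        # anything we did not recognise


def parse_av_pairs(pairs):
    """Classify each AV pair; unknown pairs are kept so they can be reviewed."""
    auth = Authorization()
    aces = {}
    for p in pairs:
        m = DACL_RE.match(p)
        if m:
            auth.dacl_name = m.group(1)
            continue
        m = SGT_RE.match(p)
        if m:
            auth.sgt = int(m.group(1), 16)  # hex tag value, generation id ignored
            continue
        m = ACE_RE.match(p)
        if m:
            aces[int(m.group(1))] = m.group(2)
            continue
        auth.unknown.append(p)
    auth.per_user_aces = [aces[k] for k in sorted(aces)]
    return auth


def replaces_port_acl(auth):
    """Per the thread's claim: a dACL or per-user ACL overrides the port ACL, an SGT alone does not."""
    return auth.dacl_name is not None or bool(auth.per_user_aces)
```

Run `parse_av_pairs` over the AV pairs in your RADIUS accounting or ISE live-log export to confirm that sessions meant to drop the static port ACL actually received a dACL and not only an SGT.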
Community vote distribution: A (35%), C (25%), B (20%), Other