Exam 300-715 topic 1 question 150 discussion

the command privileges for 2 - 5 are defined in ISE, not on the IOS device. If the IOS device defines the command privileges, then why do we even need ISE. When ISE is centrally managing the network devices, it configures the command privileges and the shell profile.

Correct Answer C Really poor wording, it looks like cisco hire drunk monkeys to write these questions. C. Define the Command sets for privilege levels 2-5 in Cisco ISE. D. does not make sense if you consider ISE and tacacs, the idea if to have centralized management. what if you have 1000+ devices? what if you have to remove or add a command for privilege lv 2-5?

Correct is D: „Define the command privileges for levels 2-5 in the IOS devices”. --- - Privilege level under which NAD sends commands to ISE for authorization IS NOT specified by privilege level of USER but by privilege level of COMMAND - i. e. level to which particular COMMAND belongs. https://community.cisco.com/t5/network-access-control/command-authorization-by-ise/td-p/3577202 - Commands by default belongs to level 1 or 15. Question states another levels. - "When you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to that level. ..." https://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3se/consolidated_guide/b_consolidated_3850_3se_cg_chapter_0110010.html#ref_1352530 - We for sure need to configure IOS device privilege levels with desired commands. - Answer B: “Enable the privilege levels in the IOS devices.” - not correct, as levels are not disabled, just not configured

The answer is C as west33637 is saying I have Ciso ISE so what I can do is set specific commands based the priv level Cisco ISE will give as a result, first you validate your priv level and then after that you are going to configure the specific command set that you want to use even for users that have priv 15 users

C. Define the command privileges for levels 2-5 in Cisco ISE.

The remaining privilege levels, 2 through 14, are available for customization in individual IOS devices.

The key point "Besides defining a new shell profile in Cisco ISE, what must be done to accomplish this configuration" Answer is B: https://learningnetwork.cisco.com/s/blogs/a0D3i000002eeWTEAY/cisco-ios-privilege-levels

The correct answer is Define the command privileges for levels 2-5 in Cisco ISE. Cisco ISE provides centralized authentication, authorization, and accounting (AAA) for network devices. The device administration service in Cisco ISE allows you to define custom privilege levels and assign commands to each level. To accomplish this configuration, you must define the command privileges for levels 2-5 in Cisco ISE.

Page 933 on Cisco Press book

After configuring the shell profiles and command sets in ISE you need to make shure that the command auhtorization needs to go via ISE by enabling the priv levels. See chapter 25 of the OCG