Exam 300-715 topic 1 question 207 discussion

Prior to Cisco Identity Services Engine (ISE) 3.1, ISE provisions the certificates to endpoints with MAC Addresses seen by ISE under SAN field. Because of Randomized MAC Address, Cisco ISE sees different MAC Address when on-boarding these endpoints through BYOD flow. So, there is going to be mismatch in MAC Address imprinted under Certificate’s SAN field, seen by ISE and actual MAC Address. From Cisco Identity Services Engine (ISE) 3.1 onwards, ISE can provision the Certificates with GUID along with MAC Address under SAN field so that administrator can track the endpoint through unique parameter (GUID) from Context Visibility .

Having the MAC in the certificate is exactly what the scenario is trying to avoid.

Correct answer A. Configure GUID for Connected MDM Servers To check if an MDM server you have already connected to Cisco ISE supports the latest Cisco ISE MDM APIs and can send GUID information, carry out the following steps: In the Cisco ISE GUI, click the Menu icon () and choose Administration > Network Resources > External MDM. In the MDM Servers window, check the check box for the MDM server you want to update, and click Edit. Click Test Connection. If the MDM server supports Cisco ISE MDM APIs Version 3, a new section called Device Identifiers is displayed. Check the check boxes for one or more of the following options that you want to enable: Cert - SAN URI, GUID Cert - CN, GUID Legacy MAC Address https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_secure_wired_access.html

from (SAN) drop-down list, choose MAC Address and GUID. To handle random and changing MAC addresses in BYOD flows, the Cisco ISE provisioning service generates a GUID value for Windows, iOS, and Android endpoints. If you have configured the Subject Alternative Name (SAN) of your certificate to include the GUID value to handle random MAC addresses in a BYOD flow, choose Subject - Common Name as the certificate attribute for identity validation when you configure a Certificate Authentication Profile to authenticate AD users.

B isn't correct,.. why look for the MAC? We don't know what it is,.. it can change we don't want to use this combination we only want GUID but that is not a choice here

I will go for B based on this: Cisco ISE 3.1 can now look up devices with GUID As explained in the release notes for Cisco ISE 3.1, this new version employs a different approach to locating devices on a network. Admins can configure ISE to use a globally unique identifier (GUID), to identify devices and interface about them with an MDM service. The Jamf Pro integration for Cisco ISE now allows for all communications between the two solutions about devices to use GUID instead of MAC addresses. This new device identification method also solves for environments where dongles and multiple network interfaces would cause lookups to fail. https://www.jamf.com/blog/cisco-ise-31-mdm-solutions/

B. MAC Address and GUID ( ISE 3.1 and above)

Could it be option C? Official Cert GUide SISE : The ISE GUI also allows you to customize the Subject Alternative Name (SAN) field, which is meant to carry a number of different attributes, each designed to aid in the identification of the certificate. You can add the following customizations for the SAN field: ■■ DNS Name: This is the FQDN of the ISE node. If the certificate will be a wildcard certificate, be sure to specify the wildcard notation (*). ■■ IP Address: This is the IP address of the ISE node associated with the certificate. ■■ Uniform Resource Name: This is the URI associated with the certificate. ■■ Directory Name: This is a string representation of the distinguished name (DN). DNs are defined in RFC 2253.

B is right: "Subject Alternative Name (SAN): Currently, only value available is the MAC Address." Currently, only value available is the MAC Address."

Should be B