2017 November Cisco Official New Released 300-208 Dumps in Lead2pass.com!
100% Free Download! 100% Pass Guaranteed!
2017 timesaving comprehensive guides for Cisco 300-208 exam: Using latest released Lead2pass 300-208 exam questions, quickly pass 300-208 exam 100%! Following questions and answers are all new published by Cisco Official Exam Center!
Following questions and answers are all new published by Cisco Official Exam Center: https://www.lead2pass.com/300-208.html
QUESTION 251
A security administrator wants to profile endpoints and gain visibility into attempted authentications. Which 802.1x mode allows these actions?
A. monitor mode
B. high-security mode
C. closed mode
D. low-impact mode
Answer: A
Explanation:
Monitor ModeMonitor Mode is a process, not just a command on a switch. The process is to enable authentication (with authentication open), see exactly which devices fail and which ones succeed, and correct the failed authentications before they cause any problems.
QUESTION 252
Which three events immediately occur when a user clicks register on their device in a single- SSID BYOD onboarding registration process? (Choose three).
A. CA certificate is sent to the device from Cisco ISE
B. An endpoint is added to a Registered Devices identity group
C. RADIUS access request is sent to Cisco ISE
D. The profile service is sent to the device from Cisco ISE
E. DACL is sent to the device from Cisco ISE
F. BYOD registration flag is set by Cisco ISE
Answer: ABF
QUESTION 253
A company wants to allow employees to register and manage their own devices that do not support NSP. Which portals enable this?
A. MDM portals
B. Client provisioning portals
C. My devices portals
D. BYOD Portals
Answer: C
QUESTION 254
Which three options can be pushed from Cisco ISE server as part of a successful 802.1x authentication. (Choose three)
A. authentication order
B. posture status
C. authentication priority
D. vlan
E. DACL
F. reauthentication timer
Answer: DEF
QUESTION 255
With which two appliance-based products can Cisco Prime infrastructure integrate to perform centralized management?
A. Cisco content security appliance
B. Cisco email security appliance
C. Cisco wireless location appliance
D. Cisco Mobility Services Engine
E. Cisco ISE
Answer: DE
QUESTION 256
A malicious user gained network access by spoofing printer connections that were authorized using MAB on four different switch ports at the same time.
What two catalyst switch security features will prevent further violations? (Choose two)
A. DHCP Snooping
B. 802.1AE MacSec
C. Port security
D. IP Device tracking
E. Dynamic ARP inspection
F. Private VLANs
Answer: AE
Explanation:
https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/config_guide_c17-663759.html
DHCP snooping is fully compatible with MAB and should be enabled as a best practice.
Dynamic Address Resolution Protocol (ARP) Inspection (DAI) is fully compatible with MAB and should be enabled as a best practice.
In general, Cisco does not recommend enabling port security when MAB is also enabled. Since MAB enforces a single MAC address per port (or per VLAN when multidomain authentication is configured for IP telephony), port security is largely redundant and may in some cases interfere with the expected operation of MAB.
QUESTION 257
Refer to exhibit, which statement about the authentication protocol used in the configuration is true?
aaa new model
tacacs-server host 1.1.1.1 single connection
tacas-server key cisco123
A. Authentication request contains username, encrypted password, NAS IP address, and port.
B. Authentication and authorization requests are sent in a single open connection between the network device and the TACACS+ server
C. Authentication request contains username, password, NAS IP address and port.
D. Authentication and authorization request packets are grouped together in a single packet.
Answer: B
QUESTION 258
Which option is the code field of n EAP packet?
A. one byte and 1=request, 2=response 3=failure 4=success
B. two byte and 1=request, 2=response, 3=success, 4=failure
C. two byte and 1=request 2=response 3=failure 4=success
D. one byte and 1=request 2=response 3=success 4=failure
Answer: D
QUESTION 259
An engineer has discovered that a NAD is already configured to send packets to the cisco ISE node running session services, which probe profile requires the simplest configuration?
A. RADIUS
B. DHCP
C. SPAN
D. NMAP
E. HTTP
Answer: A
QUESTION 260
A network administration wants to set up a posture condition on Cisco ISE to check for the file name Posture.txt in C:\ on a Windows machine.
Which condition must the network administrator configuration?
A. Service condition
B. Registry condition
C. Application condition
D. File condition
Answer: D
QUESTION 261
Which technology performs CoA support Posture Service?
A. External root CA
B. Cisco ACS
C. Cisco ISE
D. Internal root CA
Answer: C
QUESTION 262
Which 802.1x command is needed for ACL to be applied on a switch port?
A. dot1x system-auth-control
B. dot1x pae authenticator
C. authentication port-control auto
D. radius-server vsa send authentication
E. aaa authorization network default group radius
Answer: D
QUESTION 263
You have configured a Cisco ISE1.2 deployment for self-registration of guest users.
What two options can you select from to determine when the account duration timer begins (Choose two)?
A. Createtime
B. Firstlogin
C. Approvaltime
D. Custom
E. Starttime
F. FromCreation
Answer: AB
QUESTION 264
Which two options enable security group tags to the assigned to a session?
A. Firewall
B. DHCP
C. ACL
D. Source VLAN
E. ISE
Answer: DE
Explanation:
Source VLAN is valid as it is possible to statically define the SGT mapping on the NAD (switch), on the basis of IP address or VLAN.
ISE is valid as the ISE is responsible for dynamically assigning SGTs on the basis of an authorization policy rule (eg: after dot1x, mab or CWA authentication are successful and complete).
Firewall can’t be valid as the ASA firewall doesn’t support in-line SGT tagging.
QUESTION 265
What are three ways that an SGT can be assigned to network traffic?
A. Manual binding of the IP address to an SGT
B. Manually configured on the switch port
C. Dynamically assigned by the network access device
D. Dynamically assigned by the 802.1X authorization result
E. Manually configured in the NAC agent profile
F. Dynamically assigned by the AnyConnect network access manager
Answer: ABD
QUESTION 266
What are two methods of enforcement with SGTs?
A. SG-ACLs on switches.
B. SG-ACLs on routers.
C. SG-Firewalls.
D. SG-Appliances.
E. SGTs are not enforced.
Answer: AC
QUESTION 267
Which command defines administrator CLI access in ACS5.x?
A. Application reset-passwd acs username
B. username username password password role admin
C. username username password plain password role admin
D. password-policy
Answer: C
QUESTION 268
Which two are best practices to implement profiling services in a distributed environment? (Choose two)
A. use of device sensor feature
B. configuration to send syslogs to the appropriate profiler node
C. netflow probes enabled on central nodes
D. node-specific probe configuration
E. global enablement of the profiler service
Answer: BD
Explanation:
https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_prof_pol.html#wp134
You can deploy the Cisco ISE profiler service either in a standalone environment (on a single node), or in a distributed environment (on multiple nodes). Depending on the type of your deployment and the license you have installed, the profiler service of Cisco ISE can run on a single node or on multiple nodes. You need to install either the base license to take advantage of the basic services or the advanced license to take advantage of all the services of Cisco ISE. The ISE distributed deployment includes support for the following:
· The Deployment Nodes page supports the infrastructure for the distributed nodes in the distributed deployment.
· A node specific configuration of probes–The Probe Config page allows you to configure the probe per node.
· Global Implementation of the profiler Change of Authorization (CoA). · Configuration to allow syslogs to be sent to the appropriate profiler node.
QUESTION 269
A network security engineer is considering configuring 802.1x port authentication such that a single host is allowed to be authenticated for data and another single host for voice.
Which port authentication host mode can be used to achieve this configuration?
A. single-host
B. multihost
C. multauth
D. multidomain
Answer: D
QUESTION 270
Which valid external identity source can be used with Cisco ISE?
A. IPsec vpn authentication
B. smart card
C. local user name and password
D. TACACS+ token
Answer: B
QUESTION 271
Which three statement about Windows Server Update Services remediation are true?
A. WSUS can install the latest service pack available
B. WSUS checks for automatic update configuration on Windows
C. WSUS checks for client behavior anomalies
D. WSUS remediates Windows client from a locally manage WSUS server
E. WSUS remediates Windows client from a Microsoft manage WSUS server
F. WSUS provides links to update AV/AS
Answer: ADE
QUESTION 272
An engineer wants do allow dynamic vlan assignment from ISE.
What must be configured on the switch?
A. DTP
B. VTP
C. AAA authentication
D. AAA authorization
Answer: C
QUESTION 273
What are three portals provided by PSN?
A. Monitor
B. Admin
C. Tshoot
D. My device
E. Sponsor
F. Guest
Answer: DEF
QUESTION 274
Which two component are required for creating native supplicant profile? (Choose 2)
A. Operative System
B. Connection type wired/wireless
C. Ios Sutten
D. BYOD
Answer: AB
QUESTION 275
Which profiling probe collects the user-agent string?
A. NetFlow
B. DHCP
C. Network Scan
D. HTTP
Answer: D
Lead2pass is confident that our NEW UPDATED 300-208 exam questions and answers are changed with Cisco Official Exam Center. If you cannot pass 300-208 exam, never mind, we will return your full money back! Visit Lead2pass exam dumps collection website now and download 300-208 exam dumps instantly today!
300-208 new questions on Google Drive: https://drive.google.com/open?id=0B3Syig5i8gpDMXlWOHdFVkZmREU
2017 Cisco 300-208 exam dumps (All 320 Q&As) from Lead2pass:
https://www.lead2pass.com/300-208.html [100% Exam Pass Guaranteed]
