650-472 Introduction to 802.1X Operations for Cisco Security Professionals Exam

Question 1

Which two EAP methods require server-side digital certificates? (Choose two)

  • A. EAP-FAST
  • B. PEAP
  • C. LEAP
  • D. EAP-MD5
  • E. EAP-TLS


Answer : B,E

Question 2

Which two statements are true regarding load balancing Cisco ISE Policy Services nodes
with a Cisco Application Control Engine? (Choose two.)

  • A. Each Cisco ISE Policy Services node must be configured with an identical unicast IP address that is used to receive policy requests from the load balancer.
  • B. Each Cisco ISE Policy Services node must be configured with a unique (and non-reserved) multicast IP address that is used as a heartbeat channel.
  • C. Each Cisco ISE Policy Services node must be configured with an identical (and non-reserved) multicast IP address that is used as a heartbeat channel.
  • D. The virtual IP address of the ACE must be on the same IP subnet as the unicast subnet of the Cisco ISE Policy Services node.
  • E. The virtual IP address of the ACE must not be on the same IP subnet as the unicast subnet of the Cisco ISE Policy Services node.
  • F. Each Cisco ISE Policy Services node must be configured with a unique unicast IP address that is used to receive policy requests from the load balancer.


Answer : D,F

Question 3

Which statement is true for certificate auto-enrollment on a Cisco IP phone?

  • A. Cisco Unified Communications Manager CA Proxy Function (CAPF) is capable of auto-enrolling certificates.
  • B. Cisco Unified Communications Manager Certificate Auto-Enroll Function (CAEF) is capable of auto-enrolling certificates.
  • C. Cisco IP phones are capable of using digital certificates, but manual enrollment is required.
  • D. Cisco IP phones are not capable of using digital certificates.
  • E. Microsoft Windows 2003 Certificate Server Telephony plug-in can be used for auto-enrolling certificates.
  • F. Microsoft Windows 2008 Enterprise Certificate Server Telephony plug-in can be used for auto-enrolling certificates.


Answer : A

Question 4

What is the purpose of the guest VLAN on a Cisco Catalyst switch?

  • A. It provides configurable guest access to devices that have a supplicant but lack local credentials.
  • B. It provides configurable guest access to non-supplicant devices that lack local credentials.
  • C. It provides configurable guest access to devices that have a supplicant when the authenticator is down or unreachable.
  • D. It provides configurable guest access to non-supplicant devices that have local credentials.
  • E. It provides configurable guest access to devices that have a supplicant when the authentication server is down or unreachable.


Answer : B

Question 5

Which two PEAP requirements must be met to authenticate the TLS session? (Choose
two.)

  • A. The supplicant requires only an identity certificate.
  • B. Cisco ISE requires an identity certificate and a CA certificate.
  • C. The authenticator requires only an identity certificate.
  • D. The supplicant requires an identity certificate and a CA certificate.
  • E. The authenticator requires an identity certificate and a CA certificate.
  • F. The supplicant requires only a CA certificate.
  • G. Cisco ISE requires only an identity certificate.


Answer : B,D

Question 6

Which two sets of ports does Cisco ISE listen on for RADIUS authentication and
accounting messages? (Choose two.)

  • A. UDP - Authentication 1535/Accounting 1536
  • B. UDP - Authentication 1645/Accounting 1646
  • C. TCP - Authentication 1535/Accounting 1536
  • D. TCP - Authentication 1645/Accounting 1646
  • E. UDP - Authentication 1812/Accounting 1813
  • F. TCP - Authentication 1812/Accounting 1813


Answer : B,E

Question 7

Which three elements are required fields when adding a Cisco Wireless LAN Controller as a
network device in Cisco ISE? (Choose three)

  • A. Name
  • B. Software Version
  • C. Device Configuration Deployment
  • D. RADIUS Shared Secret
  • E. SSID
  • F. Model Number
  • G. IP Address


Answer : A,D,G

Question 8

During initial ISE setup, for which three of the following required and optional elements
does the setup script prompt the administrator to enter a value? (Choose three)

  • A. Device Gateway
  • B. Static Host Routes
  • C. IP Address
  • D. Active Directory Domain Name
  • E. Path to RSA SecurID Seed File
  • F. NTP Server IP Address
  • G. Path to RADIUS Seed File


Answer : A,C,D

Question 9

What action must be performed immediately after initial login to the Cisco ISE GUI?

  • A. Configure an alternate local administrator account for password recovery.
  • B. Configure profiling services to authenticate IP phones for MAB.
  • C. Join a Microsoft Active Directory domain for time synchronization.
  • D. Change the administrative user account password.
  • E. Configure an NTP server for time synchronization.
  • F. Configure RSA SecurID to secure administrative access to Cisco ISE.


Answer : E

Question 10

Which method provides authenticated guest access to nonsupplicant hosts?

  • A. restricted VLAN
  • B. authentication fallback
  • C. authentication proxy
  • D. web authentication
  • E. guest VLAN
  • F. flexible authentication


Answer : D

Question 11

Which hardware component of a Cisco TrustSec solution for 802.1X is optional but widely
adopted in most networks?

  • A. external Authentication server
  • B. Cisco AnyConnect Secure Mobility Client
  • C. authentication server
  • D. authenticator
  • E. Cisco 4200 Series IPS


Answer : B

Question 12

Consider a design where a Cisco Catalyst switch that supports Network Edge Access
Topology (NEAT) is connected to an upstream switch that requires 802.1X authentication
on the switch-to-switch link. What differentiates a Cisco Catalyst switch configured for
NEAT from an unmanaged switch connected to the same upstream switch port?

  • A. Switches that support NEAT can be configured with a port in supplicant mode.
  • B. Switches that support NEAT can perform Layer 2 MAC address translation to allow multiple hosts to be seen by the upstream switch as the same host.
  • C. Switches that support NEAT can be configured with a port in authenticator mode that supports authentication multi-host.
  • D. Switches that support NEAT can be configured with a port in authenticator mode that supports authentication multi-auth.


Answer : A

Question 13

Which two of these Cisco products can act as 802.1X authenticators? (Choose two.)

  • A. Cisco 4255 Intrusion Prevention Sensor
  • B. Cisco Catalyst 3750 Series Switch
  • C. Cisco Wireless LAN Controller
  • D. Cisco Secure Access Control Server for Windows
  • E. Cisco 3640 Router
  • F. Cisco 5510 Adaptive Security Appliance
  • G. Cisco Secure Access Control Solution for Windows
  • H. Cisco 4255 Intrusion Prevention System


Answer : C,D

Question 14

What is the purpose of the fallback profile command?

  • A. This command configures the Critical VLAN policy on an interface.
  • B. This command configures a WebAuth profile to use in the event that MAB authentication fails.
  • C. This command configures a WebAuth profile to use in the event that 802.1X authentication fails.
  • D. This command globally enables WebAuth authentication.
  • E. This command configures the Guest VLAN policy on an interface.
  • F. This command configures the Restricted VLAN policy on an interface.


Answer : C

Question 15

What is the purpose of the restricted VLAN (authentication failed VLAN) on a Cisco
Catalyst switch?

  • A. It provides configurable guest access to nonsupplicant devices that have local credentials.
  • B. It provides configurable guest access to devices that have a supplicant when the authenticator is down or unreachable.
  • C. It provides configurable guest access to nonsupplicant devices that lack local credentials.
  • D. It provides configurable guest access to devices that have a supplicant when the authentication server is down or unreachable.
  • E. It provides configurable guest access to devices that have a supplicant but lack local credentials.


Answer : E
