Updated CCIE Security 400-251 V5.0 Written Exam Questions

1. Which of the following is used by WSA to extract session information from ISE and use that in access policies?

2. For your enterprise ISE deployment, you are looking to use certificate-based authentication for all your Windows machines. You have already gone through the exercise Of pushing the machine and user certificates out to all the machines using GPO ・ Since certificate based authentication, by default, doesn't check the artificate against Active Directoryepr requires credentia'S from the user. This essentially means that no groups a re returned as part of the authentication request.

What a re the possible ways to authorize the user based on Active Directory group membership?

3. Which statement is true about a SMURF attack?

4. Refer to the exhibit.

R2 is getting time synchronized from NTP server R1. It has been reported that the clock on R2 cannot associate with the NTP server R1.

Which possible cause is true?

5. In your network, you require all guests to authenticate to the network before getting access, however, you don't want to be stuck creating or approving accounts It is preferred that this is all taken care of by the user, as long as their device is registered.

Which two mechanisms can be used to provide this functionality? (Choose two.)

6. Which protocol does ISE use to secure connection through the Cisco IronPort Tunnel infrastructure?

7. Which protocol does ISE use to secure a connection through the Cisco IronPort tunnel infrastructure?

8. An employee using an Android phone on your network has disabled DHCP, enabled it's firewall, modified it's HTTP User-Agent header, to fool ISE into profiling it as a Windows 10 machine connected to the wireless network. This user is now able to get authorization for unrestricted network access using his Active Directory credentials, as your policy states that a Windows device using AD credentials should be able to get full network access. Whereas, an Android device should only get access to the Web Proxy.

Which two steps can you take to avoid this sort of rogue behavior? (Choose two.)

9. Refer to the exhibit.

Looking at the configuration what may cause the MAB authentication to fail for a supplicant?

10. Your environment has a large number of network devices that are configured to use AAA for authentication. Additionally, your security policy requires use of 2 Factor Auth or Multi-factor Auth for all device administrators, which you have integrated with ACS, To simplify device management, your organization has purchased Prime Infrastructure,

What is the best way to get Prime Infrastructure to authentication to all your network devices?

11. Which statement correctly represents the ACI security principle of Object Model?

12. In your ISE design, there are two TACACS profiles that are created for device administration: IOS_HelpDesk_Profile, and IOS_Admin_Profile. The HelpDesk profile should login the user with privilege 1, with ability to change privilege level to 15. The admin profile should login the user with privilege 15 by default.

Which two commands must the HelpDesk user enter on the IOS device to access privilege level 15? (Choose two)

13. Which statement about Dynamic ARP inspection true?

14. Refer to the exhibit.

R9 is running FLEXVPN with peer R10 at 201.4.10 using a pre-shared key "ccier10". The IPSec tunnel is sourced from 172.16.2.0/24 network and is included in EIGRP routing process. BGP next hop is in AS 345 with address 20.1.3.12. It has been reported that FLEXVPN is down.

What could be the issue?

15. In a Cisco ASA multiple-context mode of operation configuration, which three session types are resource-limited by default when their context is a member of the default class? (Choose three)

16. Which function of MSE in the WIPS architecture is true?

17. Which statement about SenderBase reputation scoring on an ESA device is true?

18. Which statement is correct regarding password encryption and integrity on a Cisco IOS device?

19. For which of the four portals is the SAML Single Sign-On on ISE supported? (Choose four)

20. Refer to the exhibit.

aaa authentication login default group radius

aaa authentication login NO_AUTH none

aaa authantication login vty local

aaa authentication dot1x default group radius

aaa authorization network default group radius

aaa accounting update newinfo

aaa accounting dot1x default start-stop qroup radius

!

aaa server radius dynamic-author

client 161.1.7.14 server-key cisco

!

ip dhcp excluded-address 60.1.1.11

ip dhcp excluded-address 60.1.1.2

!

ip dhcp pool mabpc-pool

network 60.1.1.0 255.255.255.0

default router 60.1.1.2

!

cts sxp enable

cts sxp default source ip 10.9.31.22

cts sxp default password ccie

cts sxp connection peer 10.9.31.1 password defalut mode peer listener hold-time 0

!

dot1x system-auth-control

!

interface GigabitEthernet1/0/9

switchport mode access

ip device tracking maximum 10

authentication host-mode multi-auth

authentication port-control auto

!

radius-server host 161.1.7.14 key cisco

radius-server timeout 60

!

line con 0

login authentication NO_AUTH

stopbits 1

line aux 0

stopbits 1

line vty 0 4

login authentication vty

line vty 5 15

A customer has opened a case with Cisco TAC reporting an issue that one of the Windows client supposed to login to the network using MAB is no longer able to access any allowed resources.

Looking at the configuration of the switch, what could be the possible cause of MAB failure?

21. What are the advantages of using LDAP over AD?

22. Which description of a Botnet attack is true?

23. Which of the following is true regarding ASA clustering requirements?

24. In FMC, which two elements can the correlation rule be based on? (Choose two.)

25. Which statement correctly describes TAP mode deployment in IPS?

26. Which statement about NVGRE functionality is true?

27. Which statement is true regarding Private VLAN?

28. Which statement about Nmap scanning on the Cisco Firepower System is true?

29. Refer to the exhibit.

Which two statements about the given IPv6 ZBF configuration are true? (Choo two)

30. Which statement about the Traffic Substitution and Insertion attack is true?

31. The purpose of an authentication proxy is to force the user to authenticate to a network device before users are allowed access through the device. This is primarily used for HTTP based services, but can also be used for other services.

In the case of an ASA, what does ISE have to send to enforce this access policy?

32. Which of the following is the correct statement regarding enabling SMTP encryption on ESA?

33. Which of the following four traffic should be allowed during an unknown posture state? (Choose four)

34. Which statement description of the Strobe scan is true?

35. Which statement is true regarding SSI- policy implementation in a Firepower system?

36. Refer to the exhibit.

R2 is configured as a WCCP router to redirect HTTP traffic for policy implementation to WSA at 171.1.7.12 with the passphrase used for authentication as "ccie". The redirection is for the traffic on R2 Gi2 interface in the inbound direction. There is an issue reported that web sites are not accessible anymore.

What could the cause be?

37. Which statement about SMTP authentication in a Cisco ESA deployment is true?

38. In a large organization with thousands of employees scattered across the globe, it is difficult to provision and onboard new employee devices with the correct proxies and certificates.

With ISE, it is possible to do client provisioning provided which four conditions are met. (Choose four)

39. Which security control in PCI-DSS is responsible for restrictive card holder data access?