Your task in the simulation is to access the Cisco Catalyst Switch console then use the CLI to:

The Secure-X company has recently successfully tested the 802.1X authentication deployment
using the Cisco Catalyst switch and the Cisco ISE v1.2 appliance. Currently, each employee
desktop is connected to an 802.1X-enabled switch port and is able to use the Cisco AnyConnect
NAM 802.1X supplicant to log in and connect to the network.
Currently, a new testing requirement is to add a network printer to the Fa0/19 switch port and have
it connect to the network. The network printer does not support an 802.1X supplicant. The Fa0/19
switch port is now configured to use 802.1X authentication only.
To support this network printer, the Fa0/19 switch port configuration needs to be edited to enable
the network printer to authenticate using its MAC address. The network printer should also be on
VLAN 9.
Another network security engineer responsible for managing the Cisco ISE has already
preconfigured all the requirements on the Cisco ISE, including adding the network printer MAC
address to the Cisco ISE endpoint database, etc.
Your task in the simulation is to access the Cisco Catalyst Switch console then use the CLI to:
• Enable only the Cisco Catalyst Switch Fa0/19 switch port to authenticate the network printer
using its MAC address and:
• Ensure that MAC address authentication processing is not delayed until 802.1X fails
• Ensure that even if MAC address authentication passes, the switch will still perform 802.1X
authentication if requested by an 802.1X supplicant
• Use the required show command to verify that the MAC address authentication on Fa0/19 is
successful
The switch enable password is Cisco
For the purpose of the simulation, to test the network printer, assume the network printer will be
unplugged then plugged back into the Fa0/19 switch port after you have finished the required
configurations on the Fa0/19 switch port.

Note: For this simulation, you will not need and do not have access to the ISE GUI. To access the
switch CLI, click the Switch icon in the topology diagram.

Answer: See the explanation

Explanation:
Initial configuration for fa 0/19 that is already done:

AAA configuration has already been done for us. We need to configure MAC Authentication
Bypass (MAB) on this port to achieve the goal stated in the question. To do this we simply
need to add this command under the interface:
mab
Then do a shutdown/no shutdown on the interface.
Verification:




john

Hi,

I am not sure if this answer is correct… In the exercise description there is the sentence:
• Ensure that MAC address authentication processing is not delayed until 802.1X fails

so I am guessing that the correct commands to apply are:

mab
authentication order mab dot1x

What do you think about that?

tony

I agree with the order as well, having mab over dot1x.

Thomas Berg

I think the priority should be: authentication priority mab dot1x

Here’s a good overview over order vs priority: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-service/application_note_c27-573287.html

I think IOS should behave similar to NX-OS.

papero23

Hello, no doubt anymore, the answer is the link provided in the case 2:
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-service/application_note_c27-573287.html
“Case 2: Order MAB Dot1x and Priority Dot1x MAB
If you change the order so that MAB comes before IEEE 802.1X authentication and change the default priority so that IEEE 802.1X authentication precedes MAB, then every device in the network will still be subject to MAB, but devices that pass MAB can subsequently go through IEEE 802.1X authentication.”
So,
mab
authentication order mab dot1x
authentication priority dot1x mab
are commands needed to answer the needs:
• Ensure that MAC address authentication processing is not delayed until 802.1X fails
• Ensure that even if MAC address authentication passes, the switch will still perform 802.1X authentication if requested by a 802.1X supplicant
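
The order-versus-priority behaviour discussed in the comments above, as an added example that is not part of the original page or of any commenter's post: a Python model of how the port selects a method, checked against the two task requirements. The function names, the constructed printer and desktop endpoints, and the rule that priority follows order unless set explicitly are assumptions of this model, not switch output.

```python
# Model (added example) of how a switch port picks an authentication method
# from `authentication order` / `authentication priority`. Assumptions: 802.1X
# is always enabled, default order is dot1x then mab, priority follows order.

def run_port(cfg, mac_known, supplicant):
    """Return (attempts, final_method) for one endpoint on the port.
    cfg: set of interface commands; mac_known: MAC is in the RADIUS endpoint
    database; supplicant: endpoint runs 802.1X with valid credentials."""
    order = ["mab", "dot1x"] if "authentication order mab dot1x" in cfg else ["dot1x", "mab"]
    priority = ["dot1x", "mab"] if "authentication priority dot1x mab" in cfg else list(order)
    if "mab" not in cfg:                      # MAB not enabled on the port
        order = [m for m in order if m != "mab"]
    passes = {"dot1x": supplicant, "mab": mac_known}

    attempts, final = [], None
    for method in order:                      # order: which method is tried first
        attempts.append(method)
        if passes[method]:
            final = method
            break
    # priority: an EAPOL-Start from a supplicant may start 802.1X after MAB
    # has passed, but only if dot1x outranks mab.
    if final == "mab" and supplicant and priority.index("dot1x") < priority.index("mab"):
        attempts.append("dot1x")
        final = "dot1x"
    return attempts, final


def meets_requirements(cfg):
    """Check the two task requirements with a constructed printer and desktop."""
    printer_attempts, printer_final = run_port(cfg, mac_known=True, supplicant=False)
    _, desktop_final = run_port(cfg, mac_known=True, supplicant=True)
    return {
        "printer_authenticated_by_mab": printer_final == "mab",
        "mab_not_delayed": printer_attempts[:1] == ["mab"],
        "dot1x_still_honoured": desktop_final == "dot1x",
    }


# The three command sets proposed on this page (constructed as Python sets).
CANDIDATES = {
    "mab only": {"mab"},
    "mab + order": {"mab", "authentication order mab dot1x"},
    "mab + order + priority": {"mab", "authentication order mab dot1x",
                               "authentication priority dot1x mab"},
}

if __name__ == "__main__":
    for name, cfg in CANDIDATES.items():
        print(f"{name:24} {meets_requirements(cfg)}")
```
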

Mee Yoki

Passed 300-208 exam with 960/1000 yesterday (The Passing Score is 846)! Got 57 questions including MAB and ISE-GUI Labs. MAB Lab is very easy but remember to save the CONFIG and the ISE-GUI Lab is not hard at all! I learned all exam questions from the valid 194q dumps here: http://www.passleader.com/300-208.html

Good Luck!

Pongo

Hi Mee Yoki ,

You work for Passleader ? 😉

For information, Passleader says that the last Passleader update is not up to date…

ariq

Did you answer like this on the lab?
mab
authentication order mab dot1x
authentication priority dot1x mab

or
mab (only)

David Won

New 300-208 Exam Questions and Answers Updated Recently (11/Mar/2016):

NEW QUESTION 195
Which devices support download of environmental data and IP from Cisco ISE to SGT bindings in their SGFW implementation?

A. Cisco ASA devices
B. Cisco ISR G2 and later devices with ZBFW
C. Cisco ISR G3 devices with ZBFW
D. Cisco ASR devices with ZBFW

Answer: A

NEW QUESTION 196
In Cisco ISE 1.3, where is BYOD enabled with dual-SSID onboarding?

A. client provisioning policy
B. client provisioning resources
C. BYOD portal
D. guest portal

Answer: D

NEW QUESTION 197
Which description of the purpose of the Continue option in an authentication policy rule is true?

A. It allows Cisco ISE to check the list of rules in an authentication policy until there is a match.
B. It sends an authentication to the next subrule within the same authentication rule.
C. It allows Cisco ISE to proceed to the authorization policy regardless of authentication pass/fail.
D. It sends an authentication to the selected identity store.
E. It causes Cisco ISE to ignore the NAD because NAD will treat the Cisco ISE server as dead.

Answer: C

NEW QUESTION 198
How many days does Cisco ISE wait before it purges a session from the active session list if no RADIUS Accounting STOP message is received?
A. 1
B. 5
C. 10
D. 15

Answer: B

NEW QUESTION 199
A user configured a Cisco Identity Service Engine and switch to work with downloadable access list for wired dot1x users, though it is failing to work. Which command must be added to address the issue?

A. ip dhcp snooping
B. ip device tracking
C. dot1x pae authenticator
D. aaa authentication dot1x default group radius

Answer: B

NEW QUESTION 200
Which option is the correct format of username in MAB authentication?

A. host/LSB67.cisco.com
B. {email not allowed}
C. 10:41:7F:46:9F:89
D. CISCO\chris

Answer: C

NEW QUESTION 201
Refer to the exhibit. In a distributed deployment of Cisco ISE, which column in Figure 1 is used to fill in the Host Name field in Figure 2 to collect captures on Cisco ISE while authenticating the specific endpoint?
Image URL: w w w.200-120.info/wp-content/uploads/2016/03/2011.jpg (delete space!!!)

A. Server
B. Network Device
C. Endpoint ID
D. Identity

Answer: A

NEW QUESTION 202
Which ISE feature is used to facilitate a BYOD deployment?

A. self-service personal device registration and onboarding
B. Guest Service Sponsor Portal
C. Local Web Auth
D. Guest Identity Source Sequence

Answer: A

NEW QUESTION 203
What are two actions that can occur when an 802.1X-enabled port enters violation mode? (Choose two.)

A. The port is error disabled.
B. The port drops packets from any new device that sends traffic to the port.
C. The port generates a port resistance error.
D. The port attempts to repair the violation.
E. The port is placed in quarantine state.
F. The port is prevented from authenticating indefinitely.

Answer: AB

NEW QUESTION 204
Which option describes the purpose of configuring Native Supplicant Profile on the Cisco ISE?

A. It helps employees add and manage new devices by entering the MAC address for the device.
B. It is used to register personal devices on the network.
C. It enforces the use of MSCHAPv2 or EAP-TLS for 802.1X authentication.
D. It provides posture assessments and remediation for devices that are attempting to gain access to the corporate network.

Answer: C

NEW QUESTION 205
Which configuration is required in the Cisco ISE Authentication policy to allow Central Web Authentication?

A. Dot1x and if authentication failed continue
B. MAB and if user not found continue
C. MAB and if authentication failed continue
D. Dot1x and if user not found continue

Answer: B

NEW QUESTION 206
……

P.S. These New 300-208 Exam Questions Were Just Updated From The Real 300-208 Exam, You Can Get The Newest 300-208 Dumps In PDF And VCE From — http://bitly.com/300-208-exam (232q)

Good Luck !!!

Dragan

mab should be enough, but after shutdown and no shutdown on the particular interface you have to wait for 30′ before it will move authentication from dot1x to mab

Mehran

[Update]

New 300-208 Exam Questions Updated Recently (1/Mar/2017):

NEW QUESTION 288
An engineer must ensure that all client operating systems have the AnyConnect Agent for an upcoming posture implementation. Which two versions of OS does the AnyConnect posture agent support? (Choose two.)

A. Google Android
B. Ubuntu
C. Apple Mac OS X
D. Microsoft Windows
E. Red Hat Enterprise Linux

Answer: C

NEW QUESTION 289
Which command would be used in order to maintain a single open connection between a network access device and a tacacs server?

A. tacacs-server host timeout
B. tacacs-server host single-connection
C. tacacs-server host
D. tacacs-server host single-connection

Answer: D

NEW QUESTION 290
Refer to the exhibit. Which authentication method is being used?
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store C LDAP_TESTE
22043 Current Identity Store does not support the authentication method; Skipping it

A. PEAP-MSCHAP
B. EAP-GTC
C. EAP-TLS
D. PEAP-TLS

Answer: C

NEW QUESTION 291
A security engineer has a new TrustSec project and must create a few static security group tag classifications as a proof of concept. Which two classifications can the tags be mapped to? (Choose two.)

A. VLAN
B. user ID
C. interface
D. switch ID
E. MAC address

Answer: AC

NEW QUESTION 292

NEW QUESTION 293
Which CoA type does a Cisco ISE PSN send to a network access device when a NAG agent reports the OS patch status of a noncompliant endpoint?

A. CoA-Terminate
B. CoA-PortBounce
C. CoA-Reauth
D. CoA-Remediate

Answer: B

NEW QUESTION 294

P.S. You Can Get The Newest 300-208 Dumps In PDF And VCE From — http://www.passleader.com/300-208.html (300q VCE and PDF)

Good Luck!