Which AAA authentication method should be selected?

A network administrator needs to implement a service that enables granular control of IOS
commands that can be executed. Which AAA authentication method should be selected?

A.
TACACS+

B.
RADIUS

C.
Windows Active Directory

D.
Generic LDAP



kenichi

Hello,

Thanks for the questions. There were quite a few new questions on the new test, and I can’t seem to find the answers for them online. Are you able to get the new Q/A? Thanks so much!

Happy new year!

I remember a few of the questions:

1 – EAP packet size (1) / (2) byte with tag 1-request, 2-response, 3-success, 4-failure. I know that’s the order of the tag but I’m unsure whether it’s 1 byte or 2 bytes.

2 – It showed a RADIUS authentication setup and asked what is true about this setup. I believe it’s authentication and authorization being sent in the same packet, as only TACACS+ would split up the authentication and authorization requests.

3 – It showed a TACACS+ setup and asked what is true about this setup. I selected authentication packet is sent with username, password, (and something else I don’t remember). If you can get the Q/A for this, it’d be awesome.

(These are questions I pulled from someone else’s post that I also got during the test.)

What RADIUS attribute can be used to dynamically assign the inactivity active timer for mac users from the Cisco ISE?
A. Idle-timeout attribute
B. Session-timeout
C. Radius-server
D. Termination-action

(A?)

A malicious user gained network access by spoofing printer connections that were authorized using MAB on four different switch ports. What Cisco Cat switch security features will prevent further violations? (choose 2)
A. ip device tracking
B. private vlans
C. port security
D. dhcp snooping
E. dynamic arp inspection
F. 802.1AE MacSec

(I think I chose A and F on this and I think it’s wrong. Can someone confirm?)

Which three statements about Windows Server Update Services remediation are true? (choose 3)
A. WSUS can install the latest service pack available
B. WSUS checks for automatic update configuration on the Windows Client
C. WSUS checks for client behavioral anomalies
D. WSUS remediates Windows client from a locally managed WSUS server
E. WSUS remediates Windows client from a Microsoft managed WSUS server
F. WSUS provides links to update AV/AS

(I couldn’t find this in the book so I’m not sure. I know it can check for updates and automatic remediation but not sure what would be the right options for this question)

Which 3 EAP methods use tunnel to encapsulate EAP traffic?
A. EAP-MD5
B. EAP-FAST
C. EAP-TTLS
D. PEAP
E. EAP-TLS

(should be eap-fast, peap, and eap-tls, right?)

A security engineer has configured separate Policy Service and Admin Node. What will occur when the admin node is offline?

A. AUP is shown at every login
B. Max failed login will be enforced
C. Change password becomes available
D. Device registration is allowed

(I know you have to manually bring up the 2nd admin node, and if the admin node fails, only existing users can authenticate and no new users can be created, but I can’t make sense of this question’s answer.)

What are the 3 portals provided by PSN?

A. Sponsor
B. Admin
C. My devices
D. Monitoring
E. Guest
F. Troubleshooting

(There should be 5 PSN, but based on it, I believe it’s sponsor, guest, and my devices?)

Ridho

I tried to help searching the answer and I can confirm this:

– RADIUS attribute for inactivity active timer is idle-timeout attribute

– I don’t think printer has MacSec features, that’s why F is wrong (but I might be wrong too). My best bet is using Dynamic ARP Inspection & Port Security.

– I believed WSUS remediation is all about Windows Update, so my answer will be A,B,E

– The answer for tunneled EAP:
EAP Tunneled Transport Layer Security (EAP-TTLS)
EAP Flexible Authentication via Secure Tunneling (EAP-FAST)
Protected EAP (PEAP)

– 3 portal provided by PSN is correct too, Sponsor, My Devices, and Guest

alladin

I think the (3) portals supported are Admin, Sponsor, and Guest, and it is documented in the book, pp.398

mur

Admin portal runs on admin node for sure. The PSN node is running Sponsor, Guest and My Device portals.

The Printer and spoofing – i am not sure but i think that ip device tracking and DAI should work. Port-security should also work but depends on the setup. As the device is spoofing the mac address the port-security is useless.

Ceyhun Quniyev

[Update]

New 300-208 Exam Questions and Answers Updated Recently (4/Jan/2017):

NEW QUESTION 251
A security administrator wants to profile endpoints and gain visibility into attempted authentications. Which 802.1x mode allows these actions?

A. monitor mode
B. high-security mode
C. closed mode
D. low-impact mode

Answer: A

NEW QUESTION 252
Which three events immediately occur when a user clicks register on their device in a single-SSID BYOD onboarding registration process? (Choose three).

A. CA certificate is sent to the device from Cisco ISE
B. An endpoint is added to a Registered Devices identity group
C. RADIUS access request is sent to Cisco ISE
D. The profile service is sent to the device from Cisco ISE
E. DACL is sent to the device from Cisco ISE
F. BYOD registration flag is set by Cisco ISE

Answer: ABF

NEW QUESTION 253
A company wants to allow employees to register and manage their own devices that do not support NSP. Which portals enable this?

A. MDM portals
B. Client provisioning portals
C. My devices portals
D. BYOD Portals

Answer: C

NEW QUESTION 254
Which three options can be pushed from Cisco ISE server as part of a successful 802.1x authentication? (Choose three)

A. authentication order
B. posture status
C. authentication priority
D. vlan
E. DACL
F. reauthentication timer

Answer: DEF

NEW QUESTION 255
With which two appliance-based products can Cisco Prime infrastructure integrate to perform centralized management?

A. Cisco content security appliance
B. Cisco email security appliance
C. Cisco wireless location appliance
D. Cisco Mobility Services Engine
E. Cisco ISE

Answer: DE

NEW QUESTION 256
A malicious user gained network access by spoofing printer connections that were authorized using MAB on four different switch ports at the same time. What two catalyst switch security features will prevent further violations? (Choose two)

A. DHCP Snooping
B. 802.1AE MacSec
C. Port security
D. IP Device tracking
E. Dynamic ARP inspection
F. Private VLANs

Answer: AE

NEW QUESTION 257
Refer to the exhibit. Which statement about the authentication protocol used in the configuration is true?
aaa new-model
tacacs-server host 1.1.1.1 single-connection
tacacs-server key cisco123

A. Authentication request contains username, encrypted password, NAS IP address, and port.
B. Authentication and authorization requests are sent in a single open connection between the network device and the TACACS+ server.
C. Authentication request contains username, password, NAS IP address and port.
D. Authentication and authorization request packets are grouped together in a single packet.

Answer: B

NEW QUESTION 258
Which option is the code field of an EAP packet?

A. one byte and 1=request, 2=response 3=failure 4=success
B. two byte and 1=request, 2=response, 3=success, 4=failure
C. two byte and 1=request 2=response 3=failure 4=success
D. one byte and 1=request 2=response 3=success 4=failure

Answer: D

NEW QUESTION 259
……

P.S. These New 300-208 Exam Questions Were Just Updated From The Real 300-208 Exam, You Can Get The Newest 300-208 Dumps In PDF And VCE From — http://www.passleader.com/300-208.html (275q VCE and PDF)

Good Luck!

Kazy

Who has the supposedly 275Q dump? since the 251 + this 9 questions is 260? where are the rest ?

Macr

I have my exam soon, does anyone have new questions and will share it?

Marc

According to this document:

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html

the answer for one of the new questions above is:
A – AUP is shown at every login

As you can read:
The Guest portal can run on a node that assumes the Policy Services persona when the primary node with Administration persona is offline. However, it has the following restrictions:

• Self registration is not allowed
• Device Registration is not allowed
• The AUP is shown at every login even if first login is selected
• Change Password is not allowed and accounts are given access with the old password.
• Maximum Failed Login is not be enforced

Mx12

I scored above 950.

The exam is truly difficult.

Some of the questions have been changed a little, so other responses are valid, not the one published in dumps.

The exam focuses on asking you the new, added questions, about 50% of them were the new one, only about 50% the old from previous dumps.

Not all questions are in the latest dump, I had about 10 new ones.

Examples, differences:

– accounting is not working, what could be the reason: single choice, ans.: misconfigured authorization (I believe 😉 )

– q275 from PL which two components are required for creating native supplicant profile – choose two – ans.: Operating System, Connection type – wired/wireless

– q143 from PL – which component hosts the CWA portal – single choice – ans.: the ISE

– shown radius configuration, what is true about it – single choice – ans.: the authentication and authorization sent in one packet

– Cisco Any Connect must be installed, what OSes are supported – choose two from: Windows, Android, two Linux distributions, Apple iOS, I think Windows, Apple iOS

– a few others – just stay calm and analyze, eliminate, choose and go on

– one or two questions where I didn’t understand what the author had in mind, so I chose intuitively

!ALL! the questions where you have to analyze ISE configuration and answer which statement is true are modified in such a way that different answers are valid, not the one marked in dumps. So don’t learn these ones by heart, you have to analyze thoroughly and choose different answers, ex: q208 from PL – not AD, but in my case AC

!ALL! the questions where you have to analyze detail of live log have the same valid answers as in dumps

Good luck!

EM

Hi,

Please advise if passleader or troytec can be used.
I have read the book twice and studied as well, but do not want to fail this exam.

Thanks EM

Bo

Great job, MX12! Congratulations! What about lab in exam?

rafilsk

Any location with issues 100% guaranteed?
I tried the exam using pass4sure but it was not approved.

V4

Unfortunately, it seems there is no location where we can get 100% of the exam questions. Like MX 12 said, about 10-15 new questions.

What can network administrator configure in order to create Antivirus remediation? Vendor name, OS, file, location….

Something about NAC agent.. Which one can support remediation (NAC/Web agent for Windows, Macintosh)

Several new questions about BYOD process…

Good luck!

Tiger

Failed today as well….

I remember the following questions but not the answers:

1) Which three (3) ISE posture remediation actions are supported by the Web Agent for Windows?

2) Why Cisco recommends assigning dynamic classification security group tag assignment at the access layer authentication?

3) Which probe profile requires the simplest configuration?

Chris

Passed today…barely. This 846 points gap is a killer 🙂

I’ve got exactly the same questions as at first attempt one week ago.

There was something also about checking by posture file location in c:/Windows… what is a service, session service, file service, registry service one of those…

Which agent supports posture or something like that:
– windows web agent
– windows thick agent
– mac os web agent
– mac os thick agent
– unix

I think win/mac web agent…

2 simulations 3,4 questions each. Exactly one of those from dumps.

How are antivirus remediated… (there was something about antivirus name & file location, I suppose from where to remediate… this is what I chose at least)

Chris

There was also something about NAD reports to ISE using RADIUS accounting, what probe on ISE would use for profiling. I think radius probe..

Chris

And this one:
TCP: 8905 (Cisco NAC agent update)
TCP: 8909 and UDP: 8909 (web, Cisco NAC Agent, supplicant provisioning wizard installation)

What port is used for agent update. -> TCP 8905

Tiger

Hi Chris,

Are you sure about the TCP/8905 ??

According to this :
https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.pdf

The NAC Agent connects to the Cisco ISE server by sending SWISS unicast discovery packets out on User Datagram Protocol (UDP) port 8905 until a Cisco ISE node that assumes the Policy Service persona sends a response to the client

Chris

You mean SWISS packet for discovery ISE by NAC agent.
But according to question is what port is used for agent update – which is TCP 8905

Tiger

Hi Chris,
Regarding the remediation question.

Which agent supports posture services? OR Which agent supports remediation services?
A. Windows Web Agent
B. Windows thick Agent
C. MAC OS Web Agent
D. MAC OS thick agent
E. UNIX

I believe Windows Thick Agent & MAC OS thick agent are the correct answers.
Any other thoughts ?

Thanks

Chris

There was something also about EAP packet request, response, success and failure but it was something more, quite not sure what was that, can’t remember… not a 1 byte, but something other.

Chris

I chose thick clients on the exam, but I am not sure it is right because you wrote that question:

“Which ISE posture remediation actions are supported by the Web Agent for Windows?”

So regarding it Web Agent is supporting remediation services 🙂

Tiger

Which three remediation actions are supported by the Web Agent for Windows?
(Choose three.)
A. Automatic Remediation
B. Message text
C. URL Link
D. File Distribution
E. AV definition update
F. Launch Program

Answer: B,C,D

Tiger

Which NAC agents support remediation? (Choose three)
A. Windows NAC
B. Windows web-based NAC
C. MAC OS NAC
D. MAC OS web-based NAC
E. UNIX

Answer: A,B,C

Chris

Do You have PL 232 q?

Tiger

Hi Chris & Everyone.

PL has now uploaded a 287Q which is quite valid. But I took the exam today and failed with 834
(passing score is 846).

The exam is ridiculously hard especially if you consider that there is no good Official Study Guide…
And the passing score of Cisco is quite high as well.
Is there any other cert in the industry with passing score close to 85% ??
There were some new questions(5 i believe) & a new Drag&Drop which i will try to remember…

As Mx12 mentioned on the last post. I think the major changes are on Simulation Labs!!
My score for “Troubleshooting, Monitoring, and Reporting Tools” was 17% !!
And i tried to analyze them as good as possible.
Also, on my first try for this exam, the score for “Troubleshooting, Monitoring, and Reporting Tools” was 33% !!

Both times my answers were the same as the PL files.

OR there is something broken on those Simulation LABS!!
Does anyone know how to contact Cisco for this kind of problems?

@Mx12, do you remember your score for the section “Troubleshooting, Monitoring, and Reporting Tools” ?

Thanks in advance!!

rafilsk

Hi Tiger, sorry to know about your failure, I also failed using pass4sure !!
I am now studying with PL 287q and plan to schedule my exam soon.

What is your % of success in PL?

Tiger

Hi Rafilsk,

Most of the questions in PL 287q are valid.
I think the problem is the Simulation Labs. If Mx12 remember his score then he can help more…

For example, i had 2 x Simulations in my exam(3 + 4 Questions each)
So in total, for the section “Troubleshooting, Monitoring, and Reporting Tools” i got 7 Questions and i scored 17% (1.12 Questions correct)!!. This CAN’T be right…

My answers to the Simulations were the same in PL 287Q.

rafilsk

Hi,

In some places response in this simulation are: B, C, E, F and others(Ex: PL) A, C, E, F.
Does anyone confirm the correct?

Which four statements are correct regarding the event that occurred at 2014-05-07 00:19:07.004?
(Choose four.)

A. The IT_Corp authorization profile was applied.
B. The it1 user was matched to the IT_Corp authorization policy.
C. The it1 user supplicant used the PEAP (EAP-MSCHAPv2) authentication method.
D. The it1 user was authenticated using MAB.
E. The it1 user was successfully authenticated against AD1 identity store.
F. The it1 user machine has been profiled as a Microsoft-Workstation.
G. The it1 user machine has passed all the posture assessment tests.

Tiger

Hi Guys,

Here are the new questions i remember from the exam:

1) A network engineer must create an Antivirus remediation policy.
Which two options can the engineer select in the new Antivirus Policy?
A. File to upload
B. Program installation path
C. Antivirus vendor name
D. OS
E. Uniform resource locator

Answer: A,E ?? I think

2) Why Cisco recommends assigning Dynamic classification Security Group Tag assignment at the access layer?
A. Security Group assignment access occurs as user enter the network
B. Static Security Group assignment are more scalable
C. Security Group assignment occurs as user leave the network
D. To use SXP to transport Security Tag Group to IP mappings

Answer: A

3) A security engineer has a new TrustSec project and must create a few static Security Group Tag (SGT).
Which two classifications can the tags be mapped to?(Choose two)
A. User ID
B. MAC Address
C. VLAN
D. Switch ID
E. Interface

Answer: A, D? not sure

4) Which two NAC agents support file remediation? (Choose two)
A. Web agent for MAC OS X
B. NAC agent for MAC OS X
C. Web agent for Windows
D. NAC agent for Windows
E. Web Agent for UNIX

Answer C,D ?? not sure

5) Which CoA type does a Cisco ISE PSN send to a NAD when a NAC agent reports the OS patch status of a non-compliant endpoint?
A. CoA – Reauth
B. CoA – Terminate
C. CoA – Remediate
D. CoA – PortBounce

Answer: C ??

Chris

Hello Tiger.

In my opinion :
1) C,D

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1655749

2) A

3) C,E – read about TrustSec :

http://www.cisco.com/c/dam/en/us/solutions/collateral/borderless-networks/trustsec/C07-730151-00_overview_of_trustSec_og.pdf

L3IF-SGT directly maps an SGT to a Layer 3 interface. Supported interfaces are:
● Routed port
● SVI (VLAN interface)
● Layer 3 subinterface of a Layer 2 port
● Tunnel interface

4) I think B,D
5) Yes C is the best option.

Good Luck!

Tiger

Hello all,

Here are two(2) more questions which confuse me:

What is the functionality of the Cisco ISE BYOD flow provided?
A. Provides the “My Device” portal, allowing user to add devices.
B. Provides self-registration functionality to allow guest users to access the network.
C. Provides support for native supplicant, allowing user to connect devices directly to the networks.
D. Provides support for user to install NAC agents on enterprise devices.

Answer: A or C ?
=============================================================================

51) User reports that the switch RADIUS accounting packets are not being seen on the Cisco ISE.
Which command is missing on the switch?
A. aaa accounting resource default start-stop group radius
B. aaa accounting network default start-stop group radius
C. aaa accounting exec default start-stop group radius
D. radius-server vsa send accounting

Answer: A or D ?
==============================================================================

Chris

It is A of course. BYOD is Bringing your own device through the portal, which gives you the option to register your device.

51) D

Tiger

Hi Chris,

Thanks for your reply.

Tiger

Also this one…

An engineer wants to allow dynamic VLAN assignment from ISE. What must be configured on the switch? (Choose ONE)
A. DTP
B. VTP
C. AAA authentication
D. AAA authorization

Chris

AAA authorization must be defined.

oka

aaa authentication

oka

Failed today, so many new questions and two drag-and-drops; I got 5./. in Troubleshooting.

oka

Which os has anyconnect posture support ?

Redhat
mac os
Windows

On the Cisco website, AnyConnect v4 supports Mac and Windows and Linux, so what is the answer?

Tiger

Hi Oka,

Anyconnect is supported on MAC, Windows & Linux.
But the posture/remediation services are not supported in Linux.

Which NAC agents support remediation? (Choose three)
A. Windows NAC
B. Windows web-based NAC
C. MAC OS X NAC
D. MAC OS X web-based NAC
E. UNIX

Answer: A, B, C

Which two NAC agents support file remediation? (Choose two)
A. Web agent for MAC OS X
B. NAC agent for MAC OS X
C. Web agent for Windows
D. NAC agent for Windows
E. Web Agent for UNIX

C,D

Tiger

Plus this question:

A network administrator needs to install Anyconnect agent for an upcoming posture implementation. Which two versions of OS for the Anyconnect posture agent support?
(Choose two)
A. Linux
B. Windows
C. Ubuntu
D. Mac OSX

Answer: B,D

oka

Thanks Tiger, in my test I got the drag-and-drop question, can’t find it in PL 287q.

AN

An engineer wants to allow dynamic VLAN assignment from ISE. What must be configured on the switch?
A. DTP
2. VTP
3. AAA AUTHENTICATION
4. AAA AUTHORIZATION

Answer is confusing, 3 or 4: in PL it is 3, but in another forum 4.

Tiger

Hello AN,

I found a forum which has 3&4 as correct questions(we could choose TWO answers).

But IF you need to choose ONE answer then I would choose 4(Authorization).
Assuming that authentication is already configured.
I am not sure if you can configure authorization without authentication.

oka

Which two components are required for creating native supplicant profile?

oka

Operating Systems Supported by Native Supplicants
Native supplicants are supported for these operating systems:

Android (excluding Amazon Kindle, B&N Nook)
Mac OS X (for Apple Mac computers)
Apple iOS devices (Apple iPod, iPhone and iPad)
Microsoft Windows 7, Vista, and XP

Tiger

Which two components are required for creating Native Supplicant profile?
A. Operating System
B. IoS
C. BYOD
D. Connection Type – Wired/Wireless

Answer: A,D

Chris

Tiger did u manage to pass the exam already?

Tiger

Hello Tiger,

YES finally!! I passed the exam 14th of February.
I confirm that the last PL of 300Q is valid. All of the questions are in the new PDF.

NOTE: In my opinion the PL of 300Q has a lot of wrong answers !!
So the PL 300Q is valid (according to my exam 14th of February) BUT
you need to double check the answers.

Regarding the Simulation Questions, I scored 83% and here are my answers:

SIMULATION 1

1)Which four statements are correct regarding the event that occurred at 2014‐05‐07 00:19:07.004? (Choose four.)

A. The IT_Corp authorization profile was applied
B. The it1 user was matched to the IT_Corp authorization policy.
C. The it1 user supplicant used the PEAP (EAP‐MSCHAPv2) authentication method.
D. The it1 user was authenticated using MAB.
E. The it1 user was successfully authenticated against AD1 identity store
F. The it1 user machine has been profiled as a Microsoft‐Workstation.
G. The it1 user machine has passed all the posture assessment tests.

My Answers: B,C,E

2) Which three statements are correct regarding the events with the 20 repeat counts that occurred at 2014‐05‐07 00:22:48.748?
( Choose three.)

A. The device was successfully authenticated using MAB.
B. The device matched the Machine_Corp authorization policy.
C. The Print Servers authorization profile was applied.
D. The device was profiled as a Linksys‐PrintServer.
E. The device MAC address is 00:14:BF:70:B5:FB.
F. The device is connected to the Gi0/1 switch port and the switch IP address is 10.10.2.2

My Answers: A,D,E

3) Which two statements are correct regarding the event that occurred at 2014‐05‐07 00:22:48.175? (Choose two.)

A. The DACL will permit http traffic from any host to 10.10.2.20
B. The DACL will permit http traffic from any host to 10.10.3.20
C. The DACL will permit icmp traffic from any host to 10.10.2.20
D. The DACL will permit icmp traffic from any host to 10.10.3.20
E. The DACL will permit https traffic from any host to 10.10.3.20

My Answers: A,E

4) Which two statements are correct regarding the event that occurred at 2014‐05‐07 00:16:55.393? (Choose two.)

A. The failure reason was user entered the wrong username.
B. The supplicant used the PAP authentication method.
C. The username entered was it1.
D. The user was authenticated against the Active Directory then also against the ISE internal user database and both fail.
E. The NAS switch port where the user connected to has a MAC address of 44:03:A7:62:41:7F
F. The user is being authenticated using 802.1X.
G. The user failed the MAB.
H. The supplicant stopped responding to ISE which caused the failure.

My Answers: C,F

SIMULATION 2

1) Which two of the following statements are correct? (Choose two)

A. The ISE is not able to successfully connect the hq-srv.secure-x.local AD server
B. The ISE internal endpoint database is used authenticate any user not in the Active Directory domain
C. The ISE internal user database has two accounts enabled: students and test that maps to the Employee user identity group
D. Guest_Portl_Seqeuence is a built-in identity source sequence

My Answers: C,D

2)Determine which can be two reasons why many users like the Sales and IT users are not able to authenticate and access the network using their AnyConnect NAM client with EAP-FAST? (choose two)

A. The Dot1x authentication policy is not allowing the EAP-FAST protocol
B. The rr_Corp authorization profile has the wrong Access Type configured
C. The authorization profile used for the Sales users is misconfigured
D. The order for the MAB authentication policy and the Dot1x authentication policy should be reversed.
E. Many of the Sales and IT users machines are not passing the ISE posture assessment.
F. The PERMrr_ALL_TRAFFIC DACL is missing the permit ip any any statement in the end
G. The Employee_FullAccess_DACL DACL is missing the permit ip any any statement in the end

My Answers: A,D

3) Which of the following statements is correct?

A. Currently, IT users who successfully authenticate will have their packets tagged with a SGT of 3
B. Currently, IT users who successfully authenticate will be assigned to VLAN 9
C. Currently, any domain administrator who successfully authenticate will be assigned to VLAN 10
D. Computers belonging to the secure-x domain which passes matching authentication but failed user authentication will have the
Employee_Restricted_DACL applied
E. Print Servers matching the Linksys_PrintServer identity group will have the following access
restrictions: permit icmp any any host 10.10.2.20 , permit tcp any host 10.10.2.20 eq 80.
Permit icmp any host 10.10.3.20 permit tcp any host 10.10.3.20 eq 80 deny ip any any

My Answer: D

GOOD LUCK TO EVERYONE !!

Teo

I agree, particularly with this last one, 3) -> answer D.

In some dumps it is C) …but from my point of view too, following the lab, that is completely wrong!
Or… are the labs changing during the test!? …bah..

Filippo

[Update]

New 300-208 Exam Questions Updated Recently (1/Mar/2017):

NEW QUESTION 288
An engineer must ensure that all client operating systems have the AnyConnect Agent for an upcoming posture implementation. Which two versions of OS does the AnyConnect posture agent support? (Choose two.)

A. Google Android
B. Ubuntu
C. Apple Mac OS X
D. Microsoft Windows
E. Red Hat Enterprise Linux

Answer: C

NEW QUESTION 289
Which command would be used in order to maintain a single open connection between a network access device and a tacacs server?

A. tacacs-server host timeout
B. tacacs-server host single-connection
C. tacacs-server host
D. tacacs-server host single-connection

Answer: D

NEW QUESTION 290
Refer to the exhibit. Which authentication method is being used?
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store – LDAP_TESTE
22043 Current Identity Store does not support the authentication method; Skipping it

A. PEAP-MSCHAP
B. EAP-GTC
C. EAP-TLS
D. PEAP-TLS

Answer: C

NEW QUESTION 291
A security engineer has a new TrustSec project and must create a few static security group tag classifications as a proof of concept. Which two classifications can the tags be mapped to? (Choose two.)

A. VLAN
B. user ID
C. interface
D. switch ID
E. MAC address

Answer: AC

NEW QUESTION 292
……

NEW QUESTION 293
Which CoA type does a Cisco ISE PSN send to a network access device when a NAC agent reports the OS patch status of a noncompliant endpoint?

A. CoA-Terminate
B. CoA-PortBounce
C. CoA-Reauth
D. CoA-Remediate

Answer: B

NEW QUESTION 294
……

P.S. These New 300-208 Exam Questions Were Just Updated From The Real 300-208 Exam, You Can Get The Newest 300-208 Dumps In PDF And VCE From — http://www.passleader.com/300-208.html (300q VCE and PDF)

Good Luck!

KMB

Your dumps that you continually advertise are not accurate.
NEW QUESTION 288
An engineer must ensure that all client operating systems have the AnyConnect Agent for an upcoming posture implementation. Which two versions of OS does the AnyConnect posture agent support? (Choose two.)

A. Google Android
B. Ubuntu
C. Apple Mac OS X
D. Microsoft Windows
E. Red Hat Enterprise Linux

Answer: C (where is the 2nd choice?)

NEW QUESTION 290
Refer to the exhibit. Which authentication method is being used?
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store – LDAP_TESTE
22043 Current Identity Store does not support the authentication method; Skipping it

A. PEAP-MSCHAP
B. EAP-GTC
C. EAP-TLS
D. PEAP-TLS

Answer: C (WRONG!!! the correct answer is PEAP-MSCHAP)

Stop posting false information.

isra

These are some new questions in my last exam, 20 of February 2017. I failed my exam for the second time.

1.- Which port does Cisco ISE use for native supplicant provisioning of a Windows machine?
a) tcp 8443
b) tcp 443
c) tcp/udp 8909
d) tcp/udp 8905

I think that the answer is A – tcp 8443??

KMB

tcp 8443 is the redirect port for portals.
c) is the answer – TCP/UDP 8905 (Swiss ports)

KMB

sorry, d)tcp/udp 8905

KMB

OK, I found info in this book – “Cisco ISE for BYOD and Secure Unified Access”:
Port 8443 is used by the ISE guest portal.
Ports 8905 and 8906 are used by NAC Agent Swiss protocol.
Port 8909 is used for client provisioning activity.

300-208

TCP/UDP 8909 : web, cisco nac agent, supplicant provisioning wizard installation

isra

Thanks 300-208.

I have these doubts.

1.- An engineer wants to allow dynamic VLAN assignment from ISE. What must be configured on the switch?

a) DTP
b) VTP
c) AAA AUTHENTICATION
d) AAA AUTHORIZATION

I think that the answer is D), but I am not sure if D or C.

2.- Why does Cisco recommend assigning dynamic classification security group tag assignment at the access layer authentication??

For questions number 2, 3, 4 I don’t remember the answers, but any recommendation is good.

3.- Which probe profile requires the simplest configuration??

4.- There was also something about NAD reports to ISE using RADIUS accounting; what probe on ISE would it use for profiling?

a) Radius Probe ????

thanks for your help.

regards

rafilsk

I also passed the exam today.
My score was 894, the exam is really difficult.

Thanks to everyone for the support.
Good luck!

isra

Congratulations rafilsk.

Did you see some new questions that you remember??

rafilsk

All questions are in PDF PL300, but many answers are incorrect.

isra


I passed today; 865 of 846 was my score.

Thanks for your help, guys.

Marco


Congratulations isra.
Could you please tell us if this dump with the updates in the comments is enough to pass the exam?

Teatro


Hi Isra,
did you find any new or strange questions?

Teo


Failed today.
Many new questions, including one “drag & drop” never seen before.

I bought a new dump on eBay, but didn’t find these questions, which right now I don’t remember well.

Does someone have an update or an answer about the questions?

Regards

grassman


Are there really new questions?

Teo


Some questions are new.

Labs are different / wrong answers compared with PL-300, but I think that @Tiger above in one post is right!

Kush


Hello Everyone.

I need your help.
Please help me with valid dumps. I will take the exam on 6th April.

Is PL300 valid or not?

Please help me out.

Thanks
Kush.

Teo


Hi all,
did it yesterday! Passed with “only” 879! 😐 🙂

The exam is not difficult, but STRANGE.
I could spend a lot of words, but to summarize:
1) PL300 is valid BUT for only 80/85% of the answers!!
This is absolutely sure, in particular for the laboratory! I analyzed some answers by myself and followed PL300 for the other questions… totaling… ONLY 33%!!! Unbelievable.
And I used to make a really difficult project on ISE, but following the test and the “pre-compilated” Cisco laboratory in the simulation you can fall into completely crazy things and answers.
I suspect also some bug or things like that…
Hopefully totaling a high % in the other questions, I couldn’t fail the exam two times! :-/

2) So use PL300 only as “a guideline”; do not take it as certain, absolutely not!

3) In PL300 you’ll find all the questions in the exam (remember BTW points 1) and 2) 😉 )

…keep calm and try to make your lab!!

Hope for all and thanks, everybody!

grassman


Do you have the PL300 for us?

Kush


Hello Teo,

Congratulations…!!!!

Thanks for sharing your exam experience, but could you please share the lab-related questions?

Please guide me to clear the exam.

Regards
Kush

Teo


Hi Kush,
all are in PL-300.

But there is no way to share the answers. As I said, they are different lab by lab, and the answers in PL-300 are not correct.
Try to do it by yourself.

Regards

Kush


Thank You So Much Teo.

I will try to do my best.

Is PL300q available for free, or do I have to purchase it from the web site?

Regards,
Kaushal Patel

Kush


Finally… did it, with 874 only…

Thanks to all of you.

And yes, Teo is right about PL300.

Faced some new tricky questions.

Regards..

Marco


Congratulations Kush.
Can you recall these tricky questions?

Regards

Marco


QUESTION 290 from PL:
Refer to the exhibit. Which authentication method is being used?
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store – LDAP_TESTE
22043 Current Identity Store does not support the authentication method; Skipping it

A. PEAP-MSCHAP
B. EAP-GTC
C. EAP-TLS
D. PEAP-TLS

Answer: C

In my opinion the right answer should be A, PEAP-MSCHAP is not supported by LDAP. Can anybody confirm what I’m saying?

JR


One of the questions that I had was something like “Which of the following statements refers to ‘Posturing’”… I had also failed the exam with 33% for “Troubleshooting, Monitoring and Reporting Tools”. I could have passed the exam, but got confused with some questions. I’m going to try again soon.

JR


Passed the exam today (~880). I used the 267 questions and studied the official book. Note that the answers for the labs are incorrect (at least some of them). As mentioned in the previous post, I had a question about what “Posturing” is; I remember choosing the last option, which matched the official description of Posturing.

2) Determine which can be two reasons why many users like the Sales and IT users are not able to authenticate and access the network using their AnyConnect NAM client with EAP-FAST? (choose two)

A. The Dot1x authentication policy is not allowing the EAP-FAST protocol
B. The rr_Corp authorization profile has the wrong Access Type configured
C. The authorization profile used for the Sales users is misconfigured
D. The order for the MAB authentication policy and the Dot1x authentication policy should be reversed.
E. Many of the Sales and IT users machines are not passing the ISE posture assessment.
F. The PERMrr_ALL_TRAFFIC DACL is missing the permit ip any any statement in the end
G. The Employee_FullAccess_DACL DACL is missing the permit ip any any statement in the end

My Answers: A,C

Which of the following statement is correct?

A. Currently, IT users who successfully authenticate will have their packets tagged with a SGT of 3
B. Currently, IT users who successfully authenticate will be assigned to VLAN 9
C. Currently, any domain administrator who successfully authenticate will be assigned to VLAN 10
D. Computers belonging to the secure-x domain which passes matching authentication but failed user authentication will have the Employee_Restricted_DACL applied
E. Print Servers matching the Linksys_PrintServer identity group will have the following access restrictions: permit icmp any any host 10.10.2.20 , permit tcp any host 10.10.2.20 eq 80. Permit icmp any host 10.10.3.20 permit tcp any host 10.10.3.20 eq 80 deny ip any any

My Answer: D

Good luck everyone.

SF


Hi All
I passed the exam with the score of 901 !
The exam is not an easy ride and the lab questions were not that hard although I have scored only 50%. The lab DACL question was there as exactly it appeared in dumps however the screen didn’t allow me to expand to see the results, therefore I had to guess with the view to save the time.
Some new questions were there which I did not find in any of the dumps.

PL300, as I feel, is a waste to a certain extent, as some of the questions which make up the 300 are not directly related to this subject and therefore it’s a waste of time preparing for them. I also think that 267Q, which is cheaper, will do the trick. Dumps must be used just as guidelines; as a result you still have to do a lot of preparation to assimilate the subject sufficiently.

The questions posted by JR above were there and I agree with his answers.

Now looking forward to the other exams, and good luck to everybody who is going to take this exam.

Calvin C


Passed last week. PL287 is mostly valid and there were few new questions. Make sure to check the answers – some of them are obviously wrong. Two netsims, prepare more time for that.

Peter


Failed;
– almost all of the questions above were on the exam + had 10 new;

reg “NEW QUESTION 288″
An engineer must ensure that all client operating systems have the AnyConnect Agent for an upcoming posture implementation. Which two versions of OS does the AnyConnect posture agent support? (Choose two.)
A. Google Android
B. Ubuntu
C. Apple Mac OS X
D. Microsoft Windows
E. Red Hat Enterprise Linux”
Should be C and D

New were:
Which 2 options are functional components of the posture service?
a) network …
b) client provisioning
c) quarantined …
d) posture service
e) secure …

Correct: b,d, I believe.

Native supplicant port is:

Correct tcp/udp 8909

D&D:
Associate with role description:
Admin persona
Monitoring persona
Policy service
Inline posture node

Definition of posturing;

Which interface level is needed to turn on dot1x authentication?

Which advance option wan&wlan must be enabled to trigger central Web auth. for wifi?

Something with “advantage of using dynamic vlan assignment from ISE”

Which 2 profile attribute … Wireless LAN controller supports in device sensor?

A network admin is seeing a posture status “unknown” for a single corporate machine on the Cisco ISE authentication report; others are compliant. What could cause the reason?

Those having PL300q, please share with me in return.

Raphie


Guys, do we have any update on the exam? Did you encounter new questions for the Cisco 300-208 exam?… I’m planning to take the exam this month and I really need your help, guys.

Peter


See the post above; if you do not know the answers, forget about it, or you have an outdated exam pack (PL300q or 224q).

Raphie


Thank you, Peter. I just want to ask what score you got on simulations and troubleshooting.

Ceejay


Hello Guys!!! Any update on the exam please…

kmb


I took the test a few weeks ago; all the questions mentioned on here are relevant, with a few new ones, e.g. “definition of posturing”. I believe it’s the simulator questions that may be incorrect in the PL files compared to what Cisco thinks is correct. I scored 33% on the troubleshooting portion of the test but I answered those exactly as the PL study material advises. So my suggestion to you is to study and learn the material based on the questions provided and talked about on this site, but also spend time researching the ways to verify all the possible answers for the simulators; do not just answer them blindly because of what someone or something said is the answer. So that means you need to know your way around the ISE GUI.

Ceejay


@kmb

Bro, do you have a copy of PL300Q? What are the answers that PL Dumps used for SIM questions?

kmb


Read the comments in each question for 300-208 here in aiotestking. They are sharing the relevant questions. I do not have the PL300 questions.

Ceejay


@kmb

What are the new questions that come out on the exam? I tried to gather some details about SIM2 and found out that most of the wrong answers are from SIM2.

kmb


Uhhhh, which one is “SIM2”?

Ceejay


Any updates on the exam guys???

Ceejay


@kmb

Here is the list of questions under sim1 and sim2. What are the answers given in the dumps that you used for the following questions?

—————–
SIMULATION 1
—————–
1)Which four statements are correct regarding the event that occurred at 2014‐05‐07 00:19:07.004? (Choose four.)

A. The IT_Corp authorization profile were applied
B. The it1 user was matched to the IT_Corp authorization policy.
C. The it1 user supplicant used the PEAP (EAP‐MSCHAPv2) authentication method.
D. The it1 user was authenticated using MAB.
E. The it1 user was successfully authenticated against AD1 identity store
F. The it1 user machine has been profiled as a Microsoft‐Workstation.
G. The it1 user machine has passed all the posture assessment tests.

2) Which three statements are correct regarding the events with the 20 repeat counts that occurred at 2014‐05‐07 00:22:48.748? (Choose three.)

A. The device was successfully authenticated using MAB.
B. The device matched the Machine_Corp authorization policy.
C. The Print Servers authorization profile were applied.
D. The device was profiled as a Linksys‐PrintServer.
E. The device MAC address is 00:14:BF:70:B5:FB.
F. The device is connected to the Gi0/1 switch port and the switch IP address is 10.10.2.2

3) Which two statements are correct regarding the event that occurred at 2014‐05‐07 00:22:48.175?(Choose two.)

A. The DACL will permit http traffic from any host to 10.10.2.20
B. The DACL will permit http traffic from any host to 10.10.3.20
C. The DACL will permit icmp traffic from any host to 10.10.2.20
D. The DACL will permit icmp traffic from any host to 10.10.3.20
E. The DACL will permit https traffic from any host to 10.10.3.20

4) Which two statements are correct regarding the event that occurred at 2014‐05‐07 00:16:55.393? (Choose two.)

A. The failure reason was user entered the wrong username.
B. The supplicant used the PAP authentication method.
C. The username entered was it1.
D. The user was authenticated against the Active Directory then also against the ISE internal user database and both fail.
E. The NAS switch port where the user connected to has a MAC address of 44:03:A7:62:41:7F
F. The user is being authenticated using 802.1X.
G. The user failed the MAB.
H. The supplicant stopped responding to ISE which caused the failure.

——————-
SIMULATION 2
——————-
1) Which two of the following statements are correct? (Choose two)

A. The ISE is not able to successfully connect to the hq-srv.secure-x.local AD server
B. The ISE internal endpoint database is used to authenticate any user not in the Active Directory domain
C. The ISE internal user database has two accounts enabled: students and test that maps to the Employee user identity group
D. Guest_Portal_Sequence is a built-in identity source sequence

2) Determine which can be two reasons why many users like the Sales and IT users are not able to authenticate and access the network using their AnyConnect NAM client with EAP-FAST? (choose two)

A. The Dot1x authentication policy is not allowing the EAP-FAST protocol
B. The rr_Corp authorization profile has the wrong Access Type configured
C. The authorization profile used for the Sales users is misconfigured
D. The order for the MAB authentication policy and the Dot1x authentication policy should be reversed.
E. Many of the Sales and IT users machines are not passing the ISE posture assessment.
F. The PERMrr_ALL_TRAFFIC DACL is missing the permit ip any any statement in the end
G. The Employee_FullAccess_DACL DACL is missing the permit ip any any statement in the end

3) Which of the following statements is correct?
A. Currently, IT users who successfully authenticate will have their packets tagged with a SGT of 3
B. Currently, IT users who successfully authenticate will be assigned to VLAN 9
C. Currently, any domain administrator who successfully authenticate will be assigned to VLAN 10
D. Computers belonging to the secure-x domain which passes matching authentication but failed user authentication will have the Employee_Restricted_DACL applied
E. Print Servers matching the Linksys_PrintServer identity group will have the following access restrictions: permit icmp any any host 10.10.2.20 , permit tcp any host 10.10.2.20 eq 80. Permit icmp any host 10.10.3.20 permit tcp any host 10.10.3.20 eq 80 deny ip any any

Mm2


Passed a few days ago…

As others have said above, abt 10-12 new q, most of which are included in the comments below.

Simulations are the same, but answers were different.
Also, focus on macsec, trustsec (sgt), posturing…

Profer


Could you share more details? In focus practice lab…
Thanks a lot

Deva


Hello Mm2, do you remember any of the lab simulation questions?

Deva


Hello All,

I failed the exam a couple of days ago. I used the Lead4Pass dump but the exam has around 50% new questions. Here are some of them: (I vaguely remember only some of them)

1. What protocol does Cisco Prime use for device discovery?

LLDP
SWISS

2. Guest user password, how is the information sent to guest users?

SMS
guest profile
via email

3. Which Cisco ISE mode is similar to 802.1x?

monitor mode
closed mode
low impact mode
open mode

4. If a guest cannot connect to the network, what should they do?

wait for idle timeout
change BYOD option
change WLC option for guest

PLEASE, CAN ANYONE SHARE THE LATEST DUMPS? I DO NOT WANT TO FAIL AGAIN AND I NEED TO TAKE THE EXAM BEFORE THIS MONTH.

PLEASE EMAIL ME DUMPS TO : [email protected]