[2017 New] Lead2pass Latest Cisco 300-208 Exam Questions Free Downloading (151-175)

2017 August Cisco Official New Released 300-208 Dumps in Lead2pass.com!

100% Free Download! 100% Pass Guaranteed!

Lead2pass is constantly updating 300-208 exam dumps. We will provide our customers with the latest and the most accurate exam questions and answers that cover a comprehensive knowledge point, which will help you easily prepare for 300-208 exam and successfully pass your exam. You just need to spend 20-30 hours on studying the exam dumps.

Following questions and answers are all new published by Cisco Official Exam Center: https://www.lead2pass.com/300-208.html

QUESTION 151
Which statement about a distributed Cisco ISE deployment is true?

A.    It can support up to two monitoring Cisco ISE nodes for high availability.
B.    It can support up to three load-balanced Administration ISE nodes.
C.    Policy Service ISE nodes can be configured in a redundant failover configuration.
D.    The Active Directory servers of Cisco ISE can be configured in a load-balanced configuration.

Answer: A

QUESTION 152
Which Cisco ISE feature can differentiate a corporate endpoint from a personal device?

A.    EAP chaining
B.    PAC files
C.    authenticated in-band provisioning
D.    machine authentication

Answer: A

QUESTION 153
Which configuration must you perform on a switch to deploy Cisco ISE in low-impact mode?

A.    Configure an ingress port ACL on the switchport.
B.    Configure DHCP snooping globally.
C.    Configure IP-device tracking.
D.    Configure BPDU filtering.

Answer: A

QUESTION 154
Which profiling capability allows you to gather and forward network packets to an analyzer?

A.    collector
B.    spanner
C.    retriever
D.    aggregator

Answer: A

QUESTION 155
Which network access device feature can you configure to gather raw endpoint data?

A.    Device Sensor
B.    Device Classifier
C.    Switched Port Analyzer
D.    Trust Anchor

Answer: A

QUESTION 156
Which method does Cisco prefer to securely deploy guest wireless access in a BYOD implementation?

A.    deploying a dedicated Wireless LAN Controller in a DMZ
B.    configuring a guest SSID with WPA2 Enterprise authentication
C.    configuring guest wireless users to obtain DHCP centrally from the corporate DHCP server
D.    disabling guest SSID broadcasting

Answer: A

QUESTION 157
Which mechanism does Cisco ISE use to force a device off the network if it is reported lost or stolen?

A.    CoA
B.    dynamic ACLs
C.    SGACL
D.    certificate revocation

Answer: A

QUESTION 158
You discover that the Cisco ISE is failing to connect to the Active Directory server. Which option is a possible cause of the problem?

A.    NTP server time synchronization is configured incorrectly.
B.    There is a certificate mismatch between Cisco ISE and Active Directory.
C.    NAT statements required for Active Directory are configured incorrectly.
D.    The RADIUS authentication ports are being blocked by the firewall.

Answer: A

QUESTION 159
Which type of remediation does Windows Server Update Services provide?

A.    automatic remediation
B.    administrator-initiated remediation
C.    redirect remediation
D.    central Web auth remediation

Answer: A

QUESTION 160
Which three remediation actions are supported by the Web Agent for Windows? (Choose three.)

A.    Automatic Remediation
B.    Message text
C.    URL Link
D.    File Distribution
E.    AV definition update
F.    Launch Program

Answer: BCD

QUESTION 161
What endpoint operating system provides native support for the SPW?

A.    Apple iOS
B.    Android OS
C.    Windows 8
D.    Mac OS X

Answer: A

QUESTION 162
Which condition triggers wireless authentication?

A.    NAS-Port-Type is set to IEEE 802.11.
B.    Framed-Compression is set to None.
C.    Service-Type is set to Framed.
D.    Tunnel-Type is set to VLAN.

Answer: A

QUESTION 163
Which feature enables the Cisco ISE DHCP profiling capabilities to determine and enforce authorization policies on mobile devices?

A.    disabling the DHCP proxy option
B.    DHCP option 42
C.    DHCP snooping
D.    DHCP spoofing

Answer: A

QUESTION 164
With which two appliance-based products can Cisco Prime Infrastructure integrate to perform centralized management? (Choose two.)

A.    Cisco Managed Services Engine
B.    Cisco Email Security Appliance
C.    Cisco Wireless Location Appliance
D.    Cisco Content Security Appliance
E.    Cisco ISE

Answer: AE

QUESTION 165
Which two options are EAP methods supported by Cisco ISE? (Choose two.)

A.    EAP-FAST
B.    EAP-TLS
C.    EAP-MS-CHAPv2
D.    EAP-GTC

Answer: AB

QUESTION 166
You configured wired 802.1X with EAP-TLS on Windows machines. The ISE authentication detail report shows “EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain.” What is the most likely cause of this error?

A.    The ISE certificate store is missing a CA certificate.
B.    The Wireless LAN Controller is missing a CA certificate.
C.    The switch is missing a CA certificate.
D.    The Windows Active Directory server is missing a CA certificate.

Answer: A

QUESTION 167
What type of identity group is the Blacklist identity group?

A.    endpoint
B.    user
C.    blackhole
D.    quarantine
E.    denied systems

Answer: A

QUESTION 168
Which feature must you configure on a switch to allow it to redirect wired endpoints to Cisco ISE?

A.    the http secure-server command
B.    RADIUS Attribute 29
C.    the RADIUS VSA for accounting
D.    the RADIUS VSA for URL-REDIRECT

Answer: A

QUESTION 169
Lab Sim
The Secure-X company has recently successfully tested the 802.1X authentication deployment using the Cisco Catalyst switch and the Cisco ISEv1.2 appliance. Currently, each employee desktop is connected to an 802.1X enabled switch port and is able to use the Cisco AnyConnect NAM 802.1Xsupplicantto log in and connect to the network.
Currently, a new testing requirement is to add a network printer to the Fa0/19 switch port and have it connect to the network. The network printer does not support 802.1X supplicant. The Fa0/19 switch port is now configured to use 802.1X authentication only.
To support this network printer, the Fa0/19 switch port configuration needs to be edited to enable the network printer to authenticate using its MAC address. The network printer should also be on VLAN 9.
Another network security engineer responsible for managing the Cisco ISE has already per- configured all the requirements on the Cisco ISE, including adding the network printer MAC address to the Cisco ISE endpoint database and etc…
Your task in the simulation is to access the Cisco Catalyst Switch console then use the CLI to:

– Enable only the Cisco Catalyst Switch Fa0/19 switch port to authenticate the network printer using its MAC address and:
– Ensure that MAC address authentication processing is not delayed until 802.1Xfails
– Ensure that even if MAC address authentication passes, the switch will still perform 802.1X authentication if requested by a 802.1X supplicant
– Use the required show command to verify the MAC address authentication on the Fa0/19 is successful

The switch enable password is Cisco
For the purpose of the simulation, to test the network printer, assume the network printer will be unplugged then plugged back into the Fa0/19 switch port after you have finished the required configurations on the Fa0/19 switch port.
Note: For this simulation, you will not need and do not have access to the ISE GUI To access the switch CLI, click the Switch icon in the topology diagram

 

Answer: Review the explanation for full configuration and solution.
Initial configuration for fa 0/19 that is already done:

 

AAA configuration has already been done for us.
We need to configure mac address bypass on this port to achieve the goal stated in the question.
To do this we simply need to add this command under the interface:

mab

Then do a shut/no shut on the interface.

Verification:

 

Explanation:
1.Ensure that MAC address authentication processing is not delayed until 802.1X fails?
authentication order mab dot1x
2.Ensure that even if MAC address authentication passes, the switch will still perform 802.1X authentication if requested by a 802.1X supplicant?
authentication priority dot1x mab
3.Use the required show command to verify the MAC address authentication on the Fa0/19 is successful?
show authentication sessions interface fa0/19

configure terminal
!
!
interface fastethernet 0/9
mab
authentication order mab dot1x
authentication priority dot1x mab
shutdown
no shutdown
!
!
end
!
!
show authentication session interface fastethernet 0/9
!
!
Copy running-config startup-config

QUESTION 170
Lab Sim
The Secure-X company has started to tested the 802.1X authentication deployment using the Cisco Catalyst 3560-X layer 3 switch and the Cisco ISEvl2 appliance. Each employee desktop will be connected to the 802.1X enabled switch port and will use the Cisco AnyConnect NAM 802.1X supplicant to log in and connect to the network.
Your particular tasks in this simulation are to create a new identity source sequence named AD_internal which will first use the Microsoft Active Directory (AD1) then use the ISE Internal User database. Once the new identity source sequence has been configured, edit the existing DotlX authentication policy to use the new AD_internal identity source sequence.
The Microsoft Active Directory (AD1) identity store has already been successfully configured, you just need to reference it in your configuration.

 

In addition to the above, you are also tasked to edit the IT users authorization policy so IT users who successfully authenticated will get the permission of the existing IT_Corp authorization profile.
Perform this simulation by accessing the ISE GUI to perform the following tasks:

– Create a new identity source sequence named AD_internal to first use the Microsoft Active Directory (AD1) then use the ISE Internal User database
– Edit the existing Dot1X authentication policy to use the new AD_internal identity source sequence:
– If authentication failed-reject the access request
– If user is not found in AD-Drop the request without sending a response
– If process failed-Drop the request without sending a response
– Edit the IT users authorization policy so IT users who successfully authenticated will get the permission of the existing IT_Corp authorization profile.

To access the ISE GUI, click the ISE icon in the topology diagram. To verify your configurations, from the ISE GUI, you should also see the Authentication Succeeded event for the it1 user after you have successfully defined the DotlX authentication policy to use the Microsoft Active Directory first then use the ISE Internal User Database to authenticate the user. And in the Authentication Succeeded event, you should see the IT_Corp authorization profile being applied to the it1 user. If your configuration is not correct and ISE can’t authenticate the user against the Microsoft Active Directory, you should see the Authentication Failed event instead for the it1 user.
Note: If you make a mistake in the Identity Source Sequence configuration, please delete the Identity Source Sequence then re-add a new one. The edit Identity Source Sequence function is not implemented in this simulation.

 

 

Answer: Review the explanation for full configuration and solution.
Step 1: create a new identity source sequence named AD_internal which will first use the Microsoft Active Directory (AD1) then use the ISE Internal User database as shown below:
 

Step 2: Edit the existing Dot1x policy to use the newly created Identity Source:

 

Then hit Done and save.

Explanation:
In answer they only create identity source sequence and apply it to policy, but the task is more, we must:
1) select Drop in If user not found and If process failed in authentication rule
2) set IT_Corp authorization profile for IT users

QUESTION 171
Hotspot Question
In this simulation, you are task to examine the various authentication events using the ISE GUI. For example, you should see events like Authentication succeeded. Authentication failed and etc…

 

 

 

Which four statements are correct regarding the event that occurred at 2014-05-07 00:19:07.004? (Choose four.)

A.    The IT_Corp authorization profile were applied.
B.    The it1 user was matched to the IT_Corp authorization policy.
C.    The it1 user supplicant used the PEAP (EAP-MSCHAPv2) authentication method.
D.    The it1 user was authenticated using MAB.
E.    The it1 user was successfully authenticated against AD1 identity store.
F.    The it1 user machine has been profiled as a Microsoft-Workstation.
G.    The it1 user machine has passed all the posture assessement tests.

Answer: ACEF
Explanation:
Here are the details shown for this event:

 

QUESTION 172
Hotspot Question
In this simulation, you are task to examine the various authentication events using the ISE GUI. For example, you should see events like Authentication succeeded. Authentication failed and etc…

 

 

Which three statements are correct regarding the events with the 20 repeat count that occurred at 2014-05-07 00:22:48.748? (Choose three.)

A.    The device was successfully authenticated using MAB.
B.    The device matched the Machine_Corp authorization policy.
C.    The Print Servers authorization profile were applied.
D.    The device was profiled as a Linksys-PrintServer.
E.    The device MAC address is 00:14:BF:70:B5:FB.
F.    The device is connected to the Gi0/1 switch port and the switch IP address is 10.10.2.2.

Answer: ADE
Explanation:
Event Details:

 

…continued:

 

QUESTION 173
Hotspot Question
In this simulation, you are task to examine the various authentication events using the ISE GUI. For example, you should see events like Authentication succeeded. Authentication failed and etc…

 

 

Which two statements are correct regarding the event that occurred at 2014-05-07 00:22:48.175? (Choose two.)

A.    The DACL will permit http traffic from any host to 10.10.2.20
B.    The DACL will permit http traffic from any host to 10.10.3.20
C.    The DACL will permit icmp traffic from any host to 10.10.2.20
D.    The DACL will permit icmp traffic from any host to 10.10.3.20
E.    The DACL will permit https traffic from any host to 10.10.3.20

Answer: AE
Explanation:
Event Details:

 

 

 
QUESTION 174
Hotspot Question
In this simulation, you are task to examine the various authentication events using the ISE GUI. For example, you should see events like Authentication succeeded. Authentication failed and etc…

 

 

Which two statements are correct regarding the event that occurred at 2014-05-07 00:16:55.393? (Choose two.)

A.    The failure reason was user entered the wrong username.
B.    The supplicant used the PAP authentication method.
C.    The username entered was it1.
D.    The user was authenticated against the Active Directory then also against the ISE interal user database and both fails.
E.    The NAS switch port where the user connected to has a MAC address of 44:03:A7:62:41:7F
F.    The user is being authenticated using 802.1X.
G.    The user failed the MAB.
H.    The supplicant stopped responding to ISE which caused the failure.

Answer: CF
Explanation:
Event Details:

 
 

QUESTION 175
Changes were made to the ISE server while troubleshooting, and now all wireless certificate authentications are failing. Logs indicate an EAP failure.
What are the two possible causes of the problem? (Choose two.)

A.    EAP-TLS is not checked in the Allowed Protocols list
B.    Client certificate is not included in the Trusted Certificate Store
C.    MS-CHAPv2-is not checked in the Allowed Protocols list
D.    Default rule denies all traffic
E.    Certificate authentication profile is not configured in the Identity Store

Answer: AE

Lead2pass is no doubt your best choice. Using the Cisco 300-208 exam dumps can let you improve the efficiency of your studying so that it can help you save much more time.

300-208 new questions on Google Drive: https://drive.google.com/open?id=0B3Syig5i8gpDM1I1WlhIdHJZNjA

2017 Cisco 300-208 exam dumps (All 300 Q&As) from Lead2pass:

https://www.lead2pass.com/300-208.html [100% Exam Pass Guaranteed]