Exam 350-701 topic 1 question 298 discussion

https://community.cisco.com/t5/security-documents/ise-admin-user-authentication-from-ad/ta-p/3159662

The correct answer is A. In Cisco ISE, you can authenticate administrators via an external identity store such as Active Directory, LDAP, or RSA SecureID. There are two models you can use to provide authentication via an external identity store: External Authentication and Authorization: There are no credentials that are specified in the local Cisco ISE database for the administrator, and authorization is based on external identity store group membership only. This model is used for Active Directory and LDAP authentication. External Authentication and Internal Authorization: The administrator’s authentication credentials come from the external identity source, and authorization and administrator role assignment take place using the local Cisco ISE database. This model is used for RSA SecurID authentication. This method requires you to configure the same username in both the external identity store and the local Cisco ISE database. Source: https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_011010.html Scroll down to: "Administrative Access to Cisco ISE Using an External Identity Store"

https://community.cisco.com/t5/security-documents/ise-admin-user-authentication-from-ad/ta-p/3159662 Step 3 Create user in AD. After created shadow user

You cannot join AD without typing in a valid user (with correct rights) to be able to joind AD, and also to do lookups in AD

https://community.cisco.com/t5/security-knowledge-base/ise-admin-user-authentication-from-ad/ta-p/3159662 Search shadow user

A should be Correct: RSA SecureID is an authentication mechanism that utilizes two-factor authentication, combining something the user knows (a PIN or password) with something the user has (a hardware or software token). In the case of RSA SecureID integration with Cisco ISE, a shadow user needs to be created on Cisco ISE for the admin login to work. When a user attempts to log in to Cisco ISE using RSA SecureID, the RSA SecureID server validates the user's credentials and generates a one-time password (OTP) or token. This OTP or token is sent to Cisco ISE for authentication. To complete the authentication process, Cisco ISE must have a shadow user account created, which mirrors the user's credentials on the RSA SecureID server.

The correct answer is A. RSA SecureID. When using RSA SecureID as the ID store on Cisco ISE (Identity Services Engine), a shadow user must be created for the admin login to work. A shadow user is a local user account created on Cisco ISE that mirrors the admin account in the RSA SecureID server.

A is correct! RSA SecureID

RSA SecureID is an external ID store that is commonly used for two-factor authentication (2FA) in Cisco ISE environments. When using RSA SecureID as the ID store, a shadow user must be created in Cisco ISE for each user who will be logging in with 2FA. This shadow user is linked to the user's RSA SecureID token, and is used to authenticate the user's login credentials. In contrast, Internal Database, Active Directory, and LDAP do not require the use of shadow users in order for admin logins to work. These ID stores authenticate users directly against their stored credentials, without the need for additional shadow accounts.

The answer is A. RSA SecureID, as it requires the creation of a shadow user on Cisco ISE for the admin login to work. This is because RSA SecureID is an authentication method that combines something a user knows (a password or PIN) with something the user has (a token). The shadow user in ISE acts as a representation of the RSA SecureID system, allowing the administrator to log in to the ISE using the combination of their password and the RSA SecureID token.

The correct answer is A. Please see Jeeves69's comment for clarification. No user is created in ISE when using AD as the ID store.

AD is correct

A is answer

Correct answer is C. Active Directory.

Correct answer is C. Active Directory. https://community.cisco.com/t5/security-documents/ise-admin-user-authentication-from-ad/ta-p/3159662

ACD are all valid answers, maybe the question is does NOT require, in which case it would be B

I think this is actually RSA. When creating a new admin user we get these details.... Information on External Checkbox If this checkbox is checked then a shadow user will be created in the ISE for authorization. This user name will be same as that in the defined External ID store. Applicable to users authenticating against RSA & RADIUS-token external ID stores.