A network engineer is configuring the switch to accept downloadable ACLs from a Cisco ISE server. Which two commands should be run to complete the configuration? (Choose two.)
A. radius-server attribute 8 include-in-access-req
B. ip device tracking
C. dot1x system-auth-control
D. radius server vsa send authentication
E. aaa authorization auth-proxy default group radius
vsa send sends vendor-specific attributes and has nothing to do with CoA,
radius-server attribute 8 sends the attribute to ISE and has nothing to do with CoA or dACL,
but the only 2 commands that have an impact are enabling dot1x globally "C" and device tracking, which enables the switch to know the IP addresses of the endpoints connected to its ports, which has an impact on the dACL. "B and C"
For me the two answers are dot1x enabled globally and the device IP tracking command.
If I don't have dot1x enabled, my switch will simply not use the dot1x feature.
How can a switch download a dynamic ACL from ISE if I do not enable the feature that permits that client to authenticate via ISE and, based on the result it got, receive a result with a dACL?
The ip device tracking feature is enabled for this purpose: per-user ACL with any.
The SW uses IP tracking to re-arrange the ACL and add the host IP instead of any.
What this means is that the device IP tracking command lets the switch modify that specific ACL with the host IP address (/32) of the device that is connected to that port.
Answer is B and D
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/15-mt/sec-user-8021x-15-mt-book/sec-ieee-802x-acl-assign.html
Configuring Downloadable ACLs
To configure a switch to accept downloadable ACLs or redirect URLs from the RADIUS server during authentication of an attached host, perform this task.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip device tracking
4. aaa new-model
5. aaa authorization network default group radius
6. radius-server vsa send authentication
7. interface interface-id
8. ip access-group acl-id in
9. end
10. show running-config interface interface-id
11. copy running-config startup-config
Ok, but first you must enable Dot1x globally to make it work.
So C) "dot1x system-auth-control" has higher preference than sending vendor-specific VSA attributes, which are anyway enabled by default.
"Step 5. Enable vendor-specific attributes (VSAs) on the switch (which may be enabled by default on the switch already):
C9300(config)# radius-server vsa send authentication
C9300(config)# radius-server vsa send accounting"
The correct answers are:
radius-server attribute 8 include-in-access-req and
dot1x system-auth-control.
The radius-server attribute 8 include-in-access-req command tells the switch to include the RADIUS attribute 8 (user group membership) in the Access-Request packet that is sent to the RADIUS server. This attribute is used by the RADIUS server to determine which downloadable ACL to send to the switch.
The dot1x system-auth-control command enables 802.1X authentication on the switch. This is required for the switch to be able to accept downloadable ACLs from the RADIUS server.
B & D. From the documentation we have:
Configuring Downloadable ACLs
To configure a switch to accept downloadable ACLs or redirect URLs from the RADIUS server during authentication of an attached host, perform this task.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip device tracking
4. aaa new-model
5. aaa authorization network default group radius
6. radius-server vsa send authentication
7. interface interface-id
8. ip access-group acl-id in
9. end
Talking about DACLs as per
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/15-mt/sec-user-8021x-15-mt-book/sec-ieee-802x-acl-assign.html
To configure a switch to accept downloadable ACLs from a Cisco ISE server, the following two commands are required:
B. ip device tracking: This command enables the switch to track IP device information, which is needed for the ISE server to provide dynamic access policies based on a device's IP address.
C. dot1x system-auth-control: This command enables 802.1X authentication on the switch and allows the switch to forward authentication requests to the ISE server.
Option B is correct because it enables the switch to track IP device information, which is required for the ISE server to provide dynamic access policies based on the IP address of the device. Without this command, the switch may not be able to provide the necessary device information to the ISE server for dynamic policy enforcement.
Option C is correct because it enables 802.1X authentication on the switch and allows the switch to forward authentication requests to the ISE server. This is required for the ISE server to authenticate users and authorize access based on the user's identity and the device's posture.
Created by ChatGPT so read with caution
My answer according to this documentation: "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/15-mt/sec-user-8021x-15-mt-book/sec-ieee-802x-acl-assign.html"
I will change it to B and C. After I read this in the official book I think B&C are correct: "The dot1x system-auth-control command allows for the any source in the provided dACL to be replaced with the IP address of the single device connected to the switch port."
B & C are correct.
A is not, because it has nothing to do with dACL.
D has been enabled by default since IOS 15.x.
E is for enabling the Auth Proxy feature.
See SISE 300-715 Official Cert Guide, pg. 266.
Step 1. Enable dot1x Globally on the Switch
dot1x system-auth-control
Step 2. Enable dACLs to function by entering this command.
IP device tracking
An old document, from 2012, but if they are using this as reference then the answer is B and D.
Configuring Downloadable ACLs
To configure a switch to accept downloadable ACLs or redirect URLs from the RADIUS server during authentication of an attached host, perform this task.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip device tracking
4. aaa new-model
5. aaa authorization network default group radius
6. radius-server vsa send authentication
7. interface interface-id
8. ip access-group acl-id in
9. end
10. show running-config interface interface-id
11. copy running-config startup-config
https://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_8021x/configuration/15-2mt/sec-ieee-802x-acl-assign.html
Tested in a lab on a Catalyst switch. dACLs work with the A and C commands enabled.
No ip device tracking, no vsa send authentication, no aaa authorization auth-proxy were enabled.
The book says B & C. dACL requires ip device tracking, and dot1x system-auth-control allows the any source in the dACL to be replaced with the IP of a single device connected to the switchport (p. 266).
To configure a switch to accept downloadable ACLs or redirect URLs from the RADIUS server during authentication of an attached host, perform this task.
SUMMARY STEPS
3. ip device tracking
4. aaa new-model
5. aaa authorization network default group radius
6. radius-server vsa send authentication
B&C. "Downloadable access control lists (dACLs) are a very common enforcement mechanism in ISE deployments. In order for dACLs to function properly on a switch, a function called IP device tracking must be enabled globally. The dot1x system-auth-control command allows for the any source in the provided dACL to be replaced with the IP address of the single device connected to the switch port."
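As an added illustration (not code from the page, the cert guide or Cisco), here is a small Python model of the two mechanisms the thread keeps coming back to: a check that the global commands listed in the quoted configuration-guide steps and cert-guide steps are present in a running-config, and the per-user ACL rewrite in which the switch replaces the `any` source of each dACL entry with the host IP learned by IP device tracking. The running-config text, the device-tracking table, the dACL, the interface names and the addresses are constructed sample data; the rewrite logic is a simplified model of the behaviour the book quote describes, not the switch's own implementation.

```python
"""Constructed model of dACL prerequisites and the per-user 'any' rewrite.

This is an added example; it is not IOS code and not from the cert guide.
"""
import ipaddress

# Global commands collected from the configuration-guide steps and the
# cert-guide steps quoted in the thread. Platforms on which
# 'radius-server vsa send authentication' is a default will not show it
# in running-config, so a 'missing' result for it needs that caveat.
REQUIRED_GLOBAL = (
    "ip device tracking",
    "aaa new-model",
    "aaa authorization network default group radius",
    "radius-server vsa send authentication",
    "dot1x system-auth-control",
)

# Constructed running-config: deliberately lacks the vsa send line.
SAMPLE_RUNNING_CONFIG = """\
aaa new-model
aaa authorization network default group radius
ip device tracking
dot1x system-auth-control
radius server ISE
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key PLACEHOLDER_SHARED_SECRET
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
"""

# Constructed dACL as ISE would push it: every source is 'any'.
SAMPLE_DACL = [
    "permit udp any eq bootpc any eq bootps",
    "permit udp any any eq domain",
    "permit tcp any host 10.10.20.5 eq 443",
    "deny ip any any",
]

# Constructed IP device tracking table: interface -> learned host address.
# Gi1/0/2 has no entry (tracking off, or the host has not sent traffic yet).
SAMPLE_DEVICE_TRACKING = {
    "GigabitEthernet1/0/1": "192.0.2.25",
}


def missing_dacl_prereqs(running_config: str) -> list[str]:
    """Return the REQUIRED_GLOBAL commands absent from a running-config."""
    present = {line.strip() for line in running_config.splitlines()}
    return [cmd for cmd in REQUIRED_GLOBAL if cmd not in present]


def rewrite_ace(ace: str, host_ip: str) -> str:
    """Replace an ACE's 'any' *source* with 'host <ip>'; destinations untouched.

    ACE shape assumed: <permit|deny> <proto> <src> [src-port] <dst> [dst-port],
    where <src> is 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'.
    """
    tokens = ace.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"unrecognised ACE: {ace!r}")
    action, proto, src = tokens[0], tokens[1], tokens[2]
    if src == "any":
        return " ".join([action, proto, "host", host_ip] + tokens[3:])
    return ace


def apply_dacl(dacl: list[str], interface: str, tracking: dict) -> list[str]:
    """Bind a dACL to the host learned on 'interface'.

    Without a device-tracking entry the switch has no address to substitute,
    which is the failure mode the thread attributes to missing
    'ip device tracking'; the model raises instead of installing an
    ACL whose source is still 'any'.
    """
    host_ip = tracking.get(interface)
    if host_ip is None:
        raise LookupError(f"no IP device tracking entry for {interface}")
    ipaddress.ip_address(host_ip)  # reject malformed table entries
    return [rewrite_ace(ace, host_ip) for ace in dacl]


def try_apply_dacl(dacl: list[str], interface: str, tracking: dict) -> tuple:
    """(True, rewritten ACEs) on success, (False, reason) on failure."""
    try:
        return True, apply_dacl(dacl, interface, tracking)
    except (LookupError, ValueError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    print("missing:", missing_dacl_prereqs(SAMPLE_RUNNING_CONFIG))
    for intf in ("GigabitEthernet1/0/1", "GigabitEthernet1/0/2"):
        print(intf, try_apply_dacl(SAMPLE_DACL, intf, SAMPLE_DEVICE_TRACKING))
```

Running it reports the one global command the constructed config lacks, shows the Gi1/0/1 dACL with every `any` source turned into `host 192.0.2.25`, and shows Gi1/0/2 failing because nothing has been learned for that port.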