According to CiscoPress SISE ebook, BYOD:
---
For Android:
"The NSP portal displays the device registration page with the Device ID field
prepopulated with the MAC address of the endpoint."
- you can see this also in the video at time 4:20:
https://youtu.be/z0sRiffVdpg?t=264
-
For Apple iOS, there are 2 certificates in the BYOD flow:
1. Device Enrollment
■ CN=device-UDID
■ SAN=MAC-Address
---
2. Device Provisioning
■ CN=Username
■ SAN=MAC-Address
---
UDID is NOT a hostname, just some numeric value, and it exists only for Apple.
UDID according to Cisco is: "UDID Value. Match based on Unique Device Identifier (Apple specific)"
https://community.cisco.com/t5/security-knowledge-base/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867
- Example of UDID (it is just a number):
https://messapps.com/allcategories/development/finding-ios-devices-udid-via-itunes-2/
---
(continuation in comment)
Even though CN can be the MAC address (Device ID) in the case of Android, this is NOT true for Apple iOS.
So B (hostname in CN) is NOT correct according to me.
See issued BYOD certificates here (screenshot in the section Manage issued certificates):
https://community.cisco.com/t5/security-knowledge-base/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867#toc-hId-2093653871
---
Endpoint certificate is NOT mandatory for BYOD.
"While ISE supports various EAP types for 802.1X authentication, with ISE BYOD, there are three EAP Types that can be used; EAP-TLS, EAP-PEAP-MSCHAPv2, and EAP-FAST"
https://community.cisco.com/t5/security-knowledge-base/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867
---
(continuation in comment)
So the correct one will be D:
"In ISE 2.2 (when using the Network Setup Assistant app version 2.2.X and Android version 6.0, 7.0 or newer) during the onboarding process, the Android device will make a certificate request directly to the ISE-server using the Enrollment over Secure Transport (EST) protocol.
Due to this change, the firewall port that has to be open between the Android device and the ISE-server has changed as well to port TCP 8084."
https://www.wiresandwi.fi/blog/android-byod-ise-22-changes
I haven't found any mention of EST support on iOS, just SCEP.
The correct answer is actually D.
CN is locked to $username$
SAN is locked to MAC address.
Android does use EST for certificate enrollment.
These two articles have this information.
https://community.cisco.com/t5/security-knowledge-base/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867
https://community.cisco.com/t5/security-knowledge-base/android-byod-provisioning-error-quot-certificate-generation/ta-p/3733734
The answer here is B.
The CN field has the FQDN of the local computer, hostname + domain.
The D answer is not bad, but it says that Android uses EST for certificate enrollment while the other vendors use SCEP. I mean IT CAN BE USED, BUT IT IS NOT MANDATORY; other vendors will also use different protocols for certificate enrollment.
The B answer should be true because the CN field actually contains the hostname of the device.
Windows, for example, also has this protocol:
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wcce/446a0fca-7f27-4436-965d-191635518466
The Common Name (CN), also known as the Fully Qualified Domain Name (FQDN), is the characteristic value within a Distinguished Name (DN). Typically, it is composed of Host Domain Name and looks like, "www.digicert.com" or "digicert.com"
remember that the host domain name is the hostname of that device.
For example if the name of your computer is PIPPO and you will join to the AD cisco.com the FQDN / CN will be PIPPO.cisco.com
It should be B. When configuring certificates for Bring Your Own Device (BYOD), it is important to consider populating the CN (Common Name) field with the endpoint host name. The CN field should contain the host name or FQDN (Fully Qualified Domain Name) of the endpoint device. This allows the certificate to be properly validated when the device connects to the network. The CN field helps ensure that the device is correctly identified and authorized for network access.
What about D?
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/116068-configure-product-00.html
I am thinking D. Android uses EST and other OSes use SCEP.
Alternative Name (SAN) Currently, only value available is the MAC Address. The MAC Address is pulled from the RADIUS session from the endpoint that initiated the BYOD flow. This is one way ISE allows admin user to tie the certificate to the actual endpoint that it was signed for.
I would go with B,
"CN is auto populated with the username that is going through the BYOD flow. Other attributes can be entered here to reflect the site. If differentiating different endpoint or users based on certificate is needed, then any of the attributes here can be changed and can be used during AuthZ to provide differentiated access. For instance if OU=HR, the endpoint can have access to HR resources, while other endpoints cannot access HR resources"
https://community.cisco.com/t5/security-knowledge-base/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867
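An added example, not from this thread and not Cisco's code: the authorization check the quoted text describes, comparing the MAC address carried in the certificate SAN against the RADIUS Calling-Station-Id of the session so that a user certificate only grants access from the endpoint it was issued to. The certificate is modelled as an already-parsed dict, the MAC notations are constructed, and how ISE actually encodes the MAC inside the SAN is an assumption; the hyphen/colon/dotted normalization is my addition.

```python
import re

# Constructed sample data (not from the original thread): the fields an ISE BYOD
# certificate template produces (CN=$UserName$, SAN=MAC address). The exact SAN
# encoding of the MAC is an assumption for this example.
SAMPLE_CERT = {
    "subject": {"CN": "jdoe", "O": "Example Corp"},
    "san": ["00-11-22-AA-BB-CC"],
}


def normalize_mac(value):
    """Return a MAC as 12 lowercase hex digits, or None if the value is not a MAC.

    Accepts the notations a RADIUS client may send in Calling-Station-Id:
    AA-BB-CC-DD-EE-FF, AA:BB:CC:DD:EE:FF, aabb.ccdd.eeff and AABBCCDDEEFF.
    """
    stripped = value.strip()
    if not re.fullmatch(r"[0-9a-fA-F:.\- ]+", stripped):
        return None
    digits = re.sub(r"[^0-9a-fA-F]", "", stripped)
    if len(digits) != 12:
        return None
    return digits.lower()


def san_matches_calling_station(cert, calling_station_id):
    """The BYOD authorization condition: some SAN entry carries the same MAC that
    the RADIUS session reports for the authenticating endpoint."""
    session_mac = normalize_mac(calling_station_id)
    if session_mac is None:
        return False
    return any(normalize_mac(entry) == session_mac for entry in cert["san"])


def byod_identity(cert, calling_station_id):
    """Return (username, mac) when the certificate is bound to this endpoint,
    otherwise None (e.g. a user certificate copied to another device)."""
    if not san_matches_calling_station(cert, calling_station_id):
        return None
    return cert["subject"].get("CN"), normalize_mac(calling_station_id)


if __name__ == "__main__":
    # Same certificate presented from the enrolled endpoint vs. from another device.
    print(byod_identity(SAMPLE_CERT, "0011.22aa.bbcc"))
    print(byod_identity(SAMPLE_CERT, "00:11:22:aa:bb:cd"))
```

The check deliberately ignores the CN: whether it holds a username, a UDID or a hostname, the binding to the endpoint comes from the SAN, which is why a copied certificate fails from any other MAC.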
MacOS and Windows devices: Employee clicks Register in the BYOD portal to download and install the supplicant provisioning wizard (Network Setup Assistant), which configures the supplicant and provides the certificate (if necessary) used for EAP-TLS certificate-based authentication. The issued certificate is embedded with the device's MAC address and employee's username.
As per the
https://community.cisco.com/t5/security-knowledge-base/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867,
it should be B. CN is populated with username. SAN can only have MAC address.
Correct answer might be A or C.
Device Enrollment CSR is:
SAN = Username
CN = Device-UDID
User CSR is:
SAN = MAC Address
CN = Username
Any thoughts on which is better?
Community vote distribution: A (35%), C (25%), B (20%), Other
Commenters and posting times listed on the page (newest first):
- 327c7c8 (4 days ago)
- NikoTomas (5 months ago)
- NikoTomas (5 months ago)
- NikoTomas (5 months ago)
- [Removed] (6 months, 1 week ago)
- XBfoundX (8 months ago)
- XBfoundX (8 months ago)
- XBfoundX (8 months ago)
- XBfoundX (8 months ago)
- thol119 (8 months, 2 weeks ago)
- CCNP21 (12 months ago)
- TomMarvolo (1 year, 1 month ago)
- rhylos (1 year, 1 month ago)
- rhylos (1 year, 1 month ago)
- rhylos (1 year, 1 month ago)
- matan24 (1 year, 3 months ago)
- Russ (1 year, 7 months ago)
- kornalt (1 year, 5 months ago)
- Hereim (1 year, 5 months ago)
- kthekillerc (2 years, 2 months ago)
- Cisco_SecCol_111 (2 years, 9 months ago)