A network engineer is tasked with configuring a Cisco ISE server to implement external authentication against Active Directory. What must be considered about the authentication requirements? (Choose two.)
A. RADIUS communication must be permitted between the ISE server and the domain controller.
B. The ISE account must be a domain administrator in Active Directory to perform JOIN operations.
C. Active Directory only supports user authentication by using MSCHAPv2.
D. LDAP communication must be permitted between the ISE server and the domain controller.
E. Active Directory supports user and machine authentication by using MSCHAPv2.
https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1079999
Microsoft Active Directory
Cisco ISE uses Active Directory as an external identity source to access resources such as users, machines, groups, and attributes. You can configure Cisco ISE to authenticate users and machines.
Answer D is correct ^^
MS-CHAPv2—Cisco ISE supports user and machine authentication against Active Directory using EAP-MSCHAPv2
Answer E is correct ^^
They should really allow you to delete posts when you make mistakes (because you're tired of looking at all these questions!!).
To continue - I messed up above and should have said that E is correct based on those two statements in that doc.
The other answer is D and it's found here:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/ise_active_directory_integration/b_ISE_AD_integration_2x.html#reference_94BE6ABB85BC47C8AEC29EF8D286E6E4
Under the table heading: Network Ports That Must Be Open for Communication
The table specifies LDAP TCP/UDP port 389 must communicate with DC
Disregard the comment about C.
A is wrong, only MSRPC/Kerberos/LDAP are needed.
B is wrong, the ISE account (superuser) is different from a domain admin.
C is wrong, MSCHAPv2 is used for user or machine auth (so E is correct).
D is correct.
E is correct.
Check the 3 tables in the Cisco doc (AD-ISE integration steps):
https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/ise_active_directory_integration/b_ISE_AD_integration_2x.html
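As an added example (not code from the thread or from Cisco), here is a small reachability check for the ISE-to-domain-controller ports that the linked "Network Ports That Must Be Open for Communication" table is about. The ports the thread itself cites are LDAP 389, Kerberos 88 and MSRPC 445; DNS 53, NTP 123 and Global Catalog 3268 are added from memory of that table and should be treated as an assumption to verify against the table for your ISE release. The hostname `dc01.example.com` is a placeholder, and the `connect` parameter exists so the logic can be exercised without a live DC.

```python
"""Check that the ports ISE needs toward an AD domain controller are reachable.

Added example, not from the ExamTopics thread or the Cisco guide. The port
list is an assumption built from the thread (LDAP 389, Kerberos 88, MSRPC 445)
plus entries recalled from Cisco's table (DNS 53, NTP 123, GC 3268); confirm
it against the table for your release before relying on it.
"""
import socket
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    name: str
    number: int
    proto: str  # "tcp" or "udp"


# Assumed ISE -> DC port list; verify against Cisco's table for your release.
# RADIUS (1812/1813) is deliberately absent: it runs between the network
# device (switch/AP) and ISE, not between ISE and the domain controller.
ISE_TO_DC_PORTS = (
    Port("DNS", 53, "tcp"),
    Port("DNS", 53, "udp"),
    Port("Kerberos", 88, "tcp"),
    Port("Kerberos", 88, "udp"),
    Port("NTP", 123, "udp"),
    Port("LDAP", 389, "tcp"),
    Port("LDAP", 389, "udp"),
    Port("MSRPC/SMB", 445, "tcp"),
    Port("LDAP Global Catalog", 3268, "tcp"),
)


def tcp_connect(host, port, timeout=2.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ports(dc_host, ports=ISE_TO_DC_PORTS, connect=tcp_connect):
    """Probe each TCP port with `connect(host, port)`.

    UDP is connectionless, so a plain socket probe cannot prove a UDP port is
    open; those entries are reported as 'unverified (udp)' instead of guessed.
    Returns {(name, number, proto): "open" | "blocked" | "unverified (udp)"}.
    """
    results = {}
    for p in ports:
        key = (p.name, p.number, p.proto)
        if p.proto == "udp":
            results[key] = "unverified (udp)"
        else:
            results[key] = "open" if connect(dc_host, p.number) else "blocked"
    return results


def blocked_ports(results):
    """Return the (name, number) pairs that were probed and found blocked."""
    return sorted((name, num) for (name, num, proto), status in results.items()
                  if status == "blocked")


if __name__ == "__main__":
    # Placeholder DC name; pass the real DC FQDN as the first argument.
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.com"
    for (name, num, proto), status in check_ports(dc).items():
        print(f"{name:<20} {proto}/{num:<5} {status}")
    if blocked_ports(check_ports(dc)):
        print("Some required TCP ports are blocked; fix the firewall before the AD join.")
```

Run it from a host in the same network position as the ISE PAN/PSN (the ISE CLI itself has no Python, so run it from a jump host with equivalent firewall rules). A "blocked" result on 389 or 445 is the usual reason an AD join fails even though the join account and credentials are fine.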
I am going for A & D:
A. RADIUS communication must be permitted between the ISE server and the domain controller: Cisco ISE can use RADIUS as one of the protocols to communicate with the Active Directory domain controller for user authentication.
E Does not sound right because Active Directory supports both user and machine authentication using various authentication protocols, not just MSCHAPv2.
Agree with achille5.
Active Directory supports multiple authentication protocols, including MSCHAPv2, Kerberos, and NTLM.
Agree with the others on D and E. I wasn't sure if B could be an option, but on further research you don't need to be a domain admin to join a workstation/server to a domain.
However this documentation from Cisco states "Ensure you have Active Directory Domain Admin credentials, required to make changes to any of the AD domain configurations." https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/ise_active_directory_integration/b_ISE_AD_integration_2x.html
It would be disappointing if B was included in one of the two correct answers.
A. RADIUS communication must be permitted between the ISE server and the domain controller. - NOT TRUE - this is only between the Authenticator (switch / AP) and the Authentication Server (i.e. ISE).
B. The ISE account must be a domain administrator in Active Directory to perform JOIN operations. - NOT TRUE - it just needs a regular account; no DC admin privileges are necessary. Such an account is usually called a service account.
C. Active Directory only supports user authentication by using MSCHAPv2. - NOT TRUE - many others are supported, as already mentioned below.
I would go for D, E as well, according to this doc:
https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1079999
"MS-CHAPv2—Cisco ISE supports user and machine authentication against Active Directory using EAP-MSCHAPv2."
"If there is a firewall between Cisco ISE and Active Directory, certain ports need to be opened to allow Cisco ISE to communicate with Active Directory. Ensure that the following default ports are open: LDAP 389 UDP (...amongst others)"
ISE only authenticates the user; it does not JOIN machines to the domain, so no admin account is needed. LDAP is used for communication with Microsoft AD.
While the ISE account must be admin, you don't need an admin account in Active Directory to perform the join operation.
AD supports MSCHAPv2 for machine and user authentication.
LDAP must be permitted between ISE and AD domain controller.
Answer is D, E.
AFAIK the ISE account is not an admin account; it's a computer account that we allow to log in. The account used to join ISE to AD needs special permissions, and most of the time it's an admin user.
I think it's B and E. B because we need to create and set an admin group; E because C is not correct. AD supports many user methods, NTLM etc. I would go for B & E.
You need not have domain admin rights, as per the guide link attached, so I think it should be D, E: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/217351-ad-integration-for-cisco-ise-gui-and-cli.html#anc6