A laptop was stolen and a network engineer added it to the block list endpoint identity group. What must be done on a new Cisco ISE deployment to redirect the laptop and restrict access?
A. Select DROP under If Auth fail within the authentication policy.
B. Ensure that access to port 8444 is allowed within the ACL.
C. Ensure that access to port 8443 is allowed within the ACL.
D. Select DenyAccess within the authentication policy.
The correct answer is B: Ensure that access to port 8444 is allowed within the ACL.
Adding the stolen laptop to the Blocked List (formerly Blacklist) endpoint identity group marks the device, but it is the authorization that acts on that mark: on a new deployment the engineer still needs an authorization rule that matches the Blocked List identity group and applies a profile that redirects the endpoint to the Blocked List portal, where the user is told the device has been denied network access. That portal listens on TCP port 8444 by default. The redirect only works if the ACL enforced on the network access device lets the endpoint reach the ISE Policy Service Node on that port; if 8444 is not permitted, the browser is sent to a portal URL it cannot reach, the user sees a timeout, and the "redirect and restrict" behaviour the question asks for never happens.
Why the other options are incorrect:
A. Select DROP under If Auth fail within the authentication policy. DROP silently discards the RADIUS request when authentication fails, so the endpoint gets no session at all and there is nothing to redirect. It also applies only to failed authentication, while a blocked device may well authenticate successfully and is meant to be stopped at authorization.
C. Ensure that access to port 8443 is allowed within the ACL. 8443 is the default port of the guest portals (and the My Devices portal), not of the Blocked List portal. Permitting it does nothing for a redirect to port 8444.
D. Select DenyAccess within the authentication policy. DenyAccess is an authorization profile, not an option of the authentication policy (whose If Auth fail choices are Reject, Continue and Drop), and it only rejects the session. It restricts access but does not redirect the laptop to a portal, so it does not meet the scenario.
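To make option B concrete, the following is an added example of what the ACLs look like on a Cisco IOS/IOS-XE access switch performing URL redirection for a Blocked List endpoint. It is not taken from the question, the site, or Cisco's documentation: the PSN address 10.10.10.20 and the ACL names are placeholders, and the only value carried over from the page is the default Blocked List portal port 8444. On IOS switches a permit line in the redirect ACL means "intercept this traffic and redirect it", and deny means "pass it untouched", so the PSN itself must be excluded from redirection; a separate downloadable ACL pushed with the same authorization profile must then permit the endpoint to reach the PSN on 8444, and that is the line whose absence breaks the scenario.

```cisco
! Assumed values: ISE PSN = 10.10.10.20, ACL names are placeholders.
! --- Redirect ACL, configured on the switch and referenced by name in the ISE
!     authorization profile applied to the Blocked List endpoint identity group ---
ip access-list extended ACL-BLOCKLIST-REDIRECT
 remark Do not redirect infrastructure traffic or traffic already going to the PSN
 deny   udp any any eq bootps
 deny   udp any any eq domain
 deny   ip  any host 10.10.10.20
 remark Everything else a browser sends is intercepted and sent to the Blocked List portal
 permit tcp any any eq www
 permit tcp any any eq 443

! --- Downloadable ACL (defined in ISE, pushed with the same authorization profile) ---
! WRONG: the portal port is missing. The switch redirects the browser to
! https://10.10.10.20:8444/... but then drops that connection at "deny ip any any",
! so the user sees a timeout instead of the "device denied" page.
permit udp any any eq 53
permit udp any any eq 67
permit tcp any any eq 80
permit tcp any any eq 443
deny   ip any any

! CORRECT (option B): the endpoint may reach the PSN on the Blocked List portal port,
! so the redirect lands on the portal and the device is informed it is blocked.
permit udp any any eq 53
permit udp any any eq 67
permit tcp any host 10.10.10.20 eq 8444
permit tcp any any eq 80
permit tcp any any eq 443
deny   ip any any
```

To check the result on the switch, show authentication sessions interface <port> details (or show access-session interface <port> details on newer IOS-XE) lists the redirect URL and the ACLs applied to the endpoint's session; a session that shows the redirect URL but no permit to the PSN on 8444 is exactly the failure described above. Note that the redirect ACL semantics are reversed on AireOS wireless controllers (permit passes traffic, deny redirects it), so the same logic has to be expressed the other way round there.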
search for "Blocked List portal: Port 8444"
https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/admin_guide/b_ISE_admin_3_0/b_ISE_admin_30_guest.html?bookSearch=true
Employees do not access this portal directly, but are redirected to it.
If employees lose their personal device or it is stolen, they can update its status in the My Devices portal, which adds it to the Blacklist endpoint identity group. This prevents others from using the device to obtain unauthorized network access. If anyone attempts to connect to the network using one of these devices, they are redirected to the Blacklist portal which informs them that the device is denied access to the network.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/m_ise_device_access.html
The keyword in the question is "redirect", so only option B meets the scenario: when the port is allowed within the ACL, the endpoint can access the Blacklist portal in the network.
Answer A will prevent redirection. The Blacklist portal listens on port 8444; thus, B should be the right answer. Ensure that access to the portal is allowed, and then the portal does the redirection.