Exam 300-715 topic 1 question 61 discussion

Actual exam question from Cisco's 300-715
Question #: 61
Topic #: 1

An organization has a fully distributed Cisco ISE deployment. When implementing probes, an administrator must scan for unknown endpoints to learn the IP-to-MAC address bindings. The scan is complete on one PSN, but the information is not available on the others.
What must be done to make the information available?

  • A. Cisco ISE must be configured to learn the IP-MAC binding of unknown endpoints via RADIUS authentication, not via scanning.
  • B. Cisco ISE must learn the IP-MAC binding of unknown endpoints via DHCP profiling, not via scanning.
  • C. Scanning must be initiated from the MnT node to centrally gather the information.
  • D. Scanning must be initiated from the PSN that last authenticated the endpoint.
Suggested Answer: D

Comments

iceise
Highly Voted 2 years, 5 months ago
Selected Answer: D
Question is about scanning unknown endpoints. https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/reorg/b_endpoint_profiling_2_4.html#concept_57A4A7ADE3DA429A821900C5CBEA8BF0
Given below is additional information related to the manual NMAP scan results:
  • To detect unknown endpoints, NMAP should be able to learn the IP/MAC binding via NMAP or a supporting SNMP scan.
  • ISE learns IP/MAC binding of known endpoints via Radius authentication or DHCP profiling.
  • The IP/MAC bindings are not replicated across PSN nodes in a deployment. Therefore, you must trigger the manual scan from the PSN, which has the IP/MAC binding in its local database (for example, the PSN against which a mac address was last authenticated with).
  • The NMAP scan results do not display any information related to an endpoint that NMAP had previously scanned, manually or automatically.
upvoted 8 times
...
26acfae
Most Recent 6 months ago
If the endpoint is unknown, how can it be previously authenticated in a PSN? The correct answer is A.
upvoted 1 times
...
XBfoundX
1 year, 6 months ago
The correct answer is D: The most recent network scan results are stored in Work Centers > Profiler > Manual Scans > Manual NMAP Scan Results. The Manual NMAP Scan Results page displays only the most recent endpoints that are detected, along with their associated endpoint profiles, their MAC addresses, and their static assignment status as the result of a manual network scan you perform on any subnet. This page allows you to edit points that are detected from the endpoint subnet for better classification, if required. Cisco ISE allows you to perform the manual network scan from the Policy Service nodes that are enabled to run the profiling service. You must choose the Policy Service node from the primary Administration ISE node user interface in your deployment to run the manual network scan from the Policy Service node. During the manual network scan on any subnet, the Network Scan probe detects endpoints on the specified subnet, their operating systems, and checks UDP ports 161 and 162 for an SNMP service.
upvoted 1 times
XBfoundX
1 year, 6 months ago
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_cisco_ise_endpoint_profiling_policies.html
upvoted 1 times
...
...
Han2022
1 year, 8 months ago
Answer is D. To detect unknown endpoints, NMAP should be able to learn the IP/MAC binding via NMAP or a supporting SNMP scan. ISE learns IP/MAC binding of known endpoints via Radius authentication or DHCP profiling. The IP/MAC bindings are not replicated across PSN nodes in a deployment. Therefore, you must trigger the manual scan from the PSN, which has the IP/MAC binding in its local database (for example, the PSN against which a mac address was last authenticated with).
upvoted 1 times
...
Leogxn
1 year, 9 months ago
Selected Answer: C
Since the question states that "an administrator must scan for unknown endpoints", it means we are looking for an answer related to scanning, so only C or D could be the answer. If D is incorrect, the answer is C.
upvoted 1 times
...
denverfly
1 year, 10 months ago
Selected Answer: C
The answer is - Scanning must be initiated from the MnT node to centrally gather the information. The Management and Monitoring (MnT) node is the central point for collecting data from all the Policy Service Nodes (PSNs) in a distributed Cisco ISE deployment. When scanning for unknown endpoints, the MnT node will send the request to the PSNs, which will perform the scanning process and send the results back to the MnT node. The MnT node will then centrally gather and distribute the information to all the PSNs. The other options are incorrect
upvoted 1 times
...
THEODORABLE
1 year, 11 months ago
Selected Answer: D
D is my choice
upvoted 2 times
...
zsrite
2 years, 2 months ago
Answer is D. The MnT node is responsible for monitoring and troubleshooting the network and collecting data from the Policy Service Nodes (PSNs). It is the central point where information from all PSNs is collected, and from where the administrator can initiate and manage various monitoring and troubleshooting tasks. When the scan for unknown endpoints is initiated, the MnT node will send the request to the PSNs, which will perform the scanning process and send the results back to the MnT node. The MnT node will then centrally gather and distribute the information to all the PSNs, making it available to the entire deployment.
upvoted 3 times
zsrite
2 years, 2 months ago
Answer is C. The MnT node is responsible for monitoring and troubleshooting the network and collecting data from the Policy Service Nodes (PSNs). It is the central point where information from all PSNs is collected, and from where the administrator can initiate and manage various monitoring and troubleshooting tasks. When the scan for unknown endpoints is initiated, the MnT node will send the request to the PSNs, which will perform the scanning process and send the results back to the MnT node. The MnT node will then centrally gather and distribute the information to all the PSNs, making it available to the entire deployment.
upvoted 1 times
...
...
[Removed]
2 years, 6 months ago
Based on this link and paragraphs, endpoint information is not replicated to other PSNs, each PSN has to profile its endpoints and stores information in a local database. Given below is additional information related to the manual NMAP scan results: To detect unknown endpoints, NMAP should be able to learn the IP/MAC binding via NMAP or a supporting SNMP scan. ISE learns IP/MAC binding of known endpoints via Radius authentication or DHCP profiling. The IP/MAC bindings are not replicated across PSN nodes in a deployment. Therefore, you must trigger the manual scan from the PSN, which has the IP/MAC binding in its local database (for example, the PSN against which a mac address was last authenticated with). The NMAP scan results do not display any information related to an endpoint that NMAP had previously scanned, manually or automatically. https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/reorg/b_endpoint_profiling_2_4.html
upvoted 2 times
...
[Removed]
2 years, 6 months ago
Selected Answer: D
The Answer is D
upvoted 2 times
...