Exam 300-715 topic 1 question 63 discussion

Based on numerous deployment experiences, the recommendation is to set the tx-period value to 10 seconds to provide the most optimal time for MAB devices. Setting the value below 10 seconds may result in unwanted behavior, and setting the value greater than 10 seconds may result in DHCP timeouts. Therefore, the answer is B Cisco ISE 300-715 - Official Cert Guide Page 275 "Configure Authentication Timers"

I cannot believe some answers here... "The RADIUS server then authenticates the user and returns an IP address to the endpoint" --what's that? ISE using HTTP? ISE sending IP addresses?? That doesn't make any sense... B is the most viable answer: if dot1x timeout is too long, and therefore, MAB triggers only after that time, the client might have stopped requesting IP Address

The only answer that make sense here is B. HTTP traffic is blocked... Who cares, i need to use DHCP ports so that do not matters. What I think is that the switchport have both 802.1x and MAB configured. So the client is sending an DHCP request but because the 802.1x timeout timer is too long the client is not getting the IP address at first, after that timeout time now the user can be authenticate via MAB, so you see that the user is authenticated but is failing to get the ip address.

Since the issue is "the device cannot obtain an IP address", we will be focusing on how the IP obtain mechanism was blocked. A is related to authentication (The endpoint is successfully getting the network access) B 802.1X (The endpoint is bypassing 802.1X) C DHCP probe is not working (In this case, all the endpoint that using MAB should be losing communication D will be the answer as per the commend by @denverfly below

The correct answer is - An ACL on the port is blocking HTTP traffic. When an endpoint uses MAB to authenticate, it sends a username and password to the RADIUS server. The RADIUS server then authenticates the user and returns an IP address to the endpoint. If an ACL on the port is blocking HTTP traffic, the endpoint will not be able to contact the RADIUS server to authenticate and obtain an IP address. The other options are incorrect: The endpoint is using the correct protocol to authenticate with Cisco ISE. MAB is a valid authentication protocol for Cisco ISE. The 802.1X timeout period is not relevant in this case. The endpoint is bypassing 802.1X and using MAB. The DHCP probe for Cisco ISE is not relevant in this case. The endpoint is using MAB, not DHCP. Here are some things the administrator can do to troubleshoot the issue: Check the ACL on the port to make sure that HTTP traffic is not being blocked. Verify that the endpoint is configured to use MAB. Verify that the RADIUS server is configured to accept MAB authentication. Verify that the endpoint is able to contact the RADIUS server.

When a device successfully bypasses 802.1X and authenticates using MAB (MAC Authentication Bypass), it is still required to obtain an IP address through DHCP (Dynamic Host Configuration Protocol) to communicate on the network. In this case, the fact that the endpoint cannot obtain an IP address suggests an issue with the DHCP process. The DHCP probe is a mechanism used by Cisco ISE to validate DHCP packets and ensure that the requests and responses are properly handled by the ISE infrastructure. If the DHCP probe is not functioning as expected, it can prevent DHCP traffic from reaching the DHCP server and, subsequently, hinder the endpoint from obtaining an IP address.

B sound most feasible

B is correct.

If it is too long DHCP can actually timeout

It's unlikely that the answer is B because the problem mentioned in the scenario is related to the endpoint not being able to obtain an IP address, which is a separate issue from the 802.1X timeout period. The 802.1X timeout period refers to how long the switch will wait for a response from the supplicant before assuming that it has failed to authenticate, so it wouldn't be related to the endpoint's ability to obtain an IP address.

Correct B is the answer