Exam 200-301 topic 1 question 705 discussion

Supplied reference seemed like a lazy copy and paste without verifying it was relevant or not. Since employees can access the portal it indicates that this is an issue strictly on the contractors' devices and not on the ISE. Assuming this ISE is not meant to be access by anyone but the contractors and employees internally signed certificate should be added on contractors' devices to allow trust. No need for 3rd party because its meant to verify a website such as amazon is who they say they are. See link below. https://www.ssl2buy.com/wiki/self-signed-certificate-vs-trusted-ca-signed-certificate

Is this even CCNA?

im going with B

B makes more sense to me, though I just dont know anymore....only a few hundred more q's to go........

B. Install a trusted third-party certificate on the Cisco ISE. If the employees can access the portal without errors, it suggests that the Cisco ISE is already presenting a certificate that is trusted by the employees' devices. Installing a trusted third-party certificate on the Cisco ISE might help ensure that the contractors' devices trust the certificate as well. This could be a valid solution. C. Install an internal CA signed certificate on the contractor devices. If the certificate error is specifically on the contractor devices, installing the internal CA's certificate on those devices might be a solution. This would require configuring the contractor devices to trust the internal CA that signed the certificate used by Cisco ISE. ChatGPT isn't sure. But I agree with RougePotatoe's logic, I'd answer D with the assumption ONLY contractors and employees.

Ambiguous question, as usual. But I lean toward B. Why? The lack of a trusted third-party CA signed certificate is likely the cause of the "certificate errors" on the contractor devices. Switching the ISE certificate to one signed by a third-party CA will resolve the issue, while also allowing employees to continue accessing the network. C implies something like EAP-TLS where the server requires a certificate from the client also, which would also be signed by the Internal CA. C is not correct anyway, because the contractor devices don't need an "internal CA certificate", they need the *root certificate* from the internal CA which they then would have to manually configure as trusted. Important difference.

You don't have access to the contractor devices. Answer is B.

The correct answer is B. Install a trusted third-party certificate on the Cisco ISE. When a guest portal is used, the certificate presented to the guest users must be signed by a Certificate Authority (CA) that is trusted by the guest's browser. This is typically a public CA. If the certificate is signed by an internal CA (option A and C), the guest's browser will not trust it unless the root certificate of that internal CA is manually installed on their device, which is not practical for guest users. Installing a certificate on the contractor devices (option D) would not be practical or scalable. Therefore, to avoid certificate errors when contractors attempt to access the portal, a trusted third-party certificate should be installed on the Cisco ISE. This ensures that the certificate is automatically trusted by most devices, as their browsers typically have a pre-installed list of trusted public CAs.

I think D A. Install an Internal CA signed certificate on the Cisco ISE. Wouldn't be able to authenticate contractor devices B. Install a trusted third-party certificate on the Cisco ISE. Could do this but the contractors would need their own CA C. Install an internal CA signed certificate on the contractor devices. Could do this but it would make the contractor devices and employee devices use the same CA, it would be better for contractor devices to use a dedicated SubCA D. Install a trusted third-party certificate on the contractor devices. generate 3rd party certificate with from the CA and give it out to the contractors to use

B. https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215621-tls-ssl-certificates-in-ise.html

The certificate error experienced by contractors suggests that their devices do not trust the certificate presented by the Cisco ISE for the guest portal. To resolve this, a trusted certificate needs to be installed on the Cisco ISE, which is signed by a trusted third-party certificate authority (CA). This ensures that when contractors connect to the guest portal, their devices recognize the certificate as valid and trusted. Option A, installing an internal CA signed certificate on the Cisco ISE, would only address certificate errors for devices within the same organization that have the internal CA's root certificate installed as a trusted root. It would not resolve certificate errors for external contractors' devices. Options C and D involve installing certificates on the contractor devices. However, this would require distributing and configuring certificates on each contractor device individually, which may not be practical or feasible in this scenario.

We can deduce that the EAP-TLS wireless authentication method is used, which requires a server and client certificate. Because the contracting client got a certificate error, but the employee clients did not. This eliminates the problem of the certificate on the ISE server, both in an EAP-TLS and in a PEAP (which uses a certificate only on the server, not on the client). In this case, (to be continued...)

It is recommended to use the Company Internal CA for Admin and EAP certificates, and a publicly-signed certificate for Guest/Sponsor/Hotspot/etc portals. The reason is that if a user or guest comes onto the network and the ISE portal uses a privately-signed certificate for the Guest Portal, they get certificate errors or potentially have their browser block them from the portal page. To avoid all that, use a publicly-signed certificate for Portal use to ensure a better user experience Source: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215621-tls-ssl-certificates-in-ise.html

Why everybody chose C, the Correct is B here is the link: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215621-tls-ssl-certificates-in-ise.html

Answer B. I was thinking about B or C but after studies Sico recommendation I vote for B. Search for Guest or Portal certificate in following link: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215621-tls-ssl-certificates-in-ise.html Regards,

i would say D