Exam 300-715 topic 1 question 163 discussion

Actual exam question from Cisco's 300-715
Question #: 163
Topic #: 1

Refer to the exhibit. An engineer is configuring Cisco ISE for guest services. They would like to have any unregistered guests redirected to the guest portal for authentication, then have a CoA provide them with full access to the network that is segmented via firewalls. Why is the given configuration failing to accomplish this goal?

  • A. The Guest Portal and Guest Access policy lines are in the wrong order.
  • B. The PermitAccess result is not set to restricted access in its policy line.
  • C. The Network_Access_Authentication_Passed condition will not work with guest services for portal access.
  • D. The Guest_Flow condition is not in the line that gives access to the guest portal.
Suggested Answer: A

Comments

CiscoEnthu
1 week, 6 days ago
The "Network_Access_Authentication_Passed" condition should not be satisfied as we are using the Authentication Policy condition as "If user not found, continue". If this condition is not hit, the order of the Authorization Policy will never matter. I agree with cris711 for the correct answer to be C.
upvoted 1 times
...
cris711
7 months, 1 week ago
Why not C? How will any unauthenticated endpoint authenticate with these two rules, regardless of their order?
upvoted 1 times
cris711
7 months, 1 week ago
Guest_Flow is used to identify when an authentication has occurred via an ISE web portal.
upvoted 4 times
...
NikoTomas
4 months, 2 weeks ago
Because:
1. Guest connects his unknown device to the network, no supplicant, so MAB will occur.
2. First rule "Guest Portal" redirects to WebAuth portal, where guest authenticates.
3. ISE issues CoA, NAD will start new authentication (which is MAB again, as guest does not have supplicant).
4. As "Guest Portal" rule is #1 in the policy, MAB will hit it again and redirect guest to WebAuth portal (again).
5. As rule "Guest Access", which matches Guest_Flow (i.e. guest is authenticated), is in #2 place, it will never match. So guest keeps looping on rule #1.

We need to move rule "Guest Access" to the top (#1). If a non-authenticated guest connects, the #1 rule (Guest_Flow) will NOT match and ISE will continue to rule #2 (WebAuth portal). As the authenticated guest is being evaluated after CoA, policy matches rule #1 (Guest_Flow) and guest is allowed to the network.
upvoted 1 times
...
...
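The redirect loop walked through in the comment above, as an added example that is not part of the original thread and is not ISE code. It is a simplified first-match model; the rule names, conditions and results are taken from the comments' description of the exhibit, and the default `DenyAccess` rule and the `guest_session` helper are assumptions.

```python
# Simplified model of first-match authorization policy evaluation.
# Not ISE code: rules follow the thread's description of the exhibit,
# which is not reproduced on this page.

GUEST_PORTAL = ("Guest Portal", "Network_Access_Authentication_Passed", "Cisco_WebAuth")
GUEST_ACCESS = ("Guest Access", "Guest_Flow", "PermitAccess")


def authorize(policy, session):
    """Return (rule name, result) of the first rule whose condition is true."""
    for name, condition, result in policy:
        if session.get(condition):
            return name, result
    return "Default", "DenyAccess"  # assumed default rule


def guest_session(policy, max_rounds=4):
    """Replay the guest's MAB authentications and list the rules that are hit.

    Assumptions: Network_Access_Authentication_Passed is true for the MAB
    session, and portal login sets Guest_Flow before the CoA triggers
    re-authentication.
    """
    session = {"Network_Access_Authentication_Passed": True, "Guest_Flow": False}
    hits = []
    for _ in range(max_rounds):
        name, result = authorize(policy, session)
        hits.append(name)
        if result != "Cisco_WebAuth":
            break  # PermitAccess or DenyAccess ends the flow
        # Guest logs in on the portal; ISE sends CoA; the NAD re-runs MAB.
        session["Guest_Flow"] = True
    return hits, result


as_configured = [GUEST_PORTAL, GUEST_ACCESS]  # order the thread describes
reordered = [GUEST_ACCESS, GUEST_PORTAL]      # "Guest Access" moved to #1

if __name__ == "__main__":
    for label, policy in (("as configured", as_configured), ("reordered", reordered)):
        hits, final = guest_session(policy)
        print(f"{label:14} hits={hits} final={final}")
```
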
XBfoundX
7 months, 3 weeks ago
For me the answer is A. B and C are not true, and D is also not right: the Guest_Flow condition is not used to give access to the web portal. A is true because the Network_Access_Authentication_Passed attribute is the default condition for network access, so the first policy is saying if authentication is ok the client is going to be redirected. After that the client is going to be authenticated again; the MAB authentication will be successful again, so this means that the user will again be redirected to the portal because it is always going to match the first policy. What we must do is change the order of the policies. After that the user is going to authenticate, then the CoA will be sent and another authentication process will occur. After that, this time the policy that will be hit is the Guest Portal, which means if you have done a Guest_Flow correctly then PermitAccess.
upvoted 3 times
XBfoundX
7 months, 3 weeks ago
https://srftw.wordpress.com/2017/01/23/mab-authentication-using-cisco-ise/
https://community.cisco.com/t5/security-knowledge-base/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475#toc-hId-1320686318
upvoted 1 times
...
...
MORTND
11 months, 4 weeks ago
Selected Answer: A
The lines are in the wrong order. The initial flow is MAB - not guest flow - https://community.cisco.com/t5/security-knowledge-base/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475#toc-hId-1320686318 Guest flow only starts as soon as the user enters his credentials.
upvoted 4 times
...
colla
1 year, 1 month ago
Selected Answer: A
Have a look at the screenshot under the "Create an Authorization Policy" subsection. https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc6
upvoted 2 times
...
DeviantSpy
1 year, 2 months ago
Selected Answer: D
D is correct. The wrong results are set to the rules.
upvoted 1 times
...
YmerG
1 year, 4 months ago
Selected Answer: A
A for sure. Order is very important here as the device will keep looping into the redirection rule which is hit first.
upvoted 3 times
...
tliz
1 year, 5 months ago
Selected Answer: D
While A could be right I believe D is a better, more accurate answer. The Guest_Flow needs to be tied to the Guest Portal which is called out in the Results Profile Cisco_WebAuth.
upvoted 2 times
colla
1 year, 1 month ago
If we were to swap the two conditions, it would still not give the user access because the "results" profile would still be in the wrong order, that is, Web_Auth would precede PermitAccess. With A, both the condition and results profile will receive priority, which will allow traffic in for further processing. https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc6
upvoted 1 times
...
NikoTomas
4 months, 2 weeks ago
No. As Cris711 wrote "Guest_Flow is used to identify when an authentication has occurred via an ISE web portal."
upvoted 1 times
...
...
Community vote distribution: A (35%), C (25%), B (20%), Other