web analytics

2017 August Cisco Official New Released 300-208 Dumps in Lead2pass.com!

100% Free Download! 100% Pass Guaranteed!

Lead2pass updates Cisco 300-208 exam questions, adds some new changed questions from Cisco Official Exam Center. Want to know 2017 300-208 exam test points? Download the following free Lead2pass latest exam questions today!

Following questions and answers are all new published by Cisco Official Exam Center: https://www.lead2pass.com/300-208.html

Which action must an administrator take after joining a Cisco ISE deployment to an Active Directory domain?

A.    Choose an Active Directory user.
B.    Configure the management IP address.
C.    Configure replication.
D.    Choose an Active Directory group.

Answer: D

Which feature of Cisco ASA allows VPN users to be postured against Cisco ISE without requiring an inline posture node?

A.    RADIUS Change of Authorization
B.    device tracking
C.    DHCP snooping
D.    VLAN hopping

Answer: A

After an endpoint has completed authentication with MAB, a security violation is triggered because a different MAC address was detected. Which host mode must be active on the port?

A.    single-host mode
B.    multidomain authentication host mode
C.    multiauthentication host mode
D.    multihost mode

Answer: A

Refer to the exhibit. You are configuring permissions for a new Cisco ISE standard authorization profile. If you configure the Tunnel-Private-Group-ID attribute as shown, what does the value 123 represent?


A.    the VLAN ID
B.    the VRF ID
C.    the tunnel ID
D.    the group ID

Answer: A

Where would a Cisco ISE administrator define a named ACL to use in an authorization policy?

A.    In the conditions of an authorization rule.
B.    In the attributes of an authorization rule.
C.    In the permissions of an authorization rule.
D.    In an authorization profile associated with an authorization rule.

Answer: D

Refer to the exhibit. Which URL must you enter in the External Webauth URL field to configure Cisco ISE CWA correctly?


A.    https://ip_address:8443/guestportal/Login.action
B.    https://ip_address:443/guestportal/Welcome.html
C.    https://ip_address:443/guestportal/action=cpp
D.    https://ip_address:8905/guestportal/Sponsor.action

Answer: A

When you configure an endpoint profiling policy rule, which option describes the purpose of the minimum certainty factor?

A.    It is compared to the total certainty metric of an individual endpoint to determine whether the endpoint can be trusted.
B.    It is compared to the assigned certainty value of an individual endpoint in a device database to determine whether the endpoint can be trusted.
C.    It is used to compare the policy condition to other active policies.
D.    It is used to determine the likelihood that an endpoint is an active, trusted device on the network.

Answer: A

You have configured a Cisco ISE 1.2 deployment for self-registration of guest users. What two options can you select from to determine when the account duration timer begins? (Choose two.)

A.    CreateTime
B.    FirstLogin
C.    BeginLogin
D.    StartTime

Answer: AB

Which error in a redirect ACL can cause the redirection of an endpoint to the provisioning portal to fail?

A.    The redirect ACL is blocking access to ports 80 and 443.
B.    The redirect ACL is applied to an incorrect SVI.
C.    The redirect ACL is blocking access to the client provisioning portal.
D.    The redirect ACL is blocking access to Cisco ISE port 8905.

Answer: A

Where must periodic re-authentication be configured to allow a client to come out of the quarantine state and become compliant?

A.    on the switch port
B.    on the router port
C.    on the supplicant
D.    on the controller

Answer: A

Which functionality does the Cisco ISE self-provisioning flow provide?

A.    It provides support for native supplicants, allowing users to connect devices directly to the network.
B.    It provides the My Devices portal, allowing users to add devices to the network.
C.    It provides support for users to install the Cisco NAC agent on enterprise devices.
D.    It provides self-registration functionality to allow guest users to access the network.

Answer: A

During client provisioning on a Mac OS X system, the client system fails to renew its IP address. Which change can you make to the agent profile to correct the problem?

A.    Enable the Agent IP Refresh feature.
B.    Enable the Enable VLAN Detect Without UI feature.
C.    Enable CRL checking.
D.    Edit the Discovery Host parameter to use an IP address instead of an FQDN.

Answer: A

Where is dynamic SGT classification configured?

A.    Cisco ISE
B.    NAD
C.    supplicant
D.    RADIUS proxy

Answer: A

What is the function of the SGACL policy matrix on a Cisco TrustSec domain with SGT Assignment?

A.    It determines which access policy to apply to the endpoint.
B.    It determines which switches are trusted within the TrustSec domain.
C.    It determines the path the SGT of the packet takes when entering the Cisco TrustSec domain.
D.    It lists all servers that are permitted to participate in the TrustSec domain.
E.    It lists all hosts that are permitted to participate in the TrustSec domain.

Answer: A

You are configuring SGA on a network device that is unable to perform SGT tagging. How can the device propagate SGT information?

A.    The device can use SXP to pass IP-address-to-SGT mappings to a TrustSec-capable hardware peer.
B.    The device can use SXP to pass MAC-address-to-STG mappings to a TrustSec-capable hardware peer.
C.    The device can use SXP to pass MAC-address-to-IP mappings to a TrustSec-capable hardware peer.
D.    The device can propagate SGT information in an encapsulated security payload.
E.    The device can use a GRE tunnel to pass the SGT information to a TrustSec-capable hardware peer.

Answer: A

Refer to the exhibit. The links outside the TrustSec area in the given SGA architecture are unprotected. On which two links does EAC take place? (Choose two.)


A.    between switch 2 and switch 3
B.    between switch 5 and host 2
C.    between host 1 and switch 1
D.    between the authentication server and switch 4
E.    between switch 1 and switch 2
F.    between switch 1 and switch 5

Answer: BD

Which three host modes support MACsec? (Choose three.)

A.    multidomain authentication host mode
B.    multihost mode
C.    multi-MAC host mode
D.    single-host mode
E.    dual-host mode
F.    multi-auth host mode

Answer: ABD

You are troubleshooting wired 802.1X authentications and see the following error: “Authentication failed: 22040 Wrong password or invalid shared secret.” What should you inspect to determine the problem?

A.    RADIUS shared secret
B.    Active Directory shared secret
C.    Identity source sequence
D.    TACACS+ shared secret
E.    Certificate authentication profile

Answer: A

Refer to the exhibit. You are troubleshooting RADIUS issues on the network and the debug radius command returns the given output. What is the most likely reason for the failure?


A.    An invalid username or password was entered.
B.    The RADIUS port is incorrect.
C.    The NAD is untrusted by the RADIUS server.
D.    The RADIUS server is unreachable.
E.    RADIUS shared secret does not match

Answer: A

Which devices support download of environmental data and IP from Cisco ISE to SGT bindings in their SGFW implementation?

A.    Cisco ASA devices
B.    Cisco ISR G2 and later devices with ZBFW
C.    Cisco ISR G3 devices with ZBFW
D.    Cisco ASR devices with ZBFW

Answer: A

In Cisco ISE 1.3, where is BYOD enabled with dual-SSID onboarding?

A.    client provisioning policy
B.    client provisioning resources
C.    BYOD portal
D.    guest portal

Answer: D

Which description of the purpose of the Continue option in an authentication policy rule is true?

A.    It allows Cisco ISE to check the list of rules in an authentication policy until there is a match.
B.    It sends an authentication to the next subrule within the same authentication rule.
C.    It allows Cisco ISE to proceed to the authorization policy regardless of authentication pass/fail.
D.    It sends an authentication to the selected identity store.
E.    It causes Cisco ISE to ignore the NAD because NAD will treat the Cisco ISE server as dead.

Answer: C

How many days does Cisco ISE wait before it purges a session from the active session list if no RADIUS Accounting STOP message is received?

A.    1
B.    5
C.    10
D.    15

Answer: B

A user configured a Cisco Identity Service Engine and switch to work with downloadable access list for wired dot1x users, though it is failing to work. Which command must be added to address the issue?

A.    ip dhcp snooping
B.    ip device tracking
C.    dot1x pae authenticator
D.    aaa authentication dot1x default group radius

Answer: B

Which option is the correct format of username in MAB authentication?

A.    host/LSB67.cisco.com
B.    [email protected]
C.    10:41:7F:46:9F:89
D.    CISCO\chris

Answer: C

Lead2pass promise that all 300-208 exam questions are the latest updated, we aim to provide latest and guaranteed questions for all certifications. You just need to be braved in trying then we will help you arrange all later things! 100% pass all exams you want or full money back! Do you want to have a try on passing 300-208?

300-208 new questions on Google Drive: https://drive.google.com/open?id=0B3Syig5i8gpDM1I1WlhIdHJZNjA

2017 Cisco 300-208 exam dumps (All 300 Q&As) from Lead2pass:

https://www.lead2pass.com/300-208.html [100% Exam Pass Guaranteed]

By admin