Online Access Free 400-251 Exam Questions

In your Corporate environment, you have various Active Directory groups based o the organizational structure and would like to ensure that users are only able to access certain resources depending on which groups(s) they belong to.This policy should apply across the network. You have ISE, ASA and WSA deployed, and would like to ensure the appropriate policies are present to ensure access is only based on the user's group membership. Addionally, you don't want the user to authenticate multiple times to get access. Which two ploicies are used to set this up? (Choose two)

• A.Deploy a Single Sign-On Infrastructure such as Ping, and Integrate ISE, ASA and WSA with it. Access policies will be applied based on the user's group membership retrieved from the authentication Infrastructure.
• B.Deploy ISE, intergrate it with Active Directory, and based on group membership authirize the user to specific VLANs. These VLANs. These VLANs (with specific subnets) should then be used in access policies on the ASA as well as the WSA.
• C.Deploy Cisco TrustSec Infrastructure, with ASA and WSA integrated with the ISE to transparently identity user based on SGT assignment. when the user authenticates to the network. The SGTs can then be used in access policies
• D.Configure ISE to relay learned SGTs for the authenticates sessions with the binded destination address using SXP ro SXp speakers that will be used to apply access policies at the traffic ingress point for segmentation
• E.Integrate ISE, ASA and WSA with Active Directory. Once user is authenticated to the network through ISE, the ASSA and WSA will automatically extract the identity information from AD to apply the appropriate access policies.
• F.Configure ISE as an SSO Service Provider, and integrate with ASA and WSA using pxGrid. ASA and WSA will be able to extract the relevant identity information from ISE to apply to the access policies once the user has authenticated to the network.

What are the three types of CoA we use in ISE? (Choose three)

• A.Terminate
• B.No CoA (Change of authorization)
• C.PoD (Packet of Disconnect)
• D.Reauth
• E.Port Bounce

A customer has configured a single Policy Set to authenticate and authorize MAB and 802.1x requests on Cisco ISE. The 802.1x authorization rules are on the top of the list and check Active Directory group membership for a match. The MAB results are at the bottom of the list and check local Identity Groups for a match. When a MAB request comes to ISE

• A.ISE will not try to find Active Directory group membership based on the 802.1x request
• B.ISE will try to find the Active Directory group membership based on the MAB request
• C.ISE will ignore the 802.1x authorization rules on the top
• D.ISE will drop the request because 802.1x and MAB rules are not allowed in the same Policy Set
• E.ISE will never match the MAB authorization rules at the bottom

Which are the three conditions in which ISE profiler issues a CoA request to a NAD? (Choose three)

• A.In the global profiler settings, CoA type set to "No CoA"
• B.An endpoint disconnects from the network
• C.A profile policy exception is triggered
• D.An endpoint deleted from the ISE endpoint page
• E.An endpoint profiled for the first time

When Cisco Web Security Appliance (WSA) is configured for the first time, how is WSA GUI interface accessed?

• A.https://$ManagementIP:8080
• B.https://$ManagementIP:443
• C.http://$ManagementIP:8080
• D.https://$ManagementIP:8443
• E.http://$ManagementIP:8443