
400-251 CCIE Security written discussion..


Guys please confirm the answers with reason


QUESTION 108 For your enterprise ISE deployment, you are looking to use certificate-based authentication for all your Windows machines. You have already gone through the exercise of pushing the machine and user certificates out to all the machines using GPO. Since certificate based authentication, by default, doesn't check the certificate against Active Directory or requires credentials from the user, this essentially means that no groups are returned as a part of the authentication request. What are the possible ways to authorize the user based on Active Directory group membership?



A. Configure the Windows supplicant to use saved credentials as well as certificate-based authentication

B. Enable Change of Authorization on the deployment to perform double authentication

C. Use EAP authorization to retrieve group information from Active Directory

D. The certificate should be configured with the appropriate attributes which contain appropriate group information, which can be used in Authorization policies

E. Use ISE as the Certificate Authority, which will then allow automatic group retrieval from Active Directory to perform the required authorization

F. Configure Network Access Device (NAD) to bypass certificate-based authentication and push configured user credentials as a proxy to ISE


ANS : F or E ?


QUESTION 100 In a large organization, with thousands of employees scattered across the globe, it is difficult to provision and onboard new employee device with the correct profiles and certificates. With ISE, it is possible to do that with client provided device. Which four conditions must be met? (Choose four.)


A. Endpoint operating system should be supported

B. Client provisioning is enabled on ISE

C. The pxGrid controller should be enabled on ISE

D. Device MAC addresses are added to the Endpoint Identity Group

E. Profiling is enabled on ISE

F. SCEP Proxy is enabled on ISE

G. Microsoft windows server is configured with certificate services

H. ISE should be configured as SXP listener to push SGT-to-IP mapping to network access devices

I. Network access device and ISE should have the PAC provisioning for CTS environment authentication


Correct Answer: BDEF or ABEF




QUESTION 112 In an effort to secure your enterprise campus network, any endpoint that connects to the network should authenticate before being granted access. For all corporate-owned endpoints, such as laptops, mobile phones and tablets, you would like to enable 802.1x and once authenticated allow full access to the network. For all employee owned personal devices, you would like to use web authentication, and only allow limited access to the network. Which two authentication methods can ensure that an employee on a personal device can't use his or her Active Directory credentials to log on to the network by simply reconfiguring their supplicant to use 802.1x and getting unfettered access? (Choose two.)









Correct Answer: AB or CF ?


QUESTION 9 Which two protocols are used by the management plane in a Cisco IOS device? (Choose two)






E. IKEv2






Correct Answer: BF or BH ? looks BF



QUESTION 74 Which two statements about SPAN sessions are true? (Choose two.)


A. A single switch stack can support up to 32 source and RSPAN destination sessions

B. They can monitor sent and received packets in the same session

C. Multiple SPAN sessions can use the same destination port

D. Source ports and source VLANs can be mixed in the same session

E. They can be configured on ports in the disabled state before enabling the port

F. Local SPAN and RSPAN can be mixed in the same session


Correct Answer: BE or CF ?


A, D and F are wrong

E, B, C correct?



I will be planning on Monday


Did you appear for the exam? Can you share your experiences, please?


I passed with 863 on Thursday by learning the 177Q. I didn't change the answers and there were no new questions.


I passed with 825 on Monday, Beijing Time, by learning the 177Q. Emmmmmmmmmmm I like the feel, stimulating


There are 1 or 2 questions not seen in the 177Q, but seen in old. I have forgotten what they are. ATTENTION: some questions have more or less confusing options, but the answer is the same option
