CCNP Security Implementing Cisco Secure Access Solutions (SISAS)

Here you have the best Cisco 300-208 practice exam questions

You have 237 total questions to study from
Each page has 5 questions, making a total of 48 pages
You can navigate through the pages using the buttons at the bottom
This questions were last updated on October 28, 2025
This site is not affiliated with or endorsed by Cisco.

Question 1 of 237

Cisco 802.1X phasing enables flexible deployments through the use of open, low-impact, and closed modes. What is a unique characteristic of the most secure mode?

Granular ACLs applied prior to authentication

Per user dACLs applied after successful authentication

Only EAPoL traffic allowed prior to authentication

Adjustable 802.1X timers to enable successful authentication

Correct Answer: C

The most secure mode of Cisco 802.1X phasing is characterized by allowing only EAPoL traffic prior to authentication. This ensures that no network access is granted until a device is successfully authenticated, thus providing the highest level of security. In closed mode, all other types of traffic, such as DHCP, HTTP, and DNS, are blocked until authentication is completed successfully.

Question 2 of 237

A network administrator must enable which protocol extension to utilize EAP-Chaining?

EAP-FAST

EAP-TLS

MSCHAPv2

PEAP

Correct Answer: A

EAP-Chaining requires the use of EAP-FAST. This protocol extension allows for a single authentication process that encompasses both machine and user credentials, which is a key capability needed for EAP-Chaining.

Question 3 of 237

In the command 'aaa authentication default group tacacs local', how is the word 'default' defined?

Command set

Group name

Method list

Correct Answer: C

In the command 'aaa authentication default group tacacs local', the word 'default' defines a method list. A method list is a named list of authentication methods that are used to determine how users are authenticated. The methods specified (in this case, TACACS+ and local) are applied in the given order when a user attempts to access the system.

Question 4 of 237

Changes were made to the ISE server while troubleshooting, and now all wireless certificate authentications are failing. Logs indicate an EAP failure. What is the most likely cause of the problem?

EAP-TLS is not checked in the Allowed Protocols list

Certificate authentication profile is not configured in the Identity Store

MS-CHAPv2-is not checked in the Allowed Protocols list

Default rule denies all traffic

Client root certificate is not included in the Certificate Store

Correct Answer: A

The most likely cause of the problem is that EAP-TLS is not checked in the Allowed Protocols list. Since the logs indicate an EAP failure and EAP-TLS is a common protocol used for certificate-based authentication, not having it checked would prevent wireless certificate authentications from succeeding.

Question 5 of 237

The NAC Agent uses which port and protocol to send discovery packets to an ISE Policy Service Node?

tcp/8905

udp/8905

http/80

https/443

Correct Answer: B

The NAC Agent uses UDP port 8905 to send discovery packets to an ISE Policy Service Node. This is because the Network Admission Control (NAC) uses the SWISS protocol, which is stateless and operates over the User Datagram Protocol (UDP).