Examice

Exam 350-701 All QuestionsBrowse all questions from this exam

Question 286

Refer to the exhibit. A Cisco ISE administrator adds a new switch to an 802. 1X deployment and has difficulty with some endpoints gaining access. Most PCs and

IP phones can connect and authenticate using their machine certificate credentials; however, printers and video cameras cannot. Based on the interface configuration provided, what must be done to get these devices onto the network using Cisco ISE for authentication and authorization while maintaining security controls?

Configure authentication event fail retry 2 action authorize vlan 41 on the interface.

Add mab to the interface configuration.

Enable insecure protocols within Cisco ISE in the allowed protocols configuration.

Change the default policy in Cisco ISE to allow all devices not using machine authentication.

Correct Answer: B

To allow non-802.1X devices, such as printers and video cameras, to gain access to the network using Cisco ISE for authentication and authorization while maintaining security controls, the interface configuration should include 'mab' (MAC Authentication Bypass). MAB allows devices that do not support 802.1X, like many printers and cameras, to be authenticated based on their MAC address. This method ensures these devices can connect without compromising the network's security. Adding 'mab' to the interface configuration is the appropriate solution.

Discussion

Vlad_Is_Love_uaOption: B

B is correct

Jessie45785Option: B

I am working with ISE since 1.x version and there never was anything like default authentication and authorization policy - MAB is te way to go

Anonymous983475Option: B

Cameras, Printers, and devices not having user interaction don't have dot1x capabilities. MAB is used for these kind of devices.

NikoNikoOption: B

B is correct - MAB. Printers, cameras, video conference devices, etc.. either don't have 802.1X supplicant or if they have it, it could be difficult to manage. So these devices are usually authenticated and authorized by Mac Authentication Bypass (MAB) + Profiling on ISE (profiling is classification of the devices by type, function, etc... ISE recognizes devices like cameras / Cisco Phones / printers / ... and these attributes can be used in the ISE policy to apply desired authorization to the endpoints)

luisseijuroOption: B

B is correct https://community.cisco.com/t5/network-access-control/problems-with-connecting-printers-via-mab/td-p/3528002

Medusa8Option: B

Should be MAB, My answer is B.

KorndalOption: B

100% B. MAB is not enabled on the port, so only 802.1x enabled devices can get onto the network (if they pass authentication and authorization)

[Removed]Option: B

It's interesting that they even have C as an option. Because if you authenticate MAB to Windows NPS, you have to add MD5-EAP manually to NPS as it is considered insecure.

DarkestbloodOption: B

B is correct.

moobeOption: B

B is correct.

Emlia1Option: B

Probably B

sis_net_secOption: B

https://sirius-cyber.net/2020/06/08/cisco-ise-mac-authentication-bypass-mab/

TrovechOption: B

I think mab is the only way to authenticate printers and cameras, I stand to be corrected. To me B is the answer.