Network diagram and email exchange between the TAC engineer and
customer are provided for the analysis.
With all the information available to you, what is the cause of the
authentication failure?
Points 1
Answer
Select an answer:
UDP port 1812 is blocked between the switch and ISE
Wrong EAP type is being used
Incompatible Switch code
Crypto Map not applied for Site-1 on GM3
Encryption error between ISE and Active Directory
RADIUS shared key is incorrect
Shared secret between Windows and Switch is incorrect
live:rahulk_ashyap_1
Task Number-2: Redirection Issue
David from Acme Inc has opened a service request with Cisco TAC. He
describes the problem as: “We are trying to implement Guest access on our
switches using ISE and Central Web Authentication. We have configured
ISE and the Switches according to Cisco’s guides, but when the end user
opens a browser, they do not get redirection to the ISE guest portal. We
need help in troubleshooting this.”
Network diagram and email exchange between the TAC engineer and
customer are provided for the analysis.
With all the information available to you, what is the cause of this
problem?
Point 1
Answer
Select an answer:
The URL redirect ACL does not allow access to cisco.com
URL redirect only works when the original request is an intranet site
The machine is authorized in the wrong domain
Incompatible Switch Code
The downloadable ACL does not allow traffic to UDP port 53
ISE is configured on the wrong port for the portal.
Task Number-3: Authentication Issue
David from Acme Inc has opened a service request with Cisco TAC. He
describes the problem as: “I am trying to authenticate a Windows 7 laptop
using 802.1x against a Cisco ISE Server. The laptop is connected to a Cisco
3560-X. The authentication attempts keep failing with error 5400.”
Network diagram and email exchange between the TAC engineer and
customer are provided for the analysis.
With all the information available to you, what is the cause of this
problem?
Point 1
Answer
Select an answer:
Enable EAP-TLS on the “Default Network Access” allowed protocol
object.
Self-signed certificate cannot be used for EAP authentication
The self-signed certificate needs to be trusted on the endpoint
Dot1.x priority is incorrect in switch interface configuration
Client is rejecting the EAP protocol proposed by the ISE server.
Task Number-4: Network Accessibility Issue
David from Acme Inc has opened a service request with Cisco TAC. He
describes the problem as:
“We are trying to implement Guest access on our switches using ISE and
Central Web Authentication. We have configured ISE and the Switches
according to Cisco’s guides, but even after a successful authentication the
guest user is redirected back again and again to the guest portal page. They
do not get access to the network.”
Network diagram and email exchange between the TAC engineer and
customer are provided for the analysis.
With all the information available to you, what is the cause of this
problem?
Point 1
Answer
Select an answer:
Switch is not able to accept new policies due to a defect.
The switch is not configured to accept RADIUS CoA messages from ISE
Wrong authorization result is applied to guest authorization policy.
Guest credentials are incorrect
The guest account is set to activate at a later date and time
Task Number-5: Profiling Issue
David from Acme Inc has opened a service request with Cisco TAC. He
describes the problem as:
“We are trying to implement profiling so as to use its results as a means to
authorize devices. For testing, we are using a Windows 7 laptop and ISE is
not able to profile it as such. The device shows up as an Intel-device instead
of a Windows 7 Workstation.”
Network diagram and email exchange between the TAC engineer and
customer are provided for the analysis.
With all the information available to you, what is the cause of this
problem?
Point 1
Answer
Select an answer:
User needs to be redirected to guest portal to profile correctly.
Not enough probes have been enabled to profile a Windows machine
ISE’s IP address is missing under VLAN1 as an ip helper-address
Feed service has corrupted the profiling policies
Device sensor configuration is incomplete
Task Number-6: Command Authorization Issue
David from Acme Inc has opened a service request with Cisco TAC. He
describes the problem as:
“We are trying to implement TACACS+ authentication and command
authorization on our Cisco switches with Cisco ISE as the server. We have
configured ISE and the switch as per the user guide, but we have a problem
with command authorization. All authorized users should be able to use
any show command, but they are not able to.”
Network diagram and email exchange between the TAC engineer and
customer are provided for the analysis.
With all the information available to you, what is the cause of this
problem?
Point 1
Answer
Select an answer:
The user is authorized at privilege level 5, where the show command is not
available
The implicit deny in the default authorization rule is causing command
authorization failure
“Permit any command that is not listed below” should be enabled on
the command set
Command set has wrong argument for the show command
“Auto Command” should be “show” in the TACACS profile
Task Number-7: Performance Issue
Johnny X from CustomerNet Inc has opened a service request with Cisco
TAC. He describes the problem as “intermittent performance issue when
users are trying to access the Internet through WSA”
Network diagram and email exchange between the TAC engineer and
customer are provided for the analysis.
With all the information available to you, what is the cause of this
problem?
Point 1
Answer
Select an answer:
Too many requests per second (overloaded appliance)
Network issues and disabled PMTU discovery
Chrome browser usage influences the performance, change the browser
and test again
Destination server is responding slower than usual
L4 traffic monitoring feature is on and causing the performance issues
One of the DNS servers might be the root cause of the issue.
Task Number-8: Access Issue
Johnny X from CustomerNet Inc has opened a service request with Cisco
TAC. He describes the problem as “intermittent issue with access to
specific HTTPS site access”
Network diagram and email exchange between the TAC engineer and
customer are provided for the analysis.
With all the information available to you, what should be the next step
suggested to the customer in order to resolve the issue?
Point 1
Answer
Select an answer:
Configure decryption policy pass-through affected sites
Test and check if server name extension is enabled on WSA
Make sure to export WSA’s ROOT CA certificate and import it into the test
PCs’ Trusted Root Certificate Authorities store
Test using openssl tool from other client, issue might be because site
uses SSLv3 protocol only, and client tries to negotiate using TLS v2
One of the DNS servers might be the root cause of the issue
Disable upstream proxy and try if the site works again
Test with another browser and collect the logs again
Configure default access policy pass-through affected sites
Task Number-9: WSA TLS Decryption Issue
Johnny X from CustomerNet Inc has opened a service request with Cisco
TAC. He describes the problem as “Unable to access a website”
Network diagram and email exchange between the TAC engineer and
customer are provided for the analysis.
With all the information available to you, what is most likely to be the root
cause of the client not being able to access the requested website?
Point 1
Answer
Select an answer:
When establishing the connection, the “SEED-SHA” cipher needs to be
enabled on the appliance
Destination server requires a client certificate
TLS 1.2 is not supported on the server and needs to be disabled so we
can fall back to TLS 1.0
The intermediate candidate is not sent by the server and needs to be
imported
It seems to be a browser error as this cipher is not supported in the
browser of the client. Try another browser.
Task Number-10: ESA Rejecting Emails
Johnny X from CustomerNet Inc has opened a service request with Cisco
TAC. He describes the problem as “External senders are not able to send
emails”
Network diagram and email exchange between the TAC engineer and
customer are provided for the analysis.
With all the information available to you, what is most likely to be the root
cause of the ESA rejecting many senders?
Point 1
Answer
Select an answer:
The default parameter for concurrent connections is very low with a
value of “10”. Increase this value to “100”
SenderBase was never contacted and therefore, the Reputation
Filtering is causing issues.
The email contains Malware and The Outbreak is putting it in
Quarantine.
The email contains a malicious URL and is blocked by a Content filter
named “CFDefandMaliciousUrls”
The Sender needs to be resolvable via DNS and this is not the case
“Check your DNS server”
The sbrs score of “none” is included in the “BLACKLIST”. Remove this
setting and add the sbrs score of “none” to the “SUSPECLIST”