300-715 Question #171: Real Exam Question with Answer & Explanation

The correct answer is D: Define the command privileges for levels 2-5 in Cisco ISE.

Network Access Device Administration

Question

An administrator is migrating device administration access to Cisco ISE from the legacy TACACS+ solution that used only privilege 1 and 15 access levels. The organization requires more granular controls of the privileges and wants to customize access levels 2-5 to correspond with different roles and access needs. Besides defining a new shell profile in Cisco ISE, what must be done to accomplish this configuration?

Options

  • A. Enable the privilege levels in Cisco ISE
  • B. Enable the privilege levels in the IOS devices
  • C. Define the command privileges for levels 2-5 in the IOS devices
  • D. Define the command privileges for levels 2-5 in Cisco ISE

Explanation

Correct answer: D

In Cisco ISE TACACS+ device administration, command authorization is handled centrally by ISE rather than locally on each IOS device. To implement granular access levels 2–5, the administrator must define Command Sets within ISE that specify exactly which CLI commands are permitted or denied for each privilege level or role. When a user executes a command, the IOS device sends a TACACS+ authorization request to ISE, which evaluates the command against the defined sets and returns a permit or deny. Since ISE is the policy decision point in this model, the privilege-to-command mappings must live in ISE. Defining them only on the IOS devices would replicate the legacy model and defeat the purpose of centralizing policy in ISE.

Topics

#TACACS+ #Device Administration #Cisco ISE #Command Authorization
