300-715 Question #191: Real Exam Question with Answer & Explanation

Question

An engineer is configuring Cisco ISE policies to support MAB for devices that do not have 802.1X capabilities. The engineer is configuring new endpoint identity groups as conditions to be used in the AuthZ policies, but noticed that the endpoints are not hitting the correct policies. What must be done in order to get the devices into the right policies?

Options

• AManually add the MAC addresses of the devices to endpoint ID groups in the context visibility
• BCreate an AuthZ policy to identify Unknown devices and provide partial network access prior to
• CAdd an identity policy to dynamically add the IP address of the devices to their endpoint identity
• DIdentify the non 802.1x supported device types and create custom profiles for them to profile into.

Explanation

{"question_number": 1, "question": "An engineer is configuring Cisco ISE policies to support MAB for devices that do not have 802.1X capabilities...", "correct_answer": "A", "explanation": "MAC Authentication Bypass (MAB) identifies endpoints by their MAC address. When endpoint identity groups are used as conditions in AuthZ policies, ISE must know which group each MAC address belongs to in order to match the correct policy. If endpoints are not hitting the right policies, it is because their MAC addresses have not been assigned to the appropriate endpoint identity groups. The fix is to manually add each device's MAC address to the correct group via Context Visibility in ISE. Without this static assignment, ISE cannot correlate an unknown MAB supplicant to the intended identity group, so no policy match occurs.", "generated_by": "claude-sonnet", "llm_judge_score": 3}

No community discussion yet for this question.