300-715 Question #243: Real Exam Question with Answer & Explanation

Question

An engineer needs to configure a Cisco ISE server to issue a CoA for endpoints already authenticated to access the network. The CoA option must be enforced on a session, even if there are multiple active sessions on a port. What must be configured to accomplish this task?

Options

• Athe Reauth CoA option in the Cisco ISE system profiling settings enabled
• Ban endpoint profiling policy with the No CoA option enabled
• Can endpoint profiling policy with the Port Bounce CoA option enabled
• Dthe Port Bounce CoA option in the Cisco ISE system profiling settings enabled

Explanation

To ensure a Change of Authorization (CoA) is enforced on a specific session even when multiple sessions are active on a port, the Reauth CoA option must be enabled in Cisco ISE's system profiling settings. This allows ISE to initiate a re-authentication for the individual session without affecting others.

Common mistakes.

• B. An endpoint profiling policy with "No CoA" enabled would prevent any CoA from being sent, which is contrary to the goal.
• C. "Port Bounce CoA" is an action that disconnects and then immediately brings up the entire port, affecting all sessions, not just a specific one.
• D. Configuring "Port Bounce CoA" in the system settings would apply a port bounce to all CoA actions, which would affect all sessions on a port, not just the target session, which is not what the question implies by "enforced on a session".

Concept tested. Cisco ISE CoA options - Reauth CoA vs Port Bounce

Reference. https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_01100.html#concept_902D82D3E5664CD8A8504B76A188C0A9

No community discussion yet for this question.