300-715 Question #389: Real Exam Question with Answer & Explanation

Question

An engineer must onboard secure Windows 11 laptops of directors on the BYOD portal by using Cisco ISE. Corporate security policies require the Cisco ISE internal CA to use an ECC certificate rather than the standard RSA certificate. What must be configured in Cisco ISE?

Options

• Akey type of ECC on the Cisco ISE EAP authentication certificate template
• Bkey type of ECC in the Cisco ISE system certificates
• CWindows 11 laptop with an ECC certificate as the minimal requirement
• Dkey type of ECC in the Cisco ISE internal CA settings

Explanation

{"question_number": 1, "question_summary": "Configuring Cisco ISE internal CA to use ECC certificate for BYOD onboarding", "correct_answer": "D", "explanation": "The question specifically states that the Cisco ISE internal CA must use an ECC certificate. The internal CA is responsible for issuing certificates to endpoints during BYOD enrollment flows. To enforce ECC as the key type for certificates issued by the internal CA, you must configure this in the Cisco ISE internal CA settings (Administration > System > CA Service > Internal CA). This is distinct from the EAP authentication certificate template (option A) or the system certificates used for ISE node identity (option B), which address different certificate purposes. Option C is incorrect because the requirement is on ISE's CA, not on the Windows laptop. Only option D directly controls the key algorithm used by the internal CA when issuing endpoint certificates.", "generated_by": "claude-sonnet", "llm_judge_score": 3}

No community discussion yet for this question.