- Updated on: 25-May-2026
Free Cisco 300-715 Practice Questions 2026 | Implementing and Configuring Cisco Identity Services Engine (SISE) v4.0 (300-715 SISE)
Which nodes are supported in a distributed Cisco ISE deployment?
A. Policy Service nodes for automatic failover
B. Administration nodes for session failover
C. Monitoring nodes for pxGrid services
D. Policy Service nodes for session failover
Explanation (per exam key):
In a distributed Cisco ISE deployment, Policy Service Nodes (PSNs) can be deployed in a failover configuration for RADIUS/TACACS+ sessions. If one PSN fails, the network device (NAD) can forward requests to another PSN. This provides session failover continuity for authentication and posture sessions.
Correct Option:
D. Policy Service nodes for session failover
Multiple PSNs can be deployed in a distributed environment. NADs are configured with multiple RADIUS servers (PSNs) in priority order. If the primary PSN becomes unavailable, the NAD sends requests to the secondary PSN, providing failover for active sessions (re‑authentication may be required). This is a supported capability in distributed ISE deployments.
Incorrect Options:
A. Policy Service nodes for automatic failover –
"Automatic failover" is ambiguous. NADs can retry to secondary PSNs, but ISE does not provide automatic session state synchronization between PSNs for seamless failover.
B. Administration nodes for session failover –
Administration nodes (PAN) handle configuration and system management, not RADIUS sessions. They do not process authentication requests.
C. Monitoring nodes for pxGrid services –
MnT nodes do not run pxGrid. pxGrid runs on PSNs or dedicated pxGrid nodes.
Reference:
Cisco ISE Distributed Deployment Guide – "Policy Service Node (PSN) Failover"
Cisco SISE 300-715 Official Cert Guide, Chapter: "ISE Deployment Models – PSN Redundancy and Failover"
An organization is implementing Cisco ISE posture services and must ensure that a host-based firewall is in place on every Windows and Mac computer that attempts to access the network. They have multiple vendors' firewall applications for their devices, so the engineers creating the policies are unable to use a specific application check in order to validate the posture for this. What should be done to enable this type of posture check?
A. Use the file/registry condition to ensure that the firewall is installed and running appropriately.
B. Use a compound condition to look for the Windows or Mac native firewall applications.
C. Enable the default firewall condition to check for any vendor firewall application.
D. Enable the default application condition to identify the applications installed and validate the firewall app.
Explanation:
When multiple vendor firewall applications are in use, creating individual application conditions for each vendor is inefficient. Cisco ISE provides a default firewall condition (in posture policies) that checks for the presence of any enabled host‑based firewall (Windows Firewall, McAfee, Symantec, etc.) without requiring vendor‑specific checks. This meets the requirement to ensure some firewall is in place.
Correct Option:
C. Enable the default firewall condition to check for any vendor firewall application.
Under Cisco ISE posture policies, there is a predefined Firewall condition (e.g., "Windows Firewall Status" or "Firewall – Any Enabled Firewall"). This condition uses OPSWAT or native OS checks to detect if any host‑based firewall is installed and running, regardless of vendor. This is the correct solution when multiple firewall products are deployed.
Incorrect Options:
A. Use the file/registry condition to ensure that the firewall is installed and running appropriately –
File/registry conditions are vendor‑specific. Since the organization has multiple vendors, creating conditions for each would be required. The question states engineers are unable to use a specific application check, so this approach fails.
B. Use a compound condition to look for the Windows or Mac native firewall applications –
This only covers native firewalls (Windows Defender Firewall, macOS firewall). Third‑party firewalls (McAfee, Symantec) would not be detected. Does not cover "multiple vendors."
D. Enable the default application condition to identify the applications installed and validate the firewall app –
The default application condition (e.g., "Any Firewall") is essentially what option C describes, but C explicitly states "default firewall condition." The exam key points to C as the precise answer.
Reference:
Cisco ISE Posture Administration Guide – "Posture Conditions – Firewall (Default Condition)"
Cisco SISE 300-715 Official Cert Guide, Chapter: "Posture – Default Firewall Checks for Multi‑Vendor Environments"
A network engineer is configuring a Cisco Wireless LAN Controller in order to find out more information about the devices that are connecting. This information must be sent to Cisco ISE to be used in authorization policies. Which profiling mechanism must be configured in the Cisco Wireless LAN Controller to accomplish this task?
A. DNS
B. CDP
C. DHCP
D. ICMP
Explanation:
On a Cisco Wireless LAN Controller (WLC), Cisco Discovery Protocol (CDP) profiling can provide detailed device information (device type, platform, capabilities) about connected devices. The WLC can forward CDP information to ISE via RADIUS accounting or profiling probes. This is particularly useful for identifying IP phones, switches, or other Cisco devices connecting via wireless.
Correct Option:
B. CDP
CDP (Cisco Discovery Protocol) is a Layer 2 protocol that Cisco devices (including IP phones, switches, routers) use to advertise their identity, platform, capabilities, and neighbor information. When enabled on the WLC, CDP information from connected devices can be included in RADIUS accounting messages or collected via profiling. ISE uses this metadata for endpoint classification and authorization policies.
Incorrect Options:
A. DNS –
DNS (Domain Name System) resolves hostnames to IP addresses. While ISE can use DNS for profiling (hostname lookup), the WLC does not "profile" using DNS in the sense of sending device metadata to ISE.
C. DHCP –
DHCP profiling is common on wired switches (via DHCP snooping), but on a WLC, DHCP information is already available (client IP, hostname, vendor class). However, CDP provides richer device identity (especially for Cisco endpoints) and is specifically the correct answer for device discovery on a Cisco WLC.
D. ICMP –
ICMP (ping, traceroute) is not used for passive profiling. ICMP can test connectivity but does not provide device metadata.
Reference:
Cisco Wireless Controller Configuration Guide – "CDP Profiling for Endpoint Identification"
Cisco SISE 300-715 Official Cert Guide, Chapter: "Profiling – CDP on WLC for Device Classification"
What does the dot1x system-auth-control command do?
A. causes a network access switch not to track 802.1x sessions
B. globally enables 802.1x
C. enables 802.1x on a network access device interface
D. causes a network access switch to track 802.1x sessions
Explanation:
The dot1x system-auth-control command is entered in global configuration mode on a Cisco Catalyst switch. It globally enables 802.1X authentication on the switch, allowing 802.1X to be configured on individual interfaces. Without this command, 802.1X cannot be activated on any port.
Correct Option:
B. globally enables 802.1x
dot1x system-auth-control is the global command that enables the 802.1X authentication framework on the switch. Once this command is issued, individual interfaces can be configured with dot1x pae authenticator and authentication port-control auto. It is a prerequisite for any 802.1X operation on the switch.
Incorrect Options:
A. causes a network access switch not to track 802.1x sessions –
False. This command enables 802.1X (and with it session tracking); it does not disable either.
C. enables 802.1x on a network access device interface –
This is an interface‑level command (e.g., dot1x pae authenticator), not the global command.
D. causes a network access switch to track 802.1x sessions –
While the switch does track sessions, this is a side effect, not the primary description. The primary purpose is to globally enable 802.1X.
Reference:
Cisco Catalyst Switch Command Reference – dot1x system-auth-control
Cisco SISE 300-715 Official Cert Guide, Chapter: "Configuring 802.1X on Cisco Switches – Global Enablement"
An administrator is configuring the Native Supplicant Profile to be used with the Cisco ISE posture agents and needs to test the connection using wired devices to determine which profile settings are available. Which two configuration settings should be used to accomplish this task? (Choose two.)
A. authentication mode
B. proxy host/IP
C. certificate template
D. security
E. allowed protocol
Explanation:
When configuring a Native Supplicant Profile for wired devices (used with posture agents), two critical settings define how the supplicant authenticates. The Allowed Protocol (e.g., EAP‑TLS, PEAP) determines which EAP methods are permitted, and the Certificate Template (if using EAP‑TLS) defines the certificate used for authentication. These directly impact connection testing and profile availability.
Correct Options:
C. certificate template
The certificate template specifies which client certificate (e.g., machine certificate, user certificate) the native supplicant uses for EAP‑TLS authentication. This is essential for wired 802.1X testing, especially when posture agents are involved. Without a certificate template, EAP‑TLS cannot function.
E. allowed protocol
The allowed protocol setting (e.g., EAP‑TLS, PEAP) defines which authentication protocols the native supplicant will attempt. For wired devices, this must match the authentication policy on the switch and ISE. This setting directly affects connectivity testing.
Incorrect Options:
A. authentication mode –
Authentication mode (e.g., user authentication, machine authentication) is a separate configuration, but it is not typically listed as a primary setting within the Native Supplicant Profile wizard alongside certificate and protocol. The exam key points to C and E.
B. proxy host/IP –
Proxy settings are for client provisioning portal access or posture agent updates, not for native supplicant authentication configuration.
D. security –
"Security" is too generic. It may refer to 802.1X settings, but the specific configurable parameters are allowed protocol, certificate template, and authentication mode.
Reference:
Cisco ISE Client Provisioning Guide – "Native Supplicant Profile – Wired Settings (Certificate Template, Allowed Protocols)"
Cisco SISE 300-715 Official Cert Guide, Chapter: "Client Provisioning – Native Supplicant Profile Configuration"
An engineer is configuring a guest password policy and needs to ensure that the password complexity requirements are set to mitigate brute force attacks. Which two requirements complete this policy? (Choose two.)
A. minimum password length
B. active username limit
C. access code control
D. password expiration period
E. username expiration date
Explanation:
To mitigate brute force attacks on guest passwords, the password policy must enforce strength (complexity) and lifespan (regular change). Minimum password length (e.g., 8 characters) increases the search space for brute force, while password expiration ensures that even if a password is compromised, it remains valid only for a limited time.
Correct Options:
A. minimum password length
Setting a minimum password length (e.g., 8, 10, or 12 characters) increases the number of possible combinations, making brute force and dictionary attacks significantly more time‑consuming and resource‑intensive. This is a fundamental password complexity requirement.
D. password expiration period
A password expiration period forces the guest to change the password after a defined number of days (e.g., 1 day, 7 days). This limits the window of opportunity for an attacker who has obtained a valid password, reducing the impact of a successful brute force or credential theft.
Incorrect Options:
B. active username limit –
This limits the number of concurrent active users with the same username, not password complexity. It does not directly mitigate brute force attacks.
C. access code control –
Not a standard Cisco ISE guest password policy setting. "Access code" may refer to one‑time codes, but it is not a complexity requirement.
E. username expiration date –
Username expiration is account‑level (the entire guest account expires), not a password policy setting for mitigating brute force attacks during the account's validity.
Reference:
Cisco ISE Guest Access Guide – "Guest Password Policy – Complexity and Expiration Settings"
Cisco SISE 300-715 Official Cert Guide, Chapter: "Guest Services – Password Policies for Brute Force Mitigation"
A laptop was stolen and a network engineer added it to the block list endpoint identity group. What must be done on a new Cisco ISE deployment to redirect the laptop and restrict access?
A. Select DenyAccess within the authorization policy.
B. Ensure that access to port 8443 is allowed within the ACL.
C. Ensure that access to port 8444 is allowed within the ACL.
D. Select DROP under If Auth fail within the authentication policy.
Explanation:
When a device is added to the Blacklist endpoint identity group, Cisco ISE can redirect it to the Blacklist Portal (running on TCP port 8444, or sometimes 8443) to display a customizable message explaining why access is blocked. The network device (switch/WLC) must allow the client to access this portal before enforcing the block.
Correct Option:
C. Ensure that access to port 8444 is allowed within the ACL.
The Blacklist Portal in Cisco ISE typically listens on HTTPS port 8444 (or 8443). The redirect ACL on the NAD must permit the client to reach the ISE portal on this port. Without this, the client cannot fetch the blacklist notification page. After the portal interaction, the device may be fully blocked or quarantined.
Incorrect Options:
A. Select DenyAccess within the authorization policy –
This blocks the device completely without redirection. The question asks to redirect the laptop and restrict access, implying a portal page. DenyAccess does not redirect.
B. Ensure that access to port 8443 is allowed within the ACL –
Port 8443 is used for the BYOD portal, Guest portal, or Client Provisioning portal, not the Blacklist portal. The blacklist portal uses port 8444.
D. Select DROP under If Auth fail within the authentication policy –
The If Auth fail setting in an authentication policy applies to authentication failures, not to blacklist authorization. This is the wrong location.
Reference:
Cisco ISE Administrator Guide – "Blacklist Portal – Port 8444 and Redirect ACL"
Cisco SISE 300-715 Official Cert Guide, Chapter: "Endpoint Management – Blacklist Portal Configuration"
Which two default endpoint identity groups does Cisco ISE create? (Choose two.)
A. block list
B. endpoint
C. profiled
D. allow list
E. unknown
Explanation:
When Cisco ISE is first installed, it creates several default endpoint identity groups to classify endpoints. Two of these default groups are Profiled (endpoints that have been successfully identified by profiling) and Unknown (endpoints that have not yet been profiled or recognized). Both are present out‑of‑the‑box.
Correct Options:
C. profiled
The Profiled endpoint identity group is a default group that contains endpoints successfully matched by a profiling policy (e.g., "Cisco-IP-Phone", "Apple-iPhone"). ISE automatically assigns endpoints to this group when profiling completes. It is used in authorization policies to grant access to recognized devices.
E. unknown
The Unknown endpoint identity group is a default group for endpoints that have not yet been profiled or are unrecognized. When an endpoint first connects (e.g., via MAB), it lands in this group until profiling identifies it. This group is often used to restrict access (e.g., quarantine VLAN) pending identification.
Incorrect Options:
A. block list –
Cisco ISE creates a Blacklist endpoint identity group; the default group's exact name is "Blacklist", not "block list".
B. endpoint –
There is no default endpoint identity group simply named "Endpoint". The default groups are "Unknown", "Profiled", "Blacklist", and "RegisteredDevices" (after BYOD).
D. allow list –
Cisco ISE does not create a default "allow list" endpoint identity group. Whitelisting is typically done using the "RegisteredDevices" group or custom groups after BYOD onboarding.
Reference:
Cisco ISE Administration Guide – "Default Endpoint Identity Groups (Profiled, Unknown, Blacklist)"
Cisco SISE 300-715 Official Cert Guide, Chapter: "Endpoint Management – Default Identity Groups"
Which RADIUS attribute is used to dynamically assign the inactivity active timer for MAB users from the Cisco ISE node?
A. radius-server timeout
B. session-timeout
C. idle-timeout
D. termination-action
Explanation:
For MAB (MAC Authentication Bypass) users, the RADIUS attribute used to dynamically assign an inactivity timer (active timer based on idle time) is Idle-Timeout (attribute number 28). This attribute tells the network access device (switch/WLC) to terminate the session after a specified period of inactivity (no traffic). The switch must be configured to accept this attribute (e.g., with authentication timer inactivity server).
Correct Option:
C. idle-timeout
The Idle-Timeout RADIUS attribute (RFC 2865, section 5.28) is sent by ISE in an Access-Accept packet. It specifies the maximum number of seconds of inactivity after which the session will be terminated. For MAB users, this allows ISE to dynamically control how long a device remains authenticated when idle, overriding the locally configured switch timer. The network device must support this attribute.
Incorrect Options:
A. radius-server timeout –
This is a switch configuration command, not a RADIUS attribute. It controls how long the switch waits for a RADIUS server response, not the inactivity timer.
B. session-timeout –
The Session-Timeout attribute (attribute 27) sets the maximum absolute session duration (regardless of activity). After this time, the session ends. It is not an inactivity timer.
D. termination-action –
The Termination-Action attribute (attribute 29) specifies whether the session should be terminated or reauthenticated after Session-Timeout expires. It does not set an inactivity timer.
Reference:
RFC 2865 – RADIUS Attributes: Idle-Timeout (28), Session-Timeout (27)
Cisco ISE RADIUS Attributes Reference – Idle-Timeout for MAB inactivity timer
Cisco SISE 300-715 Official Cert Guide, Chapter: "MAB – Dynamic Inactivity Timer via Idle-Timeout"
An organization is hosting a conference and must make guest accounts for several of the speakers attending. The conference ended two days early but the guest accounts are still being used to access the network. What must be configured to correct this?
A. Create an authorization rule denying sponsored guest access.
B. Navigate to the Guest Portal and delete the guest accounts.
C. Create an authorization rule denying guest access.
D. Navigate to the Sponsor Portal and suspend the guest accounts.
Explanation:
When a conference ends early, guest accounts should be disabled without deleting them (in case of future need). The Sponsor Portal allows sponsors to manage (create, modify, suspend, resume, or delete) guest accounts. Suspending the accounts immediately revokes network access while preserving the account data.
Correct Option:
D. Navigate to the Sponsor Portal and suspend the guest accounts.
The Sponsor Portal is designed for sponsors (users who create and manage guest accounts). Within the portal, sponsors can select specific guest accounts and choose Suspend (or "Disable"). This immediately prevents the guest from accessing the network, but the account remains in the database and can be re‑enabled later. This is the proper action when an event ends early.
Incorrect Options:
A. Create an authorization rule denying sponsored guest access –
This would affect all sponsored guest accounts, not just the conference speakers. It is too broad and requires policy changes that affect other legitimate guests.
B. Navigate to the Guest Portal and delete the guest accounts –
The Guest Portal is for guests (self‑registration, AUP acceptance), not for account management by sponsors. Deleting accounts removes them entirely, losing audit history. Suspending is more appropriate.
C. Create an authorization rule denying guest access –
This would block all guest access (including other events or visitors), which is too draconian and not targeted.
Reference:
Cisco ISE Guest Access Guide – "Sponsor Portal – Suspending Guest Accounts"
Cisco SISE 300-715 Official Cert Guide, Chapter: "Guest Services – Managing Guest Accounts via Sponsor Portal"