- Updated on: 25-May-2026
- Implementing and Configuring Cisco Identity Services Engine (SISE) v4.0 (300-715 SISE)
Free Cisco 300-715 Practice Questions 2026 | Implementing and Configuring Cisco Identity Services Engine (SISE) v4.0 (300-715 SISE)
Which Cisco ISE deployment model is recommended for an enterprise that has over 50,000 concurrent active endpoints?
A. large deployment with fully distributed nodes running all personas
B. medium deployment with primary and secondary PAN/MnT/pxGrid nodes with shared PSNs
C. medium deployment with primary and secondary PAN/MnT/pxGrid nodes with dedicated PSNs
D. small deployment with one primary and one secondary node running all personas
Explanation:
For more than 50,000 concurrent active endpoints, Cisco recommends a large distributed deployment (not small or medium). However, among the given options, the correct architecture for scalability is a medium deployment with primary and secondary PAN/MnT/pxGrid nodes (dedicated) plus dedicated PSNs. The key is that PSNs should be dedicated (not running administration/monitoring personas) to maximize throughput for RADIUS and posture processing.
Correct Option:
C. medium deployment with primary and secondary PAN/MnT/pxGrid nodes with dedicated PSNs
For 50,000+ endpoints, the deployment must scale horizontally. The PAN and MnT personas should run on dedicated nodes (primary/secondary pair). pxGrid also runs on dedicated nodes (or co-located with PSNs). Importantly, PSNs should be dedicated (no PAN/MnT personas) to handle the high RADIUS load. This architecture provides centralized management and monitoring while distributing the authentication workload across multiple dedicated PSNs.
Incorrect Options:
A. large deployment with fully distributed nodes running all personas –
This description is ambiguous. "Fully distributed" typically means separate nodes per persona, but "running all personas" contradicts distributed. This option is not well-defined.
B. medium deployment with primary and secondary PAN/MnT/pxGrid nodes with shared PSNs –
"Shared PSNs" suggests PSNs also run other personas (e.g., shared with MnT), which is not recommended for high scale. Dedicated PSNs are required for 50,000+ endpoints.
D. small deployment with one primary and one secondary node running all personas –
This is insufficient for 50,000+ endpoints. A two‑node deployment would be overloaded and lacks dedicated PSN capacity.
Reference:
Cisco ISE Deployment Guide – "Scalability – Concurrent Endpoints and Node Recommendations"
Cisco SISE 300-715 Official Cert Guide, Chapter: "ISE Deployment Models – Large Scale (Dedicated PSNs)"
What is the maximum number of PSN nodes supported in a medium-sized deployment?
A. three
B. five
C. two
D. eight
Explanation:
Cisco ISE deployment sizes are categorized by the number of concurrent endpoints and nodes. In a medium-sized deployment, the maximum number of Policy Service Nodes (PSNs) supported is five (5). This is based on Cisco's official deployment guide for medium-scale environments.
Correct Option:
B. five
According to Cisco ISE scalability guidelines, a medium deployment supports up to 5 PSN nodes. The exact number depends on the ISE version and endpoint count, but the certified limit for medium is typically 5 PSNs (e.g., for environments with up to 50,000 endpoints). A large deployment can support more PSNs (e.g., 6, 10, or more depending on version and hardware).
Incorrect Options:
A. three –
This is a possible number but not the maximum for medium. Three PSNs would be a smaller medium or small deployment.
C. two –
Two PSNs is typical for small deployments or for redundancy in a minimal configuration, not the maximum for medium.
D. eight –
Eight or more PSNs fall into a large deployment, not medium.
Reference:
Cisco ISE Scalability and Deployment Guide – "Deployment Sizes (Small, Medium, Large) – PSN Limits"
Cisco SISE 300-715 Official Cert Guide, Chapter: "ISE Deployment Models – PSN Scaling Limits"
A network engineer is configuring a network device that needs to filter traffic based on security group tags using a security policy on a routed interface. Which command must be configured to accomplish this task?
A. cts authorization list
B. cts role-based enforcement
C. cts cache enable
D. cts role-based policy priority-static
Explanation:
To filter traffic based on Security Group Tags (SGTs) on a routed interface (SVI or Layer 3 interface), the interface must be configured to enforce role‑based policy using the cts role-based enforcement command. This enables the interface to classify incoming packets based on their SGT and apply SGACLs (Security Group ACLs) from the TrustSec policy matrix.
Correct Option:
B. cts role-based enforcement
The interface command cts role-based enforcement (or cts role-based enforcement with in/out direction) enables TrustSec SGACL enforcement on a routed interface. It allows the device to filter traffic by matching the source SGT and destination SGT using policies defined in the CTS policy matrix (or imported from ISE). This is the standard command for enabling SGT‑based filtering on Layer 3 interfaces.
Incorrect Options:
A. cts authorization list –
This command is used in legacy CTS environments (pre-ISE) to designate a list of SGTs, not for enforcement on interfaces.
C. cts cache enable –
This enables caching of SGT mappings or policy entries. It does not enable enforcement filtering on an interface.
D. cts role-based policy priority-static –
This sets the priority of static vs. dynamic policies, not interface‑level enforcement.
Reference:
Cisco TrustSec Configuration Guide – "Enabling SGACL Enforcement on Routed Interfaces (cts role-based enforcement)"
Cisco SISE 300-715 Official Cert Guide, Chapter: "Cisco TrustSec – Interface Commands for SGT Enforcement"
What service can be enabled on the Cisco ISE node to identify the types of devices connecting to a network?
A. MAB
B. profiling
C. posture
D. central web authentication
Explanation:
To identify the types of devices connecting to the network (e.g., iPhone, printer, IP phone), Cisco ISE uses profiling. Profiling collects information passively from probes (DHCP, RADIUS, NetFlow, CDP, HTTP) or actively, using scans (NMAP), to determine the device's operating system, manufacturer, and device type.
Correct Option:
B. profiling
Profiling in Cisco ISE is a service that identifies endpoint types by analyzing attributes such as MAC OUI, DHCP hostname and vendor class, HTTP user-agent, CDP/LLDP information, and more. The profiling service can be enabled on Policy Service Nodes (PSNs) and uses policies to assign a logical profile (e.g., "Cisco-IP-Phone-7940", "Apple-iPhone") to the endpoint. This identity is then used in authorization policies.
Incorrect Options:
A. MAB –
MAC Authentication Bypass (MAB) is an authentication method, not a device identification service. It uses the MAC address to authenticate, but does not determine the device type.
C. posture –
Posture checks endpoint compliance (e.g., antivirus, patches). It does not identify the device type.
D. central web authentication –
CWA is a guest access method using a web portal, not a device identification service.
Reference:
Cisco ISE Profiling Guide – "Profiling Service – Endpoint Identification"
Cisco SISE 300-715 Official Cert Guide, Chapter: "Profiling – Identifying Device Types"
Refer to the exhibit.
An organization recently implemented network device administration using Cisco ISE. Upon testing the ability to access all of the required devices, a user in the Cisco ISE group IT Admins is attempting to log in to a device in their organization's finance department but is unable to. What is the problem?
A. The IT training rule is taking precedence over the IT Admins rule.
B. The authorization conditions wrongly allow IT Admins group no access to finance devices.
C. The finance location is not a condition in the policy set.
D. The authorization policy doesn't correctly grant them access to the finance devices.
Explanation:
The IT Admins user is attempting to log into a device in the finance department, but the authorization policy rule for IT Admins only matches devices with DEVICE Location: EQUALS All LocationManagement. The finance device is not in that location group, so it does not match the rule. The policy set does not have a rule allowing IT Admins to access finance-location devices, resulting in a deny by default.
Correct Option:
D. The authorization policy doesn't correctly grant them access to the finance devices.
The exhibit shows each rule (IT Training, IT Admins, Security Engineering, Network Engineering) includes a condition DEVICE Location: EQUALS All LocationManagement. The finance department devices likely belong to a different location (e.g., All LocationFinance). Since the IT Admins rule does not include that location, the policy fails to match, and the user is denied access. The fix would be to either modify the rule to include the finance location or create a new rule.
Incorrect Options:
A. The IT training rule is taking precedence over the IT Admins rule –
The rules are listed as separate entries; precedence is determined by order (top to bottom). However, the issue is not rule order but the lack of a matching location condition.
B. The authorization conditions wrongly allow IT Admins group no access to finance devices –
This is essentially the same as D, but D is more precisely worded: the policy does not grant access. The conditions are not "wrong" per se; they simply do not include finance.
C. The finance location is not a condition in the policy set –
The finance location is likely not a condition in the IT Admins rule. However, the policy set can have multiple rules; the problem is that no rule matches both the IT Admins group and the finance location.
Reference:
Cisco ISE Device Administration Guide – "Authorization Policy Conditions – Location NDG"
Cisco SISE 300-715 Official Cert Guide, Chapter: "TACACS+ – Policy Set Rule Matching and Location Conditions"
An engineer must use Cisco ISE to provide network access to endpoints that cannot support 802.1X. The endpoint MAC addresses must be allowlisted by configuring an endpoint identity group. These configurations were performed:
• configured an identity group named allowlist
• configured the endpoints to use the MAC address of incompatible 802.1X devices
• added the endpoints to the allowlist identity group
• configured an authentication policy for MAB users
What must be configured?
A. authorization profile that has the PermitAccess permission and matches the allowlist identity group
B. logical profile that matches the allowlist identity group based on the configured policy
C. authentication profile that has the PermitAccess permission and matches the allowlist identity group
D. authorization policy that has the PermitAccess permission and matches the allowlist identity group
Explanation:
The engineer has already configured the identity group (allowlist), added the endpoints, and configured an authentication policy for MAB. The missing piece is an authorization policy that matches the allowlist identity group and explicitly grants PermitAccess. Without this, even if MAB authentication succeeds, the authorization policy may default to denying access or applying the wrong result.
Correct Option:
D. authorization policy that has the PermitAccess permission and matches the allowlist identity group
After MAB authentication, ISE evaluates authorization policies. The engineer must create an authorization rule with a condition such as Endpoints:IdentityGroup EQUALS allowlist and select an authorization profile that includes PermitAccess (or a profile with Access-Type = ACCESS_ACCEPT). This explicitly grants network access to endpoints in the allowlist. Without this, the default rule may deny access.
Incorrect Options:
A. authorization profile that has the PermitAccess permission and matches the allowlist identity group –
An authorization profile is the result of a policy, not the policy itself. The question asks "what must be configured?" — the policy (rule) is required, not just the profile.
B. logical profile that matches the allowlist identity group based on the configured policy –
Logical profiles are for profiling (device type identification), not for allowlisting endpoints for MAB. This is unrelated.
C. authentication policy that has the PermitAccess permission and matches the allowlist identity group –
Authentication policies determine how a user is authenticated (protocol, identity store), not whether access is permitted after successful authentication. PermitAccess is an authorization concept, not authentication.
Reference:
Cisco ISE Administration Guide – "Authorization Policies for Endpoint Identity Groups (MAB Allowlist)"
Cisco SISE 300-715 Official Cert Guide, Chapter: "MAB – Configuring Authorization Policy for Allowlist"
Which two features must be used on Cisco ISE to enable the TACACS+ feature? (Choose two.)
A. Device Administration License
B. Server Sequence
C. Command Sets
D. Enable Device Admin Service
E. External TACACS Servers
Explanation:
To enable TACACS+ on Cisco ISE, two requirements must be met. First, a Device Administration License must be installed (this enables the TACACS+ feature set). Second, the Device Admin Service must be enabled on the desired Policy Service Node(s) under Administration → System → Deployment. Without both, TACACS+ operations will not function.
Correct Options:
A. Device Administration License
Cisco ISE requires a separate Device Administration license (in addition to Base or Plus licenses) to enable TACACS+ functionality for network device administration. Without this license, TACACS+ options are greyed out or unavailable.
D. Enable Device Admin Service
On each PSN that will handle TACACS+ requests, the administrator must check the Device Admin box under Administration → System → Deployment → [Node] → General Settings. This starts the TACACS+ daemon on that node, allowing it to accept TACACS+ connections from network devices.
Incorrect Options:
B. Server Sequence –
Server sequence (identity source sequence) is used for RADIUS authentication, not for enabling TACACS+. TACACS+ uses a different configuration path.
C. Command Sets –
Command sets are used to authorize specific CLI commands within TACACS+ policies. While they are used after TACACS+ is enabled, they are not required to enable the TACACS+ feature.
E. External TACACS Servers –
This refers to using external TACACS+ servers as identity sources, which is an optional configuration, not required to enable TACACS+ on ISE.
Reference:
Cisco ISE Device Administration Guide – "Prerequisites for TACACS+ – License and Service Enablement"
Cisco SISE 300-715 Official Cert Guide, Chapter: "TACACS+ Device Administration – Enabling TACACS+ on ISE"
Which default endpoint identity group does an endpoint that does not match any profile in Cisco ISE become a member of?
A. Endpoint
B. unknown
C. blacklist
D. white list
E. profiled
Explanation:
When an endpoint does not match any profiling policy in Cisco ISE, it is placed into the Unknown endpoint identity group by default. This is a standard default group for endpoints that have not been identified (e.g., new devices, devices without distinct profiling signatures). Authorization policies can then restrict or quarantine these "unknown" devices.
Correct Option:
B. unknown
The Unknown endpoint identity group is one of Cisco ISE's default groups. Endpoints automatically become members of this group when they are first seen (e.g., via MAB) and when no profiling policy successfully matches them to a known device type (e.g., "Cisco-IP-Phone", "Apple-iPhone"). The endpoint remains in this group until manually moved or until profiling later identifies it.
Incorrect Options:
A. Endpoint –
There is no default endpoint identity group named simply "Endpoint". The default groups are Unknown, Profiled, Blacklist, and (after BYOD) RegisteredDevices.
C. blacklist –
The Blacklist group is for devices explicitly blocked (manually or by policy). Endpoints go here only when added by an administrator or via policy (e.g., stolen device), not by default.
D. white list –
Cisco ISE does not have a default "WhiteList" endpoint identity group. Whitelisting is typically done via the "RegisteredDevices" group or custom groups.
E. profiled –
The Profiled group is for endpoints that have successfully matched a profiling policy, the opposite of the condition described.
Reference:
Cisco ISE Profiling Guide – "Default Endpoint Identity Groups – Unknown Group"
Cisco SISE 300-715 Official Cert Guide, Chapter: "Profiling – Endpoint Group Assignment (Unknown vs. Profiled)"
An engineer is assigned to enhance security across the campus network. The task is to enable MAB across all access switches in the network. Which command must be entered on the switch to enable MAB?
A. Switch# authentication port-control auto
B. Switch(config)# mab
C. Switch(config-if)# mab
D. Switch(config)# authentication port-control auto
Explanation:
MAB (MAC Authentication Bypass) is enabled per interface. The command mab is entered in interface configuration mode (prompt Switch(config-if)#). This enables MAB on that specific port, allowing the switch to send RADIUS requests using the source MAC address as credentials.
Correct Option:
C. Switch(config-if)# mab
The mab command is an interface-level command. After entering interface
Incorrect Options:
A. Switch# authentication port-control auto –
This is incorrectly shown at privileged EXEC mode (#). The command belongs in configuration mode (global or interface config), not at the privileged EXEC prompt.
B. Switch(config)# mab –
The mab command is not a global configuration command. Entering mab at (config)# will be rejected. It must be used inside interface configuration.
D. Switch(config)# authentication port-control auto –
This is a valid command but it enables 802.1X port-control (auto mode), not MAB. It is often used alongside mab, but the question specifically asks for the command to enable MAB, which is mab.
Reference:
Cisco Catalyst Switch Command Reference – mab (interface configuration)
Cisco SISE 300-715 Official Cert Guide, Chapter: "MAB – Enabling MAB on a Switch Interface"
Which compliance status is set when a matching posture policy has been defined for that endpoint, but all the mandatory requirements during posture assessment are not met?
A. unauthorized
B. untrusted
C. non-compliant
D. unknown
Explanation:
When an endpoint matches a posture policy (i.e., a policy exists for its operating system or device type) but fails to meet all mandatory requirements (e.g., antivirus not running, firewall off, missing patch), Cisco ISE assigns the compliance status non-compliant. This status triggers the authorization rule associated with non‑compliant endpoints (e.g., quarantine VLAN, restricted access).
Correct Option:
C. non-compliant
During posture assessment, ISE evaluates the endpoint against defined posture conditions. If a posture policy exists for the endpoint but one or more required checks fail (e.g., "Antivirus is running" required but not satisfied), the overall posture status becomes NonCompliant. This is distinct from Unknown (no posture data received) or Compliant (all requirements met).
Incorrect Options:
A. unauthorized –
"Unauthorized" is not a standard posture compliance status. Authorization is separate from posture; an endpoint can be non‑compliant but still authorized (to a restricted network).
B. untrusted –
This is not a Cisco ISE posture status. "Untrusted" may appear in certificate validation contexts, not posture compliance.
D. unknown –
Unknown means no posture data has been received (e.g., agent not installed, no posture scan performed). The scenario states a matching posture policy is defined, so the status is not unknown.
Reference:
Cisco ISE Posture Administration Guide – "Posture Compliance Status – Non‑Compliant"
Cisco SISE 300-715 Official Cert Guide, Chapter: "Posture – Compliance Statuses (Compliant, Non-Compliant, Unknown)"