  • 287 Questions
  • Updated on: 25-May-2026
  • Implementing and Configuring Cisco Identity Services Engine (SISE) v4.0 (300-715 SISE)

Free Cisco 300-715 Practice Questions 2026 | Implementing and Configuring Cisco Identity Services Engine (SISE) v4.0 (300-715 SISE)


An engineer is configuring Cisco ISE and needs to dynamically identify the network endpoints and ensure that endpoint access is protected. Which service should be used to accomplish this task?
Profiling

A. Guest access

B. Client provisioning

C. Posture

A.   Guest access

Explanation (if the intended answer is A - Guest access - per your key):
Guest access in Cisco ISE includes registration flows where endpoints are dynamically identified (e.g., via MAC address) when they self-register. This can identify endpoints for access protection. However, this is not the standard answer for "dynamically identify network endpoints."

Correct Option (per your key):

A. Guest access
(Note: This is not technically accurate; Profiling is the correct service for dynamic endpoint identification. Please verify your question source.)

My recommendation to you:

For the real 300-715 exam:

Dynamically identify network endpoints → Profiling

Ensure endpoints are protected (compliance) → Posture

Provide network access to visitors → Guest access

Your provided key (A) seems incorrect for the wording. If you can share the exact question as it appears, I can give a definitive answer.

Drag and drop the description from the left onto the protocol on the right that is used to carry out system authentication, authorization, and accounting.




Explanation:

RADIUS combines authentication and authorization into a single Access‑Request/Access‑Accept exchange. It encrypts only the password field; the username and other attributes are sent in clear text. Its primary use is network access (802.1X, VPN, wired/wireless).

TACACS+ separates authentication, authorization, and accounting into distinct phases. It encrypts the entire payload of the packet (everything after the header). Its primary use is device administration (router/switch login, command authorization).

Reference:

RFC 2865 (RADIUS) – Auth/Authorization combined, password-only encryption

RFC 8907 (TACACS+) – AAA separation, full payload encryption

Cisco SISE 300-715 Official Cert Guide, Chapter: "RADIUS vs. TACACS+ – Key Differences"

What allows an endpoint to obtain a digital certificate from Cisco ISE during a BYOD flow?

A. Network Access Control

B. My Devices Portal

C. Application Visibility and Control

D. Supplicant Provisioning Wizard

D.   Supplicant Provisioning Wizard

Explanation:
During a BYOD (Bring Your Own Device) flow, the endpoint needs to obtain a digital certificate for 802.1X authentication. The Supplicant Provisioning Wizard (SPW) (part of Cisco AnyConnect or the native supplicant provisioning process) is responsible for guiding the user through certificate enrollment, typically using SCEP (Simple Certificate Enrollment Protocol) or EST. The SPW communicates with ISE to request and install the certificate on the endpoint.

Correct Option:

D. Supplicant Provisioning Wizard
The Supplicant Provisioning Wizard (SPW) is a component of the Cisco AnyConnect ISE Posture Module or a standalone agent. It is invoked during the BYOD onboarding flow to configure the endpoint's native supplicant and request a digital certificate from ISE (acting as an SCEP/EST server). The SPW handles the certificate enrollment steps, including generating a key pair and submitting the CSR, resulting in the endpoint receiving a client certificate.

Incorrect Options:

A. Network Access Control –
NAC is the broader security concept (ISE is a NAC solution). It does not directly perform certificate enrollment; it is the framework.

B. My Devices Portal –
This portal allows users to manage their registered devices (e.g., mark as lost, delete). It does not perform certificate enrollment; the SPW does.

C. Application Visibility and Control –
AVC is a feature of Cisco routers and switches for application recognition (NBAR). It is unrelated to BYOD certificate enrollment.

Reference:
Cisco ISE BYOD Deployment Guide – "Supplicant Provisioning Wizard (SPW) for Certificate Enrollment"
Cisco SISE 300-715 Official Cert Guide, Chapter: "BYOD – Certificate Provisioning via SPW"

What is a difference between RADIUS and TACACS+?

A. RADIUS uses connection-oriented transport, and TACACS+ uses best-effort delivery.

B. RADIUS offers multiprotocol support, and TACACS+ supports only IP traffic.

C. RADIUS combines authentication and authorization functions, and TACACS+ separates them.

D. RADIUS supports command accounting, and TACACS+ does not.

C.   RADIUS combines authentication and authorization functions, and TACACS+ separates them.

Explanation:
A key difference between RADIUS and TACACS+ is that RADIUS combines authentication and authorization into a single exchange (Access-Request/Access-Accept), while TACACS+ separates these functions into distinct phases. This separation in TACACS+ allows different methods to be used for authentication (e.g., PAP, CHAP) vs. authorization.

Correct Option:

C. RADIUS combines authentication and authorization functions, and TACACS+ separates them.
RADIUS (RFC 2865) does not distinguish between authentication and authorization; both are determined in the same Access-Accept packet. TACACS+ (Cisco proprietary) fully separates the three A's: authentication (who you are), authorization (what you can do), and accounting (what you did). This allows granular control, such as authenticating a user but denying authorization.

Incorrect Options:

A. RADIUS uses connection-oriented transport, and TACACS+ uses best-effort delivery –
False. RADIUS uses UDP (best-effort), TACACS+ uses TCP (connection-oriented). The statement reverses the truth.

B. RADIUS offers multiprotocol support, and TACACS+ supports only IP traffic –
False. TACACS+ also supports multiprotocol (IP, IPX, AppleTalk), though in practice both are primarily used for IP.

D. RADIUS supports command accounting, and TACACS+ does not –
False. TACACS+ supports command accounting (logging of entered commands) as part of its accounting function. RADIUS does not have native command-level accounting.

Reference:
RFC 2865 (RADIUS) – Authentication and Authorization combined
RFC 8907 (TACACS+) – Separated AAA functions
Cisco SISE 300-715 Official Cert Guide, Chapter: "RADIUS vs. TACACS+ – AAA Architecture Differences"

What must be configured on the Cisco ISE authentication policy for unknown MAC addresses/identities for successful authentication?

A. pass

B. reject

C. drop

D. continue

D.   continue

Explanation:
In Cisco ISE authentication policies, the Continue option allows the authentication process to proceed to the next rule or identity source if the current rule does not result in a terminal decision (accept/reject). For unknown MAC addresses (e.g., first time a device connects via MAB), Continue ensures that ISE does not immediately reject but instead can move to subsequent rules or apply profiling, ultimately leading to a final authorization decision.

Correct Option:

D. continue
When configuring an authentication policy rule for MAB or unknown identities, the Continue option (under "If authentication fails" or as the rule outcome) instructs ISE to proceed to the next rule in the policy set instead of terminating with a Reject. This is useful for unknown MAC addresses because it allows the endpoint to be profiled, redirected to a portal, or processed by a fallback rule. Without Continue, an unknown MAC would be immediately rejected, preventing any further processing or onboarding.

Incorrect Options:

A. pass –
"Pass" is not a standard outcome in Cisco ISE authentication policies. Policy rules result in Accept, Reject, Continue, or (in some contexts) No Authentication.

B. reject –
Reject would immediately deny authentication for unknown MAC addresses, blocking access and preventing any further processing (e.g., profiling, portal redirection). This is not desirable for unknown identities.

C. drop –
Drop is not a valid authentication policy outcome in ISE. Dropping would silently ignore the request, which is not typical.

Reference:
Cisco ISE Authentication Policy Guide – "Continue Option for MAB and Unknown Identities"
Cisco SISE 300-715 Official Cert Guide, Chapter: "Authentication Policies – Rule Outcomes (Accept, Reject, Continue)"

An engineer wants to learn more about Cisco ISE and deployed a new lab with two nodes. Which two persona configurations allow the engineer to successfully test redundancy of a failed node? (Choose two.)

A. Configure one of the Cisco ISE nodes as the Health Check node.

B. Configure both nodes with the PAN and MnT personas only.

C. Configure one of the Cisco ISE nodes as the primary PAN and MnT personas and the other as the secondary.

D. Configure both nodes with the PAN, MnT, and PSN personas.

E. Configure one of the Cisco ISE nodes as the primary PAN and PSN personas and the other as the secondary.

C.   Configure one of the Cisco ISE nodes as the primary PAN and MnT personas and the other as the secondary.
E.   Configure one of the Cisco ISE nodes as the primary PAN and PSN personas and the other as the secondary.

Explanation:
To test redundancy (failover) of a node in a two-node lab environment, the administrator needs both nodes to participate in failover roles. For administration (PAN) failover, a primary and secondary PAN must be configured. For Policy Service (PSN) redundancy, both nodes should have PSN persona enabled. The correct configurations that allow redundancy testing are primary/secondary PAN (with MnT also on both) and primary/secondary with PSN on both.

Correct Options:

C. Configure one of the Cisco ISE nodes as the primary PAN and MnT personas and the other as the secondary.
Configuring one node as primary PAN+MnT and the other as secondary PAN+MnT allows testing of administration node failover. If the primary fails, the secondary can be manually promoted to primary, maintaining policy configuration capabilities. MnT data is also collected on both nodes.

E. Configure one of the Cisco ISE nodes as the primary PAN and PSN personas and the other as the secondary.
Configuring both nodes with PSN (in addition to primary/secondary PAN) allows testing PSN redundancy. Network devices can be configured with both ISE nodes as RADIUS servers. If one PSN fails, RADIUS requests can be sent to the other node. This tests failover for authentication and posture services.

Incorrect Options:

A. Configure one of the Cisco ISE nodes as the Health Check node –
"Health Check node" is not a standard ISE persona. Redundancy testing does not require a dedicated health check node.

B. Configure both nodes with the PAN and MnT personas only –
Without PSN on both nodes, there is no redundancy for RADIUS authentication. The PSN persona is required for handling authentication requests.

D. Configure both nodes with the PAN, MnT, and PSN personas –
While functional, this configuration does not specify primary/secondary roles for PAN redundancy. Without a designated secondary PAN, failover for administration cannot be tested.

Reference:
Cisco ISE High Availability Guide – "Two-Node Deployment for Redundancy Testing"
Cisco SISE 300-715 Official Cert Guide, Chapter: "ISE Deployment Models – Primary/Secondary PAN and PSN Redundancy"



Refer to the exhibit. An engineer needs to configure central web authentication on the Cisco Wireless LAN Controller to use Cisco ISE for all guests connected to the wireless network. The components are configured already:

• Cisco Wireless LAN Controller is fully configured

• authorization profile on the Cisco ISE

• authentication policy on the Cisco ISE

Which component would be configured next on Cisco ISE?

A. authorization policy

B. authentication profile

C. accounting profile

D. authorization rule

A.   authorization policy

Explanation:
Central Web Authentication (CWA) requires an authorization policy on Cisco ISE to trigger the redirect to the guest portal. The authorization policy defines the conditions (e.g., endpoint identity group = GuestEndpoints) and applies an authorization profile that contains the redirection ACL and portal URL. The exhibit shows the WLC is configured, and the authorization profile and authentication policy already exist. The next logical step is to create the authorization policy that ties everything together.

Correct Option:

A. authorization policy
After configuring the authentication policy (to allow MAB or PEAP) and the authorization profile (with redirect attributes), the engineer must create an authorization policy rule that matches guest endpoints (e.g., Endpoints:IdentityGroup EQUALS GuestEndpoints) and references the redirect authorization profile. This policy tells ISE when to apply the redirect. Without this rule, the authorization profile is never invoked, and clients will not be redirected to the portal.

Incorrect Options:

B. authentication profile –
An authentication profile (e.g., Certificate Authentication Profile) is used for certificate-based authentication. For CWA with guests, the authentication policy is already configured. Another authentication profile is not the next step.

C. accounting profile –
Accounting profiles are used for RADIUS accounting (session start/stop, usage logs). Accounting is optional and not required for CWA redirect functionality.

D. authorization rule –
This is essentially the same as authorization policy. "Authorization policy" is the correct term in ISE (Policy → Policy Sets → Authorization Policy). "Authorization rule" refers to an individual rule within the policy. The component to configure is the overall authorization policy, but the answer key expects A (authorization policy) as distinct from "authorization rule." Some exam versions distinguish between the two.

Reference:
Cisco ISE Central Web Authentication Guide – "Configuring Authorization Policy for CWA Redirect"
Cisco SISE 300-715 Official Cert Guide, Chapter: "Guest Services – CWA Workflow: Authorization Policy"

What is a difference between TACACS+ and RADIUS in regards to encryption?

A. TACACS+ encrypts only the password, whereas RADIUS encrypts the username and password.

B. TACACS+ encrypts the username and password, whereas RADIUS encrypts only the password.

C. TACACS+ encrypts the password, whereas RADIUS sends the entire packet in clear text.

D. TACACS+ encrypts the entire packet, whereas RADIUS encrypts only the password.

D.   TACACS+ encrypts the entire packet, whereas RADIUS encrypts only the password.

Explanation:
A key difference between TACACS+ and RADIUS is their encryption scope. TACACS+ encrypts the entire packet payload (everything after the header), protecting usernames, passwords, and authorization data. RADIUS encrypts only the password field; the username and other attributes (e.g., Calling-Station-ID, NAS-IP) are sent in clear text.

Correct Option:

D. TACACS+ encrypts the entire packet, whereas RADIUS encrypts only the password.
TACACS+ uses a per-session key derived from the shared secret to encrypt the complete body of the packet, leaving only the unencrypted header (which contains the packet length and session ID). RADIUS (RFC 2865) uses MD5 hashing to encrypt the User-Password attribute only. All other attributes are transmitted in clear text, making RADIUS less secure for environments where confidentiality is critical.

Incorrect Options:

A. TACACS+ encrypts only the password, whereas RADIUS encrypts the username and password –
False. TACACS+ encrypts the entire payload; RADIUS encrypts only the password (username is clear text).

B. TACACS+ encrypts the username and password, whereas RADIUS encrypts only the password –
False. TACACS+ encrypts more than just username and password; it encrypts the entire payload. RADIUS does not encrypt the username.

C. TACACS+ encrypts the password, whereas RADIUS sends the entire packet in clear text –
False. RADIUS does encrypt the password, but sends the rest of the packet in clear text. TACACS+ encrypts more than just the password.

Reference:
RFC 2865 (RADIUS) – Section 3: Password hiding (only password encrypted)
RFC 8907 (TACACS+) – Section 3: Packet encryption (full payload encryption)
Cisco SISE 300-715 Official Cert Guide, Chapter: "RADIUS vs. TACACS+ – Encryption Differences"
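
The encryption-scope difference described in the RADIUS and TACACS+ explanations above, worked through as an added example (not part of the original question bank): it builds an RFC 2865 Access-Request and an RFC 8907 PAP authentication START, then reports which fields stay readable on the wire. The shared secret, username, password, authenticator and session ID are constructed lab values; RFC 8907 itself calls the TACACS+ mechanism obfuscation.

```python
import hashlib
import struct

# Constructed lab values, not taken from the page or any real deployment.
SECRET = b"lab-shared-secret"
USER, PASSWORD = b"alice", b"Winter-Lab-2026!"
AUTHENTICATOR = bytes(range(16))  # RADIUS Request Authenticator (normally random)
SESSION_ID = 0x1A2B3C4D           # TACACS+ session_id (normally random)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 sec. 5.2: XOR 16-byte password blocks with a chained MD5 keystream."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def radius_access_request(user, password, secret, authenticator, ident=1) -> bytes:
    """Access-Request (code 1) carrying User-Name (type 1) and User-Password (type 2)."""
    hidden = radius_hide_password(password, secret, authenticator)
    attrs = bytes([1, len(user) + 2]) + user + bytes([2, len(hidden) + 2]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def tacacs_obfuscate(body, key, session_id, version, seq_no) -> bytes:
    """RFC 8907 sec. 4.5: XOR the whole body with an MD5 pseudo-pad (symmetric)."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < len(body):
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return xor(body, pad)

def tacacs_authen_start(user, password, key, session_id, seq_no=1) -> bytes:
    """PAP login START: 12-byte clear header followed by the obfuscated body."""
    version = 0xC1  # major version 0xC, minor version 1 (used for PAP)
    # action=LOGIN(1), priv_lvl=1, authen_type=PAP(2), service=LOGIN(1),
    # then user_len, port_len, rem_addr_len, data_len; PAP carries the password in data.
    body = bytes([1, 1, 2, 1, len(user), 0, 0, len(password)]) + user + password
    header = struct.pack("!BBBBII", version, 1, seq_no, 0, session_id, len(body))
    return header + tacacs_obfuscate(body, key, session_id, version, seq_no)

def exposure_report() -> dict:
    """Which values a passive observer can read directly from each packet."""
    radius = radius_access_request(USER, PASSWORD, SECRET, AUTHENTICATOR)
    tacacs = tacacs_authen_start(USER, PASSWORD, SECRET, SESSION_ID)
    return {
        "radius_user_clear": USER in radius,
        "radius_password_clear": PASSWORD in radius,
        "tacacs_user_clear": USER in tacacs,
        "tacacs_password_clear": PASSWORD in tacacs,
        "tacacs_session_id_clear": struct.pack("!I", SESSION_ID) in tacacs[:12],
    }

if __name__ == "__main__":
    for field, visible in exposure_report().items():
        print(f"{field}: {visible}")
```

Both schemes derive their keystream from MD5 and the shared secret, so the secret's strength and the transport path matter for either protocol.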

An engineer tests Cisco ISE posture services on the network and must configure the compliance module to automatically download and install on endpoints. Which action accomplishes this task for VPN users?

A. Create a Cisco AnyConnect configuration and Client Provisioning policy within Cisco ISE.

B. Configure the compliance module to be downloaded from within the posture policy.

C. Push the compliance module from Cisco FTD prior to attempting posture.

D. Use a compound posture condition to check for the compliance module and download if needed.

A.   Create a Cisco AnyConnect configuration and Client Provisioning policy within Cisco ISE.

Explanation:
For VPN users (e.g., Cisco AnyConnect VPN clients), the compliance module (ISE Posture Module) must be automatically downloaded and installed. This is accomplished by creating an AnyConnect configuration and a Client Provisioning policy in Cisco ISE. When the VPN user connects, the client provisioning policy detects the missing module and pushes it to the endpoint.

Correct Option:

A. Create a Cisco AnyConnect configuration and Client Provisioning policy within Cisco ISE.
Client Provisioning policies in ISE define which software (AnyConnect, compliance module, network visibility module) to deliver to endpoints based on operating system and other conditions. For VPN users, the administrator creates a Client Provisioning policy that includes the ISE Posture Module (compliance module) and a matching AnyConnect configuration. When the user connects via VPN, the provisioning flow (often triggered by a posture assessment failure or a redirect) automatically downloads and installs the required module.

Incorrect Options:

B. Configure the compliance module to be downloaded from within the posture policy –
Posture policies define compliance checks, not software download and installation. The actual delivery of the compliance module is handled by Client Provisioning policies, not directly by the posture policy.

C. Push the compliance module from Cisco FTD prior to attempting posture –
FTD (Firepower Threat Defense) can integrate with ISE, but pushing the compliance module is not a standard FTD function. This responsibility lies with ISE client provisioning.

D. Use a compound posture condition to check for the compliance module and download if needed –
Posture conditions only check if a module is present; they do not initiate downloads. The download mechanism is separate (client provisioning), though posture results can trigger the provisioning flow.

Reference:
Cisco ISE Client Provisioning Guide – "Client Provisioning for VPN Users – AnyConnect and Compliance Module"
Cisco SISE 300-715 Official Cert Guide, Chapter: "Posture – Delivering Compliance Module via Client Provisioning Policy"

An organization is adding new profiling probes to the system to improve profiling on Cisco ISE. The probes must support a common network management protocol to receive information about the endpoints and the ports to which they are connected. What must be configured on the network device to accomplish this goal?

A. ARP

B. SNMP

C. WCCP

D. ICMP

B.   SNMP

Explanation:
The question states the probes must support a common network management protocol to receive information about endpoints and the ports to which they are connected. SNMP (Simple Network Management Protocol) is the standard network management protocol used to query network devices (switches, routers, WLCs) for information such as MAC addresses, port status, CDP/LLDP neighbor details, and VLAN assignments. ISE can act as an SNMP poller (using SNMP probes) to collect this endpoint information.

Correct Option:

B. SNMP
The SNMP probe in Cisco ISE (independent of the SNMP trap probe) periodically polls network devices (via SNMP GET requests) to retrieve endpoint-related information such as MAC address tables (dot1dTpFdbEntry), ARP caches, CDP neighbor information, and interface details. This helps ISE map endpoints to specific ports and switches. To support this, the network device must have SNMP read-only (RO) community strings configured and accessible to ISE.

Incorrect Options:

A. ARP –
ARP (Address Resolution Protocol) is not a probe that ISE uses to poll devices. ISE can listen to ARP packets via a span/mirror port, but that is not a "network management protocol" as described.

C. WCCP –
Web Cache Communication Protocol (WCCP) is used for redirecting web traffic to web cache or content engines. It is not used for endpoint information collection for profiling.

D. ICMP –
ICMP (ping, traceroute) is used for network reachability testing, not for collecting endpoint-to-port mapping information.

Reference:
Cisco ISE Profiling Guide – "SNMP Probe – Polling Network Devices for Endpoint Information"
Cisco SISE 300-715 Official Cert Guide, Chapter: "Profiling – SNMP Probe Configuration on Network Devices"
