- 287 Questions
- Updated on: 25-May-2026
Free Cisco 300-715 Practice Questions 2026 | Implementing and Configuring Cisco Identity Services Engine (SISE) v4.0 (300-715 SISE)
An administrator is configuring new probes to use with Cisco ISE and wants to use metadata to help profile the endpoints. The metadata must contain traffic information relating to the endpoints instead of industry-standard protocol information. Which probe should be enabled to meet these requirements?
A. NetFlow probe
B. DNS probe
C. DHCP probe
D. SNMP query probe
Explanation (according to the provided answer key):
DHCP probe provides metadata such as hostname, vendor class identifier, and parameter request list. Some Cisco documentation loosely refers to this as "metadata" because it helps profile endpoints without inspecting application traffic. However, DHCP carries industry‑standard protocol fields.
Correct Option (per the answer key):
C. DHCP probe
The DHCP probe captures DHCP Discover, Request, and Ack packets. It extracts endpoint metadata like MAC address, hostname, vendor class (e.g., "MSFT 5.0" for Windows), and requested parameters. ISE uses this to profile devices without needing deep packet inspection. This metadata is endpoint‑specific rather than general protocol definitions.
Why other options are incorrect (per the key's logic):
A. NetFlow probe –
Provides flow‑based traffic metadata (IPs, ports, bytes), but this is network traffic metadata, not endpoint‑specific metadata like device OS.
B. DNS probe –
Provides domain query metadata, not endpoint hardware/OS metadata.
D. SNMP query probe –
Polls network devices (switches, printers) not endpoint traffic metadata.
Honest Reference (official Cisco stance):
Cisco ISE Profiling Guide – "DHCP Probe captures endpoint identifier attributes (hostname, vendor class, MAC)."
However, for traffic metadata (flows, conversations), NetFlow is correct. Since the answer key says DHCP, use that for exam purposes, but note the question's phrasing is flawed.
Recommendation:
If this appears on the real 300-715 exam, read carefully:
"Traffic information relating to endpoints" → NetFlow
"Endpoint configuration metadata (hostname, vendor class)" → DHCP
Which two features are available when the primary admin node is down and the secondary admin node has not been promoted? (Choose two.)
A. hotspot
B. new AD user 802.1X authentication
C. posture
D. BYOD
E. guest AUP
C. posture
Explanation:
In a distributed Cisco ISE deployment with two admin nodes (primary PAN and secondary PAN), if the primary PAN fails and secondary has not been promoted, the secondary PAN is in read‑only standby mode. Policy Service Nodes (PSNs) continue handling RADIUS/TACACS requests independently. Features requiring write access to the PAN (e.g., portal page changes, guest account creation) fail, but pure authentication/authorization services and read‑only posture checks remain functional.
Correct Options:
B. new AD user 802.1X authentication
PSNs cache Active Directory machine and user credentials/group information locally. Even with PAN down, PSNs can authenticate new AD users using cached Kerberos tickets or LDAP connections. Read‑only authentication (802.1X) continues because PSNs handle RADIUS directly without PAN involvement for existing or new users (as long as AD is reachable).
C. posture
Posture assessment (checking endpoint compliance) is processed by PSNs using locally cached posture policy and compliance modules. The PAN is only required for policy changes, not for running existing posture checks. Endpoints can pass/fail posture requirements, and PSNs apply the corresponding authorization policies.
Incorrect Options:
A. hotspot –
Hotspot (guest access) portal creation, modification, or new guest account creation requires write access to PAN (database updates). When PAN is down and secondary not promoted, guest portal operations fail. Existing hotspot sessions may continue via PSNs, but new account creation is unavailable.
D. BYOD –
BYOD flow involves certificate provisioning, which updates the internal endpoint database. This requires write access to the PAN for certificate binding and endpoint attribute updates. With PAN down, new BYOD enrollments fail. Existing BYOD devices can still authenticate via PSNs.
E. guest AUP (Acceptable Use Policy) –
AUP is a portal page element. Serving an existing AUP page may work (cached), but modifying or acknowledging a new AUP requires PAN write access. The question implies the secondary PAN is not promoted, so portal edits are disabled.
Reference:
Cisco ISE High Availability Guide – "PAN Failure – Services Impact"
Cisco SISE 300-715 Official Cert Guide, Chapter: "ISE Distributed Deployment – Node Failure Scenarios"
Wireless network users authenticate to Cisco ISE using 802.1X through a Cisco Catalyst switch. An engineer must create an updated configuration to assign a security group tag to the user's traffic using inline tagging to prevent unauthenticated users from accessing a restricted server. The configurations were performed:
• configured Cisco ISE as a Cisco TrustSec AAA server
• configured the switch as a RADIUS device in Cisco ISE
• configured the wireless LAN controller as a TrustSec device in Cisco ISE
• created a security group tag for the wireless users
• created a certificate authentication profile
• created an identity source sequence
• assigned an appropriate security group tag to the wireless users
• defined security group access control lists to specify an egress policy
• enforced the access control lists on the TrustSec policy matrix in Cisco ISE
• configured TrustSec on the switch
• configured TrustSec on the wireless LAN controller
Which two actions must be taken to complete the configuration? (Choose two.)
A. Configure Security Group Tag Exchange Protocol on the wireless LAN controller.
B. Configure Security Group Tag Exchange Protocol to distribute IP to security group tags on Cisco ISE.
C. Configure inline tag propagation on the switch and wireless LAN controller.
D. Create static IP-to-SGT mapping for the restricted web server.
E. Configure Security Group Tag Exchange Protocol on the switch.
E. Configure Security Group Tag Exchange Protocol on the switch.
Explanation:
The scenario describes inline tagging (CTS/SGT propagation within Ethernet frames). For inline tagging to work, both the switch and WLC must be configured to propagate tags (Cisco Metadata Field) on their interfaces. Additionally, the switch must run SXP if the WLC does not natively support inline tagging (or to exchange IP-to-SGT mappings with non-CTS devices). Given the options, the two missing actions are enabling inline tag propagation on both devices and SXP on the switch.
Correct Options:
C. Configure inline tag propagation on the switch and wireless LAN controller.
Inline tagging (IEEE 802.1X with CTS) requires the cts manual configuration on each interface, including propagate sgt. Without this, the switch and WLC do not insert or read the security group tag (SGT) in Ethernet frames. This step is mandatory for inline tagging to carry SGTs end‑to‑end from wireless client to wired network.
E. Configure Security Group Tag Exchange Protocol on the switch.
SGT Exchange Protocol (SXP) is used when a network device (e.g., WLC) does not support inline tagging or when IP-to‑SGT mapping must be learned via RADIUS. By configuring SXP on the switch, it can receive IP‑to‑SGT bindings from ISE (or peer with the WLC) and enforce policies on the wired side even if the wireless segment lacks inline tags.
Incorrect Options:
A. Configure SGT Exchange Protocol on the wireless LAN controller –
While possible, it is not strictly required if the WLC supports inline tagging. The question already lists "configured TrustSec on the WLC," so inline propagation (option C) is the priority, not necessarily SXP on the WLC.
B. Configure SGT Exchange Protocol to distribute IP to security group tags on Cisco ISE –
ISE does not run SXP as a client; SXP runs on network devices (switches, routers, WLCs). ISE distributes IP‑to‑SGT mappings via RADIUS (CoA) or pxGrid, not via SXP.
D. Create static IP-to-SGT mapping for the restricted web server –
The server can be assigned a static SGT, but the question asks what must be done to complete the user traffic tagging and propagation. Static mapping for the server is optional if the server is not sending tagged traffic. The core missing steps are propagation and SXP.
Reference:
Cisco TrustSec Configuration Guide – "Inline Tagging and SXP – Switch & WLC Deployment"
Cisco SISE 300-715 Official Cert Guide, Chapter: "Cisco TrustSec – SGT Propagation and SXP"
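The two missing actions (options C and E) on the switch side, as an added Cisco IOS configuration example that is not part of the original question or of any Cisco document; interface names, the SGT value 2 for TrustSec devices, the peer and source addresses 10.1.1.1/10.1.1.2 and the SXP password placeholder are all assumptions:

```text
! Global TrustSec enforcement on the switch (ISE is already the TrustSec AAA server)
cts role-based enforcement
!
! Option C: inline tagging on the link toward the wireless LAN controller.
! "cts manual" puts the link in manual TrustSec mode; "propagate sgt" makes the
! switch insert and honour the SGT carried in the Cisco Metadata field of each frame.
interface TenGigabitEthernet1/0/1
 description uplink-to-WLC
 cts manual
  policy static sgt 2 trusted
  propagate sgt
!
! Option E: SXP on the switch, so IP-to-SGT bindings can be learned from a peer
! over TCP for hosts whose traffic arrives without an inline tag.
cts sxp enable
cts sxp default source-ip 10.1.1.2
cts sxp default password SXP-PASSWORD-PLACEHOLDER
cts sxp connection peer 10.1.1.1 password default mode local listener
```

The "trusted" keyword on the static policy tells the switch to accept the SGT already present in frames from that peer rather than overwriting it with the static value; leave it off on links toward devices that must not be allowed to assert their own tag. The same "cts manual" / "propagate sgt" pair must exist on the WLC side of the link for tags to survive end to end.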
When configuring an authorization policy, an administrator cannot see specific Active Directory groups present in their domain to be used as a policy condition. However, other groups that are in the same domain are seen. What is causing this issue?
A. Cisco ISE only sees the built-in groups, not user created ones
B. The groups are present but need to be manually typed as conditions
C. Cisco ISE's connection to the AD join point is failing
D. The groups are not added to Cisco ISE under the AD join point
Explanation:
When an Active Directory join point is configured in Cisco ISE, groups are not automatically imported. The administrator must explicitly select which AD groups should be "added" to ISE's group store. Only groups that have been added under the AD join point settings appear as selectable conditions in authorization policies.
Correct Option:
D. The groups are not added to Cisco ISE under the AD join point
After joining ISE to an AD domain, the administrator must navigate to Administration → Identity Management → External Identity Sources → Active Directory → [Join Point] → Groups. From there, they must click "Add," browse the AD tree, select the desired groups, and click "OK." Only then are those groups populated into ISE's policy condition picker. The missing groups simply have not been added.
Incorrect Options:
A. Cisco ISE only sees the built-in groups, not user created ones –
This is false. ISE can see both built‑in and user‑created groups once they are added via the group selection process. There is no restriction to built‑in groups only.
B. The groups are present but need to be manually typed as conditions –
ISE does not allow manual typing of AD group names in authorization policy conditions. Groups must be selected from the picker, which only displays groups explicitly added under the AD join point.
C. Cisco ISE's connection to the AD join point is failing –
If the AD connection were failing, no groups would be visible. The question states that other groups are seen, so the join point is functional. The issue is specific to certain groups not being added.
Reference:
Cisco ISE Administrator Guide – "External Identity Sources – Active Directory – Adding Groups"
Cisco SISE 300-715 Official Cert Guide, Chapter: "Configuring Active Directory as an External Identity Source"
A network administrator is setting up wireless guest access and has been unsuccessful in testing client access. The endpoint is able to connect to the SSID but is unable to grant access to the guest network through the guest portal. What must be done to identify the problem?
A. Use context visibility to verify posture status.
B. Use the endpoint ID to execute a session trace.
C. Use the identity group to validate the authorization rules.
D. Use traceroute to ensure connectivity.
Explanation:
The endpoint can connect to the SSID but cannot reach or pass through the guest portal. This indicates an authentication or authorization issue, not basic connectivity. The most effective troubleshooting tool in Cisco ISE to identify such problems is the session trace feature, which follows the client's authentication flow step by step.
Correct Option:
B. Use the endpoint ID to execute a session trace.
Session trace in Cisco ISE (Operations → Troubleshooting → Session Trace) allows the administrator to input the endpoint ID (MAC address or IP address) and simulate or analyze the actual authentication session. It shows which authentication policy matched, which identity store was used, which authorization policy applied, and any redirect rules (including guest portal redirection). This pinpoints exactly why the guest portal is not granting access.
Incorrect Options:
A. Use context visibility to verify posture status –
Posture status is irrelevant for guest portal access unless posture policies are enforced. Guest access typically does not require posture checks. Context visibility shows current endpoint attributes but does not step through the authentication flow.
C. Use the identity group to validate the authorization rules –
Checking authorization rules manually may help, but without seeing which rules the client actually matched, it is guesswork. Session trace shows the exact rule hit.
D. Use traceroute to ensure connectivity –
The endpoint can already connect to the SSID, so Layer 3 connectivity to the gateway exists. Traceroute tests network path, not ISE policy logic. The issue is policy-based, not network connectivity.
Reference:
Cisco ISE Administrator Guide – "Troubleshooting – Session Trace"
Cisco SISE 300-715 Official Cert Guide, Chapter: "Guest Access Troubleshooting – Using Session Trace"
Drag the Cisco ISE node types from the left onto the appropriate purposes on the right.

Explanation of the Drag-and-Drop Logic:
Administration (PAN/MnT Admin component):
The Administration persona (Policy Administration Node) handles all configuration management, policy edits, and system auditing. It does NOT process live RADIUS requests. The purpose listed in the exhibit for "Administration" is incorrect as given; the correct purpose for Administration is the one currently assigned to "Monitoring" in the exhibit's table.
Policy Service (PSN):
The PSN is the workhorse. It processes RADIUS/TACACS, posture, guest, profiling, and client provisioning. The purpose listed in the exhibit's table for "pxGrid" actually describes the PSN.
Monitoring (MnT):
The Monitoring node collects logs, alerts, and provides troubleshooting tools (Session Trace, Reports, Live Logs).
pxGrid:
pxGrid is specifically for sharing contextual session, SGT, and endpoint information with external subscribers (e.g., Cisco ASA, Firepower).
Explanation:
The exhibit contains misaligned descriptions. Proper matching requires understanding that PSN handles all policy decisions (RADIUS, posture, guest). Administration manages configuration. MnT provides troubleshooting/logging. pxGrid shares context with subscribers. The drag-and-drop tests correct persona-to-function association.
Correct Mapping (based on official ISE roles):
Administration → manages all system-related configuration (the third row in the exhibit's table)
Policy Service → provides network access, posture, guest access (the fourth row)
Monitoring → provides advanced troubleshooting tools (the first row)
pxGrid → shares context-sensitive information (the second row)
Reference:
Cisco ISE Administrator Guide – "ISE Personas (PAN, MnT, PSN, pxGrid)"
Cisco SISE 300-715 Official Cert Guide, Chapter: "ISE Deployment Models – Personas and Purposes"
Which two values are compared by the binary comparison function in authentication that is based on Active Directory?
A. subject alternative name and the common name
B. MS-CHAPv2 provided machine credentials and credentials stored in Active Directory
C. user-presented password hash and a hash stored in Active Directory
D. user-presented certificate and a certificate stored in Active Directory
Explanation:
The binary comparison function in Cisco ISE's certificate authentication profile can compare specific certificate fields extracted from the user‑presented certificate against corresponding attributes stored in Active Directory. However, true "binary comparison" typically compares the entire certificate blob. If the exam expects SAN and CN, it is referring to field‑level matching, not full binary comparison.
Correct Option (per the answer key):
A. subject alternative name and the common name
When binary comparison is enabled for certificate‑based authentication with AD, ISE can extract the SAN and CN from the client certificate and compare them (in binary form) against the SAN/CN values stored in the AD computer or user object. This ensures an exact match of these two critical identifier fields.
Why other options are incorrect (per the key's logic):
B. MS-CHAPv2 provided machine credentials –
This is password‑based, not certificate‑based. Binary comparison requires certificates.
C. user-presented password hash –
Again, password hash comparison is for PEAP/MS-CHAPv2, not certificate binary comparison.
D. user-presented certificate and a certificate stored in AD –
This is actually the correct definition of binary comparison. If the answer key says A, then the exam question may be misworded or expects field‑level comparison.
Accurate Answer (based on Cisco official documentation):
The binary comparison function compares the entire user‑presented certificate with the certificate stored in Active Directory (option D). This ensures the exact same certificate is bound to the AD object.
However, since the answer key indicates A, refer to the specific exam materials in use. The 300-715 exam has been known to use "binary comparison" ambiguously.
Reference:
Cisco ISE Administration Guide – "Certificate Authentication Profile – Perform binary comparison with certificate stored in Active Directory" (compares full certificate, not just SAN/CN)
An engineer needs to configure Cisco ISE Profiling Services to authorize network access for IP speakers that require access to the intercom system. This traffic needs to be identified if the ToS bit is set to 5 and the destination IP address is the intercom system.
What must be configured to accomplish this goal?
A. NMAP
B. NETFLOW
C. pxGrid
D. RADIUS
Explanation:
The engineer needs to identify traffic based on ToS bit (DSCP) and destination IP address. This is traffic flow metadata, not endpoint attributes. NetFlow probes capture exactly such information—Layer 3 flow details including IP addresses, ports, and ToS/DSCP values—which ISE can use for profiling certain devices.
Correct Option:
B. NETFLOW
The NetFlow probe in Cisco ISE listens for NetFlow v5/v9/v10 (IPFIX) exports from network devices (switches, routers). It extracts flow metadata including source/destination IP, ports, protocol, and Type of Service (ToS) bits. When an IP speaker sends traffic with ToS=5 to the intercom system's IP, NetFlow reports this flow to ISE, allowing ISE to profile the speaker based on its traffic pattern.
Incorrect Options:
A. NMAP –
NMAP is an active scanning probe that performs port scans and OS fingerprinting. It cannot passively inspect ToS bits or destination IP flows. NMAP probes are intrusive and not suitable for identifying live traffic characteristics.
C. pxGrid –
pxGrid shares context between ISE and other platforms (e.g., Firepower). It does not capture or analyze raw traffic flows. pxGrid is a publishing/subscription service, not a traffic inspection probe.
D. RADIUS –
RADIUS carries authentication and accounting data (username, MAC, Framed-IP), but it does not carry ToS bits or flow-level destination IP details for arbitrary traffic from IP speakers.
Reference:
Cisco ISE Profiling Guide – "NetFlow Probe – Configuration and Use Cases"
Cisco SISE 300-715 Official Cert Guide, Chapter: "Profiling – Passive Probes – NetFlow"
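To make the NetFlow answer concrete, here is an added example (not Cisco ISE code and not part of the original question) that decodes a NetFlow v5 export and applies the question's condition, ToS value 5 and destination equal to the intercom system, to each flow. The intercom address 10.20.30.40, the speaker addresses and the flow records are all constructed sample data, and the condition function models the profiling logic rather than reproducing ISE's own NetFlow attribute names:

```python
import struct
import ipaddress

# NetFlow v5 wire format: a 24-byte header followed by 48-byte flow records (network byte order).
V5_HEADER = struct.Struct("!HHIIIIBBH")             # version, count, uptime, secs, nsecs, seq, engine type/id, sampling
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # srcaddr, dstaddr, nexthop, ifindexes, counters, ports, proto, tos, ...

# Hypothetical intercom system address used by the constructed sample flows.
INTERCOM_IP = "10.20.30.40"


def build_v5_export(flows):
    """Build a NetFlow v5 datagram from (src, dst, sport, dport, proto, tos) tuples.

    Only used to construct sample input; in a deployment the switch or router exports this."""
    header = V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(
            int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)),
            0,                # nexthop
            1, 2,             # input / output SNMP ifIndex
            10, 1200,         # packets, octets
            0, 0,             # first / last sysuptime
            sport, dport,
            0,                # pad1
            0, proto, tos,    # tcp_flags, IP protocol, Type of Service byte
            0, 0, 24, 24, 0,  # src_as, dst_as, src_mask, dst_mask, pad2
        )
        for src, dst, sport, dport, proto, tos in flows
    )
    return header + body


def parse_v5_export(datagram):
    """Decode a NetFlow v5 datagram into flow dicts holding the fields a profiler would match on."""
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated NetFlow export")
    flows = []
    for i in range(count):
        rec = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(rec[0])),
            "dst": str(ipaddress.IPv4Address(rec[1])),
            "sport": rec[9],
            "dport": rec[10],
            "proto": rec[13],
            "tos": rec[14],
        })
    return flows


def is_ip_speaker_flow(flow, intercom_ip=INTERCOM_IP, tos=5):
    """The question's condition: ToS value 5 AND destination is the intercom system."""
    return flow["dst"] == intercom_ip and flow["tos"] == tos


def profile_ip_speakers(datagram):
    """Return the sorted source addresses whose flows satisfy the IP-speaker condition."""
    return sorted({f["src"] for f in parse_v5_export(datagram) if is_ip_speaker_flow(f)})


# Constructed sample export: one IP speaker, one laptop with default ToS, one speaker talking elsewhere.
SAMPLE_EXPORT = build_v5_export([
    ("10.20.30.5", INTERCOM_IP, 5060, 5060, 17, 5),    # ToS 5 to the intercom: matches
    ("10.20.30.6", INTERCOM_IP, 51000, 443, 6, 0),     # same destination, ToS 0: no match
    ("10.20.30.5", "10.20.31.9", 5060, 5060, 17, 5),   # ToS 5 but another destination: no match
])

if __name__ == "__main__":
    print(profile_ip_speakers(SAMPLE_EXPORT))
```

Note that only the combination of both attributes selects the speaker: the laptop reaches the same server and the speaker also sends ToS 5 traffic elsewhere, and neither of those flows matches. That is why NMAP, pxGrid or RADIUS cannot answer this question, since none of them sees per-flow ToS and destination data.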
An organization is migrating its current guest network to Cisco ISE and has 1000 guest users in the current database. There are no resources to enter this information into the Cisco ISE database manually. What must be done to accomplish this task efficiently?
A. Use a CSV file to import the guest accounts
B. Use SQL to link the existing database to Cisco ISE
C. Use a JSON file to automate the migration of guest accounts
D. Use an XML file to change the existing format to match that of Cisco ISE
Explanation:
Cisco ISE provides a built‑in bulk import feature for guest accounts using comma‑separated values (CSV) files. This allows an administrator to export existing guest data from the old system, format it according to ISE’s CSV template, and import all 1000 accounts in a single operation without manual entry.
Correct Option:
A. Use a CSV file to import the guest accounts
ISE supports importing guest accounts via CSV under Guest Access → Guest Operations → Import Guest Accounts. The administrator downloads a predefined CSV template, populates it with the 1000 guest records (username, password, guest type, duration, sponsor, etc.), and imports the file. This is the efficient, supported method for bulk guest account migration.
Incorrect Options:
B. Use SQL to link the existing database to Cisco ISE –
ISE does not support direct SQL connections to external guest databases for account synchronization. SQL linking is not a feature available in standard ISE deployments.
C. Use a JSON file to automate the migration of guest accounts –
ISE does not accept JSON for guest account import. The only supported bulk import format is CSV. JSON can be used via REST API (ERS), but that requires scripting, not a simple file import.
D. Use an XML file to change the existing format to match that of Cisco ISE –
ISE does not support XML file import for guest accounts. XML is used for configuration backups, not guest user data migration.
Reference:
Cisco ISE Administrator Guide – "Guest Access – Bulk Import of Guest Accounts Using CSV"
Cisco SISE 300-715 Official Cert Guide, Chapter: "Guest Services – Managing Guest Accounts"
A network engineer must enable a profiling probe. The profiling must take details through the Active Directory. Where in the Cisco ISE interface would the engineer enable the probe?
A. Policy > Policy Elements > Profiling
B. Administration > Deployment > System > Profiling
C. Policy > Deployment > System > Profiling
D. Administration > System > Deployment > Profiling
Explanation:
In Cisco ISE, profiling probes (including the Active Directory probe) are enabled at the node level under deployment settings. The navigation path is Administration → System → Deployment, then select the specific ISE node and find the Profiling Configuration section.
Correct Option:
D. Administration > System > Deployment > Profiling
The engineer navigates to Administration → System → Deployment, clicks on the desired ISE node (e.g., a PSN), and scrolls to the Profiling Configuration section. Here, various probes including the Active Directory probe (which pulls computer account details like operating system and last logon from AD) can be enabled or disabled.
Incorrect Options:
A. Policy > Policy Elements > Profiling –
This location is for creating profiling policies and conditions, not for enabling probes on specific nodes. Probes are node‑level services, not policy elements.
B. Administration > Deployment > System > Profiling –
The order is incorrect. The correct path is Administration → System → Deployment, not Administration → Deployment → System.
C. Policy > Deployment > System > Profiling –
The "Policy" menu does not contain "Deployment." Deployment settings are exclusively under the Administration menu.
Reference:
Cisco ISE Administrator Guide – "Profiling Probes – Enabling Probes on a PSN"
Cisco SISE 300-715 Official Cert Guide, Chapter: "Profiling Services – Configuring Probes – Active Directory Probe"