- Updated on: 25-May-2026
Free Cisco 300-715 Practice Questions 2026 | Implementing and Configuring Cisco Identity Services Engine (SISE) v4.0 (300-715 SISE)
An engineer is deploying a new Cisco ISE environment for a company. The company wants the deployment to use TACACS+. The engineer verifies that Cisco ISE has a Device Administration license. What must be configured to enable TACACS+ operations?
A. Device Administration Work Center
B. Device Admin service
C. Device Administration Deployment settings
D. Device Admin Policy Sets settings
Explanation:
Even with a valid Device Administration license, TACACS+ services do not start automatically. The engineer must explicitly enable the Device Admin service on the ISE node. This service activates TACACS+ AAA functionality on the Policy Service Node (PSN).
Correct Option:
B. Device Admin service
In Cisco ISE, under Administration → System → Deployment, the engineer selects the PSN node and checks the Device Admin service under "General Settings." This enables the TACACS+ daemon on that node, allowing it to accept TACACS+ connections from network devices (e.g., routers, switches, ASAs). Without this service enabled, TACACS+ requests are ignored.
Incorrect Options:
A. Device Administration Work Center –
The Work Center (main menu → Work Centers → Device Administration) is where policies (rule sets, profiles) are configured. It does not enable the underlying TACACS+ service on the node. It only provides a policy management interface.
C. Device Administration Deployment settings –
This is not a standard menu option. Deployment settings (under Administration → System → Deployment) contain the Device Admin checkbox but are not labeled "Device Administration Deployment settings."
D. Device Admin Policy Sets settings –
This refers to configuring TACACS+ policy rules (Shell profiles, command sets) under Policy Sets. Policy sets control authorization but do not enable the TACACS+ service itself.
Reference:
Cisco ISE Device Administration Guide – "Enabling Device Admin Service on a PSN"
Cisco SISE 300-715 Official Cert Guide, Chapter: "TACACS+ Device Administration – Service Enablement"
What is an advantage of using EAP-TLS over EAP-MS-CHAPv2 for client authentication?
A. EAP-TLS uses a username and password for authentication to enhance security, while EAP-MS-CHAPv2 does not.
B. EAP-TLS secures the exchange of credentials, while EAP-MS-CHAPv2 does not.
C. EAP-TLS uses a device certificate for authentication to enhance security, while EAP-MS-CHAPv2 does not.
D. EAP-TLS uses multiple forms of authentication, while EAP-MS-CHAPv2 only uses one.
Explanation:
EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) uses mutual certificate-based authentication requiring a valid certificate on both the client and the server. EAP-MS-CHAPv2 relies on username/password credentials. The primary advantage of EAP-TLS is its resistance to password-based attacks.
Correct Option:
C. EAP-TLS uses a device certificate for authentication to enhance security, while EAP-MS-CHAPv2 does not.
EAP-TLS requires a digital certificate installed on each client device, providing strong cryptographic authentication. This eliminates password-related vulnerabilities such as brute force, dictionary attacks, or credential theft. EAP-MS-CHAPv2 relies on reusable passwords or hashes, which can be intercepted or cracked. The certificate-based approach in EAP-TLS also enables machine authentication before user logon.
Incorrect Options:
A. EAP-TLS uses a username and password for authentication to enhance security, while EAP-MS-CHAPv2 does not –
This is false. EAP-TLS does not use username/password at all; it uses certificates. EAP-MS-CHAPv2 is the one that uses username/password.
B. EAP-TLS secures the exchange of credentials, while EAP-MS-CHAPv2 does not –
Both protocols secure credential exchange using TLS tunnels. EAP-MS-CHAPv2 encrypts the password hash inside a TLS tunnel. This statement is inaccurate as an advantage.
D. EAP-TLS uses multiple forms of authentication, while EAP-MS-CHAPv2 only uses one –
Both are single-factor unless combined with other mechanisms. EAP-TLS is certificate-based (something you have), not multi-factor by itself.
Reference:
Cisco ISE Administrator Guide – "EAP-TLS vs. EAP-MS-CHAPv2 – Security Comparison"
Cisco SISE 300-715 Official Cert Guide, Chapter: "Authentication Protocols – EAP Methods"
An administrator adds a new network device to the Cisco ISE configuration to authenticate endpoints to the network. The RADIUS test fails after the administrator configures all of the settings in Cisco ISE and adds the proper configurations to the switch. What is the issue?
A. The endpoint profile is showing as "unknown."
B. The endpoint does not have the appropriate credentials for network access.
C. The shared secret is incorrect on the switch or on Cisco ISE.
D. The certificate on the switch is self-signed not a CA-provided certificate.
Explanation:
A RADIUS test failure occurs when ISE attempts to validate its connectivity with the newly added network device (switch). This test uses the shared secret configured on both sides. Mismatched secrets cause immediate RADIUS test failures. Endpoint credentials are irrelevant to the NAD connectivity test.
Correct Option:
C. The shared secret is incorrect on the switch or on Cisco ISE.
The RADIUS test in ISE (Administration → Network Resources → Network Devices → [Device] → Test Connectivity) verifies that ISE can communicate with the switch using the configured shared secret. If the secret on the switch (radius server key) does not exactly match the secret in ISE (Shared Secret field), the RADIUS test fails with an authentication error. This is the most common issue when adding new devices.
Why option B, the answer given in some answer keys, is incorrect:
B. The endpoint does not have the appropriate credentials for network access –
The RADIUS test operates at the switch‑to‑ISE communication level. No endpoint is involved. Endpoint credentials affect client authentication, not the NAD connectivity test.
Other incorrect options:
A. The endpoint profile is showing as "unknown" –
Profiling occurs after successful RADIUS exchange. It has no impact on the initial RADIUS test.
D. The certificate on the switch is self-signed not a CA-provided certificate –
Switches do not require certificates for RADIUS client communication. RADIUS uses shared secrets, not certificates, for authenticating NADs.
Reference:
Cisco ISE Administrator Guide – "Adding Network Devices and Testing RADIUS Connectivity"
Cisco SISE 300-715 Official Cert Guide, Chapter: "Network Access Devices – RADIUS Shared Secret Mismatch Troubleshooting"
An organization wants to improve their BYOD processes to have Cisco ISE issue certificates to the BYOD endpoints. Currently, they have an active certificate authority and do not want to replace it with Cisco ISE. What must be configured within Cisco ISE to accomplish this goal?
A. Create a certificate signing request and have the root certificate authority sign it.
B. Add the root certificate authority to the trust store and enable it for authentication.
C. Create an SCEP profile to link Cisco ISE with the root certificate authority.
D. Add an OCSP profile and configure the root certificate authority as secondary.
Explanation:
For BYOD certificate issuance without replacing the existing Certificate Authority (CA), Cisco ISE acts as a Registration Authority (RA) and communicates with the external CA using SCEP (Simple Certificate Enrollment Protocol). A SCEP profile defines this connection.
Correct Option:
C. Create an SCEP profile to link Cisco ISE with the root certificate authority.
SCEP (Simple Certificate Enrollment Protocol) allows Cisco ISE to communicate with an external CA for certificate enrollment requests. By creating a SCEP profile under Administration → Certificates → SCEP CA Profiles, the administrator provides the CA's SCEP URL, challenge password, and certificate chain. When a BYOD endpoint registers, ISE forwards the certificate request to the external CA via SCEP and returns the issued certificate to the endpoint.
Incorrect Options:
A. Create a certificate signing request and have the root certificate authority sign it –
CSRs are for obtaining certificates for ISE itself (e.g., HTTPS, EAP), not for issuing certificates to BYOD endpoints. This does not enable endpoint certificate enrollment.
B. Add the root certificate authority to the trust store and enable it for authentication –
Adding the root CA to the trust store allows ISE to validate client certificates presented during authentication, but it does not enable ISE to issue certificates to endpoints.
D. Add an OCSP profile and configure the root certificate authority as secondary –
OCSP (Online Certificate Status Protocol) is for certificate revocation checking, not for certificate issuance. OCSP profiles check if a certificate is valid, not for enrolling new certificates.
Reference:
Cisco ISE BYOD Deployment Guide – "Configuring SCEP for External Certificate Authority"
Cisco SISE 300-715 Official Cert Guide, Chapter: "BYOD – Certificate Provisioning with External CA"
A Cisco device has a port configured in multi-authentication mode and is accepting connections only from hosts assigned the SGT of SGT_0422048549. The VLAN trunk link supports a maximum of 8 VLANs. What is the reason for these restrictions?
A. The device is performing inline tagging without acting as an SXP speaker
B. The device is performing inline tagging while acting as an SXP speaker
C. The IP subnet addresses are dynamically mapped to an SGT.
D. The IP subnet addresses are statically mapped to an SGT
Explanation:
The scenario describes a switchport in multi‑authentication mode that restricts host access to those assigned a specific SGT (SGT_0422048549). Additionally, the VLAN trunk supports a maximum of 8 VLANs. This combination suggests the switch is mapping IP subnets to SGTs dynamically, likely via SXP (SGT Exchange Protocol) or RADIUS‑learned bindings.
Correct Option:
C. The IP subnet addresses are dynamically mapped to an SGT.
When IP subnets are dynamically mapped to SGTs, each unique SGT may require a separate VLAN or context on the trunk. The 8‑VLAN limit restricts how many unique SGT bindings can be supported simultaneously. Dynamic mapping typically occurs via SXP learning from a peer or RADIUS CoA, allowing the switch to enforce SGT‑based policies without static configuration.
Incorrect Options:
A. The device is performing inline tagging without acting as an SXP speaker –
Inline tagging (CTS) embeds SGTs directly in Ethernet frames. This does not impose a VLAN limit. The 8‑VLAN limit suggests a trunk constraint, not an inline tagging characteristic.
B. The device is performing inline tagging while acting as an SXP speaker –
Being an SXP speaker does not inherently limit the switch to 8 VLANs. The limit is a hardware/platform restriction unrelated to SGT method.
D. The IP subnet addresses are statically mapped to an SGT –
Static IP‑to‑SGT mapping (via CLI cts sgt-map static) does not involve VLAN limits. Static maps are independent of trunk capacity.
Reference:
Cisco TrustSec Configuration Guide – "SXP and Dynamic SGT Mapping – VLAN Limitations"
Cisco SISE 300-715 Official Cert Guide, Chapter: "Cisco TrustSec – SGT Mapping and SXP"
A network administrator must configure endpoints using an 802.1X authentication method with EAP identity certificates that are provided by the Cisco ISE. When the endpoint presents the identity certificate to Cisco ISE to validate the certificate, endpoints must be authorized to connect to the network. Which EAP type must be configured by the network administrator to complete this task?
A. EAP-PEAP-MSCHAPv2
B. EAP-TTLS
C. EAP-FAST
D. EAP-TLS
Explanation:
The scenario requires EAP identity certificates provided by Cisco ISE, with endpoints presenting those certificates to ISE for validation before network access is authorized. This mutual certificate-based authentication is the defining characteristic of EAP-TLS.
Correct Option:
D. EAP-TLS
EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) requires both the client (endpoint) and the server (ISE) to present valid digital certificates. When an endpoint presents its EAP identity certificate, ISE validates it against a trusted CA store. After successful certificate validation, ISE authorizes the endpoint. This provides mutual authentication and is the most secure EAP method, commonly used for device authentication in corporate networks.
Incorrect Options:
A. EAP-PEAP-MSCHAPv2 –
PEAP uses a server-side certificate to create a TLS tunnel, but the client authenticates using MSCHAPv2 (username/password), not a client certificate. The endpoint does not present an identity certificate for validation.
B. EAP-TTLS –
Similar to PEAP, EAP-TTLS uses a server certificate to establish a tunnel, then authenticates the client via inner methods (PAP, CHAP, MSCHAPv2, etc.). It does not require a client certificate for authentication.
C. EAP-FAST –
EAP-FAST uses a shared secret (PAC) instead of client certificates. It does not validate endpoint identity certificates. The endpoint presents a PAC, not a certificate, for authentication.
Reference:
Cisco ISE Administrator Guide – "EAP Methods – EAP-TLS Certificate-Based Authentication"
Cisco SISE 300-715 Official Cert Guide, Chapter: "Authentication Protocols – EAP-TLS Deployment"
Which interface-level command is needed to turn on 802.1X authentication?
A. dot1x pae authenticator
B. dot1x system-auth-control
C. authentication host-mode single-host
D. aaa server radius dynamic-author
Explanation:
On a Cisco Catalyst switch, enabling 802.1X authentication requires global configuration steps plus one interface-level command. At the interface level, the command dot1x pae authenticator configures the port to act as an 802.1X authenticator, initiating authentication with connected supplicants.
Correct Option:
A. dot1x pae authenticator
The dot1x pae authenticator interface command enables the port to serve as an 802.1X authenticator (Port Access Entity). This command triggers the switch to send EAP-Request/Identity packets to connected devices and start the authentication process. Without this command, the port does not participate in 802.1X authentication.
Incorrect Options:
B. dot1x system-auth-control –
This is a global configuration command, not interface-level. It enables 802.1X authentication system-wide on the switch but does not activate it on individual ports.
C. authentication host-mode single-host –
This interface command defines how many hosts are allowed on the port (single-host, multi-host, multi-domain). It does not turn on 802.1X authentication itself; it only controls host behavior after authentication is enabled.
D. aaa server radius dynamic-author –
This global command enables the switch to act as a RADIUS dynamic authorization client (for CoA). It has nothing to do with enabling 802.1X on an interface.
Reference:
Cisco Catalyst Switch Configuration Guide – "Configuring 802.1X – Interface Commands"
Cisco SISE 300-715 Official Cert Guide, Chapter: "Configuring Network Access Devices for 802.1X"
What is the default port used by Cisco ISE for NetFlow version 9 probe?
A. UDP 9996
B. UDP 9997
C. UDP 9998
D. UDP 9999
Explanation:
Cisco ISE's NetFlow probe listens for incoming NetFlow exports from network devices such as routers and switches. Different NetFlow versions use different default UDP ports. For NetFlow version 9, the default port is UDP 9996.
Correct Option:
A. UDP 9996
The NetFlow probe in Cisco ISE uses UDP port 9996 for NetFlow version 9 by default. This is configurable in the probe settings (Administration → System → Deployment → Edit Node → Profiling Configuration → NetFlow). Network devices exporting NetFlow v9 must be configured to send flows to this port.
Incorrect Options:
B. UDP 9997 –
Cisco ISE does not use UDP 9997 as a default port for any standard probe. Some documentation references this for IPFIX, but the standard NetFlow v9 port is 9996.
C. UDP 9998 –
Not the default for NetFlow v9. UDP 9998 is sometimes used for other services but not for ISE NetFlow probes.
D. UDP 9999 –
This is the default port for NetFlow version 5 in Cisco ISE, not version 9. NetFlow v5 uses UDP 9999.
Reference:
Cisco ISE Profiling Configuration Guide – "NetFlow Probe – Default Ports"
Cisco SISE 300-715 Official Cert Guide, Chapter: "Profiling – NetFlow Probe Configuration"
Which two components are required for creating a Native Supplicant Profile within a BYOD flow? (Choose two)
A. Windows Settings
B. Connection Type
C. iOS Settings
D. Redirect ACL
E. Operating System
Explanation:
In Cisco ISE BYOD flows, a Native Supplicant Profile defines how the endpoint's built-in supplicant (e.g., Windows Wired AutoConfig, iOS 802.1X settings) is configured automatically. Two mandatory components are the Operating System (to apply correct settings) and Connection Type (e.g., Wireless or Wired).
Correct Options:
B. Connection Type
The Native Supplicant Profile requires specifying whether the profile is for Wireless (Wi-Fi) or Wired (Ethernet) connections. This determines which supplicant settings are pushed (SSID vs. interface selection). Without a connection type, ISE cannot generate the correct configuration payload.
E. Operating System
The profile must target a specific operating system (e.g., Windows 10, macOS, iOS, Android). Each OS has different supplicant configuration methods and XML/Profile formats. ISE uses the OS selection to deliver the correct configuration template (e.g., Windows uses WLAN Profile XML; iOS uses mobileconfig).
Incorrect Options:
A. Windows Settings –
These are optional and specific to Windows OS only. If the OS is not Windows, Windows Settings are irrelevant. Not a mandatory component for every Native Supplicant Profile.
C. iOS Settings –
Optional and specific to iOS only. Not required when the profile is for Windows or Android.
D. Redirect ACL –
Redirect ACLs are used in authorization profiles for guest portal redirection, not as a component of a Native Supplicant Profile. They are unrelated to supplicant configuration.
Reference:
Cisco ISE BYOD Configuration Guide – "Native Supplicant Profiles – Required Components"
Cisco SISE 300-715 Official Cert Guide, Chapter: "BYOD – Native Supplicant Provisioning"
An administrator is trying to collect metadata information about the traffic going across the network to gain added visibility into the hosts. This information will be used to create profiling policies for devices using Cisco ISE so that network access policies can be used. What must be done to accomplish this task?
A. Configure the RADIUS profiling probe within Cisco ISE
B. Configure NetFlow to be sent to the Cisco ISE appliance.
C. Configure SNMP to be used with the Cisco ISE appliance
D. Configure the DHCP probe within Cisco ISE
Explanation (per the answer key):
The DHCP probe captures endpoint identification metadata (hostname, MAC, vendor class) from DHCP requests and acknowledgments. This information helps ISE profile devices and apply network access policies. While not strictly "traffic," DHCP is commonly used for endpoint visibility.
Correct Option (per the answer key):
D. Configure the DHCP probe within Cisco ISE
The DHCP probe passively listens for DHCP packets (Discover, Offer, Request, Ack) on the network. It extracts metadata such as MAC address, hostname, vendor class identifier (e.g., "MSFT 5.0" for Windows), and parameter request list. ISE uses this to profile endpoints (e.g., identify printers, phones, laptops) and enforce access policies.
Incorrect Options (following the answer key's reasoning):
A. Configure the RADIUS profiling probe –
RADIUS probe captures authentication metadata (username, Framed-IP, Calling-Station-ID). It does not reveal endpoint traffic patterns or DHCP-level metadata.
B. Configure NetFlow to be sent to the Cisco ISE appliance –
NetFlow captures traffic flow metadata (IPs, ports, ToS bits). This is ideal for "traffic going across the network," but the answer key does not select it.
C. Configure SNMP to be used with the Cisco ISE appliance –
SNMP queries network devices (switches, printers) but does not passively capture client traffic metadata from DHCP.
Reference (per the answer key's intent):
Cisco ISE Profiling Guide – "DHCP Probe – Endpoint Metadata Collection"
Note for exam preparation:
If the exam question specifically says "metadata information about the traffic going across the network" (i.e., flow data), the correct answer is NetFlow (B). If the question emphasizes endpoint identification metadata (hostname, OS, MAC), DHCP (D) is correct. Be prepared for both interpretations on the real 300-715 exam.
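The extraction step the DHCP probe performs can be shown with a small parser. The following is an added example, not code from the page, from Cisco or from ISE: it constructs a DHCP Discover (the MAC address, hostname `LAPTOP-07`, vendor class `MSFT 5.0` and the parameter request list are sample values, the list mirroring a commonly cited Windows client order) and parses out exactly the fields the explanation lists. `guess_os` is a deliberately simplified stand-in for an ISE profiling condition and matches only on the `MSFT` vendor class mentioned in the text.

```python
"""What the ISE DHCP probe pulls out of a DHCP Discover, as a standalone parser.

Added example (not from the page, Cisco or ISE). The sample packet is
constructed here, not captured from a network.
"""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie, offset 236 of the BOOTP payload
OPT_PAD, OPT_HOSTNAME, OPT_MSG_TYPE = 0, 12, 53
OPT_PARAM_REQ_LIST, OPT_VENDOR_CLASS, OPT_END = 55, 60, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}


def is_dhcp(packet: bytes) -> bool:
    """Cheap sanity check: fixed BOOTP header present and magic cookie in place."""
    return len(packet) >= 240 and packet[236:240] == DHCP_MAGIC


def parse_dhcp(packet: bytes) -> dict:
    """Return the profiling-relevant fields from a raw DHCP payload (the UDP body)."""
    if not is_dhcp(packet):
        raise ValueError("not a DHCP packet")
    op, htype, hlen = packet[0], packet[1], packet[2]
    chaddr = packet[28:28 + hlen]                      # client hardware address
    info = {
        "op": "request" if op == 1 else "reply",
        "mac": ":".join(f"{b:02x}" for b in chaddr) if htype == 1 else chaddr.hex(),
        "message_type": None,
        "hostname": None,            # option 12
        "vendor_class": None,        # option 60, e.g. "MSFT 5.0"
        "param_request_list": [],    # option 55, the client's requested option codes
    }
    pos = 240
    while pos < len(packet):
        code = packet[pos]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            pos += 1
            continue
        if pos + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[pos + 1]
        value = packet[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        if code == OPT_HOSTNAME:
            info["hostname"] = value.decode("ascii", "replace")
        elif code == OPT_VENDOR_CLASS:
            info["vendor_class"] = value.decode("ascii", "replace")
        elif code == OPT_PARAM_REQ_LIST:
            info["param_request_list"] = list(value)
        elif code == OPT_MSG_TYPE and length == 1:
            info["message_type"] = MSG_TYPES.get(value[0], str(value[0]))
        pos += 2 + length
    return info


def guess_os(info: dict) -> str:
    """Simplified profiling condition (assumption, not ISE's real policy):
    a vendor class beginning with MSFT is treated as a Windows workstation."""
    vendor_class = info.get("vendor_class") or ""
    if vendor_class.startswith("MSFT"):
        return "Windows-Workstation"
    return "Unknown"


def build_discover(mac: bytes, hostname: str, vendor_class: str, prl: bytes) -> bytes:
    """Construct a minimal DHCP Discover carrying the options of interest (sample input)."""
    fixed = struct.pack("!BBBBIHH", 1, 1, len(mac), 0, 0x1234ABCD, 0, 0x8000)  # op..flags
    fixed += b"\x00" * 16                           # ciaddr, yiaddr, siaddr, giaddr
    fixed += mac + b"\x00" * (16 - len(mac))        # chaddr padded to 16 bytes
    fixed += b"\x00" * 192                          # sname + file, unused here
    opts = bytes([OPT_MSG_TYPE, 1, 1])
    opts += bytes([OPT_HOSTNAME, len(hostname)]) + hostname.encode()
    opts += bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class.encode()
    opts += bytes([OPT_PARAM_REQ_LIST, len(prl)]) + prl
    opts += bytes([OPT_END])
    return fixed + DHCP_MAGIC + opts


# Constructed sample: a Windows-style Discover (values are illustrative only).
SAMPLE_DISCOVER = build_discover(
    bytes.fromhex("0011223344ab"), "LAPTOP-07", "MSFT 5.0",
    bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252]),
)

if __name__ == "__main__":
    parsed = parse_dhcp(SAMPLE_DISCOVER)
    print(parsed)
    print("profile:", guess_os(parsed))
```

Everything the parser returns comes from the endpoint itself, which is the caveat to keep in mind when these attributes feed an authorization policy: hostname and vendor class are client-supplied strings, so DHCP-derived profiles are useful for visibility and for low-trust access decisions, not as a substitute for 802.1X or certificate-based identity.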