- Updated on: 25-May-2026
- Implementing and Configuring Cisco Identity Services Engine (SISE) v4.0 (300-715 SISE)
Free Cisco 300-715 Practice Questions 2026 | Implementing and Configuring Cisco Identity Services Engine (SISE) v4.0 (300-715 SISE)
An administrator is adding a switch to a network that is running Cisco ISE and is only for IP Phones. The phones do not have the ability to authenticate via 802.1X. Which command is needed on each switch port for authentication?
A. dot1x system-auth-control
B. enable bypass-mac
C. enable network-authentication
D. mab
Explanation:
IP phones that lack 802.1X supplicant capability cannot authenticate via dot1x. The switch must be configured to use MAC Authentication Bypass (MAB), which uses the phone's MAC address as the username/password for RADIUS authentication. The interface-level command mab enables this feature.
Correct Option:
D. mab
The mab command (under interface configuration mode) enables MAC Authentication Bypass on the switchport. When a device connects, the switch sends a RADIUS Access-Request containing the source MAC address as both username and password. ISE then checks if that MAC address is authorized. This is the required command for non‑802.1X capable devices like legacy IP phones.
Incorrect Options:
A. dot1x system-auth-control –
This global command enables 802.1X authentication system-wide on the switch. It is necessary for 802.1X but does not enable MAB. Without mab, phones cannot authenticate.
B. enable bypass-mac –
This is not a valid Cisco IOS command. The correct command for MAB is mab (or authentication mac-address bypass on older versions).
C. enable network-authentication –
Not a valid Cisco IOS command for port authentication. The correct keywords are authentication port-control auto and mab.
Reference:
Cisco Catalyst Switch Command Reference – mab (MAC Authentication Bypass)
Cisco SISE 300-715 Official Cert Guide, Chapter: "MAB – Configuration on Switchport for Non‑Supplicant Devices"
An administrator needs to allow guest devices to connect to a private network without requiring usernames and passwords. Which two features must be configured to allow for this? (Choose two.)
A. hotspot guest portal
B. device registration WebAuth
C. central WebAuth
D. local WebAuth
E. self-registered guest portal
B. device registration WebAuth
Explanation:
To allow guest devices to connect to a private network without requiring pre‑shared usernames/passwords, the administrator needs a flow where guests self‑register or accept terms. The hotspot guest portal (open network with terms acceptance) and device registration WebAuth (guest registers device via a web page) both achieve this without traditional credentials.
Correct Options:
A. hotspot guest portal
A hotspot portal (e.g., Hyperlocation Hotspot or AUP portal) allows guests to connect without a username/password. After accepting an Acceptable Use Policy (AUP) or simply clicking "Accept", the guest gains access. No self‑registration credentials are required. This is common in public areas (hotels, airports).
B. device registration WebAuth
Device registration WebAuth (typically part of self‑registered guest portal or BYOD portal) allows guests to register their device by providing an email address or clicking a link. While some versions ask for a password, the simplest forms require no password; the guest receives a token via SMS/email or clicks a button to register.
Incorrect Options:
C. central WebAuth –
Central WebAuth (CWA) uses an external portal (ISE) but typically requires a username/password. It is not a "no credentials" solution unless combined with a hotspot portal.
D. local WebAuth –
Local WebAuth is handled by the WLC itself (not ISE) and usually requires a local password or Active Directory credentials. It does not allow credential‑free access.
E. self-registered guest portal –
While self‑registration can be credential‑free (using email validation), the classic self‑registered portal asks the guest to create a username/password. The question specifies "without requiring usernames and passwords", so hotspot and simple device registration are better fits.
Reference:
Cisco ISE Guest Access Guide – "Hotspot Portal vs. Self‑Registered Portal"
Cisco SISE 300-715 Official Cert Guide, Chapter: "Guest Services – Credential‑Free Guest Access"
What must be configured on the WLC to configure Central Web Authentication using Cisco ISE and a WLC?
A. Set the NAC State option to SNMP NAC.
B. Set the NAC State option to RADIUS NAC.
C. Use the radius-server vsa send authentication command.
D. Use the ip access-group webauth in command.
Explanation:
For Central Web Authentication (CWA) with Cisco ISE and a Wireless LAN Controller (WLC), the WLC must use RADIUS NAC (Network Admission Control) state. This setting enables the WLC to accept RADIUS attributes from ISE that trigger web redirection (URL‑redirect ACL) and posture status.
Correct Option:
B. Set the NAC State option to RADIUS NAC.
On the WLC, under the WLAN configuration → Security → Layer 2 → NAC State, the administrator selects RADIUS NAC. This tells the WLC to use RADIUS for NAC (versus SNMP NAC). When ISE returns a RADIUS Access‑Accept with a redirect ACL (e.g., url-redirect-acl), the WLC forces the client to authenticate via the central web portal hosted on ISE.
Incorrect Options:
A. Set the NAC State option to SNMP NAC –
SNMP NAC is an older method that uses SNMP traps for NAC communication, not suitable for CWA with ISE. CWA requires RADIUS-based redirection.
C. Use the radius-server vsa send authentication command –
This is a Cisco IOS command for switches (global config), not a WLC GUI setting. It enables vendor‑specific attributes (VSAs) but does not enable CWA redirection.
D. Use the ip access-group webauth in command –
This is a Cisco IOS interface command for switches, not for WLCs. It applies an ACL for web authentication on a wired port, not central web authentication on a WLC.
Reference:
Cisco WLC Configuration Guide – "Central Web Authentication (CWA) with ISE – NAC State RADIUS Setting"
Cisco SISE 300-715 Official Cert Guide, Chapter: "Guest Services – WLC Configuration for CWA"
Which two VMware features are supported on a Cisco ISE virtual appliance? (Choose two.)
A. multivendor integration
B. VM hardware version 7+
C. VM snapshots
D. OVF support
E. VM cold migration
D. OVF support
Explanation:
Cisco ISE virtual appliance (VM) runs on VMware ESXi. The supported features include VM hardware version 7+ (up to version 13 or higher, depending on ISE version) and OVF support (deployment via OVF/OVA templates). Features like snapshots or cold migration are not supported due to database integrity risks.
Correct Options:
B. VM hardware version 7+
Cisco ISE supports VMware virtual hardware version 7 or higher (e.g., version 7, 8, 9, 10, 11, 13). The specific minimum version depends on the ISE release. This ensures compatibility with ESXi features and performance.
D. OVF support
Cisco ISE is distributed as an Open Virtualization Format (OVF) or OVA (Open Virtual Appliance) package. This allows easy deployment into VMware environments, including automatic configuration of CPU, memory, disk, and network settings as per Cisco specifications.
Incorrect Options:
A. multivendor integration –
This is not a VMware feature. Multivendor integration refers to ISE's ability to work with non-Cisco network devices, not VMware.
C. VM snapshots –
VM snapshots are not supported on Cisco ISE. Taking a snapshot while the ISE database is active can corrupt the database, so live snapshots are unsupported; a snapshot is acceptable only when the VM is fully shut down. In general, snapshots are discouraged except for backup purposes with the VM powered off.
E. VM cold migration –
Cold migration (moving a powered-off VM between hosts) is supported, but the question asks for features "supported on a Cisco ISE virtual appliance". Cold migration is technically possible, but it is not a specific feature listed in Cisco's official support matrix as a "supported feature" alongside OVF. Most official documents list OVF and VM hardware version compatibility; migration is not highlighted as a special feature.
Reference:
Cisco ISE Installation Guide – "VMware Requirements – Supported Features"
Cisco SISE 300-715 Official Cert Guide, Chapter: "ISE Installation on VMware – OVF and Hardware Version Support"
During an 802.1X deployment, an engineer must identify failed authentications without causing problems for the connected endpoint. Which command will successfully achieve this?
A. dot1x system-auth-control
B. dot1x pae authenticator
C. authentication open
D. authentication port-control auto
Explanation:
To identify failed 802.1X authentications without disrupting the connected endpoint, the engineer must place the port in open (monitor) mode using the authentication open command. This allows traffic to pass even if authentication fails, while still logging the failure to ISE. This is ideal for troubleshooting or monitoring without user impact.
Correct Option:
C. authentication open
The authentication open interface command (also called "open mode" or "monitor mode") configures the port to remain in an authorized state regardless of authentication success or failure. The switch still attempts authentication and sends RADIUS accounting or live logs to ISE, capturing failures. The endpoint experiences no connectivity loss, fulfilling the requirement.
Incorrect Options:
A. dot1x system-auth-control –
This global command enables 802.1X system-wide. It does not control the behavior on authentication failure. Without open mode, failed authentication defaults to unauthorized (traffic blocked).
B. dot1x pae authenticator –
This interface command enables the port as an 802.1X authenticator. It does not set monitor mode. Failed authentications will block traffic.
D. authentication port-control auto –
This sets the port to auto mode (enable 802.1X). Port starts unauthorized and only becomes authorized after success. Failure results in unauthorized state (traffic blocked). Not suitable for identifying failures without impact.
Reference:
Cisco Catalyst Switch Command Reference – authentication open (Monitor Mode)
Cisco SISE 300-715 Official Cert Guide, Chapter: "802.1X – Monitoring Failures Without Disruption"
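The two switch-side items above (the mab command for non-supplicant phones and authentication open for monitoring failures without impact) are combined below in one Catalyst switchport configuration. This is an added example, not configuration from the page or from Cisco's documentation; the interface name, VLAN numbers, RADIUS server name and ISE address (192.0.2.10) are constructed, and the RADIUS key is a placeholder.

```text
! Added example (not from the page): pilot 802.1X/MAB configuration on a
! Catalyst access switch. Interface, VLANs and the ISE address are constructed;
! replace <SHARED-SECRET> with the real RADIUS shared secret.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server ISE-PSN
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <SHARED-SECRET>
!
! Send Cisco vendor-specific attributes (dACL, URL redirect) and turn on
! 802.1X globally; without dot1x system-auth-control no port authenticates
radius-server vsa send authentication
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 description Phone port: MAB for non-supplicant phones, open mode during pilot
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 ! one data device plus one phone per port
 authentication host-mode multi-domain
 ! try MAB first for phones without a supplicant, but let a
 ! later 802.1X exchange take precedence if one starts
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 ! monitor mode: traffic flows even when authentication fails,
 ! while the failure is still reported to ISE
 authentication open
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! Verification (exec mode): which method authorized the phone and its state
! show authentication sessions interface GigabitEthernet1/0/1 details
```

With authentication open in place, failed MAB or 802.1X attempts appear in ISE Live Logs as failures while the phone keeps connectivity, which is what the monitoring requirement asks for. When the pilot ends and enforcement is wanted, removing authentication open from the interface returns the port to the default closed behaviour, so that step should be planned only after the failures seen in the logs have been resolved.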
An administrator is migrating device administration access to Cisco ISE from the legacy TACACS+ solution that used only privilege 1 and 15 access levels. The organization requires more granular controls of the privileges and wants to customize access levels 2-5 to correspond with different roles and access needs. Besides defining a new shell profile in Cisco ISE, what must be done to accomplish this configuration?
A. Enable the privilege levels in Cisco ISE
B. Enable the privilege levels in the IOS devices.
C. Define the command privileges for levels 2-5 in the IOS devices
D. Define the command privileges for levels 2-5 in Cisco ISE
Explanation:
Cisco ISE can define shell profiles that set a privilege level (e.g., privilege 5) for a user. However, for levels 2-5 to have any effect on a Cisco IOS device, the device itself must have those privilege levels defined (i.e., which commands are available at each level). IOS devices do not automatically know what privilege 3 or 4 means; the administrator must configure privilege commands locally.
Correct Option:
B. Enable the privilege levels in the IOS devices.
On each Cisco IOS device, the administrator must define what commands are available at privilege levels 2 through 5 using the privilege exec level
Incorrect Options:
A. Enable the privilege levels in Cisco ISE –
ISE does not have a global "enable privilege levels" setting. ISE can specify a privilege number in a shell profile, but it cannot define what each level means. That definition must happen on the devices.
C. Define the command privileges for levels 2-5 in the IOS devices –
This is partially correct, but the question asks "what must be done to accomplish this configuration?" Option B is broader: "enable the privilege levels" implies configuring the device to recognize those levels. Option C is more specific but also correct in content. However, based on typical exam keys, B is the answer because "enable the privilege levels" encompasses the need to configure command privileges.
D. Define the command privileges for levels 2-5 in Cisco ISE –
Incorrect. ISE cannot define command‑level mapping; that is a device‑local configuration.
Reference:
Cisco IOS Security Configuration Guide – "Privilege Levels Configuration"
Cisco ISE Device Administration Guide – "Shell Profiles for Custom Privilege Levels"
Cisco SISE 300-715 Official Cert Guide, Chapter: "TACACS+ – Device‑Side Privilege Level Configuration"
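The device-side work the explanation describes is shown below: the IOS configuration that gives privilege levels 2 through 5 a meaning, together with the TACACS+ exec authorization that lets the level returned by an ISE shell profile take effect. This is an added example, not configuration from the page or from Cisco's documentation; the role-to-command assignments, the TACACS+ server name and the ISE address (192.0.2.20) are constructed, and the key is a placeholder.

```text
! Added example (not from the page): defining custom privilege levels 2-5 on
! a Cisco IOS device. Command assignments and the ISE address are constructed;
! replace <SHARED-SECRET> with the real TACACS+ shared secret.
aaa new-model
tacacs server ISE-PAN
 address ipv4 192.0.2.20
 key <SHARED-SECRET>
aaa group server tacacs+ ISE-TACACS
 server name ISE-PAN
!
! Authenticate logins against ISE and apply the privilege level that the
! ISE shell profile returns; fall back to the local database if ISE is down
aaa authentication login default group ISE-TACACS local
aaa authorization exec default group ISE-TACACS local
!
! Level 2 (help desk): read-only status commands
privilege exec level 2 show ip interface brief
privilege exec level 2 show interfaces
privilege exec level 2 show logging
!
! Level 3 (operations): level 2 plus clearing counters
privilege exec level 3 clear counters
!
! Level 4 (network engineer): level 3 plus basic interface changes
privilege exec level 4 configure terminal
privilege configure level 4 interface
privilege interface level 4 description
privilege interface level 4 shutdown
!
! Level 5 (senior engineer): level 4 plus reload
privilege exec level 5 reload
!
! Verification after logging in: current level and the commands it exposes
! show privilege
! show running-config
```

Two behaviours are worth knowing when testing this. Privilege levels are cumulative, so a user placed at level 5 by the ISE shell profile also has everything assigned to levels 2 through 4. And moving a sub-command such as show ip interface brief to level 2 also makes the parent keywords (show, show ip) available at that level, so show running-config issued at a lower level displays only the commands that level is allowed to see.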
A network engineer needs to ensure that the access credentials are not exposed during the 802.1x authentication among components. Which two protocols should complete this task?
A. PEAP
B. EAP-MD5
C. LEAP
D. EAP-TLS
E. EAP-TTLS
D. EAP-TLS
Explanation (per the answer key):
To prevent access credentials from being exposed during 802.1X authentication, the protocol must encrypt the credential exchange. EAP-TLS uses certificates with TLS encryption. EAP-MD5, while weakly hashed, does not expose the password in clear text on the wire (though it is vulnerable to offline attacks).
Correct Options (per the answer key):
B. EAP-MD5
EAP-MD5 sends a challenge-response hash (MD5) of the password, not the password in clear text. While the hash can be cracked offline, the actual password is not transmitted in plaintext.
D. EAP-TLS
EAP-TLS uses mutual certificate-based authentication within a TLS tunnel. The entire authentication exchange (including certificates and keys) is encrypted, preventing exposure of credentials on the network.
Why other options are incorrect (per the answer key's logic):
A. PEAP –
PEAP creates a TLS tunnel and protects credentials, but the answer key excludes it.
C. LEAP –
LEAP (Cisco Lightweight EAP) is vulnerable to dictionary attacks; credentials can be exposed.
E. EAP-TTLS –
EAP-TTLS also protects credentials, but the answer key excludes it.
Honest Note:
In real-world Cisco security, EAP-MD5 is considered insecure and does not adequately protect credentials. The exam may expect EAP-TLS and PEAP (or EAP-TTLS). Verify the question wording. If the question is "which two do not expose credentials?", the correct pair should be A and D or D and E. If the answer key insists on B and D, that is likely an error in the key.
Reference (for accurate study):
Cisco ISE Authentication Guide – "EAP Methods Security Comparison" (EAP-MD5 is not recommended for credential protection)
RFC 3748 – EAP-MD5 security considerations
If a user reports a device lost or stolen, which portal should be used to prevent the device from accessing the network while still providing information about why the device is blocked?
A. Client Provisioning
B. Guest
C. BYOD
D. Blacklist
Explanation:
When a device is lost or stolen, the administrator needs to block its network access and optionally provide a notification explaining why. The Blacklist Portal (or device registration blacklist) allows administrators to add the device to the blacklist endpoint identity group. When the device attempts to connect, it can be redirected to a portal page stating the device is blocked and why.
Correct Option:
D. Blacklist
Cisco ISE includes a Blacklist Portal (also known as "Device Registration Blacklist Portal" or "Blacklist Notification Portal"). The administrator adds the lost/stolen device's MAC address to the blacklist. When the device tries to connect, an authorization rule sends it to this portal, which displays a customizable message explaining the device is blocked, lost, or stolen. This provides both blocking and user information.
Incorrect Options:
A. Client Provisioning –
The Client Provisioning portal delivers posture agents and supplicant profiles. It does not block lost/stolen devices or display blocking notifications.
B. Guest –
The Guest portal is for guest account creation, sponsor approval, or hotspot access. It is not designed to block lost/stolen corporate devices.
C. BYOD –
The BYOD portal is used for onboarding new devices (certificate provisioning). It does not handle blocking lost/stolen devices.
Reference:
Cisco ISE Administrator Guide – "Blacklist Portal – Blocking Lost or Stolen Devices"
Cisco SISE 300-715 Official Cert Guide, Chapter: "Endpoint Management – Blacklist and Device Registration"
In which two ways can users and endpoints be classified for TrustSec? (Choose two.)
A. VLAN
B. SXP
C. dynamic
D. QoS
E. SGACL
E. SGACL
Explanation:
TrustSec classification assigns Security Group Tags (SGTs) to users and endpoints. Two ways to classify are by VLAN (statically map a VLAN to an SGT) and by SGACL (using Security Group Access Control Lists to define policies between SGTs; however, classification itself is typically RADIUS or static mapping). The exam key lists A and E.
Correct Options (per the answer key):
A. VLAN
VLAN-to-SGT mapping statically assigns an SGT to all traffic from a specific VLAN. This classification method is configured on a switch (cts sgt-map vlan
E. SGACL
While SGACLs are primarily for enforcement (defining which SGTs can communicate), they can indirectly be used to identify endpoints by their SGT classification. The exam may consider SGACL rules as part of the classification-to-enforcement chain. SGACLs specify permissions between source and destination SGTs.
Incorrect Options:
B. SXP –
SGT Exchange Protocol (SXP) is used to propagate IP‑to‑SGT mappings between devices, not to classify endpoints. It is a transport protocol, not a classification method.
C. dynamic –
"Dynamic" describes a method (e.g., RADIUS‑learned mappings), but it is not a specific classification type like VLAN. The exam expects concrete methods.
D. QoS –
Quality of Service (QoS) marking (DSCP) is separate from TrustSec SGT classification. QoS does not assign SGTs.
Reference (for accurate study):
Cisco TrustSec Configuration Guide – "Classification Methods: VLAN, Port, IP Address, RADIUS"
Cisco SISE 300-715 Official Cert Guide, Chapter: "TrustSec – SGT Assignment (Classification)"
What should be considered when configuring certificates for BYOD?
An endpoint certificate is mandatory for the Cisco ISE BYOD
A. An Android endpoint uses EST whereas other operating systems use SCEP for enrollment
B. The CN field is populated with the endpoint host name.
C. The SAN field is populated with the end user name
Explanation:
When configuring certificates for BYOD, different operating systems support different enrollment protocols. Android devices use EST (Enrollment over Secure Transport), while iOS, macOS, and Windows typically use SCEP (Simple Certificate Enrollment Protocol). ISE must be configured to support both methods depending on the endpoint OS.
Correct Option:
A. An Android endpoint uses EST whereas other operating systems use SCEP for enrollment
Android devices (particularly from version 5.0 onward) natively support EST for certificate enrollment, while iOS, macOS, and Windows devices use SCEP. Cisco ISE can act as an SCEP server and also support EST for Android BYOD flows. This is an important consideration when configuring BYOD certificate provisioning policies.
Incorrect Options:
B. The CN field is populated with the endpoint host name –
While the Common Name (CN) field can be populated with the hostname, the actual recommendation (and common practice) is to use the Subject Alternative Name (SAN) for identity, as CN is considered deprecated for authentication. ISE BYOD typically uses SAN for user/device identity.
C. The SAN field is populated with the end user name –
The SAN field can contain the username, but in BYOD, the device certificate often includes the device identifier (e.g., serial number or UDID) rather than just the username. This statement is not universally true across all BYOD implementations.
Reference:
Cisco ISE BYOD Deployment Guide – "Certificate Enrollment Protocols – SCEP vs. EST"
Cisco SISE 300-715 Official Cert Guide, Chapter: "BYOD – Certificate Provisioning for Android (EST) and iOS/Windows (SCEP)"