Cisco 300-715 Implementing and Configuring Cisco Identity Services Engine (300-715 SISE)  Exam Dumps and Practice Test Questions Set 7 Q91-105

Question 91

Which Cisco ISE feature allows administrators to integrate real-time endpoint information with SIEMs, firewalls, and endpoint protection solutions to enable automated, adaptive threat response?

A) pxGrid
B) Posture Assessment
C) Policy Sets
D) Guest Access

Answer: A

Explanation

pxGrid in Cisco ISE provides a framework for real-time, bi-directional communication between ISE and external security systems, including Security Information and Event Management (SIEM) platforms, firewalls, and endpoint protection solutions. This integration allows ISE to share endpoint context, user identity, compliance status, and other environmental information with external systems. In return, external security systems can feed threat intelligence or alerts back to ISE, triggering automated, adaptive responses for active network sessions.

For example, if an endpoint is flagged by an endpoint protection system as potentially compromised, pxGrid can communicate this information to ISE, which can dynamically adjust network access through mechanisms like Change of Authorization (CoA). The endpoint might be quarantined, restricted to a remediation VLAN, or have its access privileges reduced immediately. This integration ensures that security policies are not static but adapt to evolving threats, enabling faster incident response, reduced lateral movement of attacks, and overall improved network security posture.

Posture Assessment evaluates endpoint compliance but does not integrate with external security systems for automated responses. Policy Sets define access policies based on context but do not facilitate real-time adaptive actions in response to external threat intelligence. Guest Access allows temporary network connectivity for visitors but does not provide integration with SIEM or endpoint protection solutions.

pxGrid provides organizations with a mechanism to coordinate security actions across multiple platforms and respond dynamically to emerging threats. By enabling real-time sharing of endpoint and user information, it supports automated, adaptive access enforcement, enhancing network resilience and incident response capabilities. Because it allows integration with SIEMs, firewalls, and endpoint protection solutions for automated threat response, pxGrid is the correct answer.

Question 92

Which Cisco ISE feature allows administrators to enforce device compliance policies by evaluating antivirus, firewall, OS patch, and encryption status before granting network access?

A) Posture Assessment
B) Policy Sets
C) Profiling
D) Guest Access

Answer: A

Explanation

Posture Assessment in Cisco ISE is a crucial security feature that evaluates the compliance state of endpoints attempting to access a network. It ensures that devices meet corporate security requirements, such as having up-to-date antivirus software, active firewall configurations, current operating system patches, and proper encryption. This feature prevents noncompliant devices from accessing sensitive resources, thus reducing the risk of malware propagation, unauthorized access, or data breaches.

The process begins with an interrogation of the endpoint using a series of checks. Cisco ISE collects information about installed software, system configuration, and security status. Based on the results, devices can either be granted full access, limited access, or redirected to a remediation VLAN to correct noncompliant issues. Posture Assessment integrates with Policy Sets to create adaptive policies based on compliance, identity, device type, and other contextual factors. Change of Authorization (CoA) further enhances this by allowing dynamic updates to the network session when a device’s compliance state changes after initial authentication.

Posture Assessment is different from Policy Sets, which define access rules based on multiple factors but rely on posture assessment for compliance input. Profiling identifies device types but does not evaluate their security compliance. Guest Access allows temporary network connectivity for visitors but does not enforce security compliance for internal or managed devices.

Posture Assessment is essential for organizations aiming to maintain a secure environment by preventing compromised or vulnerable devices from accessing sensitive network resources. By evaluating antivirus, firewall, OS patch, and encryption status, it ensures that only compliant endpoints are granted access. Because it enforces security compliance before allowing network access, Posture Assessment is the correct answer.

Question 93

Which Cisco ISE feature allows administrators to assign Security Group Tags (SGTs) to endpoints dynamically based on device type, user role, and compliance state?

A) Policy Sets
B) Posture Assessment
C) Profiling
D) Guest Access

Answer: A

Explanation

Policy Sets in Cisco ISE are the primary mechanism for enforcing adaptive and context-aware access control. One of their core capabilities is the ability to assign Security Group Tags (SGTs) to endpoints dynamically. These SGTs are used for role-based access control, network segmentation, and policy enforcement across switches, wireless controllers, and VPN gateways. Policy Sets evaluate multiple contextual attributes such as device type, user identity, posture compliance, location, and time of day to determine the appropriate SGT for each endpoint.

Dynamic SGT assignment allows organizations to segment network traffic logically rather than relying solely on static VLANs. For example, corporate laptops belonging to employees may receive an SGT that grants full access to internal resources, while personal mobile devices on BYOD programs may receive limited SGTs. Endpoints failing posture compliance can be automatically assigned to restricted SGTs, effectively quarantining them without requiring manual intervention. The integration of Policy Sets with posture assessment, profiling, and Change of Authorization ensures that SGTs are applied accurately and updated in real time.

Posture Assessment evaluates compliance but does not directly assign SGTs. Profiling identifies the device type but does not enforce access or assign tags. Guest Access provides temporary connectivity for visitors but does not assign SGTs based on role or compliance.

By enabling dynamic SGT assignment, Policy Sets allow organizations to implement granular and adaptive access control, enforce security segmentation, and respond in real time to changes in device posture or context. Because they allow endpoints to be tagged based on device type, user role, and compliance, Policy Sets is the correct answer.

Question 94

Which Cisco ISE feature allows administrators to detect rogue or unmanaged devices on the network and categorize them for appropriate access control?

A) Profiling
B) Posture Assessment
C) Policy Sets
D) Guest Access

Answer: A

Explanation

Profiling in Cisco ISE is a mechanism used to detect and classify devices connecting to the network, including rogue, unmanaged, or semi-managed devices. Profiling collects information from DHCP requests, MAC addresses, CDP/LLDP messages, HTTP headers, and network traffic to identify device types and characteristics. Once devices are detected and classified, administrators can apply Security Group Tags, assign VLANs, or enforce policies tailored to the type of device.

Rogue or unmanaged devices pose significant security risks as they may bypass traditional authentication or contain vulnerabilities. Profiling allows these devices to be identified automatically, without requiring user authentication, and ensures that they are either restricted or segmented appropriately. Integration with Policy Sets, Posture Assessment, and Change of Authorization enables administrators to enforce adaptive policies for these endpoints, dynamically restricting access based on risk or compliance status. For example, a rogue IoT camera might be automatically placed in a restricted VLAN until further investigation, while a corporate laptop receives full access.

Posture Assessment evaluates compliance but does not detect rogue devices. Policy Sets define access rules but rely on profiling for device identification. Guest Access provides temporary connectivity but does not detect or classify unmanaged devices.

Profiling provides comprehensive visibility into all network-connected devices, enabling adaptive security policies and real-time classification of rogue or unmanaged endpoints. Because it identifies and categorizes devices for access control purposes, Profiling is the correct answer.

Question 95

Which Cisco ISE feature allows administrators to enforce secure BYOD policies by automatically removing corporate data while leaving personal content intact?

A) App Protection Policies
B) Posture Assessment
C) Policy Sets
D) Guest Access

Answer: A

Explanation

App Protection Policies in Cisco ISE are designed to secure corporate data on BYOD devices while preserving personal user data and applications. The core functionality of these policies is selective wiping, which allows administrators to remove corporate applications, email accounts, and sensitive data without affecting personal content such as photos, personal applications, or media. This selective approach is critical for maintaining privacy while ensuring corporate data remains secure.

App Protection Policies enforce rules such as preventing corporate data from being copied to unmanaged apps, shared externally, or stored in personal cloud services. They also support encryption and secure storage within corporate-managed applications. During offboarding, device loss, or security incidents, these policies can be triggered manually or automatically to remove corporate data while leaving personal content untouched. Integration with posture assessment, Policy Sets, and Change of Authorization allows enforcement of these policies dynamically based on device compliance, user role, or network context.

Posture Assessment evaluates endpoint compliance but does not selectively remove corporate data. Policy Sets define access policies but do not manage corporate app behavior. Guest Access provides temporary network connectivity but does not secure corporate applications or data.

App Protection Policies enable organizations to maintain corporate data security on personal devices without compromising user privacy. By selectively wiping corporate content while leaving personal data intact, these policies prevent data leakage and enforce regulatory compliance. Because they manage corporate apps and remove sensitive data selectively, App Protection Policies is the correct answer.

Question 96

Which Cisco ISE feature allows administrators to provide temporary network access to contractors or visitors while keeping them isolated from production resources?

A) Guest Access
B) Posture Assessment
C) Policy Sets
D) Profiling

Answer: A

Explanation

Guest Access in Cisco ISE is a feature that allows organizations to provide temporary network connectivity to visitors, contractors, or other external users while ensuring that they are fully isolated from internal or production resources. The main purpose of this feature is to enable secure, controlled, and temporary access without compromising the security of corporate networks. Administrators can create portals for self-registration or sponsor-based approval workflows. Self-registration allows visitors to fill out a form and automatically receive temporary credentials, while sponsor-based workflows require approval from an internal user, such as a manager or host, adding an additional layer of accountability.

Guest Access provides a flexible mechanism for controlling bandwidth, session duration, VLAN assignment, and access restrictions. For example, a visitor connecting through Guest Access can be restricted to the internet or specific non-sensitive resources, while critical internal systems remain inaccessible. This isolation is crucial in preventing unauthorized access to production networks and maintaining overall network security. Administrators can also customize the portal to include organizational branding, terms of use, or instructions for safe connectivity, improving the user experience while educating visitors on acceptable use policies.

Posture Assessment ensures device compliance but does not provide temporary network access for visitors. Policy Sets define access rules based on user identity, device type, or contextual factors but are not intended for temporary guest connectivity. Profiling classifies endpoints but does not manage access workflows or isolation for external users.

Guest Access allows organizations to meet usability requirements for external users without sacrificing security. By providing temporary credentials, controlled network access, and full isolation from production resources, Guest Access ensures operational continuity while protecting critical systems. Because it enables temporary, isolated network access for visitors and contractors, Guest Access is the correct answer.

Question 97

Which Cisco ISE feature allows administrators to classify endpoints automatically using DHCP, MAC addresses, CDP/LLDP, HTTP headers, and other traffic characteristics to enforce context-aware policies?

A) Profiling
B) Posture Assessment
C) Policy Sets
D) Guest Access

Answer: A

Explanation

Profiling in Cisco ISE is an automated feature that identifies and classifies endpoints as they connect to the network. It collects information from multiple sources including DHCP requests, MAC addresses, CDP/LLDP messages, HTTP headers, and other traffic characteristics. Profiling enables administrators to understand the types of devices on the network, such as laptops, smartphones, printers, IP cameras, and IoT devices. Once classified, devices can receive Security Group Tags (SGTs), VLAN assignments, or tailored access policies based on their identity and role, ensuring appropriate segmentation and adaptive network access.

Profiling is particularly important in environments with many unmanaged or semi-managed endpoints. It provides visibility without requiring device authentication, which is crucial for identifying rogue, BYOD, or legacy devices. Profiling information can feed into Policy Sets and Change of Authorization workflows to enable context-aware and adaptive access decisions. For instance, a printer detected through profiling can be placed in a restricted VLAN, while a corporate laptop that passes posture assessment may receive full network privileges. Profiling improves network security by providing visibility, classification, and automated context-aware policy enforcement.

Posture Assessment evaluates compliance but does not classify device types. Policy Sets define access rules but rely on profiling to provide device identification. Guest Access allows temporary network access for visitors but does not perform device classification.

Profiling ensures administrators have real-time knowledge of all endpoints and can enforce appropriate access policies. By automatically identifying devices and applying segmentation and policy rules, Profiling reduces administrative overhead and enhances security. Because it classifies endpoints using multiple network characteristics for context-aware policies, Profiling is the correct answer.

Question 98

Which Cisco ISE feature allows administrators to integrate real-time endpoint context with SIEMs, firewalls, and endpoint protection platforms to enable automated adaptive access control?

A) pxGrid
B) Posture Assessment
C) Policy Sets
D) Guest Access

Answer: A

Explanation

pxGrid in Cisco ISE is a feature that provides real-time, bi-directional integration between Cisco ISE and external security systems such as Security Information and Event Management (SIEM) platforms, firewalls, and endpoint protection solutions. This integration enables the sharing of contextual information, including device type, user identity, compliance status, and session information, allowing external systems to influence access decisions dynamically. pxGrid supports automated adaptive access control by enabling Cisco ISE to respond immediately to security events detected by these integrated systems.

For example, if an endpoint is flagged as compromised by an endpoint protection system, pxGrid can communicate this to Cisco ISE, which can then trigger a Change of Authorization (CoA) to quarantine the device, adjust VLAN assignments, apply stricter ACLs, or enforce additional authentication measures. This dynamic interaction ensures that threats are mitigated in real time, reducing the potential for lateral movement, data exfiltration, or other security incidents. pxGrid also supports the distribution of contextual information to multiple enforcement points, enabling consistent adaptive access policies across switches, wireless controllers, and VPN gateways.

Posture Assessment evaluates compliance but does not integrate with external systems for adaptive threat response. Policy Sets define access rules but do not provide real-time adaptive integration with external tools. Guest Access provides temporary network connectivity but does not enable dynamic integration with SIEMs or endpoint protection solutions.

pxGrid enhances network security by enabling real-time sharing of contextual endpoint information with external security systems, supporting automated, adaptive, and coordinated responses to potential threats. Because it facilitates integration with SIEMs, firewalls, and endpoint protection platforms for automated adaptive access control, pxGrid is the correct answer.

Question 99

Which Cisco ISE feature allows administrators to enforce network access restrictions based on endpoint posture, such as antivirus status, firewall settings, and operating system patches?

A) Posture Assessment
B) Policy Sets
C) Profiling
D) Guest Access

Answer: A

Explanation

Posture Assessment in Cisco ISE is designed to evaluate the compliance state of endpoints before granting network access. This feature ensures that devices meet corporate security requirements by checking antivirus status, firewall configuration, operating system patch levels, disk encryption, and other endpoint security parameters. Posture Assessment reduces the risk of introducing vulnerable or noncompliant devices into the network, helping organizations prevent malware propagation and unauthorized access to sensitive resources.

The process involves interrogating the endpoint to collect information regarding its security configuration. Based on the compliance results, endpoints can receive full network access, limited access, or redirection to a remediation network. Posture Assessment integrates with Policy Sets and Change of Authorization to enable adaptive, context-aware enforcement of network policies. For example, if an endpoint fails posture checks, CoA can dynamically assign it to a restricted VLAN without requiring reauthentication. Posture Assessment can also be integrated with external security systems through pxGrid to enhance automated response to compliance violations.

Policy Sets define access policies based on contextual factors but rely on Posture Assessment to determine the compliance state. Profiling identifies and classifies devices but does not evaluate compliance. Guest Access provides temporary connectivity for visitors but does not enforce compliance-based access.

Posture Assessment is essential for enforcing security standards before allowing network access. By evaluating antivirus, firewall, and patch status, organizations can ensure that only secure, compliant endpoints connect to critical resources. Because it enforces access based on endpoint posture, Posture Assessment is the correct answer.

Question 100

Which Cisco ISE feature enables administrators to enforce secure BYOD policies by protecting corporate apps while leaving personal apps intact and performing selective wipes if needed?

A) App Protection Policies
B) Posture Assessment
C) Policy Sets
D) Guest Access

Answer: A

Explanation

App Protection Policies in Cisco ISE are critical for securing corporate data on BYOD devices while preserving personal content. The primary functionality of these policies is selective wiping, which allows administrators to remove corporate applications, accounts, and sensitive information without affecting personal apps, photos, or media. This selective approach maintains user privacy while ensuring corporate security compliance.

These policies enforce restrictions such as preventing corporate data from being copied to unmanaged apps, shared externally, or stored in unapproved locations. They also support encryption, secure storage, and containerization for corporate applications, ensuring that sensitive data remains protected. During offboarding, security incidents, or device loss, selective wipes can be executed manually or automatically to remove corporate content while leaving personal data intact. App Protection Policies integrate with Posture Assessment, Policy Sets, and Change of Authorization to allow dynamic enforcement based on compliance, user role, or network context.

Posture Assessment evaluates endpoint compliance but does not enforce selective removal of corporate apps. Policy Sets define access rules but do not manage application-level behavior. Guest Access provides temporary network connectivity but does not protect corporate apps or perform selective wipes.

App Protection Policies enable organizations to protect corporate resources on personal devices without intruding on user privacy. By enforcing application-level security and selective wipes, these policies reduce the risk of data leakage and ensure regulatory compliance. Because they secure corporate apps, leave personal apps intact, and support selective wipes, App Protection Policies is the correct answer.

Question 101

Which Cisco ISE feature provides visibility and classification of devices on the network using DHCP, HTTP headers, MAC addresses, CDP/LLDP, and other traffic to enable context-aware access control?

A) Profiling
B) Posture Assessment
C) Policy Sets
D) Guest Access

Answer: A

Explanation

Profiling in Cisco ISE provides automated visibility and classification of endpoints connecting to the network. It collects information from DHCP requests, HTTP headers, MAC addresses, CDP/LLDP messages, and other network traffic patterns to determine the type and characteristics of devices. Profiling allows administrators to identify laptops, smartphones, printers, IP cameras, IoT devices, and unmanaged endpoints. Once classified, endpoints can be assigned Security Group Tags (SGTs), VLANs, or context-aware access policies tailored to device type, role, and security posture.

Profiling is crucial in environments with BYOD devices, IoT endpoints, and legacy systems. It ensures that network administrators can apply appropriate segmentation and adaptive access policies without requiring authentication for every device. Profiling information feeds into Policy Sets, Posture Assessment, and Change of Authorization, allowing real-time, adaptive access control based on endpoint type, compliance, and risk. For example, a printer detected through profiling can automatically be placed in a restricted VLAN, whereas a corporate laptop that passes posture checks can receive full access.

Posture Assessment evaluates compliance but does not classify device types. Policy Sets define access rules but rely on profiling to provide device context. Guest Access allows temporary connectivity for visitors but does not classify devices or provide endpoint visibility.

Profiling ensures that organizations have comprehensive visibility into all devices on the network, enabling adaptive, secure, and context-aware access control. By collecting and analyzing multiple traffic and device characteristics, Profiling allows administrators to enforce security policies efficiently and accurately. Because it provides visibility and classification of devices to support context-aware access, Profiling is the correct answer.

Question 102

Which Cisco ISE feature allows administrators to assign network access policies dynamically based on user identity, device type, and environmental context such as location and time?

A) Policy Sets
B) Posture Assessment
C) Profiling
D) Guest Access

Answer: A

Explanation

Policy Sets in Cisco ISE provide a comprehensive framework for administrators to enforce adaptive, context-aware access control policies. These sets allow dynamic evaluation of multiple contextual attributes, including user identity, device type, compliance posture, location, time, and even session parameters. By combining these factors, Policy Sets enable organizations to enforce granular, role-based access control that adapts in real time to changing conditions.

Policy Sets work hierarchically. The top-level set defines conditions based on identity sources such as Active Directory or LDAP. Sub-conditions can be based on device type determined through profiling, compliance state determined through posture assessment, or environmental conditions like access location or time of day. This ensures that network access is tailored to each session’s context. For example, an employee accessing the network from a corporate laptop during office hours might receive full access to internal resources, whereas the same user attempting access from a personal mobile device offsite may be restricted to limited resources or forced to perform multi-factor authentication.

Policy Sets integrate closely with other ISE features. Profiling provides device-type information, allowing Policy Sets to apply different access controls for desktops, mobile devices, printers, or IoT devices. Posture Assessment provides compliance information that informs policy decisions, such as restricting access if antivirus is outdated or firewall settings are disabled. Change of Authorization (CoA) allows Policy Sets to dynamically update active sessions without requiring reauthentication when a user’s context changes.

Posture Assessment ensures endpoint compliance but does not define adaptive access rules or combine multiple contextual factors. Profiling identifies and classifies devices but does not enforce access policies based on combined context. Guest Access provides temporary connectivity but is limited to external users and does not adapt based on device type, identity, or environmental context.

Policy Sets are critical for organizations that require flexible, context-aware security policies. By combining identity, device classification, compliance, location, and time, administrators can enforce adaptive access that aligns with security requirements while minimizing user disruption. Because it allows dynamic assignment of access policies based on identity, device type, and context, Policy Sets is the correct answer.

Question 103

Which Cisco ISE feature provides visibility into the types and characteristics of endpoints on the network by collecting information from DHCP, MAC addresses, HTTP headers, CDP/LLDP, and other traffic?

A) Profiling
B) Posture Assessment
C) Policy Sets
D) Guest Access

Answer: A

Explanation

Profiling in Cisco Identity Services Engine is a fundamental feature that provides detailed visibility into all endpoints connecting to a network and supports adaptive security policies based on device identification. Profiling enables network administrators to automatically detect, classify, and categorize endpoints as soon as they attempt to connect, allowing organizations to maintain comprehensive knowledge of their network environment. This capability is especially critical in modern networks where the number and diversity of endpoints are constantly increasing, including laptops, smartphones, tablets, VoIP phones, printers, and a wide array of IoT devices. By collecting and analyzing device information, profiling allows administrators to apply appropriate access controls, enforce segmentation, and reduce the risk of unauthorized access or security incidents.

The profiling process works by gathering data from a variety of network sources to create a detailed fingerprint for each device. Cisco ISE collects information from DHCP requests, MAC address patterns, HTTP headers, CDP and LLDP advertisements, SNMP data, and general network traffic characteristics. By correlating these data points with predefined or learned device signatures, ISE can accurately determine the type of device and sometimes even the manufacturer or model. This automated classification eliminates the need for manual identification, which is time-consuming and error-prone, and allows administrators to apply policies in a more precise and consistent manner. For instance, a detected VoIP phone can be automatically assigned to a voice VLAN with the necessary Quality of Service (QoS) policies, while a printer can be restricted to a separate VLAN to prevent it from accessing sensitive data on the corporate network.

Profiling is particularly valuable in environments where unmanaged or semi-managed endpoints are prevalent. BYOD devices, legacy systems, and IoT devices often cannot participate in authentication mechanisms such as 802.1X. Without profiling, these devices would appear as unknown endpoints, leaving a visibility gap that could be exploited by malicious actors. Profiling allows ISE to classify these devices based on observable attributes even when they cannot authenticate, enabling administrators to segment and control network access effectively. For example, an IoT sensor deployed in a manufacturing environment may be placed into a dedicated VLAN with restricted access, reducing the risk of lateral movement or exposure of critical systems.

The information obtained from profiling integrates seamlessly with other Cisco ISE functionalities. Policy Sets rely heavily on profiling data to enforce context-aware and role-based access controls. By knowing the device type, the system can apply rules that are appropriate for that endpoint, ensuring that only authorized users and devices have access to certain resources. Posture Assessment can use the profiling classification to evaluate compliance for specific device types, such as ensuring that corporate laptops have up-to-date antivirus and patches while IoT devices are restricted to approved protocols and networks. Change of Authorization uses profiling information to dynamically adjust active session privileges; for instance, if a device is initially unidentified and later classified as noncompliant or high-risk, CoA can trigger immediate remediation actions without requiring the user to disconnect.

It is important to understand how profiling differs from other Cisco ISE features. Posture Assessment is concerned with evaluating whether endpoints meet compliance requirements, such as antivirus status, firewall configuration, or patch levels, but it does not classify or identify device types. Policy Sets define the rules for network access, such as which VLAN or Security Group Tag a device should receive, but these rules rely on the context provided by profiling to make precise decisions. Guest Access, on the other hand, provides temporary network connectivity for visitors and contractors but does not provide classification or detailed visibility into device attributes. Profiling fills the gap by supplying accurate and continuous identification data, which then informs policy decisions across the network.

The value of profiling extends beyond simple device identification. By maintaining a dynamic and up-to-date view of all connected endpoints, profiling enables adaptive access control that responds to changing network conditions. It supports granular segmentation, ensures that devices receive permissions appropriate for their type and security posture, and helps detect unauthorized or rogue devices. For example, if an unknown device appears on a sensitive network segment, administrators can immediately identify it through profiling and take corrective action, such as quarantining the device or applying strict access controls. This continuous visibility enhances overall network security, operational efficiency, and regulatory compliance.

Profiling also allows organizations to optimize network resources and plan for future growth. By understanding the types and volume of devices connecting to the network, administrators can implement VLANs, Quality of Service policies, and segmentation strategies that reflect real-world usage patterns. Profiling can also highlight unusual traffic or unknown device types, serving as an early indicator of misconfigurations, policy violations, or potential threats.

Profiling in Cisco ISE provides automated, real-time identification and categorization of endpoints, offering detailed visibility that is essential for enforcing adaptive and context-aware network policies. By collecting data from multiple sources and analyzing it to classify devices, profiling enables precise application of VLANs, Security Group Tags, and access control policies. It integrates with Policy Sets, Posture Assessment, and Change of Authorization to ensure that all connected devices receive appropriate, secure, and adaptive network access. Because it supplies accurate endpoint visibility for context-aware security decisions and adaptive enforcement, profiling is the correct answer.
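The explanation above describes profiling as scoring collected attributes (MAC prefix, DHCP fields, CDP data) against device profiles and re-classifying an endpoint when more data arrives. The following Python model, added here as an illustration and not Cisco ISE code, shows that certainty-factor idea end to end: each profile condition contributes points, a profile is assigned only when its minimum certainty is reached, and `reprofile` flags the moment a classification changes, which is the event that would justify a Change of Authorization. Every profile name, condition, certainty value, OUI prefix and endpoint attribute in the block is constructed for the example.

```python
"""Toy endpoint profiler modelled on the certainty-factor idea ISE's profiler uses.

Added example, not Cisco ISE code: profile names, matching conditions,
certainty values and all endpoint attributes below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Condition:
    attribute: str   # endpoint attribute to inspect, e.g. "mac" or "dhcp_class_id"
    op: str          # "startswith", "contains" or "equals" (case-insensitive)
    value: str
    certainty: int   # points added to the profile's score when this matches


@dataclass(frozen=True)
class Profile:
    name: str
    min_certainty: int   # score the endpoint must reach to be assigned this profile
    conditions: tuple


# Constructed profile library. OUI prefixes here are illustrative, not looked up.
PROFILES = (
    Profile("Cisco-IP-Phone", 30, (
        Condition("mac", "startswith", "00:1B:54", 10),
        Condition("dhcp_class_id", "contains", "Cisco Systems", 10),
        Condition("cdp_platform", "contains", "IP Phone", 20),
    )),
    Profile("Windows-Workstation", 20, (
        Condition("dhcp_class_id", "equals", "MSFT 5.0", 10),
        Condition("user_agent", "contains", "Windows NT", 10),
    )),
    Profile("Printer", 20, (
        Condition("mac", "startswith", "3C:2A:F4", 10),
        Condition("dhcp_hostname", "contains", "PRINTER", 10),
    )),
)


def _matches(cond, attrs):
    observed = attrs.get(cond.attribute)
    if observed is None:
        return False  # attribute not yet collected for this endpoint
    observed, wanted = observed.upper(), cond.value.upper()
    if cond.op == "startswith":
        return observed.startswith(wanted)
    if cond.op == "contains":
        return wanted in observed
    if cond.op == "equals":
        return observed == wanted
    raise ValueError(f"unknown operator {cond.op!r}")


def score(profile, attrs):
    """Sum the certainty of every condition the collected attributes satisfy."""
    return sum(c.certainty for c in profile.conditions if _matches(c, attrs))


def classify(attrs, profiles=PROFILES):
    """Return (profile_name, certainty); 'Unknown' if no profile reaches its minimum.

    The highest qualifying score wins (first profile on a tie). A single weak
    hint such as a bare MAC prefix stays below every threshold, so it never
    assigns a privileged profile on its own.
    """
    best_name, best_score = "Unknown", 0
    for p in profiles:
        s = score(p, attrs)
        if s >= p.min_certainty and s > best_score:
            best_name, best_score = p.name, s
    return best_name, best_score


def reprofile(endpoint, learned):
    """Merge newly collected attributes into an endpoint record and re-classify.

    Returns (old_profile, new_profile, changed). A True 'changed' is the event
    that would trigger a Change of Authorization for the live session.
    """
    old, _ = classify(endpoint)
    endpoint.update(learned)
    new, _ = classify(endpoint)
    return old, new, old != new


if __name__ == "__main__":
    phone = {"mac": "00:1B:54:AA:BB:CC"}  # first seen: MAC address only
    print(classify(phone))                 # ('Unknown', 0)
    print(reprofile(phone, {"dhcp_class_id": "Cisco Systems, Inc. IP Phone CP-7965G",
                            "cdp_platform": "Cisco IP Phone 7965"}))
```

The minimum-certainty threshold is the security-relevant part of the design: an endpoint that only matches a MAC prefix remains Unknown (and therefore gets the Unknown policy, typically a restricted one) until DHCP or CDP evidence raises the score, and the `changed` flag from `reprofile` is what separates a harmless attribute refresh from a classification change that warrants a CoA.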

Question 104

Which Cisco ISE feature allows administrators to secure corporate applications on BYOD devices while maintaining user privacy by selectively removing only corporate data when necessary?

A) App Protection Policies
B) Posture Assessment
C) Policy Sets
D) Guest Access

Answer: A

Explanation

App Protection Policies in Cisco ISE play a crucial role in securing corporate information on employee-owned devices in Bring Your Own Device environments. As organizations increasingly rely on mobile devices for accessing corporate resources, ensuring the protection of sensitive data becomes a priority. However, enforcing security on personal devices requires a balanced approach that safeguards corporate information while respecting user privacy. App Protection Policies are specifically designed to support this balance. Their primary purpose is to protect corporate applications and data on BYOD devices by applying security rules only to managed business applications and leaving personal applications and content untouched. This makes them highly effective for organizations that want to maintain strong security controls while minimizing disruption to the personal use of devices.

A key feature of App Protection Policies is selective wiping. This functionality allows administrators to remove only corporate data, such as business applications, email accounts, and work-related documents, without deleting or modifying any personal content. Personal photos, messages, social media applications, and personal files remain completely unaffected during a selective wipe. This approach not only protects corporate interests but also reassures employees that their personal privacy is respected, reducing resistance to BYOD programs. Selective wiping can be initiated manually by administrators when an employee leaves the company, when a device is lost or stolen, or when a security incident requires immediate containment. It can also be triggered automatically based on defined compliance conditions, such as when a device becomes non-compliant or when it attempts to access corporate resources outside approved policies.

App Protection Policies further enhance security by enforcing data handling rules within corporate-managed applications. These rules can include preventing copy and paste operations from corporate apps into personal apps, blocking screenshots of sensitive information, or restricting file sharing to approved business applications. Such controls prevent accidental or intentional leakage of confidential data. In addition, App Protection Policies may require encryption for data stored within managed corporate apps. Encryption ensures that even if a device is compromised, unauthorized users cannot access sensitive information. Containerization is another important aspect, allowing corporate applications and data to be isolated from the rest of the device. This logical separation ensures that personal applications cannot interact with corporate data and vice versa. As a result, corporate information remains protected even if personal apps on the device are compromised by malware or other threats.

Integration with Policy Sets expands the effectiveness of App Protection Policies. Policy Sets define the conditions under which specific security actions are applied, such as the user’s identity, device ownership, device compliance state, and the network context in which access is attempted. By combining App Protection Policies with Policy Sets, administrators can enforce corporate app protection only for users who access high-risk resources, only on devices that lack certain security configurations, or only when connections are made over untrusted networks. This level of context-aware enforcement ensures that corporate security adapts dynamically to risk levels. Change of Authorization further strengthens this capability by enabling Cisco ISE to push updated authorization rules in real time. If a device’s status changes from compliant to non-compliant, Change of Authorization can immediately enforce stricter App Protection Policies or trigger a selective wipe without requiring the user to reconnect.

In contrast, Posture Assessment focuses solely on verifying device compliance with security requirements such as antivirus status, OS patch level, disk encryption, or firewall configuration. Although posture plays an important role in determining whether a device is secure enough to access resources, it does not handle the protection of corporate applications or manage selective wiping processes. Posture checks cannot isolate corporate data or enforce in-app restrictions and therefore cannot meet requirements involving the removal of corporate data from personal devices.

Similarly, Policy Sets themselves define access conditions but do not manage application-level protection. They determine which network access rules apply but do not provide controls for containerizing corporate applications, limiting data sharing, or removing corporate content. While Policy Sets form the decision-making framework, App Protection Policies execute the application-specific controls needed for BYOD security.

Guest Access offers temporary network connectivity for visitors who require internet access or access to limited guest resources. This feature has no capability to manage corporate apps, enforce application-level restrictions, or perform selective wipes. Guest Access does not involve long-term device management and therefore cannot support corporate app protection requirements. It is designed simply to provide short-term network access with minimal security controls.

App Protection Policies are essential for organizations that rely on mobile access to corporate resources while allowing employees to use their personal devices. They reduce the risk of data breaches by protecting sensitive corporate information and ensuring it can be removed at any time without affecting personal data. They help organizations comply with regulatory requirements by ensuring that sensitive data remains controlled and removable. Most importantly, they support user privacy by ensuring that corporate security actions do not interfere with personal applications or files. Because App Protection Policies uniquely offer selective wiping, corporate data isolation, and application-specific controls, they are the correct and most appropriate solution to the requirement of securing corporate apps on BYOD devices while preserving personal content.

Question 105

Which Cisco ISE feature allows administrators to dynamically adjust access privileges for active sessions in real time based on changes in user compliance, device posture, or security events?

A) Change of Authorization (CoA)
B) Posture Assessment
C) Policy Sets
D) Profiling

Answer: A

Explanation

Change of Authorization in Cisco Identity Services Engine is a foundational mechanism that enables real-time modification of network access privileges for endpoints that are already authenticated and actively connected. In traditional access control environments, any significant change in policy, device posture, or user status would typically require the user to disconnect and reconnect before new rules could take effect. This approach introduces delays, creates operational friction, and increases security exposure. CoA eliminates these limitations by allowing Cisco ISE to send RADIUS Change of Authorization messages directly to network enforcement points, prompting them to update the access parameters of an active session instantly. These parameters may include VLAN assignments, applied access control lists, downloadable ACLs, session timeout values, or Security Group Tags used for TrustSec segmentation. Because these adjustments do not require the endpoint to undergo a full reauthentication process, CoA ensures that changes happen quickly and without disrupting user productivity.

Real-time adaptability is essential in circumstances where the device’s security posture changes after initial authentication. For instance, a laptop may pass all posture checks at login, receiving full access to corporate resources. However, during the session, if posture assessment discovers that the antivirus software has become outdated, the firewall has been disabled, or a required patch is missing, Cisco ISE can immediately trigger a CoA event. Through this event, the enforcement device may move the endpoint into a restricted or remediation VLAN, apply a stricter ACL that only permits access to update servers, or restrict the device to a portal designed for compliance remediation. Once the user corrects the issue, the posture assessment module may send updated compliance results to ISE, prompting a second CoA that restores the original level of access. This mechanism ensures continuous enforcement of compliance policies rather than relying solely on checks performed at login.
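The two paragraphs above describe the mechanism (a RADIUS Change of Authorization message sent to the enforcement point) and a typical use of it (moving a non-compliant endpoint into a remediation VLAN with a restrictive ACL). The Python block below, added as an example and not Cisco ISE code, builds such a CoA-Request per RFC 5176, using the VLAN attributes from RFC 2868 and Filter-Id from RFC 2865, and verifies the authenticators on both the request and the NAS's CoA-ACK. The shared secret, MAC address, session ID, VLAN number and ACL name are constructed sample values.

```python
"""Build and verify RADIUS Change-of-Authorization packets (RFC 5176).

Added example, not Cisco ISE code. The shared secret, session identifiers,
VLAN number and ACL name below are constructed sample values.
"""
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45            # RFC 5176 packet codes
USER_NAME, FILTER_ID, CALLING_STATION_ID, ACCT_SESSION_ID = 1, 11, 31, 44
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6       # RFC 2868 / RFC 3580 VLAN assignment


def avp(attr_type, value):
    """Encode one attribute-value pair as Type(1) Length(1) Value."""
    if isinstance(value, str):
        value = value.encode()
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(attr_type, value, tag=0):
    """Tunnel attributes carry a 1-octet tag in front of a 3-octet integer."""
    return avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def build_coa_request(secret, identifier, attrs):
    """CoA-Request authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_request(secret, packet):
    """What the NAS does on receipt: reject any CoA whose authenticator fails."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_response(secret, request, code, attrs=()):
    """CoA-ACK/NAK authenticator = MD5(Code+ID+Length+RequestAuthenticator+Attrs+Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_response(secret, request, response):
    """What ISE does with the reply: accept the ACK/NAK only if it is bound to our request."""
    if response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_attrs(packet):
    """Walk the attribute list after the 20-octet header; returns [(type, raw_value), ...]."""
    out, i = [], 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((attr_type, packet[i + 2:i + length]))
        i += length
    return out


def quarantine_request(secret, identifier=7):
    """CoA moving one session to remediation VLAN 999 with a restrictive ACL (constructed)."""
    attrs = [
        avp(CALLING_STATION_ID, "00-11-22-33-44-55"),   # identifies the session by MAC
        avp(ACCT_SESSION_ID, "0000A1B2"),
        tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN),
        tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE802),
        avp(TUNNEL_PRIVATE_GROUP_ID, bytes([0]) + b"999"),  # tag 0 + VLAN ID as string
        avp(FILTER_ID, "REMEDIATION-ACL"),                  # ACL already defined on the NAS
    ]
    return build_coa_request(secret, identifier, attrs)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req = quarantine_request(secret)
    print("request valid:", verify_request(secret, req))
    ack = build_response(secret, req, COA_ACK)
    print("ack valid:", verify_response(secret, req, ack))
```

The authenticators are the detail a defender should care about: the NAS recomputes the request authenticator with the shared secret before acting, so a CoA from a sender that does not hold the secret is dropped, and ISE in turn only trusts an ACK bound to the authenticator of the request it sent. On Cisco IOS switches the `aaa server radius dynamic-author` block is where the permitted CoA clients (the ISE nodes) and their key are declared, and the NAS should answer with CoA-NAK, not silently ignore, when the session identified by Calling-Station-Id or Acct-Session-Id does not exist.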

CoA also plays an important role in environments where external threat intelligence feeds or security monitoring systems are integrated with Cisco ISE through pxGrid. For example, if an endpoint is flagged by an endpoint detection and response solution for exhibiting suspicious behavior, Cisco ISE may receive this alert in real time. Rather than waiting for a session timeout or requiring manual intervention, ISE can immediately issue a CoA command that isolates the device, applies micro-segmentation rules, or restricts the device to network resources necessary for incident investigation. This enables the network to proactively limit potential compromise, reduce the likelihood of lateral movement, and maintain stronger alignment with zero-trust security principles.

Another important integration involves the profiling system within Cisco ISE. Profiling continuously analyzes device attributes based on DHCP data, network traffic patterns, MAC address characteristics, and other contextual hints. Sometimes a device initially appears generic but later reveals enough information for ISE to classify it accurately, such as identifying an IoT sensor, VoIP phone, gaming console, or personal mobile device. When this updated classification becomes available, CoA can be used to modify the device’s access in line with the policies associated with the newly identified category. These adjustments may include containment, assignment to a more appropriate VLAN, updating SGT values, or reducing permissions so that the device cannot access sensitive segments of the network. Without CoA, such changes would not take effect until the device reconnected, which could leave security gaps.

While Posture Assessment plays a crucial role in determining compliance, it does not independently apply new permissions to active sessions. It serves as the evaluation mechanism, generating the compliance status that triggers CoA, but it does not deliver the dynamic enforcement itself. Similarly, Policy Sets define the authentication and authorization logic used by Cisco ISE at the time of initial connection. These sets determine which rules apply based on identity, device characteristics, posture results, and contextual information. However, once the session is established, Policy Sets alone cannot initiate modifications to the session. CoA serves as the enforcement engine that executes those dynamic policy changes. Profiling, while important for visibility and classification, also lacks the ability to adjust privileges during an active session.

Guest Access likewise does not influence CoA operations. It is designed for onboarding visitors and providing temporary access credentials, not managing ongoing session modifications. Guest workflows focus on usability and temporary isolation, rather than adaptive, session-based security adjustments.

The primary value of Change of Authorization lies in its ability to maintain a continuously adaptive security posture that evolves in real time with the state of each endpoint. It ensures that user privileges, segmentation policies, and security restrictions remain aligned with the most current available information. This reduces risk by narrowing the window in which noncompliant or compromised devices may operate with elevated permissions. At the same time, CoA minimizes operational disruption, since endpoints remain connected while their access permissions shift behind the scenes. Because it enables immediate, dynamic modification of network privileges for active sessions based on posture changes, threat intelligence, device profiling updates, or policy requirements, Change of Authorization is the correct answer.