
CCIE SEC v5 Diagnostic Set -2

How to Identify DIAG variation:


Which diagnostic variation you got can be identified from TASK7 and TASK10. If TASK10 is about
DNAC, you got DIAG2+++; otherwise, the DIAG2 variation can be identified by analyzing TASK7.

TASK7: Username and password are correct: DIAG2
TASK7: Username is wrong: DIAG2+
TASK7: Password is wrong: DIAG2++
TASK10: Question related to DNAC: DIAG2+++

I know this is not a good way… we need resources to properly identify. If anyone has resources for
DIAG2, please share; I will document them properly and highlight the differences.

DIAG2
DIAG2+
DIAG2++
DIAG2+++

NOTE: The DIAG2+++ solution is not verified and not 100% correct.

Task Number-1: MAB_PC not allowed network resources

A support engineer from Meezaam Inc. opened a case with Cisco TAC reporting that one of
the PCs, MAB_PC, is not able to access network resources.

Points 1

Answer
Select an answer:
- Incorrect network device group configuration on ISE. DIAG2+
- Authorization policy needs to be corrected on ISE.
- RADIUS packet from SW2 has been sourced from an incorrect interface.
- Authentication policy needs to be corrected on ISE for the MAB session. DIAG2
- There is an issue with aaa login authentication method configuration on SW2.
- Authorization condition needs to be corrected on ISE for the MAB session. DIAG2+++
- SW2 port is incorrectly configured for MAB.
- ISE has the incorrect key for the network device. DIAG2++

Task Number-2: Network Connectivity issue with Employee profile

A support engineer from Sunshine Inc. has opened a case with Cisco TAC reporting that users
with the employee profile have a network connectivity issue.

Point 1

Answer
Select an answer:
- Authentication condition needs to be corrected on ISE for the Dot1x session. DIAG2++
- The ISE has an incorrect network device address. DIAG2
- Authorization condition needs to be corrected on ISE for the Dot1x session.
- SW1 is pointing to an incorrect ISE server for Dot1x session authentication.
- Incorrect user group configuration on ISE. DIAG2+
- Issue with aaa network authorization method configuration on SW1.
- SW1 port is incorrectly configured for Dot1x.
- Authorization policy needs to be corrected on ISE for the Dot1x session.

Task Number-3: Network Connectivity issue with Contractor profile

A support engineer from Mezrak Inc. opened a case with Cisco TAC reporting that users
with the contractor profile have a network connectivity issue.

Point 1

Answer
Select an answer:
- ISE is unable to communicate with the Active Directory server.
- Incorrect network device group configuration. DIAG2+
- Issue with AD group mapping on ISE. DIAG2++
- There is an issue with CoA configuration on ISE.
- There is an issue with CoA configuration on SW2.
- SW2 port is incorrectly configured for MAB authentication.
- RADIUS packet has been sourced from an incorrect interface on SW2.
- Issue with MAB authorization result configuration on ISE. DIAG2

Task Number-4: Site-to-Site IPsec VPN Issue

A support engineer from Opensky Inc. opened a case with Cisco TAC on a site-to-site IPsec VPN
failure on the FTDs.

Point 1

Answer
Select an answer:
- FMC 6.2 does not support point-to-point VPN tunnels.
- FTD2 VPN policy is incorrect.
- Issue with FTDs network zones configuration.
- R4 is missing static routes for VPN tunnel establishment.
- FTD1 policy is not consistent with the topology. DIAG2++
- FTD2 interface configuration is not consistent with the topology. DIAG2+
- Issue with FMC licensing. DIAG2
- FTD1 outside object is incorrectly configured. DIAG2+++

Task Number-5: Scanned events issue with FireAMP Connector


A support engineer from TransienNet Limited opened a case with Cisco TAC complaining that the
scanned events from the end host protected by the FireAMP connector are not visible on the FMC.

Point 1

Answer
Select an answer:
- Incorrect export group mapping on the Cloud for FMC.
- DNS is incorrectly configured for the cloud "Defense Centre Link" resolution. DIAG2
- FMC should be manually configured for time and NTP should not be used.
- Probably an issue with the sliding window time range for AMP events analysis on FMC. DIAG2++
- Cloud and FMC should not be doing lookups using the same DNS.
- Cloud has an incorrect next hop. DIAG2+
- Time synchronization issue with the NTP server on Cloud.
- Cloud is disabled under FMC AMP management.
- FMC 6.2 is pointing to the incorrect DNS.
- FMC is pointing to a wrong default gateway for cloud reachability.
- DNS is incorrectly configured for the cloud "Defense Centre Link" resolution. DIAG2+++

Task Number-6: Unable to add a device into DNAC

A support engineer from Supplychane Limited opened a case with Cisco TAC complaining that they are
unable to add a device into Cisco DNA Center (DNAC) from network orchestration.

Point 1

Answer
Select an answer:
- Incorrect protocol used on DNAC to communicate with SW1_V.
- RO community string mismatch when adding the device to DNAC. DIAG2
- Incorrect enable password used when adding the device to DNAC. DIAG2+++
- Incorrect VTY password entered when adding the device to DNAC. DIAG2+
- SW1_V interface to reach DNAC is down.
- SW1 should disable NTP. DIAG2++
- SW1_V is not set up for the RO community string.
- SNMP version mismatch between DNAC and SW1_V.
- VTY line is missing an authentication method.

Task Number-7: Python Script Failing


A support engineer from Cosmos Inc. opened a case with Cisco TAC complaining that a Python
script is failing to retrieve the network device list from the Cisco DNA Center inventory.

Point 1

Answer
Select an answer:
- Management PC cannot reach DNAC.
- DNAC is blocking HTTPS access.
- Script is not referencing the IP address of the network devices.
- Script is calling an incorrect API to retrieve the device list from DNAC.
- Script has an incorrect DNAC login username. DIAG2+
- Script has an incorrect DNAC address.
- Script has an incorrect DNAC login password. DIAG2++
- Script is not configured to use a service ticket for DNAC login.
- Script is not configured to use HTTPS for DNAC access. DIAG2
- Script has an incorrect DNAC login password. DIAG2+++

Task Number-8: CWA Broken

A support engineer from Sunshine Inc. has opened a case with Cisco TAC complaining that Central
WebAuth is broken for the guest account.

Point 1

Answer
Select an answer:
- ISE CoA authorization rule is incorrectly configured.
- SW2 is not able to communicate with ISE.
- Incorrect ACL pushed in the MAB authorization profile. DIAG2+
- Switch redirect ACL is incorrectly configured.
- Issue with CoA configuration on SW2.
- CWA authentication rule is pointing to an incorrect database.
- MAB is disabled on the SW2 authentication port.
- Issue with the CWA policy set condition on ISE. DIAG2
- CWA authentication rule is incorrectly configured for "supplicant MAC not found".
- SW2 belongs to an incorrect device group in ISE. DIAG2++

Task Number- 9: Anyconnect ISE Posture Broken


A support engineer from Meezan Inc. has opened a case with Cisco TAC complaining that
AnyConnect ISE posture is broken.

Point 1

Answer
Select an answer:
- Incorrect redirect ACL configured on ASA1.
- Incorrect provisioning portal URL.
- HTTP server not enabled on ASA1.
- HTTPS server not enabled on ASA1.
- Posture profile missing on ASA1.
- Redirect ACL not properly configured in the posture authorization profile.
- Incorrect translation for ISE on ASA1.
- No inside route on ASA1 for ISE.
- Incorrect posture policy set configuration.
- Incorrect posture policy set configuration. DIAG2++
- Issue with network device configuration on ISE. DIAG2
- Issue with network device configuration on ISE. DIAG2+++

Task Number-10: Device Profile Not Working

A support engineer from Meezan Inc. has opened a case with Cisco TAC complaining that device
profiling is not working to deny authorization to a rogue MAC.

Point 1

Answer
Select an answer:
- Authorization rule is incorrectly configured. DIAG2++
- Matching identity group should be disabled for the profile.
- Authentication rule is incorrectly configured.
- Profiler policy is disabled. DIAG2+
- Issue with network device configuration on the switch.
- Access policy is incorrectly configured.
- Profile policy rule is incorrectly configured. DIAG2
- Issue with authentication port configuration on SW2.
- Logical profile is incorrectly configured.
- Issue with network device configuration on ISE.

NOTE: TASK10 is completely different in DIAG2+++; you can use it for identification.
