Vendor: Cisco Exam Code: 300-375 Exam Name: Securing Wireless Enterprise Networks

Vendor: Cisco
Exam Code: 300-375
Exam Name: Securing Wireless Enterprise Networks
Version: 19.041
Important Notice
Product
Our Product Manager keeps an eye for Exam updates by Vendors. Free update is available within
One year after your purchase.
You can login member center and download the latest product anytime. (Product downloaded
from member center is always the latest.)
PS: Ensure you can pass the exam, please check the latest product in 2-3 days before the exam
again.
Feedback
We devote to promote the product quality and the grade of service to ensure customers interest.
If you have any questions about our product, please provide Exam Number, Version, Page
Number, Question Number, and your Login Account to us, please contact us at
support@passleader.com and our technical experts will provide support in 24 hours.
Copyright
The product of each order has its own encryption code, so you should use it independently.
If anyone who share the file we will disable the free update and account access.
Any unauthorized changes will be inflicted legal punishment. We will reserve the right of final
explanation for this statement.
Order ID: ****************
PayPal Name: ****************
PayPal ID: ****************

QUESTION 1
An engineer must provide a graphical trending report of the total number of wireless clients on the
network. Winch report provides the required data?
A. Client Summary
B. Posture Status Count
C. Client Traffic Stream Metrics
D. Mobility Client Summary
Answer: D
Explanation:
QUESTION 2
When a wireless client uses WPA2 AES, which keys are created at the end of the four way
handshake process between the client and the access point?
A. AES key, TKIP key, WEP key

B. AES key, WPA2 key, PMK
C. KCK, KEK, TK
D. KCK, KEK, MIC key
Answer: A
Explanation:
Technically Answer C would be right, but maybe cisco logic wants Answer A.
Get Latest & Actual 300-375 Exam's Question and Answers from Passleader. 2
http://www.passleader.com
QUESTION 3
Scenario
TOPOLOGY
MONITOR
WLAMS
CONTROLLER
WIRELESS
SECURITY
Which configuration changes need to be made to allow WPA2 + PSK to operate property on the
East-WLC-2504A controller? (Choose four.)
A. Disable Dynamic AP Management.
B. Click on the Status Enabled radio button.
C. Change the Layer 3 Security to Web Policy.
D. Change the WPA + WPA2 Parameters to WPA2 Policy-AES.
E. Change the PSK Format to HEX.
F. Change the WLAN ID.
G. Change the VLAN Identifier.
H. Change the IP Address of the Virtual interface.
I. Change the SSID name of the WLAN.
J. Click on the PSK radio button and add the password in the text box.
Answer: BFIJ
QUESTION 4
Which CLI command do you use on Cisco IOS XE Software to put the AP named Floor1_AP1
back in the default AP group?
A. ap Floor1_AP1 ap-groupname default-group

B. ap name Floor1_AP1 apgroup default-group
C. ap name Floor1_AP1 ap-groupname default-group
D. ap name Floor1_AP1 ap-groupname default
Answer: C
Explanation:
QUESTION 5
Refer to the exhibit. A WLAN with the SSID "Enterprise" is configured.
Which rogue is marked as malicious?
A. a rogue with two clients, broadcasting the SSID "Employee" heard at -50 dBm
B. a rogue with no clients, broadcasting the SSID "Enterprise" heard at -50 dBm
C. a rouge with two clients, broadcasting the SSID "Enterprise" heard at -80 dBm
D. a rogue with two clients, broadcasting the SSID "Enterprise" heard at -50 dBm
Answer: D
Explanation:
As minimum RSSI is -70, and anything heard greater than that is considered malicious. Since it is
a negative value dbm. Answer should be D.
QUESTION 6
Which three options are valid client profile probes m Cisco ISE? (Choose three.)
A. DHCP
B. 802.1X
C. CCX
D. NetFlow
E. TACACS
F. HTTP
Answer: ADF
Explanation:
QUESTION 7
An engineer is changing the authentication method of a wireless network from EAP-FAST to
EAP-TLS. Which two changes are necessary? (Choose two.)
A. Cisco Secure ACS is required.

B. A Cisco NAC server is required.
C. All authentication clients require their own certificates.
D. The authentication server now requires a certificate.
E. The users require the Cisco AnyConnect client.
Answer: CD
Explanation:
QUESTION 8
What is the maximum number of clients that a small branch deployment using a four- member
Cisco Catalyst 3850 stack (acting as MC/MA) can support?
A. 10000
B. 1000
C. 500
D. 2000
E. 5000
Answer: E
Explanation:
A four-member Catalyst 3850 stack can handle max 8000 clients 10000 is too high 5000 is too
low but is the best answer, so Answer E 5000.
QUESTION 9
Refer to the exhibit. A customer is having problems with clients associating to me wireless
network. Based on the configuration, which option describes the most likely cause of the issue?
A. Both AES and TKIP must be enabled

B. SA Query Timeout is set too low
C. Comeback timer is set too low
D. PME is set to "required"
E. MAC Filtering must be enabled
Answer: D
Explanation:
Answer E is wrong, never found anything regarding PMF and MAC Filtering
QUESTION 10
Which of the following user roles can access CMX Visitor Connect?
A. Administrator
B. Power User
C. Guest User
D. Super Administrator
Answer: A
Explanation:
QUESTION 11
A Customer is concerned about denial of service attacks that impair the stable operation of the
corporate wireless network. The customer wants to purchase mobile devices that will operate on
the corporate wireless network. Which IEEE standard should the mobile devices support to
address the customer concerns?
A. 802.11w
B. 802.11k
C. 802.11r
D. 802.11h
Answer: A
Explanation:
QUESTION 12
Scenario
TOPOLOGY
Answer:
Step-by-Step:
Step 1 Create the WLAN
On WLC navigate in Menu to WLAN>WLANS

Scroll totally to the right for find and klick Button Create New -Go-
In WLANs > New
Profilename: Employees
Type WLAN
SSID: Employees
ID: 11
Klick Button Apply
Step 2 Edit WLAN

In WLANs >WLANs klick on the WLAN ID 11
In General Tab
Security Policies: WPA2 Auth PSK
Radio Policy: All
Interface Group: Default
Broadcast SSID: check
Multicast WLAN Feature: unchecked
Klick Button Apply
Step 3 Add WPA+WPA2 PSK Layer 2 Security

In Security Tab>Layer 2 Tab
Layer 2 Security: WPA+WPA2
MAC Filtering: empty
WPA+WPA2 Parameter section
WPA Policy: Unchecked
WPA2 Policy: Check
WPA2 Encryption: AES: Check TKIP:Uncheck
Auth Key Mgmt: PSK
PSK Format: ASCII
Type in Key: ciscotest
Klick Button Apply
Step 4 Check if the client is connected to the WLAN

Check on monitor screen
Lab finished
QUESTION 13
Which EAP type requires the use of device certificates?
A. EAP-TLS
B. EAP-FAST
C. EAP-SSL
D. PEAP
E. LEAP
Answer: A
Explanation:
QUESTION 14
An engineer configures the wireless LAN controller to perform 802.1x user authentication. Which
option must be enabled to ensure that client devices can connect to the wireless, even when
WLC cannot communicate with the RADIUS?
A. local EAP
B. authentication caching
C. pre-authentication
D. Cisco Centralized Key Management
Answer: A
QUESTION 15
During the EAP process and specifically related to the logon session, which encrypted key is sent
from the RADIUS server to the access point?
A. WPA key
B. encryption key
C. session key
D. shared secret key
Answer: C
Explanation:
QUESTION 16
Which security method does a Cisco guest wireless deployment that relies on Cisco ISE guest
portal for user authentication use?
A. Layer 2 and Layer 3

B. Layer 2 only
C. No security methods are needed to deploy CWA
D. Layer 3 only
Answer: D
Explanation:
Answer D should be the right answer as MAB is configured on switch.
QUESTION 17
Which command is an SNMPv3-specific command that an engineer can use only in Cisco IOS
XE?
A. snmp-server user remoteuser1 group1 remote 10.12.0.4

B. snmp-server host 172.16.1.33 public
C. snmp-server community comaccess ro 4
D. snmp-server enable traps wireless
Answer: A
Explanation:
QUESTION 18
A customer wants to allow employees to easily onboard their devices to the wireless network.
Which process can be configured on Cisco ISE to support this requirement?
A. self registration guest portal
B. client provisioning
C. native supplicant provisioning
D. local web auth
Answer: B
Explanation:
QUESTION 19
Which two events are possible outcomes of a successful RF jamming attack? (Choose two.)
A. unauthentication association
B. deauthentication multicast
C. deauthentication broadcast
D. disruption of WLAN services
E. physical damage to AP hardware
Answer: DE
Explanation:
QUESTION 20
Which customizable security report on Cisco Prime Infrastructure would show rogue APs
detected since a point in time?
A. New Rogue APs

B. Rogue AP Events
C. Rogue APs
D. Rogue AP Count Summary
Answer: C
Explanation:
A is wrong - New Rogue Aps is not customizable
based on event time definition
B is wrong
based on last seen time definition
C is right
D is wrong - Rogue AP Count Summary is not customizable
QUESTION 21
After receiving an alert regarding a rogue AP, a network engineer logs into Cisco Prime and looks
at the floor map where the AP that detected the rogue is located. The map is synchronized with a
mobility services engine that determines the rogue device is actually inside the campus. The
engineer determines the rogue to be a security threat and decides to stop it from broadcasting
inside the enterprise wireless network. What is the fastest way to disable the rogue?
A. Go to the location the rogue device is indicated to be and disable the power.
B. Create an SSID on WLAN controller resembling the SSID of the rogue to spoof it and disable clients
from connecting to it.
C. Classify the rogue as malicious in Cisco Prime.
D. Update the status of the rogue in Cisco Prime to contained.
Answer: A
Explanation:
As MSE is used and location of Rogue is identified, the fastest way to disable the rogue is to
disable the power.
Option C is incorrect because if Rogue is identified as malicious then it just sends a "ALERT"
alarm in cisco prime, but the rogue is not disabled.
QUESTION 22
An engineer has determined that the source of an authentication issue is the client laptop.
Which three items must be verified for EAP-TLS authentication? (Choose three.)
A. The client certificate is formatted as X 509 version 3

B. The validate server certificate option is disabled.
C. The client certificate has a valid expiration date.
D. The user account is the same in the certificate.
E. The supplicant is configured correctly.
F. The subject key identifier is configured correctly.
Answer: ADF
Explanation:
QUESTION 23
Which three configuration steps are necessary on the WLC when implementing central web
authentication in conjunction with Cisco ISE. (Choose three.)
A. Set P2P Blocking Action to Drop.

B. Enable Security Layer 3 Web Policy.
C. Set NAC state to SNMP NAC.
D. Enable Allow AAA override.
E. Enable Security Layer 2 MAC Filtering.
F. Set NAC state to RADIUS NAC.
Answer: DEF
Explanation:
QUESTION 24
A customer has deployed PEAP authentication with a Novell eDirectory LDAP Server. Which
authentication method must be configured on the client to support this deployment?
A. PEAP(EAP-MSCHAPv2)
B. PEAP(EAP-TTLS)
C. PEAP(EAP-GTC)
D. PEAP(EAP-WPA)
Answer: C
Explanation:
QUESTION 25
An engineer is considering an MDM integration with Cisco ISE to assist with security for lost
devices. Which two functions of MDM increase security for lost devices that access data from the
network? (Choose two.)
A. PIN enforcement
B. Jailbreak/root detection
C. data wipe
D. data encryption
E. data loss prevention
Answer: AC
Explanation:
QUESTION 26
An engineer must change the wireless authentication from WPA2-Personal to WPA2- Enterprise.
Which three requirements are necessary? (Choose three.)
A. EAP
B. 802.1x
C. RADIUS
D. per-shared key
E. 802.11u
F. fast secure roaming
G. 802.11i
Answer: ACG
QUESTION 27
Which two considerations must a network engineer have when planning for voice over wireless
roaming? (Choose two.)
A. Roaming with only 802.1x authentication requires full reauthentication.

B. Full reauthentication introduces gaps in a voice conversation.
C. Roaming occurs when e phone has seen at least four APs.
D. Roaming occurs when the phone has reached -80 dBs or below.
Answer: AB
Explanation:
QUESTION 28
Refer to the exhibit. What is the 1.1.1.1 IP address?
A. the wireless client IP address

B. the RADIUS server IP address
C. the controller management IP address
D. the lightweight IP address
E. the controller AP-manager IP address
F. the controller virtual interface IP address
Answer: F
Explanation:
QUESTION 29
An engineer is deploying EAP-TLS as the authentication mechanism for an 802.1X- enabled
wireless network. Which network device is responsible for applying the digital signature to a
certificate to ensure that the certificate is trusted and valid?
A. supplicant
B. CA server
C. wireless controller
D. authentication server
Answer: B
Explanation:
QUESTION 30
An engineer is configuring a new mobility anchor for a WLAN on the CLI with the config wlan
mobility anchor add 3 10.10.10.10 command, but the command is failing. Which two conditions
must be met to be able to enter this command? (Choose two.)
A. The anchor controller IP address must be within the management interface subnet.
B. The anchor controller must be in the same mobility group.
C. The WLAN must be enabled.
D. The mobility group keepalive must be configured.
E. The indicated WLAN ID must be present on the controller.
Answer: BE
Explanation:
QUESTION 31
Which two options are types of MFP that can be performed? (Choose two.)
A. message integrity check

B. infrastructure
C. client
D. AES-CCMP
E. RSN
Answer: BC
Explanation:
QUESTION 32
Which three commands are part of the requirements on Cisco Catalyst 3850 series Switch with
Cisco IOX XE to create a RADIUS authentication server group? (Choose three.)
A. authentication dot1x default local

B. aaa session-idcommon
C. dot1x system-auth-control
D. aaa new-model
E. local-auth wcm_eap_prof
F. security dot1x
Answer: BCD
Explanation:
QUESTION 33
Which option describes the purpose of configuring switch peer groups?
A. enforces RF profiles
B. enables location services
C. restricts roaming traffic to certain switches
D. allows template based configuration changes
Answer: C
Explanation:
QUESTION 34
A customer is concerned that radar is impacting the access point that service the wireless
network in an office located near an airport. On which type of channel should you conduct
spectrum analysis to identify if radar is impacting the wireless network?
A. UNII-3 channels
B. UNII-1 channels
C. 802.11b channels
D. 2.4 GHz channels
E. UMII-2 channels
F. Channels 1, 5, 9, 13
Answer: E
Explanation:
QUESTION 35
A customer is concerned about DOS attacks from a neighboring facility. Which feature can be
enabled to help alleviate these concerns and mitigate DOS attacks on a WLAN?
A. PMF
B. peer-to-peer blocking
C. Cisco Centralized Key Management
D. split tunnel
Answer: A
Explanation:
QUESTION 36
A network engineer is implementing a wireless network and is considering deploying a single
SSID for device onboarding. Winch option is a benefit of using dual SSIDs with a captive portal
on the onboard SSID compared to a single SSID solution?
A. limit of a single device per user

B. restrict allowed devices types
C. allow multiple devices per user
D. minimize client configuration errors
Answer: B
Explanation:
QUESTION 37
Which mobility mode must a Cisco 5508 wireless Controller be in to use the MA functionality on a
cisco catalyst 3850 series switch with a cisco 550 Wireless Controller as an MC?
A. classic mobility
B. new mobility
C. converged access mobility
D. auto-anchor mobility
Answer: C
Explanation:
QUESTION 38
MFP is enabled globally on a WLAN with default settings on single controller wireless network.
Older client devices are disconnected from the network during a deauthentication attack. What is
the cause of this issue?
A. The client devices do not support WPA.

B. The client devices do not support CCXv5.
C. The MFP on the WLAN is set to optional
D. The NTP server is not configured on the controller.
Answer: C
Explanation:
QUESTION 39
An engineer is configuring client MFP. What WLAN Layer 2 security must be selected to use
client MFP?
A. Static WEP
B. CKIP
C. WPA+WPA2
D. 802 1x
Answer: C
Explanation:
QUESTION 40
Access points at branch sites for a company are in FlexConncct mode and perform local
switching, but they authenticate to the central RADIUS at headquarters. VPN connections to the
headquarters have gone down, but each branch site has a local authentication server. Which
three features on the wireless controller can be configured to maintain network operations if this
situation reoccurs? (Choose three.)
A. Put APs in FlexConnect Group for Remote Branches.

B. Set Branch RADIUS as Primary.
C. Put APs in AP Group Per Branch.
D. Put APs in FlexConnect Group Per Branch.
E. Set Branch RADIUS OS Secondary.
F. Set HQ RADIUS a-s primary.
Answer: AEF
Explanation:
QUESTION 41
When you configure BYOD access to the network, you face increased security risks and
challenges. Which challenge is resolved by deploying digital client certificates?
A. managing the increase connected devices

B. ensuring wireless LAN performance and reliability
C. providing device choice and support
D. enforcing company usage policies
Answer: D
Explanation:
QUESTION 42
Which option determines which RADIUS server is preferred the most by the Cisco WLC?
A. the Server Index (Priority) drop-down list
B. the server status
C. the server IP address
D. the port number
Answer: A
Explanation:
QUESTION 43
Which two 802.11 methods can be configured to protect card holder data? (Choose two.)
A. CCMP
B. WEP
C. SSL
D. TKIP
E. VPN
Answer: CE
Explanation:
SSL and VPN are technics to encrypt data traffic
QUESTION 44
An engineer requires authentication for WPA2 that will use fast rekeying to enable clients to roam
from one access point to another without going through the controller. Which security option
should be configured?
A. PSK
B. AES
C. Cisco Centralized key Management
D. 802.1x
Answer: C
Explanation:
QUESTION 45
A Cisco WLC has been added to the network and Cisco ISE as a network device, but
authentication is failing. Which configuration within the network device configuration should be
verified?
A. shared secret
B. device ID
C. SNMP RO community
D. device interface credentials
Answer: A
Explanation:
A shared secret is used in authentication process
B,C,D are not involved in device authentication process of WLC/ISE
QUESTION 46
How many mobility peers can a Cisco Catalyst 3850-MC node have?
A. 8
B. 2
C. 6
D. 16
E. 4
Answer: A
Explanation:
QUESTION 47
On which two ports does the RADIUS server maintain a database and listen for incoming
authentication and accounting requests? (Choose two.)
A. UDP 1900
B. UDP port 1812
C. TCP port 1812
D. TCP port 1813
E. UDP port 1813
Answer: BE
Explanation:
QUESTION 48
An engineer must enable EAP on a new WLAN and is ensuring that the necessary components
are available. Which component uses EAP and 802.1x to pass user authentication to the
authenticator?
A. AP
B. AAA server
C. supplicant
D. controller
Answer: D
Explanation:
QUESTION 49
A corporation has recently implemented a BYOD policy at their HQ. Which three risks should the
security director be concerned about? (Choose three.)
A. unauthorized users
B. rogue ad-hocs
C. software piracy
D. lost and stolen devices
E. malware
F. keyloggers
Answer: ADE
Explanation:
QUESTION 50
Which client roam is considered the fastest in a wireless deployment using Cisco IOS XE mobility
controllers and mobility agents?
A. Roam within stack members

B. Inlet-SPG roam
C. Interdomain roam
D. Intermobility roam
E. lntra-SPG roam
Answer: E
Explanation:
QUESTION 51
WPA2 Enterprise with 802.1x is being used for clients to authenticate to a wireless network
through an ACS server. For security reasons, the network engineer wants to ensure only PEAP
authentication can be used. The engineer sent instructions to clients on how to configure their
supplicants, but users are still in the ACS logs authentication using EAP- FAST. Which option
describes the most efficient way the engineer can ensure these users cannot access the network
unless the correct authentication mechanism is configured?
A. Enable AAA override on the SSID, gather the usernames of these users, and disable their RADIUS
accounts until they make sure they correctly configured their devices.
B. Enable AAA override on the SSID and configure an access policy in ACS that denies access to the
list of MACs that have used EAP-FAST.
C. Enable AAA override on the SSID and configure an access policy in ACS that allows access only
when the EAP authentication method is PEAP.
D. Enable AAA override on the SSID and configure an access policy in ACS that puts clients that
authenticated using EAP-FAST into a quarantine VLAN.
Answer: C
QUESTION 52
An engineer is configuring a BYOD deployment strategy and prefers a single SSID model. Which
technology is required to accomplish this configuration?
A. mobility service engine

B. wireless control system
C. identify service engine
D. Prime Infrastructure
Answer: C
Explanation:
QUESTION 53
Which Cisco feature must an engineer configure on a cisco WLC to enable PCI specification
compliance for communication of neighbor radio information?
A. RF Grouping
B. MFP
C. Rogue Access Point Detection
D. RRM NDP
E. Off Channel Scanning
Answer: D
Explanation:
QUESTION 54
The Cisco NAC Guest Server is configured as which kind of device on the wireless controller?
A. external web authentication server

B. RADIUS server
C. SNMP trap receiver
D. anchor controller
E. AAA client
Answer: B
Explanation:
QUESTION 55
Which two statements about the sponsor accounts on the Cisco NAC Guest Server are true?
(Choose two.)
A. The sponsor login to the Cisco NAC Guest Server is at https://NGS-IP-Address/admin to create,
view, and edit guest accounts.
B. The Cisco NAC Guest Server can authenticate the sponsors using the local database or via
Microsoft Active Directory or LDAP or RADIUS servers.
C. Sponsoring user groups is the method by which to assign permissions to the sponsors.
D. Guest roles provide a way to give different levels of access to different sponsor accounts.
E. Sponsor accounts require admin privileges to generate reports.
Answer: BC
Explanation:
QUESTION 56
Which two statements are true about configuring a wired guest LAN feature? (Choose two.)
A. Create a WLAN on the anchor controller only

B. Select the management interface as the egress interface to reach the anchor controller
C. Require an anchor controller to implement
D. Select the interface that you created as the guest LAN interface in the ingress interface menu
E. Configure on any controller from version 5.2 forward
Answer: BD
Explanation:
QUESTION 57
When configuring guest WLAN access, which two statements are true? (Choose two.)
A. The SSID that is defined for the guest WLAN on the foreign controllers must be the same as that
defined on the anchor controller.
B. The foreign controllers must be defined with an ingress interface and an egress interface in the
guest WLAN.
C. The foreign and anchor controllers must be configured in a mobility group for the foreign
controllers to be able to initiate EoIP tunnels to one or more anchor controllers.
D. The mobility domain name of the anchor controller should be the same as what is configured for
the foreign controllers.
Answer: AC
Explanation:
QUESTION 58
Which statement correctly describes the relationship between the foreign and anchor controllers
when used for guest access?
A. The foreign controller will load balance in round-robin fashion starting with the highest IP address
anchor controller to the lowest IP address anchor controller.
B. The foreign controller will load balance in round-robin fashion starting with the lowest IP address
anchor controller to the highest IP address anchor controller.
C. The foreign controller will load balance in round-robin fashion starting with the highest MAC
address anchor controller to the lowest MAC address anchor controller.
D. The foreign controller will load balance in round-robin fashion starting with the lowest MAC
address anchor controller to the highest MAC address anchor controller.
Answer: B
Explanation:
QUESTION 59
Which two firewall protocol port(s) need open access for secure management access to an
anchor WLC for guest access? (Choose two.)
A. TCP 22
B. TCP 23
C. TCP 80
D. TCP 8080
E. TCP 443
F. UDP 123
Answer: AE
Explanation:
QUESTION 60
Which two EAP type(s) require a client certificate? (Choose two.)
A. LEAP
B. PEAP
C. EAP-FAST
D. EAP-TLS
E. EAP-MD5
Answer: CD
Explanation:
QUESTION 61
Which attribute on the Cisco WLC v7.0 does RADIUS IETF attribute "Tunnel-Private-Group ID"
assign?
A. ACL
B. DSCP
C. QoS
D. VLAN
Answer: D
Explanation:
QUESTION 62
Which three WLAN polices can be controlled by using the Cisco IBNS on the Cisco WLC and
Cisco Secure ACS? (Choose three.)
A. QoS setting
B. VLAN
C. EAP type
D. ACL
E. authentication priority order
F. NAC state
Answer: ABD
Explanation:
QUESTION 63
An engineer is securing the wireless network from vulnerabilities. Which four strategies are
recommended for mitigation? (Choose four.)
A. MFP
B. identity-based networking
C. rogue location
D. EAP-TLS
E. guest monitoring
F. RF profiles
G. rogue detection
H. password policies
Answer: ACEG
Explanation:
QUESTION 64
Refer to the exhibit. A client reports being unable to log into the wireless network, which uses
PEAPv2. Which two issues appear in the output? (Choose two.)
A. There is a problem with the client supplicant.

B. The AP has the incorrect RADIUS server address.
C. The AP has lost IP connectivity to the authentication server.
D. The EAP client timeout value should be increased.
E. The authentication server is misconfigured on the controller.
F. The authentication server is misconfigured in the WLAN.
Answer: AD
QUESTION 65
When using the Standalone Profile Editor in the Cisco AnyConnect v3.0 to create a new NAM
profile, which two statements describe the profile becoming active? (Choose two.)
A. selects the new profile from NAM
B. selects "Network Repair" from NAM
C. becomes active after a save of the profile name
D. ensures use of "configuration.xml" as the profile name
E. ensures use of "config.xml" as the profile name
F. ensures use of "nam.xml" as the profile name
Answer: BD
Explanation:
QUESTION 66
Which feature should an engineer select to implement the use of VLAN tagging, QoS, and ACLs
to clients based on RADIUS attributes?
A. per-WLAN RADIUS source support

B. client profiling
C. AAA override
D. captive bypassing
E. identity-based networking
Answer: C
Explanation:
QUESTION 67
How should the Cisco Secure ACS v4.2 and the Cisco WLC v7.0 be configured to support
wireless client authentication?
A. The WLC configured for RADIUS and the Cisco Secure ACS configured for RADIUS (Cisco
Airespace)
B. The WLC configured for RADIUS and the Cisco Secure ACS configured for RADIUS (IETF)
C. The WLC configured for TACACS+ and the Cisco Secure ACS configured for TACACS+ (Cisco
Airespace)
D. The WLC configured for TACACS+ and the Cisco Secure ACS configured for TACACS+ (Cisco
IOS)
Answer: A
Explanation:
QUESTION 68
Clients are failing EAP authentication. A debug shows that an EAPOL start is sent and the clients
are then de-authenticated. Which two issues can cause this problem? (Choose two.)
A. The WLC certificate has changed.

B. The WLAN is not configured for the correct EAP supplicant type.
C. The shared secret of the WLC and RADIUS server do not match.
D. The WLC has not been added to the RADIUS server as a client.
E. The clients are configured for machine authentication, but the RADIUS server is configured for
user authentication.
Answer: CD
Explanation:
QUESTION 69
What are two of the benefits that the Cisco AnyConnect v3.0 provides to the administrator for
client WLAN security configuration? (Choose two.)
A. Provides a reporting mechanism for rouge APs

B. Prevents a user from adding any WLANs
C. Hides the complexity of 802.1X and EAP configuration
D. Supports centralized or distributed client architectures
E. Provides concurrent wired and wireless connectivity
F. Allows users to modify but not delete admin-created profiles
Answer: CD
QUESTION 70
When a supplicant and AAA server are configured to use PEAP, which mechanism is used by the
client to authenticate the AAA server in Phase One?
A. PMK
B. shared secret keys
C. digital certificate
D. PAC
Answer: C
QUESTION 71
Which EAP types are supported by MAC 10.7 for authentication to a Cisco Unified Wireless
Network?
A. LEAP and EAP-Fast only

B. EAP-TLS and PEAP only
C. LEAP, EAP-TLS, and PEAP only
D. LEAP, EAP-FAST, EAP-TLS, and PEAP
Answer: D
QUESTION 72
Which two attacks represent a social engineering attack? (Choose two.)
A. using AirMagnet Wi-Fi Analyzer to search for hidden SSIDs

B. calling the IT helpdesk and asking for network information
C. spoofing the MAC address of an employee device
D. entering a business and posing as IT support staff
Answer: BD
QUESTION 73
Client Management Frame Protection is supported on which Cisco Compatible Extensions
version clients?
A. v2 and later
B. v3 and later
C. v4 and later
D. v5 only
Answer: D
QUESTION 74
Which three items must be configured on a Cisco WLC v7.0 to allow implementation of isolated
bonding network? (Choose three.)
A. RADIUS server IP address
B. DHCP IP address
C. SNMP trap receiver IP address
D. interface name
E. SNMP community name
F. ACL name
Answer: ADF
QUESTION 75
802.1X AP supplicant credentials have been enabled and configured on a Cisco WLC v7.0 in
both the respective Wireless>AP>Global Configuration location and AP>Credentials tab
locations. What describes the 802.1X AP authentication process when connected via Ethernet to
a switch?
A. Only WLC AP global credentials are used.

B. Only AP credentials are used.
C. WLC global AP credentials are used first; upon failure, the AP credentials are used.
D. AP credentials are used first; upon failure, the WLC global credentials are used.
Answer: B
QUESTION 76
An engineer has configured passive fallback mode for RADIUS with default timer settings.
What will occur when the primary RADIUS fails then recovers?
A. RADIUS requests will be sent to the secondary RADIUS server until the secondary fails to
respond.
B. The controller will immediately revert back after it receives a RADIUS probe from the primary
server.
C. After the inactive time expires the controller will send RADIUS to the primary.
D. Once RADIUS probe messages determine the primary controller is active the controller will revert
back to the primary RADIUS.
Answer: C
QUESTION 77
What two actions must be taken by an engineer configuring wireless Identity-Based Networking
for a WLAN to enable VLAN tagging? (Choose two.)
A. enable AAA override on the WLAN

B. create and apply the appropriate ACL to the WLAN
C. update the RADIUS server attributes for tunnel type 64, medium type 65, and tunnel private group
type 81
D. configure RADIUS server with WLAN subnet and VLAN ID
E. enable VLAN Select on the wireless LAN controller and the WLAN
Answer: AC
QUESTION 78
Which method does a Cisco switch use to authenticate a Cisco lightweight access point that is
acting as an 802.1X supplicant?
A. 802 M
B. EAP-FAST with anonymous PAC provisioning
C. a password only
D. a username and password
Answer: B
QUESTION 79
An engineer is implementing SNMP v3 on a wireless LAN controller and wants to use the
combination of authentication and privacy protocols with the highest security available.
Which protocols must be configured?
A. CFB-AES-128 with HMAC-MD5

B. CBC-DES with HMAC-SHA
C. CFB-AES-128 with HMAC-SHA
D. CBC-DES with HMAC-MD5
Answer: C
QUESTION 80
Which three properties are used for client profiling of wireless clients? (Choose three)
A. MAC OUI
B. IP address
C. HTTP user agent
D. DHCP
E. hostname
F. OS version
Answer: ACD
QUESTION 81
A company wants to switch to BYOD to reduce IT support costs for the company. Which option is
an impact of BYOD should be considered?
A. increased VPN connections

B. restricted device enforcement
C. increased phishing attacks
D. decreased support calls
Answer: A
QUESTION 82
Refer the exhibit. In this IBN topology, device acts as the RADIUS server?
A. directory sewer
B. Cisco ISE
C. Cisco UCS
D. Cisco Catalyst 3850 Series Switch
Answer: B
QUESTION 83
Regarding the guidelines for using MFP, under what circumstances will a client without Cisco
Compatible Extensions v5 be able to associate to a WLAN?
A. The DHCP Required box is unchecked.

B. AAA override is configured for the WLAN.
C. Client MFP is disabled or optional.
D. WPA2 is enabled with TKIP or AES.
Answer: D
Explanation:
QUESTION 84
An engineer is working on a remote site that is configured using FlexConnect. They are worried
that the access points will not send RADIUS request directly to the authentication sever in
standalone mode. Which command ensures direct authentication using the default ports as
defined on the WIC?
A. config flexconnect group Remote radius server acct add primary 10.10.10.10 1813 Ciseo123
B. config flexconnect group Remote radius server auth add primary 10,10.10.10 1813 Cisco123
C. config flexconnect group Remote radius server acct add primary 10.10.10.10 1812 Cisco123
D. config flexconnect group Remote radius server auth add primary 10.10.10.10 1812 Cisco123
Answer: D
Explanation:
UDP 1812 = auth
UDP 1813 = Acct
QUESTION 85
Which three authentication methods correctly describe digital certificate requirements when using
EAP-TLS authentication? (Choose three)
A. The client does not need the corresponding private key.

B. EAP-TLS is sent in cleartext when the root certificate is not installed.
C. The certificate has to be X.509 Version 3.
D. EAP-TLS requires a root certificate but not a user certificate
E. The certificate must be installed when the requested user is logged in to the machine.
F. The subject name in the certificate must correspond to the user account name.
Answer: CEF
Explanation:
See other EAP-TLS certificate requirements explanation.
QUESTION 86
Which two requirements must be met to ensure that Cisco ISE can join the Active Directory
domain of the company. (Choose two.)
A. If a firewall exists between Cisco ISE and Active Directory domain server, these ports are allowed
through UDP 69, 123, and 389; and TCP 88, 389, 445, 464, 636, 3268, and 3269.
B. The hostname of Cisco ISE is less than 20 characters in length.
C. An account has been created in Active Directory for Cisco ISE that has the necessary
permissions.
D. The DNS name is configured on Cisco ISE and resolved on the Active Directory domain server
E. Time synchronization between Cisco ISE and Active Directory must be within 10 minutes.
Answer: CD
Explanation:
A is wrong see used ports table
B is wrong , see following:
It is important to limit Cisco ISE hostnames to 15 characters or less in length if you use Active
Directory on your network
E.is wrong, see following:
Use the Network Time Protocol (NTP) server settings to synchronize the time between the Cisco
server and Active Directory. You can configure NTP settings from Cisco CLI.
QUESTION 87
Refer to the exhibit. What do the red circles represent in the exhibit?
A. detected interferers
B. RSSI cutoff
C. wIPs attackers
D. zones of impact
Answer: D
Explanation:
The question was, what does the red circles represent and not the symbol
QUESTION 88
An engineer is configuring central web authentication using a Cisco 5508 wireless controller and
the Cisco Identity Service Engine.
Which two attributes must be configured on Cisco ISE to add the controller as a network device?
(Choose two.)
A. authentication protocol
B. RADIUS shared secret
C. a out-of-band SGA PAC
D. controller IP address
E. controller software version
Answer: BD
Explanation:
As per question it is "must be configured". and configuring software version is optional whereas
configuring IP address is mandatory.
QUESTION 89
Refer to the exhibit. You are configuring an autonomous AP for 802.1x access to a wired
infrastructure.
What does the command do?
A. It enables the AP to override the authentication timeout on the RADIUS server.

B. It configures how long the AP must wait for a client to reply to an EAP/dot1x message before the
authentication fails
C. It enables the supplicant to override the authentication timeout on the client.
D. It configures how long the RADIUS server must wait for the supplicant to reply to an EAP/dot1x
message before the authentication fails.
Answer: A
Explanation:
https://www.cisco.com/c/en/us/td/docs/wireless/access_point/15-3-3/configuration/guide/cg15-3-
3/cg15-3 -3-chap11-authtypes.html
QUESTION 90
A company is deploying wireless PCs on forklifts within its new 10,000-square-foot (3048-square-
rneter) facility. The clients are configured for PEAP-MS-CHAPv2 with WPA TKIP. Users report
that applications frequently drop when the clients roam between access points on the floor. A
professional site survey was completed.
Which configuration change is recommended to improve the speed of client roaming?
A. EAP-FAST
B. EAP-TLS
C. WPA AES
D. WPA2 AES
Answer: D
Explanation:
Although the controller and APs support WLAN with SSID using WiFi Protected Access (WPA)
and WPA2 simultaneously, it is common that some wireless client drivers cannot handle complex
SSID settings. Whenever possible, Cisco recommends WPA2 only with Advanced Encryption
Standard (AES). However, due to standards and mandatory WiFi Alliance certification process,
TKIP support is required across future software versions. Keep the security policies simple for
any SSID. Use a separate WLAN/SSID with WPA and Temporal Key Integrity Protocol (TKIP),
and a separate one with WPA2 and Advanced Encryption Standard (AES). Since TKIP is being
deprecated, Cisco recommends to use TKIP together with WEP, or to migrate out of TKIP
completely and use PEAP, if possible.
QUESTION 91
An engineer is troubleshooting rogue access points that are showing up in Cisco Prime
Infrastructure. What is maximum number of APS the engineer can use to contain an identified
rogue access point in the WLC?
A. 3
B. 4
C. 6
D. 5
Answer: B
Explanation:
Enter the maximum number of Cisco APs to actively contain the rogue client [1-4].
https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-
controllers/112045-handlin g-rogue-cuwn-00.html
QUESTION 92
When a network engineer plans to implement the client MFP, which three settings should be
supported by the client? (Choose three)
A. WPA2 with AES

B. Short Preamble check box
C. WPA2 with TKIP
D. WEP
E. WPA with TKIP
F. Cisco Compatible Extensions v5
Answer: ACF
Explanation:
Client MFP is supported for use only with CCXv5 clients using WPA2 with TKIP or
https://learningnetwork.cisco.com/thread/6528
QUESTION 93
An engineer has configured central web authentication on the wireless network, but clients are
receiving untrusted certificate errors on their internet browsers when directed to the guest splash
page. Which file must be provided to an approved trusted certificate authority to fix this issue?
A. EAP-TLS certificate generated by WLC

B. CSR generated by Identity Service Engine
C. CSR generated by the WLC
D. EAP-TLS certificate generated by the access point
Answer: B
QUESTION 94
Which three methods are valid for guest wireless using web authentication? (Choose three.)
A. LDAP
B. SSL
C. local
D. TLS
E. EAP-TLS
F. RADIUS
Answer: FCA
Explanation:
There are three ways to authenticate users when you use web authentication. Local
authentication allows you to authenticate the user in the Cisco WLC. You can also use an
external RADIUS server or a LDAP server as a backend database in order to authenticate the
users. https://www.sslshopper.com/ssl-certificate-not-trusted-error.html
QUESTION 95
Which two statements describe the requirements for EAP-TLS? (Choose two)
A. requires client-side and server-side certificates.

B. It uses PAC on the client.
C. It requires PKI.
D. It requires a server-side digital certificate on only the RADIUS server.
E. It must use AES for encryption and cannot use TKIP for encryption.
Answer: AC
Explanation:
QUESTION 96
An engineer has configured the wireless controller to authenticate clients on the employee SSID
against Microsoft Active Directory using PEAP authentication.
Which protocol does the controller use to communicate with the authentication server?
A. EAP
B. 802.1X
C. RADIUS
D. WPA2
Answer: C
Explanation:
EAP is exchanged between supplicant and authenticator and RADIUS Is used between
authenticator and Auth server.
QUESTION 97
An engineer configures 802.1 X authentication for the access points using the config ap
802.1Xuser add username admin password secret AP_01 command.
Which EAP method does the access point use to authenticate?
A. EAP-TLS
B. MS-CHAPv2 PEAP
C. LEAP
D. EAP-FAST
Answer: D
Explanation:
Enables or disables Extensible Authentication Protocol-Flexible Authentication via Secure
Tunneling (EAP-FAST) authentication.
https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/cmd-
ref/b_cr80/config_commands_a_to_i.h tml
QUESTION 98
When implementing secure PCI wireless networks, which two are specific recommendations in
the PCI DSS? (Choose two)
A. Use a minimum 12-character random passphrase with WPA

B. Segment logging events with other networking devices within the organization.
C. Use VLAN based segmentation with MAC filters.
D. Change default settings.
E. Implement strong wireless authentication
Answer: ED
Explanation:
Wireless networks that are part of the CDE must comply with all PCI DSS requirements. This
includes using a firewall (requirement 1.2.3) and making sure that additional rogue wireless
devices have not been added to the CDE (requirement 11.1). In addition, PCI DSS compliance
for systems that include WLANs as a part of the CDE requires extra attention to WLAN specific
technologies and processes such as: A. Physical security of wireless devices, B. Changing
default passwords and settings on wireless devices, C. Logging of wireless access and intrusion
prevention, D. Strong wireless authentication and encryption, E. Use of strong cryptography and
security protocols, and F. Development and enforcement of wireless usage policies. This section
will cover each of these requirements sequentially.
https://www.pcisecuritystandards.org/pdfs/PCI_DSS_Wireless_Guidelines.pdf
QUESTION 99
A customer wants the access points in the CEO's office to have different usernames and
passwords for administrative support than the other access points deployed throughout facility.
Which feature can be enabled on the WLC and access points to achieve this criteria?
A. override global credentials

B. HTTPS access
C. 802.1x supplicant credentials
D. local management users
Answer: A
Explanation:
Explanation:
Question specifically asks regarding different username/password on access points in one area
compared to other.
SO answer should be overriding global credentials by adding username password per AP in that
area.
Local management users is impacted globally, that username password will be applicable for all
the Access points.
QUESTION 100
WPA2 Enterprise with 802 1x is being used for clients to authenticate to a wireless network an
ISE server. For security reasons, the network engineer wants to ensure only PEAP authentication
can be used. The engineer sent Instructions to clients on how to configure their supplicants, but
users are still in the ISE logs authenticating EAP-FAST.
Which option describes the efficient can ensure these users cannot the network unless the
correct authentication mechanism is configured?
A. Enable AAA override on the SSID, gather the usernames of these users, and disable their
RADIUS accounts they make sure they correctly configured their devices
B. Enable AAA override on the SSID and configure an ACL on the WLC that will allow access to
users with ip address from a specific subnet
C. Enable AAA override on the SSID and configure an access policy in ISE that allows access when
the EAP authentication method is PEAP
D. Enable AAA override on the SSID and configure an access policy in ISE that denies access to the
list of MACs that have used EAP-FAST
Answer: C
QUESTION 101
A network engineer must segregate all iPads on the guest WLAN. How does the engineer
accomplish this task with without using ISE?
A. Use 802.1x authentication to profile the devices

B. Create a local policy on the WLC.
C. Use an mDNS profile for the iPad device.
D. Enable RADIUS DHCP profiling on the WLAN
Answer: B
QUESTION 102
An engineer is trying to determine if an existing configuration deviates from the Cisco defaults
while enabling PMF on a WLAN.
Which set represents the default timer configuration for PMF?
A. security pmf association-comeback 1 security pmf mandatory security pmf saquery-retry-time 100
B. security pmf association-comeback 20 security pmf mandatory security pmf saquery-retry-time
600
C. security pmf association-comeback 15 security pmf mandatory security pmf saquery-retry-time
200
D. security pmf association-comeback 1 security pmf mandatory security pmf saquery-retry-time 200
Answer: D
Explanation:
http://wirelessccie.blogspot.kr/2016/01/80211w-aka-pmf.html
QUESTION 103
An engineer is designing a high availability wireless network. What mechanism should be the
focus for high availability?
A. SNR
B. channel reuse
C. RSSI
D. cell overlap
Answer: B
Explanation:
Describe basic RF deployment considerations related to site survey design of data or VoWLAN
applications, common RF interference sources such as devices, building material, AP location,
and basic RF site survey design related to channel reuse, signal strength, and cell overlap.
QUESTION 104
You are configuring a Cisco WLC version 8.0.
Which two options do you find on the Layer 3 Security tab? (Choose two)
A. 802.1x
B. Authentication
C. Passthrough
D. CKIP
E. WPA+WPA2
Answer: BC
Explanation:
From the Layer 3 Security drop-down list, choose one of the following:
None--Layer 3 security is disabled.
Web Authentication--Causes users to be prompted for a username and password when
connecting to the wireless network. This is the default value.
Web Passthrough--Allows users to access the network without entering a username and
password.
QUESTION 105
Refer to the exhibit. The security team has configured an IBN profile on ISE for the guest wireless
network to provide captive service.
Where must the network engineer configure the ACL and portal for the Cisco AireOS controller?
A. GuestPreLogin downloadable ACL on ISE, login portal on ISE

B. GuestPreLogin local ACL on WLC, login portal on WLC
C. GuestPreLogin downloadable ACL on ISE, login portal on WLC
D. GuestPreLogin local ACL on WLC, login portal on ISE
Answer: C
Explanation:
The flow would be the following:
-User associate to the Web Auth SSID
-User starts its browser
-The WLC Redirect to the guest portal (ISE/NGS)
-The user authenticate on the portal
-The Guest Portal redirect back to the WLC with the credentials entered -The WLC Authenticate
the guest user via Radius
-The WLC Redirects back to the original URL.
https://supportforums.cisco.com/t5/wireless-mobility-documents/central-web-authentication-cwa-
for-guest s-with-ise/ta-p/3121101
QUESTION 106
An engineer is confining EAP-TLS with a client trusting server model and has configured a public
root certification authority.
Which action does this allow?
A. specifies a second certification authority to trust

B. utilizes two sub certification authority servers
C. creates a PKI infrastructure
D. validates the AAA server
Answer: D
Explanation:
This part will help you understand the concept of AAA server trust model. Specific configuration
information is given in Section 6 of this document.
To support EAP-TLS, the AAA server (for example, Cisco Secure ACS) must have a certificate.
Either a public certification authority or a private certification authority can be used to issue the
AAA server certificate. The AAA server will trust a client certificate that was issued from the same
root certification authority that issued its certificate.
https://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a008009256b.sht
ml
QUESTION 107
Which configuration step is necessary to enable Visitor Connect on an SSID?
A. A preauthentication ACL must be defined.

B. Local client profiling must be enabled.
C. The SSID must use MAC filtering.
D. A passive client must be enabled.
Answer: A
Explanation:
The Pre-Authentication Flex Connect ACL is required for flex mode deployments. For more
information, see the Configuring FlexConnect ACLs.
https://www.cisco.com/c/en/us/td/docs/wireless/mse/7-6/CMX_Dashboard/Guide/
QUESTION 108
While deploying PEAP authentication on a customer laptop with the native Windows supplicant,
the PEAP security options do not appear.
Which option describes what must be done?
A. Enable automatic connection to the WLAN.
B. Enable DNS on WLAN.
C. Enable AES on WLAN settings
D. Enable WLAN autoconfig services on the PC
Answer: C
QUESTION 109
Which client roam is considered the fastest in a wireless deployment using Cisco IOS XE mobility
controllers and mobility agents?
A. Inter-SPG roam
B. Interdomain roam
C. Roam within stack members
D. Intermobility roam
Answer: A
Explanation:
Inter-SPG, Intra-subdomain roaming--The client roaming between mobility agents in different
SPGs within the same subdomain.
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/system_m
anagem ent/configuration_guide/b_sm_3se_3850_cg/b_sm_3se_3850_cg_chapter_0111.pdf
QUESTION 110
An engineer is configuring a BYOD provisioning WLAN.
Which two advanced WLAN settings are required? (Choose two)
A. DHCP profiling
B. DHCP address assignment
C. passive client
D. RADIUS NAC
E. AAA override
Answer: DE
Explanation:
Allow AAA Override: Enabled
NAC State: Radius NAC (selected)
https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113476-
wireless-b yod-ise-00.html
QUESTION 111
An engineer is configuring an autonomous AP for RADIUS authentication. What two pieces of
information must be known to configure the AP? (Choose two.)
A. shared secret
B. username and password
C. RADIUS IP address
D. group name
E. PAC encryption key
Answer: AC
Explanation:
You identify RADIUS security servers by their host name or IP address, host name and specific
UDP port numbers, or their IP address and specific UDP port numbers. The combination of the IP
address and the UDP port number creates a unique identifier allowing different ports to be
individually defined as RADIUS hosts providing a specific AAA service. This unique identifier
enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address.
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_rad/configuration/xe-3se/3850/sec-
usr-rad-xe -3se-3850-book/sec-rad-mult-udp-ports.html
QUESTION 112
A wireless engineer want to how many wlPS alerts have been detected in CISCO Prime. Which
tab does the engineer select in the windows dashboard?
A. Security
B. CleanAir
C. Context Aware
D. Mesh
Answer: A
Explanation:
Security Index, including the top security issues Security Adaptive WIPS
Rogue classification graph
Rogue containment graph
Attacks detected
Malicious, unclassified, friendly, and custom rogue APs CleanAir security
Adhoc rogues
https://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/3-1/user/guide/pi_ug/view-
dash.html
QUESTION 113
You are configuring the social login for a guest network. Which three options are configurable
social connectors in Cisco CMX Visitor Connect? (Choose three)
A. LinkedIn
B. Pinterest
C. Medium
D. Google+
E. Facebook
F. Myspace
Answer: ADE
Explanation:
In this section we create an example Facebook application that can be used as a social
authenticator with a splash page. While it is possible to use a Google+ app login and/or LinkedIn
app, they are not covered as part of this version of the CMX guide. To get started with a
Facebook App, log in to the Facebook developer portal at the following URL with your Facebook
ID:
QUESTION 114
An engineer is preparing to implement a BYOD SSID at remote offices using local switching and
wants to ensure that Wi-Fi Direct clients can communicate after the SSID is deployed. The
engineer is planning on implementing the config wlan wifldlrect allow 1 command.
Which Wi-Fi Direct Policy consideration is applicable?
A. Policy is applicable only with central switched WLANs on FlexConnect APS.

B. Policy IS applicable only when P2P is set to disabled.
C. Policy is applicable only to APS in FlexConnect mode only.
D. Policy is applicable only on WLANs that have APS in local mode only.
Answer: D
Explanation:
QUESTION 115
An engineer is configuring a wireless network for local FlexConnect authentication.
What three configurations are required for the WLC with WLAN 1 and AP Cisco? (Choose three.)
A. config ap flexconnect vlan enable Cisco

B. config wlan flexconnect vlan-central-switching 1 enable
C. config ap flexconnect vlan wlan 1 Cisco
D. config wlan flexconnect local-switching 1 enable
E. config wlan flexconnect ap-auth 1 enable
F. config ap mode flexconnect Cisco
Answer: DEF
Explanation:
QUESTION 116
Drag and Drop Question
Drag the EAP Authentication type on the left to the accurate description provided on the right.
Answer:
Explanation:
QUESTION 117
Drag and Drop Question
A wireless engineer wants to schedule monthly security reports in Cisco Prime infrastructure.
Drag and drop the report the from the left onto the expected results when the report is generated
on the right.
Answer:
Explanation:
QUESTION 118
What snmpv3 commands are needed for configure snmp server?
A. snmp-server group
B. snmp group-ID server
C. snmp-server engineID
D. snmp group user
E. snmp-server community
F. snmp-server user
Answer: ACF
Explanation:
QUESTION 119
Testlet- Local Web Auth
Scenario
Local web auth is not working. What has to be changed for User Bill Smith can access
Contractors WLAN requirements shown in Topology.
Local web auth should work on WLAN Contractors only.(Choose 4)
Topology
On WLC
Controller>Interfaces>Vlans
WLANS>wlans
WLAN 2 and WLAN 10 Security Tab
Layer 2
WLAN 2
WLAN 10
WLAN 2/10 Layer 3 Security Tab
Security>AAA>Local Net Users
A. Delete User Bill Smith. Add new User Bill Smith with WLAN Profile Contractors
B. Delete WLAN 2 and WLAN 10. Create new WLAN 2 and WLAN 10, assign SSID WLAN 2 Contractors
and SSID WLAN 10 Employees
C. Delete WLAN 2 and WLAN 10. Create new WLAN 2 and WLAN 10, assign SSID WLAN 2 Employees
and SSID WLAN 10 Contractors
D. Set Layer 2 Security to None
E. Set Layer 3 Security to None and Web Policy
F. Put AP EAST-WING in EAST AP-Group
G. Create new User Bill Smith with WLAN Profile Employees
H. Set WLAN 10 to vlan interface Employees
Answer: ACDE
Explanation:
QUESTION 120
Scenario
Local Web Auth has been configured on the East-WLC-2504A, but it is not working. Determine
which actions must be taken to restore the Local Web Auth service. The Local Web Auth service
must operate only with the Contractors WLAN.
Contractors WLAN ID - 10
Employees WLAN ID - 2
Note, not all menu items, text boxes, or radio buttons are active.
Virtual Terminal
Which four changes must be made to configuration parameters to restore the Local Web Auth
feature on the East-WLC-2504A? Assume the passwords are correctly entered as "ciscotest".
(Choose four.)
A. Remove the existing Local Net User Bill Smith and add a New Local Net User "Bill Smith"
password "ciscotest', WLAN Profile "Contractors".
B. Remove WLAN 10 and WLAN 2, replace WLAN 10 with Profile Name Employees and SSID
Contractors;
replace WLAN 2 with Profile Name Employees and SSID Employees.
C. Remove WLAN 10 and WLAN 2, replace WLAN 10 with Profile Name Contractors and SSID
Contractors,
replace WLAN 2 with Profile Name Employees and SSID Employees.
D. Change the Layer 2 security to None on the Contractors WLAN.
E. Under Layer 3 Security, change the Layer 3 Security to Web Policy on the Contractors WLAN.
F. Under Security Local Net Users add a New Local Net User "Bill Smith" password "Cisco",
interface/ Interface Group "east-wing".
G. Change the Layer 2 Security to None + EAP Pass-through on the Contractors WLAN.
H. Under WLANs > Edit "Contractors "change the interface/Interface group to "east-wing".
Answer: ACDE
QUESTION 121
An engineer is implementing SNMP v3 on a Cisco 5700 Series WLC. Which three commands are
the minimum needed to configure SNMP v3? (Choose three.)
A. snmp-server enable traps

B. snmp-server group
C. snmp-server user
D. snmp-server community
E. snmp-server context
F. snmp-server engineID
Answer: BCF
QUESTION 122
Refer to the exhibit. An engineer has configured a BYOD policy that allows for printing on the
WLAN utilizing Bonjour services. However, the engineer cannot get printing working. The WLC
firmware is 8.x. the printer is connected on the wired network where a few of the access points
are also connected. Which reason that printing is not working is true?
A. Location-specific service is not enabled on the WLC.

B. Secure Web Mode Cipher-Option SSLv2 is not enabled.
C. mBNS and IGMP snooping is not enabled on the WLC.
D. IGMP Query Interval value is too low.
E. The number of mDNS services exceeds firmware limits.
Answer: C
QUESTION 123
Which two fast roaming algorithms will allow a WLAN client to roam to a new AP and re-establish
a new session key without a full reauthentication of the WLAN client? (Choose two.)
A. PKC
B. GTK
C. PMK
D. PTK
E. CKM
Answer: AE
QUESTION 124
A new MSE with wIPS service has been installed and no alarm information appears to be
reaching the MSE from controllers.
What protocol must be allowed to reach the MSE from the controllers?
A. NMSP
B. SOAP/XML
C. SNMP
D. CAPWAP
Answer: A
Explanation:
QUESTION 125
Which condition introduce security risk to a BYOD policy?
A. enterprise-managed MDM platform used for personal devices

B. access to LAN without implementing MDM solution
C. enforcement of BYOD access to internet only network
D. enterprise life-cycle enforcement of personal device refresh
Answer: B
QUESTION 126
An engineer ran the PCI report in Cisco Prime Infrastructure and received a warning on PCIDSS
Requirement 2.1.1 that the SNMP strings are set to default and must be changed. Which tab in
the Cisco WLC can the engineer use to navigate to these settings?
A. Management
B. Security
C. Controller
D. Wireless
Answer: A
QUESTION 127
Refer to the exhibit. A network engineer must configure a WLAN on a Cisco IOS-XE controller to
support corporate devices (using VLAN 30) and BYOD (using VLAN 40) on the same secure
SSID. The security team has built an ISE deployment to be used for VLAN assignment and to
restrict access based on policy and posture compliance.
Given the existing WLAN configuration, which configuration change must be made?
A. remove ip dhcp required

B. Add aaa-override
C. Remove nac
D. Add mac-filtering default
Answer: B
QUESTION 128
Which EAP method can an AP use to authenticate to the wired network?
A. EAP-GTC
B. EAP-MD5
C. EAP-TLS
D. EAP-FAST
Answer: D
Explanation:
Enables or disables Extensible Authentication Protocol-Flexible Authentication via Secure
Tunneling (EAP-FAST) authentication.
https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/cmd-
ref/b_cr80/config_commands_a_to_i.h tml
QUESTION 129
A wireless engineer must implement a corporate wireless network for a large company with ID
338860948 in the most efficient way possible. The wireless network must support a total of 32
VLANS for 300 employees in different departments.
What is the best configuration option in this scenario?
A. Configure a second WLC to support half of the APs in the deployment.

B. Configure different AP groups to support different VLANs, so that all of the WLANs can be
broadcast on both radios.
C. Configure 16 WLANs to be broadcast on the 2.4-GHz band and 16 WLANs to be broadcast on
the 5.0-GHz band.
D. Configure one single SSID and implement Cisco ISE VLLAN assignment according to different
user roles.
Answer: B
QUESTION 130
An engineer with ID 338860948 is implementing Cisco Identity-Based Networking on a Cisco
AireOS controller. The engineer has two ACLs on the controller. The first ACL, named
BASE_ACL, is applied to the corporate_clients interface on the WLC, which is used for all
corporate clients. The second ACL, named HR_ACL, is referenced by ISE in the Human
Resources group policy. Which option is the resulting ACL when a Human Resources user
connects?
A. HR_ACL only
B. HR_ACL appended with BASE_ACL
C. BASE_ACL appended with HR_ACL
D. BASE_ACL only
Answer: A
QUESTION 131
An engineer is adding APs to an existing VoWLAN to allow for location based services. Which
option will the primary change be to the network?
A. increased transmit power on all APs

B. moving to a bridging model
C. AP footprint
D. cell overlap would decrease
E. triangulation of devices
Answer: C
QUESTION 132
Refer to the exhibit. An engineer utilizing ISE as the wireless AAA service noticed that the
accounting process on the server at 10.10.2.3 has failed, but authentication process is still
functional. Which ISE nodes receive WLC RADIUS traffic, using the CLI output and assuming the
WLAN uses the servers in their indexed order?
A. authentication to 10.10.2.4, accounting to 10.10.2.3.

B. authentication to 10.10.2.3, accounting to 10.10.2.3.
C. authentication to 10.10.2.4, accounting to 10.10.2.4.
D. authentication to 10.10.2.3, accounting to 10.10.2.4.
Answer: B
QUESTION 133
Refer to the exhibit. You are configuring a controller that runs Cisco IOS XE by using the CLI.
Which three configuration options are used for 802.11w Protected Management Frames?
(Choose three.)
A. mandatory
B. association-comeback
C. SA teardown protection
D. saquery-retry-time
E. enable
F. comeback-time
Answer: ABD

Vendor: Cisco Exam Code: 300-375 Exam Name: Securing Wireless Enterprise Networks

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Vendor: Cisco Exam Code: 300-375 Exam Name: Securing Wireless Enterprise Networks

Uploaded by

Copyright:

Available Formats

Vendor: Cisco

Exam Code: 300-375

Exam Name: Securing Wireless Enterprise Networks

Order ID: ****************

PayPal Name: ****************

PayPal ID: ****************

A. AES key, TKIP key, WEP key

A. Disable Dynamic AP Management.

A. ap Floor1_AP1 ap-groupname default-group

A. Cisco Secure ACS is required.

A. Both AES and TKIP must be enabled

On WLC navigate in Menu to WLAN>WLANS

Step 2 Edit WLAN

Step 3 Add WPA+WPA2 PSK Layer 2 Security

Step 4 Check if the client is connected to the WLAN

A. Layer 2 and Layer 3

A. snmp-server user remoteuser1 group1 remote 10.12.0.4

A. New Rogue APs

A. The client certificate is formatted as X 509 version 3

A. Set P2P Blocking Action to Drop.

A. Roaming with only 802.1x authentication requires full reauthentication.

A. the wireless client IP address

A. message integrity check

A. authentication dot1x default local

A. limit of a single device per user

A. The client devices do not support WPA.

A. Put APs in FlexConnect Group for Remote Branches.

A. managing the increase connected devices

A. Roam within stack members

A. mobility service engine

A. external web authentication server

A. Create a WLAN on the anchor controller only

A. There is a problem with the client supplicant.

A. per-WLAN RADIUS source support

A. The WLC certificate has changed.

A. Provides a reporting mechanism for rouge APs

A. LEAP and EAP-Fast only

A. using AirMagnet Wi-Fi Analyzer to search for hidden SSIDs

A. RADIUS server IP address

A. Only WLC AP global credentials are used.

A. enable AAA override on the WLAN

A. CFB-AES-128 with HMAC-MD5

A. increased VPN connections

A. The DHCP Required box is unchecked.

A. The client does not need the corresponding private key.

B is wrong , see following:

A. It enables the AP to override the authentication timeout on the RADIUS server.

A. WPA2 with AES

A. EAP-TLS certificate generated by WLC

A. requires client-side and server-side certificates.

A. Use a minimum 12-character random passphrase with WPA

A. override global credentials

A. Use 802.1x authentication to profile the devices

A. GuestPreLogin downloadable ACL on ISE, login portal on ISE

A. specifies a second certification authority to trust

A. A preauthentication ACL must be defined.

A. Policy is applicable only with central switched WLANs on FlexConnect APS.

A. config ap flexconnect vlan enable Cisco

Security>AAA>Local Net Users

A. snmp-server enable traps

A. Location-specific service is not enabled on the WLC.

A. enterprise-managed MDM platform used for personal devices

A. remove ip dhcp required