300-375 Exam - Securing Cisco Wireless Enterprise Networks

NEW QUESTION 1
What are two of the benefits that the Cisco AnyConnect v3.0 provides to the administrator for client WLAN security configuration? (Choose two.)

• A. Provides a reporting mechanism for rouge APs
• B. Prevents a user from adding any WLANs
• C. Hides the complexity of 802.1X and EAP configuration
• D. Supports centralized or distributed client architectures
• E. Provides concurrent wired and wireless connectivity
• F. Allows users to modify but not delete admin-created profiles

Answer: CD

NEW QUESTION 2
Clients are failing EAP authentication. A debug shows that an EAPOL start is sent and the clients are then de-authenticated. Which two issues can cause this problem? (Choose two.)

• A. The WLC certificate has changed.
• B. The WLAN is not configured for the correct EAP supplicant type.
• C. The shared secret of the WLC and RADIUS server do not match.
• D. The WLC has not been added to the RADIUS server as a client.
• E. The clients are configured for machine authentication, but the RADIUS server is configured for user authentication.

Answer: CD

NEW QUESTION 3
On which two ports does the RADIUS server maintain a database and listen for incoming authentication and accounting requests? (Choose two.)

• A. UDP 1900
• B. UDP port 1812
• C. TCP port 1812
• D. TCP port 1813
• E. UDP port 1813

Answer: BE

NEW QUESTION 4
An engineer is implementing SNMP v3 on a wireless LAN controller and wants to use the combination of authentication and privacy protocols with the highest security available. Which protocols must be configured?

• A. CFB-AES-128 with HMAC-MD5
• B. CBC-DES with HMAC SHA
• C. CFB-AES-128 with HMAC-SHA
• D. CBC-DES with HMAC-MD5

Answer: C

NEW QUESTION 5
Refer to the exhibit.

A customer is having problems with clients associating to me wireless network. Based on the configuration, which option describes the most likely cause of the issue?

• A. Both AES and TKIP must be enabled
• B. SA Query Timeout is set too low
• C. Comeback timer is set too low
• D. PME is set to "required"
• E. MAC Filtering must be enabled

Answer: E

NEW QUESTION 6
An engineer has configured the wireless controller to authenticate clients on the employee SSID against Microsoft Active Directory using PEAP authentication. Which protocol does the controller use to communicate with the authentication server?

• A. EAP
• B. 802.1x
• C. RADIUS
• D. WPA2

Answer: A

Explanation:

Define the Layer 2 Authentication as WPA2 so that the clients perform EAP-based authentication (PEAP-MS-CHAP v2 in this example) and use the advanced encryption standard (AES) as the encryption mechanism. Leave all other values at their defaults. https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/115988-nps-wlc-config-000.html

NEW QUESTION 7
An engineer is configuring a BYOD deployment strategy and prefers a single SSID model. Which technology is required to accomplish this configuration?

• A. mobility service engine
• B. wireless control system
• C. identify service engine
• D. Prime Infrastructure

Answer: C

NEW QUESTION 8
Which three properties are used for client profiling of wireless clients? (Choose Three)

• A. MAC OUI
• B. IP Address
• C. HTTP user agent
• D. DHCP
• E. hostname
• F. OS Version

Answer: ACD

NEW QUESTION 9
A customer is concerned about DOS attacks from a neighboring facility. Which feature can be enabled to help alleviate these concerns and mitigate DOS attacks on a WLAN?

• A. PMF
• B. peer-to-peer blocking
• C. Cisco Centralized Key Management
• D. split tunnel

Answer: A

NEW QUESTION 10
Client Management Frame Protection is supported on which Cisco Compatible Extensions version clients?

• A. v2 and later
• B. v3 and later
• C. v4 and later
• D. v5 only

Answer: D

NEW QUESTION 11
Which option determines which RADIUS server is preferred the most by the Cisco WLC?

• A. the Server Index (Priority) drop-down list
• B. the server status
• C. the server IP address
• D. the port number

Answer: A

NEW QUESTION 12
Which mobility mode must a Cisco 5508 wireless Controller be in to use the MA functionality on a cisco catalyst 3850 series switch with a cisco 550 Wireless Controller as an MC?

• A. classic mobility
• B. new mobility
• C. converged access mobility
• D. auto-anchor mobility

Answer: C

NEW QUESTION 13
Scenario
Local Web Auth has been configured on the East-WLC-2504A, but it is not working. Determine which actions must be taken to restore the Local Web Auth service. The Local Web Auth service must operate only with the Contractors WLAN.
Contractors WLAN ID – 10 Employees WLAN ID - 2
Note, not all menu items, text boxes, or radio buttons are active.

Virtual Terminal





Which four changes must be made to configuration parameters to restore the Local Web Auth feature on the East-WLC-2504A? Assume the passwords are correctly entered as “ciscotest”. (Choose four.)

• A. Remove the existing Local Net User Bill Smith and add a New Local Net User “Bill Smith” password “ciscotest’, WLAN Profile “Contractors”.
• B. Remove WLAN 10 and WLAN 2, replace WLAN 10 with Profile Name Employees and SSID Contractors;replace WLAN 2 with Profile Name Employees and SSID Employees.
• C. Remove WLAN 10 and WLAN 2, replace WLAN 10 with Profile Name Contractors and SSID Contractors, replace WLAN 2 with Profile Name Employees and SSID Employees.
• D. Change the Layer 2 security to None on the Contractors WLAN.
• E. Under Layer 3 Security, change the Layer 3 Security to Web Policy on the Contractors WLAN.
• F. Under Security Local Net Users add a New Local Net User “Bill Smith” password “Cisco”, interface/ Interface Group “east-wing”.
• G. Change the Layer 2 Security to None + EAP Pass-through on the Contractors WLAN.
• H. Under WLANs > Edit “Contractors “change the interface/Interface group to “east-wing”.

Answer: CEFG

NEW QUESTION 14
A wireless engineer must implement a corporate wireless network for a large company with ID 338860948 in the most efficient way possible. The wireless network must support a total of 32 VLANS for 300 employees in different departments.
What is the best configuration option in this scenario?

• A. Configure a second WLC to support half of the APs in the deployment.
• B. Configure different AP groups to support different VLANs, so that all of the WLANs can be broadcast on both radios.
• C. Configure 16 WLANs to be broadcast on the 2.4-GHz band and 16 WLANs to be broadcast on the 5.0-GHz band.
• D. Configure one single SSID and implement Cisco ISE VLLAN assignment according to different user roles.

Answer: B

NEW QUESTION 15
Regarding the guidelines for using MFP, under what circumstances will a client without Cisco compatible Extensions v5 be able to associate to a WLAN?

• A. The DHCP Required box is unchecked.
• B. AAA override is configured for the WLAN
• C. Client MFP is disabled or optional.
• D. WPA2 is enabled with TKIP or AE

Answer: D

NEW QUESTION 16
An engineer ran the PCI report in Cisco Prime Infrastructure and received a warning on PCIDSS
Requirement 2.1.1 that the SNMP strings are set to default and must be changed. Which tab in the Cisco WLC can the engineer use to navigate to these settings?

• A. Management
• B. Security
• C. Controller
• D. Wireless

Answer: A

NEW QUESTION 17
DRAG DROP
Drag the EAP Authentication type on the left to the accurate description provided on the right

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:

NEW QUESTION 18
A customer wants the access points in the CEO’s office to have different usernames and passwords for administrative support than the other access points deployed throughout the facility. Which feature can be enabled on the WLC and access points to achieve this criteria?

• A. Override global credentials
• B. HTTPS access
• C. 802.1x supplicant credentials
• D. local management users

Answer: D

Explanation:

You can configure administrator usernames and passwords to prevent unauthorized users from reconfiguring the switch and viewing configuration information. This section provides instructions for initial configuration and for password recovery.
You can also set administrator usernames and passwords to manage and configure one or more access points that are associated with the switch. https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/16-1/configuration_guide/b_161_consolidated_3650_cg/b_161_consolidated_3650_cg_chapter_01010 111.pdf

NEW QUESTION 19
What is the maximum number of clients that a small branch deployment using a four-member Cisco Catalyst 3850 stack (acting as MC/MA) can support?

• A. 10000
• B. 1000
• C. 500
• D. 2000
• E. 5000

Answer: E

NEW QUESTION 20
An engineer is changing the authentication method of a wireless network from EAP-FAST to EAP-TLS. Which two changes are necessary? (Choose two.)

• A. Cisco Secure ACS is required.
• B. A Cisco NAC server is required.
• C. All authentication clients require their own certificates.
• D. The authentication server now requires a certificate.
• E. The users require the Cisco AnyConnect clien

Answer: CD

NEW QUESTION 21
A customer wants to allow employees to easily onboard their devices to the wireless network. Which process can be configured on Cisco ISE to support this requirement?

• A. self registration guest portal
• B. client provisioning
• C. native supplicant provisioning
• D. local web auth

Answer: B

NEW QUESTION 22
An engineer must enable EAP on a new WLAN and is ensuring that the necessary components are available. Which component uses EAP and 802.1x to pass user authentication to the authenticator?

• A. AP
• B. AAA server
• C. supplicant
• D. controller

Answer: D

NEW QUESTION 23
An engineer configures the wireless LAN controller to perform 802.1x user authentication. Which option must be enabled to ensure that client devices can connect to the wireless, even when WLC cannot communicate with the RADIUS?

• A. local EAP
• B. authentication caching
• C. pre-authentication
• D. Cisco Centralized Key Management

Answer: A

NEW QUESTION 24
Refer to the exhibit. You are configuring an autonomous AP for 802.1x access to a wired infrastructure. What does the command do?

• A. It enables the AP to override the authentication timeout on the RADIUS server.
• B. It configures how long the AP must wait for a client to reply to an EAP/dot1x message before the authentication fails.
• C. It enables the supplicant to override the authentication timeout on the client
• D. It configures how long the RADIUS server must wait for supplicant to reply to an EAP/dot1x message before the authentication fails.

Answer: C

NEW QUESTION 25
A new MSE with wIPS service has been installed and no alarm information appears to be reaching
the MSE from controllers.
What protocol must be allowed to reach the MSE from the controllers?

• A. NMSP
• B. SOAP/XML
• C. SNMP
• D. CAPWAP

Answer: B

NEW QUESTION 26
......