Cisco 300-715 SISE: Minimize the number of objects created in Cisco ISE

Question

The IT manager wants to provide different levels of access to network devices when users authenticate using TACACS+. The company needs specific commands to be allowed based on the Active Directory group membership of the different roles within the IT department. The solution must minimize the number of objects created in Cisco ISE. What must be created to accomplish this task?

A. one shell profile and one command set
B. multiple shell profiles and one command set
C. one shell profile and multiple command sets
D. multiple shell profiles and multiple command sets

Answer

C. one shell profile and multiple command sets

Explanation

To accomplish this task, one shell profile and multiple command sets must be created in the Cisco Identity Services Engine (ISE). This solution minimizes the number of objects created in Cisco ISE while providing different levels of access to network devices based on the Active Directory group membership of the various IT department roles.

The shell profile defines the set of attributes that are sent to the network device during the TACACS+ authentication process. In this scenario, a single shell profile can be created to map the attributes for all IT department roles. The shell profile can include attributes such as Privilege-Level and custom attributes specific to the network device.

The command sets are used to define the specific sets of commands that are allowed or denied for each Active Directory group. In this case, multiple command sets can be created to map the required commands for each IT department role. For example, a command set can be created for network administrators with full access to all commands, while another command set can be created for helpdesk staff with limited access to specific commands.

By using one shell profile and multiple command sets, the IT manager can efficiently provide different levels of access to network devices based on the Active Directory group membership without creating an excessive number of objects in Cisco ISE. This approach allows for a scalable and manageable solution that meets the company’s requirements.
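The design described above, as an added example that is not part of the original page and is not Cisco ISE code: a simplified model in which every Active Directory group receives the same shell profile and only the command set differs. The group names, object names, command patterns, the shared privilege level of 15 and the first-match rule evaluation are assumptions made for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class ShellProfile:
    name: str
    privilege_level: int  # session attribute returned to the device


@dataclass(frozen=True)
class CommandSet:
    name: str
    rules: tuple                   # ordered (grant, pattern) pairs, first match wins
    permit_unlisted: bool = False  # what happens to commands no rule matches

    def allows(self, command: str) -> bool:
        for grant, pattern in self.rules:
            if fnmatchcase(command, pattern):
                return grant == "permit"
        return self.permit_unlisted


# Constructed sample policy: one shared shell profile, one command set per role.
SHARED_SHELL = ShellProfile("IT-Shell", privilege_level=15)
COMMAND_SETS = {
    "NetAdmins": CommandSet("Admin-Full", rules=(), permit_unlisted=True),
    "Helpdesk": CommandSet("Helpdesk-Limited", rules=(
        ("deny", "show running-config*"),  # listed before the broader permit
        ("permit", "show *"),
        ("permit", "ping *"),
    )),
}


def authorize(ad_groups, command):
    """Return (shell_profile, command_set, allowed) for the first matching group."""
    for group, cmd_set in COMMAND_SETS.items():
        if group in ad_groups:
            return SHARED_SHELL.name, cmd_set.name, cmd_set.allows(command)
    return None, None, False  # no group matched: deny by default


def object_count():
    """Objects created: one shell profile plus the distinct command sets."""
    return 1 + len({cs.name for cs in COMMAND_SETS.values()})
```

Adding a role in this model means adding one command set and one group mapping; the shell profile count stays at one.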

The steps to create a shell profile and multiple command sets in Cisco ISE are:

  1. Log in to Cisco ISE.
  2. Click on the Work Centers menu and select Device Administration.
  3. Click on the Shell Profiles tab.
  4. Click on the Add button.
  5. Enter a name for the shell profile.
  6. Select the TACACS+ authentication method.
  7. Click on the Add button next to the Command Sets field.
  8. Select the command sets that you want to include in the shell profile.
  9. Click on the Save button.

Once the shell profile has been created, you can assign it to users by following these steps:

  1. Click on the Work Centers menu and select Device Administration.
  2. Click on the Users tab.
  3. Click on the Add button.
  4. Enter a username and password for the user.
  5. Select the Shell Profiles tab.
  6. Select the shell profile that you created in the previous step.
  7. Click on the Save button.

Once the user has been assigned to the shell profile, they will be able to run the commands that are included in the command sets.

Once you have completed these steps, users will be able to access the network devices based on their Active Directory group membership and the commands that are defined in the command sets.

The other options are not correct because:

A. one shell profile and one command set: This option will not provide different levels of access to network devices based on the Active Directory group membership of the users. It will only provide one level of access for all users.

B. multiple shell profiles and one command set: This option will not provide different levels of access to network devices based on the Active Directory group membership of the users. It will only provide different session attributes for different users but not different commands.

D. multiple shell profiles and multiple command sets: This option will provide different levels of access to network devices based on the Active Directory group membership of the users but it will also create more objects in Cisco ISE than necessary. It will create multiple shell profiles that may have redundant or overlapping attributes.

In summary, to accomplish the task efficiently, the IT manager should create one shell profile and multiple command sets in Cisco ISE. This approach allows for different levels of access to network devices based on Active Directory group membership while minimizing the number of objects created.
