Cisco 400-251 CCIE Security Written Exam (v5.0) Online Training
Cisco 400-251 Online Training
The questions for 400-251 were last updated at Dec 19, 2025.
- Exam Code: 400-251
- Exam Name: CCIE Security Written Exam (v5.0)
- Certification Provider: Cisco
- Latest update: Dec 19, 2025
In your ISE design, there are two TACACS profiles that are created for a device administration:
Help Desk_Profile and IOS_Admin_Profile. The Help Desk profile should log the user in with privilege 1, with the ability to change the privilege level to 15. The Admin profile should log the user in with privilege 15 by default.
Which two commands must the Help Desk user enter on the IOS device to access privilege level 15? (Choose two)
- A . Enable secret
- B . Enable 15
- C . Enable
- D . Enable password
- F . Enable IOS_Admin profile
Which criteria does ASA use for packet classification if multiple contexts share an ingress interface MAC address?
- A . ASA ingress interface IP address
- B . policy-based routing on ASA
- D . destination MAC address
- E . ASA ingress interface MAC address
- G . ASA egress interface IP address
For your enterprise ISE deployment, you want to use certificate-based authentication for all your Windows machines. You have already pushed the machine and user certificates out to all the machines using GPO. By default, certificate-based authentication neither checks the certificate against Active Directory nor requires credentials from the user. This essentially means that no groups are returned as part of the authentication request.
In which way can the user be authorized based on Active Directory group membership?
- A . The certificate must be configured with the appropriate attributes that contain the appropriate group information, which can be used in Authorization policies
- B . Configure the Windows supplicant to use saved credentials as well as certificate-based authentication
- C . Enable Change of Authorization on the deployment to perform double authentication
- D . Configure Network Access Device to bypass certificate-based authentication and push configured user credentials as a proxy to ISE
- E . Use EAP authorization to retrieve group information from Active directory
- F . Use ISE as the Certificate Authority which allows for automatic group retrieval from Active directory to perform the required authorization
Refer to the exhibit.
R3
ip vrf mgmt
!
crypto keyring CCIE vrf mgmt
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!
crypto isakmp policy 33
encr 3des
authentication pre-share
group 2
lifetime 600
!
crypto ipsec transform-set site_ab esp-aes-256 esp-sha-hmac
mode tunnel
!
crypto ipsec profile site_a
set security-association lifetime seconds 600
set transform-set site_ab
!
crypto gdoi group group_a
identity number 100
server local
rekey algorithm aes 256
rekey lifetime seconds 300
rekey retransmit 10 number 3
rekey authentication mypubkey rsa cciekey
rekey transport unicast
sa ipsec 1
profile site_a
match address ipv4 site_a
replay counter window-size 64
no tag
address ipv4 10.1.20.3
!
interface GigabitEthernet3
ip address 10.1.20.3 255.255.255.0
!
ip access-list extended site_a
permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
R3 is the key server in a GETVPN VRF-Aware implementation. The group members for site a register with the key server via interface address 10.1.20.3/24 in the management VRF "mgmt". The GROUP ID for site a is 100, used to retrieve group policy and keys from the key server.
The traffic to be encrypted by the site a group members is between 192.186.4.0/24 and 192.186.5.0/24. The preshared key used by the group members to authenticate with the key server is "cisco". It has been reported that group members cannot perform encryption for the traffic defined in the group policy of site a.
Which two possible issues are true? (Choose two)
- A . The registration interface is not part of management VRF "mgmt"
- B . incorrect encryption traffic defined in the group policy
- C . incorrect encryption in ISAKMP policy
- D . incorrect password in the keyring configuration
- E . The GDOI group has an incorrect local server address
- F . incorrect security-association time in the IPsec profile
Refer to the exhibit.
R15
crypto pki trustpoint ccier15
enrollment url http://172.16.100.17:8080
serial-number
ip-address 172.16.100.15
subject-name CN=r15 O=cisco.com
revocation-check none
source interface Loopback0
rsakeypair ccier15
!
crypto isakmp policy 1516
encr aes
hash md5
group 2
!
crypto ipsec transform-set ts1516 esp-aes esp-sha-hmac
mode tunnel
!
crypto map r15r16 1516 ipsec-isakmp
set peer 10.1.7.16
set transform-set ts1516
match address 110
!
interface Loopback0
ip address 172.16.100.15 255.255.255.255
!
interface Loopback1
ip address 192.168.15.15 255.255.255.0
!
interface GigabiEthernet1
ip address 20.1.6.15 255.255.255.0
netgotiation auto
crypto map r15r16
!
router bgp 6
bgp log-neighbor-changes
network 172.16.100.15 mask 255.255.255.255
neighbor 20.1.6.18 remote-as 678
neighbor 20.1.6.18 password cisco
!
ip route 192.168.16.0 255.255.255.0 20.1.7.16
access-list 110 permit ip 192.168.15.0 0.0.0.255 192.168.16.0 0.0.0.255
!
ntp authentication-key 11 md5 ccie
ntp authenticate
ntp trusted-key 12
ntp server 150.1.7.131 key 12
!
ip domain name cisco.com
R15 is building a Site-to-Site IPsec certificate-based VPN tunnel with the peer at 20.1.7.16. The CA is running at port 80 on address 172.16.100.18. R15 has a BGP peer at 20.6.1.18 doing an authenticated session to establish reachability with the VPN remote site.
The VPN tunnel secures traffic between 192.168.15.0/24 and 192.168.16.0/24 networks.
It has been reported that the VPN tunnel is not coming up with the remote site. What could be the issues? (Choose two)
- A . Incorrect ACL defined for the traffic encryption
- B . Incorrect static route
- C . Incorrect crypto map configuration
- D . Incorrect ISAKMP policy configuration
- E . The crypto map is not applied on the correct interface
- F . Incorrect trustpoint configuration
- G . Incorrect BGP peer Configuration
- H . Incorrect transform set configuration
Refer to the exhibit.
aaa authentication login default group radius
aaa authentication login NO_AUTH none
aaa authentication login vty local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting update newinfo
aaa accounting dot1x default start-stop group radius
!
ip dhcp excluded-address 60.1.1.11
ip dhcp excluded-address 60.1.1.2
!
ip dhcp pool mabpc-pool
network 60.1.1.0 255.255.255.0
default-router 60.1.1.2
!
cts sxp enable
cts sxp default source-ip 10.9.31.22
cts sxp default password ccie
cts sxp connection peer 10.9.31.1 password default mode peer listener hold-time0
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/9
switchport mode access
ip device tracking maximum 10
authentication host-mode multi-auth
authentication port-control auto
mab
!
radius-server host 161.1.7.14 key cisco
radius-server timeout 60
!
interface VLAN10
ip address 10.9.31.22 255.255.255.0
!
interface Vlan50
no ip address
!
interface Vlan60
ip address 60.1.1.2 255.255.255.0
!
interface Vlan150
ip address 150.1.7.2.255.255.255.0
Looking at the configuration, what may cause the MAB authentication to fail for a supplicant?
- A . There is an issue with the DHCP pool configuration
- B . The VLAN configuration is missing on the authentication port
- C . Incorrect CTS configuration on the switch
- D . AAA authorization is incorrectly configured on the switch.
- E . CoA configuration is missing
- F . Dot1x should be globally disabled for MAB to work
- G . Switch configuration is properly configured and the issue is on the Radius server.
In your corporate environment, you have various Active Directory groups based on the organizational structure and would like to ensure that users are only able to access certain resources depending on which group(s) they belong to. This policy should apply across the network. You have ISE, ASA and WSA deployed, and would like to ensure the appropriate policies are present so that access is based only on the user's group membership. Additionally, you don't want the user to authenticate multiple times to get access.
Which two policies are used to set this up? (Choose two)
- A . Deploy Cisco TrustSec infrastructure, with ASA and WSA integrated with ISE to transparently identify the user based on SGT assignment when the user authenticates to the network. The SGTs can then be used in access policies
- B . Deploy ISE, integrate it with Active Directory, and based on group membership authorize the user to specific VLANs. These VLANs (with specific subnets) should then be used in access policies on the ASA as well as the WSA
- C . Deploy a Single Sign-On infrastructure such as Ping, and integrate ISE, ASA and WSA with it. Access policies will be applied based on the user's group membership retrieved from the authentication infrastructure.
- D . Configure ISE as an SSO Service Provider, and integrate with ASA and WSA using pxGrid. ASA and WSA will be able to extract the relevant identity information from ISE to apply to the access policies once the user has authenticated to the network
- E . Integrate ISE, ASA and WSA with Active Directory. Once the user is authenticated to the network through ISE, the ASA and WSA will automatically extract the identity information from AD to apply the appropriate access
- F . Configure ISE to relay learned SGTs for the authenticated sessions with the bound destination address using SXP to SXP speakers that will be used to apply access policies at the traffic ingress point for segmentation
All your employees are required to authenticate their devices to the network, be they company-owned or employee-owned assets, with ISE as the authentication server. The primary identity store used is Microsoft Active Directory, with username and password authentication. To ensure the security of your enterprise, your security policy dictates that only company-owned assets should be able to get access to the enterprise network, while personal assets should have restricted access.
Which option would allow you to enforce this policy using only ISE and Active Directory?
- A . Configure an authentication policy that uses the computer credentials in Active Directory to determine whether the device is company owned or personal
- B . This would require deployment of a Mobile Device Management (MDM) solution, which can be used to register all devices against the MDM server, and use that to assign appropriate access levels.
Configure an authentication policy that checks against the MAC address database of company assets in the ISE endpoint identity store to determine the level of access depending on the device.
- C . Configure an authorization policy that checks against the MAC address database of company assets in the ISE endpoint identity store to determine the level of access depending on the device
- D . Configure an authorization policy that assigns the device the appropriate profile based on whether the device passes Machine Authentication or not
Which statement about the Sender Base functionality is true?
- A . ESA sees a high negative score from Sender Base as meaning it is very unlikely that the sender is sending spam
- B . Sender Base uses DNS-based blacklist as one of the sources of information to define reputation score of sender’s IP address.
- C . WSA uses Sender Base information to configure URL filtering policies.
- D . ESA uses destination address reputation information from SenderBase to configure mail policies
- E . Sender Base uses spam complaints as one of the sources of information to define the reputation score of the receiver IP address
- F . ESA sees a high positive score from Sender Base as meaning it is very likely that the sender is sending spam.
- G . ESA uses source address reputation to configure URL filtering policies.
You have an ISE deployment with two nodes that are configured as PAN and MnT (Primary and Secondary), and 4 Policy Services Nodes.
How many additional PSNs can you add to this deployment?
- A . 0
- B . 1
- C . 3
- D . 5
- E . 4
- F . 2