Implementing and Configuring Cisco Identity Services Engine (SISE) — Question 323
A Cisco ISE engineer is creating a certificate authentication profile to be used with machine authentication for the network. The engineer wants to be able to compare the user-presented certificate with a certificate stored in Active Directory. What must be done to accomplish this?
Answer options
- A. Configure the user-presented password hash and a hash stored in Active Directory for comparison
- B. Enable the option for performing binary comparison
- C. Use MS-CHAPv2 since it provides machine credentials and matches them to credentials stored in Active Directory
- D. Add the subject alternative name and the common name to the CAP
Correct answer: B
Explanation
The correct answer is B: enabling binary comparison in the certificate authentication profile lets Cisco ISE compare the user-presented certificate with the one stored in Active Directory. Option A is incorrect because password hashes play no part in certificate comparison. Option C is not relevant, as MS-CHAPv2 is an authentication protocol rather than a means of comparing certificates. Option D does not directly address the requirement of comparing certificates.