Cisco Retake Policy confusion

Dear All,
I appeared for CIPT 2 exam on 13th of May 2009, but i failed the exam. I retake the exam for free and again i failed the exam. My confusion is that should i have to pay the examination fee again for the same exam or i can appear in the exam again for free.
And can anyone tell me how long this policy is valid for.
Please let me know i will be very grateful to you.
Thanks,
Malik.

As far as I know you must pay for it each time you take an exam, pass or fail.
Cheers,
Chad

Similar Messages

Exam retake policy

If I didn't pass in a Microsft exam, like 070-450, how long time I need to wait for re-take the exam?

It's a shame the Microsoft website doesn't provide very much information on this topic. Here's what the Prometric site states:
https://www.prometric.com/en-us/clients/Microsoft/Pages/clientinformation.aspx
Microsoft Exam Retake Policy
If a candidate does not achieve a passing score on an exam the first time,
the candidate must wait at least a 24-hour period before retaking the exam.
If a candidate does not achieve a passing score the second time, the
candidate must wait at least a 14-day period before retaking the exam a third
time.
A 14-day waiting period will also be imposed for the fourth and fifth
subsequent exam retakes. A candidate may not take a given exam any more than
five times per year (12 months). This 12-month period would start the day of the
fifth unsuccessful exam retake. The candidate would then be eligible to retake
the exam 12 months from that date. In order to take a given exam more than five
times per year, a candidate must submit a request and obtain prior permission
from Microsoft.
If a candidate achieves a passing score on an exam, the candidate cannot
take it again.
Beta exams may be taken only once. This policy supersedes the general retake
policy.
In some cases, Microsoft may have special policies for specific exams.
When you see answers and helpful posts, please click Vote As Helpful,
Propose As Answer, and/or Mark As Answer
Jeff Wharton
MSysDev (C.Sturt), MDbDsgnMgt (C.Sturt), MCT, MCPD, MCSD, MCITP, MCDBA
Blog: Mr. Wharty's Ramblings
Twitter: @Mr_Wharty
MC ID:
Microsoft Transcript

Cisco ACS Policy Mapping

Hallo,
I have a question about the policy mapping in ACS 5.4.
When a request matches in "Access Selection Rule" the request goes to an "Access Service".
In "Access Service" there are three kinds of policy rules:
- Identity:
If condition match then result "Identity Source"
- Group Mapping
If condition match then result "Identity Group"
- Authorization
If condition match the result "Auth Profil"
Q1:
For example:
The User "Test" is registered in Internal User with a local password. But now I will authenticate the user "Test" from a RSA Token server. How can I configure this rule in "identity policy"? Wich condition matches to choose the identity source. I will set the internal user with an attribute enumeration field like "Password". The administrator should have an option to choose "locale databse password" or "token passcode".
Q2:
What does it mean: "Group mapping"?
Thx for your answer!
Stefan

Hi Stefan,
The User "Test" is registered in Internal User with a local password. But now I will authenticate the user "Test" from a RSA Token server. How can I configure this rule in "identity policy"? Wich condition matches to choose the identity source. I will set the internal user with an attribute enumeration field like "Password". The administrator should have an option to choose "locale databse password" or "token passcode".
In the identity, if you click on select, you can select the type of Database, you can choose RSA (you will first need to create the connection under Users and Identity Stores-->External Identity Stores-->RSA secure ID)
Another, way is you continue to use the internal users DB, but you go to that user internally and select the password type to be RSA
(you will first need to create the connection under Users and Identity Stores-->External Identity Stores-->RSA secure ID)
Group mapping is a feature to assign a local identity group as a result by choose conditions.
EG:
If (Active directory x) Then (Internal group x)
The IF is the condition and Then is Result.
https://supportforums.cisco.com/docs/DOC-34890
Hope this Helps.
Ed

Cisco prime license confusion

Hi I have installed cisco prime 1.2 to manage router, AP, controller, switch and ISE
and I am confused wiht license
I have this 3 item
1. L-PILMS42-100
2. L-PINCSW11-100
3. L-PINCS11-100
I have already genereted and added item 3 on prime and it work
I gererated item 1 but I cannont add it on cisco prime, he dont reconnize the file
I am unnable to add my ISE on cisco prime
Do I need special licence fro ISE
Do I need to add the 3 license
Please advise

Do you want to use Prime Infrastructure or Prime LMS to manage the Catalyst 2960 switches? In either case it is possible - simply add the devices manually or discover them. Procedure for PI is here. Procedure for LMS is here.
The ISE appliances are not manageable in any but the most basic sense as they are not a supported Cisco device (for either Prime Infrastructure or Prime LMS) and will be seen the same as a generic non-Cisco deivce. i.e., only SNMP polling and traps (and, with LMS, potentially syslog data).

Cisco VSG Policy Engine Logs

Hi,
We are just testing VSG in our environment and have a question regarding policy engine logging.
In reference material , syslog is the method to view what rules and being processed via the enforced policy. So the source
is the VSG to a syslog server.
Is there a way on the Cisco Prime NSC to view the traffic parsing through the VSG.
Regards
Daren

You need to use vpath service chaining if you want to use VSG/ASA together. Below link has information about the service chaining:
http://www.cisco.com/en/US/docs/switches/datacenter/vsg/sw/4_2_1_VSG_1_4_1/video/cisco_vsg_service_chaining_part01.html
Thanks,
Vinod

Cisco 3945 Policy Base Routing

I have a Cisco 3945, it has on it two DS3 lines which I like to treat independent from each other.
I can ping both Serial interfaces from the internet, and I can ping only GIG 0/0 from the internet. but since the router is configured with one static route, GIG 0/1 can't be ping from the outside
Any help would be greatly appreciated
This is my current config:
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname MOVLABT3-CA-ES
boot-start-marker
boot-end-marker
card type t3 1
card type t3 2
enable secret 4 oMCBqgRTCeX5XeEW3HsBW6zI763Fibuq/UrLhF/91Rs
no aaa new-model
no ipv6 cef
ip source-route
ip cef
multilink bundle-name authenticated
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-1015775704
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1015775704
revocation-check none
rsakeypair TP-self-signed-1015775704
crypto pki certificate chain TP-self-signed-1015775704
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31303135 37373537 3034301E 170D3132 30393237 31383132
32305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30313537
37353730 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
810097B2 EE9BF6EF F19DDD93 71CA6D5B D672A749 6997BB7E 81256BFA A2BE8B0F
E8EC5D36 F8618878 88C7016D D8998B95 293DE6F3 C0BB5CFE F2356AFD 26645A29
F3BB69C9 46B6959B 98F35193 9729499A 8C9097FE BD0A80A4 727C87F8 963200CE
E852DD3E 1F9F3B97 1DA1902D 7B352FAE 4FA08D32 95362373 887C6D02 6209152F
73850203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14BCCEA0 AF8EBDF2 05F01968 14CAE720 A41AE8FE EA301D06
03551D0E 04160414 BCCEA0AF 8EBDF205 F0196814 CAE720A4 1AE8FEEA 300D0609
2A864886 F70D0101 05050003 81810066 18505A9D 0D3C4C8F 0C90108D F0606014
0EAE4129 2908928E D4DA7FDC 17D2A21A 4B2689F3 AF6CA062 82A5E7EF 1A0EDA37
297AE79B 65F7182E ED4A57D7 081EC729 A85F2AFB 5A46136A F0F91853 46C89FA7
A1D9F67F 83961EFF E92D7363 D2862517 D1214501 84D675A0 8561891F 4E791F32
6E67990A 9A7B49F9 8D1A8CA0 51AAF2
quit
license udi pid C3900-SPE150/K9 sn FOC16313DE8
hw-module sm 1
hw-module sm 2
controller T3 1/0
cablelength 75
controller T3 2/0
cablelength 75
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
ip address 207.168.4.49 255.255.255.240
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/1
ip address 206.135.120.114 255.255.255.240
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
interface Serial1/0
ip address 206.135.100.202 255.255.255.252
ip nat outside
ip virtual-reassembly in
dsu bandwidth 44210
interface Serial2/0
ip address 205.214.40.6 255.255.255.252
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dsu bandwidth 44210
no ip classless
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 206.135.100.201
access-list 1 permit 10.0.0.0 0.0.0.255
snmp-server community RO-N1mS0ft RO
control-plane
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input all
scheduler allocate 20000 1000
end

This is what it looks like now, and I still can't ping gig 0/1 from the internet
interface GigabitEthernet0/0
ip address 207.168.4.49 255.255.255.240
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/1
ip address 206.135.120.114 255.255.255.240
ip virtual-reassembly in
ip policy route-map pbr
duplex auto
speed auto
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
interface Serial1/0
ip address 206.135.100.202 255.255.255.252
ip virtual-reassembly in
dsu bandwidth 44210
interface Serial2/0
ip address 205.214.40.6 255.255.255.252
ip virtual-reassembly in
encapsulation ppp
dsu bandwidth 44210
ip local policy route-map PBR
no ip classless
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 206.135.100.201
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 101 permit ip 206.135.120.112 0.0.0.15 any
route-map pbr permit 10
match ip address 101
set ip next-hop 205.214.40.5
snmp-server community RO-N1mS0ft RO
control-plane
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input all
scheduler allocate 20000 1000
end

Cisco NAC policy sync

I have a failover CAM configured, one is configured as the Master and the other one is receiver.
when I do manual sync between them this is what happen:
Successfuly completed pre-sync check with 10.10.80.248
then I click continue it fails to sync:
this is the log :
*************** Master Log ***************
Starting policy import/export on Policy Sync Master.
Created dump file for policy: Device Management > Filters > Devices (all Access Types other than ROLE and CHECK)
Created dump file for policy: User Management > User Roles > List of Roles/Schedule
Created dump file for policy: Device Management > Clean Access > Clean Access Agent > Role-Requirements
Created dump file for policy: Device Management > Filters > Devices (Access Type ROLE and CHECK only)
Created dump file for policy: User Management > Traffic Control > IP
Created dump file for policy: User Management > Traffic Control > Host
Created dump file for policy: User Management > Traffic Control > Ethernet
Dump file creation is complete.
Created policy import/export dump file.
No file available for policy sync as large object.
Created policy import/export header file.
Created policy import/export tar file.
*************** Receiver Log ***************
Starting policy import on Policy Sync Receiver.
Hash value is a match.
Policy Sync Master and Receiver CAM versions match.
The Policy Sync Reciever is not active, Please retry policy sync later.
Failed to store all policies on Policy Sync Receiver.
Receiver failed sync

Hi,
Please note that this feature is not meant to be used between 2 CAMs of an HA pair.
As you can see on the config guide:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_admin.html#wp1050935,
- All CAMs must run release 4.5 or later to enable Policy Sync.
- On CAM HA-pairs, Policy Sync settings are disabled for the Standby CAM.
So, this means you can use this feature only in active CAMs or Standalone CAMs.
In HA pairs, Only the Active CAM will be active for this feature.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Cisco Security Policy Builder, does it still exist?

I'm going through the Cisco CCNA Security Lab manual and in Chapter 9 I need to use the security policy builder. The link has since been deprecated (www.ciscowebtools.com/spb). Does anyone know where I can still find this tool or if maybe it has been updated and named something else?
Thanks for the help!
-Mark

Hi Mark,
Did you find it or any other tool similar to it ? It seems to be a very nice tool to start a Security Policy for a company.
If any one know anything about it let us know.
Thanks,
Paulo

Group Policy Confusion

I have a policy package setup that does a number of things. One of these is to set the corporate wallpaper and screensaver. I have the Windows Desktop Prefernces setup to do this and I also have a Windows Group Policy for other things. To enable the screensaver to run I have had to enable the screensaver settings in the GP.
The user is required to enter their password to resume once the screensaver has run. Here-in lies the problem. The screensaver will not accept the novell/edir password to unlock, it will only unlock using the windows credentials.
If I set the GP to handle the screensaver settings this seems to take preference over the desktop policy but the result is the same.
Any ideas why I cant unlock with my edir credentials ?
Thanks

JeffSheehan,
It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.
Has your problem been resolved? If not, you might try one of the following options:
- Visit http://support.novell.com and search the knowledgebase and/or check all
the other self support options and support programs available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.novell.com)
Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.novell.com/faq.php
If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.
Good luck!
Your Novell Forums Team
http://forums.novell.com

Failed SP certification 3 times:Retake Policy

I gave SAP Certified Application Associate - Financial Accounting with SAP ERP 6.0 EHP4 3 times (Did not get certified)
Attended Classroom training from an SAP authorized Training Partner.
(I lost access to E Learning as my exams got delayed beyond 6 months.Had to give the exams without access to them through had some net based material)
Now I want to join another SAP Authorized Training partner (and do E learning) and give the exams.
SAP says one cannot give the exam for the same version after giving the exams 3 times but can one give exams after undergoing training again with a SAP Authorized Partner.I have told them that I have given it 3 times earlier.
Is there a newer version available.
Edited by: Rambo100 on Nov 26, 2011 11:24 AM
Edited by: Rambo100 on Nov 26, 2011 10:42 PM

If you have lots of money, then go and join with another autorised training partner, but it will be the same old story, you will see.
Talk to SAP Singapore, Dubai or Malaysia, probably you do not need to have any pre-requisites.

Cisco ISE inline posture node Posture assessment query

Hi all,
i read the user guide for the ISE 1.1 and in the Inline posture section, I picked up the following text which concerned me if I understand it right...
"In a deployment, such as outlined in the example, when more endpoints connect to the wireless network
they are likely to fall into one of the identity groups that already have authenticated and authorized users
connected to the network.
For instance, there may be an employee, executive, and guest that have been granted access through the
outlined steps. This situation means that the respective restrictive or full-access profiles for those ID
groups have already been installed on the Inline Posture node. The subsequent endpoint authentication
and authorization uses the existing installed profiles on the Inline Posture node, unless the original
profiles have been modified at the Cisco ISE policy configuration. In the latter case, the modified profile
with ACL is downloaded and installed on the Inline Posture node, replacing the previous version."
Does this mean that if a corporate user VPNs in and successfully passes posture and gets a dACL applied to the session allowing full access, will the next user completely skip posture assessment and granted full access to the network if they are a member of the same AD group?
I am planning on using the iPEP for posturing VPN clients and using AD groups to determine the correct dACL to apply to a particular VPN session.
Thanks!
Mario

I'm not too familiar with the actual operations of the Inline Posture node, but it seems to me that the only things that are more or less "cached" are the authentication and authorization profiles that have been previously matched. So, even if they're "cached" and a endpoint matches and authorizes based on those policies, it would match on the policy that provides a pre-posture state. So, a PRE-POSTURE ACL would be pushed and an URL redirect would also occur to the NAC agent download portal (if the endpoint doesn't have it already).
After posture is assessed, a change of authorization would occur and reauthorize that endpoint's session.
So, in short, even if the profiles are cached, they only deliver pre-posture profiles. After posture assessment, the endpoint is goes through reauth via CoA.
If you have access to the partner education connection, I suggest checking out the VoE deep dive series for ISE. There's a posture presentation that would probably help you out.
https://communities.cisco.com/docs/DOC-30977
HTH,
Ryan

Cisco ISE 1.1 Guest Portal Services

Do you have to have separate ISE appliances or VM clusters to have have 2 separate "Guest Portal" services?
I have two sites that have their own equipment (Arizona / Illinois):
- Cisco ISE Server
- Cisco Wireless LAN Controller
- Cisco Wireless Anchor Controller
- Cisco ASA
My understanding is that I'd need to have the ISE boxes running in "STAND ALONE" mode in order to have two separate "Guest Networks / Portal".
Thanks in advance!!!

Hi,
Each Cisco ISE policy services node can run a guest portal also if they run in one deployment.
Depending on the way you mean "separate", your requirement can be met in one deployment or in two stand alone deployments.
Depending on your approach you need four Cisco ISE machines to build the in "one deployment" option.
2 Admin/Monitoring Nodes (Admin is Active/Standby, Monitoring is Active/Active) and two Policy Services Nodes (RADIUS Servers). Both Policy Services Nodes can run the guestportal. The configuration of the WLC determines which Policy Services Node is being used. ISE use RADIUS URL redirect is used to redirect to it's own guest portal.
Hope that helps.

Cisco support for third-party apps on SRE?

Hi - I am thinking about running some third-party unified communications apps under VMWare ESXi5 on a Cisco SRE 900 module. According to the Cisco docs, third-party apps are supported on these modules (see table below) but the app in question is NOT on Cisco's list below.
http://www.cisco.com/en/US/prod/collateral/modules/ps10598/data_sheet_c78-553913.html
Some questions:
1. As long as the third-party app is capable of running under VMWare/VSphere ESXi5, is there anything on the SRE that would prevent you from running this third-party app even though it's not on Cisco's list?
2. What is Cisco's policy on the use of third-party apps that are not on their list? For example, will they take a support call on the SRE running a non-listed app (I am not expecting them to help me with the app but I don't want to void any sort of support contract through the use of a third-party app not on their list).
Thanks !

As long as 3rd party app is capable of running on ESXi 5 it would run on SRE hardware. Cisco doesn't prevent these apps from running even if they are competitive. From a support perspective Cisco TAC will not take any support calls for these applications nor would know how to redirect the call to these 3rd party partners. Cisco TAC will only support SRE and ESXi related issues.

NAC appliance(security policy/update-files)

Does anyone know something concerning to the following issues?
Please teach me what I can refer to on the WEB,if possible.
1. Is there any way to apply the policy(checking OS/AV) to the kind of client devices which CAA hadn't been installed such like guest user?
2. Is it possible that NAC appliance does clients only "port-scanning" (not checking OS/AV)?
3. If user-company already has their own "Anti-Virus Server" or "Windows-update Server", can CAM refer to their servers(not Cisco's policy-update-server) to get current update files?
4. How long does it take the update-files become available via Cisco's policy-update-server after each OS/AV-vender had released them?
Regards

No, we should install Cisco Trust agent S/W in order to collect the information about the OS versions, AV versions etc to the Policy server. And based on the security policy of the organisation, we can communicate with the AV vendors like symmntac, Mcafee servers directly for the latest patches and updates.

RE: Upgrading IDS4210 to Signature S289

Hello,
With regard to the Upgrading of the above IDS device, just reading through the "Cisco IPS Active Update Bulletin: 06-05-2007" that was emailed to me it states:
"The S289 signature update can ONLY be applied to version 5.1(5)E1 or later sensors as follows:
This signature update is supported on the IDS-4210, IDS-4215, IDS-4235, IPS-4240, IDS-4250, IPS-4255 and IPS-4260 Series Sensor Appliances"
But reading the Readme file on the Website it states:
"The IPS-sig-S289-req-E1.pkg upgrade file can be applied to
the following sensor platforms:
- IPS-42xx Cisco Intrusion Prevention System (IPS) sensors
- IDS-42xx Cisco Intrusion Detection System (IDS) sensors (except the IDS-4210, IDS-4220, and IDS-4230)"
Which one is right?
Slightly confused.
Regards,
Mark

It is a grey area.
The IDS-4210 was End-of-sale back on Dec 6, 2003:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/prod_eol_notice09186a008032d508.html
By Cisco's Policy it will support signature updates on an End-of-sale sensor for a minimum of 3 years from the End-of-sale. So Signature Update support was guaranteed by policy only up till this past Dec 3, 3006.
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/prod_bulletin0900aecd80358daa.html
However, nothing has been done to intentionally prevent signature udpates newer than Dec 2006 from being installed on an IDS-4210.
I am not aware of any plan at this point to intentionally prevent installation of siganture updates on an IDS-4210.
In addition understand that the policy is a minimum of 3 years, but I am not sure how much longer than 3 years it would be officially supported.
IPS 5.1 software will continue to receive signature updates for another 18 months, and it is possible these 5.1 sig updates will continue to be installable on an IDS-4210.
This confusion is likely why the 2 documents are not in sync.
In addition the E1 signature update readme was originally written for 6.0 updates and IDS-4210 is not supported in 6.0. The 5.1 versions did not switch to E1 until later. When the readme was updated to cover both 5.1 and 6.0 it is possible that the supported platform list change (to add back in IDS-4210) was just overlooked. So I am not sure if it was intentionally put in not to support the IDS-4210 or if it was an editing mistake.
Personally I would recommend going ahead and installing it (save off your config before upgrading just in case).
If it installs OK (no bugs pop up during installation), then you should be fine running it on your IDS-4210.
But if problems do arise in installation of a future signature update, then you hit that grey area. And I am not sure what the response would be if that were to happen.
I will send an email out to our internal team and see what the "official" word is on IDS-4210 sig update support.
I would, however, recommend that you go ahead and see about upgrading to a newer sensor model.

Cisco Retake Policy confusion

Similar Messages

Maybe you are looking for