nerdexam
Cisco

300-425 · Question #221

A customer has this wireless design: - two Cisco Catalyst 9800 Series wireless controllers configured in a high-availability SSO cluster to manage APs in the local office network - 100 APs in local mo

The correct answer is B. Send the AAA server accounting and authentication traffic from the anchor WLC.. When a WLAN is anchored to a specific WLC, all AAA authentication and accounting traffic for that WLAN must originate from the anchor WLC, not the foreign or HA cluster controllers.

Wireless Security and Mobility

Question

A customer has this wireless design:

  • two Cisco Catalyst 9800 Series wireless controllers configured in a

high-availability SSO cluster to manage APs in the local office network

  • 100 APs in local mode and registered to the high-availability cluster
  • one Catalyst 9800 Series wireless controller that is deployed as an

anchor in a DMZ

  • Cisco ISE for user authentication and authorization

The customer wants to deploy a new SSID to support staff BYOD devices and authenticate users via Cisco ISE. The SSID terminates on the anchor WLC. How must the requirement be incorporated into the design to address the AAA servers for the WLAN?

Options

  • ASend the AAA server accounting and authentication traffic from the high-availability cluster.
  • BSend the AAA server accounting and authentication traffic from the anchor WLC.
  • CSend the accounting traffic from the anchor WLC and the authentication traffic from the high-
  • DSend the accounting traffic from the high-availability cluster and the authentication traffic from the

How the community answered

(27 responses)
  • A
    4% (1)
  • B
    78% (21)
  • C
    7% (2)
  • D
    11% (3)

Why each option

When a WLAN is anchored to a specific WLC, all AAA authentication and accounting traffic for that WLAN must originate from the anchor WLC, not the foreign or HA cluster controllers.

ASend the AAA server accounting and authentication traffic from the high-availability cluster.

Sending AAA traffic from the HA cluster is incorrect because the client session is not terminated on the foreign cluster - the cluster only tunnels client traffic to the anchor and cannot authoritatively generate authentication or accounting requests for anchored clients.

BSend the AAA server accounting and authentication traffic from the anchor WLC.Correct

In a foreign-anchor WLC architecture, the anchor WLC owns the client session for anchored SSIDs - it handles IP address assignment, policy enforcement, and all associated AAA interactions. Because the BYOD SSID terminates on the anchor WLC in the DMZ, all RADIUS authentication and accounting requests must be sourced from the anchor so that Cisco ISE can correctly identify the policy context, match the correct authorization profile, and maintain accurate session accounting records.

CSend the accounting traffic from the anchor WLC and the authentication traffic from the high-

Splitting accounting from the anchor and authentication from the HA cluster is not supported in the anchor-foreign model and would result in mismatched session records in ISE, causing unreliable authorization and broken CoA flows.

DSend the accounting traffic from the high-availability cluster and the authentication traffic from the

Sending accounting from the HA cluster and authentication from the anchor contradicts the anchor-foreign design - the anchor must handle both functions because it owns the anchored WLAN client session end-to-end.

Concept tested: Anchor WLC AAA server configuration for anchored SSIDs

Source: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/m_anchor_guest.html

Topics

#anchor WLC#ISE authentication#BYOD SSID#AAA traffic flow

Community Discussion

No community discussion yet for this question.

Full 300-425 Practice