300-430 · Question #102
The security learn is concerned about the access to all network devices, including the Cisco WLC. To permit only the admin subnet to have access to management, a CPU ACL is created and applied. Howeve
The correct answer is B. Access to Cisco ISE must be allowed on the pre authentication ACL.. In a Cisco ISE Central Web Authentication deployment, the pre-authentication ACL on the WLC must explicitly permit guest traffic toward ISE so that unauthenticated clients can be redirected to the guest portal.
Question
The security learn is concerned about the access to all network devices, including the Cisco WLC. To permit only the admin subnet to have access to management, a CPU ACL is created and applied. However, guest users cannot get to the web portal. What must be configured to permit only admins to have access?
Options
- AThe guest portal must be configured on the CPU ACLs on the Cisco WLC.
- BAccess to Cisco ISE must be allowed on the pre authentication ACL.
- CManagement traffic from the guest network must be configured on the ACL rules.
- DTraffic toward the virtual interface must be permitted.
How the community answered
(38 responses)- A3% (1)
- B66% (25)
- C11% (4)
- D21% (8)
Why each option
In a Cisco ISE Central Web Authentication deployment, the pre-authentication ACL on the WLC must explicitly permit guest traffic toward ISE so that unauthenticated clients can be redirected to the guest portal.
CPU ACLs filter only traffic destined to the WLC's own CPU for management purposes and have no effect on guest data-plane redirect traffic, so configuring the guest portal within the CPU ACL does not restore portal access.
The CPU ACL and the pre-authentication ACL serve different purposes - the CPU ACL correctly restricts management-plane access to the admin subnet, while the per-WLAN pre-authentication ACL must separately allow DNS, DHCP, and traffic destined for ISE so the redirect URL can be delivered and the guest portal can be reached before authentication completes.
Adding management traffic from the guest network to the CPU ACL rules would grant guests management-plane access, which contradicts the security goal, and still would not enable the guest portal redirect flow.
Permitting traffic to the virtual interface is relevant for local web authentication where the WLC itself hosts the portal, but in an ISE-based CWA scenario the portal is hosted on ISE and the pre-authentication ACL - not virtual-interface permissions - controls redirect reachability.
Concept tested: WLC CPU ACL vs pre-authentication ACL for ISE CWA guest portal
Source: https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/213900-configure-ise-central-web-authentication.html
Topics
Community Discussion
No community discussion yet for this question.