nerdexam
Cisco

300-430 · Question #172

An ACL is configured to restrict access for BYOD clients. The ACL must redirect devices to the guest portal. To which two devices on the local network must the ACL allow access other than the DHCP ser

The correct answer is B. Cisco ISE C. DNS server. A BYOD redirect ACL must explicitly permit traffic to Cisco ISE and the DNS server so the unregistered device can resolve the portal URL and complete the web-based onboarding flow.

Security for Wireless Client Connectivity

Question

An ACL is configured to restrict access for BYOD clients. The ACL must redirect devices to the guest portal. To which two devices on the local network must the ACL allow access other than the DHCP server? (Choose two.)

Options

  • ASNMP server
  • BCisco ISE
  • CDNS server
  • DWLC
  • ERADIUS server

How the community answered

(24 responses)
  • A
    13% (3)
  • B
    79% (19)
  • D
    4% (1)
  • E
    4% (1)

Why each option

A BYOD redirect ACL must explicitly permit traffic to Cisco ISE and the DNS server so the unregistered device can resolve the portal URL and complete the web-based onboarding flow.

ASNMP server

An SNMP server handles network device polling and trap collection and plays no role in the BYOD client web-redirect or portal authentication flow.

BCisco ISECorrect

Cisco ISE hosts the BYOD and guest portals to which the redirect ACL sends unregistered clients, so the ACL must permit HTTP/HTTPS traffic to ISE or the redirect process will be blocked before the device can complete onboarding.

CDNS serverCorrect

The DNS server must be permitted in the redirect ACL because the client must resolve the portal hostname to an IP address before any HTTP redirect can succeed - without DNS, the browser cannot reach the ISE guest portal URL.

DWLC

The WLC manages wireless sessions and enforces the ACL policy, but it is not a destination that a redirected client needs to reach directly to complete portal-based BYOD onboarding.

ERADIUS server

RADIUS is a backend AAA protocol used between the WLC or switch and ISE for policy enforcement, not a service that the client itself communicates with during a web portal redirect.

Concept tested: BYOD redirect ACL permit entries for ISE portal and DNS

Source: https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/b_ISE_admin_guide_27/b_ise_admin_guide_27_chapter_011110.html

Topics

#BYOD ACL#guest portal redirect#Cisco ISE#DNS

Community Discussion

No community discussion yet for this question.

Full 300-430 Practice