300-430 · Question #172
An ACL is configured to restrict access for BYOD clients. The ACL must redirect devices to the guest portal. To which two devices on the local network must the ACL allow access other than the DHCP ser
The correct answer is B. Cisco ISE C. DNS server. A BYOD redirect ACL must explicitly permit traffic to Cisco ISE and the DNS server so the unregistered device can resolve the portal URL and complete the web-based onboarding flow.
Question
An ACL is configured to restrict access for BYOD clients. The ACL must redirect devices to the guest portal. To which two devices on the local network must the ACL allow access other than the DHCP server? (Choose two.)
Options
- ASNMP server
- BCisco ISE
- CDNS server
- DWLC
- ERADIUS server
How the community answered
(24 responses)- A13% (3)
- B79% (19)
- D4% (1)
- E4% (1)
Why each option
A BYOD redirect ACL must explicitly permit traffic to Cisco ISE and the DNS server so the unregistered device can resolve the portal URL and complete the web-based onboarding flow.
An SNMP server handles network device polling and trap collection and plays no role in the BYOD client web-redirect or portal authentication flow.
Cisco ISE hosts the BYOD and guest portals to which the redirect ACL sends unregistered clients, so the ACL must permit HTTP/HTTPS traffic to ISE or the redirect process will be blocked before the device can complete onboarding.
The DNS server must be permitted in the redirect ACL because the client must resolve the portal hostname to an IP address before any HTTP redirect can succeed - without DNS, the browser cannot reach the ISE guest portal URL.
The WLC manages wireless sessions and enforces the ACL policy, but it is not a destination that a redirected client needs to reach directly to complete portal-based BYOD onboarding.
RADIUS is a backend AAA protocol used between the WLC or switch and ISE for policy enforcement, not a service that the client itself communicates with during a web portal redirect.
Concept tested: BYOD redirect ACL permit entries for ISE portal and DNS
Source: https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/b_ISE_admin_guide_27/b_ise_admin_guide_27_chapter_011110.html
Topics
Community Discussion
No community discussion yet for this question.