nerdexam
Cisco

300-430 · Question #216

Refer to the exhibit. An ACL is configured to restrict access for BYOD clients. The ACL must redirect devices to the guest portal. To which two devices on the local network must the ACL allow access o

The correct answer is B. DNS server C. Cisco ISE. A BYOD redirect ACL must permit client access to the DNS server and Cisco ISE so that clients can resolve hostnames and load the guest portal for authentication.

Security for Wireless Client Connectivity

Question

Refer to the exhibit. An ACL is configured to restrict access for BYOD clients. The ACL must redirect devices to the guest portal. To which two devices on the local network must the ACL allow access other than the DHCP server? (Choose two.)

Exhibit

300-430 question #216 exhibit

Options

  • ARADIUS server
  • BDNS server
  • CCisco ISE
  • DSNMP server
  • EWLC

How the community answered

(29 responses)
  • A
    3% (1)
  • B
    83% (24)
  • D
    3% (1)
  • E
    10% (3)

Why each option

A BYOD redirect ACL must permit client access to the DNS server and Cisco ISE so that clients can resolve hostnames and load the guest portal for authentication.

ARADIUS server

The RADIUS server handles back-end authentication decisions between the WLC and the policy engine; it does not need to be directly reachable by the BYOD client in a web redirect ACL.

BDNS serverCorrect

DNS access is essential in a web-redirect scenario because the client browser must resolve the hostname in the guest portal URL before the HTTP redirect can succeed. If the ACL blocks DNS traffic on UDP/TCP port 53, the client cannot determine the IP address of the portal and the entire redirect flow fails. The ACL must explicitly permit traffic to the DNS server.

CCisco ISECorrect

Cisco ISE hosts the guest and BYOD onboarding portals that the redirect ACL is designed to direct clients toward. The ACL must explicitly permit HTTP and HTTPS traffic from the client to the ISE Policy Service Node interface so the portal page can load. Without this permit rule, the client will receive the redirect response but will get no reply from the portal server.

DSNMP server

The SNMP server is used for network management and monitoring and plays no role in the client-side portal redirect or BYOD authentication flow.

EWLC

The WLC enforces the ACL and terminates the wireless session; the client communicates with it implicitly through the wireless association, so no explicit ACL permit rule to the WLC is needed to enable the redirect.

Concept tested: BYOD redirect ACL required permit entries for portal access

Source: https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/b_ISE_admin_guide_24_chapter_0111.html

Topics

#BYOD#ACL#guest portal redirect#ISE

Community Discussion

No community discussion yet for this question.

Full 300-430 Practice