nerdexam
Cisco

300-430 · Question #356

Refer to the exhibit. A network administrator must migrate a Cisco Catalyst 9800 WLC from local client profiling to RADIUS profiling through Cisco ISE. The engineer must enable RADIUS CoA based on det

The correct answer is B. reauth. When Cisco ISE detects a client profile change, it must trigger a CoA to immediately apply the updated authorization policy. The reauth CoA type forces client re-authentication without dropping the connection, allowing ISE to assign the correct policy based on the Windows profile

Security for Wireless Client Connectivity

Question

Refer to the exhibit. A network administrator must migrate a Cisco Catalyst 9800 WLC from local client profiling to RADIUS profiling through Cisco ISE. The engineer must enable RADIUS CoA based on detecting the client type as Windows to update the access policy based on profile detection immediately. Which CoA type configuration must the engineer apply on Cisco ISE?

Exhibit

300-430 question #356 exhibit

Options

  • Ano CoA
  • Breauth
  • Cport
  • Dbounce
  • Epreauth

How the community answered

(50 responses)
  • A
    2% (1)
  • B
    82% (41)
  • C
    4% (2)
  • D
    2% (1)
  • E
    10% (5)

Why each option

When Cisco ISE detects a client profile change, it must trigger a CoA to immediately apply the updated authorization policy. The reauth CoA type forces client re-authentication without dropping the connection, allowing ISE to assign the correct policy based on the Windows profile detection.

Ano CoA

No CoA disables Change of Authorization entirely, meaning ISE will not trigger any policy update when it detects the Windows client type, failing the requirement for immediate policy enforcement.

BreauthCorrect

Reauth CoA sends a RADIUS Disconnect or CoA-Request that forces the wireless client to re-authenticate against ISE, which causes ISE to evaluate the updated profiling result (Windows device type) and apply the appropriate authorization policy immediately. Unlike port bounce, reauth is non-disruptive to the network session and is the recommended CoA type for policy updates triggered by profiling on wireless clients connected to a Catalyst 9800 WLC. This satisfies the requirement to update access policy immediately upon profile detection without unnecessarily interrupting connectivity.

Cport

Port CoA bounces the physical switch port, which is disruptive and designed for wired infrastructure - it disconnects all clients on that port and is not appropriate for a wireless RADIUS profiling scenario where only re-authentication is needed.

Dbounce

Bounce CoA also triggers a port bounce, which disconnects the client from the network and forces a full reconnect cycle - this is more disruptive than necessary and not the correct approach when the goal is simply to re-evaluate authorization policy based on updated profile data.

Epreauth

Preauth is not a standard Cisco ISE CoA type for post-authentication profiling - it is not a valid CoA configuration option in this context and would not achieve the goal of updating access policy after client type detection.

Concept tested: Cisco ISE RADIUS CoA type for client profiling policy update

Source: https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/admin_guide/b_ise_admin_3_3/b_ISE_admin_33_profiler.html

Topics

#RADIUS profiling#Cisco ISE#CoA#client profiling migration

Community Discussion

No community discussion yet for this question.

Full 300-430 Practice