300-715 Question #287: Real Exam Question with Answer & Explanation

Question

An administrator has manually added the MAC address of a wireless device to the Blocklist Identity Group for testing. When the device connects to the wireless network it triggers the Wireless Block List Default rule, but the device is still allowed to access the wireless network. What additional step must be taken to resolve tissue?

Options

• ADisable URL redirection on the Authorization Profile.
• BEnable SNMP with read and write access on the Cisco WLC.
• CCreate an ACL named BLOCKHOLE on the Cisco WLC.
• DChange the Access Type under the Authorization Profile lo ACCESS_REJECT.

Explanation

To effectively block a device added to the Blocklist Identity Group from accessing the wireless network, the associated authorization profile must be configured with an Access Type of ACCESS_REJECT.

Common mistakes.

• A. Disabling URL redirection is irrelevant to blocking access; URL redirection is typically used for guest portals or onboarding, not for denial of service.
• B. Enabling SNMP with read and write access on the Cisco WLC is for management and monitoring of the WLC, not for enforcing specific client access policies like a blocklist.
• C. Creating an ACL named BLOCKHOLE on the WLC might be a component of a denial strategy, but the primary missing step in ISE is applying an authorization profile that either uses such a denial ACL or directly issues an ACCESS_REJECT.

Concept tested. Cisco ISE authorization policy for blacklisting

Reference. https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/admin_guide/b_ISE_admin_3_0/b_ISE_admin_3_0_chapter_0100.html

No community discussion yet for this question.