nerdexam
Cisco

350-401 · Question #1068

Refer to the exhibit. An engineer is configuring WebAuth on a Cisco Catalyst 9800 Series WLC. The engineer has purchased a third-party certificate using the FQDN of the WLC as the CN and intends to us

The correct answer is A. Virtual IPv4 Hostname must match the CN of the certificate. For clients to avoid certificate errors on a Cisco Catalyst 9800 Series WLC WebAuth splash page, the Virtual IPv4 Hostname must be configured to precisely match the Common Name (CN) of the third-party certificate.

Submitted by minji_kr· Mar 6, 2026

Question

Refer to the exhibit. An engineer is configuring WebAuth on a Cisco Catalyst 9800 Series WLC. The engineer has purchased a third-party certificate using the FQDN of the WLC as the CN and intends to use it on the WebAuth splash page. What must be configured so that the clients do not receive a certificate error?

Exhibits

350-401 question #1068 exhibit 1
350-401 question #1068 exhibit 2

Options

  • AVirtual IPv4 Hostname must match the CN of the certificate
  • BVirtual IPv4 Address must be set to a routable address
  • CWeb Auth Intercept HTTPs must be enabled
  • DTrustpoint must be set to the management certificate of the WLC

How the community answered

(32 responses)
  • A
    72% (23)
  • B
    16% (5)
  • C
    9% (3)
  • D
    3% (1)

Why each option

For clients to avoid certificate errors on a Cisco Catalyst 9800 Series WLC WebAuth splash page, the Virtual IPv4 Hostname must be configured to precisely match the Common Name (CN) of the third-party certificate.

AVirtual IPv4 Hostname must match the CN of the certificateCorrect

When a client is redirected to the WebAuth splash page, their browser attempts to establish an HTTPS connection to the WLC's virtual IP address. For the certificate to be trusted and avoid security warnings, the hostname presented by the WLC (its Virtual IPv4 Hostname) must exactly match the FQDN specified in the Common Name (CN) field of the installed third-party certificate.

BVirtual IPv4 Address must be set to a routable address

While the Virtual IPv4 Address must be routable for clients to reach the WLC, configuring it as such does not resolve certificate name mismatch errors.

CWeb Auth Intercept HTTPs must be enabled

Web Auth Intercept HTTPS forces HTTP traffic to be redirected over HTTPS, but it does not address the issue of a certificate hostname mismatch once the HTTPS connection is initiated.

DTrustpoint must be set to the management certificate of the WLC

The trustpoint is where the certificate itself is managed and stored on the WLC, but simply setting it to a management certificate does not configure the virtual hostname to match the purchased certificate's CN.

Concept tested: Cisco WLC WebAuth certificate configuration

Source: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/config-guide/b_wl_17_3_cg/m_secure_web_authentication_wireless_17_3.html

Topics

#Cisco WebAuth#WLC Certificate Management#Certificate FQDN Matching#WLC Virtual Hostname

Community Discussion

No community discussion yet for this question.

Full 350-401 Practice