nerdexam
Cisco

350-401 · Question #1084

An engineer modifies the existing ISE guest portal URL to use a static FQDN. Users immediately report that they receive certificate errors when they are redirected to the new page. Which two additiona

The correct answer is A. Add a new DNS record to resolve the FQDN to the PSN IP address B. Create and sign a new CSR that contains the static FQDN entry. To resolve certificate errors after changing an ISE guest portal URL to a static FQDN, a new DNS record must map the FQDN to the PSN IP, and a new SSL certificate containing the static FQDN must be generated and installed.

Submitted by rohit_dlh· Mar 6, 2026

Question

An engineer modifies the existing ISE guest portal URL to use a static FQDN. Users immediately report that they receive certificate errors when they are redirected to the new page. Which two additional configuration steps are needed to implement the change? (Choose two.)

Options

  • AAdd a new DNS record to resolve the FQDN to the PSN IP address
  • BCreate and sign a new CSR that contains the static FQDN entry
  • CManually configure the hosts file on each user device.
  • DDisable HTTPS on the WLC under the Management menu
  • EAdd the FQDN entry under the WLC virtual interface

How the community answered

(47 responses)
  • A
    66% (31)
  • C
    19% (9)
  • D
    4% (2)
  • E
    11% (5)

Why each option

To resolve certificate errors after changing an ISE guest portal URL to a static FQDN, a new DNS record must map the FQDN to the PSN IP, and a new SSL certificate containing the static FQDN must be generated and installed.

AAdd a new DNS record to resolve the FQDN to the PSN IP addressCorrect

For users to successfully reach the guest portal using the new static FQDN, a DNS record (typically an A record) must be created and propagated that accurately resolves the FQDN to the IP address of the Policy Service Node (PSN) hosting the guest portal service.

BCreate and sign a new CSR that contains the static FQDN entryCorrect

When the FQDN associated with a web service like an ISE guest portal changes, the existing SSL certificate becomes invalid because its Subject Alternative Name (SAN) or Common Name (CN) no longer matches the new FQDN; therefore, a new Certificate Signing Request (CSR) must be generated that includes the new static FQDN, signed by a trusted Certificate Authority (CA), and then installed on the ISE PSN.

CManually configure the hosts file on each user device.

Manually configuring the hosts file on each user device is not a scalable, practical, or manageable solution for a production guest network.

DDisable HTTPS on the WLC under the Management menu

Disabling HTTPS would remove encryption, compromising the security and integrity of the guest portal, which is an unacceptable security practice.

EAdd the FQDN entry under the WLC virtual interface

Adding the FQDN entry under the WLC virtual interface is irrelevant to the ISE guest portal's FQDN and certificate, as the WLC virtual interface primarily handles the WLC's own management or client redirection.

Concept tested: Cisco ISE guest portal FQDN and SSL certificate management

Source: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216262-configure-and-troubleshoot-ise-posture-a.html

Topics

#Cisco ISE Guest Services#SSL Certificate Management#DNS Configuration

Community Discussion

No community discussion yet for this question.

Full 350-401 Practice