nerdexam
Cisco

350-401 · Question #1209

Refer to the exhibit. A client requests a new SSID that will use web-based authentication and external RADIUS servers. Which Layer 2 security mode must be selected?

The correct answer is B. None. Option B (None) is correct because web-based authentication (also called WebAuth or captive portal) operates at Layer 3, not Layer 2. When using external RADIUS servers for web-based authentication, no Layer 2 encryption or security mechanism is applied to the wireless frame itse

Submitted by rohit_dlh· Mar 6, 2026Security

Question

Refer to the exhibit. A client requests a new SSID that will use web-based authentication and external RADIUS servers. Which Layer 2 security mode must be selected?

Exhibits

350-401 question #1209 exhibit 1
350-401 question #1209 exhibit 2

Options

  • AWPA2 + WPAS
  • BNone
  • CStatic WEP
  • DWPA+WPA2

How the community answered

(36 responses)
  • A
    11% (4)
  • B
    81% (29)
  • C
    3% (1)
  • D
    6% (2)

Explanation

Option B (None) is correct because web-based authentication (also called WebAuth or captive portal) operates at Layer 3, not Layer 2. When using external RADIUS servers for web-based authentication, no Layer 2 encryption or security mechanism is applied to the wireless frame itself - the authentication happens after the client associates, through a web browser redirect. Selecting "None" for Layer 2 security allows clients to associate openly, after which the controller redirects HTTP traffic to a login page validated by the RADIUS server.

Why the distractors are wrong: WPA2+WPA2 (A) and WPA+WPA2 (D) are Layer 2 encryption standards that require credential exchange before association completes, which conflicts with the web-based authentication flow. Static WEP (C) is also a Layer 2 security method that encrypts frames at association, again incompatible with a captive portal approach.

Memory Tip: Think of it this way - "Web auth lives at Layer 3, so Layer 2 gets None." If authentication happens in a browser after connecting, the wireless connection itself must be open (no Layer 2 security), because the client needs to associate first before being redirected to the login page.

Topics

#Wi-Fi Security#Web-based Authentication#Captive Portal#RADIUS

Community Discussion

No community discussion yet for this question.

Full 350-401 Practice