350-401 Question #1212: Real Exam Question with Answer & Explanation
The correct answer is D.
Question
An engineer must construct an access list for a Cisco Catalyst 9800 Series WLC that will redirect wireless guest users to a splash page that is hosted on a Cisco ISE server. The Cisco ISE servers are hosted at 10.9.11.144 and 10.1.11.141. Which access list meets the requirements?
Options
- A.
  ip access-list extended ACL_WEBAUTH_REDIRECT
   70 permit ip any host 10.9.11.141
   80 permit ip any host 10.1.11.141
   500 deny tcp any any eq www
   600 deny tcp any any eq 443
   700 deny tcp any any eq 8443
   800 deny udp any any eq domain
   901 deny ip any any
- B.
  ip access-list extended ACL_WEBAUTH_REDIRECT
   70 permit ip any host 10.9.11.141
   80 permit ip any host 10.1.11.141
   500 permit tcp any any eq www
   600 permit tcp any any eq 443
   700 permit tcp any any eq 8443
   800 deny udp any any eq domain
- C.
  ip access-list extended ACL_WEBAUTH_REDIRECT
   70 deny ip any host 10.9.11.141
   80 deny ip any host 10.1.11.141
   500 permit tcp any any eq www
   600 permit tcp any any eq 443
   700 permit tcp any any eq 8443
   800 deny udp any any eq domain
- D.
  ip access-list extended ACL_WEBAUTH_REDIRECT
   50 deny ip host 10.9.11.141 any
   60 deny ip host 10.1.11.141 any
   70 deny ip host 10.1.11.141 any
   80 deny ip any host 10.1.11.141
   500 permit tcp any any eq www
   600 permit tcp any any eq 443
   700 permit tcp any any eq 80
Explanation
Option D correctly implements the redirect ACL logic used by Cisco WLC for web authentication: DENY entries allow traffic to pass through without redirection, while PERMIT entries trigger the redirect to the splash page. D denies traffic both from and to the ISE servers (lines 50–80), ensuring ISE authentication traffic flows freely in both directions. It then permits HTTP/HTTPS traffic (lines 500–700), causing those flows to be intercepted and redirected to the ISE-hosted splash page.
Why the distractors fail:
- A uses DENY for HTTP/HTTPS (port 80, 443, 8443), which means web traffic bypasses the redirect entirely, the opposite of what's needed.
- B uses PERMIT for the ISE server IPs, which would redirect authentication traffic to itself rather than letting it pass through to ISE.
- C only denies traffic going to ISE servers but not traffic from them, leaving return ISE traffic unprotected and potentially subject to redirection.
Memory tip: Think of WLC redirect ACLs as "inverted" — DENY = "let it pass," PERMIT = "redirect it." A common mistake is applying normal ACL intuition; always ask "what do I want redirected?" and PERMIT only that.
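The inverted semantics described above, as an added Python example (not part of the original page and not Cisco code): a small evaluator that parses option D as printed and reports, per flow, whether the first matching entry redirects it or lets it bypass redirection. It handles only the entry forms used in the options, and the final fall-through assumes the usual implicit deny at the end of an IOS access list.

```python
import ipaddress

# Option D as printed in the question (constructed here as a string).
ACL_D = """\
50 deny ip host 10.9.11.141 any
60 deny ip host 10.1.11.141 any
70 deny ip host 10.1.11.141 any
80 deny ip any host 10.1.11.141
500 permit tcp any any eq www
600 permit tcp any any eq 443
700 permit tcp any any eq 80
"""
PORT_NAMES = {"www": 80, "domain": 53}  # IOS keywords used on this page


def _addr(tokens):
    """Consume 'any' or 'host A.B.C.D'; None means any address."""
    word = tokens.pop(0)
    if word == "any":
        return None
    if word != "host":
        raise ValueError(f"unsupported address form: {word}")
    return ipaddress.ip_address(tokens.pop(0))


def parse_acl(text):
    """Parse the ACE subset used in the options, ordered by sequence number."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        seq, action, proto = int(t.pop(0)), t.pop(0), t.pop(0)
        src, dst, port = _addr(t), _addr(t), None
        if t:  # optional 'eq <port>' on the destination
            if t.pop(0) != "eq":
                raise ValueError(f"unsupported port operator in: {line}")
            port = PORT_NAMES[t[0]] if t[0] in PORT_NAMES else int(t[0])
        aces.append((seq, action, proto, src, dst, port))
    return sorted(aces, key=lambda ace: ace[0])


def classify(aces, proto, src, dst, dport=None):
    """First matching ACE decides: permit -> 'redirect', deny -> 'bypass'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _seq, action, a_proto, a_src, a_dst, a_port in aces:
        if a_proto not in ("ip", proto) or a_port not in (None, dport):
            continue
        if a_src in (None, src) and a_dst in (None, dst):
            return "redirect" if action == "permit" else "bypass"
    return "bypass"  # implicit deny at the end of the ACL: never redirected
```

Running a planned redirect ACL through a check like this before deployment shows which flows each entry actually catches. With the list exactly as printed, a client HTTPS flow to 10.9.11.141 is classified as redirect, because no entry denies traffic to that address.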