Exam 350-401 topic 1 question 993 discussion

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213920-central-web-authentication-cwa-on-cata.html#toc-hId-881505252

How can D by correct when it's denying access to the ISE server - I'll go with B

great link provided JeremieB which relates to multiple questions in this exam. all traffic to and from the ISE server must be denied here meaning D is correct. D is not an ideal configuration as 443 HTTPS is also permitted and Domain is not explicitly matched in a deny statement, but is blocked by the implicit deny in the ACL statement

Source : https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213920-central-web-authentication-cwa-on-cata.html ip access-list extended REDIRECT deny ip any host <ISE-IP> deny ip host<ISE-IP> any deny udp any any eq domain deny udp any eq domain any permit tcp any any eq 80 You can improve the ACL by action to deny only the guest port 8443 to the ISE server.

D is the only one that closely matches Cisco's example in JeremieB's link The rest do not prohibit ISE hosts flows in both directions (src > dst AND dst -> src)

A & B are not correct, you need to deny traffic to your ISE servers. The answer could be C or D but I think both are missing some statements. Since 'C' denies DNS traffic, but 'D' doesn't. I would go with 'C'

You need to deny traffic to your ISE PSN (policy service node) nodes as well as deny DNS and permit all the rest. The WLC will look into traffic that it can redirect (ports 80 and 443 by default). CLI configuration for our scenario: ip access-list extended REDIRECT 10 deny ip any host 10.9.11.141 20 deny ip any host 10.1.11.141 30 deny ip host 10.9.11.141 any 40 deny ip host 10.1.11.141 any 50 deny udp any any eq domain 60 deny udp any eq domain any 70 permit tcp any any eq 80 ---> for HTTP redirection https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213920-central-web-authentication-cwa-on-cata.html#toc-hId-881505252:~:text=443%20by%20default).-,CLI%3A,-ip%20access%2Dlist

C should be the correct answer

correct answer is C Denies all IP traffic to and from the ISE servers. Denies DNS traffic (UDP port 53). Permits HTTP traffic (TCP port 80).

Make more sense.

D is correct. For the redirection ACL, think of the deny action as a deny redirection (not deny traffic) and the permit action as permit redirection. The WLC only looks into traffic that it can redirect (ports 80 and 443 by default).

Option C is right. There should be a deny traffic for UDP ports towards a domain ip access-list extended REDIRECT deny ip any host <ISE-IP> deny ip host<ISE-IP> any deny udp any any eq domain deny udp any eq domain any permit tcp any any eq 80 ip access-list extended REDIRECT deny ip any host <ISE-IP> deny ip host<ISE-IP> any deny udp any any eq domain deny udp any eq domain any permit tcp any any eq 80

C is the correct answer

C is correct You need to deny traffic to your ISE PSNs nodes as well as deny DNS and permit all the rest. This redirect ACL is not a security ACL but a punt ACL that defines what traffic goes to the CPU (on permits) for further treatment (like redirection) and what traffic stays on the data plane (on deny) and avoids redirection.

from all chatbots (chatGPT,Gemini,Capilot , etc...) A) & C): These options deny traffic to the ISE servers (10.9.11.141 and 10.1.11.141) which would prevent communication for authentication purposes. D): This option also denies traffic to the ISE servers but with a different syntax. Additionally, it allows traffic to port 80 (HTTP) which might bypass the redirection process.