Exam 350-701 topic 1 question 346 discussion

I believe it should be A based on: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216330-ise-self-registered-guest-portal-configu.html

Answer a

it is not a DACL, it is an ACL in WLC AireSpace that name must match the ACL name in ISE

The only one that can be right is A. A dynamic ACL does not redirect traffic is just saying you are allowed to reach that traffic, for redirecting the traffic in the common task you select the type of portal hotspot, cwa and so one, after that you write by yourself the redirect-acl and then you select the specific portal. You will not use the DACL for redirecting the traffic.

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213920-central-web-authentication-cwa-on-cata.html#toc-hId-881505252 Search for authorization profile and it's step 2. DACL isn't an ACL everyone ;)

Not to muddy the waters here, But C can't be it because it references a DACL (Downloadable ACL). Which if it is referencing an ACL that is already created on the WLC, it would use a DACL. It would just reference the already created ACL. https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216330-ise-self-registered-guest-portal-configu.html

The correct answer is A. I know this from a practise.

Answer is A. The devices arent being redirected and instead have full access. You need to update the authorization profile to enable CWA redirection. This will ensure that they are placed in a URL_Redirect state that limits their access to the CWA portal. No ACL / DACL required for this state...

C: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216330-ise-self-registered-guest-portal-configu.html

C is correct

A. Tag the guest portal in the CWA part of the Common Tasks section of the authorization profile for the authorization policy line that the unauthenticated devices hit. In order to redirect guest endpoints to the guest portal for authentication and authorization, the engineer must tag the guest portal in the CWA part of the Common Tasks section of the authorization profile for the authorization policy line that the unauthenticated devices hit. This will ensure that the endpoints are redirected to the portal for authentication and authorization before gaining full access to the network.

C is correct

Guest-Portal (with redirection to Guest portal Cisco_Guest and a Redirect ACL named GuestRedirect). This GuestRedirect ACL was created earlier on WLC. https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216330-ise-self-registered-guest-portal-configu.html

I vote for A. Cheers

C ????