Refer to the exhibit. An engineer implemented a CPU ACL on the controller, and now the Web Authentication Redirect page is not working. What must be changed for the redirect page to work?
A. The permit statement must be directed to the controller management address.
B. The permit statement for 192.0.2.100 must be in both directions.
C. The Web Authentication Redirect must be configured on the CPU ACLs.
- Therefore, if CPU ACLs are enabled in the WLC, an allow rule for the virtual interface IP is required (In ANY direction) in these conditions:
- When the CPU ACL does not have an allow ALL rule for both directions.
- When there exists an allow ALL rule, but there also exists a DENY rule for port 443 or 80 of higher precedence.
- The allow rule for the virtual IP must be for TCP protocol and port 80 if secureweb is disabled, or port 443 if secureweb is enabled. This is needed in order to allow the access of the client to the virtual interface IP address post successful authentication when CPU ACLs are in place.
https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/108501-webauth-tshoot.html
Looking at the exhibit, ACL named "mgmt" is applied as CPU ACL, and line Seq 3 is permitting traffic to the WLC Virtual IP ADD already (so option C is not correct, it is a redundant statement). What that line needs is to be amended, to both directions.
A is correct - Option B is not the correct answer because the permit statement for 192.0.2.100 being in both directions does not directly address the issue of the Web Authentication Redirect page not working.
Option C is also not the correct answer because the Web Authentication Redirect does not need to be configured on the CPU ACLs. The issue lies with the CPU ACL implementation and not the configuration of the Web Authentication Redirect itself.
Answer is B as per the below:
- Therefore, if CPU ACLs are enabled in the WLC, an allow rule for the virtual interface IP is required (In ANY direction) in these conditions:
- When the CPU ACL does not have an allow ALL rule for both directions.
- When there exists an allow ALL rule, but there also exists a DENY rule for port 443 or 80 of higher precedence.
https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/108501-webauth-tshoot.html
C is correct. From https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-2/config-guide/b_cg82/b_cg82_chapter_01110.html.
When you apply CPU ACLs on a Cisco 5508 WLC or a Cisco WiSM2, you must permit traffic towards the virtual interface IP address for web authentication. The packet direction does not have any significance, it is always ‘Any’.
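The conditions quoted in the comments above from the Cisco troubleshooting note (an allow rule for the virtual interface IP, TCP port 80 or 443 depending on secureweb, not shadowed by a higher-precedence deny) can be checked mechanically. The following Python is an added example, not part of the original thread or of any Cisco tooling; the `Rule` model, the first-match evaluation with an implicit deny, the collapsed single address field, and the sample ACLs and address are assumptions constructed for illustration and are not the ACL from the exhibit.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:                    # hypothetical model of one CPU ACL line
    action: str                # "permit" or "deny"
    addr: str                  # network the rule names (CIDR); source and
                               # destination are collapsed into one field
    proto: str                 # "tcp", "udp" or "any"
    port: Optional[int]        # destination port; None means any
    direction: str             # "any", "inbound" or "outbound"

def audit(rules, virtual_ip, secureweb=True):
    """Return the first-match verdict per direction for web-auth traffic."""
    port = 443 if secureweb else 80       # port rule from the quoted note
    verdict = {}
    for direction in ("inbound", "outbound"):
        verdict[direction] = "deny"       # assumption: implicit deny at end
        for r in rules:                   # rules are listed in sequence order
            if (ip_address(virtual_ip) in ip_network(r.addr)
                    and r.proto in ("any", "tcp")
                    and r.port in (None, port)
                    and r.direction in ("any", direction)):
                verdict[direction] = r.action
                break
    return verdict

def redirect_ok(rules, virtual_ip, secureweb=True):
    """True only when the virtual IP is permitted in both directions."""
    return all(v == "permit"
               for v in audit(rules, virtual_ip, secureweb).values())

# Constructed sample data (documentation-range address, not the exhibit).
VIP = "192.0.2.100"
ANY = "0.0.0.0/0"
ACL_OK = [Rule("permit", VIP + "/32", "tcp", 443, "any")]
ACL_INBOUND_ONLY = [Rule("permit", VIP + "/32", "tcp", 443, "inbound")]
ACL_SHADOWED = [Rule("deny", ANY, "tcp", 443, "any"),
                Rule("permit", ANY, "any", None, "any")]

if __name__ == "__main__":
    for name, acl in [("ok", ACL_OK), ("inbound-only", ACL_INBOUND_ONLY),
                      ("shadowed", ACL_SHADOWED)]:
        print(name, audit(acl, VIP), redirect_ok(acl, VIP))
```

Running the audit with `secureweb=False` against the same rule lists shows how a rule written for port 443 stops covering the redirect once the controller serves it on port 80.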