Exam 350-401 topic 1 question 983 discussion

Option A (aaa server radius dynamic-author) is essential to enable CoA, which is a core component of CWA. It allows the RADIUS server to dynamically update client sessions (e.g., to redirect or authorize clients after authentication). Option E (config wlan aaa-override enable <wlan-id>) is critical to enable AAA override, which allows the WLC to apply the dynamic redirect URL and ACL sent by the RADIUS server. Together, these commands address the core requirements for CWA: enabling CoA for dynamic session management and allowing the WLC to use RADIUS-provided attributes.

B,C,E are wrong, because of "(Cisco Controller) >" this mode is only for old AirOS and not for 9800 which based on IOS XE. A,D are correct: WLC-9800-Lab(config)# aaa new-model WLC-9800-Lab(config)# aaa server radius dynamic-author WLC-9800-Lab(config-locsvr-da-radius)#client 10.10.10.12 server-key 0 SECRET WLC-9800-Lab(config-locsvr-da-radius)#do sh inv NAME: "Chassis", DESCR: "C9800-CL Chassis"

I think people choice of and and AE is due to the command sets being related. # aaa server radius dynamic-author # client <radius-server-ip> server-key <shared-key>

A and E , recall there were questions in this 350-401 topic where we were asked what changes must we do for ISE(AAA Server) can assign custom VLAN's to users when they log in , and the right answer there was (first box to check) "enable AAA override" .

Anwser AD. Réf: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213919-configure-802-1x-authentication-on-catal.pdf

ref: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213920-central-web-authentication-cwa-on-cata.html Here is the relevant part of the configuration of the WLC that corresponds to this example: aaa new-model ! aaa authorization network CWAauthz group radius aaa accounting identity CWAacct start-stop group radius ! aaa server radius dynamic-author client <ISE-IP> server-key cisco123 ! aaa session-id common ! ! radius server ISE-server address ipv4 <ISE-IP> auth-port 1812 acct-port 1813 key cisco123 ! ! (check the rest in the URL) so: ANS: AD

Configures the Change of Authorization (CoA) on the controller. # aaa server radius dynamic-author Specifies a RADIUS client and the RADIUS key to be shared between a device and a RADIUS client. # client 123.123.134.112 server-key 0 SECRET

C and D are the answers

To configure AAA on a Cisco 9800 WLC for central web authentication, you’ll need the following two commands: Device(config)# aaa server radius dynamic-author: This command enables the RADIUS dynamic authorization feature and enters dynamic authorization local server configuration mode1. (Cisco Controller) > config wlan aaa-override enable <wlan-id>: This command enables AAA override for a specific WLAN, allowing you to apply custom authentication, authorization, and accounting (AAA) settings for that WLAN1. Remember to adjust the <wlan-id> placeholder with the actual WLAN ID you want to configure. These commands will help you set up central web authentication effectively on your Cisco 9800 WLC. 🛡️

Going through elimination I think the answer is AD

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-14/config-guide/b_wl_17_14_cg/m_vewlc_central_web_authentication.html Configuring AAA for Central Web Authentication

A, C is OK https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/central-web-authentication.html

B, C and E does not exist in a 9800 WLC ???????-WLC#configure ? confirm Confirm replacement of running-config with a new config file memory Configure from NV memory network Configure from a TFTP network host overwrite-network Overwrite NV memory from TFTP network host replace Replace the running-config with a new config file revert Parameters for reverting the configuration terminal Configure from the terminal <cr> <cr>

C and E. You will never see A on a wireless controller CLI. That’s a Switch/Router.

A and E (In my Opinion) A - configures the WLC to use RADIUS for dynamic authorization (correct) B - diables AAA override (central web auth, we should want AAA override) C - configures a RADIUS accounting server (logging, not used for authentication) D - appears to be configuring a local RADIUS server on device, rather then setting up central web auth. E - enables AAA override for the WLAN, allowing WLC to use AAA for client authentication/authorization