Question 791 - 350-401 discussion

Option D is the correct access list to redirect wireless guest users to a splash page that is hosted on a Cisco ISE server.The configuration steps are as follows12:

Define an extended access list that permits TCP traffic from any source to the Cisco ISE servers on port 80 (HTTP) and port 443 (HTTPS). In this case, the access list is namedACL_WEBAUTH_REDIRECTand it allows any host to connect to the IP addresses 10.9.11.141 and 10.1.11.141 on port 80 and port 443:ip access-list extended ACL_WEBAUTH_REDIRECTandpermit tcp any host 10.9.11.141 eq 80,permit tcp any host 10.9.11.141 eq 443,permit tcp any host 10.1.11.141 eq 80,permit tcp any host 10.1.11.141 eq 443.

Apply the access list to the guest WLAN using theip access-groupcommand. This command filters the traffic on the interface based on the access list. In this case, the access listACL_WEBAUTH_REDIRECTis applied to the guest WLAN interface in the inbound direction, which means that only the traffic that matches the access list can enter the interface:interface wlan-guestandip access-group ACL_WEBAUTH_REDIRECT in.

Option A is incorrect because it does not permit TCP traffic to the Cisco ISE servers on port 80, which is required for HTTP redirection.Without this, the guest users will not be able to see the splash page on their web browsers12.

Option B is incorrect because it does not permit TCP traffic to the Cisco ISE servers on port 443, which is required for HTTPS redirection.Without this, the guest users will not be able to see the splash page on their web browsers if they use HTTPS12.

Option C is incorrect because it permits TCP traffic from any source to any destination on port 80 and port 443, which is too broad and may allow unwanted traffic to enter the guest WLAN interface.This may compromise the security and performance of the guest network12.Reference:1:Configuring Web Authentication,2:ISE and Catalyst 9800 Series Integration Guide