Exam 350-401
Question 993

An engineer must construct an access list for a Cisco Catalyst 9800 Series WLC that will redirect wireless guest users to a splash page that is hosted on a Cisco ISE server. The Cisco ISE servers are hosted at 10.9.11.144 and 10.1.11.141. Which access list meets the requirements?

    Correct Answer: B

    The correct access list (ACL) should allow traffic to the Cisco Identity Services Engine (ISE) servers and permit necessary web traffic for the splash page redirection. Option B allows traffic to both Cisco ISE server IP addresses (10.9.11.141 and 10.1.11.141) and includes permitting essential web traffic over ports 80 (HTTP), 443 (HTTPS), and 8443. Furthermore, it denies UDP traffic to any domain, which is a common requirement for preventing certain types of traffic while allowing the necessary redirections. This setup ensures that the wireless guest users are redirected to the appropriate splash page hosted by the ISE servers.

Discussion
JeremieB Option: D

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213920-central-web-authentication-cwa-on-cata.html#toc-hId-881505252

yasmiine

Thanks for this link. But I'm a little confused: it indicates that "domain" must be denied, so the answer would be "C"! Another thing: in answer D, the ports www and 80 are the same, so is it a repetition?

Swiz005 Option: B

How can D be correct when it's denying access to the ISE server - I'll go with B

Batman25 Option: C

Option C is right. There should be a deny traffic for UDP ports towards a domain

    ip access-list extended REDIRECT
     deny ip any host <ISE-IP>
     deny ip host <ISE-IP> any
     deny udp any any eq domain
     deny udp any eq domain any
     permit tcp any any eq 80

e0a2673 Option: C

C is correct. You need to deny traffic to your ISE PSN nodes as well as deny DNS and permit all the rest. This redirect ACL is not a security ACL but a punt ACL that defines what traffic goes to the CPU (on permits) for further treatment (like redirection) and what traffic stays on the data plane (on deny) and avoids redirection.
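
The punt-ACL behaviour described in the comment above, modelled as an added example (not part of the thread and not Cisco code): a first-match evaluator runs the REDIRECT ACL posted earlier in the discussion over constructed flows. 192.0.2.10 is a constructed stand-in for <ISE-IP>, `parse_ace` and `classify` are hypothetical helper names, and only the ACE forms used in that ACL are parsed.

```python
import ipaddress

# REDIRECT ACL as posted in the thread; 192.0.2.10 is a constructed
# stand-in for <ISE-IP> (assumption, not an address from the page).
ISE_IP = "192.0.2.10"
REDIRECT_ACL = f"""\
deny ip any host {ISE_IP}
deny ip host {ISE_IP} any
deny udp any any eq domain
deny udp any eq domain any
permit tcp any any eq 80
"""
PORT_NAMES = {"domain": 53, "www": 80}  # IOS port keywords used in the thread


def parse_ace(line):
    """Parse 'action proto src [eq port] dst [eq port]' (hypothetical helper)."""
    tok = line.split()
    action, proto, pos, ends = tok[0], tok[1], 2, []
    for _ in range(2):  # source endpoint, then destination endpoint
        if tok[pos] == "any":
            addr, pos = None, pos + 1
        else:  # "host A.B.C.D"
            addr, pos = ipaddress.ip_address(tok[pos + 1]), pos + 2
        port = None
        if pos < len(tok) and tok[pos] == "eq":
            port = PORT_NAMES.get(tok[pos + 1]) or int(tok[pos + 1])
            pos += 2
        ends.append((addr, port))
    return action, proto, ends[0], ends[1]


def _hit(end, ip, port):
    addr, eq = end
    return addr in (None, ipaddress.ip_address(ip)) and eq in (None, port)


def classify(acl, proto, src, sport, dst, dport):
    """First match wins: permit = punt to CPU (redirect), deny = bypass."""
    for line in acl.strip().splitlines():
        action, ace_proto, s, d = parse_ace(line)
        if ace_proto in ("ip", proto) and _hit(s, src, sport) and _hit(d, dst, dport):
            return "redirect" if action == "permit" else "bypass"
    return "bypass"  # implicit deny at the end of the ACL: not redirected


if __name__ == "__main__":  # constructed sample flows from one guest client
    for flow in [("tcp", "10.0.0.5", 50000, "203.0.113.7", 80),
                 ("tcp", "10.0.0.5", 50001, ISE_IP, 8443),
                 ("udp", "10.0.0.5", 50002, "198.51.100.53", 53)]:
        print(flow, "->", classify(REDIRECT_ACL, *flow))
```

Because evaluation is first-match, HTTP sent to the ISE address itself hits the first deny and is never redirected, while HTTPS to other hosts falls through to the implicit deny.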

SeMo0o0o Option: C

C is the correct answer

SeMo0o0o

my bad, D is the correct Answer

shefo1 Option: B

From all chatbots (ChatGPT, Gemini, Copilot, etc.): A) & C): These options deny traffic to the ISE servers (10.9.11.141 and 10.1.11.141) which would prevent communication for authentication purposes. D): This option also denies traffic to the ISE servers but with a different syntax. Additionally, it allows traffic to port 80 (HTTP) which might bypass the redirection process.