300-430: Implementing Cisco Enterprise Wireless Networks (300-430 ENWLSI) Part 3
Question #: 101
Topic #: 1
A customer wants to allow employees to easily onboard their personal devices to the wireless network. The visitors also must be able to connect to the same network without the need to engage with anyone from the reception desk. Which process must be configured on Cisco ISE to support this requirement?
A. MAC authentication bypass
B. native supplicant provisioning
C. local web auth
D. self-registration guest portal
Selected Answer: D
Question #: 102
Topic #: 1
A customer has a distributed wireless deployment model where the WLCs are located in the data centers. Because the file servers are located in the data center, the traffic from the corporate WLAN `Corp-401266017` must go through the controllers, where the guest WLAN `Guest-19283746` traffic must use the local Internet line installed in each office. Which configuration will accomplish this task?
A. Disable Local Switching for the corporate and guest WLAN.
B. Disable Local Switching for the corporate WLAN and enable it for the guest WLAN.
C. Enable Local Switching for the corporate and guest WLAN.
D. Enable Local Switching for the corporate WLAN and disable it for the guest WLAN.
Selected Answer: B
Question #: 103
Topic #: 1
A network engineer is implementing BYOD on a wireless network. Based on the customer requirements, a dual SSID approach must be taken. Which two advanced WLAN configurations must be performed? (Choose two.)
A. Set NAC State to Radius NAC.
B. Set Allow AAA Override to Enabled.
C. Set DHCP Addr. Assignment to Required.
D. Select DHCP Profiling.
E. Select Enable Session Timeout.
Selected Answer: BC
Question #: 104
Topic #: 1
Which three characteristics of a rogue AP pose a high security risk? (Choose three.)
A. open authentication
B. high RSSI
C. foreign SSID
D. accepts clients
E. low RSSI
F. distant location
Selected Answer: ABD
Question #: 105
Topic #: 1
Which AP model of the Cisco Aironet Active Sensor is used with Cisco DNA Center?
A. 1800s
B. 3600e
C. 3800s
D. 4800i
Selected Answer: A
Question #: 106
Topic #: 1
Which component must be integrated with Cisco DNA Center to display the location of a client that is experiencing connectivity issues?
A. Cisco Hyperlocation Module
B. Wireless Intrusion Prevention System
C. Cisco Connected Mobile Experiences
D. Cisco Mobility Services Engine
Selected Answer: C
Question #: 107
Topic #: 1
The IT manager is asking the wireless team to get a report for all guest user associations during the past two weeks. In which two formats can Cisco Prime save this report? (Choose two.)
A. CSV
B. PDF
C. XLS
D. DOC
E. plain text
Selected Answer: AB
Question #: 108
Topic #: 1
A customer is experiencing performance issues with its wireless network and asks a wireless engineer to provide information about all sources of interference and their impacts to the wireless network over the past few days. Where can the requested information be accessed?
A. CleanAir reports on Cisco Prime Infrastructure
B. Performance reports on Cisco Prime Infrastructure
C. Interference Devices reports on Cisco Wireless LAN Controller
D. Air Quality reports on Cisco Wireless LAN Controller
Selected Answer: A
Question #: 109
Topic #: 1
An engineer must provide a graphical report with summary grouped data of the total number of wireless clients on the network. Which Cisco Prime Infrastructure report provides the required data?
A. Client Traffic Stream Metrics
B. Client Summary
C. Posture Status Count
D. Mobility Client Summary
Selected Answer: B
Question #: 110
Topic #: 1
An engineer is using Cisco Prime Infrastructure reporting to monitor the state of security on the WLAN. Which output is produced when the Adaptive wIPS Top 10 AP report is run?
A. last 10 wIPS events from monitor mode APs
B. last 10 wIPS events from sniffer mode APs
C. last of 10 sniffer mode APs with the most wIPS events
D. last of 10 monitor mode APs with the most wIPS events
Selected Answer: A
Question #: 111
Topic #: 1
Refer to the exhibit. An engineer tries to manage the rogues on the Cisco WLC. Based on the configuration, which AP is marked as malicious by the controller?
A. rogue AP with SSID admin seen for 4000 seconds and heard at -70dBm
B. rogue AP with SSID admin seen for 3000 seconds and heard at -60dBm
C. rogue AP with SSID admin seen for 4000 seconds and heard at -60dBm
D. rogue AP with SSID admin seen for 3000 seconds and heard at -70dBm
Selected Answer: D
Question #: 112
Topic #: 1
Which devices can be tracked with the Cisco Context Aware Services?
A. wired and wireless devices
B. wireless devices
C. wired devices
D. Cisco certified wireless devices
Selected Answer: A
Question #: 113
Topic #: 1
Which two events are outcomes of a successful RF jamming attack? (Choose two.)
A. disruption of WLAN services
B. unauthentication association
C. deauthentication broadcast
D. deauthentication multicast
E. physical damage to AP hardware
Selected Answer: C
Question #: 114
Topic #: 1
An engineer must create an account to log in to the CLI of an access point for troubleshooting. Which configuration on the WLC will accomplish this?
A. Allow New Telnet Sessions
B. ReadWrite User Access Mode
C. SNMP V3 User
D. Global Configuration Enable Password
Selected Answer: B
Question #: 115
Topic #: 1
A multitenant building contains known wireless networks in most of the suites. Rogues must be classified in the WLC. How are the competing wireless APs classified?
A. adhoc
B. friendly
C. malicious
D. unclassified
Selected Answer: B
Question #: 116
Topic #: 1
An enterprise has recently deployed a voice and video solution available to all employees using AireOS controllers. The employees must use this service over their laptops, but users report poor service when connected to the wireless network. The programs that consume bandwidth must be identified and restricted.
Which configuration on the WLAN aids in recognizing the traffic?
A. NetFlow Monitor
B. AVC Profile
C. QoS Profile
D. Application Visibility
Selected Answer: B
Question #: 117
Topic #: 1
Which customizable security report on Cisco Prime Infrastructure will show rogue APs detected since a point in time?
A. Network Summary
B. Rogue APs Events
C. New Rogue APs
D. Rogue APs Count Summary
Selected Answer: B
Question #: 118
Topic #: 1
After receiving an alert about a rogue AP, a network engineer logs into Cisco Prime Infrastructure and looks at the floor map where the AP that detected the rogue is located. The map is synchronized with a mobility services engine that determines that the rogue device is actually inside the campus. The engineer determines that the rogue is a security threat and decides to stop it from broadcasting inside the enterprise wireless network. What is the fastest way to disable the rogue?
A. Go to the location where the rogue device is indicated to be and disable the power.
B. Create an SSID similar to the rogue to disable clients from connecting to it.
C. Update the status of the rogue in Cisco Prime Infrastructure to contained.
D. Classify the rogue as malicious in Cisco Prime Infrastructure.
Selected Answer: C
Question #: 119
Topic #: 1
Refer to the exhibit.
Which area indicates the greatest impact on the wireless network when viewing the Cisco CleanAir Zone of Impact map of interferers?
A. A
B. B
C. C
D. D
Selected Answer: D
Question #: 120
Topic #: 1
A wireless network engineer must present a list of all rogue APs with a high severity score to senior management. Which report must be created in Cisco Prime Infrastructure to provide this information?
A. Rogue AP Count Summary
B. New Rogue APs
C. Rogue AP Events
D. Rogue APs
Selected Answer: D
Question #: 121
Topic #: 1
An engineer must run a Client Traffic Stream Metrics report in Cisco Prime Infrastructure. Which task must be run before the report?
A. scheduled report
B. radio performance
C. client status
D. software
Selected Answer: B
Question #: 122
Topic #: 1
What is the maximum time range that can be viewed on the Cisco DNA Center issues and alarms page?
A. 3 hours
B. 24 hours
C. 3 days
D. 7 days
Selected Answer: A
Question #: 123
Topic #: 1
A wireless engineer must configure access control on a WLC using a TACACS+ server for a company that is implementing centralized authentication on network devices. Which role value must be configured under the shell profile on the TACACS+ server for a user with read-only permissions?
A. ADMIN
B. MANAGEMENT
C. MONITOR
D. READ
Selected Answer: C
Question #: 124
Topic #: 1
The CTO of an organization wants to ensure that all Android devices are placed into a separate VLAN on their wireless network. However, the CTO does not want to deploy ISE. Which feature must be implemented on the Cisco WLC?
A. WLAN local policy
B. RADIUS server overwrite interface
C. AAA override
D. custom AVC profile
Selected Answer: A
Question #: 125
Topic #: 1
Refer to the exhibit. A wireless engineer has integrated the wireless network with a RADIUS server. Although the configuration on the RADIUS is correct, users are reporting that they are unable to connect. During troubleshooting, the engineer notices that the authentication requests are being dropped. Which action will resolve the issue?
A. Allow connectivity from the wireless controller to the IP of the RADIUS server.
B. Provide a valid client username that has been configured on the RADIUS server.
C. Configure the shared-secret keys on the controller and the RADIUS server.
D. Authenticate the client using the same EAP type that has been set up on the RADIUS server.
Selected Answer: C
Question #: 126
Topic #: 1
What must be configured on the Global Configuration page of the WLC for an AP to use 802.1x to authenticate to the wired infrastructure?
A. local access point credentials
B. RADIUS shared secret
C. TACACS server IP address
D. supplicant credentials
Selected Answer: D
Question #: 127
Topic #: 1
For security purposes, an engineer enables CPU ACL and chooses an ACL on the Security > Access Control Lists > CPU Access Control Lists menu. Which kind of traffic does this change apply to as soon as the change is made?
A. wireless traffic only
B. wired traffic only
C. VPN traffic
D. wireless and wired traffic
Selected Answer: D
Question #: 128
Topic #: 1
Refer to the exhibit. An engineer is creating an ACL to restrict some traffic to the WLC CPU. Which selection must be made from the direction drop-down list?
A. It must be Inbound because traffic goes to the WLC.
B. Packet direction has no significance; it is always Any.
C. It must be Outbound because it is traffic that is generated from the WLC.
D. To have the complete list of options, the CPU ACL must be created only by the CLI.
Selected Answer: B
Question #: 129
Topic #: 1
An engineer must implement a CPU ACL that blocks web management traffic to the controller, but they also must allow guests to reach a Web Authentication Redirect page. To which IP address is guest client HTTPS traffic allowed for this to work?
A. DNS server IP
B. controller management IP
C. virtual interface IP
D. client interface IP
Selected Answer: C
Question #: 130
Topic #: 1
An engineer needs to configure an autonomous AP for 802.1x authentication. To achieve the highest security an authentication server is used for user authentication. During testing, the AP fails to pass the user authentication request to the authentication server. Which two details need to be configured on the AP to allow communication between the server and the AP? (Choose two.)
A. username and password
B. PAC encryption key
C. RADIUS IP address
D. shared secret
E. group name
Selected Answer: CD
Question #: 131
Topic #: 1
A customer wants the APs in the CEO’s office to have different usernames and passwords for administrative support than the other APs deployed throughout the facility. Which feature must be enabled on the WLC and APs to achieve this goal?
A. local management users
B. HTTPS access
C. 802.1X supplicant credentials
D. override global credentials
Selected Answer: D
Question #: 132
Topic #: 1
An engineer configured a Cisco AireOS controller with two TACACS+ servers. The engineer notices that when the primary TACACS+ server fails, the WLC starts using the secondary server as expected, but the WLC does not use the primary server again until the secondary server fails or the controller is rebooted. Which cause of this issue is true?
A. Fallback is enabled
B. Fallback is disabled
C. DNS query is disabled
D. DNS query is enabled
Selected Answer: B
Question #: 133
Topic #: 1
An engineer is implementing RADIUS to restrict administrative control to the network with the WLC management IP address of 192.168.1.10 and an AP subnet of 192.168.2.0/24. Which entry does the engineer define in the RADIUS server?
A. administrative access defined on the WLC and the network range 192.168.2.0/255.255.254.0
B. NAS entry of the virtual interface and the network range 192.168.2.0/255.255.255.0
C. shared secret defined on the WLC and the network range 192.168.1.0/255.255.254.0
D. WLC roles for commands and the network range 192.168.1.0/255.255.255.0
Selected Answer: C
Question #: 134
Topic #: 1
A customer requires wireless traffic from the branch to be routed through the firewall at corporate headquarters. A RADIUS server is in each branch location.
Which Cisco FlexConnect configuration must be used?
A. central authentication and local switching
B. central authentication and central switching
C. local authentication and local switching
D. local authentication and central switching
Selected Answer: D
Question #: 135
Topic #: 1
Refer to the exhibit.
An engineer must restrict some subnets to have access to the WLC. When the CPU ACL function is enabled, no ACLs in the drop-down list are seen. What is the cause of the problem?
A. The ACL does not have a rule that is specified to the Management interface.
B. No ACLs have been created under the Access Control List tab.
C. When the ACL is created, it must be specified that it is a CPU ACL.
D. This configuration must be performed through the CLI and not through the web GUI.
Selected Answer: B
Question #: 136
Topic #: 1
An engineer configures the wireless LAN controller to perform 802.1x user authentication. Which configuration must be enabled to ensure that client devices can connect to the wireless, even when WLC cannot communicate with the RADIUS?
A. pre-authentication
B. local EAP
C. authentication caching
D. Cisco Centralized Key Management
Selected Answer: B
Question #: 137
Topic #: 1
An IT team is growing quickly and needs a solution for management device access. The solution must authenticate users from an external repository instead of the current local on the WLC, and it must also identify the user and determine what level of access users should have. Which protocol do you recommend to achieve these goals?
A. network policy server
B. RADIUS
C. TACACS+
D. LDAP
Selected Answer: C
Question #: 138
Topic #: 1
Refer to the exhibit. An engineer must connect a fork lift via a WGB to a wireless network and must authenticate the WGB certificate against the RADIUS server.
Which three steps are required for this configuration? (Choose three.)
A. Configure the certificate, WLAN, and radio interface on WGB.
B. Configure the certificate on the WLC.
C. Configure WLAN to authenticate using ISE.
D. Configure the access point with the root certificate from ISE.
E. Configure WGB as a network device in ISE.
F. Configure a policy on ISE to allow devices to connect that validate the certificate.
Selected Answer: ACF
Question #: 139
Topic #: 1
During the EAP process and specifically related to the client authentication session, which encrypted key is sent from the RADIUS server to the access point?
A. WPA key
B. session key
C. encryption key
D. shared-secret key
Selected Answer: B
Question #: 140
Topic #: 1
A network is set up to support wired and wireless clients. Both types must authenticate using 802.1X before connecting to the network. Different types of client authentication must be separated on a Cisco ISE deployment. Which two configuration items achieve this task? (Choose two.)
A. device profiles
B. policy sets
C. separate networks
D. policy groups
E. policy results
Selected Answer: BD
Question #: 141
Topic #: 1
An engineer is troubleshooting a Cisco CMX high-availability deployment and notices that the primary and backup Cisco CMX servers are both considered primary. Which command must the engineer run on the backup server?
A. cmxha convert backup
B. cmxha backup convert
C. cmxha secondary convert
D. cmxha convert secondary
Selected Answer: C
Question #: 142
Topic #: 1
A network administrator managing a Cisco Catalyst 9800-80 WLC must place all iOS connected devices to the guest SSID on VLAN 101. The rest of the clients must connect on VLAN 102 to distribute load across subnets. To achieve this configuration, the administrator configures a local policy on the WLC. Which two configurations are required? (Choose two.)
A. Assign a policy map under global security policy settings.
B. Add local profiling policy under global security policy settings.
C. Create a service template.
D. Allow HTTP and DHCP profiling under policy map.
E. Enable device classification on global wireless settings.
Selected Answer: CE
Question #: 143
Topic #: 1
An engineer is assembling a PCI report for compliance purposes and must include missed best practices that are related to WLAN controllers. The engineer has access to all WLCs, Cisco MSE, and Cisco Prime Infrastructure. Which method most efficiently displays a summary of inconsistencies?
A. WLC running-config
B. Cisco Prime Infrastructure monitoring
C. Cisco Prime Infrastructure reporting
D. WLC logs
Selected Answer: C
Question #: 144
Topic #: 1
An engineer is ensuring that, on the IEEE 802.1X wireless network, clients authenticate using a central repository and local credentials on the Cisco WLC. Which two configuration elements must be completed on the WLAN? (Choose two.)
A. TACACS+
B. MAC authentication
C. local EAP enabled
D. web authentication
E. LDAP server
Selected Answer: CE
Question #: 145
Topic #: 1
An engineer must enable LSS for the AppleTV mDNS service only when ORIGIN is set to Wired. Which action meets this requirement?
A. Set ORIGIN to Wired. Enable LSS by using the config mdns service lss All command.
B. Set ORIGIN to Wired. Enable LSS by using the config mdns service lss AppleTV command.
C. Set ORIGIN to either Wireless or All. Enable LSS by using the config mdns service lss All command.
D. Set ORIGIN to either Wireless or All. Enable LSS by using the config mdns service lss enable AppleTV command.
Selected Answer: D
Question #: 146
Topic #: 1
A Cisco 8540 WLC manages Cisco Aironet 4800 Series APs and sends AoA data to a Cisco CMX 3375 Appliance for Hyperlocation. The load from the WLC is distributed to another virtual CMX server using CMX grouping. The virtual CMX server shows location RSSI data and not Hyperlocation. No AoA metrics are shown on the metrics page of the CMX virtual appliance under System > Metrics > Location Metrics. How must the network administrator resolve this issue?
A. Enable Wireless > Access Points > Global configuration > Enable Hyperlocation on the WLC.
B. Enable the HALO module on the CMX appliance for the data collection.
C. Allow port 2003 for AoA packets to flow through between the CMX appliances.
D. Use one Hyperlocation-enabled WLC and CMX for AoA data.
Selected Answer: D
Question #: 147
Topic #: 1
An engineer completes the setup of a two-node Cisco ISE deployment for a guest portal. When testing the portal, the engineer notices that sometimes there is a certificate CN mismatch. Which certificate type helps resolve this issue?
A. Public-Signed Root
B. Public-Signed SAN
C. Self-Signed Wildcard
D. Self-Signed Standard
Selected Answer: B
Question #: 148
Topic #: 1
On a Cisco Catalyst 9800 Series Wireless Controller, an engineer wants to prevent a FlexConnect AP from allowing wireless clients to connect when its Ethernet connection is nonoperational. Which command set prevents this connection?
A. config terminal wireless flexconnect profile [profile name] ethernet-fallback-enable end
B. config terminal wireless flexconnect profile [profile name] fallback-radio-shut end
C. config terminal wireless profile flex [profile name] fallback-radio-shut end
D. config terminal wireless profile flex [profile name] ethernet-fallback-enable end
Selected Answer: C
Question #: 149
Topic #: 1
The security policy mandates that only controller web management traffic is allowed from the IT subnet. In testing, an engineer is trying to connect to a WLAN with Web Authentication for guest users, but the page is timing out on the wireless client browser. What is the cause of the issue?
A. The implemented CPU ACL on the controller is blocking HTTP/HTTPS traffic from the guest clients.
B. Web Authentication Redirect is not supported with CPU ACLs.
C. The DNS server that is configured on the controller is incorrect.
D. Web Authentication Redirect is supported only with Internet Explorer, and the client is using Google Chrome.
Selected Answer: A
Question #: 150
Topic #: 1
A controller shows that an AP in your environment is detecting interference, but the AP health score in Cisco DNA Center is unaffected. What are two reasons that Cisco DNA Center is ignoring the interference? (Choose two.)
A. The interference is less than or equal to 30% on the 2.4 GHz radio.
B. The interference is less than or equal to 50% on the 2.4 GHz radio.
C. Cisco DNA Center includes only Cisco CleanAir interferers in the AP health score.
D. The interference is less than or equal to 30% on the 5 GHz radio.
E. Cisco DNA Center does not include interference in the AP health score.
Selected Answer: BD
Question #: 151
Topic #: 1
An engineer must control administrative access to the WLC using their Active Directory without being concerned about RBAC after the admin user is authenticated. Which two features does the engineer configure to accomplish this task? (Choose two.)
A. Device Admin Policy Set
B. User Access Mode: ReadWrite
C. ACL
D. RADIUS server
E. TACACS server
Selected Answer: AE
Question #: 152
Topic #: 1
A network engineer must segregate all iPads on the guest WLAN to a separate VLAN. How does the engineer accomplish this task without using Cisco ISE?
A. Create a local policy on the WLC.
B. Use 802.1x authentication to profile the devices.
C. Use an mDNS profile for the iPad device.
D. Enable RADIUS DHCP profiling on the WLAN.
Selected Answer: A
Question #: 153
Topic #: 1
In a Cisco WLAN deployment, it is required that all APs from branch1 remain operational even if the control plane CAPWAP tunnel is down because of a WAN failure to headquarters. Which operational mode must be configured on the APs?
A. disconnected
B. standalone
C. lightweight
D. connected
Selected Answer: B
Question #: 154
Topic #: 1
An engineer added more APs to newly renovated areas in the building. The engineer is now receiving Out-of-Sync alarms on Cisco Prime Infrastructure. Which two actions resolve this issue? (Choose two.)
A. Manually synchronize from Cisco Prime Infrastructure.
B. Manually synchronize from MSE.
C. Enable automatic synchronization on Cisco Prime Infrastructure.
D. Enable automatic synchronization on MSE.
E. Add new APs to maps on Cisco Prime Infrastructure.
Selected Answer: AE
Question #: 155
Topic #: 1
A wireless administrator must assess the different client types connected to Cisco Catalyst 9800 Series Wireless Controller without using any external servers.
Which configuration must be added to the controller to achieve this assessment?
A. native profile
B. MAC classification
C. local profile
D. device classification
Selected Answer: D
Question #: 156
Topic #: 1
A customer is concerned that their wireless network is detecting spurious threats from channels that are not being used by their wireless infrastructure. Which two technologies must they deploy? (Choose two.)
A. FlexConnect mode
B. monitor mode
C. sniffer mode with no submode
D. local mode with WIPS submode
E. rogue detector mode
Selected Answer: BD
Question #: 157
Topic #: 1
A network engineer created a new wireless network that will be used for guest access. The corporate network must utilize all rates. The guest network must use only lower rates instead of 802.11n data rates. To what must the WMM policy of the WLAN be set to accomplish this task?
A. required
B. allowed
C. disabled
D. mandatory
Selected Answer: C
Question #: 158
Topic #: 1
Refer to the exhibit. An engineer implemented the CPU ACL on your Cisco 5520 Series Wireless LAN Controller, and the controller is no longer manageable via the network. What must be changed on this CPU ACL to enable it to manage the controller again?
A. Permit statements must be added to the top of the ACL in both directions, which specify the network to be managed from and the virtual interface of the controller.
B. Line 1 must be set to a destination port of HTTP.
C. Permit statements must be added to the top of the ACL, which specify the network to be managed from.
D. Line 1 must be set to the inbound direction.
Selected Answer: C
Question #: 159
Topic #: 1
A hospital wants to offer indoor directions to patient rooms utilizing its existing wireless infrastructure. The wireless network has been using location services specifications. Which two components must be installed to support this requirement? (Choose two.)
A. WIPS
B. Cisco MSE
C. Cisco CMX Visitor Connect
D. Cisco CMX AppEngage
E. Cisco CMX Analytics
Selected Answer: BC
Question #: 160
Topic #: 1
When configuring a large, high-availability wireless network, which change to a mobility group creates less load on the controllers and maintains the same mobility messages?
A. Configure mobility group multicast messaging.
B. Remove unnecessary controllers from the mobility group.
C. Configure the controllers into separate RF groups from the mobility groups.
D. Separate the controllers into different mobility groups per controller.
Selected Answer: B