Question 9 - Cisco 300-430 Real Exam Questions [Jan 2026 Update]

Q: 9

The security policy mandates that only controller web management traffic is allowed from the IT subnet. In testing, an engineer is trying to connect to a WLAN with Web Authentication for guest users, but the page is timing out on the wireless client browser. What is the cause of the issue? Google Chrome.

Options

Correct Answer:

Explanation

A CPU Access Control List (ACL) on a Cisco Wireless LAN Controller (WLC) filters traffic destined for the controller's own CPU. This includes management traffic (HTTP/S, SSH) and client-related control plane traffic, such as Web Authentication redirects. The stated policy restricts access to the IT subnet only. When a guest client connects, the WLC intercepts its initial web request to redirect it to the authentication portal. This intercepted traffic originates from the guest subnet and is destined for the WLC's CPU. The overly restrictive CPU ACL, which only permits traffic from the IT subnet, will block the guest's request, causing the connection to time out.

Why Incorrect

B: Web Authentication is fully supported with CPU ACLs; the feature is designed to selectively permit such traffic while blocking other unwanted traffic.

C: An incorrect DNS server on the controller would affect its ability to resolve external hostnames, not the initial IP-based redirection to its internal web portal.

D: Web Authentication uses standard HTTP/HTTPS redirects and is browser-agnostic; it is not limited to a specific browser like Internet Explorer.

References

1. Cisco Wireless LAN Controller Configuration Guide

Release 8.5

"Configuring CPU ACLs" section: "The controller has a CPU ACL. This ACL is configurable and is used to protect the controller CPU from DoS attacks and other malicious traffic... When you create a CPU ACL

you must permit the traffic from your wireless clients that require access to the controller CPU. For example

if you are using web authentication

you must permit HTTP and HTTPS." This confirms that a misconfigured ACL will block web authentication.

2. Cisco

"Cisco Wireless LAN Controller (WLC) CPU ACLs" White Paper: "The CPU ACLs are applied to traffic that is destined to the CPU of the WLC. This includes management traffic (Telnet

SSH

HTTP

HTTPS

and SNMP) and traffic from wireless clients that is terminated on the WLC

such as web authentication." This document explicitly states that web authentication traffic is processed by the CPU ACL.

3. Enterprise Mobility 8.5 Design Guide

"WLC Platform Features > CPU ACL" section: "The purpose of the CPU ACL is to protect the WLC CPU from being overloaded by traffic that is not essential to the operation of the WLC... If you configure a CPU ACL

you must be sure to permit all of the traffic that you want the WLC to process. For example

if you are using external web authentication

you must be sure to permit traffic from the web server to the WLC." This highlights the necessity of correctly permitting required traffic.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE