Which two advanced WLAN options are required when deploying central web authentication with Cisco ISE? (Choose two.)

Which two advanced WLAN options are required when deploying central web authentication with Cisco ISE? (Choose two.)
A . NAC State RADIUS NA
C . DHCP Addr. Assighment disabled.
D . NAC State SNMP NA
F . P2P Blocking Action set to Drop.
G . Allow AAA Override enabled.

View Answer

Answer: AE

Explanation:

The WLC configuration is fairly straightforward. Atrickis used (same as on switches) in order to obtain the dynamic authentication URL from the ISE (since it uses Change of Authorization (CoA), a session must be created and the session ID is part of the URL). The SSID is configured in order to use MAC filtering. The ISE is configured in order to return an access-accept even if the MAC address is not found, so that it sends the redirection URL for all users.

In addition to this, RADIUS Network Admission Control (NAC) and Authentication, Authorization, and Accounting (AAA) Override must be enabled. The RADIUS NAC allows the ISE to send a CoA request that indicates that the user is now authenticated and is able to access the network. It is also used for posture assessment, in which case the ISE changes the user profile based on the posture result.

Ensure that the RADIUS server has RFC3576 (CoA) enabled, which is by default.

Reference: http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central­web-auth-00.html