Exhibit:

Refer to the exhibit. A network administrator is working on a WLC to enable user access for employee tablets using PEAP-MSCHAPv2 with a RADIUS backend. The administrator verifies the external authentication configuration and plans to test network connectivity. Which code snippet must be added to the configuration for the WLC to support authentication with an external server?
Answer : A
The missing command is radius server external-radius. On a Catalyst 9800 WLC, the external RADIUS server object must be declared first with radius server <server-name>. The following lines, address ipv4 10.10.10.100 auth-port 1812 acct-port 1813 and key radiuskey, are subcommands entered under that RADIUS server configuration mode. Cisco's Catalyst 9800 802.1X configuration workflow starts by declaring the RADIUS server, then adding it to a RADIUS server group, then creating the authentication method list, and finally mapping that list to the WLAN. Cisco's configuration guide example uses the same IOS XE structure: radius server <name>, followed by address ipv4 ... auth-port 1812 acct-port 1813 and key ....
The server group later references server name external-radius, so the RADIUS server object must be named external-radius exactly. Option C would incorrectly create a server named RADIUS-GRP, which is already the AAA server group name, not the RADIUS server object. Options B and D are invalid IOS XE syntax. PEAP-MSCHAPv2 itself is handled through the 802.1X/EAP exchange with the RADIUS server; the WLC acts as the authenticator and forwards authentication requests through the configured AAA method list. Reference topic: Client Connectivity Configuration --- WPA2-Enterprise, 802.1X, RADIUS server objects, AAA groups, and WLAN authentication-list binding.
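The exact-name dependency described above can be checked mechanically before a config is pushed. The following is an added example, not part of the original page or Cisco's tooling: a small Python check that flags AAA references to undeclared objects. The function name, the sample configs and the method-list name DOT1X-LIST are assumptions built around the commands quoted in the explanation.

```python
import re

def check_radius_references(config: str) -> list[str]:
    """Report AAA references that point at objects the config never declares."""
    servers = set()      # names declared with "radius server <name>"
    groups = {}          # group name -> [(line_no, referenced server name)]
    method_refs = []     # (line_no, group named in a dot1x method list)
    current_group = None
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():          # a top-level command ends any sub-mode
            current_group = None
        if m := re.fullmatch(r"radius server (\S+)", line):
            servers.add(m.group(1))
        elif m := re.fullmatch(r"aaa group server radius (\S+)", line):
            current_group = m.group(1)
            groups[current_group] = []
        elif current_group and (m := re.fullmatch(r"server name (\S+)", line)):
            groups[current_group].append((no, m.group(1)))
        elif m := re.fullmatch(r"aaa authentication dot1x \S+ (.+)", line):
            method_refs += [(no, g) for g in re.findall(r"group (\S+)", m.group(1))]
    findings = []
    for group, refs in groups.items():
        for no, name in refs:
            if name not in servers:       # names must match exactly
                findings.append(f"line {no}: group {group} references "
                                f"undeclared radius server {name}")
    for no, group in method_refs:
        if group not in groups and group != "radius":   # "radius" is built in
            findings.append(f"line {no}: method list references undeclared group {group}")
    return findings

# Constructed sample configs; DOT1X-LIST is an assumed method-list name.
TEMPLATE = """\
{decl}
 address ipv4 10.10.10.100 auth-port 1812 acct-port 1813
 key radiuskey
aaa group server radius RADIUS-GRP
 server name external-radius
aaa authentication dot1x DOT1X-LIST group RADIUS-GRP
"""
GOOD = TEMPLATE.format(decl="radius server external-radius")
WRONG_NAME = TEMPLATE.format(decl="radius server RADIUS-GRP")  # server named after the group

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("wrong name", WRONG_NAME)):
        print(label, check_radius_references(cfg))
```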
A network administrator at a construction company manages a Cisco Catalyst 9800 Series Wireless Controller running Cisco IOS XE 17.x. The WLAN named XYZ-Conference is set up for a large event, but attendees report slow network performance due to misbehaving clients. To improve connectivity, the network administrator decides to change the client exclusion policy on the WLAN to temporarily block the misbehaving clients. The XYZ-Conference WLAN must enable a client exclusion policy with a timeout of 120 seconds for misbehaving clients. Which set of Cisco IOS XE commands must be used?
Answer : D
Client exclusion is a feature in Cisco Catalyst 9800 WLCs that allows the administrator to temporarily block clients exhibiting misbehavior, such as excessive retries, excessive bandwidth usage, or roaming issues. The IOS XE CLI command for enabling client exclusion in a WLAN policy is client-exclusion <timeout>, where <timeout> defines the duration (in seconds) the client is prevented from associating with the WLAN. Option D correctly uses client-exclusion 120 to block the misbehaving clients for 120 seconds. Option A (exclude 120) is not valid IOS XE syntax. Option B (exclusionlist timeout 120) is also incorrect as it refers to internal exclusion lists, not the WLAN policy applied to live clients. Option C (security exclusion timeout 120) is invalid and does not configure client exclusion at the WLAN policy level. Cisco Wireless Core Technologies emphasize using client exclusion policies during high-density events or temporary network congestion to ensure network fairness, protect overall WLAN performance, and maintain connectivity for well-behaving clients. Reference topics: Client Connectivity Configuration --- Client exclusion, WLAN policy, misbehaving client mitigation, Cisco Catalyst 9800 IOS XE.
What is an attribute of the workgroup bridge mode for an AP in a wireless network?
Answer : D
The workgroup bridge mode on a Cisco access point is designed to integrate a wired network segment into an existing wireless infrastructure. In this mode, the AP acts as a client to a root AP or wireless controller-managed network, bridging Ethernet-connected devices on its wired ports to the wireless LAN. This is commonly deployed in environments where wired devices, such as printers, legacy systems, or isolated office equipment, require network connectivity but cannot directly connect to the wired backbone.
Traffic from devices on the wired segment is encapsulated and transmitted over the wireless link to the root AP, effectively extending network access without running physical cabling. Unlike bridging between multiple AP radios (2.4 GHz vs. 5 GHz), or providing inter-Ethernet port forwarding, the primary attribute of a workgroup bridge is wireless-to-wired integration, not radio-to-radio communication or internal LAN segmentation. Broadcast domains are limited to the bridged wired segment and the wireless uplink; they are not automatically extended across all interfaces without VLAN configuration.
Cisco deployment guides emphasize that workgroup bridge mode is ideal for connecting remote wired clusters to a centralized WLAN, providing seamless connectivity while maintaining security and management under the controller or root AP. Reference topic: Wireless Network Implementation --- AP operational modes, workgroup bridge, and wired segment integration.
What is a feature of an RTS frame in the context of 802.11 frame types?
Answer : B
An RTS frame is an 802.11 control frame used in the Request to Send/Clear to Send exchange. Cisco identifies RTS as a Request to Send frame and explains that 802.11 control frames assist in delivering data frames between stations. Cisco further states that the RTS/CTS function is optional, helps reduce collisions when hidden stations are associated to the same access point, and that a station sends an RTS frame as the first phase before transmitting a data frame.
Therefore, option B is correct because the RTS frame requests access to the wireless medium before data transmission. If the receiving station or AP replies with CTS, nearby stations defer transmission based on the duration information, reducing collision probability. This is especially relevant in hidden-node environments where two clients can hear the AP but cannot hear each other. Option A refers to RF spectral-mask compliance, which is a physical-layer regulatory concept. Option C confuses NAV behavior with roaming; RTS/CTS may influence virtual carrier sensing, not client roaming updates. Option D is unrelated because frame compression is not an RTS function. Reference topics: 802.11 frame types, control frames, RTS/CTS, CSMA/CA, hidden-node mitigation, and medium reservation.
A medium-sized enterprise must provide wireless internet to visitors in their lobby using a Cisco 9800 WLC. The solution must meet these requirements:
Ensure that guests cannot access the corporate LAN.
Guests are redirected to a login page before browsing.
The guest network must use a separate VLAN from internal users.
Access must be limited to web browsing only.
Guest access does not require any preshared keys or certificates.
Which two actions must be taken to achieve this solution? (Choose two.)
Answer : A, E
To implement a guest Wi-Fi network on a Cisco 9800 WLC with the requirements mentioned, the solution must ensure that guests are isolated from the corporate LAN and are redirected to a login page before being able to access the internet. Additionally, access needs to be restricted to web browsing only, with no need for preshared keys or certificates.
Option A: 'Create a WLAN that uses a web policy and points to a consent parameter map.'
This is necessary to enforce the login page and redirect users to a webauth page. By creating a WLAN with web policy, you ensure that users are redirected to a captive portal where they can accept the terms and conditions or login to the network. This solution also helps in segregating the guest network from the corporate network, as users are contained within their VLAN.
Option E: 'Deploy a WLAN policy that points wireless users to a webauth parameter map.'
Web authentication (webauth) is an essential part of guest access. Deploying a WLAN policy with webauth ensures that users are directed to the login page (a webauth parameter map), allowing them to authenticate before browsing the internet.
Other options:
Option B would block mDNS, but it does not directly address the need for a login page or VLAN segregation.
Option C is important for enforcing access control policies, but it doesn't fulfill all the requirements of the login page and limited access (web browsing only).
Option D is unrelated to the requirement of providing access only to web browsing, as it primarily addresses peer-to-peer traffic blocking, which is not directly tied to web access control.
Therefore, the correct solution involves combining a web policy with a webauth parameter map for login page redirection (A and E).
Which result is produced using a power ratio of 10:1 in standard decibel calculations?
Answer : C
In decibel calculations, the formula used to convert a power ratio to decibels (dB) is:
Thus, the power ratio of 10:1 corresponds to a 10 dB change in power.
Option A: -20 dB would correspond to a ratio of 0.01:1, not 10:1.
Option B: 5 dB would correspond to a power ratio of approximately 3.16:1, not 10:1.
Option D: 15 dB would correspond to a ratio of 31.62:1, not 10:1.
Therefore, Option C: 10 dB is the correct answer, as it is the result of a power ratio of 10:1.

A retail store is setting up guest Wi-Fi on a Cisco 9800 WLC. The IT team has these requirements:
Guests are prompted for web authentication.
After login, traffic is restricted to internet-only access.
Guest WLAN must be available throughout all sales floors.
Guest WLAN must not impact the existing corporate WLAN.
Guest SSID must not require a password.
Which set of configurations must the IT team deploy to meet the requirements?
Answer : C
For a retail guest WLAN deployment, Cisco best practices dictate using central web authentication (web-auth) combined with access control lists (ACLs) to enforce network segmentation and restrict guest traffic to internet-only access. Central web authentication allows all guest devices to be redirected to a captive portal for login without requiring a pre-shared key or WPA2-Enterprise credentials, satisfying the "no password" requirement. Applying an ACL that blocks access to internal subnets ensures that guest traffic cannot interfere with corporate networks while still permitting internet connectivity. Option A is unsuitable because WPA2-Enterprise and dynamic VLAN assignment are designed for employee or secure networks, not open guest access. Option B provides local web-auth, which is limited to a single WLC and does not scale across multiple floors effectively. Option D (MAC filtering) only enforces device-level access but does not provide web-based login or segmentation, failing the requirement for captive portal and internet-only access. Cisco Wireless Core Technologies recommend central web authentication with ACL enforcement for guest networks to provide consistent coverage, network isolation, and compliance with security policies across multiple APs and WLCs. Reference topics: Client Connectivity Configuration --- Guest WLAN deployment, central web-auth, ACL enforcement, segmentation from corporate WLAN.