Which two advanced WLAN options are required when deploying central web authentication with Cisco ISE? (Choose two.)
The WLC configuration is fairly straightforward.
Atrickis used (same as on switches) in order to obtain the dynamic authentication URL from the ISE (since it uses Change of Authorization (CoA), a session must be created and the session ID is part of the URL)
The SSID is configured in order to use MAC filtering.
The ISE is configured in order to return an access-accept even if the MAC address is not found, so that it sends the redirection URL for all users.
In addition to this, RADIUS Network Admission Control (NAC) and Authentication, Authorization, and Accounting (AAA) Override must be enabled.
The RADIUS NAC allows the ISE to send a CoA request that indicates that the user is now authenticated and is able to access the network.
It is also used for posture assessment, in which case the ISE changes the user profile based on the posture result.
Ensure that the RADIUS server has RFC3576 (CoA) enabled, which is by default.http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html
Central web authentication with Cisco ISE (Identity Services Engine) is used to authenticate wireless clients against a central web authentication portal hosted by the ISE. This provides a higher level of security by ensuring that wireless clients are authenticated before accessing the network.
The two advanced WLAN options required when deploying central web authentication with Cisco ISE are:
NAC State RADIUS NA - This option is used to enable Network Admission Control (NAC) for wireless clients. When NAC is enabled, the ISE verifies that the wireless client is compliant with the organization's security policies before allowing it to access the network. RADIUS NA (Network Access) is a type of RADIUS message used to convey the result of the NAC posture assessment.
Allow AAA Override enabled - This option is used to allow the ISE to override the AAA (Authentication, Authorization, and Accounting) settings configured on the wireless LAN controller. This is necessary to ensure that all wireless clients are authenticated against the central web authentication portal hosted by the ISE. If AAA Override is not enabled, wireless clients may be able to bypass the central web authentication portal and access the network without proper authentication.
The other options listed in the question are not directly related to central web authentication with Cisco ISE.
DHCP Addr. Assighment disabled - Disabling DHCP address assignment would prevent wireless clients from obtaining an IP address from the DHCP server. This is not necessary for central web authentication with Cisco ISE.
NAC State SNMP NA - SNMP (Simple Network Management Protocol) is used for network monitoring and management, and is not directly related to central web authentication with Cisco ISE.
P2P Blocking Action set to Drop - This option is used to block peer-to-peer traffic on the wireless network, which can improve security and reduce network congestion. However, it is not required for central web authentication with Cisco ISE.
In summary, the two advanced WLAN options required when deploying central web authentication with Cisco ISE are NAC State RADIUS NA and Allow AAA Override enabled.