Implementing Cisco Enterprise Wireless Networks (ENWLSI) — Question 171
WPA2 Enterprise with 802.1X is being used for clients to authenticate to a wireless network through a Cisco ISE server. For security reasons, the network engineer wants to ensure that only PEAP authentication is used. The engineer sent instructions to clients on how to configure the supplicants, but the ISE logs still show users authenticating using EAP-FAST. Which action ensures that access to the network is restricted for these users unless the correct authentication mechanism is configured?
Answer options
- A. Enable AAA override on the SSID, gather the usernames of these users, and disable the RADIUS accounts until the devices are correctly configured.
- B. Enable AAA override on the SSID and configure an ACL on the WLC that allows access to users with IP addresses from a specific subnet.
- C. Enable AAA override on the SSID and configure an access policy in Cisco ISE that denies access to the list of MACs that have used EAP-FAST.
- D. Enable AAA override on the SSID and configure an access policy in Cisco ISE that allows access only when the EAP authentication method is PEAP.
Correct answer: D
Explanation
Option D is correct: with AAA override enabled on the SSID, an access policy in Cisco ISE can allow access only when the EAP authentication method is PEAP, so users whose supplicants still use EAP-FAST are restricted until the correct mechanism is configured. The other options do not restrict access based on the authentication mechanism: disabling RADIUS accounts (A), an ACL tied to an IP subnet (B), and denying a list of MAC addresses (C) act on accounts, addresses or devices rather than on the EAP method, so they may not enforce the required PEAP-only authentication policy.