300-430 Questions and Answers

 If the administrator is unable to see interferers on the Cisco Prime Infrastructure maps, it could be due to the MSE (Mobility Services Engine) not being added and synchronized with Cisco Prime Infrastructure, which is essential for tracking and locating devices, including interferers. Additionally, if interferer tracking is not enabled on the MSE, it would not track or display the location of interferers on the maps. The other options, such as SNMP failure, reaching the Context Aware Service tracking limit, or inactive NSMP communication, would affect other aspects of network visibility but not specifically the tracking and display of interferers. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

 Cisco DNA Center is likely ignoring the interference detected by the AP because it includes only Cisco CleanAir interferers in the AP health score (option C), and the interference is less than or equal to 30% on the 5 GHz radio (option D). Cisco DNA Center’s AP health score algorithm may not consider interference that falls below a certain threshold or interference that is not identified as a CleanAir event. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide, particularly the chapters on Cisco DNA Center and CleanAir technology.

 For a BYOD setup using a dual SSID approach, the first SSID is typically used for device registration and the second for network access. Setting the NAC State to Radius NAC enables the network access control (NAC) to use RADIUS for authentication, authorization, and accounting. Allowing AAA Override enables the RADIUS server to dynamically change the VLAN and ACLs assigned to the endpoint, which is crucial for BYOD where devices need to be placed into the correct VLAN based on user role and device type. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide, particularly the chapters on BYOD and advanced WLAN configuration.

The Platinum QoS marking is typically used for the highest-priority traffic, such as voice and video. Given the requirement for a high average bitrate for the video application, Platinum would be the appropriate QoS marking to ensure the necessary bandwidth and priority on the WLAN. References := (CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide)

In a FlexConnect group with local switching but central DHCP, clients can use features like multicast and static IP without any issues. However, fast roaming, which allows clients to move seamlessly between access points with minimal delay, requires the access points to handle client information locally. If the configuration is changed to allow local DHCP, then the access points can cache client credentials, enabling fast roaming.

References :=

• CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide
• Cisco documentation on FlexConnect configurations

The issue described in the scenario occurs because when creating an Access Control List (ACL) to be used for managing traffic to the Wireless LAN Controller’s (WLC) CPU, it must be explicitly defined as a CPU ACL. If this specification is not made during the creation process, the ACL will not appear in the drop-down list when enabling the CPU ACL function. This is necessary because CPU ACLs are used to protect the WLC against potential Denial-of-Service (DoS) attacks by filtering incoming packets directed at the management interface before they are processed by the CPU. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

In a Cisco wireless LAN controller, setting a specific data rate to ‘Mandatory’ means that all wireless clients must be able to communicate at this rate. To ensure that multicast uses the 54Mbps rates, one must set the 54Mbps data rate to ‘Mandatory’. This configuration will make it so that all multicast traffic is transmitted at this minimum set data rate, thus meeting the requirement specified by the engineer.

To meet the requirement of allowing employees to easily onboard their personal devices and visitors to connect without reception desk intervention, configuring a self-registration guest portal on Cisco ISE is the appropriate solution. This feature enables guests to create their own accounts and gain network access, streamlining the process for both employees’ personal devices and visitors. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

The bronze QoS level is typically recommended for guest services in a wireless network environment. This level prioritizes basic internet access, which is suitable for guest services that do not require high bandwidth or low latency. It ensures that more critical services are not impacted by guest traffic, which is often less sensitive to performance fluctuations. References := CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

A Public-Signed SAN (Subject Alternative Name) certificate allows multiple domain names to be protected with a single certificate. This is useful in a distributed environment like a guest portal on Cisco ISE, where there may be multiple nodes with different Common Names (CNs). Using a SAN certificate can prevent CN mismatch errors during SSL/TLS handshakes. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

 mDNS has specific restrictions regarding its configuration. Option C is correct because mDNS is not supported on FlexConnect APs with a locally switched WLAN, which limits its deployment in certain network designs. Option D is also correct; the controller software must be newer than version 7.0.6 to support mDNS features, which means that older controller software versions do not have the necessary capabilities to handle mDNS. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

Application Visibility and Control (AVC) profiles must be implemented to remark the QoS value for WebEx traffic. AVC profiles allow the network to identify different applications and provide the appropriate QoS treatment, ensuring high-quality meetings. References := (CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide)

 A successful RF jamming attack primarily disrupts WLAN services by overwhelming the network with noise or unwanted signals, making it impossible for legitimate devices to communicate effectively. While physical damage to AP hardware is not a direct outcome of RF jamming, the persistent interference can lead to hardware malfunction due to overheating or overcompensation for the poor signal environment. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide.

In a historic building where adding APs is challenging, the best approach to implement intrusion protection with a focus on on-channel attacks is to use APs in monitor mode with the Wireless Intrusion Prevention System (WIPS) submode. This setup allows the APs to dedicate their time to scanning the environment for threats without serving clients, which is suitable given the adequate coverage and the need to monitor for attacks. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

 In a Cisco WLAN deployment where it is required that all APs from branch1 remain operational even if the control plane CAPWAP tunnel is down, the operational mode that must be configured on the APs is standalone (option B). In standalone mode, the APs can continue to function and provide network access to clients even without a connection to the WLC, which is essential during a WAN failure to headquarters. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide, with a focus on AP operational modes and their behavior during network disruptions.

To create an account for CLI access to an access point for troubleshooting, the WLC must be configured to allow user access with the capability to make changes. The ReadWrite User Access Mode enables an engineer to have full read and write access to the AP’s configuration via the CLI, which is necessary for performing troubleshooting tasks. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide.

 On a WLAN that uses IEEE 802.1X for wireless network authentication, enabling local EAP allows clients to authenticate using locally stored credentials on the Cisco Wireless LAN Controller (WLC), which is useful in scenarios where the external RADIUS server is unavailable. The LDAP server option is used to authenticate clients against a central repository, such as an LDAP directory. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

Wireless Multicast Forwarding (WMF) is the feature that allows the delivery of multicast content, such as a promotional video, to only interested hosts over a wireless network. It optimizes the use of network resources by ensuring that only the hosts that have expressed interest in the multicast group receive the data.

When a wireless controller is configured to authenticate clients against Microsoft Active Directory using PEAP (Protected Extensible Authentication Protocol), it uses RADIUS (Remote Authentication Dial-In User Service) as the protocol to communicate with the authentication server. RADIUS is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users who connect and use a network service.

To integrate the Mobility Services Engine (MSE) with Cisco Prime Infrastructure for tracking the location of clients and rogues on maps, it is essential to add the MSE to Cisco Prime Infrastructure using the communication credentials specific to Cisco Prime Infrastructure. This ensures that both systems can communicate effectively. Additionally, a valid license for location tracking must be applied to enable the MSE’s location services capabilities. Without this license, the MSE would not be able to provide client and rogue location tracking functionalities. References := ( CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide )

To segregate all iPads on the guest WLAN to a separate VLAN without using Cisco ISE, the engineer can create a local policy on the WLC (option A). This local policy can be configured to identify iPad devices and assign them to a specific VLAN based on their device profile or other identifying characteristics. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide, especially the sections that cover local policies and device profiling on the WLC.

The Cisco Aironet 600 Series OfficeExtend APs support various Layer 2 security options, including WPA+WPA2 and 802.1X. WPA and WPA2 provide secure encryption for wireless data, while 802.1X offers a robust authentication framework. These security options ensure that the wireless network is protected against unauthorized access and data breaches, which is crucial for remote workers connecting to the corporate network. References := CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

 For a startup company without LDAP, using the internal database of the RADIUS server is a viable solution to authenticate wireless users. This approach allows the company to maintain a directory of users within the RADIUS server itself, providing similar security and user experience as LDAP would. Users can be authenticated against this internal database, ensuring secure access to the wireless network. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

During the Extensible Authentication Protocol (EAP) process, the RADIUS server generates an encrypted session key after the client’s identity is authenticated. This session key is sent to the access point to encrypt data frames between the client and the access point. It ensures that each session has a unique encryption key, enhancing security. References: Look for information on EAP and RADIUS in the CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide.

The Media Stream feature on a Cisco WLC allows for the prioritization of streaming media. To guarantee at least 2 Mbps stream per user, the ‘coarse’ Resource Reservation Control (RRC) template should be used, as it provides the necessary bandwidth allocation for each user’s media stream. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

When a client is authenticated but cannot pass traffic in the RUN state, it indicates that an ACL may be blocking the traffic post-authentication. Disabling or modifying this ACL to allow traffic can resolve the connectivity issue, ensuring that the client’s traffic flows correctly after authentication with Cisco ISE.

Before running a Client Traffic Stream Metrics report in Cisco Prime Infrastructure, the task that must be run is “client status”. This task collects the necessary data regarding the clients’ traffic streams, which is then used to generate the report. References := Cisco Prime Infrastructure Reports User Guide

 The customizable security report in Cisco Prime Infrastructure that shows rogue access points (APs) detected since a point in time is the “New Rogue APs” report. This report is specifically designed to track and list all newly detected rogue APs within the network from a specified time, allowing network administrators to quickly identify unauthorized devices. References := ( CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide )

 The correct configuration for limiting Internet bandwidth for each guest client on a Cisco Catalyst 9800 WLC is through a policy map. A policy map allows the creation of policies that can manage traffic within a network. By setting a bandwidth limit within the policy map, the WLC can enforce the required QoS for guest clients. References := (CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide)

When an MSE with wIPS service is installed, it is crucial for alarm information to reach the MSE from the controllers. The Network Mobility Services Protocol (NMSP) is the protocol that facilitates this communication. Ensuring that NMSP is allowed through any firewalls or network security devices is essential for the proper functioning of the wIPS service. References := ( CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide )

The absence of rogue AP options in the navigation menu under Maps in Cisco Prime Infrastructure (PI) version 3.0 indicates that there is an issue with integrating location services, which are provided by Mobility Services Engine (MSE). Without adding MSE to PI, location-based services such as tracking rogue access points cannot be utilized or displayed within PI’s interface. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

For location analytics in a shopping center using AireOS controllers with Cisco Wave 2 APs, the CMX server settings must exclude probing clients to track only associated clients. This setting ensures that the location analytics data reflects the movements of clients that are actively connected to the WLAN, providing accurate insights into popular areas within the shopping center. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

For RADIUS to restrict administrative control effectively, the engineer needs to define a Network Access Server (NAS) entry that corresponds to the WLC’s management IP address and the AP subnet. The correct entry would be the NAS IP of the virtual interface (typically used for RADIUS communications) and the specific network range of the AP subnet, which is 192.168.2.0 with a subnet mask of 255.255.255.0. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide.

On a Cisco Catalyst 9800 Series Wireless Controller, the command set that prevents a FlexConnect AP from allowing wireless clients to connect when its Ethernet connection is nonoperational is the fallback-radio-shut command within the FlexConnect profile configuration. This command disables the radios on the AP, thus preventing client connections during Ethernet link failure. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

The feature required on the Cisco Wireless LAN Controller to support dynamic VLAN mapping is AAA override. This feature allows for the assignment of VLANs on a per-user basis as determined by the authentication, authorization, and accounting server. When AAA override is enabled, attributes such as VLAN ID can be dynamically applied to a user’s session after successful authentication and authorization. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

To ensure reliable streaming of multicast video over a wireless link, it’s essential to optimize the multicast settings on the controller. Option B, implementing video-stream for the multicast video on the controller, is a feature that optimizes the delivery of multicast streams by converting them into unicast streams for specific clients, thus improving reliability. Option C, allowing multicast-direct to work correctly, involves enabling multicast-direct globally, which allows multicast packets to be sent directly to clients without the need for them to subscribe to a specific multicast group, enhancing efficiency and reliability. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

The correct command to shut down the 2.4 GHz radio on a specific AP on a Cisco 3850 switch is ap name Floor1_AP1 dot11 24ghz shutdown. This command specifies the AP by name (Floor1_AP1), the radio frequency band (dot11 24ghz), and the action to be taken (shutdown). The other commands listed either reference the wrong frequency band, use incorrect syntax, or are not valid Cisco IOS commands for managing AP radios. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

In Cisco Prime Infrastructure, the maximum number of APs that can be used to contain an identified rogue access point in the WLC is four (4). This containment process involves using nearby APs to disrupt the rogue AP’s signals, thereby preventing it from effectively communicating with client devices. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide, which includes information on rogue AP detection and containment strategies within the WLC and Cisco Prime Infrastructure.

For new Access Points (APs) in a Cisco FlexConnect deployment, switch ports should be configured in trunk mode. This allows the APs to handle traffic for multiple WLANs or SSIDs, each associated with different VLANs. Trunk mode enables the AP to tag traffic with the correct VLAN IDs as per its configuration. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

Application Visibility and Control (AVC) profiles must be implemented to remark the QoS value for WebEx traffic. AVC profiles allow the network to identify different applications and provide the appropriate QoS treatment, ensuring high-quality meetings. References := (CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide)

To rename access points and add them to the correct AP groups on a wireless controller, the minimum custom attributes required using Cisco ISE TACACS is role1=WIRELESS. This role provides the necessary permissions for read/write access to wireless-related configurations. References := (CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide)

 The issue described occurs when the fallback feature is disabled on the Cisco AireOS controller. When fallback is disabled, the controller does not attempt to reconnect to the primary TACACS+ server after it becomes available again following a failure. Instead, it continues to use the secondary server until it fails or the controller is rebooted. Enabling fallback would allow the controller to periodically attempt to reconnect to the primary server. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide.

The feature that must be enabled to ignore non-802.11 interference is “Avoid Persistent Non-WiFi Interference.” This setting allows the Radio Resource Management (RRM) to not react to non-802.11 noise and interference, which can be crucial in environments where such interference is common but does not significantly impact wireless performance. By enabling this feature, RRM will not change the channel in response to non-IEEE 802.11 interferers, thus maintaining a stable channel plan. References := (CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide)

To integrate the Mobility Services Engine (MSE) with Cisco Prime Infrastructure for tracking the location of clients and rogues on maps, it is essential to add the MSE to Cisco Prime Infrastructure using the communication credentials specific to Cisco Prime Infrastructure. This ensures that both systems can communicate effectively. Additionally, a valid license for location tracking must be applied to enable the MSE’s location services capabilities. Without this license, the MSE would not be able to provide client and rogue location tracking functionalities. References := ( CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide )

The command in question is typically used to configure the switch to interact with a RADIUS server for session tracking purposes. The RADIUS server keeps track of authenticated sessions, ensuring that they are still active and monitoring for any changes in status. This is crucial for maintaining network security and ensuring that only authorized users have access to network resources.

On the Global Configuration page of a Wireless LAN Controller (WLC), for an Access Point (AP) to use IEEE 802.1X for authenticating to the wired infrastructure, it is necessary to configure a RADIUS shared secret. This secret will be used by the AP as part of its credentials when communicating with a RADIUS server during the authentication process. References: (CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide)

Cisco Connected Mobile Experiences (CMX) Location Analytics requires accurate tracking of devices within the wireless network’s coverage area. To utilize CMX Location Analytics effectively, it is essential to enable tracking parameters in Cisco Mobility Services Engine (MSE). This allows MSE to collect data on device locations and movements within the environment, which can then be analyzed by CMX for insights into customer behavior, asset tracking, or other analytical purposes. References := ( CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide )

 Cisco AVC (Application Visibility and Control) on a Cisco Wireless LAN Controller (WLC) is used to prioritize traffic by marking the packets. For Cisco IP cameras that use the wireless network, the AVC rule would be configured to mark the packets with a specific QoS value, ensuring that the video traffic is treated with higher priority as it traverses the network. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

The correct command to add a VLAN with a specific ID to a FlexConnect group in a Cisco Wireless LAN Controller (WLC) is ‘config flexconnect group BranchA-FCG vlan 30 add’. This command specifies the FlexConnect group name ‘BranchA-FCG’ and the VLAN ID ‘30’, followed by the action ‘add’, which is consistent with Cisco’s CLI syntax for WLC configuration. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

The FlexConnect AP Upgrade feature allows for a selective upgrade process within a FlexConnect group. By not setting any master APs, the WLC will automatically select one AP of each model with the lowest MAC address to receive the upgrade directly from the controller. This ensures that the upgrade is distributed efficiently across different AP models in the group without manual intervention.

References := (CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide)

 IGMP snooping is a feature that allows a network switch to listen to the Internet Group Management Protocol (IGMP) network traffic. This feature enables the switch to identify the multicast streams to which hosts are interested and to forward multicast traffic intelligently. By enabling IGMP snooping on the Wireless LAN Controller (WLC), it ensures that multicast streams are only forwarded to the access points (APs) where clients are subscribed to them. Setting the AP multicast mode to a specific multicast address, such as 238.255.255.255, allows the WLC to send multicast traffic to APs using this address, which helps in efficient distribution of the multicast stream.

Apple’s Fastlane technology is used to prioritize traffic from iOS devices on the network. By enabling Fastlane under each WLAN setting, the network can recognize and prioritize traffic from Apple iOS devices, addressing the QoS issues for these devices on the WLANs. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

In this scenario where branch wireless users can still associate locally but cannot access head office services due to WAN downtime indicates that Cisco FlexConnect is likely in use. The correct elements are: A - authentication-local/switch-local: This means that client authentication and data switching are happening locally at the branch. E - standalone mode: With WAN down, FlexConnect APs operate in standalone mode allowing clients to associate even without connectivity back to WLC. F - WEB authentication: This could be used as an authentication method regardless of WAN state since it’s processed locally at AP level. References := (CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

 EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) is an EAP method that an Access Point (AP) can use to authenticate to the wired network. EAP-TLS is considered one of the most secure EAP methods because it uses mutual authentication, where both the client and the server authenticate each other using certificates.

Local EAP (Extensible Authentication Protocol) allows wireless LAN controllers to directly authenticate clients using an internal database, which can be useful when external RADIUS servers are unreachable. By enabling local EAP, client devices can still connect to wireless networks even if communication with RADIUS servers fails, ensuring continuous network access for users. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

 To ensure the 1810 OEAP can join the controller from remote teleworker locations, the firewall must allow specific UDP ports that are used for AP communication with the controller. UDP ports 5246 and 5247 are used for Control and Provisioning of Wireless Access Points (CAPWAP) control and data messages, while UDP ports 12222 and 12223 are used for OfficeExtend APs’ data traffic. Blocking these ports would prevent the APs from joining the controller, hence they must be allowed on the firewall.

 The benefit of using dual SSIDs with a captive portal on the onboard SSID compared to a single SSID solution is the ability to restrict allowed device types. With a dual SSID setup, one SSID can be used for onboarding new devices with a captive portal that can enforce policies and check the device type before allowing access to the main SSID. This helps in maintaining a secure and compliant network environment. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide

 To ensure the 1810 OEAP can join the controller from remote teleworker locations, the firewall must allow specific UDP ports that are used for AP communication with the controller. UDP ports 5246 and 5247 are used for Control and Provisioning of Wireless Access Points (CAPWAP) control and data messages, while UDP ports 12222 and 12223 are used for OfficeExtend APs’ data traffic. Blocking these ports would prevent the APs from joining the controller, hence they must be allowed on the firewall.

Cisco CMX Visitor Connect supports various social connectors for guest network login. The configurable social connectors include LinkedIn, Google+, and Facebook, but not Pinterest, Medium, or Myspace. References: CCNP Enterprise Wireless Design ENWLSD 300-425 and Implementation ENWLSI 300-430 Official Cert Guide