The answer is to change the WLAN security to WPA2, enable SSID broadcast, and configure the WLAN interface to use VLAN 100 with a DHCP scope on that VLAN. This resolves the wireless client association failure because the client only supports WPA2, not WPA3, and the hidden SSID prevents client discovery, while the missing DHCP scope on VLAN 100 blocks IP address assignment. On the CCNA 200-301 v2 exam, this scenario tests your ability to troubleshoot client association by correlating authentication mismatches, broadcast settings, and VLAN mapping—a common trap is assuming the management interface VLAN (1) handles client DHCP, but client traffic must use the designated WLAN VLAN. Remember the three-step fix: match security, reveal the SSID, and pair the VLAN with a DHCP scope. A useful memory tip is “AID” for Authentication (WPA2), Interface (broadcast on), and DHCP (VLAN scope).
CCNA Network Infrastructure and Connectivity Practice Question
This 200-301 practice question tests your understanding of network infrastructure and connectivity. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
WLC Configuration (partial)
interface Management
ip address 192.168.1.10 255.255.255.0
no shutdown
!
wlan CorpNet 1 CorpNet
ssid CorpNet
security wpa3-sae
security wpa akm sae
security wpa psk ascii 7 1234567890abcdef
no security wpa2
no security wpa
no security wpa3-sae
!
interface wlan 1
vlan 100
!
wlan enable 1
!
wlan ssid CorpNet
broadcast-ssid disable
!
! End of configuration
You are troubleshooting a wireless client association failure on a Cisco WLC. The client is unable to connect to the corporate SSID 'CorpNet' and reports an authentication error. Review the WLC configuration and fix the issue so that the client can associate and obtain an IP address from VLAN 100. The WLC management IP is 192.168.1.10/24.
WLC Configuration (partial)
interface Management
ip address 192.168.1.10 255.255.255.0
no shutdown
!
wlan CorpNet 1 CorpNet
ssid CorpNet
security wpa3-sae
security wpa akm sae
security wpa psk ascii 7 1234567890abcdef
no security wpa2
no security wpa
no security wpa3-sae
!
interface wlan 1
vlan 100
!
wlan enable 1
!
wlan ssid CorpNet
broadcast-ssid disable
!
! End of configuration
A
Change the WLAN security to WPA2, enable SSID broadcast, and configure the WLAN interface to use VLAN 100 with a DHCP scope on that VLAN.
This option correctly addresses all three issues: WPA3 is not backward compatible with WPA2 clients, so switching to WPA2 (or enabling WPA2/WPA3 mixed mode) allows the client to authenticate. Enabling SSID broadcast lets the client discover the network. Configuring the WLAN interface for VLAN 100 and ensuring a DHCP scope exists on that VLAN provides IP addressing.
B
Change the WLAN security to WPA3 only, enable SSID broadcast, and change the management interface IP to 192.168.100.10/24.
Why wrong: This is incorrect because WPA3 only would still not work if the client does not support WPA3. Changing the management interface IP is unnecessary and does not fix the VLAN mismatch for client traffic; the WLAN interface should be mapped to VLAN 100, not the management interface.
C
Keep WPA3, disable SSID broadcast for security, and configure the WLAN interface to use VLAN 100 with a DHCP scope on VLAN 1.
Why wrong: This is incorrect because keeping WPA3 may still cause authentication failure if the client does not support it. Disabling SSID broadcast prevents the client from seeing the SSID. Configuring the WLAN interface for VLAN 100 but placing the DHCP scope on VLAN 1 means clients on VLAN 100 cannot obtain an IP address.
D
Change the WLAN security to WPA2, keep SSID broadcast disabled, and configure the WLAN interface to use VLAN 1.
Why wrong: This is incorrect because while changing to WPA2 fixes the authentication issue, keeping SSID broadcast disabled prevents the client from seeing the SSID. Configuring the WLAN interface to use VLAN 1 would place clients on the management VLAN, not VLAN 100 as required.
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
✓
Change the WLAN security to WPA2, enable SSID broadcast, and configure the WLAN interface to use VLAN 100 with a DHCP scope on that VLAN.
The client authentication and DHCP issues are caused by: (1) WPA3 being configured while the client only supports WPA2, (2) SSID broadcast disabled, preventing client discovery, and (3) the WLAN's client VLAN (100) lacking a DHCP server or scope. The management interface VLAN (1) does not interfere with client DHCP. To resolve, change security to WPA2, enable SSID broadcast, and ensure the WLAN is associated with the correct VLAN (100) and a DHCP scope exists on that VLAN.
Key principle: A trunk being up does not mean the VLAN is allowed across it. Always verify the allowed VLAN list and whether the VLAN exists on both switches.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✓
Change the WLAN security to WPA2, enable SSID broadcast, and configure the WLAN interface to use VLAN 100 with a DHCP scope on that VLAN.
Why this is correct
This option correctly addresses all three issues: WPA3 is not backward compatible with WPA2 clients, so switching to WPA2 (or enabling WPA2/WPA3 mixed mode) allows the client to authenticate. Enabling SSID broadcast lets the client discover the network. Configuring the WLAN interface for VLAN 100 and ensuring a DHCP scope exists on that VLAN provides IP addressing.
Related concept
Access ports place end devices into a single VLAN.
✗
Change the WLAN security to WPA3 only, enable SSID broadcast, and change the management interface IP to 192.168.100.10/24.
Why it's wrong here
This is incorrect because WPA3 only would still not work if the client does not support WPA3. Changing the management interface IP is unnecessary and does not fix the VLAN mismatch for client traffic; the WLAN interface should be mapped to VLAN 100, not the management interface.
✗
Keep WPA3, disable SSID broadcast for security, and configure the WLAN interface to use VLAN 100 with a DHCP scope on VLAN 1.
Why it's wrong here
This is incorrect because keeping WPA3 may still cause authentication failure if the client does not support it. Disabling SSID broadcast prevents the client from seeing the SSID. Configuring the WLAN interface for VLAN 100 but placing the DHCP scope on VLAN 1 means clients on VLAN 100 cannot obtain an IP address.
✗
Change the WLAN security to WPA2, keep SSID broadcast disabled, and configure the WLAN interface to use VLAN 1.
Why it's wrong here
This is incorrect because while changing to WPA2 fixes the authentication issue, keeping SSID broadcast disabled prevents the client from seeing the SSID. Configuring the WLAN interface to use VLAN 1 would place clients on the management VLAN, not VLAN 100 as required.
Option-by-option analysis
Why each answer is right or wrong
Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.
✓Change the WLAN security to WPA2, enable SSID broadcast, and configure the WLAN interface to use VLAN 100 with a DHCP scope on that VLAN.Correct answer▾
Why this is correct
This option correctly addresses all three issues: WPA3 is not backward compatible with WPA2 clients, so switching to WPA2 (or enabling WPA2/WPA3 mixed mode) allows the client to authenticate. Enabling SSID broadcast lets the client discover the network. Configuring the WLAN interface for VLAN 100 and ensuring a DHCP scope exists on that VLAN provides IP addressing.
✗Change the WLAN security to WPA3 only, enable SSID broadcast, and change the management interface IP to 192.168.100.10/24.Wrong answer — click to see why▾
Why this is wrong here
The specific factual error is that WPA3-only security may not be supported by the client, and changing the management interface IP does not resolve the client VLAN assignment issue.
Why candidates choose this
Candidates might think that since the management IP is on VLAN 1, changing it to a different subnet could help, but the management interface is separate from the WLAN interface used for client data.
✗Keep WPA3, disable SSID broadcast for security, and configure the WLAN interface to use VLAN 100 with a DHCP scope on VLAN 1.Wrong answer — click to see why▾
Why this is wrong here
The specific factual errors are: WPA3 may not be compatible, disabling SSID broadcast hides the network, and DHCP scope must be on the same VLAN as the client (VLAN 100).
Why candidates choose this
Candidates might believe that disabling SSID broadcast improves security and that DHCP can be served from a different VLAN, but in this scenario the client cannot get an IP from a different subnet.
✗Change the WLAN security to WPA2, keep SSID broadcast disabled, and configure the WLAN interface to use VLAN 1.Wrong answer — click to see why▾
Why this is wrong here
The specific factual errors are: SSID broadcast must be enabled for client discovery, and the WLAN interface must be mapped to VLAN 100, not VLAN 1.
Why candidates choose this
Candidates might think that since the management interface is on VLAN 1, using VLAN 1 for clients is simpler, but the requirement specifies VLAN 100 for client traffic.
Analysis generated from the official 200-301blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”
Common exam traps
Common exam trap: an active trunk can still block the VLAN you need
A trunk being up does not prove every VLAN is crossing it. Check allowed VLAN lists, native VLAN mismatch, VLAN existence and access-port assignment.
Detailed technical explanation
How to think about this question
VLAN questions usually combine access-port and trunking clues. The key is to identify whether the issue is local to one switchport, caused by the trunk, or caused by the VLAN not existing where it needs to exist.
KKey Concepts to Remember
Access ports place end devices into a single VLAN.
Trunk ports carry multiple VLANs between switches.
Allowed VLAN lists decide which VLANs can cross a trunk.
Native VLAN mismatch can create confusing symptoms.
TExam Day Tips
→Use show vlan brief to verify access VLANs.
→Use show interfaces trunk to verify trunk state and allowed VLANs.
→Do not treat every same-VLAN issue as a routing problem.
Key takeaway
A trunk being up does not mean the VLAN is allowed across it. Always verify the allowed VLAN list and whether the VLAN exists on both switches.
Real-world example
How this comes up in practice
A help-desk technician troubleshoots why a newly connected PC cannot reach shared printers on the same floor. The cable is good, the switch port is active, but the PC is in VLAN 20 and the printers are in VLAN 10. The uplink trunk only allows VLAN 10. A trunk being up does not mean every VLAN crosses it.
Related glossary terms
Concepts from this question explained
These glossary pages explain the core terms tested in this 200-301 question in full detail.
Review VLAN allowed lists, native VLAN mismatch detection, and how to verify VLAN membership with show vlan brief and show interfaces trunk. Then practise related 200-301 questions on switching, trunking, and access-port configuration.
Network Infrastructure and Connectivity — This question tests Network Infrastructure and Connectivity — Access ports place end devices into a single VLAN..
What is the correct answer to this question?
The correct answer is: Change the WLAN security to WPA2, enable SSID broadcast, and configure the WLAN interface to use VLAN 100 with a DHCP scope on that VLAN. — The client authentication and DHCP issues are caused by: (1) WPA3 being configured while the client only supports WPA2, (2) SSID broadcast disabled, preventing client discovery, and (3) the WLAN's client VLAN (100) lacking a DHCP server or scope. The management interface VLAN (1) does not interfere with client DHCP. To resolve, change security to WPA2, enable SSID broadcast, and ensure the WLAN is associated with the correct VLAN (100) and a DHCP scope exists on that VLAN.
What should I do if I get this 200-301 question wrong?
Review VLAN allowed lists, native VLAN mismatch detection, and how to verify VLAN membership with show vlan brief and show interfaces trunk. Then practise related 200-301 questions on switching, trunking, and access-port configuration.
What is the key concept behind this question?
Access ports place end devices into a single VLAN.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. A wireless client associates to an AP and successfully authenticates to the correct SSID, but it does not obtain an IP address. The WLC is running in local mode. What should the technician do next?
hard
A.Check the DHCP server to ensure it has available leases.
B.Verify the AP’s operating channel for interference.
✓ C.Verify the VLAN mapping on the WLC for the client’s WLAN.
D.Verify the WPA3 PSK on the client.
Why C: Option C is correct because when a wireless client authenticates to the SSID but fails to obtain an IP address, the most likely cause is a VLAN mapping mismatch on the WLC. In local mode, the WLC maps the WLAN to a specific VLAN (via the interface or VLAN tag), and if that VLAN does not have a DHCP relay or is not trunked to the correct switch, the client's DHCP requests will never reach the DHCP server. This is a common Layer 2 connectivity issue that prevents IP address assignment even though authentication succeeds.
Variation 2. You are troubleshooting a wireless client association failure on a Cisco WLC. A client reports it can see the SSID 'GuestNet' but fails to connect, while another client using the same SSID connects fine. You must check the WLC configuration, identify the cause, and fix it so that both clients can associate successfully.
hard
A.Change the WLAN security to WPA2-PSK only and disable PMF.
✓ B.Enable WPA3 Transition Mode and set PMF to Optional.
C.Disable PMF on the WLAN and keep WPA3 enabled.
D.Change the WLAN to use WPA2-PSK with PMF Required.
Why B: The client that cannot associate is likely a legacy client that does not support WPA3. The WLAN 'GuestNet' has WPA3 enabled with 'PMF Required', which forces all clients to support WPA3 and PMF. To fix this, enable WPA3 Transition Mode (which allows both WPA2 and WPA3 clients) and set PMF to Optional. This will allow the older client to associate using WPA2 while newer clients can use WPA3.
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.