
Scenario-based practice

Wireless LAN and WLC Scenarios

Practise Cisco SCOR / CCNP Security Core 350-701 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15 scenario questions | Exam code: 350-701 | Vendor: Cisco

Scenario guide

How to approach wireless LAN and WLC scenarios

Wireless questions on the CCNA cover 802.11 standards (ax/ac/n), WPA3, SSID/BSSID concepts, WLC architecture (FlexConnect, local switching), and client connectivity troubleshooting. These are mostly MCQ and multi-select.

Quick answer

Wireless security questions usually test authentication protocols (WPA2/WPA3), encryption modes, 802.11 standards and troubleshooting clients that cannot connect or associate.

WPA2 vs WPA3 authentication and encryption standards.

802.11 wireless standards, frequency bands and channel behaviour.

WLAN client troubleshooting — association, authentication and DHCP.

How SSID, authentication method and pre-shared key affect wireless access.


Practice set

Practice scenarios

Question 1 (medium, multiple choice)

A university is using Cisco ISE to provide secure wireless access for students and faculty. The wireless network uses WPA2-Enterprise with PEAP-MSCHAPv2. Recently, some faculty members reported that they cannot connect to the wireless network from their personal laptops, while student devices connect without issues. The faculty members are using the same SSID and entering their credentials correctly. The ISE logs show that the authentication attempts from faculty devices are failing with 'RADIUS Access-Reject' due to incorrect credentials. However, the faculty members are certain they are using the correct password. The IT department has verified that the user accounts in Active Directory are active and not locked. What is the most likely cause of the issue?

Question 2 (hard, multiple choice)

A global company uses Cisco Umbrella to enforce security policies across roaming users. Recently, a user reported that they could not access a legitimate business application while connected to a guest Wi-Fi at an airport. The application is categorized as 'Productivity' in Umbrella. Other users outside the office can access it. What is the most likely reason?

Question 3 (easy, multiple choice)

A network administrator is configuring Cisco ISE to enforce access control based on user authentication. The company requires that only users who authenticate via Active Directory are allowed access to the corporate wireless network. Which policy should be configured in ISE to accomplish this?

Question 4 (hard, multiple choice)

A multinational company has deployed a Cisco Firepower 4100 series device as the perimeter firewall. The network consists of multiple internal segments: a corporate LAN (192.168.1.0/24), a data center (10.10.0.0/16), and a guest wireless network (172.16.0.0/16). The firewall is configured with the following access control policy rules:

1. Allow from any to any (for testing, but currently enabled)
2. Allow from corporate LAN to data center (destination ports TCP/443, TCP/8443)
3. Block from guest wireless to data center
4. Allow from any to internet (destination any)

Recently, the security team discovered that a host in the guest network (172.16.5.50) is communicating with a server in the data center (10.10.10.100) on TCP port 443. The security team wants to immediately block this traffic without affecting other legitimate communications. Which action should be taken first?

Question 5 (easy, multiple choice)

An organization uses ISE for wireless LAN authentication via 802.1X with PEAP-MSCHAPv2. Users authenticate against Active Directory. Recently, some users report that after changing their domain password, they cannot connect to the wireless network for about 30 minutes. What is the most likely cause?

Question 6 (easy, multiple choice)

A network administrator wants to centrally manage and enforce access policies for wired and wireless users. Which Cisco product provides this functionality?

Question 7 (medium, multiple choice)

An organization wants to provide guest wireless access with a captive portal. Which Cisco ISE portal type should be used?

Question 8 (medium, multiple choice)

A company wants to provide both corporate and guest wireless access using the same access points. They require that guest users be placed into a separate VLAN and have internet-only access. Which Cisco solution should be used?

Question 9 (medium, multiple choice)

A company deploys Cisco ISE for network access control. They want to enforce that only employees with a valid certificate and a compliant posture can access the corporate Wi-Fi. Which policy combination should be used?

Question 10 (hard, multiple choice)

A large enterprise with over 2,000 employees recently experienced a security breach. An attacker gained initial access through a phishing email and then moved laterally across the network to reach a critical database server. The network currently has a flat Layer 2 topology with all devices in a single large VLAN. The company wants to prevent lateral movement in the future while maintaining operational simplicity. They have a Cisco ISE deployment already but it is only used for wireless guest access. The security team is evaluating options.

Option A: Deploy 802.1X with dynamic VLAN assignment across all wired ports. This would authenticate users and assign them to different VLANs based on identity.

Option B: Implement micro-segmentation using Cisco TrustSec with Security Group Tags (SGTs) on the existing switches and enforce SGT-based policies on the firewalls. This would allow traffic control between groups regardless of IP.

Option C: Install a next-generation firewall at the internet edge and enable IPS to block known attack signatures.

Option D: Upgrade all access switches to support Private VLANs (PVLANs) and configure promiscuous ports for servers.

Which solution BEST addresses the lateral movement problem while leveraging existing infrastructure?

Question 11 (medium, multiple choice)

A large enterprise has deployed Cisco ISE for network access control. The network consists of multiple access switches and wireless LAN controllers. The security team wants to enforce that only domain-joined Windows computers with up-to-date antivirus can access the corporate network. Non-compliant devices should be placed in a quarantine VLAN with limited access to remediation servers. The ISE policies are configured with posture assessment. However, during a test, a non-compliant Windows computer is granted full network access instead of being quarantined. The ISE logs show that the posture assessment passed, but the computer's antivirus is outdated. What is the most likely reason for this behavior?

Question 12 (hard, multiple choice)

A large enterprise has deployed Cisco ISE for network access control with 802.1X and MAB across its wired and wireless networks. The network consists of Cisco Catalyst switches, Cisco Wireless LAN Controllers (WLCs), and ISE in a distributed deployment with three Policy Service Nodes (PSNs) and an Admin Node. Recently, the company implemented a new security policy requiring all endpoints to pass posture assessment before gaining full network access. The posture assessment uses AnyConnect ISE Posture Module.

Shortly after the change, users report that some wired clients are unable to connect to the network. The ISE logs show that the authentication is successful, but the session is terminated immediately with a 'Session-Timeout' attribute set to 0. The network team notices that the affected clients are all connected to switches running older Cisco IOS versions. The ISE administrator confirms that the authorization profiles for the affected clients include a session-timeout of 1 hour. Which course of action should the network engineer take to resolve the issue?

Question 13 (hard, multiple choice)

A hospital is deploying Cisco ISE for network access control. They have a mix of employee laptops, medical devices (e.g., infusion pumps), and guest smartphones. The network uses Cisco Catalyst 9300 switches and Aironet 3700 series access points. For medical devices, the policy must use Machine Authentication (MAB) since they are 802.1X incapable. The ISE policy authenticates via MAB and then assigns the device to a specific VLAN for medical devices. During a pilot, the network team notices that some infusion pumps (MAC: 00:1A:2B:3C:4D:5E) are failing MAB authentication. The switch logs show 'Authentication failed for MAC 001a.2b3c.4d5e on interface GigabitEthernet1/0/10'. ISE logs show 'Authentication failed - RADIUS server rejected - Reason: Invalid Endpoint ID'. The engineer has verified the MAC address is in the ISE endpoint repository with correct identity group. What should the engineer check next to resolve this issue?

Question 14 (medium, multiple choice)

A university is implementing 802.1X for student wireless networks using Cisco Wireless LAN Controllers (WLCs) and ISE. Students connect with their personal devices using PEAP-MSCHAPv2. During heavy usage, some students report authentication failures and sporadic disconnections. The network team examines the ISE live logs and sees many 'Authentication failed' entries with reason 'Internal error - unable to find a suitable proxy target'. The team has configured two ISE nodes as authentication proxies for the wireless subnets. What is the most likely cause of this issue?

Question 15 (easy, multiple choice)

A small business uses Cisco ISE to authenticate employees via Active Directory. The company has a single ISE node and two Catalyst 2960-X switches. Employees connect to the network and are successfully authenticated using 802.1X with PEAP. The business wants to provide guest wireless access using a separate SSID with a captive portal. The engineer configures a new WLAN on the WLC (Cisco 2504) pointing to the same ISE node. Guest users can associate to the WLAN and get an IP address, but when they open a browser, they do not see the captive portal page; instead, they get a 'Connection refused' error. The engineer verifies that the guest portal is enabled on ISE and the WLC is configured to use ISE for RADIUS. What is the most likely cause?

These 350-701 practice questions are part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style 350-701 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.