Helping Hand Questions for 350-101

The correct action is to expose only encrypted management services: HTTPS for WebUI administration and SSH for remote CLI administration. The exhibit confirms the WLC wireless management interface is VLAN 10 with IP address 10.10.1.2, but interface placement alone does not enforce secure management protocol policy. Cisco Catalyst 9800 documentation identifies web admin settings as controller management configuration that determines administrator access, protocols, and interfaces for remote management. Cisco further states that administrators can connect securely over HTTPS, while HTTP “is not a secure connection,” and that HTTPS encrypts data to and from the server.

For CLI access, Cisco’s Catalyst 9800 Secure Shell guidance states that SSH enables secure remote access, and usingtransport input sshprevents non-SSH Telnet connections, limiting the device to SSH-only access. Therefore, options A and B violate policy because they permit Telnet and/or HTTP. Option C fails because console access is local, not remote, and disabling only HTTP still leaves Telnet exposure unresolved. Reference topics:Wireless Monitoring and Management — WLC management access, secure administration, HTTPS, SSH, and management-plane hardening.

TACACS+ is used for device administration, especially for GUI and CLI access to infrastructure platforms such as Cisco Catalyst 9800 WLCs, switches, and routers. Cisco defines TACACS+ as a security application that provides centralized validation for users attempting to access a device or network access server, and it separates authentication, authorization, and accounting functions for administrative control. Cisco ISE device administration documentation further states that TACACS+ is used to control and audit network device configuration, allowing devices to query ISE for administrator authentication and authorization while sending accounting records for logging administrator actions.

Therefore, the primary benefit is streamlined administrator access across platforms. Instead of maintaining local administrator accounts independently on every WLC or network device, TACACS+ enables centralized identity validation, role-based authorization, and consistent audit trails. Option A is incorrect because TACACS+ supports differentiated authorization rather than static grouping. Option B is the opposite of centralized accounting. Option D is inaccurate because TACACS+ is mainly for device administration, whereas client or endpoint network access is typically handled with RADIUS. Reference topics:Wireless Monitoring and Management — AAA for WLC administration, TACACS+ device administration, role-based access, and centralized audit control.