350-101 Certification Exam Guide + Practice Questions Updated 2026


Comprehensive 350-101 certification exam guide covering exam overview, skills measured, preparation tips, and practice questions with detailed explanations.

What is the 350-101 WLCOR Exam?


The 350-101 Implementing and Operating Cisco Wireless Core Technologies (WLCOR) exam is a core exam for the Cisco Certified Network Professional (CCNP) Enterprise certification and also qualifies candidates toward the Cisco Certified Specialist – Enterprise Wireless Implementation certification. This 350-101 WLCOR exam validates your ability to implement, configure, operate, and troubleshoot enterprise wireless networks, focusing on modern wireless technologies, architectures, and automation.

Who is the 350-101 Exam For?


The 350-101 WLCOR exam is designed for IT professionals who work with enterprise wireless solutions, including:

● Network Engineers
● Wireless Network Engineers
● System Engineers
● Network Administrators
● IT Professionals managing WLAN infrastructures

It is especially suitable for individuals responsible for deploying and maintaining Cisco wireless networks in enterprise environments.

Exam Overview

Duration: 120 minutes
Languages: English, Japanese
Price: $400
Certification Path: CCNP Enterprise (Core Exam)

The exam tests both theoretical understanding and practical application of wireless networking technologies.

Skills Measured


The 350-101 exam evaluates your knowledge across several key domains:

RF Fundamentals
Understanding radio frequency behavior, interference, and signal propagation

802.11 Technology Fundamentals
Core wireless standards, protocols, and frame structures

Wireless Network Implementation
Deploying controllers, access points, and WLAN configurations

Wireless Network Operation
Maintaining and optimizing wireless infrastructure

Client Connectivity Configuration
Authentication, roaming, and client troubleshooting

Wireless Monitoring and Management
Using tools to monitor performance and ensure reliability

Automation and AI
Leveraging programmability and AI-driven insights for network efficiency

How to Prepare for the 350-101 Exam?


Preparing for WLCOR requires both conceptual knowledge and hands-on practice. A well-rounded strategy includes:

1. Build a Strong Foundation
Start with RF fundamentals and 802.11 concepts. These are critical for understanding all other topics.

2. Use Official Cisco Learning Resources
Study Cisco’s official certification guides, training courses, and documentation.

3. Practice Hands-On Labs
Work with wireless controllers (WLC), access points, and simulation tools to gain real-world experience.

4. Focus on Key Domains
Allocate more time to high-weight topics like wireless implementation, operation, and troubleshooting.

5. Review Automation Concepts
Understand APIs, programmability, and AI-driven network management—these are increasingly important.

How to Use 350-101 Practice Questions


Practice questions are most effective when used strategically:

Start Early: Use them after each topic to reinforce learning
Simulate Real Exams: Take timed practice tests to build confidence
Analyze Mistakes: Focus on understanding why answers are wrong
Track Progress: Identify weak areas and revisit those topics

Avoid memorizing answers - focus on understanding the concepts behind them.

Practice Questions for 350-101 Exam


Practice questions play a crucial role in exam preparation. They help you familiarize yourself with the exam format, identify knowledge gaps, and improve time management skills. More importantly, they reinforce key concepts by applying them in exam-like scenarios, making your preparation more effective and targeted.

Question#1

A persistent network issue is impacting connectivity for workstations in a training lab when connecting to a lab SSID. Wireless logs show clients never receive a DHCP offer when trying to obtain an IP address. The APs are operating in Local mode. Network monitoring systems indicate optimal signal quality and radio performance, VLAN assignments for the affected SSID have been configured, and all clients are affected.
Which action resolves the issue?

A. Release or renew the client IP configuration.
B. Enable DHCP option 43.
C. Configure DHCP relay.
D. Disable multicast on the WL

Explanation:
The fault domain is DHCP forwarding, not RF, client-side addressing, or AP discovery. Cisco explains that when a wireless client associates, it sends a DHCP Discover broadcast, and depending on AP mode, that traffic is either forwarded through the WLC or passed to the next hop. Cisco further states that if no DHCP server exists in the client’s local Layer 2 domain, the router or SVI for the client VLAN must forward DHCP discovery traffic using an IP helper address.
Because the APs are in Local mode, client traffic is centrally switched through CAPWAP to the WLC, where the client VLAN/SVI path must correctly relay DHCP toward the DHCP server. Cisco’s Catalyst 9800 DHCP configuration guide shows DHCP relay configuration under the client VLAN SVI by entering the IPv4 helper address, and the CLI example uses ip helper-address <ip-address> to forward UDP broadcasts such as DHCP requests.
Option C resolves the issue because all clients are affected and none receive a DHCP offer, indicating the DHCP Discover is not reaching the DHCP server or the offer is not returning through the relay path. DHCP option 43 is for AP controller discovery, not client DHCP addressing.
Reference topics: DHCP relay, Local mode AP forwarding, Catalyst 9800 client VLANs, and wireless client IP assignment.
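
An added example (not from the original page or from Cisco): a small Python check that scans an IOS XE style configuration for routed client VLAN SVIs that have no ip helper-address, the condition the explanation above describes. The sample configuration, VLAN numbers and addresses are constructed for illustration.

```python
import re

# Constructed IOS XE style configuration; VLANs and addresses are made up.
SAMPLE_CONFIG = """\
interface Vlan50
 description LAB-CLIENTS
 ip address 10.50.0.1 255.255.255.0
!
interface Vlan100
 description STAFF-CLIENTS
 ip address 10.100.0.1 255.255.255.0
 ip helper-address 10.10.10.5
!
interface Vlan200
 description UNROUTED
 no ip address
!
"""

def svis_without_relay(config):
    """Return VLAN IDs of routed SVIs that have no ip helper-address line."""
    missing, vlan, routed, relay = [], None, False, False

    def close():
        # Record the stanza just finished if it routes but does not relay.
        if vlan is not None and routed and not relay:
            missing.append(vlan)

    for line in config.splitlines():
        m = re.match(r"interface Vlan(\d+)\s*$", line)
        if m or not line.startswith(" "):
            # A new top-level line ends the previous interface stanza.
            close()
            vlan, routed, relay = (int(m.group(1)) if m else None), False, False
        elif re.match(r"\s+ip address \d", line):
            routed = True
        elif re.match(r"\s+ip helper-address \S+", line):
            relay = True
    close()
    return missing

if __name__ == "__main__":
    print(svis_without_relay(SAMPLE_CONFIG))
```

An SVI flagged here is only a fault when no DHCP server sits in that VLAN's own Layer 2 domain.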

Question#2

A network engineer is integrating Cisco ISE with a wireless controller for 802.1X authentication. The controller is registered with Cisco ISE as a network device. To secure communication, the engineer must configure a shared secret for RADIUS authentication.
Which CLI command on the WLC accomplishes this task?

A. radius enable authentication MySecretKey123
B. radius-server shared-secret MySecretKey123
C. ISE MySecretKey123
D. key 0 MySecretKey123

Explanation:
When configuring 802.1X authentication with Cisco ISE, the wireless LAN controller (WLC) acts as a RADIUS client, and ISE functions as the RADIUS server. A shared secret is required to encrypt authentication messages between the WLC and ISE, preventing unauthorized access and ensuring integrity. On Cisco WLCs, the correct command to configure this shared secret is radius-server shared-secret <secret>, which explicitly associates the secret key with the configured RADIUS server entry.
Option A (radius enable authentication) is invalid syntax for WLCs; it does not set the shared secret.
Option C (ISE MySecretKey123) is not recognized as a WLC CLI command.
Option D (key 0 <secret>) is used on older IOS devices or some switch configurations but is not the proper syntax for WLC RADIUS integration. Cisco Wireless Core Technologies documentation and lab guides consistently show radius-server shared-secret as the standard method to secure RADIUS communications for 802.1X deployments. Implementing this ensures proper encryption and authentication between the controller and ISE, supporting secure wireless client access.
Reference topics: Client Connectivity Configuration ― 802.1X, RADIUS shared secret, WLC to ISE integration, secure authentication.
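
How the shared secret is used on the wire, as an added example (not Cisco's code and not part of the original page): per RFC 2865 and RFC 3579 the secret is never transmitted; it keys the Message-Authenticator on the WLC's Access-Request and the Response Authenticator on the ISE reply, so a mismatched secret makes each side reject the other's packets. Function names, the user name and the packet contents are constructed for illustration.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 3579)

def attr(type_, value):
    return bytes([type_, len(value) + 2]) + value

def build_access_request(ident, req_auth, attrs, secret):
    """WLC side: sign the request with HMAC-MD5 keyed by the shared secret."""
    body = attrs + attr(MSG_AUTH, bytes(16))  # value is zeroed while signing
    head = struct.pack("!BBH", 1, ident, 20 + len(body)) + req_auth
    mac = hmac.new(secret, head + body, hashlib.md5).digest()
    return head + attrs + attr(MSG_AUTH, mac)

def server_accepts_request(packet, secret):
    """ISE side: recompute the Message-Authenticator and compare."""
    head, body = packet[:20], packet[20:]
    if len(body) < 18 or body[-18] != MSG_AUTH or body[-17] != 18:
        return False  # this sketch expects it as the last attribute
    expected = hmac.new(secret, head + body[:-16] + bytes(16), hashlib.md5).digest()
    return hmac.compare_digest(expected, body[-16:])

def build_reply(code, ident, req_auth, attrs, secret):
    """ISE side: authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def client_accepts_reply(packet, req_auth, secret):
    """WLC side: the reply verifies only if both ends hold the same secret."""
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def demo():
    secret, typo = b"MySecretKey123", b"MySecretKey124"  # sample values
    req_auth = bytes(range(16))  # constructed; real request authenticators are random
    eap = bytes([2, 1, 0, 13, 1]) + b"lab-user"  # constructed EAP-Response/Identity
    request = build_access_request(7, req_auth, attr(1, b"lab-user") + attr(79, eap), secret)
    accept = build_reply(2, 7, req_auth, attr(18, b"constructed"), secret)
    return (server_accepts_request(request, secret),
            server_accepts_request(request, typo),
            client_accepts_reply(accept, req_auth, secret),
            client_accepts_reply(accept, req_auth, typo))

if __name__ == "__main__":
    print(demo())
```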

Question#3

What does a high SNR value result in?

A. presence of multipath signal distortion
B. use of directional array patterns in wireless signaling
C. increased data integrity with fewer errors
D. modification of output frequency ranges

Explanation:
Signal-to-Noise Ratio (SNR) is a critical metric in wireless networking that quantifies the relationship between the received signal power and the background noise. A higher SNR indicates that the signal strength is significantly stronger than the noise level, which directly impacts the quality and reliability of wireless communication. When SNR is high, the receiver can more accurately decode transmitted frames, leading to fewer errors, reduced retransmissions, and improved data integrity. This results in more consistent throughput and better overall performance of wireless clients, especially in environments with high client density or potential sources of interference. Conversely, a low SNR increases susceptibility to multipath distortion, frame loss, and degraded network performance.
Option C correctly identifies the outcome of a high SNR: enhanced data integrity with fewer errors.
Option A is incorrect because multipath distortion is primarily influenced by environmental reflections, not directly by SNR.
Option B refers to antenna design and MIMO techniques, which affect directional gain and spatial streams but are independent of SNR measurement.
Option D is unrelated to SNR, as output frequency ranges are set by regulatory standards and hardware capabilities rather than signal-to-noise conditions. Cisco Wireless Core Technologies emphasizes monitoring SNR to optimize RF planning, AP placement, and client experience in enterprise wireless networks.
Reference topics: RF Fundamentals ― SNR, signal quality, wireless performance, error rate, enterprise Wi-Fi.

Question#4

A network administrator at a construction company manages a Cisco Catalyst 9800 Series Wireless Controller running Cisco IOS XE 17.x. The WLAN named XYZ-Conference is set up for a large event, but attendees report slow network performance due to misbehaving clients. To improve connectivity, the network administrator decides to change the client exclusion policy on the WLAN to temporarily block the misbehaving clients. The XYZ-Conference WLAN must enable a client exclusion policy with a timeout of 120 seconds for misbehaving clients.
Which set of Cisco IOS XE commands must be used?

A. wireless profile policy XYZ-Conference XYZ Conference exclude 120
B. wireless profile policy XYZ-Conference exclusionlist timeout 120
C. wireless profile policy XYZ-Conference security exclusion timeout 120
D. wireless profile policy XYZ-Conference client-exclusion 120

Explanation:
Client exclusion is a feature in Cisco Catalyst 9800 WLCs that allows the administrator to temporarily block clients exhibiting misbehavior, such as excessive retries, excessive bandwidth usage, or roaming issues. The IOS XE CLI command for enabling client exclusion in a WLAN policy is client-exclusion <timeout>, where <timeout> defines the duration (in seconds) the client is prevented from associating with the WLAN.
Option D correctly uses client-exclusion 120 to block the misbehaving clients for 120 seconds.
Option A (exclude 120) is not valid IOS XE syntax.
Option B (exclusionlist timeout 120) is also incorrect as it refers to internal exclusion lists, not the WLAN policy applied to live clients.
Option C (security exclusion timeout 120) is invalid and does not configure client exclusion at the WLAN policy level. Cisco Wireless Core Technologies emphasize using client exclusion policies during high-density events or temporary network congestion to ensure network fairness, protect overall WLAN performance, and maintain connectivity for well-behaving clients.
Reference topics: Client Connectivity Configuration ― Client exclusion, WLAN policy, misbehaving client mitigation, Cisco Catalyst 9800 IOS XE.

Question#5

Refer to the exhibit.



A client authenticates via 802.1X against an ISE server that is configured to return a specific VLAN ID (VLAN 100) via an attribute value pair. However, the administrator notices that the client is placed in the wrong VLAN (VLAN 50).
What must the administrator implement to resolve the issue?

A. Configure the policy profile to allow ISE to override the VLAN.
B. Configure VLAN 100 as an SVI on the WLC.
C. Configure VLAN 100 on the trunk ports of the WLC.
D. Configure AAA VLAN enable on the WLAN.

Explanation:
In this scenario, the client is placed in the wrong VLAN (VLAN 50) even though the ISE server is configured to assign VLAN 100. The key part of the issue is that the VLAN assignment returned by ISE is not being applied correctly.
Option A: "Configure the policy profile to allow ISE to override the VLAN."
This is the correct answer. The policy profile on the Wireless LAN Controller (WLC) should be configured to allow the ISE server's VLAN assignment to override the locally configured VLAN settings on the WLC. Without this, the WLC might default to its pre-configured VLAN (VLAN 50) instead of the VLAN assigned by ISE (VLAN 100).
Option B: "Configure VLAN 100 as an SVI on the WLC."
This option is unnecessary. While an SVI (Switched Virtual Interface) is required to route between VLANs, it is not the cause of the issue here. The problem is that the correct VLAN (VLAN 100) is not being applied to the client, not that the WLC lacks an SVI.
Option C: "Configure VLAN 100 on the trunk ports of the WLC."
This option is also not relevant. The issue is not with trunking but with VLAN assignment from ISE. The trunking configuration ensures that VLANs are allowed across ports, but it does not address the client being placed in the wrong VLAN.
Option D: "Configure AAA VLAN enable on the WLAN."
This option is not directly related to the issue. While enabling AAA VLAN can allow for more dynamic VLAN assignments, the core issue is related to overriding the default VLAN setting from ISE, which is handled by configuring the policy profile on the WLC.
Therefore, Option A is the correct solution, as it ensures the WLC will allow the ISE server's VLAN assignment to override the default VLAN on the WLC, resolving the issue of incorrect VLAN assignment.

Disclaimer

This page is for educational and exam preparation reference only. It is not affiliated with Cisco, CCIE Wireless, or the official exam provider. Candidates should refer to official documentation and training for authoritative information.

Exam Code: 350-101 | Q&A: 103 Q&As | Updated: 2026-05-31
