WPA2 Personal (PSK) authentication relies on a shared secret (preshared key) configured on both the wireless LAN controller (WLC) and the client device. In the exhibit, the WLAN is configured with WPA2 and PSK (set-key ascii MyKey123), which means the network expects clients to use the same preshared key to authenticate. To enable client connectivity, the preshared key must be manually entered on each client device; this aligns the client and WLC authentication parameters. Options B, C, and D are unrelated to WPA2 Personal: MAC filtering is a security policy mechanism, Active Directory integration supports WPA2 Enterprise with 802.1X authentication, and client certificates are used for certificate-based EAP methods, not PSK. Cisco Wireless Core Technologies emphasize that PSK deployments require consistent key configuration across the WLAN and clients, and that the preshared key is the critical element for successful authentication. This ensures secure, encrypted communication while providing simple setup for small or branch deployments without an enterprise RADIUS infrastructure. Reference topics:Client Connectivity Configuration — WPA2 Personal, preshared key authentication, WLAN configuration, branch deployment WLAN security.

Fast secure roaming in enterprise wireless networks is achieved using the 802.11r standard, also known as Fast BSS Transition (FT). 802.11r allows clients to authenticate with a new access point (AP) before disassociating from the current AP, significantly reducing the time required for the re-authentication process. This pre-authentication mechanism ensures that client sessions, such as voice or video calls, are maintained seamlessly when moving between APs in a mobility domain. DCA (Dynamic Channel Assignment) optimizes channel selection but does not affect roaming speed. 802.11ax enhances overall throughput and spectral efficiency but does not directly provide fast roaming. MIMO (Multiple Input Multiple Output) improves signal reliability and capacity but is unrelated to the authentication handoff process. Cisco Wireless Core Technologies highlight the deployment of 802.11r in conjunction with PMK caching and Opportunistic Key Caching (OKC) to further accelerate roaming in high-density environments. Implementing 802.11r is critical for environments requiring minimal packet loss and low latency during client movement, such as voice over Wi-Fi or real-time video applications. Reference topics:Client Connectivity Configuration — 802.11r, Fast BSS Transition, secure fast roaming, mobility domains, PMK caching.

The correct element is theget() method. In the script, each device object is treated as a Python dictionary created from parsed JSON API output. The lines device.get("macAddress", "N/A") and device.get("ipAddress", "N/A") perform direct key-based lookup against the dictionary and return the associated value when the key exists. Python documentation defines dictionaries as key-value mappings and states that get() is used to avoid a KeyError by returning None or a specified default value when the key is absent.

This behavior is exactly what automation scripts need when consuming controller or wireless inventory APIs, because returned device records may not always contain every field. Cisco API inventory models commonly return structured device objects containing properties such as MAC address, model, network ID, product type, and wireless-related inventory attributes, which are then parsed by automation code. The pop operation would remove a dictionary key, not safely read it. The import function only loads modules such as requests and json. The format expression only builds the printed output string. Reference topics:Automation and AI — Python scripting, REST API consumption, JSON parsing, and wireless inventory automation.

The correct configuration is option C because Cisco IOS XE restricts inbound protocols on VTY lines with thetransport inputcommand. Cisco’s Catalyst 9800 best-practice guidance states that administrators should confirm SSH is enabled and Telnet is disabled for better controller security, and that the Catalyst 9800 follows standard Cisco IOS XE behavior for enabling or disabling Telnet and SSH. Cisco IOS XE SSH documentation explicitly showsline vty line_number [ending_line_number]followed bytransport input ssh, and explains that this prevents non-SSH Telnet connections, limiting access to SSH only.

The existing exhibit already includes the SSH prerequisites: hostname, domain name, RSA key generation, AAA new-model, a default login method using local credentials, and a local privileged user. The missing VTY configuration must therefore apply that default AAA login list to the VTY lines withlogin authentication defaultand restrict inbound transport to SSH. Cisco AAA documentation confirms thatlogin authentication defaultapplies the configured default authentication list to the line or set of lines. Option A is incomplete and does not explicitly permit SSH. Option B uses invalid syntax. Option D omits the requiredinputkeyword. Reference topics:Catalyst 9800 secure management, VTY access control, SSH, Telnet hardening, AAA login authentication, and IOS XE device administration.

The correct configuration isaaa-overridefollowed bynacunder the existing Catalyst 9800 wireless policy profile. The exhibit already places the administrator in policy-profile configuration mode with wireless profile policy my-policy, so the missing commands must be policy-profile subcommands, not another profile declaration. Cisco’s Catalyst 9800 configuration examples show the exact sequence: enter wireless profile policy < policy-profile-name > , enable aaa-override, enable nac, then configure VLAN and no shutdown.

aaa-override permits authorization attributes returned by AAA or Cisco ISE, such as VLAN, ACL, QoS, redirect ACL, or posture-related access controls, to override the locally defined policy. Cisco’s documentation explicitly states that AAA override applies policies coming from AAA or ISE servers, while nac enables Network Access Control in the policy profile. This is the required behavior when endpoints must be posture-validated before normal network access is granted. Cisco also notes that NAC State is enabled in the policy profile and can only be enabled when AAA override is enabled.

Option A is invalid because nac-policy is not the correct CLI keyword. Options B and D omit NAC. Reference topic:Client Connectivity Configuration — Catalyst 9800 policy profiles, AAA override, NAC State, posture enforcement, and ISE-based access control.

In decibel calculations, the formula used to convert a power ratio to decibels (dB) is:

Thus, the power ratio of 10:1 corresponds to a10 dBchange in power.

Option A: -20 dBwould correspond to a ratio of 0.01:1, not 10:1.

Option B: 5 dBwould correspond to a power ratio of approximately 3.16:1, not 10:1.

Option D: 15 dBwould correspond to a ratio of 31.62:1, not 10:1.

Therefore,Option C: 10 dBis the correct answer, as it is the result of a power ratio of 10:1.

Thus, the power ratio of 10:1 corresponds to a10 dBchange in power.

Option A: -20 dBwould correspond to a ratio of 0.01:1, not 10:1.

Option B: 5 dBwould correspond to a power ratio of approximately 3.16:1, not 10:1.

Option D: 15 dBwould correspond to a ratio of 31.62:1, not 10:1.

Therefore,Option C: 10 dBis the correct answer, as it is the result of a power ratio of 10:1.

Layer 3 roaming is the process that allows a wireless client to retain its original IP address when roaming across different Layer 3 client subnets or controller client VLAN contexts. Cisco describes intercontroller Layer 3 roaming as occurring when wireless LAN interfaces are on different IP subnets. During this roam, the controllers exchange mobility messages, but instead of simply moving the client database entry, the original controller marks the client as anAnchor, while the new controller marks the copied client entry asForeign. Cisco explicitly states that the roam remains transparent to the wireless client and that the client maintains its original IP address.

The exhibit creates WLAN profileguest-networkwith WLAN ID20and enables web authentication, but it does not yet define the client VLAN or bind the WLAN to a deployable policy. On Catalyst 9800 controllers, the WLAN profile defines SSID and wireless/security characteristics, while thepolicy profiledefines client-facing network policy, including VLAN assignment, AAA, ACLs, and switching behavior. Cisco’s web authentication configuration guide states that the policy profile specifies client VLAN, AAA, ACLs, timeout settings, and related policy, and the VLAN is assigned under the policy profile.

The second required object is thepolicy tag, because a policy tag maps the WLAN profile to the policy profile. Cisco also notes that the default policy tag automatically maps only WLAN IDs1 through 16; WLAN ID17 or highercannot use that default mapping. Since this WLAN is ID 20, a custom policy tag mapping is required. Mesh bridging, STP, AP group naming, or physical-interface isolation do not complete the Catalyst 9800 WLAN-to-VLAN policy model. Reference topics:Wireless Network Implementation — Catalyst 9800 configuration model, WLAN profiles, policy profiles, policy tags, guest VLAN assignment, and web authentication.

The correct command iskey 0 MySecretKey123under RADIUS server configuration mode. On a Catalyst 9800 WLC, the RADIUS server is defined with radius server < radius-server-name > , then the server address and ports are configured, and the shared secret is applied with the key < shared-key > command. Cisco’s Catalyst 9800 802.1X configuration workflow shows the exact sequence: radius server < radius-server-name > , address ipv4 < radius-server-ip > auth-port 1812 acct-port 1813, and key < shared-key > .

Cisco IOS XE command examples also show Device(config-radius-server)# key 0 cisco, with Cisco describing it as setting the clear-text key for the RADIUS authentication server. The 0 indicates that the key is entered in clear-text form at the CLI; it does not mean “no security.” The value must match the shared secret configured for the WLC network device in Cisco ISE, otherwise RADIUS Access-Request messages are rejected or ignored. Options A, B, and C are not valid Catalyst 9800 RADIUS server subcommands. Reference topic:Client Connectivity Configuration — WPA2/WPA3 Enterprise, 802.1X, Cisco ISE integration, RADIUS server objects, AAA method lists, and shared-secret configuration.

U-NII-1 (Unlicensed National Information Infrastructure-1) is a segment of the 5 GHz band commonly used in enterprise wireless deployments. It is specifically designated for indoor use to help minimize interference with other devices and reduce regulatory conflicts. U-NII-1 operates in the lower 5 GHz range (5.150–5.250 GHz in the U.S.) and imposes power and indoor restrictions, which prevents outdoor deployment that could interfere with radar and other critical communications. This band supports 802.11a/n/ac/ax Wi-Fi clients, providing multiple non-overlapping channels that facilitate high-density enterprise deployments. By restricting usage to indoor environments, U-NII-1 helps maintain predictable coverage and mitigates interference from outdoor sources, making it ideal for office and campus environments where controlled radio propagation is critical. The access points and wireless controllers dynamically handle channel assignment and power levels to ensure efficient spectrum usage while conforming to these regulatory limitations. Option C accurately reflects these operational parameters by highlighting indoor restriction and interference minimization, whereas the other options mischaracterize the frequency range, power, or permitted use. Reference topics:802.11 Technology Fundamentals — U-NII-1 band, indoor use restriction, interference mitigation, enterprise 5 GHz Wi-Fi deployment.