A company has HPE Aruba Networking APs running AOS-10 and managed by HPE Aruba Networking Central. The company also has AOS-CX switches. The security team wants you to capture traffic from a particular wireless client. You should capture this client's traffic over a 15 minute time period and then send the traffic to them in a PCAP file.What should you do?

Go to the client's AP in HPE Aruba Networking Central. Use the 'Security' page to run a packet capture.

Access the CLI for the client's AP. Set up a mirroring session between its radio and a management station running Wireshark.

Access the CLI for the client's AP's switch. Set up a mirroring session between the AP's port and a management station running Wireshark.

Go to that client in HPE Aruba Networking Central. Use the 'Live Events' page to run a packet capture.

Assume that an AOS-CX switch is already implementing DHCP snooping and ARP inspection successfully on several VLANs.What should you do to help minimize disruption time if the switch reboots?

Save the IP-to-MAC bindings to external storage.

Configure the switch to act as an ARP proxy.

Create static IP-to-MAC bindings for the DHCP and DNS servers.

Save the IP-to-MAC bindings to external storage.

Configure the IP helper address on this switch, rather than a core routing switch.

You have configured an AOS-CX switch to implement 802.1X on edge ports. Assume ports operate in the default auth-mode. VolP phones are assigned to the'voice' role and need to send traffic that is tagged for VLAN 12.Where should you configure VLAN 12?

As the allowed trunk VLAN in the 'voice' role (and not in the edge port settings)

As the trunk native VLAN on edge ports and the trunk native VLAN on the 'voice' role

As a trunk allowed VLAN on edge ports and the trunk native VLAN in the 'voice' role

As the trunk native VLAN in the 'voice' role (and not in the edge port settings)

As the allowed trunk VLAN in the 'voice' role (and not in the edge port settings)

You need to set up HPE Aruba Networking ClearPass Policy Manager (CPPM) to provide certificate-based authentication of 802.1X supplicants.How should you upload the root CA certificate for the supplicants' certificates?

As a Trusted CA with the EAP usage

As a ClearPass Server certificate with the RADIUS/EAP usage

As a Trusted CA with the AD/LDAP usage

As a Trusted CA with the EAP usage

As a ClearPass Server certificate with the Database usage

A company has AOS-CX switches. The company wants to make it simpler and faster for admins to detect denial of service (DoS) attacks, such as ping or ARPfloods, launched against the switches.What can you do to support this use case?

Deploy an NAE agent on the switches to monitor control plane policing (CoPP).

Implement ARP inspection on all VLANs that support end-user devices.

Configure the switches to implement RADIUS accounting to HPE Aruba Networking ClearPass and enable HPE Aruba Networking ClearPass Insight.

Enabling debugging of security functions on the switches.

You have run an Active Endpoint Security Report on HPE Aruba Networking ClearPass. The report indicates that hundreds of endpoints have MAC addresses but no known IP addresses.What is one step for addressing this issue?

Add CPPM's IP address to the IP helper list on routing switches.

Set up network devices to implement RADIUS accounting to CPPM.

Add CPPM's IP address to the IP helper list on routing switches.

Set up switches to implement ARP inspection on client VLANs.

Configure CPPM as a Syslog destination on network devices.

An admin has configured an AOS-CX switch with these settings:port-access role employeesvlan access name employeesThis switch is also configured with CPPM as its RADIUS server.Which enforcement profile should you configure on CPPM to work with this configuration?

RADIUS Enforcement type with Aruba-User-Role VSA set to 'employees'

RADIUS Enforcement type with HPE-User-Role VSA set to 'employees'

HPE Aruba Networking Downloadable Role Enforcement type with role name set to 'employees'

HPE Aruba Networking Downloadable Role Enforcement type with gateway role name set to 'employees'

RADIUS Enforcement type with Aruba-User-Role VSA set to 'employees'

The security team needs you to show them information about MAC spoofing attempts detected by HPE Aruba Networking ClearPass Policy Manager (CPPM).What should you do?

Use ClearPass Insight to run an Active Endpoint Security report.

Export the Access Tracker records on CPPM as an XML file.

Use ClearPass Insight to run an Active Endpoint Security report.

Integrate CPPM with ClearPass Device Insight (CPDI) and run a security report on CPDI.

Show the security team the CPPM Endpoint Profiler dashboard.

You need to set up an HPE Aruba Networking VIA solution for a customer who needs to support 2100 remote employees. The customer wants employees to download their VIA connection profile from the VPNC. Only employees who authenticate with their domain credentials to HPE Aruba Networking ClearPass PolicyManager (CPPM) should be able to download the profile. (A RADIUS server group for CPPM is already set up on the VPNC.)How do you configure the VPNC to enforce that requirement?

Set up a VIA Authentication Profile that uses CPPM's server group; reference that profile in the VIA Web Authentication Profile.

Reference CPPM's server group in an AAA profile; then, apply that profile to the VPNC's Internet-facing ports.

Create a new VPN Authentication Profile and then reference CPPM's default server group in that profile.

Set up a VIA Authentication Profile that uses CPPM's server group; reference that profile in the VIA Connection Profile.

A company is using HPE Aruba Networking ClearPass Device Insight (CPDI) (the standalone application). You have identified a device, which is currently classified as one type, but you want to classify it as a custom type. You also want to classify all devices with similar attributes as this type, both already-discovered devices and new devices discovered later.What should you do?

In the device details, select reclassify, create a user rule based on its attributes, and choose 'Save & Reclassify.'

Create a user tag from the Generic Devices page, select the desired attributes for the tag, and save the tag.

In the device details, select reclassify, create a user rule based on its attributes, and choose 'Save & Reclassify.'

In the device details, select filter, create a user tag based on the device attributes, and save the tag.

Create a user rule from the Generic Devices page, select the desired attributes for the rule, and choose 'Save.'

You are deploying a virtual Data Collector for use with HPE Aruba Networking ClearPass Device Insight (CPDI). You have identified VLAN 101 in the data center as the VLAN to which the Data Collector should connect to receive its IP address and connect to HPE Aruba Networking Central.Which Data Collector virtual ports should you tell the virtual admins to connect to VLAN 101?

The one with the lowest port ID

The one with the lowest MAC address

The one with the highest port ID

The one with the highest MAC address

The one with the lowest port ID

A company assigns a different block of VLAN IDs to each of its access layer AOS-CX switches. The switches run version 10.07. The IDs are used for standard purposes, such as for employees, VolP phones, and cameras. The company wants to apply 802.1X authentication to HPE Aruba Networking ClearPass Policy Manager (CPPM) and then steer clients to the correct VLANs for local forwarding.What can you do to simplify setting up this solution?

Assign consistent names to VLANs of the same type across the AOS-CX switches and have user-roles reference names.

Use the trunk allowed VLAN setting to assign multiple VLAN IDs to the same role.

Change the VLAN IDs across the AOS-CX switches so that they are consistent.

Avoid configuring the VLAN in the role; use trunk VLANs to assign multiple VLANs to the port instead.

A company lacks visibility into the many different types of user and loT devices deployed in its internal network, making it hard for the security team to address those devices.Which HPE Aruba Networking solution should you recommend to resolve this issue?

HPE Aruba Networking ClearPass Device Insight (CPDI)

HPE Aruba Networking Network Analytics Engine (NAE)

HPE Aruba Networking Mobility Conductor

HPE Aruba Networking ClearPass OnBoard

A company is using HPE Aruba Networking ClearPass Device Insight (CPDI) (the standalone application). In the CPDI security settings, Security Analysis is On, the Data Source is ClearPass Devices Insight, and Enable Posture Assessment is On. You see that device has a Risk Score of 90.What can you know from this information?

The posture is unhealthy, and CPDI has also detected at least one vulnerability on the device.

The posture is unhealthy, but CPDI has not detected any vulnerabilities on the device.

The posture is healthy, but CPDI has detected multiple vulnerabilities on the device.

The posture is unknown, and CPDI has detected exactly four vulnerabilities on the device.

You have set up a mirroring session between an AOS-CX switch and a management station, running Wireshark. You want to capture just the traffic sent in the mirroring session, not the management station's other traffic.What should you do?

Apply this capture filter: udp port 5555

Apply this capture filter: ip proto 47

Edit protocol preferences and enable ARUBA_ERM.

Edit protocol preferences and enable HPE_ERM.

Apply this capture filter: udp port 5555

A company uses HPE Aruba Networking ClearPass Policy Manager (CPPM) as a TACACS+ server to authenticate managers on its AOS-CX switches. The company wants CPPM to control which commands managers are allowed to enter. You see there is no field to enter these commands in ClearPass.How do you start configuring the command list on CPPM?

Add the Shell service to the managers' TACACS+ enforcement profiles.

Edit the TACACS+ settings in the AOS-CX switches' network device entries.

Create an enforcement policy with the TACACS+ type.

Edit the settings for CPPM's default TACACS+ admin roles.

HPE Aruba Networking ClearPass Policy Manager (CPPM) uses a service to authenticate clients. You are now adding the Endpoints Repository as an authorization source for the service, and you want to add rules to the service's policies that apply different access levels based, in part, on a client's device category. You need to ensure that CPPM can apply the new correct access level after discovering new clients' categories.What should you enable on the service?

The Profile Endpoints option in the Service tab

The Posture Compliance option in the Service tab

The Profile Endpoints option in the Service tab

The Use cached Roles and Posture attributes from previous sessions option in the Enforcement tab

The Audit End-host option in the Service tab

A company has AOS-CX switches and HPE Aruba Networking APs, which run AOS-10 and bridge their SSIDs. Company security policies require 802.1X on all edge ports, some of which connect to APs.How should you configure the auth-mode on AOS-CX switches?

Configure all edge ports in client auth-mode.

Configure all edge ports in device auth-mode.

Leave all edge ports in client auth-mode and configure device auth-mode in the AP role.

Configure all edge ports in client auth-mode.

Leave all edge ports in device auth-mode and configure client auth-mode in the AP role.

A company has HPE Aruba Networking Central-managed APs. The company wants to block all clients connected through the APs from using YouTube.Which steps should you take?

Enable DPI. Then, create application rules to deny YouTube on the firewall roles.

Deploy gateways and have the APs tunnel traffic to the gateways. Then, enable the gateway IDS/IPS engine.

Enable Client IPS at the 'custom' level, and then specify the check for YouTube.

Enable WebCC on all client firewall roles. Then, create WebCC category rules that deny suspicious URLs.

Enable DPI. Then, create application rules to deny YouTube on the firewall roles.

What is one use case for implementing user-based tunneling (UBT) on AOS-CX switches?

Applying enhanced security features such as deep packet inspection (DPI) to wired traffic

Centralizing the distribution of wired traffic without requiring HPE Aruba Networking gateways

Tunneling traffic directly to a third-party firewall in a client data center

Adding 802.1X while continuing to use the existing VLAN and ACL structure in the Ethernet network

Applying enhanced security features such as deep packet inspection (DPI) to wired traffic

A company has HPE Aruba Networking APs running AOS-10 that connect to AOS-CX switches. The APs will:. Authenticate as 802.1X supplicants to HPE Aruba Networking ClearPass Policy Manager (CPPM). Be assigned to the 'APs' role on the switches. Have their traffic forwarded locallyWhat information do you need to help you determine the VLAN settings for the 'APs' role?

Whether the APs bridge or tunnel traffic on their SSIDs

Whether the APs have static or DHCP-assigned IP addresses

Whether the switches are using local user-roles (LURs) or downloadable user-roles (DURs)

Whether the switches have established tunnels with an HPE Aruba Networking gateway

Whether the APs bridge or tunnel traffic on their SSIDs

Your company wants to implement Tunneled EAP (TEAP).How can you set up HPE Aruba Networking ClearPass Policy Manager (CPPM) to enforce certificated-based authentication for clients using TEAP?

Select an EAP-TLS-type authentication method for the TEAP method's inner method.

For the service using TEAP, set the authentication source to an internal database.

Select a service certificate when you specify TEAP as a service's authentication method.

Create an authentication method named 'TEAP' with the type set to EAP-TLS.

Select an EAP-TLS-type authentication method for the TEAP method's inner method.

Admins have recently turned on Wireless IDS/IPS infrastructure detection at the high level on HPE Aruba Networking APs. When you check WIDS events, you see several RTS rate and CTS rate anomalies, which were triggered by neighboring APs.What can you interpret from this event?

These neighboring APs might be hackers trying to launch a DoS, but are more likely operating normally; you should start by tuning the event thresholds.

These neighboring APs are likely to be wireless clients that are inappropriately bridging their wired and wireless NICs; you should track down and remove them.

These neighboring APs might be hackers trying to launch a DoS, but are more likely operating normally; you should start by tuning the event thresholds.

These neighboring APs are actually rogue APs, and you should enable wireless tarpit containment on them.

These neighboring APs are actually rogue APs, and you should enable wireless de-authentication containment on them.

HPE Aruba Networking Central displays an alert about an Infrastructure Attack that was detected. You go to the Security > RAPIDS events and see that the attack was 'Detect adhoc using Valid SSID.'What is one possible next step?

Use HPE Aruba Networking Central floorplans or the detecting AP identities to locate the general area for the threat.

Look for the IP address associated with the offender and then check for that IP address among HPE Aruba Networking Central clients.

Make sure that you have tuned the threshold for that check, as false positives are common for it.

Make sure that clients have updated drivers, as faulty drivers are a common explanation for this attack type.

A company has a variety of HPE Aruba Networking solutions, including an HPE Aruba Networking infrastructure and HPE Aruba Networking ClearPass PolicyManager (CPPM). The company passes traffic from the corporate LAN destined to the data center through a third-party SRX firewall. The company would like to further protect itself from internal threats.What is one solution that you can recommend?

Have the third-party firewall send Syslogs to CPPM, which can work with network devices to lock internal attackers out of the network.

Use tunnel mode SSIDs and user-based tunneling (UBT) on AOS-CX switches to pass all internal traffic directly through the third-party firewall.

Add ClearPass Device Insight (CPDI) to the solution; integrate it with the third-party firewall to develop more complete device profiles.

Configure CPPM to poll the third-party firewall for a broad array of information about internal clients, such as profile and posture.

A company wants to apply a standard configuration to all AOS-CX switch ports and have the ports dynamically adjust their configuration based on the identity of the user or device that connects. They want to centralize configuration of the identity-based settings as much as possible.What should you recommend?

Having switches download user-roles from HPE Aruba Networking ClearPass Policy Manager (CPPM)

Having HPE Aruba Networking ClearPass Policy Manager (CPPM) send standard RADIUS AVPs to customize port settings

Having switches pull port configurations dynamically from HPE Aruba Networking Activate

Having switches download user-roles from HPE Aruba Networking gateways

Having switches download user-roles from HPE Aruba Networking ClearPass Policy Manager (CPPM)

A company issues user certificates to domain computers using its Windows CA and the default user certificate template. You have set up HPE Aruba NetworkingClearPass Policy Manager (CPPM) to authenticate 802.1X clients with those certificates. However, during tests, you receive an error that authorization has failed because the usernames do not exist in the authentication source.What is one way to fix this issue and enable clients to successfully authenticate with certificates?

Configure rules to strip the domain name from the username.

Change the authentication method list to include both PEAP MSCHAPv2 and EAP-TLS.

Add the ClearPass Onboard local repository to the authentication source list.

Remove EAP-TLS from the authentication method list and add TEAP there instead.

You need to use 'Tips:Posture' conditions within an 802.1X service's enforcement policy.Which guideline should you follow?

Enable caching roles and posture attributes from previous sessions in the service's enforcement settings.

Create rules that assign postures in the service's role mapping policy.

Enable profiling in the service's general settings.

Select the Posture Policy type for the service's enforcement policy.

Which statement describes Zero Trust Security?

Companies should focus on protecting their resources rather than on protecting the boundaries of their internal network.

Companies must apply the same access controls to all users, regardless of identity.

Companies that support remote workers cannot achieve zero trust security and must determine if the benefits outweigh the cost.

Companies should focus on protecting their resources rather than on protecting the boundaries of their internal network.

Companies can achieve zero trust security by strengthening their perimeter security to detect a wider range of threats.

A company has AOS-CX switches. The company wants to make it simpler and faster for admins to detect denial of service (DoS) attacks, such as ping or ARP floods, launched against the switches.What can you do to support this use case?

Deploy an NAE agent on the switches to monitor control plane policing (CoPP).

Configure the switches to implement RADIUS accounting to HPE Aruba Networking ClearPass and enable HPE Aruba Networking ClearPass Insight.

Implement ARP inspection on all VLANs that support end-user devices.

Enabling debugging of security functions on the switches.

A company has AOS-CX switches at the access layer, managed by HPE Aruba Networking Central. You have identified suspicious activity on a wired client. You want to analyze the client's traffic with Wireshark, which you have on your management station.What should you do?

Set up a mirror session on the client's switch; set the client port as the source and your station IP address as the tunnel destination.

Access the client's switch's CLI from your management station. Access the switch shell and run a TCP dump on the client port.

Go to the client's switch in HPE Aruba Networking Central. Use the 'Security' page to run a packet capture.

Set up a policy that implements a captive portal redirect to your management station. Apply that policy to the client's port.

Set up a mirror session on the client's switch; set the client port as the source and your station IP address as the tunnel destination.

HPE Aruba Networking Central displays a Gateway Threat Count alert in the alert list. How can you gather more information about what caused the alert to trigger?

Check the threat list for the gateway associated with the alert. Access threat details and download packet info.

Use HPE Aruba Networking Central tools to run a Network Check on the gateway with which the alert is associated.

Use Live Monitoring on the gateway to download a packet capture of recent traffic flowing through the gateway.

Check the threat list for the gateway associated with the alert. Access threat details and download packet info.

Check the gateway's Audit Trail in HPE Aruba Networking Central for more details about the threats that triggered the alert.

The following firewall role is configured on HPE Aruba Networking Central-managed APs:wlan access-rule employeesindex 3rule any any match 17 67 67 permitrule any any match any 53 53 permitrule 10 5 5.0 255.255 255.0 match any any any denyrule 10.5 0.0 255.255 0.0 match 6 80 80 permitrule 10.5 0.0 255.255.0.0 match 6 443 443 permitrule 10.5.0.0 255.255.0.0 match any any any denyrule any any match any any any permitA client has authenticated and been assigned to the employees role. The client has IP address 10.2.2.2. Which correctly describes behavior in this policy?

HTTPS traffic from 10.2.2.2 to 10.5.5.5 is denied.

HTTPS traffic from 10.2.2.2 to 203.0.113.12 is denied.

Traffic from 10.5.3.3 in an active HTTPS session between 10.2.2.2 and 10.5.3.3 is permitted.

Traffic from 198.51.100.12 in an active HTTP session between 10.2.2.2 and 198.51.100.12 is denied.

You need to set up HPE Aruba Networking ClearPass Policy Manager (CPPM) to provide certificate-based authentication of 802.1X supplicants. How should you upload the root CA certificate for the supplicants' certificates?

As a Trusted CA with the EAP usage.

As a ClearPass Server certificate with the RADIUS/EAP usage.

As a ClearPass Server certificate with the Database usage.

As a Trusted CA with the AD/LDAP usage.

As a Trusted CA with the EAP usage.

You are setting up policy rules in HPE Aruba Networking SSE. You want to create a single rule that permits users in a particular user group to access multiple applications. What is an easy way to meet this need?

Apply the same tag to the applications; select the tag as a destination in the policy rule.

Associate the applications directly with the IdP used to authenticate the users; choose any for the destination in the policy rule.

Apply the same tag to the applications; select the tag as a destination in the policy rule.

Place all the applications in the same connector zone; select that zone as a destination in the policy rule.

Select the applications within a non-default web profile; select that profile in the policy rule.

You have created this rule in an HPE Aruba Networking ClearPass Policy Manager (CPPM) service's enforcement policy: IF Authorization [Endpoints Repository]Conflict EQUALS true THEN apply 'quarantine_profile'What information can help you determine whether you need to configure cluster-wide profiler parameters to ignore some conflicts?

Whether the company has devices that use PXE boot

Whether the company has rare Internet of Things (loT) devices

Whether some devices are incapable of captive portal or 802.1X authentication

Whether the company has devices that use PXE boot

Whether some devices are running legacy operating systems

A company has HPE Aruba Networking APs, which authenticate users to HPE Aruba Networking ClearPass Policy Manager (CPPM).What does HPE Aruba Networking recommend as the preferred method for assigning clients to a role on the AOS firewall?

Configure CPPM to assign the role using a RADIUS enforcement profile with an Aruba-User-Role VSA.

Configure CPPM to assign the role using a RADIUS enforcement profile with a RADIUS:IETF Username attribute.

Configure CPPM to assign the role using a RADIUS enforcement profile with an Aruba-User-Role VSA.

OCreate server rules on the APs to assign clients to roles based on RADIUS IETF attributes returned by CPPM.

Create user rules on the APs to assign clients to roles based on a variety of criteria.

A security team needs to track a device's communication patterns and identify patterns such as how many destinations the device is accessing.Which Aruba solution can show this information at a glance?

HPE Aruba Networking ClearPass Device Insight (CPDI) under a device's network activity

HPE Aruba Networking ClearPass Insight Endpoints and Network Dashboards

HPE Aruba Networking ClearPass Policy Manager (CPPM) live monitoring Access Tracker

HPE Aruba Networking ClearPass Device Insight (CPDI) under a device's network activity

AOS-CX Analytics Dashboard using the system-installed NAE agent

HP HPE7-A02 Practice Test 1 - Free Online Exam Prep & Questions

Question 1 / 40

You are setting up an HPE Aruba Networking VIA solution for a company. You need to configure access control policies for applications and resources that remote clients can access when connected to the VPN.

Where on the VPNC should you configure these policies?

In the tunneled network settings within the VIA Connection Profile

In the cloud security settings using IPsec maps

In the roles to which VIA clients are assigned after IKE authentication

In the roles to which VIA clients are assigned after VIA Web authentication

Comment (0)

HP HPE7-A02 Practice Test 1

Question

HP HPE7-A02 Practice Tests

Practice Tests