Ask Question
HPE6-A84: Aruba Certified Network Security Expert Written
HP
Exam Questions:
60
.png)
2.370 Learners
The HPE6-A84 Exam: Also known as Aruba Certified Network Security Expert, this exam is crucial for professionals in the field of Aruba network security solutions. To increase your chances of passing, practicing with real exam questions shared by those who have succeeded can be invaluable. In this guide, we’ll provide you with practice test questions and answers, offering insights directly from candidates who have already passed the exam.
Why Use HPE6-A84 Practice Test?
-
Real Exam Experience: Our practice tests accurately replicate the format and difficulty of the actual HPE6-A84 exam, providing you with a realistic preparation experience.
-
Identify Knowledge Gaps: Practicing with these tests helps you identify areas where you need more study, allowing you to focus your efforts effectively.
-
Boost Confidence: Regular practice with exam-like questions builds your confidence and reduces test anxiety.
-
Track Your Progress: Monitor your performance over time to see your improvement and adjust your study plan accordingly.
Key Features of HPE6-A84 Practice Test:
-
Up-to-Date Content: Our community ensures that the questions are regularly updated to reflect the latest exam objectives and technology trends.
-
Detailed Explanations: Each question comes with detailed explanations, helping you understand the correct answers and learn from any mistakes.
-
Comprehensive Coverage: The practice tests cover all key topics of the HPE6-A84 exam, including:
- PKI Solutions
- Network Design
- Role-Based Access Control
- Integration with Ecosystem Partners
- Endpoint Classification Policy
- Proactive Remediation
- ClearPass Device Insight
-
Customizable Practice: Create your own practice sessions based on specific topics or difficulty levels to tailor your study experience to your needs.
Exam Details:
-
Exam Number: HPE6-A84
-
Exam Name: Aruba Certified Network Security Expert
-
Length of Test: 2 hours
-
Exam Format: Multiple-choice, multiple-response, drag-and-drop, and point-and-click questions
-
Exam Language: English
-
Number of Questions: 60 questions
-
Passing Score: 66%
Use the member-shared HPE6-A84 Practice Tests to ensure you're fully prepared for your certification exam. Start practicing today and take a significant step towards achieving your certification goals!
Related questions
When would you implement BPDU protection on an AOS-CX switch port versus BPDU filtering?
Explanation:
BPDU (Bridge Protocol Data Unit) is a message that is exchanged between switches to maintain the spanning tree topology and prevent loops. BPDU protection and BPDU filtering are two features that can be configured on AOS-CX switch ports to enhance security and performance.
BPDU protection is a feature that disables a port if it receives a BPDU, indicating that an unauthorized switch or device has been connected to the port. BPDU protection is typically used on edge ports, which are ports that connect to end devices such as PCs or printers, and are not expected to receive BPDUs. BPDU protection prevents rogue devices from connecting to the network and affecting the spanning tree topology.
BPDU filtering is a feature that prevents a port from sending or receiving BPDUs, effectively isolating the port from the spanning tree topology. BPDU filtering is typically used on inter-switch ports, which are ports that connect to other switches, for specialized use cases such as creating a separate spanning tree domain or reducing the overhead of BPDUs. BPDU filtering should be used with caution, as it can create loops or inconsistencies in the network.
You can find more information about how to configure BPDU protection and BPDU filtering on AOSCX switch ports in the [Configuring Spanning Tree Protocol - Aruba] page and the [AOS-CX Switching Configuration Guide] page. The other options are not correct because they either use BPDU protection or BPDU filtering on the wrong type of ports or for the wrong purpose. For example, using BPDU protection on inter-switch ports would disable the ports if they receive BPDUs, which are expected in normal operation. Using BPDU filtering on edge ports would allow rogue devices to connect to the network and create loops or affect the spanning tree topology.
Refer to the scenario.
A customer is migrating from on-prem AD to Azure AD as its sole domain solution. The customer also manages both wired and wireless devices with Microsoft Endpoint Manager (Intune).
The customer wants to improve security for the network edge. You are helping the customer design a ClearPass deployment for this purpose. Aruba network devices will authenticate wireless and wired clients to an Aruba ClearPass Policy Manager (CPPM) cluster (which uses version 6.10).
The customer has several requirements for authentication. The clients should only pass EAP-TLS authentication if a query to Azure AD shows that they have accounts in Azure AD. To further refine the clients' privileges, ClearPass also should use information collected by Intune to make access control decisions.
The customer wants you to configure CPPM to collect information from Intune on demand during the authentication process.
What should you tell the Intune admins about the certificates issued to clients?
Explanation:
To configure CPPM to collect information from Intune on demand during the authentication process, you need to use the Intune extension for ClearPass. This extension allows ClearPass to query Intune for device compliance and configuration information using the Intune API. To use this extension, you need to register an app in Azure AD and grant it the required permissions to access Intune1
The Intune extension uses the device ID as the key to query Intune for device information. The device ID is a unique identifier that is assigned by Intune to each enrolled device. The device ID can be obtained from the client certificate that is used for EAP-TLS authentication. Therefore, the certificates issued to clients must include the Intune ID in the subject name, so that ClearPass can extract it and use it to query Intune2
The certificates issued to clients do not need to be issued by a well-known, trusted CA, as long as ClearPass trusts the CA that issued them. The certificates do not need to include the client MAC address in the subject name, as this is not relevant for querying Intune. The certificates do not need to be issued by a ClearPass Onboard CA, as this is not a requirement for using the Intune extension.
Reference:
1: ClearPass Extensions - Microsoft Intune Integration - Aruba, section "Configuring Microsoft Extension in ClearPass" 2: ClearPass Extensions - Microsoft Intune Integration - Aruba, section "Configuring EAP-TLS Authentication"
You are working with a developer to design a custom NAE script for a customer. You are helping the developer find the correct REST API resource to monitor.
Refer to the exhibit below.
What should you do before proceeding?
Explanation:
The exhibit shows the ArubaOS-CX REST API documentation interface, which allows you to explore the available resources and try out the API calls using the "Try it out" button. However, before you can use this feature, you need to authenticate yourself with your Aruba passport account and collect a token that will be used for subsequent requests. This token will expire after a certain time, so you need to refresh it periodically. You can find more details about how to use the documentation interface and collect a token in the ArubaOS-CX REST API Guide1.
Refer to the scenario.
An organization wants the AOS-CX switch to trigger an alert if its RADIUS server (cp.acnsxtest.local) rejects an unusual number of client authentication requests per hour. After some discussions with other Aruba admins, you are still not sure how many rejections are usual or unusual. You expect that the value could be different on each switch.
You are helping the developer understand how to develop an NAE script for this use case.
You are helping a customer define an NAE script for AOS-CX switches. The script will monitor statistics from a RADIUS server defined on the switch. You want to future proof the script by enabling admins to select a different hostname or IP address for the monitored RADIUS server when they create an agent from the script.
What should you recommend?
Unlock Premium Member
Refer to the scenario.
# Introduction to the customer
You are helping a company add Aruba ClearPass to their network, which uses Aruba network infrastructure devices.
The company currently has a Windows domain and Windows CA. The Window CA issues certificates to domain computers, domain users, and servers such as domain controllers. An example of a certificate issued by the Windows CA is shown here.
The company is in the process of adding Microsoft Endpoint Manager (Intune) to manage its mobile clients. The customer is maintaining the on-prem AD for now and uses Azure AD Connect to sync with Azure AD.
# Requirements for issuing certificates to mobile clients
The company wants to use ClearPass Onboard to deploy certificates automatically to mobile clients enrolled in Intune. During this process, Onboard should communicate with Azure AD to validate the clients. High availability should also be provided for this scenario; in other words, clients should be able to get certificates from Subscriber 2 if Subscriber 1 is down.
The Intune admins intend to create certificate profiles that include a UPN SAN with the UPN of the user who enrolled the device.
# Requirements for authenticating clients
The customer requires all types of clients to connect and authenticate on the same corporate SSID.
The company wants CPPM to use these authentication methods:
EAP-TLS to authenticate users on mobile clients registered in Intune
TEAR, with EAP-TLS as the inner method to authenticate Windows domain computers and the users on them
To succeed, EAP-TLS (standalone or as a TEAP method) clients must meet these requirements:
Their certificate is valid and is not revoked, as validated by OCSP
The client's username matches an account in AD
# Requirements for assigning clients to roles
After authentication, the customer wants the CPPM to assign clients to ClearPass roles based on the following rules:
Clients with certificates issued by Onboard are assigned the "mobile-onboarded" role
Clients that have passed TEAP Method 1 are assigned the "domain-computer" role
Clients in the AD group "Medical" are assigned the "medical-staff" role
Clients in the AD group "Reception" are assigned to the "reception-staff" role
The customer requires CPPM to assign authenticated clients to AOS firewall roles as follows:
Assign medical staff on mobile-onboarded clients to the "medical-mobile" firewall role
Assign other mobile-onboarded clients to the "mobile-other" firewall role
Assign medical staff on domain computers to the "medical-domain" firewall role
All reception staff on domain computers to the "reception-domain" firewall role
All domain computers with no valid user logged in to the "computer-only" firewall role
Deny other clients access
# Other requirements
Communications between ClearPass servers and on-prem AD domain controllers must be encrypted.
# Network topology
For the network infrastructure, this customer has Aruba APs and Aruba gateways, which are managed by Central. APs use tunneled WLANs, which tunnel traffic to the gateway cluster. The customer also has AOS-CX switches that are not managed by Central at this point.
# ClearPass cluster IP addressing and hostnames
A customer's ClearPass cluster has these IP addresses:
Publisher = 10.47.47.5
Subscriber 1 = 10.47.47.6
Subscriber 2 = 10.47.47.7
Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8
The customer's DNS server has these entries
cp.acnsxtest.com = 10.47.47.5
cps1.acnsxtest.com = 10.47.47.6
cps2.acnsxtest.com = 10.47.47.7
radius.acnsxtest.com = 10.47.47.8
onboard.acnsxtest.com = 10.47.47.8
The customer needs a secure way for users to enroll their new wireless clients in Intune. You are recommending a new WLAN that will provide the users with limited access for the enrollment.
You have set up captive portal for clients on this WLAN to a web page with instructions for enrolling devices. You will need to add several hostnames to the captive portal allowlist manually.
What is one of those hostnames?
Refer to the scenario.
A customer requires these rights for clients in the "medical-mobile" AOS firewall role on Aruba Mobility Controllers (MCs):
Permitted to receive IP addresses with DHCP
Permitted access to DNS services from 10.8.9.7 and no other server
Permitted access to all subnets in the 10.1.0.0/16 range except denied access to 10.1.12.0/22
Denied access to other 10.0.0.0/8 subnets
Permitted access to the Internet
Denied access to the WLAN for a period of time if they send any SSH traffic
Denied access to the WLAN for a period of time if they send any Telnet traffic
Denied access to all high-risk websites
External devices should not be permitted to initiate sessions with "medical-mobile" clients, only send return traffic.
The exhibits below show the configuration for the role.
There are multiple issues with the configuration.
What is one of the changes that you must make to the policies to meet the scenario requirements?
(In the options, rules in a policy are referenced from top to bottom. For example, "medical-mobile" rule 1 is "ipv4 any any svc-dhcp permit," and rule 8 is "ipv4 any any any permit'.)
Explanation:
Rules 6 and 7 in the "medical-mobile" policy are used to deny access to the WLAN for a period of time if the clients send any SSH or Telnet traffic, as required by the scenario. However, these rules are currently placed below rule 5, which permits access to the Internet for any traffic. This means that rule 5 will override rules 6 and 7, and the clients will not be denied access to the WLAN even if they send SSH or Telnet traffic.
To fix this issue, rules 6 and 7 should be moved to the top of the list, before rule 5. This way, rules 6 and 7 will take precedence over rule 5, and the clients will be denied access to the WLAN if they send SSH or Telnet traffic, as expected.
You are designing an Aruba ClearPass Policy Manager (CPPM) solution for a customer. You learn that the customer has a Palo Alto firewall that filters traffic between clients in the campus and the data center.
Which integration can you suggest?
Explanation:
This option allows CPPM to receive real-time information about the network activity and security posture of the clients from the firewall, and then apply appropriate enforcement actions based on the configured policies 12. For example, if a client is detected to be infected with malware or violating the network usage policy, CPPM can quarantine or disconnect the client from the network 2.
Refer to the scenario.
An organization wants the AOS-CX switch to trigger an alert if its RADIUS server (cp.acnsxtest.local) rejects an unusual number of client authentication requests per hour. After some discussions with other Aruba admins, you are still not sure how many rejections are usual or unusual. You expect that the value could be different on each switch.
You are helping the developer understand how to develop an NAE script for this use case.
The developer explains that they plan to define the rule with logic like this:
monitor > value
However, the developer asks you what value to include.
What should you recommend?
Refer to the scenario.
A customer has an AOS10 architecture that is managed by Aruba Central. Aruba infrastructure devices authenticate clients to an Aruba ClearPass cluster.
In Aruba Central, you are examining network traffic flows on a wireless IoT device that is categorized as "Raspberry Pi" clients. You see SSH traffic. You then check several more wireless IoT clients and see that they are sending SSH also.
You want an easy way to communicate the information that an IoT client has used SSH to Aruba ClearPass Policy Manager (CPPM).
What step should you take?
You are reviewing an endpoint entry in ClearPass Policy Manager (CPPM) Endpoints Repository.
What is a good sign that someone has been trying to gain unauthorized access to the network?
Explanation:
A profile conflict occurs when ClearPass Policy Manager (CPPM) detects a change in the device category or OS family of an endpoint that has been previously profiled. This could indicate that someone has spoofed the MAC address of a legitimate device and is trying to gain unauthorized access to the network. For example, if an endpoint that was previously profiled as a Printer suddenly shows a new profile of Computer, this could be a sign of an attack. You can find more information about profile conflicts and how to resolve them in the ClearPass Policy Manager User Guide1. The other options are not necessarily signs of unauthorized access, as they could have other explanations. For example, multiple DHCP options under the fingerprints could indicate that the device has connected to different networks or subnets, an Unknown status could indicate that the device has not been authenticated yet, and a lack of hostname or a random hostname could indicate that the device has not been configured properly or has been reset to factory settings.
Question