HP HPE6-A84 Practice Test - Questions Answers, Page 2

The RAPIDS Security Dashboard is a feature of Aruba Central that provides a comprehensive view of the network security status, including IDS/IPS events, rogue APs, and wireless intrusion detection. By viewing the RAPIDS Security Dashboard, you can see if the threat sources are rogue APs that are spoofing legitimate DNS servers or clients. This can give you valuable context about the incident and help you identify the root cause of the attack1

Reference: Aruba Central User Guide

The UBT solution requires that the VLAN assignments for the wired clients are done by the gateway, not by the switch. Therefore, the role configurations on the gateways should not have any VLAN assignments, as they would override the VLAN 20 that is specified in the enforcement profile.

Instead, the role configurations should only have policies that define the access rights for the clients in the "eth-internet" role. This way, the gateway can assign the clients to VLAN 20 and apply the appropriate policies based on their role1

Reference:

1: Aruba Certified Network Technician (ACNT) | HPE Aruba Networking, section "Get the Edge: An Introduction to Aruba Networking Solutions"

The UBT solution requires that the edge ports on the switches are configured in VLAN trunk mode, not access mode. This is because the UBT solution uses a special VLAN (VLAN 4095 by default) to encapsulate the user traffic and tunnel it to the gateway. The edge ports need to allow this VLAN as well as any other VLANs that are used for management or control traffic. Therefore, the edge ports should be configured as VLAN trunk ports and allow the necessary VLANs1

Reference:

1: Aruba Certified Network Technician (ACNT) | HPE Aruba Networking, section "Get the Edge: An Introduction to Aruba Networking Solutions"

The scenario requires that the clients in the "medical-mobile" role are denied access to the 10.1.12.0/22 subnet, which is a range of IP addresses from 10.1.12.0 to 10.1.15.255. However, the current configuration in rule 5 has a subnet mask of 255.255.240.0, which means that it matches any IP address from 10.1.0.0 to 10.1.15.255. This is too broad and would deny access to other subnets in the 10.1.0.0/16 range that should be permitted according to the scenario. Therefore, the subnet mask in rule 5 should be changed to 255.255.252.0, which would match only the IP addresses from 10.1.12.0 to 10.1.15.255 and deny access to them as required by the scenario.1

Reference:

1: Configuring Firewall Policies - Aruba, section "Firewall Policies"

The VIA web authentication profile is used to authenticate the users who want to download the VIA connection settings from the VPNCs. The VPNCs can use either an internal database or an external server (such as RADIUS or LDAP) as the authentication source for this profile. To ensure that only authorized users obtain VIA connection settings, you should use CPPM as the external server and configure a service on CPPM that uses AD as the authentication source. This way, you can leverage the role mapping and enforcement features of CPPM to check if the users belong to the "RemoteEmployees" AD group and grant or deny them access accordingly1 The other options are not correct because they do not allow you to verify the users' AD group membership before providing them with VIA connection settings. Option B would only check the users' credentials against AD, but not their group membership. Option C would only apply to the VPN connection phase, not the VIA connection settings phase. Option D would not work because the VPNCs do not support LDAP as an authentication source for VIA connection profiles2

Reference:

1: Configuring the VIA Controller - Aruba, section "Configuring VIA Web Authentication Profile" 2: Configuring VIA Connection Profile - Aruba, section "Configuring Authentication Profile"

To configure CPPM to collect information from Intune on demand during the authentication process, you need to use the Intune extension for ClearPass. This extension allows ClearPass to query Intune for device compliance and configuration information using the Intune API. To use this extension, you need to register an app in Azure AD and grant it the required permissions to access Intune1

The Intune extension uses the device ID as the key to query Intune for device information. The device ID is a unique identifier that is assigned by Intune to each enrolled device. The device ID can be obtained from the client certificate that is used for EAP-TLS authentication. Therefore, the certificates issued to clients must include the Intune ID in the subject name, so that ClearPass can extract it and use it to query Intune2

The certificates issued to clients do not need to be issued by a well-known, trusted CA, as long as ClearPass trusts the CA that issued them. The certificates do not need to include the client MAC address in the subject name, as this is not relevant for querying Intune. The certificates do not need to be issued by a ClearPass Onboard CA, as this is not a requirement for using the Intune extension.

Reference:

1: ClearPass Extensions - Microsoft Intune Integration - Aruba, section "Configuring Microsoft Extension in ClearPass" 2: ClearPass Extensions - Microsoft Intune Integration - Aruba, section "Configuring EAP-TLS Authentication"

To use Azure AD as the authentication source in 802.1X services, you need to configure CPPM as a SAML service provider and Azure AD as a SAML identity provider. This allows CPPM to use Azure AD for user authentication and role mapping. To do this, you need to create an app registration on Azure AD that references the CPPM's FQDN as the reply URL and the entity ID. You also need to grant the app registration the required permissions to access user information from Azure AD1

The Fail Strategy is a configuration option for the IPS mode of inspection on Aruba gateways. It defines the action to be taken when the IPS engine crashes and cannot inspect the traffic. There are two possible options for the Fail Strategy: Bypass and Block1

If you set the Fail Strategy to Bypass, you are telling the gateway to allow the traffic to flow without inspection when the IPS engine fails. This option ensures that there is no disruption in the network connectivity, but it also exposes the network to potential threats that are not detected or prevented by the IPS engine1

If you set the Fail Strategy to Block, you are telling the gateway to stop the traffic flow until the IPS engine resumes inspection. This option ensures that there is no compromise in the network security, but it also causes a loss of network connectivity for the duration of the IPS engine failure1

Aruba Central supports site-to-site VPNs between AOS 10 gateways, which are Aruba devices that provide routing, firewall, and VPN functions. Aruba Central can automatically provision and manage the site-to-site VPNs using the VPN Manager feature. The VPN Manager allows you to create VPN groups that consist of one or more hubs and branches, and define the VPN settings for each group1 Aruba Central uses IPsec as the protocol to secure the site-to-site connections between the AOS 10 gateways. IPsec is a standard protocol that provides encryption, authentication, and integrity for IP packets. Aruba Central automatically establishes IPsec tunnels for all site-to-site connections using keys that are securely distributed by Central. The keys are generated by Central and pushed to the gateways using a secure channel. The keys are rotated periodically to enhance security2