HP HPE6-A84 Practice Test - Questions Answers, Page 5

Refer to the scenario.

# Introduction to the customer

You are helping a company add Aruba ClearPass to their network, which uses Aruba network infrastructure devices.

The company currently has a Windows domain and Windows CA. The Windows CA issues certificates to domain computers, domain users, and servers such as domain controllers. An example of a certificate issued by the Windows CA is shown here.

The company is in the process of adding Microsoft Endpoint Manager (Intune) to manage its mobile clients. The customer is maintaining the on-prem AD for now and uses Azure AD Connect to sync with Azure AD.

# Requirements for issuing certificates to mobile clients

The company wants to use ClearPass Onboard to deploy certificates automatically to mobile clients enrolled in Intune. During this process, Onboard should communicate with Azure AD to validate the clients. High availability should also be provided for this scenario; in other words, clients should be able to get certificates from Subscriber 2 if Subscriber 1 is down.

The Intune admins intend to create certificate profiles that include a UPN SAN with the UPN of the user who enrolled the device.

# Requirements for authenticating clients

The customer requires all types of clients to connect and authenticate on the same corporate SSID.

The company wants CPPM to use these authentication methods:

EAP-TLS to authenticate users on mobile clients registered in Intune

TEAP, with EAP-TLS as the inner method to authenticate Windows domain computers and the users on them

To succeed, EAP-TLS (standalone or as a TEAP method) clients must meet these requirements:

Their certificate is valid and is not revoked, as validated by OCSP

The client's username matches an account in AD

# Requirements for assigning clients to roles

After authentication, the customer wants the CPPM to assign clients to ClearPass roles based on the following rules:

Clients with certificates issued by Onboard are assigned the "mobile-onboarded" role

Clients that have passed TEAP Method 1 are assigned the "domain-computer" role

Clients in the AD group "Medical" are assigned the "medical-staff" role

Clients in the AD group "Reception" are assigned to the "reception-staff" role

The customer requires CPPM to assign authenticated clients to AOS firewall roles as follows:

Assign medical staff on mobile-onboarded clients to the "medical-mobile" firewall role

Assign other mobile-onboarded clients to the "mobile-other" firewall role

Assign medical staff on domain computers to the "medical-domain" firewall role

All reception staff on domain computers to the "reception-domain" firewall role

All domain computers with no valid user logged in to the "computer-only" firewall role

Deny other clients access

# Other requirements

Communications between ClearPass servers and on-prem AD domain controllers must be encrypted.

# Network topology

For the network infrastructure, this customer has Aruba APs and Aruba gateways, which are managed by Central. APs use tunneled WLANs, which tunnel traffic to the gateway cluster. The customer also has AOS-CX switches that are not managed by Central at this point.

# ClearPass cluster IP addressing and hostnames

A customer's ClearPass cluster has these IP addresses:

Publisher = 10.47.47.5

Subscriber 1 = 10.47.47.6

Subscriber 2 = 10.47.47.7

Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8

The customer's DNS server has these entries

cp.acnsxtest.com = 10.47.47.5

cps1.acnsxtest.com = 10.47.47.6

cps2.acnsxtest.com = 10.47.47.7

radius.acnsxtest.com = 10.47.47.8

onboard.acnsxtest.com = 10.47.47.8

You have started to create a CA to meet the customer's requirements for issuing certificates to mobile clients, as shown in the exhibit below.

What change will help to meet those requirements and the requirements for authenticating clients?



Refer to the scenario.

# Introduction to the customer

You are helping a company add Aruba ClearPass to their network, which uses Aruba network infrastructure devices.

The company currently has a Windows domain and Windows CA. The Windows CA issues certificates to domain computers, domain users, and servers such as domain controllers. An example of a certificate issued by the Windows CA is shown here.

The company is in the process of adding Microsoft Endpoint Manager (Intune) to manage its mobile clients. The customer is maintaining the on-prem AD for now and uses Azure AD Connect to sync with Azure AD.

# Requirements for issuing certificates to mobile clients

The company wants to use ClearPass Onboard to deploy certificates automatically to mobile clients enrolled in Intune. During this process, Onboard should communicate with Azure AD to validate the clients. High availability should also be provided for this scenario; in other words, clients should be able to get certificates from Subscriber 2 if Subscriber 1 is down.

The Intune admins intend to create certificate profiles that include a UPN SAN with the UPN of the user who enrolled the device.

# Requirements for authenticating clients

The customer requires all types of clients to connect and authenticate on the same corporate SSID.

The company wants CPPM to use these authentication methods:

EAP-TLS to authenticate users on mobile clients registered in Intune

TEAP, with EAP-TLS as the inner method to authenticate Windows domain computers and the users on them

To succeed, EAP-TLS (standalone or as a TEAP method) clients must meet these requirements:

Their certificate is valid and is not revoked, as validated by OCSP

The client's username matches an account in AD

# Requirements for assigning clients to roles

After authentication, the customer wants the CPPM to assign clients to ClearPass roles based on the following rules:

Clients with certificates issued by Onboard are assigned the "mobile-onboarded" role

Clients that have passed TEAP Method 1 are assigned the "domain-computer" role

Clients in the AD group "Medical" are assigned the "medical-staff" role

Clients in the AD group "Reception" are assigned to the "reception-staff" role

The customer requires CPPM to assign authenticated clients to AOS firewall roles as follows:

Assign medical staff on mobile-onboarded clients to the "medical-mobile" firewall role

Assign other mobile-onboarded clients to the "mobile-other" firewall role

Assign medical staff on domain computers to the "medical-domain" firewall role

All reception staff on domain computers to the "reception-domain" firewall role

All domain computers with no valid user logged in to the "computer-only" firewall role

Deny other clients access

# Other requirements

Communications between ClearPass servers and on-prem AD domain controllers must be encrypted.

# Network topology

For the network infrastructure, this customer has Aruba APs and Aruba gateways, which are managed by Central. APs use tunneled WLANs, which tunnel traffic to the gateway cluster. The customer also has AOS-CX switches that are not managed by Central at this point.

# ClearPass cluster IP addressing and hostnames

A customer's ClearPass cluster has these IP addresses:

Publisher = 10.47.47.5

Subscriber 1 = 10.47.47.6

Subscriber 2 = 10.47.47.7

Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8

The customer's DNS server has these entries

cp.acnsxtest.com = 10.47.47.5

cps1.acnsxtest.com = 10.47.47.6

cps2.acnsxtest.com = 10.47.47.7

radius.acnsxtest.com = 10.47.47.8

onboard.acnsxtest.com = 10.47.47.8

You have imported the root certificate for the Windows CA to the ClearPass CA Trust list.

Which usages should you add to it based on the scenario requirements?

Refer to the exhibit.

Aruba ClearPass Policy Manager (CPPM) is using the settings shown in the exhibit. You reference the tag shown in the exhibit in enforcement policies related to NASes of several types, including Aruba APs, Aruba gateways, and AOS-CX switches.

What should you do to ensure that clients are reclassified and receive the correct treatment based on the tag?

A.
Change the RADIUS action to [Aruba Wireless - Terminate Session] which is supported by all the NASes in question.
B.
Change the RADIUS action to [Aruba Wireless - Bounce Switch Port] which is supported by all the NASes in question.
C.
Enable profiling in each service using one of these enforcement profiles. Set the profiling action to the correct one for the NASes using that service.
D.
Set the Tags Update Action to No Action. Then instead enable the RADIUS CoAs using enforcement profiles in the rules that match clients with the tag shown in the exhibit.
Suggested answer: C

Explanation:

According to the ClearPass Policy Manager User Guide, the tag shown in the exhibit is a Device Insight tag, which classifies devices based on their observed behavior and characteristics.

Device Insight tags can be used as conditions in enforcement policies to apply different actions or roles to devices based on their tags. A tag can change after a client has already authenticated, so the enforcement decision has to be re-applied for the client to receive the correct treatment. That only happens if profiling is enabled in each service that uses one of these enforcement profiles: profiling lets ClearPass dynamically discover and profile devices on the network, update their attributes and tags, and, when a tag changes, send a RADIUS Change of Authorization (CoA) to the network access server (NAS) that controls the client so that the client is re-authenticated or its session terminated. Because Aruba APs, Aruba gateways, and AOS-CX switches do not all support the same CoA types, the profiling action must be set to the one that is correct for the NASes using that service; a single RADIUS action such as [Aruba Wireless - Terminate Session] or [Aruba Wireless - Bounce Switch Port] does not apply to all of them. Therefore, option C is the correct answer.

You are setting up Aruba ClearPass Policy Manager (CPPM) to enforce EAP-TLS authentication with Active Directory as the authentication source. The company wants to prevent users with disabled accounts from connecting even if those users still have valid certificates.

As the first part of meeting these criteria, what should you do to enable CPPM to determine whether accounts are enabled in AD or not?

A.
Add an Endpoint Context Server to the domain controller with actions for querying the domain controller for account status.
B.
Enable OCSP in the EAP-TLS authentication method settings and configure an OCSP override to the domain controller FQDN.
C.
Add a custom attribute for userAccountControl to the filters in the AD authentication source.
D.
Install a Microsoft Active Directory extension in Aruba ClearPass Guest and set up an HTTP authentication source that points to that extension.
Suggested answer: C

Explanation:

According to the ClearPass Policy Manager User Guide, userAccountControl is a standard Active Directory attribute that holds a bit field of flags defining the properties and state of an account. It is "custom" only from the ClearPass side: the default attribute filter of an AD authentication source does not retrieve it, so it must be added.

One of these flags is ACCOUNTDISABLE (bit value 0x0002), which is set when the account is disabled. By adding userAccountControl to the filters in the AD authentication source, CPPM retrieves the attribute for each authenticating user and can use it as a condition in role mapping or enforcement policies to prevent users with disabled accounts from connecting even if they still have valid certificates. Therefore, option C is the correct answer.

OCSP (option B) answers a different question: it reports whether the certificate has been revoked, and disabling an AD account does not by itself revoke certificates that the Windows CA has already issued. That is why certificate validity alone is not sufficient here and the account state has to be read from AD.
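The check described above, as an added example that is not part of the exam page and is not ClearPass code: it decodes userAccountControl flag values, shows the LDAP filter that excludes disabled accounts using AD's bitwise-AND matching rule, and models the "valid certificate but disabled account" decision. The directory entries, account names and the mapping of a UPN prefix to sAMAccountName are assumptions made for the demo; only the acnsxtest.com domain name comes from the scenario on this page.

```python
# Added example (not from the exam page or from Aruba): decoding
# userAccountControl and excluding disabled accounts in an LDAP filter.
# The directory contents below are constructed for the demo.
from __future__ import annotations

# Flag bits of userAccountControl (Microsoft ADS_USER_FLAG enumeration).
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "SMARTCARD_REQUIRED": 0x40000,
    "PASSWORD_EXPIRED": 0x800000,
}

# OID of AD's LDAP_MATCHING_RULE_BIT_AND extensible-match rule.
BIT_AND_RULE = "1.2.840.113556.1.4.803"

# Constructed sample directory: sAMAccountName -> userAccountControl.
SAMPLE_DIRECTORY = {
    "jsmith": 0x0200,     # normal account, enabled
    "ktan": 0x0202,       # normal account, disabled
    "rlee": 0x10200,      # enabled, password never expires
    "svc-scan": 0x10212,  # disabled and locked out
}


def decode_uac(value: int) -> set[str]:
    """Return the names of the flags set in a userAccountControl value."""
    return {name for name, bit in UAC_FLAGS.items() if value & bit}


def account_disabled(value: int) -> bool:
    """True when the ACCOUNTDISABLE bit (0x2) is set."""
    return bool(value & UAC_FLAGS["ACCOUNTDISABLE"])


def escape_ldap_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def enabled_account_filter(sam_account_name: str) -> str:
    """LDAP filter that matches the account only if it is NOT disabled.

    "userAccountControl:<OID>:=2" ANDs the stored bit field with 2
    (ACCOUNTDISABLE); the surrounding (!...) inverts the result.
    """
    return "(&(sAMAccountName=%s)(!(userAccountControl:%s:=2)))" % (
        escape_ldap_value(sam_account_name), BIT_AND_RULE)


def sam_from_upn(upn: str) -> str:
    """Map the UPN SAN of a client certificate (user@realm) to sAMAccountName.
    Assumption for the demo: the UPN prefix equals the sAMAccountName."""
    return upn.split("@", 1)[0]


def eap_tls_decision(upn: str, cert_valid: bool,
                     directory: dict[str, int] = SAMPLE_DIRECTORY) -> tuple[str, str]:
    """Model the policy: a valid certificate alone is not enough; the AD
    account named by its UPN must exist and must not be disabled."""
    if not cert_valid:
        return ("REJECT", "certificate invalid or revoked")
    uac = directory.get(sam_from_upn(upn))
    if uac is None:
        return ("REJECT", "no matching account in AD")
    if account_disabled(uac):
        return ("REJECT", "account disabled: userAccountControl has ACCOUNTDISABLE")
    return ("ACCEPT", "valid certificate and enabled account")


if __name__ == "__main__":
    for upn in ("jsmith@acnsxtest.com", "ktan@acnsxtest.com", "ghost@acnsxtest.com"):
        verdict, reason = eap_tls_decision(upn, cert_valid=True)
        print("%-22s %-7s %s" % (upn, verdict, reason))
    print(enabled_account_filter("jsmith"))
```

The filter form is the generic LDAP way to ask the domain controller to do the bit test itself; in CPPM the equivalent is a custom attribute filter on the AD authentication source that returns userAccountControl, after which a policy rule tests the attribute. Escaping the username before interpolating it into the filter matters whenever the name originates from the client (here the UPN SAN), otherwise a crafted certificate subject becomes an LDAP filter injection.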

Refer to the scenario.

This customer is enforcing 802.1X on AOS-CX switches to Aruba ClearPass Policy Manager (CPPM).

The customer wants switches to download role settings from CPPM. The "reception-domain" role must have these settings:

— Assigns clients to VLAN 14 on switch 1, VLAN 24 on switch 2, and so on.

— Filters client traffic as follows:

— Clients are permitted full access to 10.1.5.0/24 and the Internet

— Clients are denied access to 10.1.0.0/16

The switch topology is shown here:

How should you configure the VLAN setting for the reception role?

A.
Assign a consistent name to VLAN 14, 24, or 34 on each access layer switch and reference that name in the enforcement profile VLAN settings.
B.
Configure the enforcement profile as a downloadable role, but specify only the role name and leave the VLAN undefined. Then define a 'reception' role with the correct VLAN setting on each individual access layer switch.
C.
Assign a number-based ID to the access layer switches. Then use this variable in the enforcement profile VLAN settings: %{NAS-ID}4.
D.
Create a separate enforcement profile with a different VLAN ID for each switch. Add all profiles to the profile list in the appropriate enforcement policy rule.
Suggested answer: A

Explanation:

According to the AOS-CX User Guide, a downloadable user role lets the switch pull the complete role definition, including the VLAN, from CPPM at authentication time, so one enforcement profile serves every switch. Because the reception VLAN has a different ID on each access layer switch (14, 24, 34, and so on), the profile cannot carry a fixed VLAN ID. Instead, assign a consistent name to VLAN 14, 24, or 34 on each access layer switch and reference that name in the enforcement profile VLAN settings. Each switch then resolves the name to its own local VLAN ID, and the role is applied with the correct VLAN based on the name rather than the ID. The exhibits that showed the example enforcement profile VLAN settings and the per-switch VLAN configuration are not reproduced on this page.

Option B pushes the VLAN definition back onto each individual switch, which defeats the purpose of downloading the role from CPPM, and option D would place several profiles with conflicting VLAN IDs in a single enforcement policy rule.

Which element helps to lay the foundation for solid network security forensics?

A.
Enable BPDU protection and loop protection on edge switch ports
B.
Enabling debug-level information for network infrastructure device logs
C.
Implementing 802.1X authentication on switch ports that connect to APs
D.
Ensuring that all network devices use a correct, consistent clock
Suggested answer: D

Explanation:

Network forensics relies on correlating timestamped evidence (device logs, flow records, authentication records, packet captures) from many sources. If every network device keeps a correct, consistent clock (normally by synchronizing to NTP), events from different devices can be placed on one reliable timeline; if clocks drift or disagree, correlation becomes guesswork and the evidence is harder to trust or defend.

A. Enabling BPDU protection and loop protection on edge switch ports prevents network loops and topology changes caused by rogue switches or bridges; it does not contribute to forensics.

B. Enabling debug-level information for network infrastructure device logs produces far more data, consumes more resources and storage, and most of it is not relevant or useful for forensic analysis. Debug output is also rarely retained long enough for investigative or legal purposes.

C. Implementing 802.1X authentication on switch ports that connect to APs is good practice for keeping unauthorized devices off the network, but it does not capture or record the traffic data that network forensics analyzes.

Refer to the exhibit.

A customer requires protection against ARP poisoning in VLAN 4. Below are listed all settings for VLAN 4 and the VLAN 4 associated physical interfaces on the AOS-CX access layer switch:

What is one issue with this configuration?

A.
ARP proxy is not enabled on VLAN 4.
B.
LAG 1 is configured as trusted for ARP inspection but should be untrusted.
C.
DHCP snooping is not enabled on VLAN 4.
D.
Edge ports are not configured as untrusted for ARP inspection.
Suggested answer: D

Explanation:

ARP inspection validates ARP packets in a VLAN and prevents ARP poisoning by intercepting, logging, and discarding ARP packets with invalid IP-to-MAC address bindings. It depends on a per-port trust model. Trusted ports are those that face the rest of the infrastructure, such as uplinks to the core or authorized DHCP servers; ARP packets arriving on them are forwarded without inspection. Untrusted ports are those that connect to end hosts or other devices that might send forged ARP packets; ARP packets arriving on them are checked against the DHCP snooping binding table (or static bindings) and dropped if they do not match.

In the exhibit, LAG 1 is configured as a trusted port for ARP inspection, which is correct because it connects to the core switch. However, the edge ports (1/1/1-1/1/24) are not configured as untrusted ports for ARP inspection, which is incorrect because they connect to end hosts that might be compromised by an attacker. A port that is trusted for ARP inspection can inject any IP-to-MAC binding into VLAN 4 unchecked, so the protection the customer asked for is missing exactly where it matters. On AOS-CX the trust state is set per interface with arp-inspection trust; the edge ports must not carry that setting (no arp-inspection trust), so that the switch validates ARP packets received on them and drops any with invalid bindings.

A. ARP proxy is not enabled on VLAN 4. This is not an issue because ARP proxy is an optional feature that lets the switch respond to ARP requests on behalf of hosts in other subnets. It is not related to ARP poisoning or ARP inspection.

B. LAG 1 is configured as trusted for ARP inspection but should be untrusted. This is not an issue because LAG 1 connects to the core switch, an infrastructure device that is expected to send valid ARP packets. Making it untrusted would cause the switch to drop legitimate ARP traffic from the core, whose bindings are not in the local snooping table.

C. DHCP snooping is not enabled on VLAN 4. This is not the issue the question is after, because DHCP snooping is a separate feature that prevents rogue DHCP servers from offering addresses to clients and does not by itself stop ARP poisoning. It is, however, the usual source of the IP-to-MAC bindings that ARP inspection validates against, so in a VLAN with dynamically addressed hosts the two features are normally enabled together.
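The trust model described above, as an added example that is not part of the exam page and is not AOS-CX code: a small model of ARP inspection that forwards ARP on trusted ports unchecked and validates ARP on untrusted ports against a DHCP snooping binding table. The binding table, MAC and IP addresses, and the three sample packets are constructed for the demo; the port names lag1 and 1/1/x follow the question's exhibit. It is run under the correct trust configuration, under the misconfiguration the question is about (an edge port left trusted), and with no snooping bindings at all.

```python
# Added example (not from the exam page or from Aruba): a model of how ARP
# inspection applies port trust and the DHCP snooping binding table.
# All addresses, bindings and packets below are constructed for the demo.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    ingress_port: str
    sender_mac: str
    sender_ip: str
    target_ip: str


# Constructed DHCP snooping binding table for VLAN 4: sender MAC -> leased IP.
BINDINGS_VLAN4 = {
    "00:11:22:33:44:01": "10.4.0.11",  # host on 1/1/1
    "00:11:22:33:44:07": "10.4.0.17",  # host on 1/1/7
}

GATEWAY_IP = "10.4.0.1"  # reachable via lag1 (core); it holds no DHCP lease

# Trust configurations: the correct one and the one the question flags.
CORRECT_TRUST = {"lag1"}
EDGE_TRUSTED = {"lag1", "1/1/7"}  # edge port 1/1/7 wrongly left trusted


def inspect_arp(pkt: ArpPacket, bindings: dict[str, str],
                trusted_ports: set[str]) -> tuple[str, str]:
    """Return ("forward" | "drop", reason) for one ARP packet."""
    if pkt.ingress_port in trusted_ports:
        return ("forward", "trusted port: ARP not inspected")
    expected_ip = bindings.get(pkt.sender_mac)
    if expected_ip is None:
        return ("drop", "no DHCP snooping binding for sender MAC %s" % pkt.sender_mac)
    if expected_ip != pkt.sender_ip:
        return ("drop", "sender IP %s does not match binding %s"
                % (pkt.sender_ip, expected_ip))
    return ("forward", "sender binding verified")


# Constructed traffic: a legitimate host, a gateway-impersonation attempt
# from a second host, and the real gateway answering from the core.
LEGIT = ArpPacket("1/1/1", "00:11:22:33:44:01", "10.4.0.11", GATEWAY_IP)
SPOOF = ArpPacket("1/1/7", "00:11:22:33:44:07", GATEWAY_IP, "10.4.0.11")
CORE = ArpPacket("lag1", "00:aa:bb:cc:dd:01", GATEWAY_IP, "10.4.0.11")
SAMPLES = (("legit", LEGIT), ("spoof", SPOOF), ("core", CORE))


def run(trusted_ports: set[str],
        bindings: dict[str, str] = BINDINGS_VLAN4) -> dict[str, str]:
    """Inspect the sample packets under one trust/binding configuration."""
    return {name: inspect_arp(pkt, bindings, trusted_ports)[0]
            for name, pkt in SAMPLES}


if __name__ == "__main__":
    print("edge ports untrusted:", run(CORRECT_TRUST))
    print("1/1/7 left trusted  :", run(EDGE_TRUSTED))
    print("no snooping bindings:", run(CORRECT_TRUST, bindings={}))
```

The second run is the misconfiguration in the question: once an edge port is trusted, the spoofed "I am 10.4.0.1" reply is forwarded and every host in VLAN 4 can be poisoned. The third run is the caveat behind option C: with no binding table, ARP inspection has nothing to validate against and drops all ARP on untrusted ports, including the legitimate host, which is why DHCP snooping (or static bindings) has to be in place on the VLAN before ARP inspection is useful.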

Refer to the scenario.

A customer has an AOS10 architecture that is managed by Aruba Central. Aruba infrastructure devices authenticate clients to an Aruba ClearPass cluster.

In Aruba Central, you are examining network traffic flows on a wireless IoT device that is categorized as "Raspberry Pi" clients. You see SSH traffic. You then check several more wireless IoT clients and see that they are sending SSH also.

You want a relatively easy way to communicate the information that an IoT client has used SSH to Aruba CPPM.

What is one prerequisite?

A.
Enable event processing on subscribers in the ClearPass cluster.
B.
In CPPM's CA trust list, add the Aruba Infrastructure usage to the DigiCert certificate.
C.
Obtain a data collector token from Central's platform integration settings.
D.
Create an API application and token within the REST API settings.
Suggested answer: C

Refer to the scenario.

# Introduction to the customer

You are helping a company add Aruba ClearPass to their network, which uses Aruba network infrastructure devices.

The company currently has a Windows domain and Windows CA. The Windows CA issues certificates to domain computers, domain users, and servers such as domain controllers. An example of a certificate issued by the Windows CA is shown here.

The company is in the process of adding Microsoft Endpoint Manager (Intune) to manage its mobile clients. The customer is maintaining the on-prem AD for now and uses Azure AD Connect to sync with Azure AD.

# Requirements for issuing certificates to mobile clients

The company wants to use ClearPass Onboard to deploy certificates automatically to mobile clients enrolled in Intune. During this process, Onboard should communicate with Azure AD to validate the clients. High availability should also be provided for this scenario; in other words, clients should be able to get certificates from Subscriber 2 if Subscriber 1 is down.

The Intune admins intend to create certificate profiles that include a UPN SAN with the UPN of the user who enrolled the device.

# Requirements for authenticating clients

The customer requires all types of clients to connect and authenticate on the same corporate SSID.

The company wants CPPM to use these authentication methods:

EAP-TLS to authenticate users on mobile clients registered in Intune

TEAP, with EAP-TLS as the inner method to authenticate Windows domain computers and the users on them

To succeed, EAP-TLS (standalone or as a TEAP method) clients must meet these requirements:

Their certificate is valid and is not revoked, as validated by OCSP

The client's username matches an account in AD

# Requirements for assigning clients to roles

After authentication, the customer wants the CPPM to assign clients to ClearPass roles based on the following rules:

Clients with certificates issued by Onboard are assigned the "mobile-onboarded" role

Clients that have passed TEAP Method 1 are assigned the "domain-computer" role

Clients in the AD group "Medical" are assigned the "medical-staff" role

Clients in the AD group "Reception" are assigned to the "reception-staff" role

The customer requires CPPM to assign authenticated clients to AOS firewall roles as follows:

Assign medical staff on mobile-onboarded clients to the "medical-mobile" firewall role

Assign other mobile-onboarded clients to the "mobile-other" firewall role

Assign medical staff on domain computers to the "medical-domain" firewall role

All reception staff on domain computers to the "reception-domain" firewall role

All domain computers with no valid user logged in to the "computer-only" firewall role

Deny other clients access

# Other requirements

Communications between ClearPass servers and on-prem AD domain controllers must be encrypted.

# Network topology

For the network infrastructure, this customer has Aruba APs and Aruba gateways, which are managed by Central. APs use tunneled WLANs, which tunnel traffic to the gateway cluster. The customer also has AOS-CX switches that are not managed by Central at this point.

# ClearPass cluster IP addressing and hostnames

A customer's ClearPass cluster has these IP addresses:

Publisher = 10.47.47.5

Subscriber 1 = 10.47.47.6

Subscriber 2 = 10.47.47.7

Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8

The customer's DNS server has these entries

cp.acnsxtest.com = 10.47.47.5

cps1.acnsxtest.com = 10.47.47.6

cps2.acnsxtest.com = 10.47.47.7

radius.acnsxtest.com = 10.47.47.8

onboard.acnsxtest.com = 10.47.47.8

You have created a role mapping policy as shown in the exhibits below.

What is one change that you need to make to this policy?

A.
(option text not reproduced on this page)
B.
In rule 1 change Subject-CN to Issuer-CN.
C.
Move rules 2 and 3 to the top of the list.
D.
Change the rules evaluation mechanism to first applicable.
E.
Change the default role to 'mobile-onboarded'.
Suggested answer: A

Refer to the scenario.

# Introduction to the customer

You are helping a company add Aruba ClearPass to their network, which uses Aruba network infrastructure devices.

The company currently has a Windows domain and Windows CA. The Windows CA issues certificates to domain computers, domain users, and servers such as domain controllers. An example of a certificate issued by the Windows CA is shown here.

The company is in the process of adding Microsoft Endpoint Manager (Intune) to manage its mobile clients. The customer is maintaining the on-prem AD for now and uses Azure AD Connect to sync with Azure AD.

# Requirements for issuing certificates to mobile clients

The company wants to use ClearPass Onboard to deploy certificates automatically to mobile clients enrolled in Intune. During this process, Onboard should communicate with Azure AD to validate the clients. High availability should also be provided for this scenario; in other words, clients should be able to get certificates from Subscriber 2 if Subscriber 1 is down.

The Intune admins intend to create certificate profiles that include a UPN SAN with the UPN of the user who enrolled the device.

# Requirements for authenticating clients

The customer requires all types of clients to connect and authenticate on the same corporate SSID.

The company wants CPPM to use these authentication methods:

EAP-TLS to authenticate users on mobile clients registered in Intune

TEAP, with EAP-TLS as the inner method to authenticate Windows domain computers and the users on them

To succeed, EAP-TLS (standalone or as a TEAP method) clients must meet these requirements:

Their certificate is valid and is not revoked, as validated by OCSP

The client's username matches an account in AD

# Requirements for assigning clients to roles

After authentication, the customer wants the CPPM to assign clients to ClearPass roles based on the following rules:

Clients with certificates issued by Onboard are assigned the "mobile-onboarded" role

Clients that have passed TEAP Method 1 are assigned the "domain-computer" role

Clients in the AD group "Medical" are assigned the "medical-staff" role

Clients in the AD group "Reception" are assigned to the "reception-staff" role

The customer requires CPPM to assign authenticated clients to AOS firewall roles as follows:

Assign medical staff on mobile-onboarded clients to the "medical-mobile" firewall role

Assign other mobile-onboarded clients to the "mobile-other" firewall role

Assign medical staff on domain computers to the "medical-domain" firewall role

All reception staff on domain computers to the "reception-domain" firewall role

All domain computers with no valid user logged in to the "computer-only" firewall role

Deny other clients access

# Other requirements

Communications between ClearPass servers and on-prem AD domain controllers must be encrypted.

# Network topology

For the network infrastructure, this customer has Aruba APs and Aruba gateways, which are managed by Central. APs use tunneled WLANs, which tunnel traffic to the gateway cluster. The customer also has AOS-CX switches that are not managed by Central at this point.

# ClearPass cluster IP addressing and hostnames

A customer's ClearPass cluster has these IP addresses:

Publisher = 10.47.47.5

Subscriber 1 = 10.47.47.6

Subscriber 2 = 10.47.47.7

Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8

The customer's DNS server has these entries:

cp.acnsxtest.com = 10.47.47.5

cps1.acnsxtest.com = 10.47.47.6

cps2.acnsxtest.com = 10.47.47.7

radius.acnsxtest.com = 10.47.47.8

onboard.acnsxtest.com = 10.47.47.8

The customer needs a secure way for users to enroll their new wireless clients in Intune. You are recommending a new WLAN that will provide the users with limited access for the enrollment.

You have set up captive portal for clients on this WLAN to a web page with instructions for enrolling devices. You will need to add several hostnames to the captive portal allowlist manually.

What is one of those hostnames?


A. The hostname used by ClearPass Policy Manager's RADIUS services
B. The ClearPass Onboard hostname referenced in an Onboard provisioning profile
C. The ClearPass Onboard hostname referenced in Intune SCEP profiles
D. The hostname used by the on-prem domain controllers

Suggested answer: B

The customer needs a way for users to enroll new wired clients in Intune. The clients should have limited access that only lets them enroll and receive certificates. You plan to set up these rights in an AOS-CX role named "provision."

The customer's security team dictates that you must limit these clients' Internet access to only the necessary sites. Your switch software supports IPv4 and IPv6 addresses for the rules applied in the "provision" role.

What should you recommend?

A. Configuring the rules for the "provision" role with IPv6 addresses, which tend to be more stable
B. Enabling tunneling to the MCs on the "provision" role and then setting up the privileges on the MCs
C. Configuring the "provision" role as a downloadable user role (DUR) in CPPM
D. Assigning the "provision" role to a VLAN and then setting up the rules within a Layer 2 access control list (ACL)

Suggested answer: C

Explanation:

A downloadable user role (DUR) lets the AOS-CX switch pull the role definition from the central ClearPass server when a client authenticates, instead of relying on a role configured locally on every switch. The DUR carries the attributes and rules that define the client's access, such as the VLAN, ACLs, PoE settings and reauthentication period, and it can be changed on the ClearPass server without any change to the switch configuration.

The "provision" role can therefore be defined as a DUR in CPPM that gives enrolling wired clients only the access they need: the Intune enrollment service and the certificate authority that issues their certificates (in this scenario, ClearPass Onboard). Because the switch software supports both address families, the rules in the role can use IPv4 or IPv6 addresses as the destinations require.

A. Configuring the rules for the "provision" role with IPv6 addresses, which tend to be more stable. This does not address how the "provision" role is created and applied on the switch, and IPv6 addresses are not inherently more stable than IPv4 addresses. For cloud services such as Intune, rules in either address family have to be kept in step with the provider's published address ranges.

B. Enabling tunneling to the MCs on the "provision" role and then setting up the privileges on the MCs. Tunneling the wired clients' traffic to mobility controllers (MCs) would move enforcement off the switch and make the controllers a dependency for wired enrollment; the encapsulation adds complexity and overhead that the requirements do not call for, and the role still has to be defined somewhere.

D. Assigning the "provision" role to a VLAN and then setting up the rules within a Layer 2 access control list (ACL). On AOS-CX a user role is applied to the authenticated client, not to a VLAN (the role may itself assign a VLAN), and a Layer 2 ACL matches only on fields such as MAC addresses and Ethernet types, so it cannot restrict Internet access to specific sites; that requires IPv4/IPv6 rules.

Refer to the scenario.

You have started to create a CA to meet the customer's requirements for issuing certificates to mobile clients, as shown in the exhibit below.

What change will help to meet those requirements and the requirements for authenticating clients?


A. Change the EST authentication method to use an external validator.
B. Change the EST Digest Algorithm to SHA-512.
C. Recreate the CA as a registration authority under Azure AD.
D. Specify an OCSP responder, setting the hostname to localhost.

Suggested answer: A