Winter Sale Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: v4s65

HPE6-A78 Exam Dumps - Aruba Certified Network Security Associate Exam

Question # 4

Why might devices use a Diffie-Hellman exchange?

A.

to agree on a shared secret in a secure manner over an insecure network

B.

to obtain a digital certificate signed by a trusted Certification Authority

C.

to prove knowledge of a passphrase without transmitting the passphrase

D.

to signal that they want to use asymmetric encryption for future communications

Full Access
Question # 5

A company has an Aruba solution with a Mobility Master (MM) Mobility Controllers (MCs) and campus Aps. What is one benefit of adding Aruba Airwave from the perspective of forensics?

A.

Airwave can provide more advanced authentication and access control services for the AmbaOS solution

B.

Airwave retains information about the network for much longer periods than ArubaOS solution

C.

Airwave is required to activate Wireless Intrusion Prevention (WIP) services on the ArubaOS solution

D.

AirWave enables low level debugging on the devices across the ArubaOS solution

Full Access
Question # 6

How can hackers implement a man-in-the-middle (MITM) attack against a wireless client?

A.

The hacker uses a combination of software and hardware to jam the RF band and prevent the client from connecting to any wireless networks.

B.

The hacker runs an NMap scan on the wireless client to find its MAC and IP address. The hacker then connects to another network and spoofs those addresses.

C.

The hacker connects a device to the same wireless network as the client and responds to the client’s ARP requests with the hacker device’s MAC address.

D.

The hacker uses spear-phishing to probe for the IP addresses that the client is attempting to reach. The hacker device then spoofs those IP addresses.

Full Access
Question # 7

What is one way that WPA3-PerSonal enhances security when compared to WPA2-Personal?

A.

WPA3-Perscn3i is more secure against password leaking Because all users nave their own username and password

B.

WPA3-Personai prevents eavesdropping on other users' wireless traffic by a user who knows the passphrase for the WLAN.

C.

WPA3-Personai is more resistant to passphrase cracking Because it requires passphrases to be at least 12 characters

D.

WPA3-Personal is more complicated to deploy because it requires a backend authentication server

Full Access
Question # 8

What is an Authorized client as defined by ArubaOS Wireless Intrusion Prevention System (WIP)?

A.

a client that has a certificate issued by a trusted Certification Authority (CA)

B.

a client that is not on the WIP blacklist

C.

a client that has successfully authenticated to an authorized AP and passed encrypted traffic

D.

a client that is on the WIP whitelist.

Full Access
Question # 9

You are troubleshooting an authentication issue for Aruba switches that enforce 802 IX10 a cluster of Aruba ClearPass Policy Manager (CPPMs) You know that CPPM Is receiving and processing the authentication requests because the Aruba switches are showing Access-Rejects in their statistics However, you cannot find the record tor the Access-Rejects in CPPM Access Tracker

What is something you can do to look for the records?

A.

Make sure that CPPM cluster settings are configured to show Access-Rejects

B.

Verify that you are logged in to the CPPM Ul with read-write, not read-only, access

C.

Click Edit in Access viewer and make sure that the correct servers are selected.

D.

Go to the CPPM Event Viewer, because this is where RADIUS Access Rejects are stored.

Full Access
Question # 10

What is a Key feature of me ArubaOS firewall?

A.

The firewall is stateful which means that n can track client sessions and automatically allow return traffic for permitted sessions

B.

The firewall Includes application layer gateways (ALGs). which it uses to filter Web traffic based on the reputation of the destination web site.

C.

The firewall examines all traffic at Layer 2 through Layer 4 and uses source IP addresses as the primary way to determine how to control traffic.

D.

The firewall is designed to fitter traffic primarily based on wireless 802.11 headers, making it ideal for mobility environments

Full Access
Question # 11

Refer to the exhibit, which shows the settings on the company’s MCs.

— Mobility Controller

Dashboard General Admin AirWave CPSec Certificates

Configuration

WLANsv Control Plane Security

Roles & PoliciesEnable CP Sec

Access PointsEnable auto cert provisioning:

You have deployed about 100 new Aruba 335-APs. What is required for the APs to become managed?

A.

installing CA-signed certificates on the APs

B.

installing self-signed certificates on the APs

C.

approving the APs as authorized APs on the AP whitelist

D.

configuring a PAPI key that matches on the APs and MCs

Full Access
Question # 12

What distinguishes a Distributed Denial of Service (DDoS) attack from a traditional Denial or service attack (DoS)?

A.

A DDoS attack originates from external devices, while a DoS attack originates from internal devices

B.

A DDoS attack is launched from multiple devices, while a DoS attack is launched from a single device

C.

A DoS attack targets one server, a DDoS attack targets all the clients that use a server

D.

A DDoS attack targets multiple devices, while a DoS Is designed to Incapacitate only one device

Full Access
Question # 13

You have a network with ArubaOS-Switches for which Aruba ClearPass Policy Manager (CPPM) is acting as a TACACS+ server to authenticate managers. CPPM assigns the admins a TACACS+ privilege level, either manager or operator. You are now adding ArubaOS-CX switches to the network. ClearPass admins want to use the same CPPM service and policies to authenticate managers on the new switches.

What should you explain?

A.

This approach cannot work because the ArubaOS-CX switches do not accept standard TACACS+ privilege levels.

B.

This approach cannot work because the ArubaOS-CX switches do not support TACACS+.

C.

This approach will work, but will need to be adjusted later if you want to assign managers to the default auditors group.

D.

This approach will work to assign admins to the default "administrators" group, but not to the default "operators" group.

Full Access
Question # 14

Refer to the exhibit, which shows the current network topology.

You are deploying a new wireless solution with an Aruba Mobility Master (MM). Aruba Mobility Controllers (MCs). and campus APs (CAPs). The solution will Include a WLAN that uses Tunnel for the forwarding mode and Implements WPA3-Enterprise security

What is a guideline for setting up the vlan for wireless devices connected to the WLAN?

A.

Assign the WLAN to a single new VLAN which is dedicated to wireless users

B.

Use wireless user roles to assign the devices to different VLANs in the 100-150 range

C.

Assign the WLAN to a named VLAN which specified 100-150 as the range of IDs.

D.

Use wireless user roles to assign the devices to a range of new vlan IDs.

Full Access
Question # 15

A company has Aruba Mobility Controllers (MCs), Aruba campus APs, and ArubaOS-Switches. The company plans to use ClearPass Policy Manager (CPPM) to classify endpoints by type. This company is using only CPPM and no other ClearPass solutions.

The ClearPass admins tell you that they want to use HTTP User-Agent strings to help classify endpoints.

What should you do as a part of configuring the ArubaOS-Switches to support this requirement?

A.

Create a device fingerprinting policy that includes HTTP, and apply the policy to edge ports.

B.

Create remote mirrors that collect traffic on edge ports, and mirror it to CPPM's IP address.

C.

Configure CPPM as the sFlow collector, and make sure that sFlow is enabled on edge ports.

D.

Connect the switches to CPPM's span ports, and set up mirroring of HTTP traffic on the switches.

Full Access
Question # 16

What is one of the policies that a company should define for digital forensics?

A.

which data should be routinely logged, where logs should be forwarded, and which logs should be archived

B.

what are the first steps that a company can take to implement micro-segmentation in their environment

C.

to which resources should various users be allowed access, based on their identity and the identity of their clients

D.

which type of EAP method is most secure for authenticating wired and wireless users with 802.1

Full Access
Question # 17

What is a consideration for implementing wireless containment in response to unauthorized devices discovered by ArubaOS Wireless Intrusion Detection (WIP)?

A.

It is best practice to implement automatic containment of unauthorized devices to eliminate the need to locate and remove them.

B.

Wireless containment only works against unauthorized wireless devices that connect to your corporate LAN, so it does not offer protection against Interfering APs.

C.

Your company should consider legal implications before you enable automatic containment or implement manual containment.

D.

Because wireless containment has a lower risk of targeting legitimate neighbors than wired containment, it is recommended in most use cases.

Full Access
Question # 18

An ArubaOS-CX switch enforces 802.1X on a port. No fan-through options or port-access roles are configured on the port The 802 1X supplicant on a connected client has not yet completed authentication

Which type of traffic does the authenticator accept from the client?

A.

EAP only

B.

DHCP, DNS and RADIUS only

C.

RADIUS only

D.

DHCP, DNS, and EAP only

Full Access
Question # 19

What is social engineering?

A.

Hackers use Artificial Intelligence (Al) to mimic a user’s online behavior so they can infiltrate a network and launch an attack.

B.

Hackers use employees to circumvent network security and gather the information they need to launch an attack.

C.

Hackers intercept traffic between two users, eavesdrop on their messages, and pretend to be one or both users.

D.

Hackers spoof the source IP address in their communications so they appear to be a legitimate user.

Full Access
Question # 20

A company has Aruba Mobility Controllers (MCs), Aruba campus APs, and ArubaOS-CX switches. The company plans to use ClearPass Policy Manager (CPPM) to classify endpoints by type. The company is contemplating the use of ClearPass’s TCP fingerprinting capabilities.

What is a consideration for using those capabilities?

A.

ClearPass admins will need to provide the credentials of an API admin account to configure on Aruba devices.

B.

You will need to mirror traffic to one of CPPM's span ports from a device such as a core routing switch.

C.

ArubaOS-CX switches do not offer the support necessary for CPPM to use TCP fingerprinting on wired endpoints.

D.

TCP fingerprinting of wireless endpoints requires a third-party Mobility Device Management (MDM) solution.

Full Access
Question # 21

A company with 439 employees wants to deploy an open WLAN for guests. The company wants the experience to be as follows:

*Guests select the WLAN and connect without having to enter a password.

*Guests are redirected to a welcome web page and log in.

The company also wants to provide encryption for the network for devices that are capable. Which security options should you implement for the WLAN?

A.

Opportunistic Wireless Encryption (OWE) and WPA3-Personal

B.

WPA3-Personal and MAC-Auth

C.

Captive portal and Opportunistic Wireless Encryption (OWE) in transition mode

D.

Captive portal and WPA3-Personal

Full Access
Question # 22

How can ARP be used to launch attacks?

A.

Hackers can use ARP to change their NIC's MAC address so they can impersonate legiti-mate users.

B.

Hackers can exploit the fact that the port used for ARP must remain open and thereby gain remote access to another user's device.

C.

A hacker can use ARP to claim ownership of a CA-signed certificate that actually belongs to another device.

D.

A hacker can send gratuitous ARP messages with the default gateway IP to cause devices to redirect traffic to the hacker's MAC address.

Full Access
Question # 23

Which endpoint classification capabilities do Aruba network infrastructure devices have on their own without ClearPass solutions?

A.

ArubaOS-CX switches can use a combination of active and passive methods to assign roles to clients.

B.

ArubaOS devices (controllers and lAPs) can use DHCP fingerprints to assign roles to clients.

C.

ArubaOS devices can use a combination of DHCP fingerprints, HTTP User-Agent strings, and Nmap to construct endpoint profiles.

D.

ArubaOS-Switches can use DHCP fingerprints to construct detailed endpoint profiles.

Full Access
Question # 24

Refer to the exhibit.

Device A is establishing an HTTPS session with the Arubapedia web sue using Chrome. The Arubapedia web server sends the certificate shown in the exhibit

What does the browser do as part of vacating the web server certificate?

A.

It uses the public key in the DigCen SHA2 Secure Server CA certificate to check the certificate's signature.

B.

It uses the public key in the DigCert root CA certificate to check the certificate signature

C.

It uses the private key in the DigiCert SHA2 Secure Server CA to check the certificate's signature.

D.

It uses the private key in the Arubapedia web site's certificate to check that certificate's signature

Full Access
Question # 25

You have been instructed to look in the ArubaOS Security Dashboard's client list Your goal is to find clients mat belong to the company and have connected to devices that might belong to hackers

Which client fits this description?

A.

MAC address d8:50:e6:f3;6d;a4; Client Classification Authorized; AP Classification, interfering

B.

MAC address d8:50:e6 f3;6e;c5; Client Classification Interfering. AP Classification Neighbor

C.

MAC address d8:50:e6:f3;6e;60; Client Classification Interfering. AP Classification Interfering

D.

MAC address d8:50:e6:f3;TO;ab; Client Classification Interfering. AP Classification Rogue

Full Access
Question # 26

What is an example or phishing?

A.

An attacker sends TCP messages to many different ports to discover which ports are open.

B.

An attacker checks a user’s password by using trying millions of potential passwords.

C.

An attacker lures clients to connect to a software-based AP that is using a legitimate SSID.

D.

An attacker sends emails posing as a service team member to get users to disclose their passwords.

Full Access
Question # 27

You are setting up an Aruba mobility solution which includes a Mobility Master (MM), Mobility Controllers (MCs), and campus APs (CAPs) for a university. The university plans to enforce WPA2-Enterprise for all users' connections. The university wants to apply one set of access control rules to faculty users' traffic and a different set of rules to students' traffic.

What is the best approach for applying the correct rules to each group?

A.

Create two VLANs, one for faculty and one for students. Create one set of firewall access control rules that specify faculty IP addresses for the source and a second set of rules that specify the student IP addresses for the source. Apply the rules to the WLAN.

B.

Create two roles, a "faculty" role and a "student" role. Apply firewall policies with the correct rules for each group to each role.

C.

Create two WLANs, one for faculty and one for students. Apply firewall policies with the correct rules for each group to each WLAN.

D.

Create two VLANs, one for faculty and one for students. Apply firewall policies with the correct rules for each group to each VLAN.

Full Access
Question # 28

The first exhibit shows roles on the MC, listed in alphabetic order. The second and third exhibits show the configuration for a WLAN to which a client connects. Which description of the role assigned to a user under various circumstances is correct?

A.

A user fails 802.1X authentication. The client remains connected, but is assigned the "guest" role.

B.

A user authenticates successfully with 802.1 X. and the RADIUS Access-Accept includes an Aruba-User-Role VSA set to "employeel.” The client’s role is "guest."

C.

A user authenticates successfully with 802.1X. and the RADIUS Access-Accept includes an Aruba-User-Role VSA set to "employee." The client’s role is "guest."

D.

A user authenticates successfully with 802.1X, and the RADIUS Access-Accept includes an Aruba-User-RoleVSA set to "employeel." The client's role is "employeel."

Full Access
Question # 29

You need to set up Aruba network infrastructure devices for management with SNMP. The SNMP server has this SNMPv3 user configured on it: username: airwave auth algorithm: sha auth key: fyluqp18@S!9a priv algorithm: aes priv key: 761oxaiaoeu19&

What correctly describes the setup on the infrastructure device?

A.

You must configure a user with the same name and keys, but can choose algorithms that meet the device's needs.

B.

You must configure the "airwave" server as an authorized user. Then, configure a separate user for this device with its own keys.

C.

You must configure a user with the same name and algorithms, but the keys should be unique to this device.

D.

You must configure a user with exactly the same name, algorithms, and keys.

Full Access
Question # 30

An admin has created a WLAN that uses the settings shown in the exhibits (and has not otherwise adjusted the settings in the AAA profile) A client connects to the WLAN Under which circumstances will a client receive the default role assignment?

A.

The client has attempted 802 1X authentication, but the MC could not contact the authentication server

B.

The client has attempted 802 1X authentication, but failed to maintain a reliable connection, leading to a timeout error

C.

The client has passed 802 1X authentication, and the value in the Aruba-User-Role VSA matches a role on the MC

D.

The client has passed 802 1X authentication and the authentication server did not send an Aruba-User-Role VSA

Full Access
Question # 31

Which is a use case for enabling Control Plane Policing on Aruba switches?

A.

to prevent unauthorized network devices from sending routing updates

B.

to prevent the switch from accepting routing updates from unauthorized users

C.

to encrypt traffic between tunneled node switches and Mobility Controllers (MCs)

D.

to mitigate Denial of Service (Dos) attacks on the switch

Full Access