HPE6-A84 Exam Dumps - Aruba Certified Network Security Expert Written Exam

Go to page:

Question # 9

Refer to the scenario.

An organization wants the AOS-CX switch to trigger an alert if its RADIUS server (cp.acnsxtest.local) rejects an unusual number of client authentication requests per hour. After some discussions with other Aruba admins, you are still not sure how many rejections are usual or unusual. You expect that the value could be different on each switch.

You are helping the developer understand how to develop an NAE script for this use case.

The developer explains that they plan to define the rule with logic like this:

monitor > value

However, the developer asks you what value to include.

What should you recommend?

Checking one of the access switches' RADIUS statistics and adding 10 to the number listed for rejects

Defining a baseline and referring to it for the value

Using 10 (per hour) as a good starting point for the value

Defining a parameter and referring to it (self ^ramsfname]) for the value

Full Access

Answer:

Explanation:

This is because a parameter is a variable that can be defined and modified by the user or the script, and can be used to customize the behavior and output of the NAE script. A parameter can be referred to by using the syntax self ^ramsfname], where ramsfname is the name of the parameter.

By defining a parameter for the value, the developer can make the NAE script more flexible and adaptable to different scenarios and switches. The parameter can be set to a default value, such as 10, but it can also be changed by the user or the script based on the network conditions and requirements. For example, the parameter can be adjusted dynamically based on the average or standard deviation of the number of rejects per hour, or based on the feedback from the user or other admins. This way, the NAE script can trigger an alert only when the number of rejects is truly unusual and not just arbitrary.

A. Checking one of the access switchesâ€™ RADIUS statistics and adding 10 to the number listed for rejects. This is not a good recommendation because it does not account for the variability and diversity of the network environment and switches. The number of rejects listed for one switch might not be representative or relevant for another switch, as different switches might have different traffic patterns, client types, RADIUS configurations, etc. Moreover, adding 10 to the number of rejects is an arbitrary and fixed value that might not reflect the actual threshold for triggering an alert.

B. Defining a baseline and referring to it for the value. This is not a bad recommendation, but it is not as good as defining a parameter. A baseline is a reference point that represents the normal or expected state of a network metric or performance indicator. A baseline can be used to compare and contrast the current network situation and detect any anomalies or deviations. However, a baseline might not be easy or accurate to define, as it might require historical data, statistical analysis, or expert judgment. Moreover, a baseline might not be stable or constant, as it might change over time due to network growth, evolution, or optimization.

C. Using 10 (per hour) as a good starting point for the value. This is not a good recommendation because it is an arbitrary and fixed value that might not reflect the actual threshold for triggering an alert. Using 10 (per hour) as the value might result in false positives or false negatives, depending on the network conditions and switches. For example, if the normal number of rejects per hour is 5, then using 10 as the value might trigger an alert too frequently and unnecessarily. On the other hand, if the normal number of rejects per hour is 15, then using 10 as the value might miss some important alerts and risks.

Question # 10

Refer to the scenario.

A customer has an Aruba ClearPass cluster. The customer has AOS-CX switches that implement 802.1X authentication to ClearPass Policy Manager (CPPM).

Switches are using local port-access policies.

The customer wants to start tunneling wired clients that pass user authentication only to an Aruba gateway cluster. The gateway cluster should assign these clients to the â€œeth-internet" role. The gateway should also handle assigning clients to their VLAN, which is VLAN 20.

The plan for the enforcement policy and profiles is shown below:

The gateway cluster has two gateways with these IP addresses:

â€¢ Gateway 1

o VLAN 4085 (system IP) = 10.20.4.21

o VLAN 20 (users) = 10.20.20.1

o VLAN 4094 (WAN) = 198.51.100.14

â€¢ Gateway 2

o VLAN 4085 (system IP) = 10.20.4.22

o VLAN 20 (users) = 10.20.20.2

o VLAN 4094 (WAN) = 198.51.100.12

â€¢ VRRP on VLAN 20 = 10.20.20.254

The customer requires high availability for the tunnels between the switches and the gateway cluster. If one gateway falls, the other gateway should take over its tunnels. Also, the switch should be able to discover the gateway cluster regardless of whether one of the gateways is in the cluster.

Assume that you have configured the correct UBT zone and port-access role settings. However, the solution is not working.

What else should you make sure to do?

Assign VLAN 20 as the access VLAN on any edge ports to which tunneled clients might connect.

Create a new VLAN on the AOS-CX switch and configure that VLAN as the UBT client VLAN.

Assign sufficient VIA licenses to the gateways based on the number of wired clients that will connect.

Change the port-access auth-mode mode to client-mode on any edge ports to which tunneled clients might connect.

Full Access

Answer:

Explanation:

The correct answer is B. Create a new VLAN on the AOS-CX switch and configure that VLAN as the UBT client VLAN.

User-based tunneling (UBT) is a feature that allows the AOS-CX switches to tunnel the traffic from wired clients to a mobility gateway cluster, where they can be assigned a role and a VLAN based on their authentication and authorization 1. To enable UBT, the switches need to have a UBT zone configured with the IP addresses of the gateways, and a UBT client VLAN configured with the ubt-client-vlan command 2.

The UBT client VLAN is a special VLAN that is used to encapsulate the traffic from the tunneled clients before sending it to the gateways. The UBT client VLAN must be different from any other VLANs used on the switch or the network, and it must not be assigned to any ports or interfaces on the switch 2. The UBT client VLAN is only used internally by the switch for UBT, and it is not visible to the clients or the gateways.

In this scenario, the customer wants to tunnel the clients that pass user authentication to the gateway cluster, where they will be assigned to VLAN 20. Therefore, the switch must have a UBT client VLAN configured that is different from VLAN 20 or any other VLANs on the network. For example, the switch can use VLAN 4000 as the UBT client VLAN, as shown in one of the web search results 3. The switch must also have a UBT zone configured with the system IP addresses of the gateways as the primary and backup controllers, as explained in question 3.

The other options are not correct or relevant for this issue:

Option A is not correct because assigning VLAN 20 as the access VLAN on any edge ports to which tunneled clients might connect would conflict with UBT. The access VLAN is the VLAN that is assigned to untagged traffic on a port, and it is used for local switching on the switch 4. If VLAN 20 is assigned as the access VLAN, then the traffic from the clients will not be tunneled to the gateways, but rather switched locally on VLAN 20. This would defeat the purpose of UBT and cause inconsistency in role and VLAN assignment.

Option C is not correct because VIA licenses are not required for UBT. VIA licenses are required for enabling VPN services on Aruba Mobility Controllers for remote access clients using Aruba Virtual Intranet Access (VIA) software . VIA licenses are not related to UBT or wired clients.

Option D is not correct because changing the port-access auth-mode mode to client-mode on any edge ports to which tunneled clients might connect would not affect UBT. The port-access auth-mode mode determines how a port handles authentication requests from multiple clients connected to a single port . Client-mode is the default mode that allows only one client per port, while multi-client-mode allows multiple clients per port. The port-access auth-mode mode does not affect how UBT works or how traffic is tunneled from a port.

Question # 11

A customer has an AOS 10-based solution, including Aruba APs. The customer wants to use Cloud Auth to authenticate non-802.1X capable IoT devices.

What is a prerequisite for setting up the device role mappings?

Configuring a NetConductor-based fabric

Configuring Device Insight (client profile) tags in Central

Integrating Aruba ClearPass Policy Manager (CPPM) and Device Insight

Creating global role-to-role firewall policies in Central

Full Access

Question # 12

The customer needs a way for users to enroll new wired clients in Intune. The clients should have limited access that only lets them enroll and receive certificates. You plan to set up these rights in an AOS-CX role named â€œprovision.â€

The customerâ€™s security team dictates that you must limit these clientsâ€™ Internet access to only the necessary sites. Your switch software supports IPv4 and IPv6 addresses for the rules applied in the â€œprovisionâ€ role.

What should you recommend?

Configuring the rules for the â€œprovisionâ€ role with IPv6 addresses, which tend to be more stable

Enabling tunneling to the MCs on the â€œprovisionâ€ role and then setting up the privileges on the MCs

Configuring the â€œprovisionâ€ role as a downloadable user role (DUR) in CPPM

Assigning the â€œprovisionâ€ role to a VLAN and then setting up the rules within a Layer 2 access control list (ACL)

Full Access

Answer:

Explanation:

This is because a downloadable user role (DUR) is a feature that allows the switch to use a central ClearPass server to download user-roles to the switch for authenticated users12Â A DUR can contain various attributes and rules that define the access level and privileges of the user, such as VLAN, ACL, PoE, reauthentication period, etc3Â A DUR can also be customized and updated on the ClearPass server without requiring any changes on the switch1

A DUR can be used to create a â€œprovisionâ€ role that allows users to enroll new wired clients in Intune. The â€œprovisionâ€ role can have limited access that only lets them enroll and receive certificates from the Intune service. The â€œprovisionâ€ role can also have rules that restrict the Internet access of the users to only the necessary sites, such as the Intune portal and the certificate authority.Â The rules can be based on IPv4 or IPv6 addresses, depending on the network configuration and preference2

A. Configuring the rules for the â€œprovisionâ€ role with IPv6 addresses, which tend to be more stable. This is not a valid recommendation because it does not address how to create and apply the â€œprovisionâ€ role on the switch.Â Moreover, IPv6 addresses do not necessarily tend to be more stable than IPv4 addresses, as both protocols have their own advantages and disadvantages4

B. Enabling tunneling to the MCs on the â€œprovisionâ€ role and then setting up the privileges on the MCs. This is not a valid recommendation because it does not explain how to enable tunneling or what MCs are.Â Moreover, tunneling is a technique that encapsulates one network protocol within another, which adds complexity and overhead to the network communication5

D. Assigning the â€œprovisionâ€ role to a VLAN and then setting up the rules within a Layer 2 access control list (ACL). This is not a valid recommendation because it does not explain how to assign a role to a VLAN or how to create a Layer 2 ACL on the switch.Â Moreover, a Layer 2 ACL is limited in its filtering capabilities, as it can only match on MAC addresses or Ethernet types, which might not be sufficient for restricting Internet access to specific sites

Question # 13

Refer to the scenario.

A customer has an Aruba ClearPass cluster. The customer has AOS-CX switches that implement 802.1X authentication to ClearPass Policy Manager (CPPM).

Switches are using local port-access policies.

The plan for the enforcement policy and profiles is shown below:

The gateway cluster has two gateways with these IP addresses:

â€¢ Gateway 1

o VLAN 4085 (system IP) = 10.20.4.21

o VLAN 20 (users) = 10.20.20.1

o VLAN 4094 (WAN) = 198.51.100.14

â€¢ Gateway 2

o VLAN 4085 (system IP) = 10.20.4.22

o VLAN 20 (users) = 10.20.20.2

o VLAN 4094 (WAN) = 198.51.100.12

â€¢ VRRP on VLAN 20 = 10.20.20.254

Assume that you are using the â€œmyzoneâ€ name for the UBT zone.

Which is a valid minimal configuration for the AOS-CX port-access roles?

port-access role eth-internet gateway-zone zone myzone gateway-role eth-user

port-access role internet-only gateway-zone zone myzone gateway-role eth-internet

port-access role eth-internet gateway-zone zone myzone gateway-role eth-internet vlan access 20

port-access role internet-only gateway-zone zone myzone gateway-role eth-internet vlan access 20

Full Access

Question # 14

Refer to the scenario.

# Introduction to the customer

You are helping a company add Aruba ClearPass to their network, which uses Aruba network infrastructure devices.

The company currently has a Windows domain and Windows CA. The Window CA issues certificates to domain computers, domain users, and servers such as domain controllers. An example of a certificate issued by the Windows CA is shown here.

The company is in the process of adding Microsoft Endpoint Manager (Intune) to manage its mobile clients. The customer is maintaining the on-prem AD for now and uses Azure AD Connect to sync with Azure AD.

# Requirements for issuing certificates to mobile clients

The company wants to use ClearPass Onboard to deploy certificates automatically to mobile clients enrolled in Intune. During this process, Onboard should communicate with Azure AD to validate the clients. High availability should also be provided for this scenario; in other words, clients should be able to get certificates from Subscriber 2 if Subscriber 1 is down.

The Intune admins intend to create certificate profiles that include a UPN SAN with the UPN of the user who enrolled the device.

# Requirements for authenticating clients

The customer requires all types of clients to connect and authenticate on the same corporate SSID.

The company wants CPPM to use these authentication methods:

EAP-TLS to authenticate users on mobile clients registered in Intune

TEAR, with EAP-TLS as the inner method to authenticate Windows domain computers and the users on them

To succeed, EAP-TLS (standalone or as a TEAP method) clients must meet these requirements:

Their certificate is valid and is not revoked, as validated by OCSP

The clientâ€™s username matches an account in AD

# Requirements for assigning clients to roles

After authentication, the customer wants the CPPM to assign clients to ClearPass roles based on the following rules:

Clients with certificates issued by Onboard are assigned the â€œmobile-onboardedâ€ role

Clients that have passed TEAP Method 1 are assigned the â€œdomain-computerâ€ role

Clients in the AD group â€œMedicalâ€ are assigned the â€œmedical-staffâ€ role

Clients in the AD group â€œReceptionâ€ are assigned to the â€œreception-staffâ€ role

The customer requires CPPM to assign authenticated clients to AOS firewall roles as follows:

Assign medical staff on mobile-onboarded clients to the â€œmedical-mobileâ€ firewall role

Assign other mobile-onboarded clients to the â€œmobile-otherâ€ firewall role

Assign medical staff on domain computers to the â€œmedical-domainâ€ firewall role

All reception staff on domain computers to the â€œreception-domainâ€ firewall role

All domain computers with no valid user logged in to the â€œcomputer-onlyâ€ firewall role

Deny other clientsâ€™ access

# Other requirements

Communications between ClearPass servers and on-prem AD domain controllers must be encrypted.

# Network topology

For the network infrastructure, this customer has Aruba APs and Aruba gateways, which are managed by Central. APs use tunneled WLANs, which tunnel traffic to the gateway cluster. The customer also has AOS-CX switches that are not managed by Central at this point.

# ClearPass cluster IP addressing and hostnames

A customerâ€™s ClearPass cluster has these IP addresses:

Publisher = 10.47.47.5

Subscriber 1 = 10.47.47.6

Subscriber 2 = 10.47.47.7

Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8

The customerâ€™s DNS server has these entries

cp.acnsxtest.com = 10.47.47.5

cps1.acnsxtest.com = 10.47.47.6

cps2.acnsxtest.com = 10.47.47.7

radius.acnsxtest.com = 10.47.47.8

onboard.acnsxtest.com = 10.47.47.8

You have created a role mapping policy as shown in the exhibits below.

What is one change that you need to make to this policy?

In rule 1 change Subject-CN to Issuer-CN.

Move rules 2 and 3 to the top of the list.

Change the rules evaluation mechanism to first applicable.

Change the default role to 'mobile-onboarded*

Full Access

Question # 15

A company has an Aruba ClearPass server at 10.47.47.8, FQDN radius.acnsxtest.local. This exhibit shows ClearPass Policy Manager's (CPPM's) settings for an Aruba Mobility Controller (MC).

The MC is already configured with RADIUS authentication settings for CPPM, and RADIUS requests between the MC and CPPM are working. A network admin enters and commits this command to enable dynamic authorization on the MC:

aaa rfc-3576-server 10.47.47.8

But when CPPM sends CoA requests to the MC, they are not working. This exhibit shows the RFC 3576 server statistics on the MC:

How could you fix this issue?

Change the UDP port in the MCsâ€™ RFC 3576 server config to 3799.

Enable RadSec on the MCsâ€™ RFC 3676 server config.

Configure the MC to obtain the time from a valid NTP server.

Make sure that CPPM is using an ArubaOS Wireless RADIUS CoA enforcement profile.

Full Access

Question # 16

Refer to the scenario.

# Introduction to the customer

You are helping a company add Aruba ClearPass to their network, which uses Aruba network infrastructure devices.

# Requirements for issuing certificates to mobile clients

The Intune admins intend to create certificate profiles that include a UPN SAN with the UPN of the user who enrolled the device.

# Requirements for authenticating clients

The customer requires all types of clients to connect and authenticate on the same corporate SSID.

The company wants CPPM to use these authentication methods:

EAP-TLS to authenticate users on mobile clients registered in Intune

TEAR, with EAP-TLS as the inner method to authenticate Windows domain computers and the users on them

To succeed, EAP-TLS (standalone or as a TEAP method) clients must meet these requirements:

Their certificate is valid and is not revoked, as validated by OCSP

The clientâ€™s username matches an account in AD

# Requirements for assigning clients to roles

After authentication, the customer wants the CPPM to assign clients to ClearPass roles based on the following rules:

Clients with certificates issued by Onboard are assigned the â€œmobile-onboardedâ€ role

Clients that have passed TEAP Method 1 are assigned the â€œdomain-computerâ€ role

Clients in the AD group â€œMedicalâ€ are assigned the â€œmedical-staffâ€ role

Clients in the AD group â€œReceptionâ€ are assigned to the â€œreception-staffâ€ role

The customer requires CPPM to assign authenticated clients to AOS firewall roles as follows:

Assign medical staff on mobile-onboarded clients to the â€œmedical-mobileâ€ firewall role

Assign other mobile-onboarded clients to the â€œmobile-otherâ€ firewall role

Assign medical staff on domain computers to the â€œmedical-domainâ€ firewall role

All reception staff on domain computers to the â€œreception-domainâ€ firewall role

All domain computers with no valid user logged in to the â€œcomputer-onlyâ€ firewall role

Deny other clients access

# Other requirements

Communications between ClearPass servers and on-prem AD domain controllers must be encrypted.

# Network topology

# ClearPass cluster IP addressing and hostnames

A customerâ€™s ClearPass cluster has these IP addresses:

Publisher = 10.47.47.5

Subscriber 1 = 10.47.47.6

Subscriber 2 = 10.47.47.7

Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8

The customerâ€™s DNS server has these entries

cp.acnsxtest.com = 10.47.47.5

cps1.acnsxtest.com = 10.47.47.6

cps2.acnsxtest.com = 10.47.47.7

radius.acnsxtest.com = 10.47.47.8

onboard.acnsxtest.com = 10.47.47.8

You have started to create a CA to meet the customerâ€™s requirements for issuing certificates to mobile clients, as shown in the exhibit below.

What change will help to meet those requirements and the requirements for authenticating clients?

Change the EST authentication method to use an external validator.

Change the EST Digest Algorithm to SHA-512.

Recreate the CA as a registration authority under Azure AD.

Specify an OCSP responder, setting the hostname to localhost.

Full Access

Go to page:

Hot Exams

ADM-201 Dumps

Platform-App-Builder Dumps

AZ-500 Dumps

350-701 Dumps

SY0-601 Dumps

NCSE-Core Dumps

PDP9 Dumps

DP-203 Dumps

AZ-700 Dumps

NSE7_EFW-7.0 Dumps

Integration-Architect Dumps

CS0-003 Dumps

Weekend Special Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: scxmas70

HPE6-A84 Exam Dumps - Aruba Certified Network Security Expert Written Exam

Answer:

Explanation:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Answer:

Explanation:

Answer:

Hot Exams