Black Friday Special Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: scxmas70

HPE6-A84 Exam Dumps - Aruba Certified Network Security Expert Written Exam

Question # 4

Refer to the scenario.

An organization wants the AOS-CX switch to trigger an alert if its RADIUS server (cp.acnsxtest.local) rejects an unusual number of client authentication requests per hour. After some discussions with other Aruba admins, you are still not sure how many rejections are usual or unusual. You expect that the value could be different on each switch.

You are helping the developer understand how to develop an NAE script for this use case.

You are helping a customer define an NAE script for AOS-CX switches. The script will monitor statistics from a RADIUS server defined on the switch. You want to future proof the script by enabling admins to select a different hostname or IP address for the monitored RADIUS server when they create an agent from the script.

What should you recommend?

A.

Use this variable, %{radius-ipV when defining the monitor URI in the NAE agent script.

B.

Define a parameter for the RADIUS server; reference that parameter instead of the server name/ip when defining the monitor URI.

C.

Use a callback action to collect the name of any RADIUS servers defined on the switch at the time the agent is created.

D.

Make the script editable so that admins can edit it on demand when they are creating scripts.

Full Access
Question # 5

You are designing an Aruba ClearPass Policy Manager (CPPM) solution for a customer. You learn that the customer has a Palo Alto firewall that filters traffic between clients in the campus and the data center.

Which integration can you suggest?

A.

Sending Syslogs from the firewall to CPPM to signal CPPM to change the authentication status for misbehaving clients

B.

Importing clients' MAC addresses to configure known clients for MAC authentication more quickly

C.

Establishing a double layer of authentication at both the campus edge and the data center DMZ

D.

Importing the firewall's rules to program downloadable user roles for AOS-CX switches more quickly

Full Access
Question # 6

Refer to the scenario.

A customer has an AOS10 architecture that is managed by Aruba Central. Aruba infrastructure devices authenticate clients to an Aruba ClearPass cluster.

In Aruba Central, you are examining network traffic flows on a wireless IoT device that is categorized as “Raspberry Pi” clients. You see SSH traffic. You then check several more wireless IoT clients and see that they are sending SSH also.

You want an easy way to communicate the information that an IoT client has used SSH to Aruba ClearPass Policy Manager (CPPM).

What step should you take?

A.

On CPPM create an Endpoint Context Server that points to the Central API.

B.

On CPPM enable Device Insight integration.

C.

On Central configure APs and gateways to use CPPM as the RADIUS accounting server.

D.

On Central set up CPPM as a Webhook application.

Full Access
Question # 7

A customer has an AOS 10-based mobility solution, which authenticates clients to Aruba ClearPass Policy Manager (CPPM). The customer has some wireless devices that support WPA2 in personal mode only.

How can you meet these devices’ needs but improve security?

A.

Use MPSK on the WLAN to which the devices connect.

B.

Configure WIDS policies that apply extra monitoring to these particular devices.

C.

Connect these devices to the same WLAN to which 802.1X-capable clients connect, using MAC-Auth fallback.

D.

Enable dynamic authorization (RFC 3576) in the AAA profile for the devices.

Full Access
Question # 8

How does Aruba Central handle security for site-to-site connections between AOS 10 gateways?

A.

It uses an Aruba proprietary integrity and encryption technologies to secure site-to-site connections, making them resistant to zero day attacks.

B.

It automatically establishes IPsec tunnels for all site-to-site (all HUBs and Branches) connections using keys securely distributed by Central.

C.

It automatically steers traffic away from Internet-based connections to more secure MPLS connections to reduce encryption overhead.

D.

It automatically establishes simple-to-manage and highly secure TLSv1.3 tunnels between gateways.

Full Access
Question # 9

Refer to the scenario.

An organization wants the AOS-CX switch to trigger an alert if its RADIUS server (cp.acnsxtest.local) rejects an unusual number of client authentication requests per hour. After some discussions with other Aruba admins, you are still not sure how many rejections are usual or unusual. You expect that the value could be different on each switch.

You are helping the developer understand how to develop an NAE script for this use case.

The developer explains that they plan to define the rule with logic like this:

monitor > value

However, the developer asks you what value to include.

What should you recommend?

A.

Checking one of the access switches' RADIUS statistics and adding 10 to the number listed for rejects

B.

Defining a baseline and referring to it for the value

C.

Using 10 (per hour) as a good starting point for the value

D.

Defining a parameter and referring to it (self ^ramsfname]) for the value

Full Access
Question # 10

Refer to the scenario.

A customer has an Aruba ClearPass cluster. The customer has AOS-CX switches that implement 802.1X authentication to ClearPass Policy Manager (CPPM).

Switches are using local port-access policies.

The customer wants to start tunneling wired clients that pass user authentication only to an Aruba gateway cluster. The gateway cluster should assign these clients to the “eth-internet" role. The gateway should also handle assigning clients to their VLAN, which is VLAN 20.

The plan for the enforcement policy and profiles is shown below:

The gateway cluster has two gateways with these IP addresses:

• Gateway 1

o VLAN 4085 (system IP) = 10.20.4.21

o VLAN 20 (users) = 10.20.20.1

o VLAN 4094 (WAN) = 198.51.100.14

• Gateway 2

o VLAN 4085 (system IP) = 10.20.4.22

o VLAN 20 (users) = 10.20.20.2

o VLAN 4094 (WAN) = 198.51.100.12

• VRRP on VLAN 20 = 10.20.20.254

The customer requires high availability for the tunnels between the switches and the gateway cluster. If one gateway falls, the other gateway should take over its tunnels. Also, the switch should be able to discover the gateway cluster regardless of whether one of the gateways is in the cluster.

Assume that you have configured the correct UBT zone and port-access role settings. However, the solution is not working.

What else should you make sure to do?

A.

Assign VLAN 20 as the access VLAN on any edge ports to which tunneled clients might connect.

B.

Create a new VLAN on the AOS-CX switch and configure that VLAN as the UBT client VLAN.

C.

Assign sufficient VIA licenses to the gateways based on the number of wired clients that will connect.

D.

Change the port-access auth-mode mode to client-mode on any edge ports to which tunneled clients might connect.

Full Access
Question # 11

A customer has an AOS 10-based solution, including Aruba APs. The customer wants to use Cloud Auth to authenticate non-802.1X capable IoT devices.

What is a prerequisite for setting up the device role mappings?

A.

Configuring a NetConductor-based fabric

B.

Configuring Device Insight (client profile) tags in Central

C.

Integrating Aruba ClearPass Policy Manager (CPPM) and Device Insight

D.

Creating global role-to-role firewall policies in Central

Full Access
Question # 12

The customer needs a way for users to enroll new wired clients in Intune. The clients should have limited access that only lets them enroll and receive certificates. You plan to set up these rights in an AOS-CX role named “provision.”

The customer’s security team dictates that you must limit these clients’ Internet access to only the necessary sites. Your switch software supports IPv4 and IPv6 addresses for the rules applied in the “provision” role.

What should you recommend?

A.

Configuring the rules for the “provision” role with IPv6 addresses, which tend to be more stable

B.

Enabling tunneling to the MCs on the “provision” role and then setting up the privileges on the MCs

C.

Configuring the “provision” role as a downloadable user role (DUR) in CPPM

D.

Assigning the “provision” role to a VLAN and then setting up the rules within a Layer 2 access control list (ACL)

Full Access
Question # 13

Refer to the scenario.

A customer has an Aruba ClearPass cluster. The customer has AOS-CX switches that implement 802.1X authentication to ClearPass Policy Manager (CPPM).

Switches are using local port-access policies.

The customer wants to start tunneling wired clients that pass user authentication only to an Aruba gateway cluster. The gateway cluster should assign these clients to the “eth-internet" role. The gateway should also handle assigning clients to their VLAN, which is VLAN 20.

The plan for the enforcement policy and profiles is shown below:

The gateway cluster has two gateways with these IP addresses:

• Gateway 1

o VLAN 4085 (system IP) = 10.20.4.21

o VLAN 20 (users) = 10.20.20.1

o VLAN 4094 (WAN) = 198.51.100.14

• Gateway 2

o VLAN 4085 (system IP) = 10.20.4.22

o VLAN 20 (users) = 10.20.20.2

o VLAN 4094 (WAN) = 198.51.100.12

• VRRP on VLAN 20 = 10.20.20.254

The customer requires high availability for the tunnels between the switches and the gateway cluster. If one gateway falls, the other gateway should take over its tunnels. Also, the switch should be able to discover the gateway cluster regardless of whether one of the gateways is in the cluster.

Assume that you are using the “myzone” name for the UBT zone.

Which is a valid minimal configuration for the AOS-CX port-access roles?

A.

port-access role eth-internet gateway-zone zone myzone gateway-role eth-user

B.

port-access role internet-only gateway-zone zone myzone gateway-role eth-internet

C.

port-access role eth-internet gateway-zone zone myzone gateway-role eth-internet vlan access 20

D.

port-access role internet-only gateway-zone zone myzone gateway-role eth-internet vlan access 20

Full Access
Question # 14

Refer to the scenario.

# Introduction to the customer

You are helping a company add Aruba ClearPass to their network, which uses Aruba network infrastructure devices.

The company currently has a Windows domain and Windows CA. The Window CA issues certificates to domain computers, domain users, and servers such as domain controllers. An example of a certificate issued by the Windows CA is shown here.

The company is in the process of adding Microsoft Endpoint Manager (Intune) to manage its mobile clients. The customer is maintaining the on-prem AD for now and uses Azure AD Connect to sync with Azure AD.

# Requirements for issuing certificates to mobile clients

The company wants to use ClearPass Onboard to deploy certificates automatically to mobile clients enrolled in Intune. During this process, Onboard should communicate with Azure AD to validate the clients. High availability should also be provided for this scenario; in other words, clients should be able to get certificates from Subscriber 2 if Subscriber 1 is down.

The Intune admins intend to create certificate profiles that include a UPN SAN with the UPN of the user who enrolled the device.

# Requirements for authenticating clients

The customer requires all types of clients to connect and authenticate on the same corporate SSID.

The company wants CPPM to use these authentication methods:

EAP-TLS to authenticate users on mobile clients registered in Intune

TEAR, with EAP-TLS as the inner method to authenticate Windows domain computers and the users on them

To succeed, EAP-TLS (standalone or as a TEAP method) clients must meet these requirements:

Their certificate is valid and is not revoked, as validated by OCSP

The client’s username matches an account in AD

# Requirements for assigning clients to roles

After authentication, the customer wants the CPPM to assign clients to ClearPass roles based on the following rules:

Clients with certificates issued by Onboard are assigned the “mobile-onboarded” role

Clients that have passed TEAP Method 1 are assigned the “domain-computer” role

Clients in the AD group “Medical” are assigned the “medical-staff” role

Clients in the AD group “Reception” are assigned to the “reception-staff” role

The customer requires CPPM to assign authenticated clients to AOS firewall roles as follows:

Assign medical staff on mobile-onboarded clients to the “medical-mobile” firewall role

Assign other mobile-onboarded clients to the “mobile-other” firewall role

Assign medical staff on domain computers to the “medical-domain” firewall role

All reception staff on domain computers to the “reception-domain” firewall role

All domain computers with no valid user logged in to the “computer-only” firewall role

Deny other clients’ access

# Other requirements

Communications between ClearPass servers and on-prem AD domain controllers must be encrypted.

# Network topology

For the network infrastructure, this customer has Aruba APs and Aruba gateways, which are managed by Central. APs use tunneled WLANs, which tunnel traffic to the gateway cluster. The customer also has AOS-CX switches that are not managed by Central at this point.

# ClearPass cluster IP addressing and hostnames

A customer’s ClearPass cluster has these IP addresses:

Publisher = 10.47.47.5

Subscriber 1 = 10.47.47.6

Subscriber 2 = 10.47.47.7

Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8

The customer’s DNS server has these entries

cp.acnsxtest.com = 10.47.47.5

cps1.acnsxtest.com = 10.47.47.6

cps2.acnsxtest.com = 10.47.47.7

radius.acnsxtest.com = 10.47.47.8

onboard.acnsxtest.com = 10.47.47.8

You have created a role mapping policy as shown in the exhibits below.

What is one change that you need to make to this policy?

A.

In rule 1 change Subject-CN to Issuer-CN.

B.

Move rules 2 and 3 to the top of the list.

C.

Change the rules evaluation mechanism to first applicable.

D.

Change the default role to 'mobile-onboarded*

Full Access
Question # 15

A company has an Aruba ClearPass server at 10.47.47.8, FQDN radius.acnsxtest.local. This exhibit shows ClearPass Policy Manager's (CPPM's) settings for an Aruba Mobility Controller (MC).

The MC is already configured with RADIUS authentication settings for CPPM, and RADIUS requests between the MC and CPPM are working. A network admin enters and commits this command to enable dynamic authorization on the MC:

aaa rfc-3576-server 10.47.47.8

But when CPPM sends CoA requests to the MC, they are not working. This exhibit shows the RFC 3576 server statistics on the MC:

How could you fix this issue?

A.

Change the UDP port in the MCs’ RFC 3576 server config to 3799.

B.

Enable RadSec on the MCs’ RFC 3676 server config.

C.

Configure the MC to obtain the time from a valid NTP server.

D.

Make sure that CPPM is using an ArubaOS Wireless RADIUS CoA enforcement profile.

Full Access
Question # 16

Refer to the scenario.

# Introduction to the customer

You are helping a company add Aruba ClearPass to their network, which uses Aruba network infrastructure devices.

The company currently has a Windows domain and Windows CA. The Window CA issues certificates to domain computers, domain users, and servers such as domain controllers. An example of a certificate issued by the Windows CA is shown here.

The company is in the process of adding Microsoft Endpoint Manager (Intune) to manage its mobile clients. The customer is maintaining the on-prem AD for now and uses Azure AD Connect to sync with Azure AD.

# Requirements for issuing certificates to mobile clients

The company wants to use ClearPass Onboard to deploy certificates automatically to mobile clients enrolled in Intune. During this process, Onboard should communicate with Azure AD to validate the clients. High availability should also be provided for this scenario; in other words, clients should be able to get certificates from Subscriber 2 if Subscriber 1 is down.

The Intune admins intend to create certificate profiles that include a UPN SAN with the UPN of the user who enrolled the device.

# Requirements for authenticating clients

The customer requires all types of clients to connect and authenticate on the same corporate SSID.

The company wants CPPM to use these authentication methods:

EAP-TLS to authenticate users on mobile clients registered in Intune

TEAR, with EAP-TLS as the inner method to authenticate Windows domain computers and the users on them

To succeed, EAP-TLS (standalone or as a TEAP method) clients must meet these requirements:

Their certificate is valid and is not revoked, as validated by OCSP

The client’s username matches an account in AD

# Requirements for assigning clients to roles

After authentication, the customer wants the CPPM to assign clients to ClearPass roles based on the following rules:

Clients with certificates issued by Onboard are assigned the “mobile-onboarded” role

Clients that have passed TEAP Method 1 are assigned the “domain-computer” role

Clients in the AD group “Medical” are assigned the “medical-staff” role

Clients in the AD group “Reception” are assigned to the “reception-staff” role

The customer requires CPPM to assign authenticated clients to AOS firewall roles as follows:

Assign medical staff on mobile-onboarded clients to the “medical-mobile” firewall role

Assign other mobile-onboarded clients to the “mobile-other” firewall role

Assign medical staff on domain computers to the “medical-domain” firewall role

All reception staff on domain computers to the “reception-domain” firewall role

All domain computers with no valid user logged in to the “computer-only” firewall role

Deny other clients access

# Other requirements

Communications between ClearPass servers and on-prem AD domain controllers must be encrypted.

# Network topology

For the network infrastructure, this customer has Aruba APs and Aruba gateways, which are managed by Central. APs use tunneled WLANs, which tunnel traffic to the gateway cluster. The customer also has AOS-CX switches that are not managed by Central at this point.

# ClearPass cluster IP addressing and hostnames

A customer’s ClearPass cluster has these IP addresses:

Publisher = 10.47.47.5

Subscriber 1 = 10.47.47.6

Subscriber 2 = 10.47.47.7

Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8

The customer’s DNS server has these entries

cp.acnsxtest.com = 10.47.47.5

cps1.acnsxtest.com = 10.47.47.6

cps2.acnsxtest.com = 10.47.47.7

radius.acnsxtest.com = 10.47.47.8

onboard.acnsxtest.com = 10.47.47.8

You have started to create a CA to meet the customer’s requirements for issuing certificates to mobile clients, as shown in the exhibit below.

What change will help to meet those requirements and the requirements for authenticating clients?

A.

Change the EST authentication method to use an external validator.

B.

Change the EST Digest Algorithm to SHA-512.

C.

Recreate the CA as a registration authority under Azure AD.

D.

Specify an OCSP responder, setting the hostname to localhost.

Full Access
Question # 17

You are reviewing an endpoint entry in ClearPass Policy Manager (CPPM) Endpoints Repository.

What is a good sign that someone has been trying to gain unauthorized access to the network?

A.

The entry shows multiple DHCP options under the fingerprints.

B.

The entry shows an Unknown status.

C.

The entry shows a profile conflict of having a new profile of Computer for a profiled Printer.

D.

The entry lacks a hostname or includes a hostname with long seemingly random characters.

Full Access
Question # 18

A customer has an AOS 10 architecture, which includes Aruba APs. Admins have recently enabled WIDS at the high level. They also enabled alerts and email notifications for several events, as shown in the exhibit.

Admins are complaining that they are getting so many emails that they have to ignore them, so they are going to turn off all notifications.

What is one step you could recommend trying first?

A.

Send the email notifications directly to a specific folder, and only check the folder once a week.

B.

Disable email notifications for Roque AP, but leave the Infrastructure Attack Detected and Client Attack Detected notifications on.

C.

Change the WIDS level to custom, and enable only the checks most likely to indicate real threats.

D.

Disable just the Rogue AP and Client Attack Detected alerts, as they overlap with the Infrastructure Attack Detected alert.

Full Access