# HPE6-A84 exam questions for practice in 2023 Updated 60 Questions [Q33-Q53]

The HPE6-A84 exam covers a wide range of topics related to network security and Aruba technologies, including network access control, secure network design, wireless security, firewall technologies, VPN technologies, and more. The exam is designed to be comprehensive and challenging, and it tests the knowledge and skills of network security professionals in a variety of real-world scenarios. It consists of 60 multiple-choice questions, and candidates are given 90 minutes to complete it. To become an Aruba Certified Network Security Expert, candidates must pass the HPE6-A84 exam, which tests the candidate's understanding of Aruba's network security solutions, including ClearPass Policy Manager, AirWave, and Aruba's wireless LANs. Additionally, the exam covers topics such as network security policy design, security risk assessments, and regulatory compliance.

## QUESTION 33

Refer to the scenario.

A customer has an Aruba ClearPass cluster. The customer has AOS-CX switches that implement 802.1X authentication to ClearPass Policy Manager (CPPM). Switches are using local port-access policies.

The customer wants to start tunneling wired clients that pass user authentication only to an Aruba gateway cluster. The gateway cluster should assign these clients to the "eth-internet" role. The gateway should also handle assigning clients to their VLAN, which is VLAN 20.

The plan for the enforcement policy and profiles is shown below:

The gateway cluster has two gateways with these IP addresses:

* Gateway 1
  * VLAN 4085 (system IP) = 10.20.4.21
  * VLAN 20 (users) = 10.20.20.1
  * VLAN 4094 (WAN) = 198.51.100.14
* Gateway 2
  * VLAN 4085 (system IP) = 10.20.4.22
  * VLAN 20 (users) = 10.20.20.2
  * VLAN 4094 (WAN) = 198.51.100.12
* VRRP on VLAN 20 = 10.20.20.254

The customer requires high availability for the tunnels between the switches and the gateway cluster. If one gateway fails, the other gateway should take over its tunnels. Also, the switch should be able to discover the gateway cluster regardless of whether one of the gateways is in the cluster.

You are setting up the UBT zone on an AOS-CX switch. Which IP addresses should you define in the zone?

A. Primary controller = 10.20.4.21; backup controller = 10.20.4.22
B. Primary controller = 198.51.100.14; backup controller = 10.20.4.21
C. Primary controller = 10.20.4.21; backup controller not defined
D. Primary controller = 10.20.20.254; backup controller not defined

Explanation: To configure user-based tunneling (UBT) on an AOS-CX switch, you need to specify the IP addresses of the mobility gateways that will receive the tunneled traffic from the switch. The primary controller is the preferred gateway for the switch to establish a tunnel, and the backup controller is the alternative gateway in case the primary controller fails or becomes unreachable. The IP addresses of the gateways should be their system IP addresses, which are used for inter-controller communication and cluster discovery.

In this scenario, the customer has a gateway cluster with two gateways, each with a system IP address on VLAN 4085. Therefore, the switch should use these system IP addresses as the primary and backup controllers for UBT. The IP addresses of the gateways on VLAN 20 and VLAN 4094 are not relevant for UBT, as they are used for user traffic and WAN connectivity, respectively. The VRRP IP address on VLAN 20 is also not applicable for UBT, as it is a virtual IP address that is not associated with any specific gateway.

Therefore, the best option is to use 10.20.4.21 as the primary controller and 10.20.4.22 as the backup controller for UBT on the switch. This will ensure high availability and cluster discovery for the tunneled traffic from the switch to the gateway cluster.

## QUESTION 34

You are setting up Aruba ClearPass Policy Manager (CPPM) to enforce EAP-TLS authentication with Active Directory as the authentication source. The company wants to prevent users with disabled accounts from connecting even if those users still have valid certificates.

As the first part of meeting these criteria, what should you do to enable CPPM to determine whether accounts are enabled in AD or not?

A. Add an Endpoint Context Server to the domain controller with actions for querying the domain controller for account status.
B. Enable OCSP in the EAP-TLS authentication method settings and configure an OCSP override to the domain controller FQDN.
C. Add a custom attribute for userAccountControl to the filters in the AD authentication source.
D. Install a Microsoft Active Directory extension in Aruba ClearPass Guest and set up an HTTP authentication source that points to that extension.

## QUESTION 35

Refer to the scenario.

### Introduction to the customer

You are helping a company add Aruba ClearPass to their network, which uses Aruba network infrastructure devices.

The company currently has a Windows domain and Windows CA. The Windows CA issues certificates to domain computers, domain users, and servers such as domain controllers.
An example of a certificate issued by the Windows CA is shown here.

The company is in the process of adding Microsoft Endpoint Manager (Intune) to manage its mobile clients. The customer is maintaining the on-prem AD for now and uses Azure AD Connect to sync with Azure AD.

### Requirements for issuing certificates to mobile clients

The company wants to use ClearPass Onboard to deploy certificates automatically to mobile clients enrolled in Intune. During this process, Onboard should communicate with Azure AD to validate the clients. High availability should also be provided for this scenario; in other words, clients should be able to get certificates from Subscriber 2 if Subscriber 1 is down.

The Intune admins intend to create certificate profiles that include a UPN SAN with the UPN of the user who enrolled the device.

### Requirements for authenticating clients

The customer requires all types of clients to connect and authenticate on the same corporate SSID. The company wants CPPM to use these authentication methods:

* EAP-TLS to authenticate users on mobile clients registered in Intune
* TEAP, with EAP-TLS as the inner method, to authenticate Windows domain computers and the users on them

To succeed, EAP-TLS (standalone or as a TEAP method) clients must meet these requirements:

* Their certificate is valid and is not revoked, as validated by OCSP
* The client's username matches an account in AD

### Requirements for assigning clients to roles

After authentication, the customer wants the CPPM to assign clients to ClearPass roles based on the following rules:

* Clients with certificates issued by Onboard are assigned the "mobile-onboarded" role
* Clients that have passed TEAP Method 1 are assigned the "domain-computer" role
* Clients in the AD group "Medical" are assigned the "medical-staff" role
* Clients in the AD group "Reception" are assigned the "reception-staff" role

The customer requires CPPM to assign authenticated clients to AOS firewall roles as follows:

* Assign medical staff on mobile-onboarded clients to the "medical-mobile" firewall role
* Assign other mobile-onboarded clients to the "mobile-other" firewall role
* Assign medical staff on domain computers to the "medical-domain" firewall role
* Assign all reception staff on domain computers to the "reception-domain" firewall role
* Assign all domain computers with no valid user logged in to the "computer-only" firewall role
* Deny other clients access

### Other requirements

Communications between ClearPass servers and on-prem AD domain controllers must be encrypted.

### Network topology

For the network infrastructure, this customer has Aruba APs and Aruba gateways, which are managed by Central. APs use tunneled WLANs, which tunnel traffic to the gateway cluster. The customer also has AOS-CX switches that are not managed by Central at this point.

### ClearPass cluster IP addressing and hostnames

The customer's ClearPass cluster has these IP addresses:

* Publisher = 10.47.47.5
* Subscriber 1 = 10.47.47.6
* Subscriber 2 = 10.47.47.7
* Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8

The customer's DNS server has these entries:

* cp.acnsxtest.com = 10.47.47.5
* cps1.acnsxtest.com = 10.47.47.6
* cps2.acnsxtest.com = 10.47.47.7
* radius.acnsxtest.com = 10.47.47.8
* onboard.acnsxtest.com = 10.47.47.8

You cannot see flow attributes for wireless clients. What should you check?

A. Deep packet inspection is enabled on the role to which the Aruba APs assign the wireless clients.
B. Firewall application visibility is enabled on the Aruba gateways, and the gateways have been rebooted.
C. Gateway IDS/IPS is enabled on the Aruba gateways, and the gateways have been rebooted.
D. Deep packet inspection is enabled on the Aruba APs, and the APs have been rebooted.

## QUESTION 36

Refer to the scenario.

A customer has an Aruba ClearPass cluster. The customer has AOS-CX switches that implement 802.1X authentication to ClearPass Policy Manager (CPPM). Switches are using local port-access policies.

The customer wants to start tunneling wired clients that pass user authentication only to an Aruba gateway cluster. The gateway cluster should assign these clients to the "eth-internet" role. The gateway should also handle assigning clients to their VLAN, which is VLAN 20.

The plan for the enforcement policy and profiles is shown below:

The gateway cluster has two gateways with these IP addresses:

* Gateway 1
  * VLAN 4085 (system IP) = 10.20.4.21
  * VLAN 20 (users) = 10.20.20.1
  * VLAN 4094 (WAN) = 198.51.100.14
* Gateway 2
  * VLAN 4085 (system IP) = 10.20.4.22
  * VLAN 20 (users) = 10.20.20.2
  * VLAN 4094 (WAN) = 198.51.100.12
* VRRP on VLAN 20 = 10.20.20.254

The customer requires high availability for the tunnels between the switches and the gateway cluster. If one gateway fails, the other gateway should take over its tunnels. Also, the switch should be able to discover the gateway cluster regardless of whether one of the gateways is in the cluster.

Assume that you are using the "myzone" name for the UBT zone. Which is a valid minimal configuration for the AOS-CX port-access roles?

A. `port-access role eth-internet` / `gateway-zone zone myzone gateway-role eth-user`
B. `port-access role internet-only` / `gateway-zone zone myzone gateway-role eth-internet`
C. `port-access role eth-internet` / `gateway-zone zone myzone gateway-role eth-internet` / `vlan access 20`
D. `port-access role internet-only` / `gateway-zone zone myzone gateway-role eth-internet` / `vlan access 20`

## QUESTION 37

Refer to the scenario.

An organization wants the AOS-CX switch to trigger an alert if its RADIUS server (cp.acnsxtest.local) rejects an unusual number of client authentication requests per hour. After some discussions with other Aruba admins, you are still not sure how many rejections are usual or unusual.
You expect that the value could be different on each switch.

You are helping the developer understand how to develop an NAE script for this use case. You are helping the developer find the right URI for the monitor.

Refer to the exhibit. You have used the REST API reference interface to submit a test call. The results are shown in the exhibit.

Which URI should you give to the developer?

A. `/rest/v1/system/vrfs/mgmt/radius/servers/cp.acnsxtest.local/2083/tcp?attributes=authstatistics`
B. `/rest/v1/system/vrfs/mgmt/radius/servers/cp.acnsxtest.local/2083/tcp?attributes=authstatistics?attributes=a`
C. `/rest/v1/system/vrfs/mgmt/radius/_servers/cp.acnsxtest.local/2083/tcp`
D. `/rest/v1/system/vrfs/mgmt/radius/servers/cp.acnsxtest.local/2083/tcp?attributes=authstatistics.access_rejec`

## QUESTION 38

A company has Aruba gateways and wants to start implementing gateway IDS/IPS. The customer has selected Block for the Fail Strategy.

What might you recommend to help minimize unexpected outages caused by using this particular Fail Strategy?

A. Configuring a relatively high threshold for the gateway threat count alerts
B. Making sure that the gateways have formed a cluster and operate in default gateway mode
C. Setting the IDS or IPS policy to the least restrictive option, Lenient
D. Enabling alerts and email notifications for events related to gateway IPS engine utilization and errors

Explanation: The correct answer is D, enabling alerts and email notifications for events related to gateway IPS engine utilization and errors.

Gateway IDS/IPS is a feature that allows the Aruba gateways to monitor and block malicious or unwanted traffic based on predefined or custom rules. The Fail Strategy is a setting that determines how the gateways handle traffic when the IPS engine fails or crashes. The Block option means that the gateways will stop forwarding traffic until the IPS engine recovers, while the Bypass option means that the gateways will continue forwarding traffic without inspection.

The Block option provides more security, but it also increases the risk of network outages if the IPS engine fails frequently or for a long time. To minimize this risk, it is recommended to enable alerts and email notifications for events related to gateway IPS engine utilization and errors. This way, the network administrators can be informed of any issues with the IPS engine and take appropriate actions to restore or troubleshoot it.

The other options are not correct or relevant for this issue:

* Option A is not correct because configuring a relatively high threshold for the gateway threat count alerts would not help minimize unexpected outages caused by using the Block option. The gateway threat count alerts are used to notify the network administrators of the number of threats detected by the IPS engine, but they do not affect how the gateways handle traffic when the IPS engine fails.
* Option B is not correct because making sure that the gateways have formed a cluster and operate in default gateway mode would not help minimize unexpected outages caused by using the Block option. The gateway cluster mode is used to provide high availability and load balancing for the gateways, but it does not affect how the gateways handle traffic when the IPS engine fails. The default gateway mode is used to enable routing and NAT functions on the gateways, but it does not affect how the gateways handle traffic when the IPS engine fails.
* Option C is not correct because setting the IDS or IPS policy to the least restrictive option, Lenient, would not help minimize unexpected outages caused by using the Block option. The IDS or IPS policy is used to define what rules are applied by the IPS engine to inspect and block traffic, but it does not affect how the gateways handle traffic when the IPS engine fails. The Lenient option contains fewer and older rules than the Moderate or Strict options, which means that it provides less security and more false negatives.

## QUESTION 39

Refer to the scenario.

### Introduction to the customer

You are helping a company add Aruba ClearPass to their network, which uses Aruba network infrastructure devices.

The company currently has a Windows domain and Windows CA. The Windows CA issues certificates to domain computers, domain users, and servers such as domain controllers. An example of a certificate issued by the Windows CA is shown here.

The company is in the process of adding Microsoft Endpoint Manager (Intune) to manage its mobile clients. The customer is maintaining the on-prem AD for now and uses Azure AD Connect to sync with Azure AD.

### Requirements for issuing certificates to mobile clients

The company wants to use ClearPass Onboard to deploy certificates automatically to mobile clients enrolled in Intune. During this process, Onboard should communicate with Azure AD to validate the clients.
High availability should also be provided for this scenario; in other words, clients should be able to get certificates from Subscriber 2 if Subscriber 1 is down.

The Intune admins intend to create certificate profiles that include a UPN SAN with the UPN of the user who enrolled the device.

### Requirements for authenticating clients

The customer requires all types of clients to connect and authenticate on the same corporate SSID. The company wants CPPM to use these authentication methods:

* EAP-TLS to authenticate users on mobile clients registered in Intune
* TEAP, with EAP-TLS as the inner method, to authenticate Windows domain computers and the users on them

To succeed, EAP-TLS (standalone or as a TEAP method) clients must meet these requirements:

* Their certificate is valid and is not revoked, as validated by OCSP
* The client's username matches an account in AD

### Requirements for assigning clients to roles

After authentication, the customer wants the CPPM to assign clients to ClearPass roles based on the following rules:

* Clients with certificates issued by Onboard are assigned the "mobile-onboarded" role
* Clients that have passed TEAP Method 1 are assigned the "domain-computer" role
* Clients in the AD group "Medical" are assigned the "medical-staff" role
* Clients in the AD group "Reception" are assigned the "reception-staff" role

The customer requires CPPM to assign authenticated clients to AOS firewall roles as follows:

* Assign medical staff on mobile-onboarded clients to the "medical-mobile" firewall role
* Assign other mobile-onboarded clients to the "mobile-other" firewall role
* Assign medical staff on domain computers to the "medical-domain" firewall role
* Assign all reception staff on domain computers to the "reception-domain" firewall role
* Assign all domain computers with no valid user logged in to the "computer-only" firewall role
* Deny other clients access

### Other requirements

Communications between ClearPass servers and on-prem AD domain controllers must be encrypted.

### Network topology

For the network infrastructure, this customer has Aruba APs and Aruba gateways, which are managed by Central. APs use tunneled WLANs, which tunnel traffic to the gateway cluster. The customer also has AOS-CX switches that are not managed by Central at this point.

### ClearPass cluster IP addressing and hostnames

The customer's ClearPass cluster has these IP addresses:

* Publisher = 10.47.47.5
* Subscriber 1 = 10.47.47.6
* Subscriber 2 = 10.47.47.7
* Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8

The customer's DNS server has these entries:

* cp.acnsxtest.com = 10.47.47.5
* cps1.acnsxtest.com = 10.47.47.6
* cps2.acnsxtest.com = 10.47.47.7
* radius.acnsxtest.com = 10.47.47.8
* onboard.acnsxtest.com = 10.47.47.8

The customer needs a secure way for users to enroll their new wireless clients in Intune. You are recommending a new WLAN that will provide the users with limited access for the enrollment. You have set up captive portal for clients on this WLAN to a web page with instructions for enrolling devices.

You will need to add several hostnames to the captive portal allowlist manually. What is one of those hostnames?

A. The hostname used by ClearPass Policy Manager's RADIUS services
B. The ClearPass Onboard hostname referenced in an Onboard provisioning profile
C. The ClearPass Onboard hostname referenced in Intune SCEP profiles
D. The hostname used by the on-prem domain controllers

## QUESTION 40

You are working with a developer to design a custom NAE script for a customer. The NAE agent should trigger an alert when ARP inspection drops packets on a VLAN. The customer wants the admins to be able to select the correct VLAN ID for the agent to monitor when they create the agent.

What should you tell the developer to do?

A. Use this variable, `%{vlan-id}`, when defining the monitor URI in the NAE agent script.
B. Define a VLAN ID parameter; reference that parameter when defining the monitor URI.
C. Create multiple monitors within the script from which admins can select when they create the agent.
D. Use a callback action to collect the ID of the VLAN on which admins have enabled NAE monitoring.

Explanation: A custom NAE script is a Python script that defines the monitors, the alert-trigger logic, and the remedial actions for an NAE agent. A monitor is a URI that specifies the data source and the data type that the NAE agent should collect and analyze. For example, to monitor the ARP inspection statistics on a VLAN, the monitor URI would be something like this:

where `<vlan-id>` is the ID of the VLAN to be monitored.

To allow the admins to select the correct VLAN ID for the agent to monitor when they create the agent, you need to define a VLAN ID parameter in the NAE script. A parameter is a variable that can be set by the user when creating or modifying an agent. A parameter can be referenced in other parts of the script by using the syntax `${parameter-name}`. For example, to define a VLAN ID parameter and reference it in the monitor URI, you would write something like this:

This way, when the admins create or modify the agent, they can enter the VLAN ID that they want to monitor, and the NAE script will use that value in the monitor URI.

You can find more information about how to write custom NAE scripts and use parameters in the NAE Scripting Guide.

## QUESTION 41

Refer to the scenario.

A customer is using an AOS 10 architecture with Aruba APs and Aruba gateways (two per site). Admins have implemented auto-site clustering for gateways with the default gateway mode disabled. WLANs use tunneled mode to the gateways.

The WLAN security is WPA3-Enterprise with authentication to an Aruba ClearPass Policy Manager (CPPM) cluster VIP. RADIUS communications use RADIUS, not RadSec.

CPPM is using the service shown in the exhibits.

Which step can you take to improve operations during a possible gateway failover event?

A. Change the WLANs to mixed-mode forwarding so that you can select multiple gateway clusters.
B. Set up gateway clusters manually and set VRRP IP addresses for dynamic authorization.
C. Use auto-group clustering instead of auto-site clustering for the gateways.
D. Enable default gateway mode for the gateway clusters.

## QUESTION 42

Refer to the scenario.

A customer has an Aruba ClearPass cluster. The customer has AOS-CX switches that implement 802.1X authentication to ClearPass Policy Manager (CPPM). Switches are using local port-access policies.

The customer wants to start tunneling wired clients that pass user authentication only to an Aruba gateway cluster. The gateway cluster should assign these clients to the "eth-internet" role. The gateway should also handle assigning clients to their VLAN, which is VLAN 20.

The plan for the enforcement policy and profiles is shown below:

The gateway cluster has two gateways with these IP addresses:

* Gateway 1
  * VLAN 4085 (system IP) = 10.20.4.21
  * VLAN 20 (users) = 10.20.20.1
  * VLAN 4094 (WAN) = 198.51.100.14
* Gateway 2
  * VLAN 4085 (system IP) = 10.20.4.22
  * VLAN 20 (users) = 10.20.20.2
  * VLAN 4094 (WAN) = 198.51.100.12
* VRRP on VLAN 20 = 10.20.20.254

The customer requires high availability for the tunnels between the switches and the gateway cluster. If one gateway fails, the other gateway should take over its tunnels. Also, the switch should be able to discover the gateway cluster regardless of whether one of the gateways is in the cluster.

What is one change that you should make to the solution?

A. Change the ubt-client-vlan to VLAN 13.
B. Configure edge ports in VLAN trunk mode.
C. Remove VLAN assignments from role configurations on the gateways.
D. Configure the UBT solution to use VLAN extend mode.

Explanation: The UBT solution requires that the VLAN assignments for the wired clients are done by the gateway, not by the switch. Therefore, the role configurations on the gateways should not have any VLAN assignments, as they would override the VLAN 20 that is specified in the enforcement profile.
Instead, the role configurations should only have policies that define the access rights for the clients in the "eth-internet" role. This way, the gateway can assign the clients to VLAN 20 and apply the appropriate policies based on their role.

## QUESTION 43

You need to install a certificate on a standalone Aruba Mobility Controller (MC). The MC will need to use the certificate for the Web UI and for implementing RadSec with Aruba ClearPass Policy Manager. You have been given a certificate with these settings:

* Subject: CN=mc41.site94.example.com
* No SANs
* Issuer: CN=ca41.example.com
* EKUs: Server Authentication, Client Authentication

What issue does this certificate have for the purposes for which the certificate is intended?

A. It has conflicting EKUs.
B. It is issued by a private CA.
C. It specifies domain info in the CN field instead of the DC field.
D. It lacks a DNS SAN.

Explanation: A DNS SAN (Subject Alternative Name) is an extension of the X.509 certificate standard that allows specifying additional hostnames or IP addresses that the certificate can be used for. A DNS SAN is useful for validating the identity of the server or client that presents the certificate, especially when the common name (CN) field does not match the hostname or IP address of the server or client.

In this case, the certificate has a CN of mc41.site94.example.com, which is the fully qualified domain name (FQDN) of the standalone Aruba Mobility Controller (MC). However, this CN may not match the hostname or IP address that the MC uses for the Web UI or for implementing RadSec with Aruba ClearPass Policy Manager. For example, if the MC uses a different FQDN, such as mc41.example.com, or an IP address, such as 192.168.1.41, for these purposes, then the certificate would not be valid for them. Therefore, the certificate should have a DNS SAN that includes all the possible hostnames or IP addresses that the MC may use for the Web UI and RadSec.

## QUESTION 44

You are working with a developer to design a custom NAE script for a customer. You are helping the developer find the correct REST API resource to monitor.

Refer to the exhibit below. What should you do before proceeding?

A. Go to the v1 API documentation interface instead of the v10.10 interface.
B. Use your Aruba passport account and collect a token to use when trying out API calls.
C. Enable the switch to listen to REST API calls on the default VRF.
D. Make sure that your browser is set up to store authentication tokens and cookies.

Explanation: The exhibit shows the ArubaOS-CX REST API documentation interface, which allows you to explore the available resources and try out the API calls using the "Try it out" button. However, before you can use this feature, you need to authenticate yourself with your Aruba passport account and collect a token that will be used for subsequent requests. This token will expire after a certain time, so you need to refresh it periodically. You can find more details about how to use the documentation interface and collect a token in the ArubaOS-CX REST API Guide.

## QUESTION 45

You are designing an Aruba ClearPass Policy Manager (CPPM) solution for a customer. You learn that the customer has a Palo Alto firewall that filters traffic between clients in the campus and the data center.

Which integration can you suggest?

A. Sending Syslogs from the firewall to CPPM to signal CPPM to change the authentication status for misbehaving clients
B. Importing clients' MAC addresses to configure known clients for MAC authentication more quickly
C. Establishing a double layer of authentication at both the campus edge and the data center DMZ
D. Importing the firewall's rules to program downloadable user roles for AOS-CX switches more quickly

Explanation: This option allows CPPM to receive real-time information about the network activity and security posture of the clients from the firewall, and then apply appropriate enforcement actions based on the configured policies. For example, if a client is detected to be infected with malware or violating the network usage policy, CPPM can quarantine or disconnect the client from the network.

## QUESTION 46

Refer to the scenario.

### Introduction to the customer

You are helping a company add Aruba ClearPass to their network, which uses Aruba network infrastructure devices.

The company currently has a Windows domain and Windows CA. The Windows CA issues certificates to domain computers, domain users, and servers such as domain controllers. An example of a certificate issued by the Windows CA is shown here.

The company is in the process of adding Microsoft Endpoint Manager (Intune) to manage its mobile clients. The customer is maintaining the on-prem AD for now and uses Azure AD Connect to sync with Azure AD.

### Requirements for issuing certificates to mobile clients

The company wants to use ClearPass Onboard to deploy certificates automatically to mobile clients enrolled in Intune. During this process, Onboard should communicate with Azure AD to validate the clients.
High availability should also be provided for this scenario; in other words, clients should be able to get certificates from Subscriber 2 if Subscriber 1 is down.The Intune admins intend to create certificate profiles that include a UPN SAN with the UPN of the user who enrolled the device.# Requirements for authenticating clientsThe customer requires all types of clients to connect and authenticate on the same corporate SSID.The company wants CPPM to use these authentication methods:* EAP-TLS to authenticate users on mobile clients registered in Intune* TEAR, with EAP-TLS as the inner method to authenticate Windows domain computers and the users on them To succeed, EAP-TLS (standalone or as a TEAP method) clients must meet these requirements:Their certificate is valid and is not revoked, as validated by OCSPThe client’s username matches an account in AD# Requirements for assigning clients to rolesAfter authentication, the customer wants the CPPM to assign clients to ClearPass roles based on the following rules:* Clients with certificates issued by Onboard are assigned the “mobile-onboarded” role* Clients that have passed TEAP Method 1 are assigned the “domain-computer” role Clients in the AD group “Medical” are assigned the “medical-staff” role Clients in the AD group “Reception” are assigned to the “reception-staff” role The customer requires CPPM to assign authenticated clients to AOS firewall roles as follows:* Assign medical staff on mobile-onboarded clients to the “medical-mobile” firewall role* Assign other mobile-onboarded clients to the “mobile-other” firewall role* Assign medical staff on domain computers to the “medical-domain” firewall role* All reception staff on domain computers to the “reception-domain” firewall role* All domain computers with no valid user logged in to the “computer-only” firewall role* Deny other clients access# Other requirementsCommunications between ClearPass servers and on-prem AD domain controllers must be encrypted.# Network 
topologyFor the network infrastructure, this customer has Aruba APs and Aruba gateways, which are managed by Central. APs use tunneled WLANs, which tunnel traffic to the gateway cluster. The customer also has AOS-CX switches that are not managed by Central at this point.# ClearPass cluster IP addressing and hostnamesA customer’s ClearPass cluster has these IP addresses:* Publisher = 10.47.47.5* Subscriber 1 = 10.47.47.6* Subscriber 2 = 10.47.47.7* Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8The customer’s DNS server has these entries* cp.acnsxtest.com = 10.47.47.5* cps1.acnsxtest.com = 10.47.47.6* cps2.acnsxtest.com = 10.47.47.7* radius.acnsxtest.com = 10.47.47.8* onboard.acnsxtest.com = 10.47.47.8You have imported the root certificate for the Windows CA to the ClearPass CA Trust list.Which usages should you add to it based on the scenario requirements?  EAP and AD/LDAP Server  LDAP and Aruba infrastructure  Radsec and Aruba infrastructure  EAP and Radsec QUESTION 47Refer to the scenario.This customer is enforcing 802.1X on AOS-CX switches to Aruba ClearPass Policy Manager (CPPM). The customer wants switches to download role settings from CPPM. The “reception-domain” role must have these settings:– Assigns clients to VLAN 14 on switch 1, VLAN 24 on switch 2, and so on.– Filters client traffic as follows:– Clients are permitted full access to 10.1.5.0/24 and the Internet– Clients are denied access to 10.1.0.0/16The switch topology is shown here:How should you configure the VLAN setting for the reception role?  Assign a consistent name to VLAN 14, 24, or 34 on each access layer switch and reference that name in the enforcement profile VLAN settings.  Configure the enforcement profile as a downloadable role, but specify only the role name and leave the VLAN undefined. Then define a ‘reception’ role with the correct VLAN setting on each individual access layer switch.  Assign a number-based ID to the access layer switches. 
Then use this variable in the enforcement profile VLAN settings: %{NAS-ID}4.
Create a separate enforcement profile with a different VLAN ID for each switch. Add all profiles to the profile list in the appropriate enforcement policy rule.

Explanation
According to the AOS-CX User Guide, one way to configure the VLAN setting for the reception role is to assign a consistent name to VLAN 14, 24, or 34 on each access layer switch and reference that name in the enforcement profile VLAN settings. This way, the switches can download the role settings from CPPM and apply the correct VLAN based on the name rather than the ID. For example, the enforcement profile VLAN settings could be:

And the VLAN configuration on each switch could be:

QUESTION 48
Refer to the scenario.
A customer requires these rights for clients in the “medical-mobile” AOS firewall role on Aruba Mobility Controllers (MCs):
* Permitted to receive IP addresses with DHCP
* Permitted access to DNS services from 10.8.9.7 and no other server
* Permitted access to all subnets in the 10.1.0.0/16 range except denied access to 10.1.12.0/22
* Denied access to other 10.0.0.0/8 subnets
* Permitted access to the Internet
* Denied access to the WLAN for a period of time if they send any SSH traffic
* Denied access to the WLAN for a period of time if they send any Telnet traffic
* Denied access to all high-risk websites
* External devices should not be permitted to initiate sessions with “medical-mobile” clients, only send return traffic.

The exhibits below show the configuration for the role.

There are multiple issues with the configuration.

What is one of the changes that you must make to the policies to meet the scenario requirements? (In the options, rules in a policy are referenced from top to bottom. For example, “medical-mobile” rule 1 is “ipv4 any any svc-dhcp permit,” and rule 8 is “ipv4 any any any permit”.)

In the “medical-mobile” policy, change the source in rule 1 to “user.”
In the “medical-mobile” policy, change the subnet mask in rule 3 to 255.255.248.0.
In the “medical-mobile” policy, move rules 6 and 7 to the top of the list.
Move the rule in the “apprf-medical-mobile-sacl” policy between rules 7 and 8 in the “medical-mobile” policy.

QUESTION 49
Refer to the scenario.
A customer is migrating from on-prem AD to Azure AD as its sole domain solution. The customer also manages both wired and wireless devices with Microsoft Endpoint Manager (Intune).

The customer wants to improve security for the network edge. You are helping the customer design a ClearPass deployment for this purpose. Aruba network devices will authenticate wireless and wired clients to an Aruba ClearPass Policy Manager (CPPM) cluster (which uses version 6.10).

The customer has several requirements for authentication. The clients should only pass EAP-TLS authentication if a query to Azure AD shows that they have accounts in Azure AD. To further refine the clients’ privileges, ClearPass also should use information collected by Intune to make access control decisions.

You are planning to use Azure AD as the authentication source in 802.1X services.

What should you make sure that the customer understands is required?

An app registration on Azure AD that references the CPPM’s FQDN
Windows 365 subscriptions
CPPM’s RADIUS certificate was imported as trusted in the Azure AD directory
Azure AD Domain Services

Explanation
To use Azure AD as the authentication source in 802.1X services, you need to configure CPPM as a SAML service provider and Azure AD as a SAML identity provider. This allows CPPM to use Azure AD for user authentication and role mapping. To do this, you need to create an app registration on Azure AD that references the CPPM’s FQDN as the reply URL and the entity ID.
You also need to grant the app registration the required permissions to access user information from Azure AD [1].

QUESTION 50
Refer to the scenario.
A customer has an Aruba ClearPass cluster. The customer has AOS-CX switches that implement 802.1X authentication to ClearPass Policy Manager (CPPM). Switches are using local port-access policies.

The customer wants to start tunneling wired clients that pass user authentication only to an Aruba gateway cluster. The gateway cluster should assign these clients to the “eth-internet” role. The gateway should also handle assigning clients to their VLAN, which is VLAN 20.

The plan for the enforcement policy and profiles is shown below:

The gateway cluster has two gateways with these IP addresses:
* Gateway 1
  o VLAN 4085 (system IP) = 10.20.4.21
  o VLAN 20 (users) = 10.20.20.1
  o VLAN 4094 (WAN) = 198.51.100.14
* Gateway 2
  o VLAN 4085 (system IP) = 10.20.4.22
  o VLAN 20 (users) = 10.20.20.2
  o VLAN 4094 (WAN) = 198.51.100.12
* VRRP on VLAN 20 = 10.20.20.254

The customer requires high availability for the tunnels between the switches and the gateway cluster. If one gateway fails, the other gateway should take over its tunnels. Also, the switch should be able to discover the gateway cluster regardless of whether one of the gateways is in the cluster.

Assume that you are using the “myzone” name for the UBT zone.

Which is a valid minimal configuration for the AOS-CX port-access roles?

port-access role eth-internet gateway-zone zone myzone gateway-role eth-user
port-access role internet-only gateway-zone zone myzone gateway-role eth-internet
port-access role eth-internet gateway-zone zone myzone gateway-role eth-internet vlan access 20
port-access role internet-only gateway-zone zone myzone gateway-role eth-internet vlan access 20

Explanation
The UBT solution requires that the edge ports on the switches are configured in VLAN trunk mode, not access mode. This is because the UBT solution uses a special VLAN (VLAN 4095 by default) to encapsulate the user traffic and tunnel it to the gateway. The edge ports need to allow this VLAN as well as any other VLANs that are used for management or control traffic. Therefore, the edge ports should be configured as VLAN trunk ports and allow the necessary VLANs [1].

QUESTION 51
Refer to the scenario.
A customer requires these rights for clients in the “medical-mobile” AOS firewall role on Aruba Mobility Controllers (MCs):
* Permitted to receive IP addresses with DHCP
* Permitted access to DNS services from 10.8.9.7 and no other server
* Permitted access to all subnets in the 10.1.0.0/16 range except denied access to 10.1.12.0/22
* Denied access to other 10.0.0.0/8 subnets
* Permitted access to the Internet
* Denied access to the WLAN for a period of time if they send any SSH traffic
* Denied access to the WLAN for a period of time if they send any Telnet traffic
* Denied access to all high-risk websites
* External devices should not be permitted to initiate sessions with “medical-mobile” clients, only send return traffic.

The exhibits below show the configuration for the role.

What setting not shown in the exhibit must you check to ensure that the requirements of the scenario are met?

That denylisting is enabled globally on the MCs’ firewalls
That stateful handling of traffic is enabled globally on the MCs’ firewalls and on the medical-mobile role.
That AppRF and WebCC are enabled globally and on the medical-mobile role
That the MCs are assigned RF Protect licenses

Explanation
AppRF and WebCC are features that allow the MCs to classify and control application traffic and web content based on predefined or custom categories [1][2].
These features are required to meet the scenario requirements of denying access to all high-risk websites and denying access to the WLAN for a period of time if clients send any SSH or Telnet traffic.

To enable AppRF and WebCC, you need to check the following settings:
* On the global level, you need to enable AppRF and WebCC under Configuration > Services > AppRF and Configuration > Services.
* On the role level, you need to enable AppRF and WebCC under Configuration > Security > Access Control > Roles > medical-mobile > AppRF and Configuration > Security > Access Control > Roles > medical-mobile > WebCC, respectively [1][2].

You also need to make sure that the MCs have valid licenses for AppRF and WebCC, which are included in the ArubaOS PEFNG license [3].

QUESTION 52
A company has an Aruba ClearPass server at 10.47.47.8, FQDN radius.acnsxtest.local. This exhibit shows ClearPass Policy Manager’s (CPPM’s) settings for an Aruba Mobility Controller (MC).

The MC is already configured with RADIUS authentication settings for CPPM, and RADIUS requests between the MC and CPPM are working. A network admin enters and commits this command to enable dynamic authorization on the MC:

aaa rfc-3576-server 10.47.47.8

But when CPPM sends CoA requests to the MC, they are not working. This exhibit shows the RFC 3576 server statistics on the MC:

How could you fix this issue?

Change the UDP port in the MCs’ RFC 3576 server config to 3799.
Enable RadSec on the MCs’ RFC 3576 server config.
Configure the MC to obtain the time from a valid NTP server.
Make sure that CPPM is using an ArubaOS Wireless RADIUS CoA enforcement profile.

Explanation
Dynamic authorization is a feature that allows CPPM to send change of authorization (CoA) or disconnect messages to the MC to modify or terminate a user session based on certain conditions or events [1]. Dynamic authorization uses the RFC 3576 protocol, which is an extension of the RADIUS protocol [2].

To enable dynamic authorization on the MC, you need to configure the IP address and UDP port of the CPPM server as the RFC 3576 server on the MC [3]. The default UDP port for RFC 3576 is 3799, but it can be changed on the CPPM server. The MC and CPPM must use the same UDP port for dynamic authorization to work properly [3].

In this scenario, the MC is configured with the IP address of the CPPM server (10.47.47.8) as the RFC 3576 server, but it is using the default UDP port of 3799. However, according to the exhibit, the CPPM server is using a different UDP port of 1700 for dynamic authorization. This mismatch causes the CoA requests from CPPM to fail on the MC, as shown by the statistics.

To fix this issue, you need to change the UDP port in the MCs’ RFC 3576 server config to match the UDP port used by CPPM, which is 1700 in this case. Alternatively, you can change the UDP port in CPPM to match the default UDP port of 3799 on the MC. Either way, you need to ensure that both devices use the same UDP port for dynamic authorization [3].

QUESTION 53
Refer to the scenario.
A hospital has an AOS10 architecture that is managed by Aruba Central. The customer has deployed a pair of Aruba 9000 Series gateways with Security licenses at each clinic. The gateways implement IDS/IPS in IDS mode.

The Security Dashboard shows several recent events with the same signature, as shown below:

Which step could give you valuable context about the incident?

View firewall sessions on the APs and record the threat sources’ type and OS.
View the user-table on APs and record the threat sources’ 802.11 settings.
View the RAPIDS Security Dashboard and see if the threat sources are listed as rogues.
Find the Central client profile for the threat sources and note their category and family.
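The “medical-mobile” scenario in Questions 48 and 51 turns on two things: rules are evaluated top-down and the first match wins, and only client-initiated traffic is written as rules while return traffic relies on stateful session handling. The following Python model is an added example for this page, not exam or Aruba code. Its rule list is constructed from the scenario’s bullet list (the exhibit the questions refer to is not reproduced here), and the helper names evaluate, shadowed_rules and swapped are this example’s own. It shows why the 10.1.12.0/22 deny must sit above the 10.1.0.0/16 permit, and flags any rule that an earlier rule makes unreachable, which is what a mis-ordered carve-out looks like.

```python
"""First-match evaluation of an AOS firewall-style policy.

Added example for this page: the rule list is constructed from the
"medical-mobile" requirements in the scenario, not copied from the exhibit,
and the helper names are this example's own.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str            # "any", "udp" or "tcp"
    port: Optional[int]   # destination port; None matches any port
    action: str           # "permit" or "deny"
    note: str = ""


def rule(src: str, dst: str, proto: str, port: Optional[int],
         action: str, note: str = "") -> Rule:
    return Rule(ipaddress.ip_network(src), ipaddress.ip_network(dst),
                proto, port, action, note)


# Client-initiated direction only. Return traffic for permitted sessions is
# admitted by the stateful session table, which this model does not include.
MEDICAL_MOBILE: List[Rule] = [
    rule("0.0.0.0/0", "0.0.0.0/0", "udp", 67, "permit", "svc-dhcp"),
    rule("0.0.0.0/0", "10.8.9.7/32", "udp", 53, "permit", "DNS to the approved server"),
    rule("0.0.0.0/0", "0.0.0.0/0", "udp", 53, "deny", "DNS to any other server"),
    rule("0.0.0.0/0", "10.1.12.0/22", "any", None, "deny", "carve-out; must precede the /16 permit"),
    rule("0.0.0.0/0", "10.1.0.0/16", "any", None, "permit", "rest of 10.1.0.0/16"),
    rule("0.0.0.0/0", "10.0.0.0/8", "any", None, "deny", "other 10.0.0.0/8 subnets"),
    rule("0.0.0.0/0", "0.0.0.0/0", "any", None, "permit", "Internet"),
]


def evaluate(policy: List[Rule], src: str, dst: str, proto: str = "any",
             port: Optional[int] = None) -> Tuple[str, int]:
    """Return (action, 1-based rule index) of the first matching rule.
    A policy with no matching rule ends in an implicit deny (index 0)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(policy, start=1):
        if s not in r.src or d not in r.dst:
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.port is not None and r.port != port:
            continue
        return r.action, i
    return "deny", 0


def shadowed_rules(policy: List[Rule]) -> List[Tuple[int, int]]:
    """(rule, earlier_rule) pairs where the earlier rule matches everything the
    later one would, so the later rule can never fire. A carve-out deny placed
    below its broad permit is the classic case."""
    found = []
    for i, r in enumerate(policy, start=1):
        for j, e in enumerate(policy[:i - 1], start=1):
            if (r.src.subnet_of(e.src) and r.dst.subnet_of(e.dst)
                    and e.proto in ("any", r.proto)
                    and (e.port is None or e.port == r.port)):
                found.append((i, j))
                break
    return found


def swapped(policy: List[Rule], a: int, b: int) -> List[Rule]:
    """Copy of policy with 1-based rules a and b exchanged (to show mis-ordering)."""
    p = list(policy)
    p[a - 1], p[b - 1] = p[b - 1], p[a - 1]
    return p


if __name__ == "__main__":
    client = "10.1.20.5"   # constructed client address
    for dst, proto, port in [("10.1.13.9", "tcp", 443), ("10.1.5.7", "tcp", 443),
                             ("8.8.8.8", "udp", 53), ("10.8.9.7", "udp", 53),
                             ("10.2.3.4", "tcp", 22), ("203.0.113.5", "tcp", 443)]:
        print(dst, proto, port, "->", evaluate(MEDICAL_MOBILE, client, dst, proto, port))
    print("shadowed in correct order:", shadowed_rules(MEDICAL_MOBILE))
    print("shadowed after swapping rules 4 and 5:",
          shadowed_rules(swapped(MEDICAL_MOBILE, 4, 5)))
```

Running the block shows 10.1.13.9 denied by rule 4 and 10.1.5.7 permitted by rule 5; after swapping those two rules the /22 deny is reported as shadowed by the /16 permit and the same packet is permitted, which is the kind of defect the exam exhibit asks you to spot. The model is deliberately stateless: the “return traffic only” requirement is a property of the session table, not of any rule line.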
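Question 52’s explanation describes dynamic authorization as an RFC 3576 extension of RADIUS and attributes the failure to a UDP port mismatch. The following Python block is an added example written for this page, not Aruba or ClearPass code: it builds a CoA-Request as specified in RFC 5176 (which replaced RFC 3576 and keeps the same packet codes), validates it the way an RFC 3576 server does by recomputing the Request Authenticator over the packet and the shared secret, and answers with CoA-ACK or CoA-NAK. The shared secret, user name and session table are constructed values; deliver() stands in for UDP delivery to make the page’s point concrete: a request sent to a port nobody listens on is simply lost, so the sender sees no reply rather than an error.

```python
"""RFC 5176 (formerly RFC 3576) CoA-Request build, validation and reply.

Added example for this page, not Aruba or ClearPass code. The shared
secret, user name and session table are constructed values.
"""
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_USER_NAME, ATTR_CALLING_STATION_ID, ATTR_ERROR_CAUSE = 1, 31, 101
ERR_SESSION_NOT_FOUND = 503
DEFAULT_COA_PORT = 3799   # RFC 5176 default; CPPM may be configured with another

Attrs = List[Tuple[int, bytes]]


def encode_attrs(attrs: Attrs) -> bytes:
    """Each AVP is Type(1) Length(1) Value; Length counts the two header octets."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def build_coa_request(identifier: int, attrs: Attrs, secret: bytes) -> bytes:
    """Request Authenticator = MD5(Code | ID | Length | 16 zero octets | Attrs | Secret)."""
    payload = encode_attrs(attrs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(payload))
    auth = hashlib.md5(header + bytes(16) + payload + secret).digest()
    return header + auth + payload


def verify_coa_request(packet: bytes, secret: bytes) -> Tuple[bool, Attrs]:
    """Recompute the Request Authenticator; a wrong secret or altered AVP fails."""
    if len(packet) < 20:
        return False, []
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False, []
    payload = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + payload + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        return False, []
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            return False, []
        t, l = payload[i], payload[i + 1]
        if l < 2 or i + l > len(payload):
            return False, []
        attrs.append((t, payload[i + 2:i + l]))
        i += l
    return True, attrs


def build_response(code: int, request: bytes, attrs: Attrs, secret: bytes) -> bytes:
    """CoA-ACK/NAK: Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attrs | Secret)."""
    payload = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(payload))
    auth = hashlib.md5(header + request[4:20] + payload + secret).digest()
    return header + auth + payload


def rfc3576_server(packet: bytes, secret: bytes, sessions: Dict[str, str]) -> Optional[bytes]:
    """What an RFC 3576 server does with one datagram: silently discard on a bad
    authenticator, NAK an unknown session (Error-Cause 503), otherwise ACK."""
    ok, attrs = verify_coa_request(packet, secret)
    if not ok:
        return None
    user = dict(attrs).get(ATTR_USER_NAME, b"").decode(errors="replace")
    if user not in sessions:
        cause = struct.pack("!I", ERR_SESSION_NOT_FOUND)
        return build_response(COA_NAK, packet, [(ATTR_ERROR_CAUSE, cause)], secret)
    return build_response(COA_ACK, packet, [], secret)


def deliver(dst_port: int, listeners: Dict[int, str]) -> Optional[str]:
    """UDP gives the sender no error for a port nobody listens on: the datagram
    is simply lost, so CoA sent to the wrong port yields no reply at all."""
    return listeners.get(dst_port)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req = build_coa_request(7, [(ATTR_USER_NAME, b"alice"),
                                (ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55")], secret)
    print("ACK code:", rfc3576_server(req, secret, {"alice": "10.1.20.5"})[0])
    print("NAK code:", rfc3576_server(req, secret, {"bob": "10.1.20.6"})[0])
    print("bad secret ->", rfc3576_server(req, b"other", {"alice": "10.1.20.5"}))
    print("sent to 1700 while the MC listens on 3799 ->",
          deliver(1700, {DEFAULT_COA_PORT: "mc"}))
```

Two failure modes are worth telling apart when reading the MC’s RFC 3576 statistics: a request that arrives on the listening port but fails the authenticator is counted and discarded by the server, while a request sent to a different port never reaches the server at all, so matching the UDP port on both sides is the first thing to confirm before looking at secrets or enforcement profiles.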
Post date: 2023-11-05 16:41:47