A client is connected to an AOS-CX switch, which tunnels the client's traffic to an AOS-10 gateway. The gateway assigns the client to a role with these rules:
    any any svc-dhcp permit
    user alias hostl svc-dns permit
    user alias net1 svc-https permit
    user alias net2 tcp 8086 permit
    user alias net3 any deny
    user alias net4 svc-https permit
The gateway has these aliases defined:
You are designing an AOS-10 architecture and ClearPass solution for a manufacturing company. The company has legacy equipment that is only WPA2-capable. You need to enhance security for these devices.
This equipment will connect to an SSID named "Factory." If the equipment passes authentication and receives custom Device Category "Manufacturing," it should receive this AOS user role: "equipment." That role and a "profiling" role for unprofiled devices are already configured on the AOS devices.
The users responsible for configuring PSKs on the equipment belong to the "FactoryAdmins" group in the company's Active Directory domain. CPPM has an authentication source for that domain named MyAD. As part of the solution, you have created these services on CPPM:
You are helping a company add HPE Aruba Networking ClearPass to their network, which uses HPE Aruba Networking network infrastructure devices.
The company currently has a Windows domain and Windows CA. The Windows CA issues certificates to domain computers, domain users, and servers such as domain controllers. An example of a certificate issued by the Windows CA is shown here.


A customer's ClearPass cluster has these IP addresses:
• Publisher = 10.47.47.5
• Subscriber 1 = 10.47.47.6
• Subscriber 2 = 10.47.47.7
• Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8
The customer's DNS server has these entries
• cp.acnsxtest.com = 10.47.47.5
• cps1.acnsxtest.com = 10.47.47.6
• cps2.acnsxtest.com = 10.47.47.7
• radius.acnsxtest.com = 10.47.47.8
• onboard.acnsxtest.com = 10.47.47.8
Refer to the scenario.
You have imported the root certificate for the Windows CA to the ClearPass CA Trust list. Which usages should you add to it based on the scenario requirements?
Refer to the scenario.
Assume that you have set up CPPM to assign HPE Aruba Networking ClearPass roles and AOS user roles as indicated in the scenario. However, a penetration tester was able to access the network with medical staff privileges on a client with a valid computer certificate but a revoked medical user certificate. In this circumstance, the customer wants the client to receive computer-only access.
What can you do to correct this issue while still meeting the other customer requirements?
Refer to the scenario.
You have started to create a CA to meet the customer's requirements for issuing certificates to mobile clients, as shown in the exhibit below.


What change will help to meet those requirements and the requirements for authenticating clients?
Refer to the scenario.
The customer has now decided that it needs CPPM to assign certain mobile-onboarded devices to a "nurse-call" AOS user role. These are mobile-onboarded devices that are communicating with IP address 10.1.18.12 using port 4343.
What are the prerequisites for fulfilling this requirement?
The customer needs a secure way for users to enroll their new wireless clients in Intune. You are recommending a new WLAN that will provide the users with limited access for the enrollment. You have set up captive portal for clients on this WLAN to a web page with instructions for enrolling devices. You will need to add several hostnames to the captive portal allowlist manually.
What is one of those hostnames?
Refer to the scenario.
You have created a role mapping policy as shown in the exhibits below.

What is one change that you need to make to this policy?
Refer to the scenario.
A customer has AOS-CX switches with this configuration on their edge ports:
    port-access onboarding-method concurrent enable
    aaa authentication port-access mac-auth
        enable
        quiet-period 60
    aaa authentication port-access dot1x authenticator
        enable
The switch authenticates clients to HPE Aruba Networking ClearPass Policy Manager (CPPM) which has these services:
You are helping a company add HPE Aruba Networking ClearPass to their network, which uses HPE Aruba Networking network infrastructure devices.
The company currently has a Windows domain and Windows CA. The Windows CA issues certificates to domain computers, domain users, and servers such as domain controllers. An example of a certificate issued by the Windows CA is shown here.


A customer's ClearPass cluster has these IP addresses:
• Publisher = 10.47.47.5
• Subscriber 1 = 10.47.47.6
• Subscriber 2 = 10.47.47.7
• Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8
The customer's DNS server has these entries
• cp.acnsxtest.com = 10.47.47.5
• cps1.acnsxtest.com = 10.47.47.6
• cps2.acnsxtest.com = 10.47.47.7
• radius.acnsxtest.com = 10.47.47.8
• onboard.acnsxtest.com = 10.47.47.8
Refer to the scenario.
On CPPM, you are creating the authentication source. You have configured the settings shown in the tab and have not altered any other settings.

What else do you need to do to help authentication proceed correctly?
Refer to the scenario.
You need to configure HPE Aruba Networking ClearPass Onboard to issue client certificates for Azure AD joined devices.
Which step is required to achieve this objective?
A hospital has an AOS-10 architecture that is managed by HPE Aruba Networking Central. The customer has deployed a pair of HPE Aruba Networking 9000 Series gateways with Security licenses at each clinic. The gateways implement IDS/IPS in IDS mode.
The Security Dashboard shows several recent events with the same signature, as shown below:

Refer to the scenario.
You have learned that the source of the events is nurse call stations.
What can you conclude?
When would you implement BPDU protection on an AOS-CX switch port versus BPDU filtering?
A hospital has an AOS-10 architecture that is managed by HPE Aruba Networking Central. The customer has deployed a pair of HPE Aruba Networking 9000 Series gateways with Security licenses at each clinic. The gateways implement IDS/IPS in IDS mode.
The Security Dashboard shows several recent events with the same signature, as shown below:

Refer to the scenario.
Which step could give you valuable context about the incident?
Refer to the scenario.
You would like a record of the specific traffic that triggered the threat event.
What should you do?
Your company has an HPE Aruba Networking infrastructure, including a variety of HPE Aruba Networking APs and gateways. The company has recently added HPE Aruba Networking SSE. The company needs to improve security for branch users behind an HPE Aruba Networking SD-WAN gateway.
You need to control users' actions on various SaaS applications. What is part of the setup?
You are helping a company add HPE Aruba Networking ClearPass to their network, which uses HPE Aruba Networking network infrastructure devices.
The company currently has a Windows domain and Windows CA. The Windows CA issues certificates to domain computers, domain users, and servers such as domain controllers. An example of a certificate issued by the Windows CA is shown here.


A customer's ClearPass cluster has these IP addresses:
• Publisher = 10.47.47.5
• Subscriber 1 = 10.47.47.6
• Subscriber 2 = 10.47.47.7
• Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8
The customer's DNS server has these entries
• cp.acnsxtest.com = 10.47.47.5
• cps1.acnsxtest.com = 10.47.47.6
• cps2.acnsxtest.com = 10.47.47.7
• radius.acnsxtest.com = 10.47.47.8
• onboard.acnsxtest.com = 10.47.47.8
Refer to the scenario.
The Onboard CA is using the settings shown in the exhibits below.


Microsoft Entra ID (Azure AD) admins need help setting up the app registration for integrating with ClearPass Onboard.
Which URL should you tell them to use?
What benefit does an organization gain from upgrading wireless security from WPA2-Personal to WPA3-Personal?
A customer’s admins have added RF Protect licenses and enabled WIDS for the customer's AOS-8-based solution. The customer wants to use the built-in capabilities of APs without deploying dedicated air monitors (AMs). Admins tested rogue AP detection by connecting an unauthorized wireless AP to a switch. The rogue AP was not detected even after several hours.
What is one point about which you should ask?
A customer requires these rights for clients in the "medical-mobile" AOS firewall role on HPE Aruba Networking Mobility Controllers (MCs):
• Permitted to receive IP addresses with DHCP
• Permitted access to DNS services from 10.8.9.7 and no other server
• Permitted access to all subnets in the 10.1.0.0/16 range except denied access to 10.1.12.0/22
• Denied access to other 10.0.0.0/8 subnets
• Permitted access to the Internet
• Denied access to the WLAN for a period of time if they send any SSH traffic
• Denied access to the WLAN for a period of time if they send any Telnet traffic
• Denied access to all high-risk websites
External devices should not be permitted to initiate sessions with "medical-mobile" clients, only send return traffic.
Refer to the scenario.
The exhibits below show the configuration for the role.


What setting not shown in the exhibit must you check to ensure that the requirements of the scenario are met?
Refer to the exhibit.

A customer requires protection against ARP poisoning in VLAN 4. Below are listed all settings for VLAN 4 and the VLAN 4 associated physical interfaces on the AOS-CX access layer switch:
    interface 1/1/2-1/1/24
        no shutdown
        no routing
        vlan access 4
        exit
    interface lag 1
        no shutdown
        no routing
        vlan trunk native 1
        vlan trunk allowed 2-4
        arp inspection trust
        exit
    vlan 4
        arp inspection
        exit
What is one issue with this configuration?
A customer has an AOS-10 architecture that is managed by HPE Aruba Networking Central. HPE Aruba Networking infrastructure devices authenticate clients to an HPE Aruba Networking ClearPass cluster.
In HPE Aruba Networking Central, you are examining network traffic flows on a wireless IoT device that is categorized as a "Raspberry Pi" client. You see SSH traffic. You then check several more wireless IoT clients and see that they are also sending SSH traffic.
Refer to the scenario.
What possible issue is indicated?
Refer to the exhibit.

Which IP address should you record as a possibly compromised client?
A customer is migrating from on-prem AD to Microsoft Entra ID (Azure AD) as its sole domain solution. The customer also manages both wired and wireless devices with Microsoft Endpoint Manager (Intune).
The customer wants to improve security for the network edge. You are helping the customer design an HPE Aruba Networking ClearPass deployment for this purpose. HPE Aruba Networking devices will authenticate wireless and wired clients to a ClearPass Policy Manager (CPPM) cluster (which uses version 6.10).
The customer has several requirements for authentication. The clients should only pass EAP-TLS authentication if a query to Microsoft Entra ID (Azure AD) shows that they have accounts in Microsoft Entra ID (Azure AD). To further refine the clients' privileges, ClearPass also should use information collected by Intune to make access control decisions.
Refer to the scenario.
The Intune extension is configured as shown in this exhibit.

The customer wants to reduce the overhead of polling information from Intune to CPPM. However, they require fresh information about clients at least every hour.
What should you recommend?
A customer has an AOS-10 architecture that is managed by HPE Aruba Networking Central. HPE Aruba Networking infrastructure devices authenticate clients to an HPE Aruba Networking ClearPass cluster.
In HPE Aruba Networking Central, you are examining network traffic flows on a wireless IoT device that is categorized as a "Raspberry Pi" client. You see SSH traffic. You then check several more wireless IoT clients and see that they are also sending SSH traffic.
Refer to the scenario.
You are helping the customer assess ways to mitigate the potential threat you have detected. The customer recommends simply adding a rule that denies SSH traffic to the IoT client’s AOS user role.
What is the security drawback of this option?