When a third party Mobile Device Management server is integrated with ClearPass, where is the endpoint information from the MDM server stored in ClearPass?
A. Endpoints repository
B. Onboard Device repository
C. MDM repository
D. Guest User repository
E. Local User repository
Correct Answer: A
A service running in CPPM periodically polls MDM servers using their exposed APIs. Device attributes obtained from MDM are added as endpoint tags. Profiler-related attributes are sent to the profiler, which uses these attributes to derive the final profile.
References: ClearPass Profiling TechNote (2014), page 23 https://community.arubanetworks.com/aruba/attachments/aruba/ForoenEspanol/653/1/ClearPass%20Profiling%20TechNote.pdf
Question 83:
Which database in the Policy Manager contains the device attributes derived by profiling?
A. Endpoints Repository
B. Client Repository
C. Local Users Repository
D. Onboard Devices Repository
E. Guest User Repository
Correct Answer: A
Configure [Endpoints Repository] as Authorization Source. Endpoint profile attributes derived by Profile are available through the '[Endpoints Repository]' authorization source. These attributes can be used in role-mapping or enforcement policies to control network access. Available attributes are:
* Authorization:[Endpoints Repository]:MAC Vendor
* Authorization:[Endpoints Repository]:Category
* Authorization:[Endpoints Repository]:OS Family
* Authorization:[Endpoints Repository]:Name
References: ClearPass Profiling TechNote (2014), page 29 https://community.arubanetworks.com/aruba/attachments/aruba/ForoenEspanol/653/1/ClearPass%20Profiling%20TechNote.pdf
Question 84:
An SNMP probe is sent from ClearPass to a network access device, but ClearPass is unable to obtain profiling information. What are likely causes? (Select three.)
A. Only SNMP read has been configured but SNMP write is needed for profiling information.
B. An external firewall is blocking SNMP traffic.
C. SNMP is not enabled on the NAD.
D. SNMP community string in the ClearPass and NAD configuration is mismatched.
E. SNMP probing is not supported between ClearPass and NADs.
Correct Answer: BCD
Verify firewall port 162 (default) is open between AMP and the controller.
SNMP must be enabled on the NAD.
The community string that ClearPass is using to access the NAD might be wrong.
A user who is tagged with the ClearPass roles of Role_Engineer and developer, but not testqa, connects to the network with a corporate Windows laptop. Which Enforcement Profile is applied?
A. WIRELESS_GUEST_NETWORK
B. WIRELESS_CAPTIVE_NETWORK
C. WIRELESS_HANDHELD_NETWORK
D. Deny Access
E. WIRELESS_EMPLOYEE_NETWORK
Correct Answer: E
MATCHES_ANY: For list data types, true if any of the run-time values in the list match one of the configured values.
Based on the Endpoint information shown, which collectors were used to profile the device as Apple iPad? (Select two.)
A. HTTP User-Agent
B. SNMP
C. DHCP fingerprinting
D. SmartDevice
E. Onguard Agent
Correct Answer: AC
HTTP User-Agent
In some cases, DHCP fingerprints alone cannot fully classify a device. A common example is the Apple family of smart devices; DHCP fingerprints cannot distinguish between an Apple iPad and an iPhone. In these scenarios, User-Agent strings sent by browsers in the HTTP protocol are useful to further refine classification results.
User-Agent strings are collected from:
* ClearPass Guest
* ClearPass Onboard
* Aruba controller through IF-MAP interface
Note: Collectors are network elements that provide data to profile endpoints. The following collectors send endpoint attributes to Profile:
* DHCP
  * DHCP snooping
  * Span ports
* ClearPass Onboard
* HTTP User-Agent
* MAC OUI - Acquired via various auth mechanisms such as 802.1X, MAC auth, etc.
A ClearPass administrator wants to make Enforcement decisions during 802.1x authentication based on a client's Onguard posture token. Which Enforcement profile should be used on the health check service?
A. RADIUS CoA
B. Quarantine VLAN
C. Full Access VLAN
D. RADIUS Accept
E. RADIUS Reject
Correct Answer: A
The Health Check Service requires a profile to terminate the session so that the RADIUS 802.1X authentication Service can use the posture token in a new authentication routine. The terminate session profile will utilize the Change of Authorization feature to force a re-authentication.
See step 6) below.
1. Navigate to the list of Enforcement Profiles by selecting Configuration > Enforcement > Profiles.
2. Click the + Add link in the upper right hand corner.
3. From the Template dropdown menu, choose RADIUS Change of Authorization (CoA).
4. Name the policy. This example uses Dell Terminate Session as the profile name.
5. Leave all the other settings as default, and click Next > to move to the Attributes tab.
6. On the dropdown menu for Select RADIUS CoA Template, choose IETF-Terminate-Session-IETF.
7. Click Next > and review the Summary tab (Figure 22).
8. Click Save.
References: ClearPass NAC and Posture Assessment for Campus Networks Configuring ClearPass OnGuard, Switching, and Wireless (v1.0) (September 2015), page 22
Based on the Enforcement Profile configuration shown, which statement accurately describes what is sent?
A. A limited access VLAN value is sent to the Network Access Device.
B. An unhealthy role value is sent to the Network Access Device.
C. A message is sent to the Onguard Agent on the client device.
D. A RADIUS CoA message is sent to bounce the client.
E. A RADIUS access-accept message is sent to the Controller
Correct Answer: C
The OnGuard Agent enforcement policy retrieves the posture token. If the token is HEALTHY it returns a healthy message to the agent and bounces the session. If the token is UNHEALTHY it returns an unhealthy message to the agent and bounces the session.
Why can the Onguard posture check not be performed during 802.1x authentication?
A. Health Checks cannot be used with 802.1x.
B. Onguard uses RADIUS, so an additional service must be created.
C. Onguard uses HTTPS, so an additional service must be created.
D. Onguard uses TACACS, so an additional service must be created.
E. 802.1x is already secure, so Onguard is not needed.
Correct Answer: C
OnGuard uses HTTPS to send posture information to the ClearPass appliance. For OnGuard to use HTTPS, it must have access to the network. If a customer requires 802.1x authentication on the wired switch, a separate 802.1x authentication must be used prior to the OnGuard posture check. In this example, an 802.1x PEAP-EAP-MSCHAPv2 authentication is completed first. A separate WebAuth service must be set up with posture checks to use the OnGuard agent.
References: MAC Authentication and OnGuard Posture Enforcement using Dell WSeries ClearPass and Dell Networking Switches (August 2013), page 21
Question 90:
Refer to the exhibit.
Based on the Access Tracker output for the user shown, which statement describes the status?
A. The Aruba Terminate Session enforcement profile was applied because the posture check failed.
B. A Healthy Posture Token was sent to the Policy Manager.
C. A RADIUS-Access-Accept message is sent back to the Network Access Device.
D. The authentication method used is EAP-PEAP.
E. A NAP agent was used to obtain the posture token for the user.
Correct Answer: B
We see System Posture Status: HEALTHY(0)
End systems that pass all SHV tests receive a Healthy Posture Token; if they fail a single test, they receive a Quarantine Posture Token.