Question 1:
A customer is using an AOS 10 architecture with Aruba APs and Aruba gateways (two per site). Admins have implemented auto-site clustering for gateways with the default gateway mode disabled. WLANs use tunneled mode to the gateways.
The WLAN security is WPA3-Enterprise with authentication to an Aruba ClearPass Policy Manager (CPPM) cluster VIP. RADIUS communications use RADIUS, not RadSec.
For which devices does CPPM require network device entries?
A. For gateways' actual IP addresses and dynamic authorization VRRP addresses
B. For gateways' actual IP addresses and AP clusters' virtual IP addresses for dynamic authorization
C. For APs' actual IP addresses
D. For AP clusters' virtual IP addresses
Correct Answer: A
ClearPass Policy Manager (CPPM) requires network device entries for the devices that communicate with it using RADIUS or TACACS+ protocols. In this scenario, the gateways are the devices that act as RADIUS clients and send authentication requests to CPPM for the WLAN users. Therefore, CPPM needs to have network device entries for the gateways' actual IP addresses and the shared secrets that match the ones configured on the gateways.
Additionally, CPPM also requires network device entries for the gateways' dynamic authorization VRRP addresses, which are used for sending CoA messages to the gateways. CoA messages are used to change the attributes or status of a user session on the gateways without requiring re-authentication. For example, CPPM can use CoA to apply policies, roles, or bandwidth limits based on various conditions. To enable VRRP IP addresses for dynamic authorization, you need to set up gateway clusters manually and assign a VRRP VLAN and a VRRP IP address to each cluster. This way, CPPM can use the VRRP IP address as the NAS IP address for RADIUS communications and CoA messages. The VRRP IP address will remain the same even if the active gateway in the cluster changes due to a failover event, ensuring seamless operations.
Question 2:
Refer to the scenario.
A customer has asked you to review their AOS-CX switches for potential vulnerabilities. The configuration for these switches is shown below:
What is one immediate remediation that you should recommend?
A. Changing the switch's DNS server to the mgmt VRF
B. Setting the clock manually instead of using NTP
C. Either disabling DHCPv4-snooping or leaving it enabled, but also enabling ARP inspection
D. Disabling Telnet
Correct Answer: D
According to the AOS-CX Switches Multiple Vulnerabilities advisory, one of the vulnerabilities (CVE-2021-41001) affects the Telnet service on AOS-CX switches. This vulnerability allows an unauthenticated remote attacker to cause a denial-of-service condition on the switch by sending specially crafted Telnet packets. The impact of this vulnerability is high, as it could result in a loss of management access and network disruption. Therefore, one immediate remediation that you should recommend is to disable Telnet on the switch. This way, the switch prevents any malicious Telnet traffic from reaching the service and avoids exploitation of this vulnerability.
Question 3:
You are reviewing an endpoint entry in ClearPass Policy Manager (CPPM) Endpoints Repository.
What is a good sign that someone has been trying to gain unauthorized access to the network?
A. The entry shows multiple DHCP options under the fingerprints.
B. The entry shows an Unknown status.
C. The entry shows a profile conflict of having a new profile of Computer for a profiled Printer.
D. The entry lacks a hostname or includes a hostname with long seemingly random characters.
Correct Answer: C
A profile conflict occurs when ClearPass Policy Manager (CPPM) detects a change in the device category or OS family of an endpoint that has been previously profiled. This could indicate that someone has spoofed the MAC address of a legitimate device and is trying to gain unauthorized access to the network. For example, if an endpoint that was previously profiled as a Printer suddenly shows a new profile of Computer, this could be a sign of an attack. You can find more information about profile conflicts and how to resolve them in the ClearPass Policy Manager User Guide. The other options are not necessarily signs of unauthorized access, as they could have other explanations. For example, multiple DHCP options under the fingerprints could indicate that the device has connected to different networks or subnets, an Unknown status could indicate that the device has not been authenticated yet, and a missing hostname or a random-looking hostname could indicate that the device has not been configured properly or has been reset to factory settings.
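As an added example (not from the page, and not ClearPass code), the following Python check walks endpoint records of the shape an Endpoints Repository export contains and flags the profile-conflict pattern the explanation describes. The MAC addresses, hostnames, histories and the list of "static" device categories are all constructed for this example.

```python
"""Flag profile conflicts in endpoint records (added example, constructed data)."""
from dataclasses import dataclass

# Constructed sample records in the shape of an Endpoints Repository export.
# MAC addresses, hostnames and profile histories are made up for this example.
SAMPLE_ENDPOINTS = [
    {"mac": "00-11-22-33-44-55", "status": "Known", "hostname": "lobby-printer-1",
     "profile_history": ["Printer", "Printer", "Printer"]},
    {"mac": "00-11-22-33-44-66", "status": "Known", "hostname": "lobby-printer-2",
     "profile_history": ["Printer", "Computer"]},          # the conflict from the question
    {"mac": "00-11-22-33-44-77", "status": "Unknown", "hostname": "",
     "profile_history": ["Computer"]},                     # not yet authenticated
    {"mac": "00-11-22-33-44-88", "status": "Known", "hostname": "x9q2kfz8v1m3",
     "profile_history": ["Smartphone", "Smartphone"]},     # odd hostname, no conflict
]

# Categories that almost never change legitimately; a jump from one of these to a
# general-purpose category is the pattern worth investigating (assumed list).
STATIC_CATEGORIES = {"Printer", "VoIP Phone", "Camera", "Access Point", "Medical Device"}


@dataclass
class Finding:
    mac: str
    previous: str
    current: str
    severity: str   # "high" when a normally static category changed


def profile_conflicts(endpoints):
    """Return one Finding per category change in an endpoint's profile history."""
    findings = []
    for ep in endpoints:
        history = ep["profile_history"]
        for previous, current in zip(history, history[1:]):
            if previous == current:
                continue
            severity = "high" if previous in STATIC_CATEGORIES else "low"
            findings.append(Finding(ep["mac"], previous, current, severity))
    return findings


def triage(endpoints):
    """Map each MAC to the highest-severity profile conflict, deliberately
    ignoring the weaker signals (Unknown status, empty or random hostname)
    that the explanation notes usually have benign causes."""
    worst = {}
    for f in profile_conflicts(endpoints):
        if f.severity == "high" or f.mac not in worst:
            worst[f.mac] = f.severity
    return worst


if __name__ == "__main__":
    for f in profile_conflicts(SAMPLE_ENDPOINTS):
        print(f"{f.mac}: {f.previous} -> {f.current} ({f.severity})")
```

Run against the sample, only the printer that re-profiled as a Computer is reported; the Unknown endpoint and the one with the random hostname produce no finding, matching the reasoning in the explanation.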
Question 4:
You want to use Device Insight tags as conditions within CPPM role mapping or enforcement policy rules.
What guidelines should you follow?
A. Create an HTTP authentication source to the Central API that queries for the tags. To use that source as the type for rule conditions, add it as an authorization source for the service in question.
B. Use the Application type for the rule conditions; no extra authorization source is required for services that use policies with these rules.
C. Use the Endpoints Repository type for the rule conditions; Add Endpoints Repository as a secondary authentication source for services that use policies with these rules.
D. Use the Endpoint type for the rule conditions; no extra authorization source is required for services that use policies with these rules.
Correct Answer: D
According to the Aruba Cloud Authentication and Policy Overview, Device Insight tags are stored in the Endpoint Repository and can be used as conditions within CPPM role mapping or enforcement policy rules. The rule condition type should be Endpoint, and the attribute should be Device Insight Tags. No extra authorization source is required for services that use policies with these rules. Therefore, option D is the correct answer.
Option A is incorrect because creating an HTTP authentication source to the Central API is not necessary to use Device Insight tags as conditions. Device Insight tags are already synchronized between Central and CPPM, and can be accessed from the Endpoint Repository.
Option B is incorrect because the Application type for the rule conditions is not applicable to Device Insight tags. The Application type is used to match attributes from the Application Authentication source, which is used to integrate with third-party applications such as Microsoft Intune or Google G Suite.
Option C is incorrect because the Endpoints Repository type for the rule conditions is not valid for Device Insight tags. The Endpoints Repository type is used to match attributes from the Endpoints Repository source, which is different from the Endpoint type. The Endpoints Repository source contains information about endpoints that are manually added or imported into CPPM, while the Endpoint type contains information about endpoints that are dynamically discovered and profiled by CPPM or Device Insight. Adding Endpoints Repository as a secondary authentication source for services that use policies with these rules is also unnecessary and redundant.
Question 5:
Refer to the scenario.
A customer is migrating from on-prem AD to Azure AD as its sole domain solution. The customer also manages both wired and wireless devices with Microsoft Endpoint Manager (Intune).
The customer wants to improve security for the network edge. You are helping the customer design a ClearPass deployment for this purpose. Aruba network devices will authenticate wireless and wired clients to an Aruba ClearPass Policy Manager (CPPM) cluster (which uses version 6.10).
The customer has several requirements for authentication. The clients should only pass EAP-TLS authentication if a query to Azure AD shows that they have accounts in Azure AD. To further refine the clients' privileges, ClearPass also should use information collected by Intune to make access control decisions.
The customer wants you to configure CPPM to collect information from Intune on demand during the authentication process.
What should you tell the Intune admins about the certificates issued to clients?
A. They must be issued by a well-known, trusted CA.
B. They must include the Intune ID in the subject name.
C. They must include the client MAC address in the subject name.
D. They must be issued by a ClearPass Onboard CA.
Correct Answer: B
To configure CPPM to collect information from Intune on demand during the authentication process, you need to use the Intune extension for ClearPass. This extension allows ClearPass to query Intune for device compliance and configuration information using the Intune API. To use this extension, you need to register an app in Azure AD and grant it the required permissions to access Intune [1]. The Intune extension uses the device ID as the key to query Intune for device information. The device ID is a unique identifier that is assigned by Intune to each enrolled device. The device ID can be obtained from the client certificate that is used for EAP-TLS authentication. Therefore, the certificates issued to clients must include the Intune ID in the subject name, so that ClearPass can extract it and use it to query Intune [2]. The certificates issued to clients do not need to be issued by a well-known, trusted CA, as long as ClearPass trusts the CA that issued them. The certificates do not need to include the client MAC address in the subject name, as this is not relevant for querying Intune. The certificates do not need to be issued by a ClearPass Onboard CA, as this is not a requirement for using the Intune extension.
Reference:
[1] ClearPass Extensions - Microsoft Intune Integration - Aruba, section "Configuring Microsoft Extension in ClearPass"
Question 6:
A customer has an AOS10 architecture that is managed by Aruba Central. Aruba infrastructure devices authenticate clients to an Aruba ClearPass cluster.
In Aruba Central, you are examining network traffic flows on a wireless IoT device that is categorized as "Raspberry Pi" clients. You see SSH traffic. You then check several more wireless IoT clients and see that they are sending SSH also.
You want an easy way to communicate the information that an IoT client has used SSH to Aruba ClearPass Policy Manager (CPPM).
What step should you take?
A. On CPPM create an Endpoint Context Server that points to the Central API.
B. On CPPM enable Device Insight integration.
C. On Central configure APs and gateways to use CPPM as the RADIUS accounting server.
D. On Central set up CPPM as a Webhook application.
Correct Answer: A
An Endpoint Context Server (ECS) is a feature that allows ClearPass to receive contextual information from external sources, such as Aruba Central, and use it for policy enforcement and reporting. An ECS can be configured to point to the Aruba Central API and fetch data such as device type, category, OS, applications, and traffic flows. An ECS can therefore be used to communicate the information that an IoT client has used SSH to Aruba ClearPass Policy Manager (CPPM). The ECS can query the Aruba Central API and retrieve the network traffic flows of the wireless IoT devices that are categorized as "Raspberry Pi" clients. The ECS can then filter the traffic flows by the SSH protocol and send the relevant information to CPPM. CPPM can then use this information for policy decisions, such as allowing or denying SSH access, or triggering alerts or actions.
B. On CPPM enable Device Insight integration. This is not a valid step because Device Insight is a feature that allows ClearPass to discover, profile, and fingerprint devices on the network using deep packet inspection (DPI) and machine learning (ML). Device Insight does not communicate with Aruba Central or receive information from it. Moreover, Device Insight might not be able to detect SSH traffic on encrypted wireless IoT devices without decrypting it first.
C. On Central configure APs and gateways to use CPPM as the RADIUS accounting server. This is not a valid step because RADIUS accounting is a feature that allows network devices to send periodic updates about the status and activity of authenticated users or devices to a RADIUS server, such as CPPM. RADIUS accounting does not communicate with Aruba Central or receive information from it. Moreover, RADIUS accounting might not be able to capture SSH traffic on wireless IoT devices without inspecting it first.
D. On Central set up CPPM as a Webhook application. This is not a valid step because Webhook is a feature that allows Aruba Central to send notifications or events to external applications or services using HTTP requests. Webhook does not communicate with CPPM or send information to it. Moreover, Webhook might not be able to send SSH traffic information on wireless IoT devices without filtering it first.
Question 7:
Refer to the scenario.
A customer requires these rights for clients in the "medical-mobile" AOS firewall role on Aruba Mobility Controllers (MCs):
1. Permitted to receive IP addresses with DHCP
2. Permitted access to DNS services from 10.8.9.7 and no other server
3. Permitted access to all subnets in the 10.1.0.0/16 range except denied access to 10.1.12.0/22
4. Denied access to other 10.0.0.0/8 subnets
5. Permitted access to the Internet
6. Denied access to the WLAN for a period of time if they send any SSH traffic
7. Denied access to the WLAN for a period of time if they send any Telnet traffic
8. Denied access to all high-risk websites
External devices should not be permitted to initiate sessions with "medical-mobile" clients, only send return traffic.
The exhibits below show the configuration for the role.
There are multiple issues with this configuration. What is one change you must make to meet the scenario requirements? (In the options, rules in a policy are referenced from top to bottom. For example, "medical-mobile" rule 1 is "ipv4 any any svc-dhcp permit," and rule 8 is "ipv4 any any any permit".)
A. In the "medical-mobile" policy, move rules 2 and 3 between rules 7 and 8.
B. In the "medical-mobile" policy, change the subnet mask in rule 3 to 255.255.248.0.
C. Move the rule in the "apprf-medical-mobile-sacl" policy between rules 7 and 8 in the "medical-mobile" policy.
D. In the "medical-mobile" policy, change the source in rule 8 to "user."
Correct Answer: B
The subnet mask in rule 3 of the "medical-mobile" policy is currently 255.255.252.0, which means that the rule denies access to the 10.1.12.0/22 subnet as well as the adjacent 10.1.16.0/22 subnet. This is not consistent with the scenario requirements, which state that only the 10.1.12.0/22 subnet should be denied access, while the rest of the 10.1.0.0/16 range should be permitted access. To fix this issue, the subnet mask in rule 3 should be changed to 255.255.248.0, which means that the rule only denies access to the 10.1.8.0/21 subnet, which includes the 10.1.12.0/22 subnet. This way, the rule matches the scenario requirements more precisely.
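Because the options for this question turn on rule order and on what a destination mask really covers, here is an added Python check (not from the page, and not Aruba code) that resolves an address/mask pair to the network a device would match and then evaluates sample flows against a first-match rule list. The rule list is a constructed approximation of requirements 1 to 5 only, not the exhibit's actual policy; the flow addresses are made up.

```python
"""First-match check of an AOS-style firewall policy (added example)."""
import ipaddress


def rule_network(address, mask):
    """Network an 'address mask' pair actually matches. strict=False mirrors a
    device that masks off host bits, so 10.1.12.0 with 255.255.248.0 resolves
    to 10.1.8.0/21 rather than to a /22."""
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


# Constructed approximation of requirements 1-5: (src, dst, proto, dst_port, action).
# "user" is the client's own address, "any" is a wildcard; the first match wins.
MEDICAL_MOBILE = [
    ("any",  "any",          "udp", 67,    "permit"),  # 1: svc-dhcp
    ("user", "10.8.9.7/32",  "udp", 53,    "permit"),  # 2: DNS to the allowed server
    ("user", "any",          "udp", 53,    "deny"),    # 2: ...and to no other server
    ("user", "10.1.12.0/22", "any", "any", "deny"),    # 3: exception carved out first
    ("user", "10.1.0.0/16",  "any", "any", "permit"),  # 3: rest of the range
    ("user", "10.0.0.0/8",   "any", "any", "deny"),    # 4: other 10/8 subnets
    ("user", "any",          "any", "any", "permit"),  # 5: Internet
]


def with_rule_mask(rules, index, address, mask):
    """Copy of rules with the destination of rule `index` (1-based) rebuilt from
    an address/mask pair, to see what a different mask would really match."""
    rules = list(rules)
    src, _, proto, port, action = rules[index - 1]
    rules[index - 1] = (src, str(rule_network(address, mask)), proto, port, action)
    return rules


def first_match(rules, dst, proto, port, src="user"):
    """Return (rule number, action) of the first matching rule, or
    (None, "deny") for the implicit deny at the end of the policy."""
    dst_ip = ipaddress.ip_address(dst)
    for number, (rsrc, rdst, rproto, rport, action) in enumerate(rules, start=1):
        if rsrc not in ("any", src):
            continue
        if rdst != "any" and dst_ip not in ipaddress.ip_network(rdst):
            continue
        if rproto not in ("any", proto):
            continue
        if rport not in ("any", port):
            continue
        return number, action
    return None, "deny"


if __name__ == "__main__":
    for mask in ("255.255.252.0", "255.255.248.0"):
        print(mask, "->", rule_network("10.1.12.0", mask))
    print("10.1.9.5:443 with /22 deny ->", first_match(MEDICAL_MOBILE, "10.1.9.5", "tcp", 443))
    wider = with_rule_mask(MEDICAL_MOBILE, 4, "10.1.12.0", "255.255.248.0")
    print("10.1.9.5:443 with /21 deny ->", first_match(wider, "10.1.9.5", "tcp", 443))
```

Two things the check makes visible: the explicit DNS deny has to sit above the final Internet permit, otherwise DNS to any public resolver falls through to "permit"; and widening rule 3's mask pulls hosts such as 10.1.9.5 into the deny, so the match ranges are worth computing before changing a mask.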
Question 8:
Refer to the scenario.
A customer has an Aruba ClearPass cluster. The customer has AOS-CX switches that implement 802.1X authentication to ClearPass Policy Manager (CPPM).
Switches are using local port-access policies.
The customer wants to start tunneling wired clients that pass user authentication only to an Aruba gateway cluster. The gateway cluster should assign these clients to the "eth-internet" role. The gateway should also handle assigning clients to their VLAN, which is VLAN 20.
The plan for the enforcement policy and profiles is shown below:
The gateway cluster has two gateways with these IP addresses:
Gateway 1
1. VLAN 4085 (system IP) = 10.20.4.21
2. VLAN 20 (users) = 10.20.20.1
3. VLAN 4094 (WAN) = 198.51.100.14
Gateway 2
1. VLAN 4085 (system IP) = 10.20.4.22
2. VLAN 20 (users) = 10.20.20.2
3. VLAN 4094 (WAN) = 198.51.100.12
VRRP on VLAN 20 = 10.20.20.254
The customer requires high availability for the tunnels between the switches and the gateway cluster. If one gateway fails, the other gateway should take over its tunnels. Also, the switch should be able to discover the gateway cluster regardless of whether one of the gateways is in the cluster.
Assume that you are using the "myzone" name for the UBT zone.
Which is a valid minimal configuration for the AOS-CX port-access roles?
A. port-access role eth-internet gateway-zone zone myzone gateway-role eth-user
B. port-access role internet-only gateway-zone zone myzone gateway-role eth-internet
C. port-access role eth-internet gateway-zone zone myzone gateway-role eth-internet vlan access 20
D. port-access role internet-only gateway-zone zone myzone gateway-role eth-internet vlan access 20
Correct Answer: B
The UBT solution requires that the edge ports on the switches are configured in VLAN trunk mode, not access mode. This is because the UBT solution uses a special VLAN (VLAN 4095 by default) to encapsulate the user traffic and tunnel it to the gateway. The edge ports need to allow this VLAN as well as any other VLANs that are used for management or control traffic. Therefore, the edge ports should be configured as VLAN trunk ports and allow the necessary VLANs.
Question 9:
What is a common characteristic of a beacon between a compromised device and a command and control server?
A. Use of IPv6 addressing instead of IPv4 addressing
B. Lack of encryption
C. Use of less common protocols such as SNAP
D. Periodic transmission of small, identically sized packets
Correct Answer: D
A beacon is a type of network traffic that is sent from a compromised device to a command and control (C2) server, which is a remote system that controls the malicious activities of the device. A beacon is used to establish and maintain communication between the device and the C2 server, as well as to receive instructions or exfiltrate data. A common characteristic of a beacon is that it is periodic, meaning that it is sent at regular intervals, such as every few minutes or hours. This helps the C2 server to monitor the status and availability of the device, as well as to avoid detection by network security tools. Another common characteristic of a beacon is that it is small and identically sized, meaning that it contains a minimal or fixed amount of data, such as a simple acknowledgment or a random string. This helps the device to conserve bandwidth and resources, as well as to avoid detection by network security tools.
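The two characteristics the explanation names (regular timing, fixed size) are exactly what a detection can measure. The following Python scorer is an added example, not from the page or any vendor: it groups flow records by source/destination pair and computes the coefficient of variation of inter-flow gaps and of byte counts, flagging pairs where both are low. The flow records, addresses, thresholds and minimum sample count are all constructed assumptions.

```python
"""Score flow records for beacon-like regularity (added example, constructed data)."""
import statistics
from collections import defaultdict

# Constructed flow records: (timestamp in seconds, src, dst, bytes).
# 10.0.0.5 talks to 203.0.113.10 about once a minute with a fixed size;
# 10.0.0.7 browses 198.51.100.20 with irregular timing and sizes;
# 10.0.0.9 has too few flows to judge.
SAMPLE_FLOWS = [
    (0, "10.0.0.5", "203.0.113.10", 312), (59, "10.0.0.5", "203.0.113.10", 312),
    (121, "10.0.0.5", "203.0.113.10", 312), (180, "10.0.0.5", "203.0.113.10", 312),
    (241, "10.0.0.5", "203.0.113.10", 312), (299, "10.0.0.5", "203.0.113.10", 312),
    (360, "10.0.0.5", "203.0.113.10", 312), (421, "10.0.0.5", "203.0.113.10", 312),
    (480, "10.0.0.5", "203.0.113.10", 312), (540, "10.0.0.5", "203.0.113.10", 312),
    (5, "10.0.0.7", "198.51.100.20", 1500), (12, "10.0.0.7", "198.51.100.20", 230),
    (40, "10.0.0.7", "198.51.100.20", 9800), (41, "10.0.0.7", "198.51.100.20", 60),
    (130, "10.0.0.7", "198.51.100.20", 3400), (200, "10.0.0.7", "198.51.100.20", 120),
    (260, "10.0.0.7", "198.51.100.20", 2500), (400, "10.0.0.7", "198.51.100.20", 700),
    (10, "10.0.0.9", "203.0.113.10", 312), (70, "10.0.0.9", "203.0.113.10", 312),
    (130, "10.0.0.9", "203.0.113.10", 312),
]


def beacon_scores(flows, min_samples=6, interval_cv_max=0.10, size_cv_max=0.05):
    """Per (src, dst) pair, return interval and size regularity and a verdict.
    Thresholds are assumptions for the example; pairs with fewer than
    min_samples flows are skipped because regularity is meaningless on a
    handful of points."""
    by_pair = defaultdict(list)
    for ts, src, dst, size in flows:
        by_pair[(src, dst)].append((ts, size))

    scores = {}
    for pair, records in by_pair.items():
        if len(records) < min_samples:
            continue
        records.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(records, records[1:])]
        sizes = [size for _, size in records]
        mean_gap = statistics.mean(gaps)
        # All flows at the same instant is a burst, not a beacon: treat as irregular.
        interval_cv = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
        size_cv = statistics.pstdev(sizes) / statistics.mean(sizes)
        scores[pair] = {
            "samples": len(records),
            "interval_cv": round(interval_cv, 3),
            "size_cv": round(size_cv, 3),
            "beacon_like": interval_cv <= interval_cv_max and size_cv <= size_cv_max,
        }
    return scores


if __name__ == "__main__":
    for pair, score in beacon_scores(SAMPLE_FLOWS).items():
        print(pair, score)
```

On real flow data the same two statistics are usually combined with a minimum observation window and an allow-list for known periodic traffic (NTP, monitoring agents, update checks), which also transmit small, evenly spaced packets.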
Question 10:
Refer to the scenario.
A customer requires these rights for clients in the "medical-mobile" AOS firewall role on Aruba Mobility Controllers (MCs):
1. Permitted to receive IP addresses with DHCP
2. Permitted access to DNS services from 10.8.9.7 and no other server
3. Permitted access to all subnets in the 10.1.0.0/16 range except denied access to 10.1.12.0/22
4. Denied access to other 10.0.0.0/8 subnets
5. Permitted access to the Internet
6. Denied access to the WLAN for a period of time if they send any SSH traffic
7. Denied access to the WLAN for a period of time if they send any Telnet traffic
8. Denied access to all high-risk websites
External devices should not be permitted to initiate sessions with "medical-mobile" clients, only send return traffic.
The exhibits below show the configuration for the role.
What setting not shown in the exhibit must you check to ensure that the requirements of the scenario are met?
A. That denylisting is enabled globally on the MCs' firewalls
B. That stateful handling of traffic is enabled globally on the MCs' firewalls and on the medical-mobile role.
C. That AppRF and WebCC are enabled globally and on the medical-mobile role
D. That the MCs are assigned RF Protect licenses
Correct Answer: C
AppRF and WebCC are features that allow the MCs to classify and control application traffic and web content based on predefined or custom categories. These features are required to meet the scenario requirements of denying access to all high-risk websites and denying access to the WLAN for a period of time if clients send any SSH or Telnet traffic.
To enable AppRF and WebCC, you need to check the following settings:
On the global level, enable AppRF and WebCC under Configuration > Services > AppRF and Configuration > Services > WebCC, respectively. On the role level, enable AppRF and WebCC under Configuration > Security > Access Control > Roles > medical-mobile > AppRF and Configuration > Security > Access Control > Roles > medical-mobile > WebCC, respectively. You also need to make sure that the MCs have valid licenses for AppRF and WebCC, which are included in the ArubaOS PEFNG license.