HP HP Certifications HPE6-A84 Questions & Answers

• Question 11:

  A customer wants CPPM to authenticate non-802.1X-capable devices. An admin has created the service shown in the exhibits below: What is one recommendation to improve security?

  

  A. Adding an enforcement policy rule that denies access to endpoints with the Conflict flaq

  B. Using Active Directory as the authentication source

  C. Creating and using a custom MAC-Auth authentication method

  D. Enabling caching of posture and roles

  Correct Answer: C

  MAC Authentication Bypass (MAB) is a technique that allows non-802.1X-capable devices to bypass the 802.1X authentication process and gain network access based on their MAC addresses. However, MAB has some security drawbacks, such as the possibility of MAC address spoofing or unauthorized devices being added to the network. Therefore, it is recommended to use a custom MAC-Auth authentication method that adds an additional layer of security to MAB.

  A custom MAC-Auth authentication method is a method that uses a combination of the MAC address and another attribute, such as a username, password, or certificate, to authenticate the device. This way, the device needs to provide both the MAC address and the additional attribute to gain access, making it harder for an attacker to spoof or impersonate the device. A custom MAC-Auth authentication method can be created and configured in ClearPass Policy Manager (CPPM) by following the steps in the Customizing MAC Authentication - Aruba page.

• Question 12:

  Refer to the exhibit.

  

  Which security issue is possibly indicated by this traffic capture?

  A. An attempt at a DoS attack by a device acting as an unauthorized DNS server

  B. A port scan being run on the 10.1.7.0/24 subnet

  C. A command and control channel established with DNS tunneling

  D. An ARP poisoning or man-in-the-middle attempt by the device at 94:60:d5:bf:36:40

  Correct Answer: C

  DNS tunneling is a technique that abuses the DNS protocol to tunnel data or commands between a compromised host and an attacker's server. DNS tunneling can be used to establish a command and control channel, which allows the attacker to remotely control the malware or exfiltrate data from the infected host1 The traffic capture in the exhibit shows some signs of DNS tunneling. The source IP address is 10.1.7.2, which is likely an internal host behind a firewall. The destination IP address is 8.8.8.8, which is a public DNS resolver. The DNS queries are for subdomains of badsite.com, which is likely a malicious domain registered by the attacker. The subdomains have long and random names, such as 0x2a0x2a0x2a0x2a0x2a0x2a0x2a0x2a.badsite.com, which could be used to encode data or commands. The DNS responses have large sizes, such as 512 bytes, which could be used to carry data or commands back to the host2

• Question 13:

  A customer requires a secure solution for connecting remote users to the corporate main site. You are designing a client-to-site virtual private network (VPN) based on Aruba VIA and Aruba Mobility Controllers acting as VPN Concentrators (VPNCs). Remote users will first use the VIA client to contact the VPNCs and obtain connection settings.

  The users should only be allowed to receive the settings if they are the customer's "RemoteEmployees" AD group. After receiving the settings, the VIA clients will automatically establish VPN connections, authenticating to CPPM with certificates.

  What should you do to help ensure that only authorized users obtain VIA connection settings?

  A. Set up the VPNCs' VIA web authentication profile to use CPPM as the authentication server; set up a service on CPPM that uses AD as the authentication source.

  B. Set up the VPNCs' VIA web authentication profile to use an AD domain controller as the LDAP server.

  C. Set up the VPNCs' VIA connection profile to use two authentication profiles, one RADIUS profile to CPPM and one LDAP profile to AD.

  D. Set up the VPNCs' VIA connection profile to use one authentication profile, which is set to the AD domain controller's hostname.

  Correct Answer: A

  The VIA web authentication profile is used to authenticate the users who want to download the VIA connection settings from the VPNCs. The VPNCs can use either an internal database or an external server (such as RADIUS or LDAP) as the authentication source for this profile. To ensure that only authorized users obtain VIA connection settings, you should use CPPM as the external server and configure a service on CPPM that uses AD as the authentication source. This way, you can leverage the role mapping and enforcement features of CPPM to check if the users belong to the "RemoteEmployees" AD group and grant or deny them access accordingly The other options are not correct because they do not allow you to verify the users' AD group membership before providing them with VIA connection settings. Option B would only check the users' credentials against AD, but not their group membership. Option C would only apply to the VPN connection phase, not the VIA connection settings phase. Option D would not work because the VPNCs do not support LDAP as an authentication source for VIA connection profiles

  Reference:

  1: Configuring the VIA Controller - Aruba, section "Configuring VIA Web Authentication Profile"

  2: Configuring VIA Connection Profile - Aruba, section "Configuring Authentication Profile"

• Question 14:

  You are working with a developer to design a custom NAE script for a customer. The NAE agent should trigger an alert when ARP inspection drops packets on a VLAN. The customer wants the admins to be able to select the correct VLAN ID for the agent to monitor when they create the agent.

  What should you tell the developer to do?

  A. Use this variable, %{vlan-id} when defining the monitor URI in the NAE agent script.

  B. Define a VLAN ID parameter; reference that parameter when defining the monitor URI.

  C. Create multiple monitors within the script from which admins can select when they create the agent.

  D. Use a callback action to collect the ID of the VLAN on which admins have enabled NAE monitoring.

  Correct Answer: B

  A custom NAE script is a Python script that defines the monitors, the alert-trigger logic, and the remedial actions for an NAE agent. A monitor is a URI that specifies the data source and the data type that the NAE agent should collect and analyze. For example, to monitor the ARP inspection statistics on a VLAN, the monitor URI would be something like this:

  

  where is the ID of the VLAN to be monitored.

  To allow the admins to select the correct VLAN ID for the agent to monitor when they create the agent, you need to define a VLAN ID parameter in the NAE script. A parameter is a variable that can be set by the user when creating or modifying an agent. A parameter can be referenced in other parts of the script by using the syntax ${parameter-name}. For example, to define a VLAN ID parameter and reference it in the monitor URI, you would write something like this: This way, when the admins create or modify the agent, they can enter the VLAN ID that they want to monitor, and the NAE script will use that value in the monitor URI. You can find more information about how to write custom NAE scripts and use parameters in the NAE Scripting Guide

  

• Question 15:

  Refer to the scenario.

  A customer has an Aruba ClearPass cluster. The customer has AOS-CX switches that implement 802.1X authentication to ClearPass Policy Manager (CPPM).

  Switches are using local port-access policies.

  The customer wants to start tunneling wired clients that pass user authentication only to an Aruba gateway cluster. The gateway cluster should assign these clients to the "eth- internet" role. The gateway should also handle assigning clients

  to their VLAN, which is VLAN 20.

  The plan for the enforcement policy and profiles is shown below:

  

  The gateway cluster has two gateways with these IP addresses:

  Gateway 1

  1.

  VLAN 4085 (system IP) = 10.20.4.21

  2.

  VLAN 20 (users) = 10.20.20.1

  3.

  VLAN 4094 (WAN) = 198.51.100.14

  Gateway 2

  1.

  VLAN 4085 (system IP) = 10.20.4.22

  2.

  VLAN 20 (users) = 10.20.20.2

  3.

  VLAN 4094 (WAN) = 198.51.100.12

  VRRP on VLAN 20 = 10.20.20.254

  The customer requires high availability for the tunnels between the switches and the gateway cluster. If one gateway falls, the other gateway should take over its tunnels. Also, the switch should be able to discover the gateway cluster regardless of whether one of the gateways is in the cluster.

  What is one change that you should make to the solution?

  A. Change the ubt-client-vlan to VLAN 13.

  B. Configure edge ports in VLAN trunk mode.

  C. Remove VLAN assignments from role configurations on the gateways.

  D. Configure the UBT solution to use VLAN extend mode.

  Correct Answer: C

  The UBT solution requires that the VLAN assignments for the wired clients are done by the gateway, not by the switch. Therefore, the role configurations on the gateways should not have any VLAN assignments, as they would override the VLAN 20 that is specified in the enforcement profile. Instead, the role configurations should only have policies that define the access rights for the clients in the "eth-internet" role. This way, the gateway can assign the clients to VLAN 20 and apply the appropriate policies based on their role

• Question 16:

  You are configuring gateway IDS/IPS settings in Aruba Central.

  For which reason would you set the Fail Strategy to Bypass?

  A. To permit traffic if the IPS engine falls to inspect It

  B. To enable the gateway to honor the allowlist settings configured in IDS/IPS policies

  C. To tell gateways to stop enforcing IDS/IPS policies if they lose connectivity to the Internet

  D. To avoid wasting IPS engine resources on filtering traffic for unauthenticated clients

  Correct Answer: A

  The Fail Strategy is a configuration option for the IPS mode of inspection on Aruba gateways. It defines the action to be taken when the IPS engine crashes and cannot inspect the traffic. There are two possible options for the Fail Strategy: Bypass and Block1 If you set the Fail Strategy to Bypass, you are telling the gateway to allow the traffic to flow without inspection when the IPS engine fails. This option ensures that there is no disruption in the network connectivity, but it also exposes the network to potential threats that are not detected or prevented by the IPS engine1 If you set the Fail Strategy to Block, you are telling the gateway to stop the traffic flow until the IPS engine resumes inspection. This option ensures that there is no compromise in the network security, but it also causes a loss of network connectivity for the duration of the IPS engine failure1

• Question 17:

  Refer to the scenario.

  # Introduction to the customer

  You are helping a company add Aruba ClearPass to their network, which uses Aruba network infrastructure devices.

  The company currently has a Windows domain and Windows CA. The Window CA issues certificates to domain computers, domain users, and servers such as domain controllers. An example of a certificate issued by the Windows CA is shown here.

  

  The company is in the process of adding Microsoft Endpoint Manager (Intune) to manage its mobile clients. The customer is maintaining the on-prem AD for now and uses Azure AD Connect to sync with Azure AD.

  # Requirements for issuing certificates to mobile clients

  The company wants to use ClearPass Onboard to deploy certificates automatically to mobile clients enrolled in Intune. During this process, Onboard should communicate with Azure AD to validate the clients. High availability should also be

  provided for this scenario; in other words, clients should be able to get certificates from Subscriber 2 if Subscriber 1 is down.

  The Intune admins intend to create certificate profiles that include a UPN SAN with the UPN of the user who enrolled the device.

  # Requirements for authenticating clients

  The customer requires all types of clients to connect and authenticate on the same corporate SSID.

  The company wants CPPM to use these authentication methods:

  1.

  EAP-TLS to authenticate users on mobile clients registered in Intune

  2.

  TEAR, with EAP-TLS as the inner method to authenticate Windows domain computers and the users on them To succeed, EAP-TLS (standalone or as a TEAP method) clients must meet these requirements:

  1.

  Their certificate is valid and is not revoked, as validated by OCSP

  2.

  The client's username matches an account in AD # Requirements for assigning clients to roles After authentication, the customer wants the CPPM to assign clients to ClearPass roles based on the following rules:

  1.

  Clients with certificates issued by Onboard are assigned the "mobile-onboarded" role

  2.

  Clients that have passed TEAP Method 1 are assigned the "domain-computer" role

  3.

  Clients in the AD group "Medical" are assigned the "medical-staff" role

  4.

  Clients in the AD group "Reception" are assigned to the "reception-staff" role The customer requires CPPM to assign authenticated clients to AOS firewall roles as follows:

  1.

  Assign medical staff on mobile-onboarded clients to the "medical-mobile" firewall role

  2.

  Assign other mobile-onboarded clients to the "mobile-other" firewall role

  3.

  Assign medical staff on domain computers to the "medical-domain" firewall role

  4.

  All reception staff on domain computers to the "reception-domain" firewall role

  5.

  All domain computers with no valid user logged in to the "computer-only" firewall role

  6.

  Deny other clients access # Other requirements Communications between ClearPass servers and on-prem AD domain controllers must be encrypted. # Network topology For the network infrastructure, this customer has Aruba APs and Aruba gateways, which are managed by Central. APs use tunneled WLANs, which tunnel traffic to the gateway cluster. The customer also has AOS-CX switches that are not

  managed by Central at this point.

  

  # ClearPass cluster IP addressing and hostnames A customer's ClearPass cluster has these IP addresses:

  1.

  Publisher = 10.47.47.5

  2.

  Subscriber 1 = 10.47.47.6

  3.

  Subscriber 2 = 10.47.47.7

  4.

  Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8 The customer's DNS server has these entries

  1.

  cp.acnsxtest.com = 10.47.47.5

  2.

  cps1.acnsxtest.com = 10.47.47.6

  3.

  cps2.acnsxtest.com = 10.47.47.7

  4.

  radius.acnsxtest.com = 10.47.47.8

  5.

  onboard.acnsxtest.com = 10.47.47.8 You cannot see flow attributes for wireless clients. What should you check?

  A. Deep packet inspection is enabled on the role to which the Aruba APs assign the wireless clients.

  B. Firewall application visibility is enabled on the Aruba gateways, and the gateways have been rebooted.

  C. Gateway IDS/IPS is enabled on the Aruba gateways, and the gateways have been rebooted.

  D. Deep packet inspection is enabled on the Aruba Aps, and the APs have been rebooted.

  Correct Answer: A

• Question 18:

  Refer to the scenario.

  A customer has asked you to review their AOS-CX switches for potential vulnerabilities. The configuration for these switches is shown below:

  

  What is one recommendation to make?

  A. Let the RADIUS server confiqure VLANs on LAG 1 dynamically.

  B. Use MDS instead of SHA1 for the NTP authentication key.

  C. Encrypt the certificate in the TA-profile.

  D. Create a control plane ACL to limit the sources that can access the switch with SSH.

  Correct Answer: D

  According to the AOS-CX Switches Multiple Vulnerabilities1, one of the vulnerabilities (CVE-2021-41000) affects the SSH service on AOS-CX switches. This vulnerability allows an unauthenticated remote attacker to cause a denial-of-service condition on the switch by sending specially crafted SSH packets. The impact of this vulnerability is high, as it could result in a loss of management access and network disruption. Therefore, one recommendation to make is to create a control plane ACL to limit the sources that can access the switch with SSH. This way, the switch can filter out unwanted or malicious SSH traffic and reduce the risk of exploitation.

• Question 19:

  Refer to the scenario.

  An organization wants the AOS-CX switch to trigger an alert if its RADIUS server (cp.acnsxtest.local) rejects an unusual number of client authentication requests per hour. After some discussions with other Aruba admins, you are still not sure

  how many rejections are usual or unusual. You expect that the value could be different on each switch.

  You are helping the developer understand how to develop an NAE script for this use case.

  You are helping the developer find the right URI for the monitor.

  Refer to the exhibit.

  

  You have used the REST API reference interface to submit a test call. The results are shown in the exhibit.

  Which URI should you give to the developer?

  A. /rest/v1/system/vrfs/mgmt/radius/servers/cp.acnsxtest.local/2083/tcp?attributes=authstatisti cs

  B. /rest/v1/system/vrfs/mgmt/radius/servers/cp.acnsxtest.local/2083/tcp?attributes=authstatisti cs?attributes=access_rejects

  C. /rest/v1/system/vrfs/mgmt/radius/_servers/cp.acnsxtest.local/2083/tcp

  D. /rest/v1/system/vrfs/mgmt/radius/servers/cp.acnsxtest.local/2083/tcp?attributes=authstatisti cs.access_rejects

  Correct Answer: D

  This is because this URI specifies the exact attribute that contains the number of access rejects from the RADIUS server, which is the information that the NAE script needs to monitor and trigger an alert.

  A.

  /rest/v1/system/vrfs/mgmt/radius/servers/cp.acnsxtest.local/2083/tcp?attributes=authstatisti cs. This is not the correct URI because it returns the entire authstatistics object, which contains more information than the access rejects, such as

  access accepts, challenges, timeouts, etc. This might make the NAE script more complex and inefficient to parse and process the data.

  B.

  /rest/v1/system/vrfs/mgmt/radius/servers/cp.acnsxtest.local/2083/tcp?attributes=authstatisti cs?attributes=access_rejects. This is not a valid URI because it has two question marks, which is a syntax error. The question mark is used to

  indicate the start of the query string, which can have one or more parameters separated by ampersands. The correct way to specify multiple attributes is to use a comma-separated list after the question mark, such as ?

  attributes=attr1,attr2,attr3.

  C. /rest/v1/system/vrfs/mgmt/radius/_servers/cp.acnsxtest.local/2083/tcp. This is not a valid URI because it has an extra underscore before servers, which is a typo. The correct resource name is servers, not _servers. Moreover, this URI does

  not specify any attributes, which means it will return the default attributes of the RADIUS server object, such as name, port, protocol, etc., but not the authstatistics or access_rejects.

• Question 20:

  Refer to the scenario.

  A customer is migrating from on-prem AD to Azure AD as its sole domain solution. The customer also manages both wired and wireless devices with Microsoft Endpoint Manager (Intune).

  The customer wants to improve security for the network edge. You are helping the customer design a ClearPass deployment for this purpose. Aruba network devices will authenticate wireless and wired clients to an Aruba ClearPass Policy Manager (CPPM) cluster (which uses version 6.10).

  The customer has several requirements for authentication. The clients should only pass EAP-TLS authentication if a query to Azure AD shows that they have accounts in Azure AD. To further refine the clients' privileges, ClearPass also should use information collected by Intune to make access control decisions.

  Assume that the Azure AD deployment has the proper prerequisites established.

  You are planning the CPPM authentication source that you will reference as the authentication source in 802.1X services.

  How should you set up this authentication source?

  A. As Kerberos type

  B. As Active Directory type

  C. As HTTP type, referencing the Intune extension

  D. AS HTTP type, referencing Azure AD's FODN

  Correct Answer: D

  An authentication source is a configuration element in CPPM that defines how to connect to an external identity provider and retrieve user or device information . CPPM supports various types of authentication sources, such as Active

  Directory, LDAP, SQL, Kerberos, and HTTP .

  To authenticate wireless and wired clients to Azure AD, you need to set up an authentication source as HTTP type, referencing Azure AD's FQDN . This type of authentication source allows CPPM to use REST API calls to communicate with

  Azure AD and validate the user or device credentials . You also need to configure the OAuth 2.0 settings for the authentication source, such as the client ID, client secret, token URL, and resource URL .

  To use information collected by Intune to make access control decisions, you need to set up another authentication source as HTTP type, referencing the Intune extension . This type of authentication source allows CPPM to use REST API

  calls to communicate with Intune and retrieve the device compliance status . You also need to configure the OAuth 2.0 settings for the authentication source, such as the client ID, client secret, token URL, and resource URL .