HP HP Certifications HPE6-A84 Questions & Answers

• Question 41:

  Refer to the exhibit.

  

  Which IP address should you record as a possibly compromised client?

  A. 10.1.26.151

  B. 10.1J.100

  C. 10.1.26.1

  D. 10.254.1.21

  Correct Answer: A

  The exhibit shows a screenshot of a Malwarebytes alert that indicates that a website was blocked due to compromise. The alert contains the following information: The type of protection: Web Protection The website that was blocked: 10.254.1.21 The port that was used: 80 The process that initiated the connection: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe The IP address of the device that initiated the connection: 10.1.26.151 The IP address of the device that initiated the connection is the one that should be recorded as a possibly compromised client, as it indicates that the device tried to access a malicious website that could infect it with malware or steal its data. In this case, the IP address of the possibly compromised client is 10.1.26.151.

• Question 42:

  Refer to the scenario.

  # Introduction to the customer

  You are helping a company add Aruba ClearPass to their network, which uses Aruba network infrastructure devices.

  The company currently has a Windows domain and Windows CA. The Window CA issues certificates to domain computers, domain users, and servers such as domain controllers. An example of a certificate issued by the Windows CA is shown here.

  

  

  The company is in the process of adding Microsoft Endpoint Manager (Intune) to manage its mobile clients. The customer is maintaining the on-prem AD for now and uses Azure AD Connect to sync with Azure AD.

  # Requirements for issuing certificates to mobile clients

  The company wants to use ClearPass Onboard to deploy certificates automatically to mobile clients enrolled in Intune. During this process, Onboard should communicate with Azure AD to validate the clients. High availability should also be

  provided for this scenario; in other words, clients should be able to get certificates from Subscriber 2 if Subscriber 1 is down.

  The Intune admins intend to create certificate profiles that include a UPN SAN with the UPN of the user who enrolled the device.

  # Requirements for authenticating clients

  The customer requires all types of clients to connect and authenticate on the same corporate SSID.

  The company wants CPPM to use these authentication methods:

  1.

  EAP-TLS to authenticate users on mobile clients registered in Intune

  2.

  TEAR, with EAP-TLS as the inner method to authenticate Windows domain computers and the users on them To succeed, EAP-TLS (standalone or as a TEAP method) clients must meet these requirements:

  1.

  Their certificate is valid and is not revoked, as validated by OCSP

  2.

  The client's username matches an account in AD # Requirements for assigning clients to roles After authentication, the customer wants the CPPM to assign clients to ClearPass roles based on the following rules:

  1.

  Clients with certificates issued by Onboard are assigned the "mobile-onboarded" role

  2.

  Clients that have passed TEAP Method 1 are assigned the "domain-computer" role

  3.

  Clients in the AD group "Medical" are assigned the "medical-staff" role

  4.

  Clients in the AD group "Reception" are assigned to the "reception-staff" role The customer requires CPPM to assign authenticated clients to AOS firewall roles as follows:

  1.

  Assign medical staff on mobile-onboarded clients to the "medical-mobile" firewall role

  2.

  Assign other mobile-onboarded clients to the "mobile-other" firewall role

  3.

  Assign medical staff on domain computers to the "medical-domain" firewall role

  4.

  All reception staff on domain computers to the "reception-domain" firewall role

  5.

  All domain computers with no valid user logged in to the "computer-only" firewall role

  6.

  Deny other clients access # Other requirements Communications between ClearPass servers and on-prem AD domain controllers must be encrypted. # Network topology For the network infrastructure, this customer has Aruba APs and Aruba gateways, which are managed by Central. APs use tunneled WLANs, which tunnel traffic to the gateway cluster. The customer also has AOS-CX switches that are not

  managed by Central at this point.

  

  # ClearPass cluster IP addressing and hostnames A customer's ClearPass cluster has these IP addresses:

  1.

  Publisher = 10.47.47.5

  2.

  Subscriber 1 = 10.47.47.6

  3.

  Subscriber 2 = 10.47.47.7

  4.

  Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8

  The customer's DNS server has these entries

  1.

  cp.acnsxtest.com = 10.47.47.5

  2.

  cps1.acnsxtest.com = 10.47.47.6

  3.

  cps2.acnsxtest.com = 10.47.47.7

  4.

  radius.acnsxtest.com = 10.47.47.8

  5.

  onboard.acnsxtest.com = 10.47.47.8

  You have imported the root certificate for the Windows CA to the ClearPass CA Trust list.

  Which usages should you add to it based on the scenario requirements?

  A. EAP and AD/LDAP Server

  B. LDAP and Aruba infrastructure

  C. Radsec and Aruba infrastructure

  D. EAP and Radsec

  Correct Answer: A

• Question 43:

  Refer to the scenario.

  # Introduction to the customer

  You are helping a company add Aruba ClearPass to their network, which uses Aruba network infrastructure devices.

  The company currently has a Windows domain and Windows CA. The Window CA issues certificates to domain computers, domain users, and servers such as domain controllers. An example of a certificate issued by the Windows CA is

  shown here.

  

  The company is in the process of adding Microsoft Endpoint Manager (Intune) to manage its mobile clients. The customer is maintaining the on-prem AD for now and uses Azure AD Connect to sync with Azure AD.

  # Requirements for issuing certificates to mobile clients

  The company wants to use ClearPass Onboard to deploy certificates automatically to mobile clients enrolled in Intune. During this process, Onboard should communicate with Azure AD to validate the clients. High availability should also be

  provided for this scenario; in other words, clients should be able to get certificates from Subscriber 2 if Subscriber 1 is down.

  The Intune admins intend to create certificate profiles that include a UPN SAN with the UPN of the user who enrolled the device.

  # Requirements for authenticating clients

  The customer requires all types of clients to connect and authenticate on the same corporate SSID.

  The company wants CPPM to use these authentication methods:

  1.

  EAP-TLS to authenticate users on mobile clients registered in Intune

  2.

  TEAR, with EAP-TLS as the inner method to authenticate Windows domain computers and the users on them To succeed, EAP-TLS (standalone or as a TEAP method) clients must meet these requirements:

  1.

  Their certificate is valid and is not revoked, as validated by OCSP

  2.

  The client's username matches an account in AD # Requirements for assigning clients to roles After authentication, the customer wants the CPPM to assign clients to ClearPass roles based on the following rules:

  1.

  Clients with certificates issued by Onboard are assigned the "mobile-onboarded" role

  2.

  Clients that have passed TEAP Method 1 are assigned the "domain-computer" role

  3.

  Clients in the AD group "Medical" are assigned the "medical-staff" role

  4.

  Clients in the AD group "Reception" are assigned to the "reception-staff" role The customer requires CPPM to assign authenticated clients to AOS firewall roles as follows:

  1.

  Assign medical staff on mobile-onboarded clients to the "medical-mobile" firewall role

  2.

  Assign other mobile-onboarded clients to the "mobile-other" firewall role

  3.

  Assign medical staff on domain computers to the "medical-domain" firewall role

  4.

  All reception staff on domain computers to the "reception-domain" firewall role

  5.

  All domain computers with no valid user logged in to the "computer-only" firewall role

  6.

  Deny other clients access # Other requirements Communications between ClearPass servers and on-prem AD domain controllers must be encrypted. # Network topology For the network infrastructure, this customer has Aruba APs and Aruba gateways, which are managed by Central. APs use tunneled WLANs, which tunnel traffic to the gateway cluster. The customer also has AOS-CX switches that are not

  managed by Central at this point.

  

  # ClearPass cluster IP addressing and hostnames

  A customer's ClearPass cluster has these IP addresses:

  1.

  Publisher = 10.47.47.5

  2.

  Subscriber 1 = 10.47.47.6

  3.

  Subscriber 2 = 10.47.47.7

  4.

  Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8

  The customer's DNS server has these entries

  1.

  cp.acnsxtest.com = 10.47.47.5

  2.

  cps1.acnsxtest.com = 10.47.47.6

  3.

  cps2.acnsxtest.com = 10.47.47.7

  4.

  radius.acnsxtest.com = 10.47.47.8

  5.

  onboard.acnsxtest.com = 10.47.47.8

  The customer needs a secure way for users to enroll their new wireless clients in Intune. You are recommending a new WLAN that will provide the users with limited access for the enrollment.

  You have set up captive portal for clients on this WLAN to a web page with instructions for enrolling devices. You will need to add several hostnames to the captive portal allowlist manually.

  What is one of those hostnames?

  A. The hostname used by ClearPass Policy ManaGer's RADIUS services

  B. The ClearPass Onboard hostname referenced in an Onboard provisioninG profile

  C. The ClearPass Onboard hostname referenced in Intune SCEP profiles

  D. The hostname used by the on-prem domain controllers

  Correct Answer: B

• Question 44:

  A company has Aruba gateways and wants to start implementing gateway IDS/IPS. The customer has selected Block for the Fail Strategy.

  What might you recommend to help minimize unexpected outages caused by using this particular fall strategy?

  A. Configuring a relatively high threshold for the gateway threat count alerts

  B. Making sure that the gateways have formed a cluster and operate in default gateway mode

  C. Setting the IDS or IPS policy to the least restrictive option, Lenient

  D. Enabling alerts and email notifications for events related to gateway IPS engine utilization and errors

  Correct Answer: D

  The correct answer is D. Enabling alerts and email notifications for events related to gateway IPS engine utilization and errors. Gateway IDS/IPS is a feature that allows the Aruba gateways to monitor and block malicious or unwanted traffic based on predefined or custom rules 1. The Fail Strategy is a setting that determines how the gateways handle traffic when the IPS engine fails or crashes 2. The Block option means that the gateways will stop forwarding traffic until the IPS engine recovers, while the Bypass option means that the gateways will continue forwarding traffic without inspection 2. The Block option provides more security, but it also increases the risk of network outages if the IPS engine fails frequently or for a long time 2. To minimize this risk, it is recommended to enable alerts and email notifications for events related to gateway IPS engine utilization and errors 3. This way, the network administrators can be informed of any issues with the IPS engine and take appropriate actions to restore or troubleshoot it 3. The other options are not correct or relevant for this issue: Option A is not correct because configuring a relatively high threshold for the gateway threat count alerts would not help minimize unexpected outages caused by using the Block option. The gateway threat count alerts are used to notify the network administrators of the number of threats detected by the IPS engine, but they do not affect how the gateways handle traffic when the IPS engine fails 4. Option B is not correct because making sure that the gateways have formed a cluster and operate in default gateway mode would not help minimize unexpected outages caused by using the Block option. The gateway cluster mode is used to provide high availability and load balancing for the gateways, but it does not affect how the gateways handle traffic when the IPS engine fails . The default gateway mode is used to enable routing and NAT functions on the gateways, but it does not affect how the gateways handle traffic when the IPS engine fails . Option C is not correct because setting the IDS or IPS policy to the least restrictive option, Lenient, would not help minimize unexpected outages caused by using the Block option. The IDS or IPS policy is used to define what rules are applied by the IPS engine to inspect and block traffic, but it does not affect how the gateways handle traffic when the IPS engine fails 2. The Lenient option contains fewer and older rules than the Moderate or Strict options, which means that it

  provides less security and more false negatives .

• Question 45:

  How does Aruba Central handle security for site-to-site connections between AOS 10 gateways?

  A. It uses an Aruba proprietary integrity and encryption technologies to secure site-to-site connections, making them resistant to zero day attacks.

  B. It automatically establishes IPsec tunnels for all site-to-site (all HUBs and Branches) connections using keys securely distributed by Central.

  C. It automatically steers traffic away from Internet-based connections to more secure MPLS connections to reduce encryption overhead.

  D. It automatically establishes simple-to-manage and highly secure TLSv1.3 tunnels between gateways.

  Correct Answer: B

  Aruba Central supports site-to-site VPNs between AOS 10 gateways, which are Aruba devices that provide routing, firewall, and VPN functions. Aruba Central can automatically provision and manage the site-to-site VPNs using the VPN Manager feature. The VPN Manager allows you to create VPN groups that consist of one or more hubs and branches, and define the VPN settings for each group1 Aruba Central uses IPsec as the protocol to secure the site-to-site connections between the AOS 10 gateways. IPsec is a standard protocol that provides encryption, authentication, and integrity for IP packets. Aruba Central automatically establishes IPsec tunnels for all site-to-site connections using keys that are securely distributed by Central. The keys are generated by Central and pushed to the gateways using a secure channel. The keys are rotated periodically to enhance security2

• Question 46:

  The customer needs a way for users to enroll new wired clients in Intune. The clients should have limited access that only lets them enroll and receive certificates. You plan to set up these rights in an AOS-CX role named "provision."

  The customer's security team dictates that you must limit these clients' Internet access to only the necessary sites. Your switch software supports IPv4 and IPv6 addresses for the rules applied in the "provision" role.

  What should you recommend?

  A. Configuring the rules for the "provision" role with IPv6 addresses, which tend to be more stable

  B. Enabling tunneling to the MCs on the "provision" role and then setting up the privileges on the MCs

  C. Configuring the "provision" role as a downloadable user role (DUR) in CPPM

  D. Assigning the "provision" role to a VLAN and then setting up the rules within a Layer 2 access control list (ACL)

  Correct Answer: C

  This is because a downloadable user role (DUR) is a feature that allows the switch to use a central ClearPass server to download user-roles to the switch for authenticated users12 A DUR can contain various attributes and rules that define the access level and privileges of the user, such as VLAN, ACL, PoE, reauthentication period, etc3 A DUR can also be customized and updated on the ClearPass server without requiring any changes on the switch1 A DUR can be used to create a "provision" role that allows users to enroll new wired clients in Intune. The "provision" role can have limited access that only lets them enroll and receive certificates from the Intune service. The "provision" role can also have rules that restrict the Internet access of the users to only the necessary sites, such as the Intune portal and the certificate authority. The rules can be based on IPv4 or IPv6 addresses, depending on the network configuration and preference2 A. Configuring the rules for the "provision" role with IPv6 addresses, which tend to be more stable. This is not a valid recommendation because it does not address how to create and apply the "provision" role on the switch. Moreover, IPv6 addresses do not necessarily tend to be more stable than IPv4 addresses, as both protocols have their own advantages and disadvantages4

  B. Enabling tunneling to the MCs on the "provision" role and then setting up the privileges on the MCs. This is not a valid recommendation because it does not explain how to enable tunneling or what MCs are. Moreover, tunneling is a technique that encapsulates one network protocol within another, which adds complexity and overhead to the network communication5

  D. Assigning the "provision" role to a VLAN and then setting up the rules within a Layer 2 access control list (ACL). This is not a valid recommendation because it does not explain how to assign a role to a VLAN or how to create a Layer 2 ACL on the switch. Moreover, a Layer 2 ACL is limited in its filtering capabilities, as it can only match on MAC addresses or Ethernet types, which might not be sufficient for restricting Internet access to specific sites

• Question 47:

  Refer to the scenario.

  An organization wants the AOS-CX switch to trigger an alert if its RADIUS server (cp.acnsxtest.local) rejects an unusual number of client authentication requests per hour. After some discussions with other Aruba admins, you are still not sure how many rejections are usual or unusual. You expect that the value could be different on each switch.

  You are helping the developer understand how to develop an NAE script for this use case.

  You are helping a customer define an NAE script for AOS-CX switches. The script will monitor statistics from a RADIUS server defined on the switch. You want to future proof the script by enabling admins to select a different hostname or IP address for the monitored RADIUS server when they create an agent from the script.

  What should you recommend?

  A. Use this variable, %{radius-ipV when defining the monitor URI in the NAE agent script.

  B. Define a parameter for the RADIUS server; reference that parameter instead of the server name/ip when defining the monitor URI.

  C. Use a callback action to collect the name of any RADIUS servers defined on the switch at the time the agent is created.

  D. Make the script editable so that admins can edit it on demand when they are creating scripts.

  Correct Answer: B

  This is because a parameter is a variable that can be defined and modified by the user or the script, and can be used to customize the behavior and output of the NAE script. A parameter can be referred to by using the syntax self ^ramsfname], where ramsfname is the name of the parameter. By defining a parameter for the RADIUS server, you can make the NAE script more flexible and adaptable to different scenarios and switches. The parameter can be set to a default value, such as cp.acnsxtest.local, but it can also be changed by the user or the script based on the network conditions and requirements. For example, the user can select a different hostname or IP address for the monitored RADIUS server when they create an agent from the script, or the script can automatically detect and update the parameter based on the switch configuration. This way, the NAE script can monitor statistics from any RADIUS server defined on the switch without hard-coding the server name or IP address in the monitor URI.

  A. Use this variable, %{radius-ipV when defining the monitor URI in the NAE agent script. This is not a valid recommendation because %{radius-ipV is not a valid variable in NAE scripts. Variables in NAE scripts are prefixed with self ^ramsfname], not with %. Moreover, radius-ipV is not a predefined variable that contains the RADIUS server name or IP address, but rather a generic term that could refer to any IP version. C. Use a callback action to collect the name of any RADIUS servers defined on the switch at the time the agent is created. This is not a bad recommendation, but it is not as good as defining a parameter. A callback action is a feature that allows an NAE script to execute a command on the switch and collect its output for further processing or display. A callback action can be used to collect the name of any RADIUS servers defined on the switch by executing a command such as show radius-server or show running-config radius-server and parsing its output. However, a callback action might not be as fast or reliable as using a parameter, as it depends on the availability and responsiveness of the switch and its CLI. D. Make the script editable so that admins can edit it on demand when they are creating scripts. This is not a good recommendation because making the script editable exposes it to potential errors or modifications that could affect its functionality or performance. Making the script editable also requires more effort and expertise from the admins, who might not be familiar with NAE scripting syntax or logic. Moreover, making the script editable does not future proof it, as it does not allow for dynamic changes or updates based on network conditions or requirements. 10of30

• Question 48:

  A customer has an AOS 10-based mobility solution, which authenticates clients to Aruba ClearPass Policy Manager (CPPM). The customer has some wireless devices that support WPA2 in personal mode only.

  How can you meet these devices' needs but improve security?

  A. Use MPSK on the WLAN to which the devices connect.

  B. Configure WIDS policies that apply extra monitoring to these particular devices.

  C. Connect these devices to the same WLAN to which 802.1X-capable clients connect, using MAC-Auth fallback.

  D. Enable dynamic authorization (RFC 3576) in the AAA profile for the devices.

  Correct Answer: A

  MPSK (Multi Pre-Shared Key) is a feature that allows assigning different pre-shared keys (PSKs) to different devices or groups of devices on the same WLAN. MPSK improves security over WPA2 in personal mode, which uses a single PSK for all devices on the WLAN. With MPSK, you can create and manage multiple PSKs, each with its own role, policy, and expiration date. You can also revoke or change a PSK for a specific device or group without affecting other devices on the WLAN. MPSK is compatible with devices that support WPA2 in personal mode only, as they do not need to support any additional protocols or certificates. To use MPSK on the WLAN to which the devices connect, you need to enable MPSK in the WLAN settings and configure the PSKs in Aruba ClearPass Policy Manager (CPPM). You can find more information about how to configure MPSK in the [Configuring Multi Pre- Shared Key - Aruba] page and the [ClearPass Policy Manager User Guide] . The other options are not correct because they either do not improve security or are not applicable for devices that support WPA2 in personal mode only. For example, configuring WIDS policies that apply extra monitoring to these particular devices would not prevent them from being compromised or spoofed, but rather detect and mitigate potential attacks. Connecting these devices to the same WLAN to which 802.1X-capable clients connect, using MAC-Auth fallback, would not provide strong authentication or encryption, as MAC addresses can be easily spoofed or captured. Enabling dynamic authorization (RFC 3576) in the AAA profile for the devices would not affect the authentication process, but rather allow CPPM to change the attributes or status of a user session on the controller without requiring re- authentication.

• Question 49:

  A customer has an AOS 10-based solution, including Aruba APs. The customer wants to use Cloud Auth to authenticate non-802.1X capable IoT devices.

  What is a prerequisite for setting up the device role mappings?

  A. Configuring a NetConductor-based fabric

  B. Configuring Device Insight (client profile) tags in Central

  C. Integrating Aruba ClearPass Policy Manager (CPPM) and Device Insight

  D. Creating global role-to-role firewall policies in Central

  Correct Answer: B

  According to the Aruba Cloud Authentication and Policy Overview1, one of the prerequisites for configuring Cloud Authentication and Policy is to configure Device Insight (client profile) tags in Central. Device Insight tags are used to identify and classify IoT devices based on their behavior and characteristics. These tags can then be mapped to client roles, which are defined in the WLAN configuration for IAPs2. Client roles are used to enforce role-based access policies for the IoT devices. Therefore, option B is the correct answer. Option A is incorrect because NetConductor is not related to Cloud Authentication and Policy. NetConductor is a cloud-based network management solution that simplifies the deployment and operation of Aruba Instant networks. Option C is incorrect because integrating Aruba ClearPass Policy Manager (CPPM) and Device Insight is not a prerequisite for setting up the device role mappings. CPPM and Device Insight can work together to provide enhanced visibility and control over IoT devices, but they are not required for Cloud Authentication and Policy. Option D is incorrect because creating global role-to-role firewall policies in Central is not a prerequisite for setting up the device role mappings. Global role-torole firewall policies are used to define the traffic rules between different client roles across the entire network, but they are not required for Cloud Authentication and Policy.

• Question 50:

  You are designing an Aruba ClearPass Policy Manager (CPPM) solution for a customer. You learn that the customer has a Palo Alto firewall that filters traffic between clients in the campus and the data center.

  Which integration can you suggest?

  A. Sending Syslogs from the firewall to CPPM to signal CPPM to change the authentication status for misbehaving clients

  B. Importing clients' MAC addresses to configure known clients for MAC authentication more quickly

  C. Establishing a double layer of authentication at both the campus edge and the data center DMZ

  D. Importing the firewall's rules to program downloadable user roles for AOS-CX switches more quickly

  Correct Answer: A

  This option allows CPPM to receive real-time information about the network activity and security posture of the clients from the firewall, and then apply appropriate enforcement actions based on the configured policies 12. For example, if a client is detected to be infected with malware or violating the network usage policy, CPPM can quarantine or disconnect the client from the network 2.