Refer to the exhibit.
Which IP address should you record as a possibly compromised client?
A. 10.1.26.151
B. 10.1J.100
C. 10.1.26.1
D. 10.254.1.21
Refer to the scenario.
# Introduction to the customer
You are helping a company add Aruba ClearPass to their network, which uses Aruba network infrastructure devices.
The company currently has a Windows domain and Windows CA. The Window CA issues certificates to domain computers, domain users, and servers such as domain controllers. An example of a certificate issued by the Windows CA is shown here.
The company is in the process of adding Microsoft Endpoint Manager (Intune) to manage its mobile clients. The customer is maintaining the on-prem AD for now and uses Azure AD Connect to sync with Azure AD.
# Requirements for issuing certificates to mobile clients
The company wants to use ClearPass Onboard to deploy certificates automatically to mobile clients enrolled in Intune. During this process, Onboard should communicate with Azure AD to validate the clients. High availability should also be
provided for this scenario; in other words, clients should be able to get certificates from Subscriber 2 if Subscriber 1 is down.
The Intune admins intend to create certificate profiles that include a UPN SAN with the UPN of the user who enrolled the device.
# Requirements for authenticating clients
The customer requires all types of clients to connect and authenticate on the same corporate SSID.
The company wants CPPM to use these authentication methods:
1.
EAP-TLS to authenticate users on mobile clients registered in Intune
2.
TEAR, with EAP-TLS as the inner method to authenticate Windows domain computers and the users on them To succeed, EAP-TLS (standalone or as a TEAP method) clients must meet these requirements:
1.
Their certificate is valid and is not revoked, as validated by OCSP
2.
The client's username matches an account in AD # Requirements for assigning clients to roles After authentication, the customer wants the CPPM to assign clients to ClearPass roles based on the following rules:
1.
Clients with certificates issued by Onboard are assigned the "mobile-onboarded" role
2.
Clients that have passed TEAP Method 1 are assigned the "domain-computer" role
3.
Clients in the AD group "Medical" are assigned the "medical-staff" role
4.
Clients in the AD group "Reception" are assigned to the "reception-staff" role The customer requires CPPM to assign authenticated clients to AOS firewall roles as follows:
1.
Assign medical staff on mobile-onboarded clients to the "medical-mobile" firewall role
2.
Assign other mobile-onboarded clients to the "mobile-other" firewall role
3.
Assign medical staff on domain computers to the "medical-domain" firewall role
4.
All reception staff on domain computers to the "reception-domain" firewall role
5.
All domain computers with no valid user logged in to the "computer-only" firewall role
6.
Deny other clients access # Other requirements Communications between ClearPass servers and on-prem AD domain controllers must be encrypted. # Network topology For the network infrastructure, this customer has Aruba APs and Aruba gateways, which are managed by Central. APs use tunneled WLANs, which tunnel traffic to the gateway cluster. The customer also has AOS-CX switches that are not
managed by Central at this point.
# ClearPass cluster IP addressing and hostnames A customer's ClearPass cluster has these IP addresses:
1.
Publisher = 10.47.47.5
2.
Subscriber 1 = 10.47.47.6
3.
Subscriber 2 = 10.47.47.7
4.
Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8
The customer's DNS server has these entries
1.
cp.acnsxtest.com = 10.47.47.5
2.
cps1.acnsxtest.com = 10.47.47.6
3.
cps2.acnsxtest.com = 10.47.47.7
4.
radius.acnsxtest.com = 10.47.47.8
5.
onboard.acnsxtest.com = 10.47.47.8
You have imported the root certificate for the Windows CA to the ClearPass CA Trust list.
Which usages should you add to it based on the scenario requirements?
A. EAP and AD/LDAP Server
B. LDAP and Aruba infrastructure
C. Radsec and Aruba infrastructure
D. EAP and Radsec
Refer to the scenario.
# Introduction to the customer
You are helping a company add Aruba ClearPass to their network, which uses Aruba network infrastructure devices.
The company currently has a Windows domain and Windows CA. The Window CA issues certificates to domain computers, domain users, and servers such as domain controllers. An example of a certificate issued by the Windows CA is
shown here.
The company is in the process of adding Microsoft Endpoint Manager (Intune) to manage its mobile clients. The customer is maintaining the on-prem AD for now and uses Azure AD Connect to sync with Azure AD.
# Requirements for issuing certificates to mobile clients
The company wants to use ClearPass Onboard to deploy certificates automatically to mobile clients enrolled in Intune. During this process, Onboard should communicate with Azure AD to validate the clients. High availability should also be
provided for this scenario; in other words, clients should be able to get certificates from Subscriber 2 if Subscriber 1 is down.
The Intune admins intend to create certificate profiles that include a UPN SAN with the UPN of the user who enrolled the device.
# Requirements for authenticating clients
The customer requires all types of clients to connect and authenticate on the same corporate SSID.
The company wants CPPM to use these authentication methods:
1.
EAP-TLS to authenticate users on mobile clients registered in Intune
2.
TEAR, with EAP-TLS as the inner method to authenticate Windows domain computers and the users on them To succeed, EAP-TLS (standalone or as a TEAP method) clients must meet these requirements:
1.
Their certificate is valid and is not revoked, as validated by OCSP
2.
The client's username matches an account in AD # Requirements for assigning clients to roles After authentication, the customer wants the CPPM to assign clients to ClearPass roles based on the following rules:
1.
Clients with certificates issued by Onboard are assigned the "mobile-onboarded" role
2.
Clients that have passed TEAP Method 1 are assigned the "domain-computer" role
3.
Clients in the AD group "Medical" are assigned the "medical-staff" role
4.
Clients in the AD group "Reception" are assigned to the "reception-staff" role The customer requires CPPM to assign authenticated clients to AOS firewall roles as follows:
1.
Assign medical staff on mobile-onboarded clients to the "medical-mobile" firewall role
2.
Assign other mobile-onboarded clients to the "mobile-other" firewall role
3.
Assign medical staff on domain computers to the "medical-domain" firewall role
4.
All reception staff on domain computers to the "reception-domain" firewall role
5.
All domain computers with no valid user logged in to the "computer-only" firewall role
6.
Deny other clients access # Other requirements Communications between ClearPass servers and on-prem AD domain controllers must be encrypted. # Network topology For the network infrastructure, this customer has Aruba APs and Aruba gateways, which are managed by Central. APs use tunneled WLANs, which tunnel traffic to the gateway cluster. The customer also has AOS-CX switches that are not
managed by Central at this point.
# ClearPass cluster IP addressing and hostnames
A customer's ClearPass cluster has these IP addresses:
1.
Publisher = 10.47.47.5
2.
Subscriber 1 = 10.47.47.6
3.
Subscriber 2 = 10.47.47.7
4.
Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8
The customer's DNS server has these entries
1.
cp.acnsxtest.com = 10.47.47.5
2.
cps1.acnsxtest.com = 10.47.47.6
3.
cps2.acnsxtest.com = 10.47.47.7
4.
radius.acnsxtest.com = 10.47.47.8
5.
onboard.acnsxtest.com = 10.47.47.8
The customer needs a secure way for users to enroll their new wireless clients in Intune. You are recommending a new WLAN that will provide the users with limited access for the enrollment.
You have set up captive portal for clients on this WLAN to a web page with instructions for enrolling devices. You will need to add several hostnames to the captive portal allowlist manually.
What is one of those hostnames?
A. The hostname used by ClearPass Policy ManaGer's RADIUS services
B. The ClearPass Onboard hostname referenced in an Onboard provisioninG profile
C. The ClearPass Onboard hostname referenced in Intune SCEP profiles
D. The hostname used by the on-prem domain controllers
A company has Aruba gateways and wants to start implementing gateway IDS/IPS. The customer has selected Block for the Fail Strategy.
What might you recommend to help minimize unexpected outages caused by using this particular fall strategy?
A. Configuring a relatively high threshold for the gateway threat count alerts
B. Making sure that the gateways have formed a cluster and operate in default gateway mode
C. Setting the IDS or IPS policy to the least restrictive option, Lenient
D. Enabling alerts and email notifications for events related to gateway IPS engine utilization and errors
How does Aruba Central handle security for site-to-site connections between AOS 10 gateways?
A. It uses an Aruba proprietary integrity and encryption technologies to secure site-to-site connections, making them resistant to zero day attacks.
B. It automatically establishes IPsec tunnels for all site-to-site (all HUBs and Branches) connections using keys securely distributed by Central.
C. It automatically steers traffic away from Internet-based connections to more secure MPLS connections to reduce encryption overhead.
D. It automatically establishes simple-to-manage and highly secure TLSv1.3 tunnels between gateways.
The customer needs a way for users to enroll new wired clients in Intune. The clients should have limited access that only lets them enroll and receive certificates. You plan to set up these rights in an AOS-CX role named "provision."
The customer's security team dictates that you must limit these clients' Internet access to only the necessary sites. Your switch software supports IPv4 and IPv6 addresses for the rules applied in the "provision" role.
What should you recommend?
A. Configuring the rules for the "provision" role with IPv6 addresses, which tend to be more stable
B. Enabling tunneling to the MCs on the "provision" role and then setting up the privileges on the MCs
C. Configuring the "provision" role as a downloadable user role (DUR) in CPPM
D. Assigning the "provision" role to a VLAN and then setting up the rules within a Layer 2 access control list (ACL)
Refer to the scenario.
An organization wants the AOS-CX switch to trigger an alert if its RADIUS server (cp.acnsxtest.local) rejects an unusual number of client authentication requests per hour. After some discussions with other Aruba admins, you are still not sure how many rejections are usual or unusual. You expect that the value could be different on each switch.
You are helping the developer understand how to develop an NAE script for this use case.
You are helping a customer define an NAE script for AOS-CX switches. The script will monitor statistics from a RADIUS server defined on the switch. You want to future proof the script by enabling admins to select a different hostname or IP address for the monitored RADIUS server when they create an agent from the script.
What should you recommend?
A. Use this variable, %{radius-ipV when defining the monitor URI in the NAE agent script.
B. Define a parameter for the RADIUS server; reference that parameter instead of the server name/ip when defining the monitor URI.
C. Use a callback action to collect the name of any RADIUS servers defined on the switch at the time the agent is created.
D. Make the script editable so that admins can edit it on demand when they are creating scripts.
A customer has an AOS 10-based mobility solution, which authenticates clients to Aruba ClearPass Policy Manager (CPPM). The customer has some wireless devices that support WPA2 in personal mode only.
How can you meet these devices' needs but improve security?
A. Use MPSK on the WLAN to which the devices connect.
B. Configure WIDS policies that apply extra monitoring to these particular devices.
C. Connect these devices to the same WLAN to which 802.1X-capable clients connect, using MAC-Auth fallback.
D. Enable dynamic authorization (RFC 3576) in the AAA profile for the devices.
A customer has an AOS 10-based solution, including Aruba APs. The customer wants to use Cloud Auth to authenticate non-802.1X capable IoT devices.
What is a prerequisite for setting up the device role mappings?
A. Configuring a NetConductor-based fabric
B. Configuring Device Insight (client profile) tags in Central
C. Integrating Aruba ClearPass Policy Manager (CPPM) and Device Insight
D. Creating global role-to-role firewall policies in Central
You are designing an Aruba ClearPass Policy Manager (CPPM) solution for a customer. You learn that the customer has a Palo Alto firewall that filters traffic between clients in the campus and the data center.
Which integration can you suggest?
A. Sending Syslogs from the firewall to CPPM to signal CPPM to change the authentication status for misbehaving clients
B. Importing clients' MAC addresses to configure known clients for MAC authentication more quickly
C. Establishing a double layer of authentication at both the campus edge and the data center DMZ
D. Importing the firewall's rules to program downloadable user roles for AOS-CX switches more quickly
Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only HP exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your HPE6-A84 exam preparations and HP certification application, do not hesitate to visit our Vcedump.com to find your solutions here.