HPE6-A84 Aruba Certified Network Security Expert Written Exam Questions and Answers

Questions 4

Refer to the scenario.

A customer is using an AOS 10 architecture with Aruba APs and Aruba gateways (two per site). Admins have implemented auto-site clustering for gateways with the default gateway mode disabled. WLANs use tunneled mode to the gateways.

The WLAN security is WPA3-Enterprise with authentication to an Aruba ClearPass Policy Manager (CPPM) cluster VIP. RADIUS communications use RADIUS, not RadSec.

For which devices does CPPM require network device entries?

Options:

Forgateways' actual IP addresses and dynamic authorization VRRP addresses

For gateways' actual IP addresses and AP clusters' virtual IP addresses for dynamic authorization

For APs' actual IP addresses

ForAP clusters'virtual IP addresses

Buy Now

Questions 5

A company has an Aruba ClearPass server at 10.47.47.8, FQDN radius.acnsxtest.local. This exhibit shows ClearPass Policy Manager's (CPPM's) settings for an Aruba Mobility Controller (MC).

The MC is already configured with RADIUS authentication settings for CPPM, and RADIUS requests between the MC and CPPM are working. A network admin enters and commits this command to enable dynamic authorization on the MC:

aaa rfc-3576-server 10.47.47.8

But when CPPM sends CoA requests to the MC, they are not working. This exhibit shows the RFC 3576 server statistics on the MC:

How could you fix this issue?

Options:

Change the UDP port in the MCs’ RFC 3576 server config to 3799.

Enable RadSec on the MCs’ RFC 3676 server config.

Configure the MC to obtain the time from a valid NTP server.

Make sure that CPPM is using an ArubaOS Wireless RADIUS CoA enforcement profile.

Buy Now

Questions 6

Refer to the scenario.

# Introduction to the customer

You are helping a company add Aruba ClearPass to their network, which uses Aruba network infrastructure devices.

The company currently has a Windows domain and Windows CA. The Window CA issues certificates to domain computers, domain users, and servers such as domain controllers. An example of a certificate issued by the Windows CA is shown here.

The company is in the process of adding Microsoft Endpoint Manager (Intune) to manage its mobile clients. The customer is maintaining the on-prem AD for now and uses Azure AD Connect to sync with Azure AD.

# Requirements for issuing certificates to mobile clients

The company wants to use ClearPass Onboard to deploy certificates automatically to mobile clients enrolled in Intune. During this process, Onboard should communicate with Azure AD to validate the clients. High availability should also be provided for this scenario; in other words, clients should be able to get certificates from Subscriber 2 if Subscriber 1 is down.

The Intune admins intend to create certificate profiles that include a UPN SAN with the UPN of the user who enrolled the device.

# Requirements for authenticating clients

The customer requires all types of clients to connect and authenticate on the same corporate SSID.

The company wants CPPM to use these authentication methods:

EAP-TLS to authenticate users on mobile clients registered in Intune

TEAR, with EAP-TLS as the inner method to authenticate Windows domain computers and the users on them

To succeed, EAP-TLS (standalone or as a TEAP method) clients must meet these requirements:

Their certificate is valid and is not revoked, as validated by OCSP

The client’s username matches an account in AD

# Requirements for assigning clients to roles

After authentication, the customer wants the CPPM to assign clients to ClearPass roles based on the following rules:

Clients with certificates issued by Onboard are assigned the “mobile-onboarded” role

Clients that have passed TEAP Method 1 are assigned the “domain-computer” role

Clients in the AD group “Medical” are assigned the “medical-staff” role

Clients in the AD group “Reception” are assigned to the “reception-staff” role

The customer requires CPPM to assign authenticated clients to AOS firewall roles as follows:

Assign medical staff on mobile-onboarded clients to the “medical-mobile” firewall role

Assign other mobile-onboarded clients to the “mobile-other” firewall role

Assign medical staff on domain computers to the “medical-domain” firewall role

All reception staff on domain computers to the “reception-domain” firewall role

All domain computers with no valid user logged in to the “computer-only” firewall role

Deny other clients access

# Other requirements

Communications between ClearPass servers and on-prem AD domain controllers must be encrypted.

# Network topology

For the network infrastructure, this customer has Aruba APs and Aruba gateways, which are managed by Central. APs use tunneled WLANs, which tunnel traffic to the gateway cluster. The customer also has AOS-CX switches that are not managed by Central at this point.

# ClearPass cluster IP addressing and hostnames

A customer’s ClearPass cluster has these IP addresses:

Publisher = 10.47.47.5

Subscriber 1 = 10.47.47.6

Subscriber 2 = 10.47.47.7

Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8

The customer’s DNS server has these entries

cp.acnsxtest.com = 10.47.47.5

cps1.acnsxtest.com = 10.47.47.6

cps2.acnsxtest.com = 10.47.47.7

radius.acnsxtest.com = 10.47.47.8

onboard.acnsxtest.com = 10.47.47.8

The customer needs a secure way for users to enroll their new wireless clients in Intune. You are recommending a new WLAN that will provide the users with limited access for the enrollment.

You have set up captive portal for clients on this WLAN to a web page with instructions for enrolling devices. You will need to add several hostnames to the captive portal allowlist manually.

What is one of those hostnames?

Options:

The hostname used by ClearPass Policy ManaGer's RADIUS services

The ClearPass Onboard hostname referenced in an Onboard provisioninG profile

The ClearPass Onboard hostname referenced in Intune SCEP profiles

The hostname used by the on-prem domain controllers

Buy Now

Questions 7

You are working with a developer to design a custom NAE script for a customer. The NAE agent should trigger an alert when ARP inspection drops packets on a VLAN. The customer wants the admins to be able to select the correct VLAN ID for the agent to monitor when they create the agent.

What should you tell the developer to do?

Options:

Use this variable, %{vlan-id} when defining the monitor URI in the NAE agent script.

Define a VLAN ID parameter; reference that parameter when defining the monitor URI.

Create multiple monitors within the script from which admins can select when they create the agent.

Use a callback action to collect the ID of the VLAN on which admins have enabled NAE monitoring.

Buy Now

Questions 8

Refer to the exhibit.

Which security issue is possibly indicated by this traffic capture?

Options:

An attempt at a DoS attack by a device acting as an unauthorized DNS server

A port scan being run on the 10.1.7.0/24 subnet

A command and control channel established with DNS tunneling

An ARP poisoning or man-in-the-middle attempt by the device at 94:60:d5:bf:36:40

Buy Now

Questions 9

Refer to the scenario.

# Introduction to the customer

You are helping a company add Aruba ClearPass to their network, which uses Aruba network infrastructure devices.

# Requirements for issuing certificates to mobile clients

The Intune admins intend to create certificate profiles that include a UPN SAN with the UPN of the user who enrolled the device.

# Requirements for authenticating clients

The customer requires all types of clients to connect and authenticate on the same corporate SSID.

The company wants CPPM to use these authentication methods:

EAP-TLS to authenticate users on mobile clients registered in Intune

TEAR, with EAP-TLS as the inner method to authenticate Windows domain computers and the users on them

To succeed, EAP-TLS (standalone or as a TEAP method) clients must meet these requirements:

Their certificate is valid and is not revoked, as validated by OCSP

The client’s username matches an account in AD

# Requirements for assigning clients to roles

After authentication, the customer wants the CPPM to assign clients to ClearPass roles based on the following rules:

Clients with certificates issued by Onboard are assigned the “mobile-onboarded” role

Clients that have passed TEAP Method 1 are assigned the “domain-computer” role

Clients in the AD group “Medical” are assigned the “medical-staff” role

Clients in the AD group “Reception” are assigned to the “reception-staff” role

The customer requires CPPM to assign authenticated clients to AOS firewall roles as follows:

Assign medical staff on mobile-onboarded clients to the “medical-mobile” firewall role

Assign other mobile-onboarded clients to the “mobile-other” firewall role

Assign medical staff on domain computers to the “medical-domain” firewall role

All reception staff on domain computers to the “reception-domain” firewall role

All domain computers with no valid user logged in to the “computer-only” firewall role

Deny other clients access

# Other requirements

Communications between ClearPass servers and on-prem AD domain controllers must be encrypted.

# Network topology

# ClearPass cluster IP addressing and hostnames

A customer’s ClearPass cluster has these IP addresses:

Publisher = 10.47.47.5

Subscriber 1 = 10.47.47.6

Subscriber 2 = 10.47.47.7

Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8

The customer’s DNS server has these entries

cp.acnsxtest.com = 10.47.47.5

cps1.acnsxtest.com = 10.47.47.6

cps2.acnsxtest.com = 10.47.47.7

radius.acnsxtest.com = 10.47.47.8

onboard.acnsxtest.com = 10.47.47.8

The customer has now decided that it needs CPPM to assign certain mobile-onboarded devices to a “nurse-call” AOS user role. These are mobile-onboarded devices that are communicating with IP address 10.1.18.12 using port 4343.

What are the prerequisites for fulfilling this requirement?

Options:

Setting up traffic classes and role mapping rules within Central's global settings

Creating server-based role assignment rules on APs that apply roles to clients based on traffic destinations

Creating server-based role assignment rules on gateways that apply roles to clients based on traffic destinations

Creating a tag on Central to select the proper destination connection and integrating CPPM with Device Insight

Buy Now

Questions 10

Refer to the scenario.

A customer has an Aruba ClearPass cluster. The customer has AOS-CX switches that implement 802.1X authentication to ClearPass Policy Manager (CPPM).

Switches are using local port-access policies.

The customer wants to start tunneling wired clients that pass user authentication only to an Aruba gateway cluster. The gateway cluster should assign these clients to the “eth-internet" role. The gateway should also handle assigning clients to their VLAN, which is VLAN 20.

The plan for the enforcement policy and profiles is shown below:

The gateway cluster has two gateways with these IP addresses:

• Gateway 1

o VLAN 4085 (system IP) = 10.20.4.21

o VLAN 20 (users) = 10.20.20.1

o VLAN 4094 (WAN) = 198.51.100.14

• Gateway 2

o VLAN 4085 (system IP) = 10.20.4.22

o VLAN 20 (users) = 10.20.20.2

o VLAN 4094 (WAN) = 198.51.100.12

• VRRP on VLAN 20 = 10.20.20.254

The customer requires high availability for the tunnels between the switches and the gateway cluster. If one gateway falls, the other gateway should take over its tunnels. Also, the switch should be able to discover the gateway cluster regardless of whether one of the gateways is in the cluster.

Assume that you have configured the correct UBT zone and port-access role settings. However, the solution is not working.

What else should you make sure to do?

Options:

Assign VLAN 20 as the access VLAN on any edge ports to which tunneled clients might connect.

Create a new VLAN on the AOS-CX switch and configure that VLAN as the UBT client VLAN.

Assign sufficient VIA licenses to the gateways based on the number of wired clients that will connect.

Change the port-access auth-mode mode to client-mode on any edge ports to which tunneled clients might connect.

Buy Now

Answer:

Explanation:

The correct answer is B. Create a new VLAN on the AOS-CX switch and configure that VLAN as the UBT client VLAN.

User-based tunneling (UBT) is a feature that allows the AOS-CX switches to tunnel the traffic from wired clients to a mobility gateway cluster, where they can be assigned a role and a VLAN based on their authentication and authorization 1. To enable UBT, the switches need to have a UBT zone configured with the IP addresses of the gateways, and a UBT client VLAN configured with the ubt-client-vlan command 2.

The UBT client VLAN is a special VLAN that is used to encapsulate the traffic from the tunneled clients before sending it to the gateways. The UBT client VLAN must be different from any other VLANs used on the switch or the network, and it must not be assigned to any ports or interfaces on the switch 2. The UBT client VLAN is only used internally by the switch for UBT, and it is not visible to the clients or the gateways.

In this scenario, the customer wants to tunnel the clients that pass user authentication to the gateway cluster, where they will be assigned to VLAN 20. Therefore, the switch must have a UBT client VLAN configured that is different from VLAN 20 or any other VLANs on the network. For example, the switch can use VLAN 4000 as the UBT client VLAN, as shown in one of the web search results 3. The switch must also have a UBT zone configured with the system IP addresses of the gateways as the primary and backup controllers, as explained in question 3.

The other options are not correct or relevant for this issue:

Option A is not correct because assigning VLAN 20 as the access VLAN on any edge ports to which tunneled clients might connect would conflict with UBT. The access VLAN is the VLAN that is assigned to untagged traffic on a port, and it is used for local switching on the switch 4. If VLAN 20 is assigned as the access VLAN, then the traffic from the clients will not be tunneled to the gateways, but rather switched locally on VLAN 20. This would defeat the purpose of UBT and cause inconsistency in role and VLAN assignment.
Option C is not correct because VIA licenses are not required for UBT. VIA licenses are required for enabling VPN services on Aruba Mobility Controllers for remote access clients using Aruba Virtual Intranet Access (VIA) software . VIA licenses are not related to UBT or wired clients.
Option D is not correct because changing the port-access auth-mode mode to client-mode on any edge ports to which tunneled clients might connect would not affect UBT. The port-access auth-mode mode determines how a port handles authentication requests from multiple clients connected to a single port . Client-mode is the default mode that allows only one client per port, while multi-client-mode allows multiple clients per port. The port-access auth-mode mode does not affect how UBT works or how traffic is tunneled from a port.

Questions 11

Refer to the scenario.

A customer is migrating from on-prem AD to Azure AD as its sole domain solution. The customer also manages both wired and wireless devices with Microsoft Endpoint Manager (Intune).

The customer wants to improve security for the network edge. You are helping the customer design a ClearPass deployment for this purpose. Aruba network devices will authenticate wireless and wired clients to an Aruba ClearPass Policy Manager (CPPM) cluster (which uses version 6.10).

The customer has several requirements for authentication. The clients should only pass EAP-TLS authentication if a query to Azure AD shows that they have accounts in Azure AD. To further refine the clients’ privileges, ClearPass also should use information collected by Intune to make access control decisions.

You are planning to use Azure AD as the authentication source in 802.1X services.

What should you make sure that the customer understands is required?

Options:

An app registration on Azure AD that references the CPPM's FQDN

Windows 365 subscriptions

CPPM's RADIUS certificate was imported as trusted in the Azure AD directory

Azure AD Domain Services

Buy Now

Questions 12

Refer to the scenario.

A customer has an Aruba ClearPass cluster. The customer has AOS-CX switches that implement 802.1X authentication to ClearPass Policy Manager (CPPM).

Switches are using local port-access policies.

The plan for the enforcement policy and profiles is shown below:

The gateway cluster has two gateways with these IP addresses:

• Gateway 1

o VLAN 4085 (system IP) = 10.20.4.21

o VLAN 20 (users) = 10.20.20.1

o VLAN 4094 (WAN) = 198.51.100.14

• Gateway 2

o VLAN 4085 (system IP) = 10.20.4.22

o VLAN 20 (users) = 10.20.20.2

o VLAN 4094 (WAN) = 198.51.100.12

• VRRP on VLAN 20 = 10.20.20.254

You are setting up the UBT zone on an AOS-CX switch.

Which IP addresses should you define in the zone?

Options:

Primary controller = 10.20.4.21; backup controller = 10.20.4.22

[Primary controller = 198.51.100.14; backup controller = 10.20.4.21

Primary controller = 10 20 4 21: backup controller not defined

Primary controller = 10.20.20.254; backup controller, not defined

Buy Now

Questions 13

A customer needs you to configure Aruba ClearPass Policy Manager (CPPM) to authenticate domain users on domain computers. Domain users, domain computers, and domain controllers receive certificates from a Windows CA. CPPM should validate these certificates and verify that the users and computers have accounts in Windows AD. The customer requires encryption for all communications between CPPM and the domain controllers.

You have imported the root certificate for the Windows CA to the ClearPass CA Trust list.

Which usages should you add to it based on these requirements?

Options:

Radec and Aruba infrastructure

EAP and AD/LDAP Server

EAP and Radsec

LDAP and Aruba infrastructure

Buy Now

Questions 14

A customer has an AOS 10-based solution, including Aruba APs. The customer wants to use Cloud Auth to authenticate non-802.1X capable IoT devices.

What is a prerequisite for setting up the device role mappings?

Options:

Configuring a NetConductor-based fabric

Configuring Device Insight (client profile) tags in Central

Integrating Aruba ClearPass Policy Manager (CPPM) and Device Insight

Creating global role-to-role firewall policies in Central

Buy Now

Questions 15

You are designing an Aruba ClearPass Policy Manager (CPPM) solution for a customer. You learn that the customer has a Palo Alto firewall that filters traffic between clients in the campus and the data center.

Which integration can you suggest?

Options:

Sending Syslogs from the firewall to CPPM to signal CPPM to change the authentication status for misbehaving clients

Importing clients' MAC addresses to configure known clients for MAC authentication more quickly

Establishing a double layer of authentication at both the campus edge and the data center DMZ

Importing the firewall's rules to program downloadable user roles for AOS-CX switches more quickly

Buy Now

Questions 16

Refer to the scenario.

A customer has asked you to review their AOS-CX switches for potential vulnerabilities. The configuration for these switches is shown below:

What is one immediate remediation that you should recommend?

Options:

Changing the switch's DNS server to the mgmt VRF

Setting the clock manually instead of using NTP

Either disabling DHCPv4-snoopinq or leaving it enabled, but also enabling ARP inspection

Disabling Telnet

Buy Now

Questions 17

Refer to the scenario.

# Introduction to the customer

You are helping a company add Aruba ClearPass to their network, which uses Aruba network infrastructure devices.

# Requirements for issuing certificates to mobile clients

The Intune admins intend to create certificate profiles that include a UPN SAN with the UPN of the user who enrolled the device.

# Requirements for authenticating clients

The customer requires all types of clients to connect and authenticate on the same corporate SSID.

The company wants CPPM to use these authentication methods:

EAP-TLS to authenticate users on mobile clients registered in Intune

TEAR, with EAP-TLS as the inner method to authenticate Windows domain computers and the users on them

To succeed, EAP-TLS (standalone or as a TEAP method) clients must meet these requirements:

Their certificate is valid and is not revoked, as validated by OCSP

The client’s username matches an account in AD

# Requirements for assigning clients to roles

After authentication, the customer wants the CPPM to assign clients to ClearPass roles based on the following rules:

Clients with certificates issued by Onboard are assigned the “mobile-onboarded” role

Clients that have passed TEAP Method 1 are assigned the “domain-computer” role

Clients in the AD group “Medical” are assigned the “medical-staff” role

Clients in the AD group “Reception” are assigned to the “reception-staff” role

The customer requires CPPM to assign authenticated clients to AOS firewall roles as follows:

Assign medical staff on mobile-onboarded clients to the “medical-mobile” firewall role

Assign other mobile-onboarded clients to the “mobile-other” firewall role

Assign medical staff on domain computers to the “medical-domain” firewall role

All reception staff on domain computers to the “reception-domain” firewall role

All domain computers with no valid user logged in to the “computer-only” firewall role

Deny other clients access

# Other requirements

Communications between ClearPass servers and on-prem AD domain controllers must be encrypted.

# Network topology

# ClearPass cluster IP addressing and hostnames

A customer’s ClearPass cluster has these IP addresses:

Publisher = 10.47.47.5

Subscriber 1 = 10.47.47.6

Subscriber 2 = 10.47.47.7

Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8

The customer’s DNS server has these entries

cp.acnsxtest.com = 10.47.47.5

cps1.acnsxtest.com = 10.47.47.6

cps2.acnsxtest.com = 10.47.47.7

radius.acnsxtest.com = 10.47.47.8

onboard.acnsxtest.com = 10.47.47.8

On CPPM, you are creating the authentication method shown in the exhibit below:

You will use the method for standalone EAP-TLS and for inner methods in TEAP.

What should you do?

Options:

Configure OCSP override and set the OCSP URL to localhost/onboard/mdps ocspphp/2

Enable certificate comparison.

Enable authorization.

Configure OCSP override and leave the OCSP URL blank.

Buy Now

Questions 18

A customer has an AOS 10 architecture, which includes Aruba APs. Admins have recently enabled WIDS at the high level. They also enabled alerts and email notifications for several events, as shown in the exhibit.

Admins are complaining that they are getting so many emails that they have to ignore them, so they are going to turn off all notifications.

What is one step you could recommend trying first?

Options:

Send the email notifications directly to a specific folder, and only check the folder once a week.

Disable email notifications for Roque AP, but leave the Infrastructure Attack Detected and Client Attack Detected notifications on.

Change the WIDS level to custom, and enable only the checks most likely to indicate real threats.

Disable just the Rogue AP and Client Attack Detected alerts, as they overlap with the Infrastructure Attack Detected alert.

Buy Now

Answer:

Explanation:

According to the AOS 10 documentation1, WIDS is a feature that monitors the radio spectrum for the presence of unauthorized, rogue access points and the use of wireless attack tools. WIDS can be configured at different levels, such as low, medium, high, or custom. The higher the level, the more checks are enabled and the more alerts are generated. However, not all checks are equally relevant or indicative of real threats. Some checks may generate false positives or unnecessary alerts that can overwhelm the administrators and reduce the effectiveness of WIDS.

Therefore, one step that could be recommended to reduce the number of email notifications is to change the WIDS level to custom, and enable only the checks most likely to indicate real threats. This way, the administrators can fine-tune the WIDS settings to suit their network environment and security needs, and avoid getting flooded with irrelevant or redundant alerts. Option C is the correct answer.

Option A is incorrect because sending the email notifications directly to a specific folder and only checking the folder once a week is not a good practice for security management. This could lead to missing or ignoring important alerts that require immediate attention or action. Moreover, this does not solve the problem of getting too many emails in the first place.

Option B is incorrect because disabling email notifications for Rogue AP, but leaving the Infrastructure Attack Detected and Client Attack Detected notifications on, is not a sufficient solution. Rogue APs are unauthorized access points that can pose a serious security risk to the network, as they can be used to intercept or steal sensitive data, launch attacks, or compromise network performance. Therefore, disabling email notifications for Rogue APs could result in missing critical alerts that need to be addressed.

Option D is incorrect because disabling just the Rogue AP and Client Attack Detected alerts, as they overlap with the Infrastructure Attack Detected alert, is not a valid assumption. The Infrastructure Attack Detected alert covers a broad range of attacks that target the network infrastructure, such as deauthentication attacks, spoofing attacks, denial-of-service attacks, etc. The Rogue AP and Client Attack Detected alerts are more specific and focus on detecting and classifying rogue devices and clients that may be involved in such attacks. Therefore, disabling these alerts could result in losing valuable information about the source and nature of the attacks.

ACA - Network Security |

Exam Code: HPE6-A84

Exam Name: Aruba Certified Network Security Expert Written Exam

Last Update: Jul 26, 2024

Questions: 60

HPE6-A84 PDF

$28 ~~$80~~

Add to Cart

HPE6-A84 Testing Engine

$33.25 ~~$95~~

Add to Cart

HPE6-A84 PDF + Testing Engine

$45.5 ~~$130~~

Add to Cart

Summer Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: cramtreat

cramtick logo

Navigation:

Hot Vendors:

HPE6-A84 Aruba Certified Network Security Expert Written Exam Questions and Answers

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Options:

Answer:

Explanation:

HPE6-A84 PDF

HPE6-A84 Testing Engine

HPE6-A84 PDF + Testing Engine

Quick Links

Recently New Released Certification Exams

Site Secure