Pass the HP ACA - Network Security HPE6-A84 Questions and answers with ValidTests

Exam HPE6-A84 Premium Access

View all detail and faqs for the HPE6-A84 exam

Go to Exam

Viewing page 2 out of 2 pages

Viewing questions 11-20 out of questions

Questions # 11:

A customer needs you to configure Aruba ClearPass Policy Manager (CPPM) to authenticate domain users on domain computers. Domain users, domain computers, and domain controllers receive certificates from a Windows CA. CPPM should validate these certificates and verify that the users and computers have accounts in Windows AD. The customer requires encryption for all communications between CPPM and the domain controllers.

You have imported the root certificate for the Windows CA to the ClearPass CA Trust list.

Which usages should you add to it based on these requirements?

Options:

Radec and Aruba infrastructure

EAP and AD/LDAP Server

EAP and Radsec

LDAP and Aruba infrastructure

Expert Solution

Questions # 12:

Refer to the scenario.

# Introduction to the customer

You are helping a company add Aruba ClearPass to their network, which uses Aruba network infrastructure devices.

The company currently has a Windows domain and Windows CA. The Window CA issues certificates to domain computers, domain users, and servers such as domain controllers. An example of a certificate issued by the Windows CA is shown here.

Question # 12

The company is in the process of adding Microsoft Endpoint Manager (Intune) to manage its mobile clients. The customer is maintaining the on-prem AD for now and uses Azure AD Connect to sync with Azure AD.

# Requirements for issuing certificates to mobile clients

The company wants to use ClearPass Onboard to deploy certificates automatically to mobile clients enrolled in Intune. During this process, Onboard should communicate with Azure AD to validate the clients. High availability should also be provided for this scenario; in other words, clients should be able to get certificates from Subscriber 2 if Subscriber 1 is down.

The Intune admins intend to create certificate profiles that include a UPN SAN with the UPN of the user who enrolled the device.

# Requirements for authenticating clients

The customer requires all types of clients to connect and authenticate on the same corporate SSID.

The company wants CPPM to use these authentication methods:

Question # 12 EAP-TLS to authenticate users on mobile clients registered in Intune

Question # 12 TEAR, with EAP-TLS as the inner method to authenticate Windows domain computers and the users on them

To succeed, EAP-TLS (standalone or as a TEAP method) clients must meet these requirements:

Question # 12 Their certificate is valid and is not revoked, as validated by OCSP

Question # 12 The client’s username matches an account in AD

# Requirements for assigning clients to roles

After authentication, the customer wants the CPPM to assign clients to ClearPass roles based on the following rules:

Question # 12 Clients with certificates issued by Onboard are assigned the “mobile-onboarded” role

Question # 12 Clients that have passed TEAP Method 1 are assigned the “domain-computer” role

Question # 12 Clients in the AD group “Medical” are assigned the “medical-staff” role

Question # 12 Clients in the AD group “Reception” are assigned to the “reception-staff” role

The customer requires CPPM to assign authenticated clients to AOS firewall roles as follows:

Question # 12 Assign medical staff on mobile-onboarded clients to the “medical-mobile” firewall role

Question # 12 Assign other mobile-onboarded clients to the “mobile-other” firewall role

Question # 12 Assign medical staff on domain computers to the “medical-domain” firewall role

Question # 12 All reception staff on domain computers to the “reception-domain” firewall role

Question # 12 All domain computers with no valid user logged in to the “computer-only” firewall role

Question # 12 Deny other clients access

# Other requirements

Communications between ClearPass servers and on-prem AD domain controllers must be encrypted.

# Network topology

For the network infrastructure, this customer has Aruba APs and Aruba gateways, which are managed by Central. APs use tunneled WLANs, which tunnel traffic to the gateway cluster. The customer also has AOS-CX switches that are not managed by Central at this point.

Question # 12

# ClearPass cluster IP addressing and hostnames

A customer’s ClearPass cluster has these IP addresses:

Question # 12 Publisher = 10.47.47.5

Question # 12 Subscriber 1 = 10.47.47.6

Question # 12 Subscriber 2 = 10.47.47.7

Question # 12 Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8

The customer’s DNS server has these entries

Question # 12 cp.acnsxtest.com = 10.47.47.5

Question # 12 cps1.acnsxtest.com = 10.47.47.6

Question # 12 cps2.acnsxtest.com = 10.47.47.7

Question # 12 radius.acnsxtest.com = 10.47.47.8

Question # 12 onboard.acnsxtest.com = 10.47.47.8

The customer needs a secure way for users to enroll their new wireless clients in Intune. You are recommending a new WLAN that will provide the users with limited access for the enrollment.

You have set up captive portal for clients on this WLAN to a web page with instructions for enrolling devices. You will need to add several hostnames to the captive portal allowlist manually.

What is one of those hostnames?

Options:

The hostname used by ClearPass Policy ManaGer's RADIUS services

The ClearPass Onboard hostname referenced in an Onboard provisioninG profile

The ClearPass Onboard hostname referenced in Intune SCEP profiles

The hostname used by the on-prem domain controllers

Expert Solution

Questions # 13:

A customer has an AOS 10 architecture, which includes Aruba APs. Admins have recently enabled WIDS at the high level. They also enabled alerts and email notifications for several events, as shown in the exhibit.

Question # 13

Admins are complaining that they are getting so many emails that they have to ignore them, so they are going to turn off all notifications.

What is one step you could recommend trying first?

Options:

Send the email notifications directly to a specific folder, and only check the folder once a week.

Disable email notifications for Roque AP, but leave the Infrastructure Attack Detected and Client Attack Detected notifications on.

Change the WIDS level to custom, and enable only the checks most likely to indicate real threats.

Disable just the Rogue AP and Client Attack Detected alerts, as they overlap with the Infrastructure Attack Detected alert.

Expert Solution

Answer

Explanation

According to the AOS 10 documentation1, WIDS is a feature that monitors the radio spectrum for the presence of unauthorized, rogue access points and the use of wireless attack tools. WIDS can be configured at different levels, such as low, medium, high, or custom. The higher the level, the more checks are enabled and the more alerts are generated. However, not all checks are equally relevant or indicative of real threats. Some checks may generate false positives or unnecessary alerts that can overwhelm the administrators and reduce the effectiveness of WIDS.

Therefore, one step that could be recommended to reduce the number of email notifications is to change the WIDS level to custom, and enable only the checks most likely to indicate real threats. This way, the administrators can fine-tune the WIDS settings to suit their network environment and security needs, and avoid getting flooded with irrelevant or redundant alerts. Option C is the correct answer.

Option A is incorrect because sending the email notifications directly to a specific folder and only checking the folder once a week is not a good practice for security management. This could lead to missing or ignoring important alerts that require immediate attention or action. Moreover, this does not solve the problem of getting too many emails in the first place.

Option B is incorrect because disabling email notifications for Rogue AP, but leaving the Infrastructure Attack Detected and Client Attack Detected notifications on, is not a sufficient solution. Rogue APs are unauthorized access points that can pose a serious security risk to the network, as they can be used to intercept or steal sensitive data, launch attacks, or compromise network performance. Therefore, disabling email notifications for Rogue APs could result in missing critical alerts that need to be addressed.

Option D is incorrect because disabling just the Rogue AP and Client Attack Detected alerts, as they overlap with the Infrastructure Attack Detected alert, is not a valid assumption. The Infrastructure Attack Detected alert covers a broad range of attacks that target the network infrastructure, such as deauthentication attacks, spoofing attacks, denial-of-service attacks, etc. The Rogue AP and Client Attack Detected alerts are more specific and focus on detecting and classifying rogue devices and clients that may be involved in such attacks. Therefore, disabling these alerts could result in losing valuable information about the source and nature of the attacks.

Questions # 14:

A company has Aruba gateways and wants to start implementing gateway IDS/IPS. The customer has selected Block for the Fail Strategy.

What might you recommend to help minimize unexpected outages caused by using this particular fall strategy?

Options:

Configuring a relatively high threshold for the gateway threat count alerts

Making sure that the gateways have formed a cluster and operate in default gateway mode

Setting the IDS or IPS policy to the least restrictive option, Lenient

Enabling alerts and email notifications for events related to gateway IPS engine utilization and errors

Expert Solution

Answer

Explanation

The correct answer is D. Enabling alerts and email notifications for events related to gateway IPS engine utilization and errors.

Gateway IDS/IPS is a feature that allows the Aruba gateways to monitor and block malicious or unwanted traffic based on predefined or custom rules 1. The Fail Strategy is a setting that determines how the gateways handle traffic when the IPS engine fails or crashes 2. The Block option means that the gateways will stop forwarding traffic until the IPS engine recovers, while the Bypass option means that the gateways will continue forwarding traffic without inspection 2.

The Block option provides more security, but it also increases the risk of network outages if the IPS engine fails frequently or for a long time 2. To minimize this risk, it is recommended to enable alerts and email notifications for events related to gateway IPS engine utilization and errors 3. This way, the network administrators can be informed of any issues with the IPS engine and take appropriate actions to restore or troubleshoot it 3.

The other options are not correct or relevant for this issue:

Option A is not correct because configuring a relatively high threshold for the gateway threat count alerts would not help minimize unexpected outages caused by using the Block option. The gateway threat count alerts are used to notify the network administrators of the number of threats detected by the IPS engine, but they do not affect how the gateways handle traffic when the IPS engine fails 4.

Option B is not correct because making sure that the gateways have formed a cluster and operate in default gateway mode would not help minimize unexpected outages caused by using the Block option. The gateway cluster mode is used to provide high availability and load balancing for the gateways, but it does not affect how the gateways handle traffic when the IPS engine fails . The default gateway mode is used to enable routing and NAT functions on the gateways, but it does not affect how the gateways handle traffic when the IPS engine fails .

Option C is not correct because setting the IDS or IPS policy to the least restrictive option, Lenient, would not help minimize unexpected outages caused by using the Block option. The IDS or IPS policy is used to define what rules are applied by the IPS engine to inspect and block traffic, but it does not affect how the gateways handle traffic when the IPS engine fails 2. The Lenient option contains fewer and older rules than the Moderate or Strict options, which means that it provides less security and more false negatives .

Questions # 15:

Refer to the scenario.

A customer has an Aruba ClearPass cluster. The customer has AOS-CX switches that implement 802.1X authentication to ClearPass Policy Manager (CPPM).

Switches are using local port-access policies.

The customer wants to start tunneling wired clients that pass user authentication only to an Aruba gateway cluster. The gateway cluster should assign these clients to the “eth-internet" role. The gateway should also handle assigning clients to their VLAN, which is VLAN 20.

The plan for the enforcement policy and profiles is shown below:

Question # 15

The gateway cluster has two gateways with these IP addresses:

• Gateway 1

o VLAN 4085 (system IP) = 10.20.4.21

o VLAN 20 (users) = 10.20.20.1

o VLAN 4094 (WAN) = 198.51.100.14

• Gateway 2

o VLAN 4085 (system IP) = 10.20.4.22

o VLAN 20 (users) = 10.20.20.2

o VLAN 4094 (WAN) = 198.51.100.12

• VRRP on VLAN 20 = 10.20.20.254

The customer requires high availability for the tunnels between the switches and the gateway cluster. If one gateway falls, the other gateway should take over its tunnels. Also, the switch should be able to discover the gateway cluster regardless of whether one of the gateways is in the cluster.

What is one change that you should make to the solution?

Options:

Change the ubt-client-vlan to VLAN 13.

Configure edge ports in VLAN trunk mode.

Remove VLAN assignments from role configurations on the gateways.

Configure the UBT solution to use VLAN extend mode.

Expert Solution

Questions # 16:

Refer to the scenario.

# Introduction to the customer

You are helping a company add Aruba ClearPass to their network, which uses Aruba network infrastructure devices.

Question # 16

# Requirements for issuing certificates to mobile clients

The Intune admins intend to create certificate profiles that include a UPN SAN with the UPN of the user who enrolled the device.

# Requirements for authenticating clients

The customer requires all types of clients to connect and authenticate on the same corporate SSID.

The company wants CPPM to use these authentication methods:

Question # 16 EAP-TLS to authenticate users on mobile clients registered in Intune

Question # 16 TEAR, with EAP-TLS as the inner method to authenticate Windows domain computers and the users on them

To succeed, EAP-TLS (standalone or as a TEAP method) clients must meet these requirements:

Question # 16 Their certificate is valid and is not revoked, as validated by OCSP

Question # 16 The client’s username matches an account in AD

# Requirements for assigning clients to roles

After authentication, the customer wants the CPPM to assign clients to ClearPass roles based on the following rules:

Question # 16 Clients with certificates issued by Onboard are assigned the “mobile-onboarded” role

Question # 16 Clients that have passed TEAP Method 1 are assigned the “domain-computer” role

Question # 16 Clients in the AD group “Medical” are assigned the “medical-staff” role

Question # 16 Clients in the AD group “Reception” are assigned to the “reception-staff” role

The customer requires CPPM to assign authenticated clients to AOS firewall roles as follows:

Question # 16 Assign medical staff on mobile-onboarded clients to the “medical-mobile” firewall role

Question # 16 Assign other mobile-onboarded clients to the “mobile-other” firewall role

Question # 16 Assign medical staff on domain computers to the “medical-domain” firewall role

Question # 16 All reception staff on domain computers to the “reception-domain” firewall role

Question # 16 All domain computers with no valid user logged in to the “computer-only” firewall role

Question # 16 Deny other clients access

# Other requirements

Communications between ClearPass servers and on-prem AD domain controllers must be encrypted.

# Network topology

Question # 16

# ClearPass cluster IP addressing and hostnames

A customer’s ClearPass cluster has these IP addresses:

Question # 16 Publisher = 10.47.47.5

Question # 16 Subscriber 1 = 10.47.47.6

Question # 16 Subscriber 2 = 10.47.47.7

Question # 16 Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8

The customer’s DNS server has these entries

Question # 16 cp.acnsxtest.com = 10.47.47.5

Question # 16 cps1.acnsxtest.com = 10.47.47.6

Question # 16 cps2.acnsxtest.com = 10.47.47.7

Question # 16 radius.acnsxtest.com = 10.47.47.8

Question # 16 onboard.acnsxtest.com = 10.47.47.8

You have started to create a CA to meet the customer’s requirements for issuing certificates to mobile clients, as shown in the exhibit below.

Question # 16

What change will help to meet those requirements and the requirements for authenticating clients?

Options:

Change the EST authentication method to use an external validator.

Change the EST Digest Algorithm to SHA-512.

Recreate the CA as a registration authority under Azure AD.

Specify an OCSP responder, setting the hostname to localhost.

Expert Solution

Questions # 17:

A company has an Aruba ClearPass server at 10.47.47.8, FQDN radius.acnsxtest.local. This exhibit shows ClearPass Policy Manager's (CPPM's) settings for an Aruba Mobility Controller (MC).

Question # 17

The MC is already configured with RADIUS authentication settings for CPPM, and RADIUS requests between the MC and CPPM are working. A network admin enters and commits this command to enable dynamic authorization on the MC:

aaa rfc-3576-server 10.47.47.8

But when CPPM sends CoA requests to the MC, they are not working. This exhibit shows the RFC 3576 server statistics on the MC:

Question # 17

How could you fix this issue?

Options:

Change the UDP port in the MCs’ RFC 3576 server config to 3799.

Enable RadSec on the MCs’ RFC 3676 server config.

Configure the MC to obtain the time from a valid NTP server.

Make sure that CPPM is using an ArubaOS Wireless RADIUS CoA enforcement profile.

Expert Solution

Questions # 18:

Refer to the scenario.

# Introduction to the customer

You are helping a company add Aruba ClearPass to their network, which uses Aruba network infrastructure devices.

Question # 18

# Requirements for issuing certificates to mobile clients

The Intune admins intend to create certificate profiles that include a UPN SAN with the UPN of the user who enrolled the device.

# Requirements for authenticating clients

The customer requires all types of clients to connect and authenticate on the same corporate SSID.

The company wants CPPM to use these authentication methods:

Question # 18 EAP-TLS to authenticate users on mobile clients registered in Intune

Question # 18 TEAR, with EAP-TLS as the inner method to authenticate Windows domain computers and the users on them

To succeed, EAP-TLS (standalone or as a TEAP method) clients must meet these requirements:

Question # 18 Their certificate is valid and is not revoked, as validated by OCSP

Question # 18 The client’s username matches an account in AD

# Requirements for assigning clients to roles

After authentication, the customer wants the CPPM to assign clients to ClearPass roles based on the following rules:

Question # 18 Clients with certificates issued by Onboard are assigned the “mobile-onboarded” role

Question # 18 Clients that have passed TEAP Method 1 are assigned the “domain-computer” role

Question # 18 Clients in the AD group “Medical” are assigned the “medical-staff” role

Question # 18 Clients in the AD group “Reception” are assigned to the “reception-staff” role

The customer requires CPPM to assign authenticated clients to AOS firewall roles as follows:

Question # 18 Assign medical staff on mobile-onboarded clients to the “medical-mobile” firewall role

Question # 18 Assign other mobile-onboarded clients to the “mobile-other” firewall role

Question # 18 Assign medical staff on domain computers to the “medical-domain” firewall role

Question # 18 All reception staff on domain computers to the “reception-domain” firewall role

Question # 18 All domain computers with no valid user logged in to the “computer-only” firewall role

Question # 18 Deny other clients’ access

# Other requirements

Communications between ClearPass servers and on-prem AD domain controllers must be encrypted.

# Network topology

Question # 18

# ClearPass cluster IP addressing and hostnames

A customer’s ClearPass cluster has these IP addresses:

Question # 18 Publisher = 10.47.47.5

Question # 18 Subscriber 1 = 10.47.47.6

Question # 18 Subscriber 2 = 10.47.47.7

Question # 18 Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8

The customer’s DNS server has these entries

Question # 18 cp.acnsxtest.com = 10.47.47.5

Question # 18 cps1.acnsxtest.com = 10.47.47.6

Question # 18 cps2.acnsxtest.com = 10.47.47.7

Question # 18 radius.acnsxtest.com = 10.47.47.8

Question # 18 onboard.acnsxtest.com = 10.47.47.8

You have created a role mapping policy as shown in the exhibits below.

Question # 18

What is one change that you need to make to this policy?

Options:

In rule 1 change Subject-CN to Issuer-CN.

Move rules 2 and 3 to the top of the list.

Change the rules evaluation mechanism to first applicable.

Change the default role to 'mobile-onboarded*

Expert Solution

Viewing page 2 out of 2 pages

Viewing questions 11-20 out of questions

Pre-Summer Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: validbest

Pass the HP ACA - Network Security HPE6-A84 Questions and answers with ValidTests

Exam HPE6-A84 Premium Access

Options:

Options:

Options:

Options:

Options:

Options:

Options:

Options: