
HPE6-A84 Aruba Certified Network Security Expert Written Exam Questions and Answers

Question 4

Refer to the scenario.

An organization wants the AOS-CX switch to trigger an alert if its RADIUS server (cp.acnsxtest.local) rejects an unusual number of client authentication requests per hour. After some discussions with other Aruba admins, you are still not sure how many rejections are usual or unusual. You expect that the value could be different on each switch.

You are helping the developer understand how to develop an NAE script for this use case.

The developer explains that they plan to define the rule with logic like this:

monitor > value

However, the developer asks you what value to include.

What should you recommend?

Options:

A.

Checking one of the access switches' RADIUS statistics and adding 10 to the number listed for rejects

B.

Defining a baseline and referring to it for the value

C.

Using 10 (per hour) as a good starting point for the value

D.

Defining a parameter and referring to it (self.params['name']) for the value

Question 5

Refer to the scenario.

# Introduction to the customer

You are helping a company add Aruba ClearPass to their network, which uses Aruba network infrastructure devices.

The company currently has a Windows domain and Windows CA. The Windows CA issues certificates to domain computers, domain users, and servers such as domain controllers. An example of a certificate issued by the Windows CA is shown here.

[Exhibit: example certificate issued by the Windows CA]

The company is in the process of adding Microsoft Endpoint Manager (Intune) to manage its mobile clients. The customer is maintaining the on-prem AD for now and uses Azure AD Connect to sync with Azure AD.

# Requirements for issuing certificates to mobile clients

The company wants to use ClearPass Onboard to deploy certificates automatically to mobile clients enrolled in Intune. During this process, Onboard should communicate with Azure AD to validate the clients. High availability should also be provided for this scenario; in other words, clients should be able to get certificates from Subscriber 2 if Subscriber 1 is down.

The Intune admins intend to create certificate profiles that include a UPN SAN with the UPN of the user who enrolled the device.

# Requirements for authenticating clients

The customer requires all types of clients to connect and authenticate on the same corporate SSID.

The company wants CPPM to use these authentication methods:

• EAP-TLS to authenticate users on mobile clients registered in Intune

• TEAP, with EAP-TLS as the inner method, to authenticate Windows domain computers and the users on them

To succeed, EAP-TLS (standalone or as a TEAP method) clients must meet these requirements:

• Their certificate is valid and is not revoked, as validated by OCSP

• The client’s username matches an account in AD

# Requirements for assigning clients to roles

After authentication, the customer wants the CPPM to assign clients to ClearPass roles based on the following rules:

• Clients with certificates issued by Onboard are assigned the “mobile-onboarded” role

• Clients that have passed TEAP Method 1 are assigned the “domain-computer” role

• Clients in the AD group “Medical” are assigned the “medical-staff” role

• Clients in the AD group “Reception” are assigned the “reception-staff” role

The customer requires CPPM to assign authenticated clients to AOS firewall roles as follows:

• Assign medical staff on mobile-onboarded clients to the “medical-mobile” firewall role

• Assign other mobile-onboarded clients to the “mobile-other” firewall role

• Assign medical staff on domain computers to the “medical-domain” firewall role

• Assign all reception staff on domain computers to the “reception-domain” firewall role

• Assign all domain computers with no valid user logged in to the “computer-only” firewall role

• Deny other clients access

# Other requirements

Communications between ClearPass servers and on-prem AD domain controllers must be encrypted.

# Network topology

For the network infrastructure, this customer has Aruba APs and Aruba gateways, which are managed by Central. APs use tunneled WLANs, which tunnel traffic to the gateway cluster. The customer also has AOS-CX switches that are not managed by Central at this point.

[Exhibit: network topology]

# ClearPass cluster IP addressing and hostnames

The customer’s ClearPass cluster has these IP addresses:

• Publisher = 10.47.47.5

• Subscriber 1 = 10.47.47.6

• Subscriber 2 = 10.47.47.7

• Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8

The customer’s DNS server has these entries:

• cp.acnsxtest.com = 10.47.47.5

• cps1.acnsxtest.com = 10.47.47.6

• cps2.acnsxtest.com = 10.47.47.7

• radius.acnsxtest.com = 10.47.47.8

• onboard.acnsxtest.com = 10.47.47.8

On CPPM, you are creating the authentication method shown in the exhibit below:

[Exhibit: EAP-TLS authentication method settings in CPPM]

You will use the method for standalone EAP-TLS and for inner methods in TEAP.

What should you do?

Options:

A.

Configure OCSP override and set the OCSP URL to localhost/onboard/mdps_ocsp.php/2

B.

Enable certificate comparison.

C.

Enable authorization.

D.

Configure OCSP override and leave the OCSP URL blank.

Question 6

When would you implement BPDU protection on an AOS-CX switch port versus BPDU filtering?

Options:

A.

Use BPDU protection on edge ports to protect against rogue devices when the switch implements MSTP; use BPDU filtering to protect against rogue devices when the switch implements PVSTP+.

B.

Use BPDU protection on edge ports to prevent rogue devices from connecting; use BPDU filtering on inter-switch ports for specialized use cases.

C.

Use BPDU protection on inter-switch ports to ensure that they are selected as root; use BPDU filtering on edge ports to prevent rogue devices from connecting.

D.

Use BPDU protection on edge ports to permanently lock out rogue devices; use BPDU filtering on edge ports to temporarily lock out rogue devices.

Question 7

Refer to the exhibit.

[Exhibit: not reproduced in this extract]

Which IP address should you record as a possibly compromised client?

Options:

A.

10.1.26.151

B.

10.1J.100

C.

10.1.26.1

D.

10.254.1.21

Question 8

Refer to the exhibit.

[Exhibit: traffic capture, not reproduced in this extract]

Which security issue is possibly indicated by this traffic capture?

Options:

A.

An attempt at a DoS attack by a device acting as an unauthorized DNS server

B.

A port scan being run on the 10.1.7.0/24 subnet

C.

A command and control channel established with DNS tunneling

D.

An ARP poisoning or man-in-the-middle attempt by the device at 94:60:d5:bf:36:40

Question 9

Refer to the scenario.

A customer is migrating from on-prem AD to Azure AD as its sole domain solution. The customer also manages both wired and wireless devices with Microsoft Endpoint Manager (Intune).

The customer wants to improve security for the network edge. You are helping the customer design a ClearPass deployment for this purpose. Aruba network devices will authenticate wireless and wired clients to an Aruba ClearPass Policy Manager (CPPM) cluster (which uses version 6.10).

The customer has several requirements for authentication. The clients should only pass EAP-TLS authentication if a query to Azure AD shows that they have accounts in Azure AD. To further refine the clients’ privileges, ClearPass also should use information collected by Intune to make access control decisions.

The customer wants you to configure CPPM to collect information from Intune on demand during the authentication process.

What should you tell the Intune admins about the certificates issued to clients?

Options:

A.

They must be issued by a well-known, trusted CA.

B.

They must include the Intune ID in the subject name.

C.

They must include the client MAC address in the subject name.

D.

They must be issued by a ClearPass Onboard CA.

Question 10

You want to use Device Insight tags as conditions within CPPM role mapping or enforcement policy rules.

What guidelines should you follow?

Options:

A.

Create an HTTP authentication source to the Central API that queries for the tags. To use that source as the type for rule conditions, add it an authorization source for the service in question.

B.

Use the Application type for the rule conditions; no extra authorization source is required for services that use policies with these rules.

C.

Use the Endpoints Repository type for the rule conditions; Add Endpoints Repository as a secondary authentication source for services that use policies with these rules.

D.

Use the Endpoint type for the rule conditions; no extra authorization source is required for services that use policies with these rules.

Question 11

A customer has an AOS 10 architecture, consisting of Aruba AP and AOS-CX switches, managed by Aruba Central. The customer wants to obtain information about the clients, such as their general category and OS.

What should you explain?

Options:

A.

The customer must deploy Aruba gateways in order to receive any client profiling information.

B.

You will need to set up Aruba Central as a secondary IP helper for client VLANs, but this will not interfere with existing operations.

C.

Aruba Central will automatically derive this information using telemetry from the Aruba devices.

D.

The customer should set up a dedicated switch VSX group to sniff packets and direct them to Aruba Central.

Question 12

How does Aruba Central handle security for site-to-site connections between AOS 10 gateways?

Options:

A.

It uses Aruba proprietary integrity and encryption technologies to secure site-to-site connections, making them resistant to zero-day attacks.

B.

It automatically establishes IPsec tunnels for all site-to-site (all HUBs and Branches) connections using keys securely distributed by Central.

C.

It automatically steers traffic away from Internet-based connections to more secure MPLS connections to reduce encryption overhead.

D.

It automatically establishes simple-to-manage and highly secure TLSv1.3 tunnels between gateways.

Question 13

Refer to the exhibit.

[Exhibit: not reproduced in this extract]

A customer requires protection against ARP poisoning in VLAN 4. Below are listed all settings for VLAN 4 and the VLAN 4 associated physical interfaces on the AOS-CX access layer switch:

[Exhibit: VLAN 4 and associated interface settings on the access switch, not reproduced in this extract]

What is one issue with this configuration?

Options:

A.

ARP proxy is not enabled on VLAN 4.

B.

LAG 1 is configured as trusted for ARP inspection but should be untrusted.

C.

DHCP snooping is not enabled on VLAN 4.

D.

Edge ports are not configured as untrusted for ARP inspection.
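The check a practitioner would run against a configuration like the one in the exhibit: on AOS-CX, ARP inspection validates ARP packets arriving on untrusted ports against the DHCP snooping binding table, so the binding table for VLAN 4 only exists if DHCP snooping is enabled globally and on VLAN 4, the uplink that carries DHCP server replies is trusted, and edge ports are left untrusted. The fragment below is an added example of that layered setup, not the exhibit's configuration or Aruba documentation; the interface and LAG numbers and the descriptions are assumptions.

```text
dhcpv4-snooping
vlan 4
    dhcpv4-snooping
    arp inspection
interface lag 1
    description uplink-to-distribution
    dhcpv4-snooping trust
    arp inspection trust
interface 1/1/1
    description edge-port-untrusted
    no dhcpv4-snooping trust
    no arp inspection trust
```

The two `no ... trust` lines on the edge port are the defaults and are shown only to make the intent explicit; trusting an edge port would let a client answer DHCP requests and send unvalidated ARP, which is exactly the poisoning path ARP inspection is meant to close. Hosts on VLAN 4 with static addresses have no DHCP lease and therefore no binding, so they need a static binding entry or ARP inspection will drop their ARP. After applying, confirm that leases appear in `show dhcpv4-snooping binding` before trusting that ARP inspection has anything to validate against.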

Question 14

Refer to the scenario.

You are helping a customer define an NAE script for AOS-CX switches. The script will monitor statistics from a RADIUS server defined on the switch. You want to future proof the script by enabling admins to select a different hostname or IP address for the monitored RADIUS server when they create an agent from the script.

What should you recommend?

Options:

A.

Use this variable, %{radius-ip}, when defining the monitor URI in the NAE agent script.

B.

Define a parameter for the RADIUS server; reference that parameter instead of the server name/ip when defining the monitor URI.

C.

Use a callback action to collect the name of any RADIUS servers defined on the switch at the time the agent is created.

D.

Make the script editable so that admins can edit it on demand when they are creating scripts.
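Questions 4 and 14 turn on the same design point: the monitored RADIUS server and the alert threshold should be agent parameters (NAE hands these to the script through self.params[...]) rather than literals baked into the script, and when nobody knows what "usual" is, the threshold should come from a per-switch baseline. The Python below is an added example, not an NAE script from this page or from Aruba: it models the rule logic such an agent would evaluate, with a constructed counter history and sample readings. The parameter names, the REST path template in build_monitor_uri, and the baseline constants are assumptions.

```python
"""Rule logic for 'unusual RADIUS rejects per hour' on one switch.

Added example (not an Aruba NAE script). The parameter names, REST path
template, history and counter readings below are all constructed.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed: the values an admin would set per agent when instantiating
# the script. A threshold of 0 means "derive it from this switch's baseline".
DEFAULT_PARAMS = {
    "radius_server": "cp.acnsxtest.local",  # hostname or IP, chosen per agent
    "reject_threshold": 0,
}


def build_monitor_uri(params):
    """Substitute the server from the parameter instead of hard-coding it.

    The path template is an assumption for illustration; take the real
    AOS-CX REST path for RADIUS statistics from the switch API reference.
    """
    server = params["radius_server"]
    return f"/rest/v10.08/system/radius_servers/{server}?attributes=statistics"


@dataclass(frozen=True)
class Sample:
    ts: int              # epoch seconds when the counter was read
    access_rejects: int  # cumulative reject counter as the switch reports it


def rejects_per_hour(prev, curr):
    """Hourly rate from two cumulative readings; a counter that goes down
    means the switch or counter was reset, so count from zero again."""
    seconds = curr.ts - prev.ts
    if seconds <= 0:
        raise ValueError("samples must be in increasing time order")
    delta = curr.access_rejects - prev.access_rejects
    if delta < 0:
        delta = curr.access_rejects
    return delta * 3600 / seconds


def baseline_threshold(history, k=3.0, floor=5):
    """Per-switch threshold = mean + k * stddev of past hourly reject rates.
    'floor' stops a nearly idle switch from alerting on a handful of rejects."""
    if len(history) < 2:
        return float(floor)
    return max(float(floor), mean(history) + k * pstdev(history))


def effective_threshold(params, history):
    """A fixed parameter wins if set; otherwise fall back to the baseline."""
    fixed = params.get("reject_threshold", 0)
    if fixed and fixed > 0:
        return float(fixed)
    return baseline_threshold(history)


def should_alert(params, history, prev, curr):
    """Returns (alert?, observed rate, threshold used)."""
    rate = rejects_per_hour(prev, curr)
    threshold = effective_threshold(params, history)
    return rate > threshold, rate, threshold


# Constructed: six previous hourly reject rates observed on this switch.
HISTORY = [2.0, 3.0, 1.0, 4.0, 2.0, 3.0]


def demo(params=DEFAULT_PARAMS):
    """Three constructed hour-apart readings: quiet hour, reject storm,
    and a counter reset (e.g. after the RADIUS server entry was re-added)."""
    prev = Sample(ts=0, access_rejects=1200)
    return {
        "quiet": should_alert(params, HISTORY, prev, Sample(3600, 1203)),
        "storm": should_alert(params, HISTORY, prev, Sample(3600, 1260)),
        "reset": should_alert(params, HISTORY, prev, Sample(3600, 7)),
    }


if __name__ == "__main__":
    print(build_monitor_uri(DEFAULT_PARAMS))
    for name, (alert, rate, thr) in demo().items():
        print(f"{name:6s} rate={rate:5.1f}/h threshold={thr:4.1f} alert={alert}")
```

The reset branch matters in practice: without it, a switch reboot or a re-created RADIUS server entry produces a large negative delta that either never alerts or, if the absolute value is used, alerts once on nothing. The baseline is deliberately per switch, which is the reason copying one access switch's counter plus a constant does not transfer to the others.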

Question 15

Refer to the scenario.

The scenario is the same as for Question 5 above (customer introduction, certificate and authentication requirements, role assignment rules, network topology, and ClearPass cluster addressing and hostnames).

You have started to create a CA to meet the customer’s requirements for issuing certificates to mobile clients, as shown in the exhibit below.

[Exhibit: Onboard CA settings, not reproduced in this extract]

What change will help to meet those requirements and the requirements for authenticating clients?

Options:

A.

Change the EST authentication method to use an external validator.

B.

Change the EST Digest Algorithm to SHA-512.

C.

Recreate the CA as a registration authority under Azure AD.

D.

Specify an OCSP responder, setting the hostname to localhost.

Question 16

Refer to the scenario.

A customer has an Aruba ClearPass cluster. The customer has AOS-CX switches that implement 802.1X authentication to ClearPass Policy Manager (CPPM).

Switches are using local port-access policies.

The customer wants to start tunneling wired clients that pass user authentication only to an Aruba gateway cluster. The gateway cluster should assign these clients to the “eth-internet” role. The gateway should also handle assigning clients to their VLAN, which is VLAN 20.

The plan for the enforcement policy and profiles is shown below:

[Exhibit: planned enforcement policy and profiles, not reproduced in this extract]

The gateway cluster has two gateways with these IP addresses:

• Gateway 1

o VLAN 4085 (system IP) = 10.20.4.21

o VLAN 20 (users) = 10.20.20.1

o VLAN 4094 (WAN) = 198.51.100.14

• Gateway 2

o VLAN 4085 (system IP) = 10.20.4.22

o VLAN 20 (users) = 10.20.20.2

o VLAN 4094 (WAN) = 198.51.100.12

• VRRP on VLAN 20 = 10.20.20.254

The customer requires high availability for the tunnels between the switches and the gateway cluster. If one gateway fails, the other gateway should take over its tunnels. Also, the switch should be able to discover the gateway cluster regardless of whether one of the gateways is in the cluster.

Assume that you have configured the correct UBT zone and port-access role settings. However, the solution is not working.

What else should you make sure to do?

Options:

A.

Assign VLAN 20 as the access VLAN on any edge ports to which tunneled clients might connect.

B.

Create a new VLAN on the AOS-CX switch and configure that VLAN as the UBT client VLAN.

C.

Assign sufficient VIA licenses to the gateways based on the number of wired clients that will connect.

D.

Change the port-access auth-mode mode to client-mode on any edge ports to which tunneled clients might connect.

Question 17

Refer to the scenario.

The scenario is the same as for Question 5 above (customer introduction, certificate and authentication requirements, role assignment rules, network topology, and ClearPass cluster addressing and hostnames).

You have created a role mapping policy as shown in the exhibits below.

[Exhibit: role mapping policy rules, not reproduced in this extract]

What is one change that you need to make to this policy?

Options:

A.

In rule 1 change Subject-CN to Issuer-CN.

B.

Move rules 2 and 3 to the top of the list.

C.

Change the rules evaluation mechanism to first applicable.

D.

Change the default role to 'mobile-onboarded'.

Question 18

Refer to the scenario.

The scenario is the same as for Question 16 above (AOS-CX switches authenticating to CPPM, tunneling only user-authenticated wired clients to the gateway cluster, the planned enforcement policy, and the gateway cluster addressing and high-availability requirements listed there).

Assume that you are using the “myzone” name for the UBT zone.

Which is a valid minimal configuration for the AOS-CX port-access roles?

Options:

A.

port-access role eth-internet
    gateway-zone zone myzone gateway-role eth-user

B.

port-access role internet-only
    gateway-zone zone myzone gateway-role eth-internet

C.

port-access role eth-internet
    gateway-zone zone myzone gateway-role eth-internet
    vlan access 20

D.

port-access role internet-only
    gateway-zone zone myzone gateway-role eth-internet
    vlan access 20
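For the UBT scenario behind Questions 16 and 18, this is the minimal switch-side configuration as an added example, not the exam's answer key or Aruba documentation. The zone name myzone and the gateway system IPs 10.20.4.21 and 10.20.4.22 come from the scenario; the UBT client VLAN ID 4000 and the local role name internet-only are assumptions.

```text
vlan 4000
    name ubt-client-vlan
ubt-client-vlan 4000
ubt zone myzone vrf default
    primary-controller ip 10.20.4.21
    backup-controller ip 10.20.4.22
    enable
port-access role internet-only
    gateway-zone zone myzone gateway-role eth-internet
```

Three points a practitioner would check here. The UBT client VLAN is an internal placeholder for tunneled clients and must be a VLAN that is otherwise unused on the switch; it is not VLAN 20, and the role carries no `vlan access 20` because the gateway assigns VLAN 20 after the client is tunneled. The local role name is arbitrary, but the `gateway-role` value must match the role name defined on the gateways (eth-internet in the scenario). Because the scenario tunnels only clients that pass user authentication, the CPPM enforcement profile must return this role (in the Aruba-User-Role VSA) only on user authentication, not on machine-only authentication. After applying, `show ubt state` shows whether the zone has a reachable controller and `show ubt users` lists the tunneled clients.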

Exam Code: HPE6-A84
Exam Name: Aruba Certified Network Security Expert Written Exam
Last Update: May 13, 2024
Questions: 60
