HPE6-A84 Aruba Certified Network Security Expert Written Exam Questions and Answers

Questions 4

Refer to the scenario.

A customer is using an AOS 10 architecture with Aruba APs and Aruba gateways (two per site). Admins have implemented auto-site clustering for gateways with the default gateway mode disabled. WLANs use tunneled mode to the gateways.

The WLAN security is WPA3-Enterprise with authentication to an Aruba ClearPass Policy Manager (CPPM) cluster VIP. RADIUS communications use RADIUS, not RadSec.

CPPM is using the service shown in the exhibits.

Which step can you take to improve operations during a possible gateway failover event?

Options:

A.

Change the WLANs to mixed-mode forwarding so that you can select multiple gateway clusters.

B.

Set up gateway clusters manually and set VRRP IP addresses for dynamic authorization.

C.

Use auto-group clustering instead of auto-site clustering for the gateways.

D.

Enable default gateway mode for the gateway clusters.

Questions 5

The customer needs a way for users to enroll new wired clients in Intune. The clients should have limited access that only lets them enroll and receive certificates. You plan to set up these rights in an AOS-CX role named “provision.”

The customer’s security team dictates that you must limit these clients’ Internet access to only the necessary sites. Your switch software supports IPv4 and IPv6 addresses for the rules applied in the “provision” role.

What should you recommend?

Options:

A.

Configuring the rules for the “provision” role with IPv6 addresses, which tend to be more stable

B.

Enabling tunneling to the MCs on the “provision” role and then setting up the privileges on the MCs

C.

Configuring the “provision” role as a downloadable user role (DUR) in CPPM

D.

Assigning the “provision” role to a VLAN and then setting up the rules within a Layer 2 access control list (ACL)

Questions 6

Several AOS-CX switches are responding to SNMPv2 GET requests for the public community. The customer only permits SNMPv3. You have asked a network admin to fix this problem. The admin says, “I tried to remove the community, but the CLI output an error.”

What should you recommend to remediate the vulnerability and meet the customer’s requirements?

Options:

A.

Enabling control plane policing to automatically drop SNMP GET requests

B.

Setting the snmp-server settings to “snmpv3-only”

C.

Adding an SNMP community with a long random name

D.

Enabling SNMPv3, which implicitly disables SNMPv1/v2

Questions 7

You are configuring gateway IDS/IPS settings in Aruba Central.

For which reason would you set the Fail Strategy to Bypass?

Options:

A.

To permit traffic if the IPS engine fails to inspect it

B.

To enable the gateway to honor the allowlist settings configured in IDS/IPS policies

C.

To tell gateways to stop enforcing IDS/IPS policies if they lose connectivity to the Internet

D.

To avoid wasting IPS engine resources on filtering traffic for unauthenticated clients

Questions 8

A customer has an AOS 10-based solution, including Aruba APs. The customer wants to use Cloud Auth to authenticate non-802.1X capable IoT devices.

What is a prerequisite for setting up the device role mappings?

Options:

A.

Configuring a NetConductor-based fabric

B.

Configuring Device Insight (client profile) tags in Central

C.

Integrating Aruba ClearPass Policy Manager (CPPM) and Device Insight

D.

Creating global role-to-role firewall policies in Central

Questions 9

You are reviewing an endpoint entry in ClearPass Policy Manager (CPPM) Endpoints Repository.

What is a good sign that someone has been trying to gain unauthorized access to the network?

Options:

A.

The entry shows multiple DHCP options under the fingerprints.

B.

The entry shows an Unknown status.

C.

The entry shows a profile conflict of having a new profile of Computer for a profiled Printer.

D.

The entry lacks a hostname or includes a hostname with long seemingly random characters.

Questions 10

Refer to the scenario.

A customer is using an AOS 10 architecture with Aruba APs and Aruba gateways (two per site). Admins have implemented auto-site clustering for gateways with the default gateway mode disabled. WLANs use tunneled mode to the gateways.

The WLAN security is WPA3-Enterprise with authentication to an Aruba ClearPass Policy Manager (CPPM) cluster VIP. RADIUS communications use RADIUS, not RadSec.

For which devices does CPPM require network device entries?

Options:

A.

For gateways' actual IP addresses and dynamic authorization VRRP addresses

B.

For gateways' actual IP addresses and AP clusters' virtual IP addresses for dynamic authorization

C.

For APs' actual IP addresses

D.

For AP clusters' virtual IP addresses

Questions 11

Refer to the scenario.

A customer has asked you to review their AOS-CX switches for potential vulnerabilities. The configuration for these switches is shown below:

What is one immediate remediation that you should recommend?

Options:

A.

Changing the switch's DNS server to the mgmt VRF

B.

Setting the clock manually instead of using NTP

C.

Either disabling DHCPv4-snooping or leaving it enabled, but also enabling ARP inspection

D.

Disabling Telnet

Questions 12

Refer to the scenario.

# Introduction to the customer

You are helping a company add Aruba ClearPass to their network, which uses Aruba network infrastructure devices.

The company currently has a Windows domain and Windows CA. The Windows CA issues certificates to domain computers, domain users, and servers such as domain controllers. An example of a certificate issued by the Windows CA is shown here.

The company is in the process of adding Microsoft Endpoint Manager (Intune) to manage its mobile clients. The customer is maintaining the on-prem AD for now and uses Azure AD Connect to sync with Azure AD.

# Requirements for issuing certificates to mobile clients

The company wants to use ClearPass Onboard to deploy certificates automatically to mobile clients enrolled in Intune. During this process, Onboard should communicate with Azure AD to validate the clients. High availability should also be provided for this scenario; in other words, clients should be able to get certificates from Subscriber 2 if Subscriber 1 is down.

The Intune admins intend to create certificate profiles that include a UPN SAN with the UPN of the user who enrolled the device.

# Requirements for authenticating clients

The customer requires all types of clients to connect and authenticate on the same corporate SSID.

The company wants CPPM to use these authentication methods:

- EAP-TLS to authenticate users on mobile clients registered in Intune
- TEAP, with EAP-TLS as the inner method to authenticate Windows domain computers and the users on them

To succeed, EAP-TLS (standalone or as a TEAP method) clients must meet these requirements:

- Their certificate is valid and is not revoked, as validated by OCSP
- The client’s username matches an account in AD

# Requirements for assigning clients to roles

After authentication, the customer wants the CPPM to assign clients to ClearPass roles based on the following rules:

- Clients with certificates issued by Onboard are assigned the “mobile-onboarded” role
- Clients that have passed TEAP Method 1 are assigned the “domain-computer” role
- Clients in the AD group “Medical” are assigned the “medical-staff” role
- Clients in the AD group “Reception” are assigned to the “reception-staff” role

The customer requires CPPM to assign authenticated clients to AOS firewall roles as follows:

- Assign medical staff on mobile-onboarded clients to the “medical-mobile” firewall role
- Assign other mobile-onboarded clients to the “mobile-other” firewall role
- Assign medical staff on domain computers to the “medical-domain” firewall role
- All reception staff on domain computers to the “reception-domain” firewall role
- All domain computers with no valid user logged in to the “computer-only” firewall role
- Deny other clients access

# Other requirements

Communications between ClearPass servers and on-prem AD domain controllers must be encrypted.

# Network topology

For the network infrastructure, this customer has Aruba APs and Aruba gateways, which are managed by Central. APs use tunneled WLANs, which tunnel traffic to the gateway cluster. The customer also has AOS-CX switches that are not managed by Central at this point.

# ClearPass cluster IP addressing and hostnames

A customer’s ClearPass cluster has these IP addresses:

- Publisher = 10.47.47.5
- Subscriber 1 = 10.47.47.6
- Subscriber 2 = 10.47.47.7
- Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8

The customer’s DNS server has these entries

- cp.acnsxtest.com = 10.47.47.5
- cps1.acnsxtest.com = 10.47.47.6
- cps2.acnsxtest.com = 10.47.47.7
- radius.acnsxtest.com = 10.47.47.8
- onboard.acnsxtest.com = 10.47.47.8

You cannot see flow attributes for wireless clients.

What should you check?

Options:

A.

Deep packet inspection is enabled on the role to which the Aruba APs assign the wireless clients.

B.

Firewall application visibility is enabled on the Aruba gateways, and the gateways have been rebooted.

C.

Gateway IDS/IPS is enabled on the Aruba gateways, and the gateways have been rebooted.

D.

Deep packet inspection is enabled on the Aruba APs, and the APs have been rebooted.

Questions 13

Refer to the scenario.

A customer is migrating from on-prem AD to Azure AD as its sole domain solution. The customer also manages both wired and wireless devices with Microsoft Endpoint Manager (Intune).

The customer wants to improve security for the network edge. You are helping the customer design a ClearPass deployment for this purpose. Aruba network devices will authenticate wireless and wired clients to an Aruba ClearPass Policy Manager (CPPM) cluster (which uses version 6.10).

The customer has several requirements for authentication. The clients should only pass EAP-TLS authentication if a query to Azure AD shows that they have accounts in Azure AD. To further refine the clients’ privileges, ClearPass also should use information collected by Intune to make access control decisions.

Assume that the Azure AD deployment has the proper prerequisites established.

You are planning the CPPM authentication source that you will reference as the authentication source in 802.1X services.

How should you set up this authentication source?

Options:

A.

As Kerberos type

B.

As Active Directory type

C.

As HTTP type, referencing the Intune extension

D.

As HTTP type, referencing Azure AD's FQDN

Questions 14

A company has Aruba gateways and wants to start implementing gateway IDS/IPS. The customer has selected Block for the Fail Strategy.

What might you recommend to help minimize unexpected outages caused by using this particular fail strategy?

Options:

A.

Configuring a relatively high threshold for the gateway threat count alerts

B.

Making sure that the gateways have formed a cluster and operate in default gateway mode

C.

Setting the IDS or IPS policy to the least restrictive option, Lenient

D.

Enabling alerts and email notifications for events related to gateway IPS engine utilization and errors

Questions 15

Refer to the scenario.

# Introduction to the customer

You are helping a company add Aruba ClearPass to their network, which uses Aruba network infrastructure devices.

The company currently has a Windows domain and Windows CA. The Windows CA issues certificates to domain computers, domain users, and servers such as domain controllers. An example of a certificate issued by the Windows CA is shown here.

The company is in the process of adding Microsoft Endpoint Manager (Intune) to manage its mobile clients. The customer is maintaining the on-prem AD for now and uses Azure AD Connect to sync with Azure AD.

# Requirements for issuing certificates to mobile clients

The company wants to use ClearPass Onboard to deploy certificates automatically to mobile clients enrolled in Intune. During this process, Onboard should communicate with Azure AD to validate the clients. High availability should also be provided for this scenario; in other words, clients should be able to get certificates from Subscriber 2 if Subscriber 1 is down.

The Intune admins intend to create certificate profiles that include a UPN SAN with the UPN of the user who enrolled the device.

# Requirements for authenticating clients

The customer requires all types of clients to connect and authenticate on the same corporate SSID.

The company wants CPPM to use these authentication methods:

- EAP-TLS to authenticate users on mobile clients registered in Intune
- TEAP, with EAP-TLS as the inner method to authenticate Windows domain computers and the users on them

To succeed, EAP-TLS (standalone or as a TEAP method) clients must meet these requirements:

- Their certificate is valid and is not revoked, as validated by OCSP
- The client’s username matches an account in AD

# Requirements for assigning clients to roles

After authentication, the customer wants the CPPM to assign clients to ClearPass roles based on the following rules:

- Clients with certificates issued by Onboard are assigned the “mobile-onboarded” role
- Clients that have passed TEAP Method 1 are assigned the “domain-computer” role
- Clients in the AD group “Medical” are assigned the “medical-staff” role
- Clients in the AD group “Reception” are assigned to the “reception-staff” role

The customer requires CPPM to assign authenticated clients to AOS firewall roles as follows:

- Assign medical staff on mobile-onboarded clients to the “medical-mobile” firewall role
- Assign other mobile-onboarded clients to the “mobile-other” firewall role
- Assign medical staff on domain computers to the “medical-domain” firewall role
- All reception staff on domain computers to the “reception-domain” firewall role
- All domain computers with no valid user logged in to the “computer-only” firewall role
- Deny other clients access

# Other requirements

Communications between ClearPass servers and on-prem AD domain controllers must be encrypted.

# Network topology

For the network infrastructure, this customer has Aruba APs and Aruba gateways, which are managed by Central. APs use tunneled WLANs, which tunnel traffic to the gateway cluster. The customer also has AOS-CX switches that are not managed by Central at this point.

# ClearPass cluster IP addressing and hostnames

A customer’s ClearPass cluster has these IP addresses:

- Publisher = 10.47.47.5
- Subscriber 1 = 10.47.47.6
- Subscriber 2 = 10.47.47.7
- Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8

The customer’s DNS server has these entries

- cp.acnsxtest.com = 10.47.47.5
- cps1.acnsxtest.com = 10.47.47.6
- cps2.acnsxtest.com = 10.47.47.7
- radius.acnsxtest.com = 10.47.47.8
- onboard.acnsxtest.com = 10.47.47.8

The customer needs a secure way for users to enroll their new wireless clients in Intune. You are recommending a new WLAN that will provide the users with limited access for the enrollment.

You have set up captive portal for clients on this WLAN to a web page with instructions for enrolling devices. You will need to add several hostnames to the captive portal allowlist manually.

What is one of those hostnames?

Options:

A.

The hostname used by ClearPass Policy Manager's RADIUS services

B.

The ClearPass Onboard hostname referenced in an Onboard provisioning profile

C.

The ClearPass Onboard hostname referenced in Intune SCEP profiles

D.

The hostname used by the on-prem domain controllers

Questions 16

Refer to the scenario.

A customer has asked you to review their AOS-CX switches for potential vulnerabilities. The configuration for these switches is shown below:

What is one recommendation to make?

Options:

A.

Let the RADIUS server configure VLANs on LAG 1 dynamically.

B.

Use MD5 instead of SHA1 for the NTP authentication key.

C.

Encrypt the certificate in the TA-profile.

D.

Create a control plane ACL to limit the sources that can access the switch with SSH.

Questions 17

Refer to the exhibit.

A customer requires protection against ARP poisoning in VLAN 4. Below are listed all settings for VLAN 4 and the VLAN 4 associated physical interfaces on the AOS-CX access layer switch:

What is one issue with this configuration?

Options:

A.

ARP proxy is not enabled on VLAN 4.

B.

LAG 1 is configured as trusted for ARP inspection but should be untrusted.

C.

DHCP snooping is not enabled on VLAN 4.

D.

Edge ports are not configured as untrusted for ARP inspection.

Questions 18

Refer to the scenario.

# Introduction to the customer

You are helping a company add Aruba ClearPass to their network, which uses Aruba network infrastructure devices.

The company currently has a Windows domain and Windows CA. The Windows CA issues certificates to domain computers, domain users, and servers such as domain controllers. An example of a certificate issued by the Windows CA is shown here.

The company is in the process of adding Microsoft Endpoint Manager (Intune) to manage its mobile clients. The customer is maintaining the on-prem AD for now and uses Azure AD Connect to sync with Azure AD.

# Requirements for issuing certificates to mobile clients

The company wants to use ClearPass Onboard to deploy certificates automatically to mobile clients enrolled in Intune. During this process, Onboard should communicate with Azure AD to validate the clients. High availability should also be provided for this scenario; in other words, clients should be able to get certificates from Subscriber 2 if Subscriber 1 is down.

The Intune admins intend to create certificate profiles that include a UPN SAN with the UPN of the user who enrolled the device.

# Requirements for authenticating clients

The customer requires all types of clients to connect and authenticate on the same corporate SSID.

The company wants CPPM to use these authentication methods:

- EAP-TLS to authenticate users on mobile clients registered in Intune
- TEAP, with EAP-TLS as the inner method to authenticate Windows domain computers and the users on them

To succeed, EAP-TLS (standalone or as a TEAP method) clients must meet these requirements:

- Their certificate is valid and is not revoked, as validated by OCSP
- The client’s username matches an account in AD

# Requirements for assigning clients to roles

After authentication, the customer wants the CPPM to assign clients to ClearPass roles based on the following rules:

- Clients with certificates issued by Onboard are assigned the “mobile-onboarded” role
- Clients that have passed TEAP Method 1 are assigned the “domain-computer” role
- Clients in the AD group “Medical” are assigned the “medical-staff” role
- Clients in the AD group “Reception” are assigned to the “reception-staff” role

The customer requires CPPM to assign authenticated clients to AOS firewall roles as follows:

- Assign medical staff on mobile-onboarded clients to the “medical-mobile” firewall role
- Assign other mobile-onboarded clients to the “mobile-other” firewall role
- Assign medical staff on domain computers to the “medical-domain” firewall role
- All reception staff on domain computers to the “reception-domain” firewall role
- All domain computers with no valid user logged in to the “computer-only” firewall role
- Deny other clients access

# Other requirements

Communications between ClearPass servers and on-prem AD domain controllers must be encrypted.

# Network topology

For the network infrastructure, this customer has Aruba APs and Aruba gateways, which are managed by Central. APs use tunneled WLANs, which tunnel traffic to the gateway cluster. The customer also has AOS-CX switches that are not managed by Central at this point.

# ClearPass cluster IP addressing and hostnames

A customer’s ClearPass cluster has these IP addresses:

- Publisher = 10.47.47.5
- Subscriber 1 = 10.47.47.6
- Subscriber 2 = 10.47.47.7
- Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8

The customer’s DNS server has these entries

- cp.acnsxtest.com = 10.47.47.5
- cps1.acnsxtest.com = 10.47.47.6
- cps2.acnsxtest.com = 10.47.47.7
- radius.acnsxtest.com = 10.47.47.8
- onboard.acnsxtest.com = 10.47.47.8

The customer has now decided that it needs CPPM to assign certain mobile-onboarded devices to a “nurse-call” AOS user role. These are mobile-onboarded devices that are communicating with IP address 10.1.18.12 using port 4343.

What are the prerequisites for fulfilling this requirement?

Options:

A.

Setting up traffic classes and role mapping rules within Central's global settings

B.

Creating server-based role assignment rules on APs that apply roles to clients based on traffic destinations

C.

Creating server-based role assignment rules on gateways that apply roles to clients based on traffic destinations

D.

Creating a tag on Central to select the proper destination connection and integrating CPPM with Device Insight

Exam Code: HPE6-A84
Exam Name: Aruba Certified Network Security Expert Written Exam
Last Update: Dec 21, 2024
Questions: 60