• Home
  • Articles
  • [UPDATED 2024] Read HPE6-A84 Study Guide Cover to Cover as Literally [Q10-Q30]

[UPDATED 2024] Read HPE6-A84 Study Guide Cover to Cover as Literally [Q10-Q30]

Share

[UPDATED 2024] Read HPE6-A84 Study Guide Cover to Cover as Literally

100% Real & Accurate HPE6-A84 Questions and Answers with Free and Fast Updates

NEW QUESTION # 10
Refer to the exhibit.

Which security issue is possibly indicated by this traffic capture?

  • A. A command and control channel established with DNS tunneling
  • B. An attempt at a DoS attack by a device acting as an unauthorized DNS server
  • C. A port scan being run on the 10.1.7.0/24 subnet
  • D. An ARP poisoning or man-in-the-middle attempt by the device at 94:60:d5:bf:36:40

Answer: C


NEW QUESTION # 11
A customer has an AOS 10 architecture, which includes Aruba APs. Admins have recently enabled WIDS at the high level. They also enabled alerts and email notifications for several events, as shown in the exhibit.

Admins are complaining that they are getting so many emails that they have to ignore them, so they are going to turn off all notifications.
What is one step you could recommend trying first?

  • A. Send the email notifications directly to a specific folder, and only check the folder once a week.
  • B. Change the WIDS level to custom, and enable only the checks most likely to indicate real threats.
  • C. Disable email notifications for Roque AP, but leave the Infrastructure Attack Detected and Client Attack Detected notifications on.
  • D. Disable just the Rogue AP and Client Attack Detected alerts, as they overlap with the Infrastructure Attack Detected alert.

Answer: B

Explanation:
Explanation
According to the AOS 10 documentation1, WIDS is a feature that monitors the radio spectrum for the presence of unauthorized, rogue access points and the use of wireless attack tools. WIDS can be configured at different levels, such as low, medium, high, or custom. The higher the level, the more checks are enabled and the more alerts are generated. However, not all checks are equally relevant or indicative of real threats. Some checks may generate false positives or unnecessary alerts that can overwhelm the administrators and reduce the effectiveness of WIDS.
Therefore, one step that could be recommended to reduce the number of email notifications is to change the WIDS level to custom, and enable only the checks most likely to indicate real threats. This way, the administrators can fine-tune the WIDS settings to suit their network environment and security needs, and avoid getting flooded with irrelevant or redundant alerts. Option C is the correct answer.
Option A is incorrect because sending the email notifications directly to a specific folder and only checking the folder once a week is not a good practice for security management. This could lead to missing or ignoring important alerts that require immediate attention or action. Moreover, this does not solve the problem of getting too many emails in the first place.
Option B is incorrect because disabling email notifications for Rogue AP, but leaving the Infrastructure Attack Detected and Client Attack Detected notifications on, is not a sufficient solution. Rogue APs are unauthorized access points that can pose a serious security risk to the network, as they can be used to intercept or steal sensitive data, launch attacks, or compromise network performance. Therefore, disabling email notifications for Rogue APs could result in missing critical alerts that need to be addressed.
Option D is incorrect because disabling just the Rogue AP and Client Attack Detected alerts, as they overlap with the Infrastructure Attack Detected alert, is not a valid assumption. The Infrastructure Attack Detected alert covers a broad range of attacks that target the network infrastructure, such as deauthentication attacks, spoofing attacks, denial-of-service attacks, etc. The Rogue AP and Client Attack Detected alerts are more specific and focus on detecting and classifying rogue devices and clients that may be involved in such attacks.
Therefore, disabling these alerts could result in losing valuable information about the source and nature of the attacks.


NEW QUESTION # 12
A customer has an AOS 10 architecture, consisting of Aruba AP and AOS-CX switches, managed by Aruba Central. The customer wants to obtain information about the clients, such as their general category and OS.
What should you explain?

  • A. You will need to set up Aruba Central as a secondary IP helper for client VLANs, but this will not interfere with existing operations.
  • B. Aruba Central will automatically derive this information using telemetry from the Aruba devices.
  • C. The customer should set up a dedicated switch VSX group to sniff packets and direct them to Aruba Central.
  • D. The customer must deploy Aruba gateways in order to receive any client profiling information.

Answer: B

Explanation:
Explanation
Aruba Central can provide visibility and profiling of clients using the Client Insights feature, which is an AI-powered solution that uses native infrastructure telemetry to identify and classify clients based on their OS and general category. This feature does not require any additional hardware or software, such as gateways, IP helpers, or packet sniffers. It works by collecting and analyzing data from the Aruba APs and AOS-CX switches that are managed by Aruba Central. You can find more information about Client Insights in the Visibility and profiling solutions | HPE Aruba Networking page and the Clients Profile - Aruba page.


NEW QUESTION # 13
The customer needs a way for users to enroll new wired clients in Intune. The clients should have limited access that only lets them enroll and receive certificates. You plan to set up these rights in an AOS-CX role named "provision." The customer's security team dictates that you must limit these clients' Internet access to only the necessary sites. Your switch software supports IPv4 and IPv6 addresses for the rules applied in the "provision" role.
What should you recommend?

  • A. Configuring the rules for the "provision" role with IPv6 addresses, which tend to be more stable
  • B. Configuring the "provision" role as a downloadable user role (DUR) in CPPM
  • C. Assigning the "provision" role to a VLAN and then setting up the rules within a Layer 2 access control list (ACL)
  • D. Enabling tunneling to the MCs on the "provision" role and then setting up the privileges on the MCs

Answer: B


NEW QUESTION # 14
Refer to the scenario.
A customer is migrating from on-prem AD to Azure AD as its sole domain solution. The customer also manages both wired and wireless devices with Microsoft Endpoint Manager (Intune).
The customer wants to improve security for the network edge. You are helping the customer design a ClearPass deployment for this purpose. Aruba network devices will authenticate wireless and wired clients to an Aruba ClearPass Policy Manager (CPPM) cluster (which uses version 6.10).
The customer has several requirements for authentication. The clients should only pass EAP-TLS authentication if a query to Azure AD shows that they have accounts in Azure AD. To further refine the clients' privileges, ClearPass also should use information collected by Intune to make access control decisions.
Assume that the Azure AD deployment has the proper prerequisites established.
You are planning the CPPM authentication source that you will reference as the authentication source in
802.1X services.
How should you set up this authentication source?

  • A. As Kerberos type
  • B. AS HTTP type, referencing Azure AD's FODN
  • C. As HTTP type, referencing the Intune extension
  • D. As Active Directory type

Answer: B

Explanation:
Explanation
An authentication source is a configuration element in CPPM that defines how to connect to an external identity provider and retrieve user or device information . CPPM supports various types of authentication sources, such as Active Directory, LDAP, SQL, Kerberos, and HTTP .
To authenticate wireless and wired clients to Azure AD, you need to set up an authentication source as HTTP type, referencing Azure AD's FQDN . This type of authentication source allows CPPM to use REST API calls to communicate with Azure AD and validate the user or device credentials . You also need to configure the OAuth 2.0 settings for the authentication source, such as the client ID, client secret, token URL, and resource URL .
To use information collected by Intune to make access control decisions, you need to set up another authentication source as HTTP type, referencing the Intune extension . This type of authentication source allows CPPM to use REST API calls to communicate with Intune and retrieve the device compliance status .
You also need to configure the OAuth 2.0 settings for the authentication source, such as the client ID, client secret, token URL, and resource URL .


NEW QUESTION # 15
The customer needs a way for users to enroll new wired clients in Intune. The clients should have limited access that only lets them enroll and receive certificates. You plan to set up these rights in an AOS-CX role named "provision." The customer's security team dictates that you must limit these clients' Internet access to only the necessary sites. Your switch software supports IPv4 and IPv6 addresses for the rules applied in the "provision" role.
What should you recommend?

  • A. Configuring the rules for the "provision" role with IPv6 addresses, which tend to be more stable
  • B. Configuring the "provision" role as a downloadable user role (DUR) in CPPM
  • C. Assigning the "provision" role to a VLAN and then setting up the rules within a Layer 2 access control list (ACL)
  • D. Enabling tunneling to the MCs on the "provision" role and then setting up the privileges on the MCs

Answer: B

Explanation:
Explanation
This is because a downloadable user role (DUR) is a feature that allows the switch to use a central ClearPass server to download user-roles to the switch for authenticated users12 A DUR can contain various attributes and rules that define the access level and privileges of the user, such as VLAN, ACL, PoE, reauthentication period, etc3 A DUR can also be customized and updated on the ClearPass server without requiring any changes on the switch1 A DUR can be used to create a "provision" role that allows users to enroll new wired clients in Intune. The
"provision" role can have limited access that only lets them enroll and receive certificates from the Intune service. The "provision" role can also have rules that restrict the Internet access of the users to only the necessary sites, such as the Intune portal and the certificate authority. The rules can be based on IPv4 or IPv6 addresses, depending on the network configuration and preference2
A: Configuring the rules for the "provision" role with IPv6 addresses, which tend to be more stable. This is not a valid recommendation because it does not address how to create and apply the "provision" role on the switch. Moreover, IPv6 addresses do not necessarily tend to be more stable than IPv4 addresses, as both protocols have their own advantages and disadvantages4
B: Enabling tunneling to the MCs on the "provision" role and then setting up the privileges on the MCs. This is not a valid recommendation because it does not explain how to enable tunneling or what MCs are. Moreover, tunneling is a technique that encapsulates one network protocol within another, which adds complexity and overhead to the network communication5
D: Assigning the "provision" role to a VLAN and then setting up the rules within a Layer 2 access control list (ACL). This is not a valid recommendation because it does not explain how to assign a role to a VLAN or how to create a Layer 2 ACL on the switch. Moreover, a Layer 2 ACL is limited in its filtering capabilities, as it can only match on MAC addresses or Ethernet types, which might not be sufficient for restricting Internet access to specific sites


NEW QUESTION # 16
Refer to the scenario.
A customer has an Aruba ClearPass cluster. The customer has AOS-CX switches that implement 802.1X authentication to ClearPass Policy Manager (CPPM).
Switches are using local port-access policies.
The customer wants to start tunneling wired clients that pass user authentication only to an Aruba gateway cluster. The gateway cluster should assign these clients to the "eth-internet" role. The gateway should also handle assigning clients to their VLAN, which is VLAN 20.
The plan for the enforcement policy and profiles is shown below:

The gateway cluster has two gateways with these IP addresses:
* Gateway 1
o VLAN 4085 (system IP) = 10.20.4.21
o VLAN 20 (users) = 10.20.20.1
o VLAN 4094 (WAN) = 198.51.100.14
* Gateway 2
o VLAN 4085 (system IP) = 10.20.4.22
o VLAN 20 (users) = 10.20.20.2
o VLAN 4094 (WAN) = 198.51.100.12
* VRRP on VLAN 20 = 10.20.20.254
The customer requires high availability for the tunnels between the switches and the gateway cluster. If one gateway falls, the other gateway should take over its tunnels. Also, the switch should be able to discover the gateway cluster regardless of whether one of the gateways is in the cluster.
Assume that you have configured the correct UBT zone and port-access role settings. However, the solution is not working.
What else should you make sure to do?

  • A. Create a new VLAN on the AOS-CX switch and configure that VLAN as the UBT client VLAN.
  • B. Assign VLAN 20 as the access VLAN on any edge ports to which tunneled clients might connect.
  • C. Assign sufficient VIA licenses to the gateways based on the number of wired clients that will connect.
  • D. Change the port-access auth-mode mode to client-mode on any edge ports to which tunneled clients might connect.

Answer: A

Explanation:
Explanation
The correct answer is B. Create a new VLAN on the AOS-CX switch and configure that VLAN as the UBT client VLAN.
User-based tunneling (UBT) is a feature that allows the AOS-CX switches to tunnel the traffic from wired clients to a mobility gateway cluster, where they can be assigned a role and a VLAN based on their authentication and authorization 1. To enable UBT, the switches need to have a UBT zone configured with the IP addresses of the gateways, and a UBT client VLAN configured with the ubt-client-vlan command 2.
The UBT client VLAN is a special VLAN that is used to encapsulate the traffic from the tunneled clients before sending it to the gateways. The UBT client VLAN must be different from any other VLANs used on the switch or the network, and it must not be assigned to any ports or interfaces on the switch 2. The UBT client VLAN is only used internally by the switch for UBT, and it is not visible to the clients or the gateways.
In this scenario, the customer wants to tunnel the clients that pass user authentication to the gateway cluster, where they will be assigned to VLAN 20. Therefore, the switch must have a UBT client VLAN configured that is different from VLAN 20 or any other VLANs on the network. For example, the switch can use VLAN
4000 as the UBT client VLAN, as shown in one of the web search results 3. The switch must also have a UBT zone configured with the system IP addresses of the gateways as the primary and backup controllers, as explained in question 3.
The other options are not correct or relevant for this issue:
Option A is not correct because assigning VLAN 20 as the access VLAN on any edge ports to which tunneled clients might connect would conflict with UBT. The access VLAN is the VLAN that is assigned to untagged traffic on a port, and it is used for local switching on the switch 4. If VLAN 20 is assigned as the access VLAN, then the traffic from the clients will not be tunneled to the gateways, but rather switched locally on VLAN 20. This would defeat the purpose of UBT and cause inconsistency in role and VLAN assignment.
Option C is not correct because VIA licenses are not required for UBT. VIA licenses are required for enabling VPN services on Aruba Mobility Controllers for remote access clients using Aruba Virtual Intranet Access (VIA) software . VIA licenses are not related to UBT or wired clients.
Option D is not correct because changing the port-access auth-mode mode to client-mode on any edge ports to which tunneled clients might connect would not affect UBT. The port-access auth-mode mode determines how a port handles authentication requests from multiple clients connected to a single port .
Client-mode is the default mode that allows only one client per port, while multi-client-mode allows multiple clients per port. The port-access auth-mode mode does not affect how UBT works or how traffic is tunneled from a port.


NEW QUESTION # 17
A customer needs you to configure Aruba ClearPass Policy Manager (CPPM) to authenticate domain users on domain computers. Domain users, domain computers, and domain controllers receive certificates from a Windows CA. CPPM should validate these certificates and verify that the users and computers have accounts in Windows AD. The customer requires encryption for all communications between CPPM and the domain controllers.
You have imported the root certificate for the Windows CA to the ClearPass CA Trust list.
Which usages should you add to it based on these requirements?

  • A. Radec and Aruba infrastructure
  • B. EAP and AD/LDAP Server
  • C. LDAP and Aruba infrastructure
  • D. EAP and Radsec

Answer: D


NEW QUESTION # 18
Refer to the scenario.
A customer requires these rights for clients in the "medical-mobile" AOS firewall role on Aruba Mobility Controllers (MCs):
* Permitted to receive IP addresses with DHCP
* Permitted access to DNS services from 10.8.9.7 and no other server
* Permitted access to all subnets in the 10.1.0.0/16 range except denied access to 10.1.12.0/22 Denied access to other 10.0.0.0/8 subnets
* Permitted access to the Internet
Denied access to the WLAN for a period of time if they send any SSH traffic Denied access to the WLAN for a period of time if they send any Telnet traffic Denied access to all high-risk websites External devices should not be permitted to initiate sessions with "medical-mobile" clients, only send return traffic.
The exhibits below show the configuration for the role.

What setting not shown in the exhibit must you check to ensure that the requirements of the scenario are met?

  • A. That denylisting is enabled globally on the MCs' firewalls
  • B. That AppRF and WebCC are enabled globally and on the medical-mobile role
  • C. That stateful handling of traffic is enabled globally on the MCs' firewalls and on the medical-mobile role.
  • D. That the MCs are assigned RF Protect licenses

Answer: B

Explanation:
Explanation
AppRF and WebCC are features that allow the MCs to classify and control application traffic and web content based on predefined or custom categories 12. These features are required to meet the scenario requirements of denying access to all high-risk websites and denying access to the WLAN for a period of time if they send any SSH or Telnet traffic.
To enable AppRF and WebCC, you need to check the following settings:
On the global level, you need to enable AppRF and WebCC under Configuration > Services > AppRF and Configuration > Services On the role level, you need to enable AppRF and WebCC under Configuration > Security > Access Control > Roles > medical-mobile > AppRF and Configuration > Security > Access Control > Roles > medical-mobile > WebCC, respectively 12.
You also need to make sure that the MCs have valid licenses for AppRF and WebCC, which are included in the ArubaOS PEFNG license 3.


NEW QUESTION # 19
Refer to the scenario.
# Introduction to the customer
You are helping a company add Aruba ClearPass to their network, which uses Aruba network infrastructure devices.
The company currently has a Windows domain and Windows CA. The Window CA issues certificates to domain computers, domain users, and servers such as domain controllers. An example of a certificate issued by the Windows CA is shown here.


The company is in the process of adding Microsoft Endpoint Manager (Intune) to manage its mobile clients.
The customer is maintaining the on-prem AD for now and uses Azure AD Connect to sync with Azure AD.
# Requirements for issuing certificates to mobile clients
The company wants to use ClearPass Onboard to deploy certificates automatically to mobile clients enrolled in Intune. During this process, Onboard should communicate with Azure AD to validate the clients. High availability should also be provided for this scenario; in other words, clients should be able to get certificates from Subscriber 2 if Subscriber 1 is down.
The Intune admins intend to create certificate profiles that include a UPN SAN with the UPN of the user who enrolled the device.
# Requirements for authenticating clients
The customer requires all types of clients to connect and authenticate on the same corporate SSID.
The company wants CPPM to use these authentication methods:
EAP-TLS to authenticate users on mobile clients registered in Intune
TEAR, with EAP-TLS as the inner method to authenticate Windows domain computers and the users on them To succeed, EAP-TLS (standalone or as a TEAP method) clients must meet these requirements:
Their certificate is valid and is not revoked, as validated by OCSP
The client's username matches an account in AD
# Requirements for assigning clients to roles
After authentication, the customer wants the CPPM to assign clients to ClearPass roles based on the following rules:
Clients with certificates issued by Onboard are assigned the "mobile-onboarded" role Clients that have passed TEAP Method 1 are assigned the "domain-computer" role Clients in the AD group "Medical" are assigned the "medical-staff" role Clients in the AD group "Reception" are assigned to the "reception-staff" role The customer requires CPPM to assign authenticated clients to AOS firewall roles as follows:
Assign medical staff on mobile-onboarded clients to the "medical-mobile" firewall role Assign other mobile-onboarded clients to the "mobile-other" firewall role Assign medical staff on domain computers to the "medical-domain" firewall role All reception staff on domain computers to the "reception-domain" firewall role All domain computers with no valid user logged in to the "computer-only" firewall role Deny other clients access
# Other requirements
Communications between ClearPass servers and on-prem AD domain controllers must be encrypted.
# Network topology
For the network infrastructure, this customer has Aruba APs and Aruba gateways, which are managed by Central. APs use tunneled WLANs, which tunnel traffic to the gateway cluster. The customer also has AOS-CX switches that are not managed by Central at this point.

# ClearPass cluster IP addressing and hostnames
A customer's ClearPass cluster has these IP addresses:
Publisher = 10.47.47.5
Subscriber 1 = 10.47.47.6
Subscriber 2 = 10.47.47.7
Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8
The customer's DNS server has these entries
cp.acnsxtest.com = 10.47.47.5
cps1.acnsxtest.com = 10.47.47.6
cps2.acnsxtest.com = 10.47.47.7
radius.acnsxtest.com = 10.47.47.8
onboard.acnsxtest.com = 10.47.47.8
You have imported the root certificate for the Windows CA to the ClearPass CA Trust list.
Which usages should you add to it based on the scenario requirements?

  • A. EAP and Radsec
  • B. Radsec and Aruba infrastructure
  • C. EAP and AD/LDAP Server
  • D. LDAP and Aruba infrastructure

Answer: C


NEW QUESTION # 20
Refer to the scenario.
An organization wants the AOS-CX switch to trigger an alert if its RADIUS server (cp.acnsxtest.local) rejects an unusual number of client authentication requests per hour. After some discussions with other Aruba admins, you are still not sure how many rejections are usual or unusual. You expect that the value could be different on each switch.
You are helping the developer understand how to develop an NAE script for this use case.
You are helping a customer define an NAE script for AOS-CX switches. The script will monitor statistics from a RADIUS server defined on the switch. You want to future proof the script by enabling admins to select a different hostname or IP address for the monitored RADIUS server when they create an agent from the script.
What should you recommend?

  • A. Use a callback action to collect the name of any RADIUS servers defined on the switch at the time the agent is created.
  • B. Use this variable, %{radius-ipV when defining the monitor URI in the NAE agent script.
  • C. Make the script editable so that admins can edit it on demand when they are creating scripts.
  • D. Define a parameter for the RADIUS server; reference that parameter instead of the server name/ip when defining the monitor URI.

Answer: D


NEW QUESTION # 21
Refer to the scenario.
A customer has an AOS10 architecture that is managed by Aruba Central. Aruba infrastructure devices authenticate clients to an Aruba ClearPass cluster.
In Aruba Central, you are examining network traffic flows on a wireless IoT device that is categorized as
"Raspberry Pi" clients. You see SSH traffic. You then check several more wireless IoT clients and see that they are sending SSH also.
You want a fast way to find a list of all the IoT clients that have used SSH.
What step can you take?

  • A. Run a search for SSH traffic and loT client IDs in Aruba ClearPass Policy Manager's (CPPM's) accounting information.
  • B. Use Central's Live Events monitoring tool to detect which clients meet the desired criteria.
  • C. Use Central's Gateway IDS/IPS Security Dashboard to search for SSH events and sources.
  • D. Create and apply a Central client profile tag that selects the SSH application and the clients' category.

Answer: D


NEW QUESTION # 22
Refer to the exhibit.

Which security issue is possibly indicated by this traffic capture?

  • A. A command and control channel established with DNS tunneling
  • B. An attempt at a DoS attack by a device acting as an unauthorized DNS server
  • C. An ARP poisoning or man-in-the-middle attempt by the device at 94:60:d5:bf:36:40
  • D. A port scan being run on the 10.1.7.0/24 subnet

Answer: A

Explanation:
Explanation
DNS tunneling is a technique that abuses the DNS protocol to tunnel data or commands between a compromised host and an attacker's server. DNS tunneling can be used to establish a command and control channel, which allows the attacker to remotely control the malware or exfiltrate data from the infected host1 The traffic capture in the exhibit shows some signs of DNS tunneling. The source IP address is 10.1.7.2, which is likely an internal host behind a firewall. The destination IP address is 8.8.8.8, which is a public DNS resolver. The DNS queries are for subdomains of badsite.com, which is likely a malicious domain registered by the attacker. The subdomains have long and random names, such as
0x2a0x2a0x2a0x2a0x2a0x2a0x2a0x2a.badsite.com, which could be used to encode data or commands. The DNS responses have large sizes, such as 512 bytes, which could be used to carry data or commands back to the host2


NEW QUESTION # 23
Refer to the scenario.
A customer requires these rights for clients in the "medical-mobile" AOS firewall role on Aruba Mobility Controllers (MCs):
Permitted to r* eceive IP addresses with DHCP
* Permitted access to DNS services from 10.8.9.7 and no other server
* Permitted access to all subnets in the 10.1.0.0/16 range except denied access to 10.1.12.0/22
* Denied access to other 10.0.0.0/8 subnets
* Permitted access to the Internet
* Denied access to the WLAN for a period of time if they send any SSH traffic
* Denied access to the WLAN for a period of time if they send any Telnet traffic
* Denied access to all high-risk websites
External devices should not be permitted to initiate sessions with "medical-mobile" clients, only send return traffic.
The exhibits below show the configuration for the role.

There are multiple issues with this configuration. What is one change you must make to meet the scenario requirements? (In the options, rules in a policy are referenced from top to bottom. For example,
"medical-mobile" rule 1 is "ipv4 any any svc-dhcp permit," and rule 8 is "ipv4 any any any permit".)

  • A. In the "medical-mobile" policy, change the source in rule 8 to "user."
  • B. Move the rule in the "apprf-medical-mobile-sacl" policy between rules 7 and 8 in the "medical-mobile" policy.
  • C. In the "medical-mobile" policy, move rules 2 and 3 between rules 7 and 8.
  • D. In the "medical-mobile" policy, change the subnet mask in rule 3 to 255.255.248.0.

Answer: D

Explanation:
Explanation
The subnet mask in rule 3 of the "medical-mobile" policy is currently 255.255.252.0, which means that the rule denies access to the 10.1.12.0/22 subnet as well as the adjacent 10.1.16.0/22 subnet 1. This is not consistent with the scenario requirements, which state that only the 10.1.12.0/22 subnet should be denied access, while the rest of the 10.1.0.0/16 range should be permitted access.
To fix this issue, the subnet mask in rule 3 should be changed to 255.255.248.0, which means that the rule only denies access to the 10.1.8.0/21 subnet, which includes the 10.1.12.0/22 subnet 1. This way, the rule matches the scenario requirements more precisely.


NEW QUESTION # 24
Refer to the scenario.
A customer requires these rights for clients in the "medical-mobile" AOS firewall role on Aruba Mobility Controllers (MCs):
Permitted to receive IP addresses with DHCP
Permitted access to DNS services from 10.8.9.7 and no other server
Permitted access to all subnets in the 10.1.0.0/16 range except denied access to 10.1.12.0/22 Denied access to other 10.0.0.0/8 subnets Permitted access to the Internet Denied access to the WLAN for a period of time if they send any SSH traffic Denied access to the WLAN for a period of time if they send any Telnet traffic Denied access to all high-risk websites External devices should not be permitted to initiate sessions with "medical-mobile" clients, only send return traffic.
The exhibits below show the configuration for the role.

There are multiple issues with the configuration.
What is one of the changes that you must make to the policies to meet the scenario requirements? (In the options, rules in a policy are referenced from top to bottom. For example, "medical-mobile" rule 1 is "ipv4 any any svc-dhcp permit," and rule 8 is "ipv4 any any any permit'.)

  • A. In the "medical-mobile" policy, move rules 6 and 7 to the top of the list.
  • B. Move the rule in the "apprf-medical-mobile-sacl" policy between rules 7 and 8 in the "medical-mobile" policy.
  • C. In the "medical-mobile" policy, change the source in rule 1 to "user."
  • D. In the "medical-mobile" policy, change the subnet mask in rule 3 to 255.255.248.0.

Answer: D


NEW QUESTION # 25
Refer to the scenario.
# Introduction to the customer
You are helping a company add Aruba ClearPass to their network, which uses Aruba network infrastructure devices.
The company currently has a Windows domain and Windows CA. The Window CA issues certificates to domain computers, domain users, and servers such as domain controllers. An example of a certificate issued by the Windows CA is shown here.


The company is in the process of adding Microsoft Endpoint Manager (Intune) to manage its mobile clients.
The customer is maintaining the on-prem AD for now and uses Azure AD Connect to sync with Azure AD.
# Requirements for issuing certificates to mobile clients
The company wants to use ClearPass Onboard to deploy certificates automatically to mobile clients enrolled in Intune. During this process, Onboard should communicate with Azure AD to validate the clients. High availability should also be provided for this scenario; in other words, clients should be able to get certificates from Subscriber 2 if Subscriber 1 is down.
The Intune admins intend to create certificate profiles that include a UPN SAN with the UPN of the user who enrolled the device.
# Requirements for authenticating clients
The customer requires all types of clients to connect and authenticate on the same corporate SSID.
The company wants CPPM to use these authentication methods:
EAP-TLS to authenticate users on mobile clients registered in Intune
TEAR, with EAP-TLS as the inner method to authenticate Windows domain computers and the users on them To succeed, EAP-TLS (standalone or as a TEAP method) clients must meet these requirements:
Their certificate is valid and is not revoked, as validated by OCSP
The client's username matches an account in AD
# Requirements for assigning clients to roles
After authentication, the customer wants the CPPM to assign clients to ClearPass roles based on the following rules:
Clients with certificates issued by Onboard are assigned the "mobile-onboarded" role Clients that have passed TEAP Method 1 are assigned the "domain-computer" role Clients in the AD group "Medical" are assigned the "medical-staff" role Clients in the AD group "Reception" are assigned to the "reception-staff" role The customer requires CPPM to assign authenticated clients to AOS firewall roles as follows:
Assign medical staff on mobile-onboarded clients to the "medical-mobile" firewall role Assign other mobile-onboarded clients to the "mobile-other" firewall role Assign medical staff on domain computers to the "medical-domain" firewall role All reception staff on domain computers to the "reception-domain" firewall role All domain computers with no valid user logged in to the "computer-only" firewall role Deny other clients access
# Other requirements
Communications between ClearPass servers and on-prem AD domain controllers must be encrypted.
# Network topology
For the network infrastructure, this customer has Aruba APs and Aruba gateways, which are managed by Central. APs use tunneled WLANs, which tunnel traffic to the gateway cluster. The customer also has AOS-CX switches that are not managed by Central at this point.

# ClearPass cluster IP addressing and hostnames
A customer's ClearPass cluster has these IP addresses:
Publisher = 10.47.47.5
Subscriber 1 = 10.47.47.6
Subscriber 2 = 10.47.47.7
Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8
The customer's DNS server has these entries
cp.acnsxtest.com = 10.47.47.5
cps1.acnsxtest.com = 10.47.47.6
cps2.acnsxtest.com = 10.47.47.7
radius.acnsxtest.com = 10.47.47.8
onboard.acnsxtest.com = 10.47.47.8
On CPPM, you are creating the authentication method shown in the exhibit below:

You will use the method for standalone EAP-TLS and for inner methods in TEAP.
What should you do?

  • A. Configure OCSP override and set the OCSP URL to localhost/onboard/mdps ocspphp/2
  • B. Enable authorization.
  • C. Enable certificate comparison.
  • D. Configure OCSP override and leave the OCSP URL blank.

Answer: A


NEW QUESTION # 26
You are setting up Aruba ClearPass Policy Manager (CPPM) to enforce EAP-TLS authentication with Active Directory as the authentication source. The company wants to prevent users with disabled accounts from connecting even if those users still have valid certificates.
As the first part of meeting these criteria, what should you do to enable CPPM to determine where accounts are enabled in AD or not?

  • A. Add a custom attribute for userAccountControl to the filters in the AD authentication source.
  • B. Enable OCSP in the EAP-TLS authentication method settings and configure an OCSP override to the domain controller FQDN.
  • C. Add an Endpoint Context Server to the domain controller with actions for querying the domain controller for account status.
  • D. Install a Microsoft Active Directory extension in Aruba ClearPass Guest and set up an HTTP authentication source that points to that extension.

Answer: A


NEW QUESTION # 27
A company has Aruba gateways and wants to start implementing gateway IDS/IPS. The customer has selected Block for the Fail Strategy.
What might you recommend to help minimize unexpected outages caused by using this particular fall strategy?

  • A. Setting the IDS or IPS policy to the least restrictive option, Lenient
  • B. Making sure that the gateways have formed a cluster and operate in default gateway mode
  • C. Configuring a relatively high threshold for the gateway threat count alerts
  • D. Enabling alerts and email notifications for events related to gateway IPS engine utilization and errors

Answer: D

Explanation:
Explanation
The correct answer is D. Enabling alerts and email notifications for events related to gateway IPS engine utilization and errors.
Gateway IDS/IPS is a feature that allows the Aruba gateways to monitor and block malicious or unwanted traffic based on predefined or custom rules 1. The Fail Strategy is a setting that determines how the gateways handle traffic when the IPS engine fails or crashes 2. The Block option means that the gateways will stop forwarding traffic until the IPS engine recovers, while the Bypass option means that the gateways will continue forwarding traffic without inspection 2.
The Block option provides more security, but it also increases the risk of network outages if the IPS engine fails frequently or for a long time 2. To minimize this risk, it is recommended to enable alerts and email notifications for events related to gateway IPS engine utilization and errors 3. This way, the network administrators can be informed of any issues with the IPS engine and take appropriate actions to restore or troubleshoot it 3.
The other options are not correct or relevant for this issue:
Option A is not correct because configuring a relatively high threshold for the gateway threat count alerts would not help minimize unexpected outages caused by using the Block option. The gateway threat count alerts are used to notify the network administrators of the number of threats detected by the IPS engine, but they do not affect how the gateways handle traffic when the IPS engine fails 4.
Option B is not correct because making sure that the gateways have formed a cluster and operate in default gateway mode would not help minimize unexpected outages caused by using the Block option.
The gateway cluster mode is used to provide high availability and load balancing for the gateways, but it does not affect how the gateways handle traffic when the IPS engine fails . The default gateway mode is used to enable routing and NAT functions on the gateways, but it does not affect how the gateways handle traffic when the IPS engine fails .
Option C is not correct because setting the IDS or IPS policy to the least restrictive option, Lenient, would not help minimize unexpected outages caused by using the Block option. The IDS or IPS policy is used to define what rules are applied by the IPS engine to inspect and block traffic, but it does not affect how the gateways handle traffic when the IPS engine fails 2. The Lenient option contains fewer and older rules than the Moderate or Strict options, which means that it provides less security and more false negatives .


NEW QUESTION # 28
Refer to the scenario.
# Introduction to the customer
You are helping a company add Aruba ClearPass to their network, which uses Aruba network infrastructure devices.
The company currently has a Windows domain and Windows CA. The Window CA issues certificates to domain computers, domain users, and servers such as domain controllers. An example of a certificate issued by the Windows CA is shown here.


The company is in the process of adding Microsoft Endpoint Manager (Intune) to manage its mobile clients.
The customer is maintaining the on-prem AD for now and uses Azure AD Connect to sync with Azure AD.
# Requirements for issuing certificates to mobile clients
The company wants to use ClearPass Onboard to deploy certificates automatically to mobile clients enrolled in Intune. During this process, Onboard should communicate with Azure AD to validate the clients. High availability should also be provided for this scenario; in other words, clients should be able to get certificates from Subscriber 2 if Subscriber 1 is down.
The Intune admins intend to create certificate profiles that include a UPN SAN with the UPN of the user who enrolled the device.
# Requirements for authenticating clients
The customer requires all types of clients to connect and authenticate on the same corporate SSID.
The company wants CPPM to use these authentication methods:
EAP-TLS to authenticate users on mobile clients registered in Intune
TEAR, with EAP-TLS as the inner method to authenticate Windows domain computers and the users on them To succeed, EAP-TLS (standalone or as a TEAP method) clients must meet these requirements:
Their certificate is valid and is not revoked, as validated by OCSP
The client's username matches an account in AD
# Requirements for assigning clients to roles
After authentication, the customer wants the CPPM to assign clients to ClearPass roles based on the following rules:
Clients with certificates issued by Onboard are assigned the "mobile-onboarded" role Clients that have passed TEAP Method 1 are assigned the "domain-computer" role Clients in the AD group "Medical" are assigned the "medical-staff" role Clients in the AD group "Reception" are assigned to the "reception-staff" role The customer requires CPPM to assign authenticated clients to AOS firewall roles as follows:
Assign medical staff on mobile-onboarded clients to the "medical-mobile" firewall role Assign other mobile-onboarded clients to the "mobile-other" firewall role Assign medical staff on domain computers to the "medical-domain" firewall role All reception staff on domain computers to the "reception-domain" firewall role All domain computers with no valid user logged in to the "computer-only" firewall role Deny other clients access
# Other requirements
Communications between ClearPass servers and on-prem AD domain controllers must be encrypted.
# Network topology
For the network infrastructure, this customer has Aruba APs and Aruba gateways, which are managed by Central. APs use tunneled WLANs, which tunnel traffic to the gateway cluster. The customer also has AOS-CX switches that are not managed by Central at this point.

# ClearPass cluster IP addressing and hostnames
A customer's ClearPass cluster has these IP addresses:
Publisher = 10.47.47.5
Subscriber 1 = 10.47.47.6
Subscriber 2 = 10.47.47.7
Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8
The customer's DNS server has these entries
cp.acnsxtest.com = 10.47.47.5
cps1.acnsxtest.com = 10.47.47.6
cps2.acnsxtest.com = 10.47.47.7
radius.acnsxtest.com = 10.47.47.8
onboard.acnsxtest.com = 10.47.47.8
You cannot see flow attributes for wireless clients.
What should you check?

  • A. Deep packet inspection is enabled on the Aruba Aps, and the APs have been rebooted.
  • B. Firewall application visibility is enabled on the Aruba gateways, and the gateways have been rebooted.
  • C. Deep packet inspection is enabled on the role to which the Aruba APs assign the wireless clients.
  • D. Gateway IDS/IPS is enabled on the Aruba gateways, and the gateways have been rebooted.

Answer: C


NEW QUESTION # 29
A company has an Aruba ClearPass server at 10.47.47.8, FQDN radius.acnsxtest.local. This exhibit shows ClearPass Policy Manager's (CPPM's) settings for an Aruba Mobility Controller (MC).

The MC is already configured with RADIUS authentication settings for CPPM, and RADIUS requests between the MC and CPPM are working. A network admin enters and commits this command to enable dynamic authorization on the MC:
aaa rfc-3576-server 10.47.47.8
But when CPPM sends CoA requests to the MC, they are not working. This exhibit shows the RFC 3576 server statistics on the MC:

How could you fix this issue?

  • A. Make sure that CPPM is using an ArubaOS Wireless RADIUS CoA enforcement profile.
  • B. Configure the MC to obtain the time from a valid NTP server.
  • C. Change the UDP port in the MCs' RFC 3576 server config to 3799.
  • D. Enable RadSec on the MCs' RFC 3676 server config.

Answer: C

Explanation:
Explanation
Dynamic authorization is a feature that allows CPPM to send change of authorization (CoA) or disconnect messages to the MC to modify or terminate a user session based on certain conditions or events 1. Dynamic authorization uses the RFC 3576 protocol, which is an extension of the RADIUS protocol 2.
To enable dynamic authorization on the MC, you need to configure the IP address and UDP port of the CPPM server as the RFC 3576 server on the MC 3. The default UDP port for RFC 3576 is 3799, but it can be changed on the CPPM server . The MC and CPPM must use the same UDP port for dynamic authorization to work properly 3.
In this scenario, the MC is configured with the IP address of the CPPM server (10.47.47.8) as the RFC 3576 server, but it is using the default UDP port of 3799. However, according to the exhibit, the CPPM server is using a different UDP port of 1700 for dynamic authorization . This mismatch causes the CoA requests from CPPM to fail on the MC, as shown by the statistics .
To fix this issue, you need to change the UDP port in the MCs' RFC 3576 server config to match the UDP port used by CPPM, which is 1700 in this case. Alternatively, you can change the UDP port in CPPM to match the default UDP port of 3799 on the MC. Either way, you need to ensure that both devices use the same UDP port for dynamic authorization 3 .


NEW QUESTION # 30
......

Reliable Study Materials for HPE6-A84 Exam Success For Sure: https://www.vce4plus.com/HP/HPE6-A84-valid-vce-dumps.html

Get Unlimited Access to HPE6-A84 Certification Exam Cert Guide: https://drive.google.com/open?id=16bAuanJGPrembjrTiS-NhwSTUzUDgRvb

Related Articles

more
HP HPE6-A84 Certification Practice Exam