HP HPE6-A84 Exam Practice Test Instant Access

Question 1

You are setting up Aruba ClearPass Policy Manager (CPPM) to enforce EAP-TLS authentication with Active Directory as the authentication source. The company wants to prevent users with disabled accounts from connecting even if those users still have valid certificates.

As the first part of meeting these criteria, what should you do to enable CPPM to determine where accounts are enabled in AD or not?

AAdd an Endpoint Context Server to the domain controller with actions for querying the domain controller for account status.

BEnable OCSP in the EAP-TLS authentication method settings and configure an OCSP override to the domain controller FQDN.

CAdd a custom attribute for userAccountControl to the filters in the AD authentication source.

DInstall a Microsoft Active Directory extension in Aruba ClearPass Guest and set up an HTTP authentication source that points to that extension.

Answer : C

According to the ClearPass Policy Manager User Guide1, userAccountControl is a custom attribute in Active Directory that contains a set of flags that define the properties and behavior of user accounts. One of these flags is ACCOUNTDISABLE, which indicates whether the account is disabled or not. By adding this attribute to the filters in the AD authentication source, CPPM can retrieve this attribute for each user and use it as a condition in the enforcement policies to prevent users with disabled accounts from connecting even if they have valid certificates. Therefore, option C is the correct answer.

Question 2

A customer needs you to configure Aruba ClearPass Policy Manager (CPPM) to authenticate domain users on domain computers. Domain users, domain computers, and domain controllers receive certificates from a Windows C

ACPPM should validate these certificates and verify that the users and computers have accounts in Windows AD. The customer requires encryption for all communications between CPPM and the domain controllers.
You have imported the root certificate for the Windows CA to the ClearPass CA Trust list.
Which usages should you add to it based on these requirements?

ARadec and Aruba infrastructure

BEAP and AD/LDAP Server

CEAP and Radsec

DLDAP and Aruba infrastructure

Answer : C

EAP (Extensible Authentication Protocol) is a framework that allows different authentication methods to be used for network access. EAP is used for RADIUS/EAP authentication, which is a common method for authenticating domain users on domain computers using certificates. EAP requires that the RADIUS server, such as ClearPass Policy Manager (CPPM), validates the certificates presented by the clients and verifies their identity against an identity source, such as Windows AD. Therefore, the root certificate for the Windows CA that issues the certificates to the clients should have the EAP usage in the ClearPass CA Trust list.

Radsec (RADIUS over TLS) is a protocol that allows secure and encrypted communication between RADIUS servers and clients using TLS. Radsec is used for encrypting all communications between CPPM and the domain controllers, which act as RADIUS clients. Radsec requires that both the RADIUS server and the RADIUS client validate each other's certificates and establish a TLS session. Therefore, the root certificate for the Windows CA that issues the certificates to the domain controllers should have the Radsec usage in the ClearPass CA Trust list.

Question 3

Refer to the exhibit.

You have been given this certificate to install on a ClearPass server for the RADIUS/EAP and RadSec usages.

What is one issue?

AThe certificate has a wildcard in the subject common name.

BThe certificate uses a fully qualified the '.local' domain name.

CThe certificate does not have a URI subject alternative name

DThe certificate does not have an IP subject alternative name

Answer : B

The exhibit shows a screenshot of a certificate that has the following information:

The subject common name (CN) is *.clearpass.local, which is a wildcard domain name that matches any subdomain under clearpass.local.

The subject alternative names (SANs) are DNS Name=clearpass.local and DNS Name=*.clearpass.local, which are the same as the subject CN.

The issuer CN is clearpass.local, which is the same as the subject domain name.

The key usage (KU) is Digital Signature and Key Encipherment, which are required for RADIUS/EAP and RadSec usages.

The extended key usage (EKU) is Server Authentication and Client Authentication, which are also required for RADIUS/EAP and RadSec usages.

The issue with this certificate is that it uses a fully qualified the '.local' domain name, which is a reserved domain name for local networks that cannot be registered on the public Internet. This means that the certificate cannot be verified by any public certificate authority (CA), and therefore cannot be trusted by any external devices or servers that communicate with ClearPass. This could cause problems for RADIUS/EAP and RadSec usages, as they rely on secure and authenticated connections between ClearPass and other devices or servers.

To avoid this issue, the certificate should use a valid domain name that can be registered on the public Internet, such as clearpass.com or clearpass.net. This way, the certificate can be issued by a public CA that is trusted by most devices and servers, and can be verified by them. Alternatively, if the certificate is intended to be used only within a private network, it should be issued by a private CA that is trusted by all devices and servers within that network.

Question 4

A customer wants CPPM to authenticate non-802.1X-capable devices. An admin has created the service shown in the exhibits below:

What is one recommendation to improve security?

AAdding an enforcement policy rule that denies access to endpoints with the Conflict flaq

BUsing Active Directory as the authentication source

CCreating and using a custom MAC-Auth authentication method

DEnabling caching of posture and roles

Answer : C

MAC Authentication Bypass (MAB) is a technique that allows non-802.1X-capable devices to bypass the 802.1X authentication process and gain network access based on their MAC addresses. However, MAB has some security drawbacks, such as the possibility of MAC address spoofing or unauthorized devices being added to the network. Therefore, it is recommended to use a custom MAC-Auth authentication method that adds an additional layer of security to MAB.

A custom MAC-Auth authentication method is a method that uses a combination of the MAC address and another attribute, such as a username, password, or certificate, to authenticate the device. This way, the device needs to provide both the MAC address and the additional attribute to gain access, making it harder for an attacker to spoof or impersonate the device. A custom MAC-Auth authentication method can be created and configured in ClearPass Policy Manager (CPPM) by following the steps in the Customizing MAC Authentication - Aruba page.

Question 5

Refer to the scenario.

A customer is migrating from on-prem AD to Azure AD as its sole domain solution. The customer also manages both wired and wireless devices with Microsoft Endpoint Manager (Intune).

The customer wants to improve security for the network edge. You are helping the customer design a ClearPass deployment for this purpose. Aruba network devices will authenticate wireless and wired clients to an Aruba ClearPass Policy Manager (CPPM) cluster (which uses version 6.10).

The customer has several requirements for authentication. The clients should only pass EAP-TLS authentication if a query to Azure AD shows that they have accounts in Azure AD. To further refine the clients' privileges, ClearPass also should use information collected by Intune to make access control decisions.

You are planning to use Azure AD as the authentication source in 802.1X services.

What should you make sure that the customer understands is required?

AAn app registration on Azure AD that references the CPPM's FQDN

BWindows 365 subscriptions

CCPPM's RADIUS certificate was imported as trusted in the Azure AD directory

DAzure AD Domain Services

Answer : A

To use Azure AD as the authentication source in 802.1X services, you need to configure CPPM as a SAML service provider and Azure AD as a SAML identity provider. This allows CPPM to use Azure AD for user authentication and role mapping. To do this, you need to create an app registration on Azure AD that references the CPPM's FQDN as the reply URL and the entity ID.You also need to grant the app registration the required permissions to access user information from Azure AD1

Question 6

A company has Aruba gateways that are Implementing gateway IDS/IPS in IDS mode. The customer complains that admins are receiving too frequent of repeat email notifications for the same threat. The threat itself might be one that the admins should investigate, but the customer does not want the email notification to repeat as often.

Which setting should you adjust in Aruba Central?

AReport scheduling settings

BAlert duration and threshold settings

CThe IDS policy setting (strict, medium, or lenient)

DThe allowlist settings in the IDS policy

Answer : B

Alert duration and threshold settings are used to control how often and under what conditions email notifications are sent for gateway IDS/IPS events1. By adjusting these settings, the customer can reduce the frequency of repeat email notifications for the same threat, while still being informed of any critical or new threats.

To adjust the alert duration and threshold settings in Aruba Central, the customer can follow these steps1:

In the Aruba Central app, set the filter to Global, a group, or a device.

Under Analyze, click Alerts & Events.

Click the Config icon to open the Alert Severities & Notifications page.

Select the Gateway IDS/IPS tab to view the alert categories and severities for gateway IDS/IPS events.

Click on an alert category to expand it and view the alert duration and threshold settings for each severity level.

Enter a value in minutes for the alert duration. This is the time period during which the alert is active and email notifications are sent.

Enter a value for the alert threshold. This is the number of times the alert must be triggered within the alert duration before an email notification is sent.

Click Save.

By increasing the alert duration and/or threshold values, the customer can reduce the number of email notifications for recurring threats, as they will only be sent when the threshold is reached within the duration. For example, if the customer sets the alert duration to 60 minutes and the alert threshold to 10 for a Critical severity level, then an email notification will only be sent if the same threat occurs 10 times or more within an hour.

Question 7

A company has Aruba gateways and wants to start implementing gateway IDS/IPS. The customer has selected Block for the Fail Strategy.

What might you recommend to help minimize unexpected outages caused by using this particular fall strategy?

AConfiguring a relatively high threshold for the gateway threat count alerts

BMaking sure that the gateways have formed a cluster and operate in default gateway mode

CSetting the IDS or IPS policy to the least restrictive option, Lenient

DEnabling alerts and email notifications for events related to gateway IPS engine utilization and errors

Answer : D

The correct answer is D. Enabling alerts and email notifications for events related to gateway IPS engine utilization and errors.

Gateway IDS/IPS is a feature that allows the Aruba gateways to monitor and block malicious or unwanted traffic based on predefined or custom rules 1. The Fail Strategy is a setting that determines how the gateways handle traffic when the IPS engine fails or crashes 2. The Block option means that the gateways will stop forwarding traffic until the IPS engine recovers, while the Bypass option means that the gateways will continue forwarding traffic without inspection 2.

The Block option provides more security, but it also increases the risk of network outages if the IPS engine fails frequently or for a long time 2. To minimize this risk, it is recommended to enable alerts and email notifications for events related to gateway IPS engine utilization and errors 3. This way, the network administrators can be informed of any issues with the IPS engine and take appropriate actions to restore or troubleshoot it 3.

The other options are not correct or relevant for this issue:

Option A is not correct because configuring a relatively high threshold for the gateway threat count alerts would not help minimize unexpected outages caused by using the Block option. The gateway threat count alerts are used to notify the network administrators of the number of threats detected by the IPS engine, but they do not affect how the gateways handle traffic when the IPS engine fails 4.

Option B is not correct because making sure that the gateways have formed a cluster and operate in default gateway mode would not help minimize unexpected outages caused by using the Block option. The gateway cluster mode is used to provide high availability and load balancing for the gateways, but it does not affect how the gateways handle traffic when the IPS engine fails . The default gateway mode is used to enable routing and NAT functions on the gateways, but it does not affect how the gateways handle traffic when the IPS engine fails .

Option C is not correct because setting the IDS or IPS policy to the least restrictive option, Lenient, would not help minimize unexpected outages caused by using the Block option. The IDS or IPS policy is used to define what rules are applied by the IPS engine to inspect and block traffic, but it does not affect how the gateways handle traffic when the IPS engine fails 2. The Lenient option contains fewer and older rules than the Moderate or Strict options, which means that it provides less security and more false negatives .

HPE6-A84 Aruba Certified Network Security Expert Written Exam Practice Test