You are setting up Aruba ClearPass Policy Manager (CPPM) to enforce EAP-TLS authentication with Active Directory as the authentication source. The company wants to prevent users with disabled accounts from connecting even if those users still have valid certificates.
As the first part of meeting these criteria, what should you do to enable CPPM to determine where accounts are enabled in AD or not?
A customer needs you to configure Aruba ClearPass Policy Manager (CPPM) to authenticate domain users on domain computers. Domain users, domain computers, and domain controllers receive certificates from a Windows C
Answer : C
EAP (Extensible Authentication Protocol) is a framework that allows different authentication methods to be used for network access. EAP is used for RADIUS/EAP authentication, which is a common method for authenticating domain users on domain computers using certificates. EAP requires that the RADIUS server, such as ClearPass Policy Manager (CPPM), validates the certificates presented by the clients and verifies their identity against an identity source, such as Windows AD. Therefore, the root certificate for the Windows CA that issues the certificates to the clients should have the EAP usage in the ClearPass CA Trust list.
Radsec (RADIUS over TLS) is a protocol that allows secure and encrypted communication between RADIUS servers and clients using TLS. Radsec is used for encrypting all communications between CPPM and the domain controllers, which act as RADIUS clients. Radsec requires that both the RADIUS server and the RADIUS client validate each other's certificates and establish a TLS session. Therefore, the root certificate for the Windows CA that issues the certificates to the domain controllers should have the Radsec usage in the ClearPass CA Trust list.
Refer to the exhibit.
You have been given this certificate to install on a ClearPass server for the RADIUS/EAP and RadSec usages.
What is one issue?
Answer : B
The exhibit shows a screenshot of a certificate that has the following information:
The subject common name (CN) is *.clearpass.local, which is a wildcard domain name that matches any subdomain under clearpass.local.
The subject alternative names (SANs) are DNS Name=clearpass.local and DNS Name=*.clearpass.local, which are the same as the subject CN.
The issuer CN is clearpass.local, which is the same as the subject domain name.
The key usage (KU) is Digital Signature and Key Encipherment, which are required for RADIUS/EAP and RadSec usages.
The extended key usage (EKU) is Server Authentication and Client Authentication, which are also required for RADIUS/EAP and RadSec usages.
The issue with this certificate is that it uses a fully qualified the '.local' domain name, which is a reserved domain name for local networks that cannot be registered on the public Internet. This means that the certificate cannot be verified by any public certificate authority (CA), and therefore cannot be trusted by any external devices or servers that communicate with ClearPass. This could cause problems for RADIUS/EAP and RadSec usages, as they rely on secure and authenticated connections between ClearPass and other devices or servers.
To avoid this issue, the certificate should use a valid domain name that can be registered on the public Internet, such as clearpass.com or clearpass.net. This way, the certificate can be issued by a public CA that is trusted by most devices and servers, and can be verified by them. Alternatively, if the certificate is intended to be used only within a private network, it should be issued by a private CA that is trusted by all devices and servers within that network.
A customer wants CPPM to authenticate non-802.1X-capable devices. An admin has created the service shown in the exhibits below:
What is one recommendation to improve security?
Answer : C
MAC Authentication Bypass (MAB) is a technique that allows non-802.1X-capable devices to bypass the 802.1X authentication process and gain network access based on their MAC addresses. However, MAB has some security drawbacks, such as the possibility of MAC address spoofing or unauthorized devices being added to the network. Therefore, it is recommended to use a custom MAC-Auth authentication method that adds an additional layer of security to MAB.
A custom MAC-Auth authentication method is a method that uses a combination of the MAC address and another attribute, such as a username, password, or certificate, to authenticate the device. This way, the device needs to provide both the MAC address and the additional attribute to gain access, making it harder for an attacker to spoof or impersonate the device. A custom MAC-Auth authentication method can be created and configured in ClearPass Policy Manager (CPPM) by following the steps in the Customizing MAC Authentication - Aruba page.
Refer to the scenario.
A customer is migrating from on-prem AD to Azure AD as its sole domain solution. The customer also manages both wired and wireless devices with Microsoft Endpoint Manager (Intune).
The customer wants to improve security for the network edge. You are helping the customer design a ClearPass deployment for this purpose. Aruba network devices will authenticate wireless and wired clients to an Aruba ClearPass Policy Manager (CPPM) cluster (which uses version 6.10).
The customer has several requirements for authentication. The clients should only pass EAP-TLS authentication if a query to Azure AD shows that they have accounts in Azure AD. To further refine the clients' privileges, ClearPass also should use information collected by Intune to make access control decisions.
You are planning to use Azure AD as the authentication source in 802.1X services.
What should you make sure that the customer understands is required?
A company has Aruba gateways that are Implementing gateway IDS/IPS in IDS mode. The customer complains that admins are receiving too frequent of repeat email notifications for the same threat. The threat itself might be one that the admins should investigate, but the customer does not want the email notification to repeat as often.
Which setting should you adjust in Aruba Central?
Answer : B
In the Aruba Central app, set the filter to Global, a group, or a device.
Under Analyze, click Alerts & Events.
Click the Config icon to open the Alert Severities & Notifications page.
Select the Gateway IDS/IPS tab to view the alert categories and severities for gateway IDS/IPS events.
Click on an alert category to expand it and view the alert duration and threshold settings for each severity level.
Enter a value in minutes for the alert duration. This is the time period during which the alert is active and email notifications are sent.
Enter a value for the alert threshold. This is the number of times the alert must be triggered within the alert duration before an email notification is sent.
Click Save.
By increasing the alert duration and/or threshold values, the customer can reduce the number of email notifications for recurring threats, as they will only be sent when the threshold is reached within the duration. For example, if the customer sets the alert duration to 60 minutes and the alert threshold to 10 for a Critical severity level, then an email notification will only be sent if the same threat occurs 10 times or more within an hour.
A company has Aruba gateways and wants to start implementing gateway IDS/IPS. The customer has selected Block for the Fail Strategy.
What might you recommend to help minimize unexpected outages caused by using this particular fall strategy?
Answer : D
The correct answer is D. Enabling alerts and email notifications for events related to gateway IPS engine utilization and errors.
The other options are not correct or relevant for this issue:
Option B is not correct because making sure that the gateways have formed a cluster and operate in default gateway mode would not help minimize unexpected outages caused by using the Block option. The gateway cluster mode is used to provide high availability and load balancing for the gateways, but it does not affect how the gateways handle traffic when the IPS engine fails . The default gateway mode is used to enable routing and NAT functions on the gateways, but it does not affect how the gateways handle traffic when the IPS engine fails .