A.C.P NS
Title of test: A.C.P NS
Description: A.C.P NS




You have configured an AOS-CX switch to implement 802.1X on edge ports. Assume ports operate in the default auth-mode. VoIP phones are assigned to the "voice" role and need to send traffic that is tagged for VLAN 12. Where should you configure VLAN 12?
- As the trunk native VLAN on edge ports and the trunk native VLAN on the "voice" role.
- As a trunk allowed VLAN on edge ports and the trunk native VLAN in the "voice" role.
- As the trunk native VLAN in the "voice" role (and not in the edge port settings).
- As the allowed trunk VLAN in the "voice" role (and not in the edge port settings).

You need to set up HPE Aruba Networking ClearPass Policy Manager (CPPM) to provide certificate-based authentication of 802.1X supplicants. How should you upload the root CA certificate for the supplicants' certificates?
- As a ClearPass Server certificate with the RADIUS/EAP usage.
- As a Trusted CA with the AD/LDAP usage.
- As a Trusted CA with the EAP usage.
- As a ClearPass Server certificate with the Database usage.

A company has AOS-CX switches. The company wants to make it simpler and faster for admins to detect denial of service (DoS) attacks, such as ping or ARP floods, launched against the switches. What can you do to support this use case?
- Deploy an NAE agent on the switches to monitor control plane policing (CoPP).
- Implement ARP inspection on all VLANs that support end-user devices.
- Configure the switches to implement RADIUS accounting to HPE Aruba Networking ClearPass and enable HPE Aruba Networking ClearPass Insight.
- Enabling debugging of security functions on the switches.

You have run an Active Endpoint Security Report on HPE Aruba Networking ClearPass. The report indicates that hundreds of endpoints have MAC addresses but no known IP addresses. What is one step for addressing this issue?
- Set up network devices to implement RADIUS accounting to CPPM.
- Add CPPM's IP address to the IP helper list on routing switches.
- Set up switches to implement ARP inspection on client VLANs.
- Configure CPPM as a Syslog destination on network devices.

An admin has configured an AOS-CX switch with these settings:
```
port-access role employees
    vlan access name employees
```
This switch is also configured with CPPM as its RADIUS server. Which enforcement profile should you configure on CPPM to work with this configuration?
- RADIUS Enforcement type with HPE-User-Role VSA set to "employees".
- HPE Aruba Networking Downloadable Role Enforcement type with role name set to "employees".
- HPE Aruba Networking Downloadable Role Enforcement type with gateway role name set to "employees".
- RADIUS Enforcement type with Aruba-User-Role VSA set to "employees".

The security team needs you to show them information about MAC spoofing attempts detected by HPE Aruba Networking ClearPass Policy Manager (CPPM). What should you do?
- Export the Access Tracker records on CPPM as an XML file.
- Use ClearPass Insight to run an Active Endpoint Security report.
- Integrate CPPM with ClearPass Device Insight (CPDI) and run a security report on CPDI.
- Show the security team the CPPM Endpoint Profiler dashboard.

You need to set up an HPE Aruba Networking VIA solution for a customer who needs to support 2100 remote employees. The customer wants employees to download their VIA connection profile from the VPNC. Only employees who authenticate with their domain credentials to HPE Aruba Networking ClearPass Policy Manager (CPPM) should be able to download the profile. (A RADIUS server group for CPPM is already set up on the VPNC.) How do you configure the VPNC to enforce that requirement?
- Set up a VIA Authentication Profile that uses CPPM's server group; reference that profile in the VIA Web Authentication Profile.
- Reference CPPM's server group in an AAA profile; then, apply that profile to the VPNC's Internet-facing ports.
- Create a new VPN Authentication Profile and then reference CPPM's default server group in that profile.
- Set up a VIA Authentication Profile that uses CPPM's server group; reference that profile in the VIA Connection Profile.

A company is using HPE Aruba Networking ClearPass Device Insight (CPDI) (the standalone application). You have identified a device, which is currently classified as one type, but you want to classify it as a custom type. You also want to classify all devices with similar attributes as this type, both already discovered devices and new devices discovered later. What should you do?
- Create a user tag from the Generic Devices page, select the desired attributes for the tag, and save the tag.
- In the device details, select reclassify, create a user rule based on its attributes, and choose "Save & Reclassify."
- In the device details, select filter, create a user tag based on the device attributes, and save the tag.
- Create a user rule from the Generic Devices page, select the desired attributes for the rule, and choose "Save."

You are deploying a virtual Data Collector for use with HPE Aruba Networking ClearPass Device Insight (CPDI). You have identified VLAN 101 in the data center as the VLAN to which the Data Collector should connect to receive its IP address and connect to HPE Aruba Networking Central. Which Data Collector virtual ports should you tell the virtual admins to connect to VLAN 101?
- The one with the lowest MAC address.
- The one with the highest port ID.
- The one with the highest MAC address.
- The one with the lowest port ID.

A company assigns a different block of VLAN IDs to each of its access layer AOS-CX switches. The switches run version 10.07. The IDs are used for standard purposes, such as for employees, VoIP phones, and cameras. The company wants to apply 802.1X authentication to HPE Aruba Networking ClearPass Policy Manager (CPPM) and then steer clients to the correct VLANs for local forwarding. What can you do to simplify setting up this solution?
- Assign consistent names to VLANs of the same type across the AOS-CX switches and have user-roles reference names.
- Use the trunk allowed VLAN setting to assign multiple VLAN IDs to the same role.
- Change the VLAN IDs across the AOS-CX switches so that they are consistent.
- Avoid configuring the VLAN in the role; use trunk VLANs to assign multiple VLANs to the port instead.

A company lacks visibility into the many different types of user and IoT devices deployed in its internal network, making it hard for the security team to address those devices. Which HPE Aruba Networking solution should you recommend to resolve this issue?
- HPE Aruba Networking ClearPass Device Insight (CPDI).
- HPE Aruba Networking Network Analytics Engine (NAE).
- HPE Aruba Networking Mobility Conductor.
- HPE Aruba Networking ClearPass OnBoard.

A company is using HPE Aruba Networking ClearPass Device Insight (CPDI) (the standalone application). In the CPDI security settings, Security Analysis is On, the Data Source is ClearPass Devices Insight, and Enable Posture Assessment is On. You see that a device has a Risk Score of 90. What can you know from this information?
- The posture is unhealthy, and CPDI has also detected at least one vulnerability on the device.
- The posture is unhealthy, but CPDI has not detected any vulnerabilities on the device.
- The posture is healthy, but CPDI has detected multiple vulnerabilities on the device.
- The posture is unknown, and CPDI has detected exactly four vulnerabilities on the device.

You have set up a mirroring session between an AOS-CX switch and a management station, running Wireshark. You want to capture just the traffic sent in the mirroring session, not the management station's other traffic. What should you do?
- Apply this capture filter: ip proto 47.
- Edit protocol preferences and enable ARUBA_ERM.
- Edit protocol preferences and enable HPE_ERM.
- Apply this capture filter: udp port 5555.

A company uses HPE Aruba Networking ClearPass Policy Manager (CPPM) as a TACACS+ server to authenticate managers on its AOS-CX switches. The company wants CPPM to control which commands managers are allowed to enter. You see there is no field to enter these commands in ClearPass. How do you start configuring the command list on CPPM?
- Add the Shell service to the managers' TACACS+ enforcement profiles.
- Edit the TACACS+ settings in the AOS-CX switches' network device entries.
- Create an enforcement policy with the TACACS+ type.
- Edit the settings for CPPM's default TACACS+ admin roles.

HPE Aruba Networking ClearPass Policy Manager (CPPM) uses a service to authenticate clients. You are now adding the Endpoints Repository as an authorization source for the service, and you want to add rules to the service's policies that apply different access levels based, in part, on a client's device category. You need to ensure that CPPM can apply the new correct access level after discovering new clients' categories. What should you enable on the service?
- The Posture Compliance option in the Service tab.
- The Profile Endpoints option in the Service tab.
- The Use cached Roles and Posture attributes from previous sessions option in the Enforcement tab.
- The Audit End-host option in the Service tab.

A company has AOS-CX switches and HPE Aruba Networking APs, which run AOS-10 and bridge their SSIDs. Company security policies require 802.1X on all edge ports, some of which connect to APs. How should you configure the auth-mode on AOS-CX switches?
- Configure all edge ports in device auth-mode.
- Leave all edge ports in client auth-mode and configure device auth-mode in the AP role.
- Configure all edge ports in client auth-mode.
- Leave all edge ports in device auth-mode and configure client auth-mode in the AP role.

A company has HPE Aruba Networking Central-managed APs. The company wants to block all clients connected through the APs from using YouTube. Which steps should you take?
- Deploy gateways and have the APs tunnel traffic to the gateways. Then, enable the gateway IDS/IPS engine.
- Enable Client IPS at the "custom" level, and then specify the check for YouTube.
- Enable WebCC on all client firewall roles. Then, create WebCC category rules that deny suspicious URLs.
- Enable DPI. Then, create application rules to deny YouTube on the firewall roles.

What is one use case for implementing user-based tunneling (UBT) on AOS-CX switches?
- Centralizing the distribution of wired traffic without requiring HPE Aruba Networking gateways.
- Tunneling traffic directly to a third-party firewall in a client data center.
- Adding 802.1X while continuing to use the existing VLAN and ACL structure in the Ethernet network.
- Applying enhanced security features such as deep packet inspection (DPI) to wired traffic.

A company has HPE Aruba Networking APs running AOS-10 that connect to AOS-CX switches. The APs will: authenticate as 802.1X supplicants to HPE Aruba Networking ClearPass Policy Manager (CPPM); be assigned to the "APs" role on the switches; have their traffic forwarded locally. What information do you need to help you determine the VLAN settings for the "APs" role?
- Whether the APs have static or DHCP-assigned IP addresses.
- Whether the switches are using local user-roles (LURs) or downloadable user-roles (DURs).
- Whether the switches have established tunnels with an HPE Aruba Networking gateway.
- Whether the APs bridge or tunnel traffic on their SSIDs.

Your company wants to implement Tunneled EAP (TEAP). How can you set up HPE Aruba Networking ClearPass Policy Manager (CPPM) to enforce certificate-based authentication for clients using TEAP?
- For the service using TEAP, set the authentication source to an internal database.
- Select a service certificate when you specify TEAP as a service's authentication method.
- Create an authentication method named "TEAP" with the type set to EAP-TLS.
- Select an EAP-TLS-type authentication method for the TEAP method's inner method.

Admins have recently turned on Wireless IDS/IPS infrastructure detection at the high level on HPE Aruba Networking APs. When you check WIDS events, you see several RTS rate and CTS rate anomalies, which were triggered by neighboring APs. What can you interpret from this event?
- These neighboring APs are likely to be wireless clients that are inappropriately bridging their wired and wireless NICs; you should track down and remove them.
- These neighboring APs might be hackers trying to launch a DoS, but are more likely operating normally; you should start by tuning the event thresholds.
- These neighboring APs are actually rogue APs, and you should enable wireless tarpit containment on them.
- These neighboring APs are actually rogue APs, and you should enable wireless de-authentication containment on them.

HPE Aruba Networking Central displays an alert about an Infrastructure Attack that was detected. You go to the Security > RAPIDS events and see that the attack was "Detect adhoc using Valid SSID." What is one possible next step?
- Use HPE Aruba Networking Central floorplans or the detecting AP identities to locate the general area for the threat.
- Look for the IP address associated with the offender and then check for that IP address among HPE Aruba Networking Central clients.
- Make sure that you have tuned the threshold for that check, as false positives are common for it.
- Make sure that clients have updated drivers, as faulty drivers are a common explanation for this attack type.

A company has a variety of HPE Aruba Networking solutions, including an HPE Aruba Networking infrastructure and HPE Aruba Networking ClearPass Policy Manager (CPPM). The company passes traffic from the corporate LAN destined to the data center through a third-party SRX firewall. The company would like to further protect itself from internal threats. What is one solution that you can recommend?
- Have the third-party firewall send Syslogs to CPPM, which can work with network devices to lock internal attackers out of the network.
- Use tunnel mode SSIDs and user-based tunneling (UBT) on AOS-CX switches to pass all internal traffic directly through the third-party firewall.
- Add ClearPass Device Insight (CPDI) to the solution; integrate it with the third-party firewall to develop more complete device profiles.
- Configure CPPM to poll the third-party firewall for a broad array of information about internal clients, such as profile and posture.

A company wants to apply a standard configuration to all AOS-CX switch ports and have the ports dynamically adjust their configuration based on the identity of the user or device that connects. They want to centralize configuration of the identity-based settings as much as possible. What should you recommend?
- Having HPE Aruba Networking ClearPass Policy Manager (CPPM) send standard RADIUS AVPs to customize port settings.
- Having switches pull port configurations dynamically from HPE Aruba Networking Activate.
- Having switches download user-roles from HPE Aruba Networking gateways.
- Having switches download user-roles from HPE Aruba Networking ClearPass Policy Manager (CPPM).

A company issues user certificates to domain computers using its Windows CA and the default user certificate template. You have set up HPE Aruba Networking ClearPass Policy Manager (CPPM) to authenticate 802.1X clients with those certificates. However, during tests, you receive an error that authorization has failed because the usernames do not exist in the authentication source. What is one way to fix this issue and enable clients to successfully authenticate with certificates?
- Configure rules to strip the domain name from the username.
- Change the authentication method list to include both PEAP MSCHAPv2 and EAP-TLS.
- Add the ClearPass Onboard local repository to the authentication source list.
- Remove EAP-TLS from the authentication method list and add TEAP there instead.

You need to use "Tips:Posture" conditions within an 802.1X service's enforcement policy. Which guideline should you follow?
- Enable caching roles and posture attributes from previous sessions in the service's enforcement settings.
- Create rules that assign postures in the service's role mapping policy.
- Enable profiling in the service's general settings.
- Select the Posture Policy type for the service's enforcement policy.

You have created this rule in an HPE Aruba Networking ClearPass Policy Manager (CPPM) service's enforcement policy: IF Authorization [Endpoints Repository] Conflict EQUALS true THEN apply "quarantine_profile". What information can help you determine whether you need to configure cluster-wide profiler parameters to ignore some conflicts?
- Whether the company has rare Internet of Things (IoT) devices.
- Whether some devices are incapable of captive portal or 802.1X authentication.
- Whether the company has devices that use PXE boot.
- Whether some devices are running legacy operating systems.

A company has HPE Aruba Networking APs, which authenticate users to HPE Aruba Networking ClearPass Policy Manager (CPPM). What does HPE Aruba Networking recommend as the preferred method for assigning clients to a role on the AOS firewall?
- Configure CPPM to assign the role using a RADIUS enforcement profile with a RADIUS:IETF Username attribute.
- Configure CPPM to assign the role using a RADIUS enforcement profile with an Aruba-User-Role VSA.
- Create server rules on the APs to assign clients to roles based on RADIUS IETF attributes returned by CPPM.
- Create user rules on the APs to assign clients to roles based on a variety of criteria.

A security team needs to track a device's communication patterns and identify patterns such as how many destinations the device is accessing. Which Aruba solution can show this information at a glance?
- HPE Aruba Networking ClearPass Insight Endpoints and Network Dashboards.
- HPE Aruba Networking ClearPass Policy Manager (CPPM) live monitoring Access Tracker.
- HPE Aruba Networking ClearPass Device Insight (CPDI) under a device's network activity.
- AOS-CX Analytics Dashboard using the system-installed NAE agent.

A company uses HPE Aruba Networking ClearPass Policy Manager (CPPM) as a TACACS+ server to authenticate managers on its AOS-CX switches. You want to assign managers to groups on the AOS-CX switch by name. How do you configure this setting in a CPPM TACACS+ enforcement profile?
- Add the Shell service and set autocmd to the group name.
- Add the Shell service and set priv-lvl to the group name.
- Add the Aruba:Common service and set Aruba-Admin-Role to the group name.
- Add the Aruba:Common service and set Aruba-Priv-Admin-User to the group name.

What is one use case that companies can fulfill using HPE Aruba Networking ClearPass Policy Manager's (CPPM's) Device Profiler?
- Identifying device security vulnerabilities by CVE ID and receiving remediation recommendations.
- Leveraging artificial intelligence to more accurately identify Internet of Things (IoT) devices.
- Quarantining devices that do not have the required antivirus software installed on them.
- Assigning different AOS firewall roles to users on computers and the same users on smartphones.

A company needs to enforce 802.1X authentication for its Windows domain computers to HPE Aruba Networking ClearPass Policy Manager (CPPM). The company needs the computers to authenticate as both machines and users in the same session. Which authentication method should you set up on CPPM?
- TEAP.
- PEAP MSCHAPv2.
- EAP-TTLS.
- EAP-TLS.

A company is implementing HPE Aruba Networking Wireless IDS/IPS (WIDS/WIPS) on its AOS-10 APs, which are managed in HPE Aruba Networking Central. What is one requirement for enabling detection of rogue APs?
- Each VLAN in the network assigned on at least one AP's or AM's port.
- A Foundation with Security license for each of the APs.
- One AM deployed for every one AP deployed.
- A manual radio profile that enables non-regulatory channels.

A company uses HPE Aruba Networking ClearPass Device Insight (CPDI) (the standalone application option). In the details for a generic device cluster, you see a recommendation for "Windows 8" with 70% accuracy. What does this mean?
- CPDI has detected that these devices match about 70% of the system rule for defining "Windows 8" devices.
- CPDI has matched these devices against several, conflicting system rules. 70% of those rules are for "Windows 8" devices.
- CPDI has grouped this cluster with similar classified devices. 70% of those classified devices are "Windows 8."
- CPDI has used MAC OUI to group these devices together. The average device's MAC address matches 70% of the "Windows 8" OUI.

All of the switches in the exhibit are AOS-CX switches. What is the preferred configuration on Switch-2 for preventing rogue OSPF routers in this network?
- Disable OSPF entirely on VLANs 10-19.
- Configure OSPF authentication on VLANs 10-19 in password mode.
- Configure OSPF authentication on Lag 1 in MD5 mode.
- Configure passive-interface as the OSPF default and disable OSPF passive on Lag 1.

A company has HPE Aruba Networking gateways that implement gateway IDS/IPS. Admins sometimes check the Security Dashboard, but they want a faster way to discover if a gateway starts detecting threats in traffic. What should they do?
- Use Syslog to integrate the gateways with HPE Aruba Networking ClearPass Policy Manager (CPPM) event processing.
- Integrate HPE Aruba Networking ClearPass Device Insight (CPDI) with Central and schedule hourly reports.
- Set up email notifications using HPE Aruba Networking Central's global alert settings.
- Set up Webhooks that are attached to the HPE Aruba Networking Central Threat Dashboard.

What is a use case for the HPE Aruba Networking ClearPass OnGuard dissolvable agent?
- Continuously monitoring Windows domain clients for compliance.
- Implementing a one-time compliance scan.
- Auto-remediating posture issues on clients.
- Periodically scanning Linux clients for security issues.

Which use case is fulfilled by applying a time range to a firewall rule on an AOS device?
- Enforcing the rule only during the specified time range.
- Tuning the session timeout for sessions established with this rule.
- Locking clients that violate the rule for the specified time range.
- Setting the time range over which hit counts for the rule are aggregated.

A company wants HPE Aruba Networking ClearPass Policy Manager (CPPM) to respond to Syslog messages from its Palo Alto Next Generation Firewall (NGFW) by quarantining clients involved in security incidents. Which step must you complete to enable CPPM to process the Syslogs properly?
- Configure the Palo Alto as a context server on CPPM.
- Install a Palo Alto Extension through ClearPass Guest.
- Enable Insight and ingress event processing on the CPPM server.
- Configure CPPM to trust the root CA certificate for the NGFW.

A company is implementing a client-to-site VPN based on tunnel-mode IPsec. Which devices are responsible for the IPsec encapsulation?
- Gateways at the remote clients' locations and devices accessed by the clients at the main site.
- The remote clients and devices accessed by the clients at the main site.
- The remote clients and a gateway at the main site.
- Gateways at the remote clients' locations and a gateway at the main site.

You are setting up an HPE Aruba Networking VIA solution for a company. You need to configure access control policies for applications and resources that remote clients can access when connected to the VPN. Where on the VPNC should you configure these policies?
- In the tunneled network settings within the VIA Connection Profile.
- In the cloud security settings using IPsec maps.
- In the roles to which VIA clients are assigned after IKE authentication.
- In the roles to which VIA clients are assigned after VIA Web authentication.

A company has HPE Aruba Networking APs running AOS-10 and managed by HPE Aruba Networking Central. The company also has AOS-CX switches. The security team wants you to capture traffic from a particular wireless client. You should capture this client's traffic over a 15-minute time period and then send the traffic to them in a PCAP file. What should you do?
- Go to the client's AP in HPE Aruba Networking Central. Use the "Security" page to run a packet capture.
- Access the CLI for the client's AP. Set up a mirroring session between its radio and a management station running Wireshark.
- Access the CLI for the client's AP's switch. Set up a mirroring session between the AP's port and a management station running Wireshark.
- Go to that client in HPE Aruba Networking Central. Use the "Live Events" page to run a packet capture.

Assume that an AOS-CX switch is already implementing DHCP snooping and ARP inspection successfully on several VLANs. What should you do to help minimize disruption time if the switch reboots?
- Configure the switch to act as an ARP proxy.
- Create static IP-to-MAC bindings for the DHCP and DNS servers.
- Save the IP-to-MAC bindings to external storage.
- Configure the IP helper address on this switch, rather than a core routing switch.

You need to create a rule in an HPE Aruba Networking ClearPass Policy Manager (CPPM) role mapping policy that references a ClearPass Device Insight Tag. Which Type (namespace) should you specify for the rule?
- Application.
- Tips.
- Device.
- Endpoint.

You are using OpenSSL to obtain a certificate signed by a Certification Authority (CA).
You have entered this command:
```
openssl req -new -out file1.pem -newkey rsa:3072 -keyout file2.pem
Enter PEM pass phrase: **********
Verifying - Enter PEM pass phrase: **********
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Sunnyvale
Organization Name (eg, company) [Internet Widgits Pty Ltd]:example.com
Organizational Unit Name (eg, section) []:Infrastructure
Common Name (e.g. server FQDN or YOUR name) []:radius.example.com
```
What is one guideline for continuing to obtain a certificate?
- You should use a third-party tool to encrypt file2.pem before sending it and file1.pem to the CA.
- You should concatenate file1.pem and file2.pem into a single file, and submit that to the desired CA to sign.
- You should submit file1.pem, but not file2.pem, to the desired CA to sign.
- You should submit file2.pem, but not file1.pem, to the desired CA to sign.

A company needs you to integrate HPE Aruba Networking ClearPass Policy Manager (CPPM) with HPE Aruba Networking ClearPass Device Insight (CPDI). What is one task you should do to prepare?
- Install the root CA for CPPM's HTTPS certificate as trusted in the CPDI application.
- Configure WMI, SSH, and SNMP external accounts for device scanning on CPPM.
- Enable Insight in the CPPM server configuration settings.
- Collect a Data Collector token from HPE Aruba Networking Central.

You have installed an HPE Aruba Networking Network Analytics Engine (NAE) script on an AOS-CX switch to monitor a particular function. Which additional step must you complete to start the monitoring?
- Reboot the switch.
- Enable NAE, which is disabled by default.
- Edit the script to define monitor parameters.
- Create an agent from the script.

A company uses HPE Aruba Networking ClearPass Policy Manager (CPPM) and HPE Aruba Networking ClearPass Device Insight (CPDI) and has integrated the two. CPDI admins have created a tag.
CPPM admins have created rules that use that tag in the wired 802.1X and wireless 802.1X services' enforcement policies. The company requires CPPM to apply the tag-based rules to a client directly after it learns that the client has that tag. What is one of the settings that you should verify on CPPM?
- The "Device Sync" setting is set to 1 in the ClearPass Device Insight Integration settings.
- Both 802.1X services have the "Profile Endpoints" option enabled and an appropriate CoA profile selected in the Profiler tab.
- Both 802.1X services have the "Use cached Role and Posture attributes from the previous sessions" setting.
- The "Polling Interval" is set to 1 in the ClearPass Device Insight Integration settings.

A company has HPE Aruba Networking APs and AOS-CX switches, as well as HPE Aruba Networking ClearPass. The company wants CPPM to have HTTP User-Agent strings to use in profiling devices. What can you do to support these requirements?
- Add the CPPM server's IP address to the IP helper list in all client VLANs on routing switches.
- Schedule periodic subnet scans of all client subnets on CPPM.
- Configure mirror sessions on the APs and switches to copy client HTTP traffic to CPPM.
- On the APs and switches, configure a redirect to ClearPass Guest in the role for devices being profiled.

Which statement describes Zero Trust Security?
- Companies should focus on protecting their resources rather than on protecting the boundaries of their internal network.
- Companies must apply the same access controls to all users, regardless of identity.
- Companies that support remote workers cannot achieve zero trust security and must determine if the benefits outweigh the cost.
- Companies can achieve zero trust security by strengthening their perimeter security to detect a wider range of threats.

What is a use case for running periodic subnet scans on devices from HPE Aruba Networking ClearPass Policy Manager (CPPM)?
- Using DHCP fingerprints to determine a client's device category and OS.
- Detecting devices that fail to comply with rules defined in CPPM posture policies.
- Identifying issues with authenticating and authorizing clients.
- Using WMI to collect additional information about Windows domain clients.

A company has an HPE Aruba Networking ClearPass cluster with several servers. ClearPass Policy Manager (CPPM) is set up to: update client attributes based on Syslog messages from third-party appliances; have the clients reauthenticate and apply new profiles to the clients based on the updates. To ensure that the correct profiles apply, what is one step you should take?
- Configure a CoA action for all tag updates in the ClearPass Device Insight integration settings.
- Tune the CoA delay on the ClearPass servers to a value of 5 seconds or greater.
- Set the cluster's Endpoint Context Servers polling interval to a value of 5 seconds or less.
- Configure the cluster to periodically clean up (delete) unknown endpoints.

A company wants to turn on Wireless IDS/IPS infrastructure and client detection at the high level on HPE Aruba Networking APs. The company does not want to enable any prevention settings. What should you explain about HPE Aruba Networking recommendations?
- HPE Aruba Networking recommends turning on both wired and wireless prevention whenever you enable detection at high.
- HPE Aruba Networking recommends using hybrid AP mode, as opposed to Air Monitors (AMs), when implementing detection without prevention.
- HPE Aruba Networking recommends disabling client detection when you configure infrastructure detection at high, as infrastructure detection includes all the client checks and more.
- HPE Aruba Networking recommends configuring infrastructure and client detection at a custom level and disabling or tuning some of the settings that are likely to produce false positives.

A company is using HPE Aruba Networking ClearPass Device Insight (CPDI) (the standalone application).
In the CPDI interface, you go to the Generic Devices page and see the view shown in the exhibit. What correctly describes what you see?
- Each cluster is a group of unclassified devices that CPDI's machine learning has discovered to have similar attributes.
- Each cluster is a group of devices that match one of the tags configured by admins.
- Each cluster is all the devices that have been assigned to the same category by one of CPDI's built-in system rules.
- Each cluster is a group of devices that have been classified with user rules, but for which CPDI offers different recommendations.

A company has AOS-CX switches and HPE Aruba Networking ClearPass Policy Manager (CPPM). The company wants switches to implement 802.1X authentication to CPPM and download user roles. What is one task that you must complete on the switches to support this use case?
- Specify CPPM as the RADIUS server with the exact CN in CPPM's HTTPS certificate.
- Install the root CA certificate for CPPM's RADIUS certificate in a TA profile on the switches.
- Configure empty user-roles with names that match enforcement profile names on CPPM.
- Specify a ClearPass username and password that match the name and RADIUS secret in a CPPM network.

What is a benefit of Online Certificate Status Protocol (OCSP)?
- It lets a device query whether a single certificate is revoked or not.
- It lets a device dynamically renew its certificate before the certificate expires.
- It lets a device download all the serial numbers for certificates revoked by a CA at once.
- It lets a device determine whether to trust a certificate without needing any root certificates installed.

(Note that the HPE Aruba Networking Central interface shown here might look slightly different from what you see in your HPE Aruba Networking Central interface as versions change; however, similar concepts continue to apply.) An HPE Aruba Networking 9x00 gateway is part of an HPE Aruba Networking Central group that has the settings shown in the exhibit.
What would cause the gateway to drop traffic as part of its IDPS settings?. Its site-to-site VPN connections failing. Traffic matching a rule in the active ruleset. Its IDPS engine failing. Traffic showing anomalous behavior. A company has wired VoIP phones, which transmit tagged traffic and connect to AOS-CX switches. The company wants to tunnel the phones' traffic to an HPE Aruba Networking gateway for applying security policies. What is part of the correct configuration on the AOS-CX switches?. UBT mode set to VLAN extend. A VXLAN VNI mapped to the VLAN assigned to the VoIP phones. VLANs assigned to the VoIP phones configured on the switch uplinks. A UBT reserved VLAN set to a VLAN dedicated for that purpose. You are establishing a cluster of HPE Aruba Networking ClearPass servers. (Assume that they are running version 6.9.). For which type of certificate is it recommended to install a CA-signed certificate on the Subscriber before it joins the cluster?. Database. HTTPS. RADIUS/EAP. RadSec. You are setting up an HPE Aruba Networking VIA solution for a company. You have already created a VPN pool with IP addresses for the remote clients. During tests, however, the clients do not receive IP addresses from that pool. What is one setting to check?. That the pool uses valid, public IP addresses that are assigned to the company. That the pool is associated with the role to which the VIA clients are being assigned. That the pool uses an IP subnet that is different from any subnet configured on the VPNC. That the pool is referenced in the clients' VIA Connection Profile. What is a typical use case for using HPE Aruba Networking ClearPass Onboard to provision devices?. Enabling unmanaged devices to succeed at certificate-based 802.1X. Enabling managed Windows domain computers to succeed at certificate-based 802.1X. Enhancing security for IoT devices that need to authenticate with MAC-Auth. Enforcing posture-based assessment on managed Windows domain computers. 
A company is using HPE Aruba Networking Central SD-WAN Orchestrator to establish a hub-spoke VPN between branch gateways (BGWs) at 1444 site and VPNCs at multiple data centers. What is part of the configuration that admins need to complete?. At the global level, create default IPsec policies for the SD-WAN Orchestrator to use. In BGWs' groups, select the VPNCs to which to connect in a DC preference list. In VPNCs' groups, establish VPN pools to control which branches connect to which VPNCs. In BGWs' and VPNCs' groups, create default IKE policies for the SD-WAN Orchestrator to use. A company has HPE Aruba Networking APs (AOS-10), which authenticate clients to HPE Aruba Networking ClearPass Policy Manager (CPPM). CPPM is set up to receive a variety of information about clients' profile and posture. New information can mean that CPPM should change a client's enforcement profile. What should you set up on the APs to help the solution function correctly?. In the security settings, configure dynamic denylisting. In the RADIUS server settings for CPPM, enable Dynamic Authorization. In the WLAN profiles, enable interim RADIUS accounting. In the RADIUS server settings for CPPM, enable querying the authentication status. A company wants HPE Aruba Networking ClearPass Policy Manager (CPPM) to respond to Syslog messages from its Check Point firewall. You have added the firewall as an event source and set up an event service. However, test Syslog messages are not triggering the expected actions. What is one CPPM setting that you should check?. ClearPass Device Insight integration is disabled. The Check Point Extension is installed through ClearPass Guest. The CoA delay value is set to 0 on the server. Ingress Event Dictionaries for Check Point messages are enabled. An AOS-CX switch has been configured to implement UBT to a cluster of three HPE Aruba Networking gateways. How does the switch determine to which gateways to tunnel UBT users' traffic?. 
The switch tunnels all users' traffic to the gateway configured as the primary gateway in the UBT zone, unless that gateway fails. The switch tunnels each user's traffic to the particular gateway assigned as that user's active user designated gateway. The switch load balances client traffic across the primary and standby gateway configured in the UBT zone. The switch tunnels all users' traffic to the gateway assigned as the switch's active device designated gateway. What correctly describes an HPE Aruba Networking AP's Device (TPM) certificate?. It is signed by an HPE Aruba Networking CA and is trusted by many HPE Aruba Networking solutions. It works well as a captive portal certificate for guest SSIDs. It is a self-signed certificate that should not be used in production. It is installed on APs after they connect to and are provisioned by HPE Aruba Networking Central. You have downloaded a packet capture that you generated on HPE Aruba Networking Central. When you open the capture in Wireshark, you see the output shown in the exhibit. What should you do in Wireshark so that you can better interpret the packets?. Choose to decode UDP port 5555 packets as ARUBA_ERM and set the Aruba ERM Type to 0. Edit preferences for IEEE 802.11 and choose to ignore the Protection bit with IV. Apply the following display filter: wlan.fc.type == 1. Edit the Enabled Protocols and make sure that 802.11, GRE, and Aruba_ERM are enabled. A company wants to implement Virtual Network based Tunneling (VNBT) on a particular group of users and assign those users to an overlay network with VNI 3000. Assume that an AOS-CX switch is already set up to: Implement 802.1X to HPE Aruba Networking ClearPass Policy Manager (CPPM). Participate in an EVPN VXLAN solution that includes VNI 3000. Which setting should you configure in the users' AOS-CX role to apply VNBT to them when they connect?. Gateway zone set to "3000" with no gateway role set. Gateway zone set to "vni-3000" with no gateway role set. 
Access VLAN set to the VLAN mapped to VNI 3000. Access VLAN ID set to "3000". A company uses both HPE Aruba Networking ClearPass Policy Manager (CPPM) and HPE Aruba Networking ClearPass Device Insight (CPDI). What is one way integrating the two solutions can help the company implement Zero Trust Security?. CPPM can provide CPDI with custom device fingerprint definitions in order to enhance the company's total visibility. CPDI can provide CPPM with extra information about users' identity; CPPM can then use that information to apply the correct identity-based enforcement. CPPM can inform CPDI that it has assigned a particular Aruba-User Role to a client; CPDI can then use that information to reclassify the client. CPDI can use tags to inform CPPM that clients are using prohibited applications; CPPM can then tell the network infrastructure to quarantine those clients. What role can Internet Key Exchange (IKE)/IKEv2 play in an HPE Aruba Networking client-to-site VPN?. It provides an alternative to IPsec that is suitable for legacy clients. It provides a more modern and secure alternative to IPsec. It helps to negotiate the IPsec SA automatically and securely. It helps remote clients download IPsec profiles for later use. A company uses HPE Aruba Networking ClearPass Policy Manager (CPPM) as a TACACS+ server to authenticate managers on its AOS-CX switches. The company wants CPPM to control which commands managers are allowed to enter. Which service must you add to the managers' TACACS+ enforcement profile?. Cpass:HTTP. Shell. ARAP. Aruba:Common. An AOS-CX switch has this admin user account configured on it: netadmin in the operators group. You have configured these commands on an AOS-CX switch:

    tacacs-server host cp.example.com key plaintext &12xl,powmay7855
    aaa authentication login ssh group tacacs local
    aaa authentication allow-fail-through

A user accesses the switch with SSH and logs in as netadmin with the correct password. 
When the switch sends a TACACS+ request to the ClearPass server at cp.example.com, the server does not send a response. Authentication times out. What happens?. The user is logged in and granted operator access. The user is logged in and allowed to enter auditor commands only. The user is logged in and granted administrators access. The user is not allowed to log in. A port-access role for AOS-CX switches has this policy applied to it:

    port-access policy mypolicy
        10 class ip zoneC action drop
        20 class ip zoneA action drop
        100 class ip zoneB

The classes have this configuration:

    class ip zoneC
        10 match tcp 10.2.0.0 eq https
    class ip zoneA
        10 match ip any 10.1.0.0
    class ip zoneB
        10 match ip any 10.0.0.0

The company wants to permit clients in this role to access 10.2.12.0 with HTTPS. What should you do?. Add this rule to zoneC: 5 match any 10.2.12.0 eq https. Add this rule to zoneA: 5 ignore tcp any 10.2.12.0 eq https. Add this rule to zoneB: 5 match tcp any 10.2.12.0 eq https. Add this rule to zoneC: 5 ignore tcp any 10.2.12.0 eq https. You are setting up HPE Aruba Networking SSE to prohibit users from uploading and downloading files from Dropbox. What is part of the process?. Adding a web category that includes Dropbox. Installing the HPE Aruba Networking SSE root certificate on clients. Deploying a connector that can reach the remote users. Deploying a connector that can reach Dropbox. You are setting up user-based tunneling (UBT) between access layer AOS-CX switches and AOS-10 gateways. You have selected reserved (local) VLAN mode. Tunneled devices include IoT devices, which should be assigned to: Roles: iot on the switches and iot-wired on the gateways. VLAN: 64, for which the gateways route traffic. IoT devices connect to the access layer switches' edge ports, and the access layer switches reach the gateways on their uplinks. Where must you configure VLAN 64?. In the iot-wired role and on no physical interfaces. 
In the iot role and the iot-wired role and on no physical interfaces. In the iot-wired role and the access switch uplinks. In the iot role and the access switch uplinks. A company has a third-party security appliance deployed in its data center. The company wants to pass all traffic for certain clients through that device before forwarding that traffic toward its ultimate destination. Which AOS-CX switch technology fulfills this use case?. Virtual Network Based Tunneling (VNBT). MC-LAG. Network Analytics Engine (NAE). Device profiles. You manage AOS-10 APs with HPE Aruba Networking Central. A role is configured on these APs with the following rules:

    1. Allow UDP on port 67 to any destination
    2. Allow any to network 10.1.6.0
    3. Deny any to network 10.1.0.0 + log
    4. Deny any to network 10.0.0.0
    5. Allow any to any destination

You add this new rule immediately before rule 2:

    Deny SSH to network 10.1.4.0 + denylist

What happens when a client assigned to this role sends SSH traffic to 10.1.11.42?. The traffic is permitted. The traffic is dropped and logged. The traffic is dropped (without any logging or further action against the client). The traffic is dropped, and the client is denylisted. HPE Aruba Networking ClearPass Device Insight (CPDI) could not classify some endpoints using system and user rules. Using machine learning, it did assign those endpoints to a cluster and discover a recommendation. In which of these circumstances does CPDI automatically classify the endpoints based on that recommendation?. The recommendation has 96% confidence, and it is based on 13 classified devices. The recommendation has 98% confidence, and it is based on 5 classified devices. The recommendation has 93% confidence, and it is based on 36 classified devices. The recommendation has 100% confidence, and it is based on 4 classified devices. You are setting up HPE Aruba Networking SSE. Which use case requires you to apply a non-default device posture in a rule?. 
Applying threat inspection to users when they access certain websites. Checking whether a client has antivirus software as a condition for receiving access to resources. Redirecting compromised clients to a remediation server. Integrating with HPE Aruba Networking ClearPass OnGuard. All of the switches in the exhibit are AOS-CX switches. What is the preferred configuration on Switch-2 for preventing rogue OSPF routers in this network?. Configure OSPF authentication on VLANs 10-19 in password mode. Configure OSPF authentication on Lag 1 in MD5 mode. Disable OSPF entirely on VLANs 10-19. Configure passive-interface as the OSPF default and disable OSPF passive on Lag 1. Which issue can an HPE Aruba Networking Secure Web Gateway (SWG) solution help customers address?. The organization needs a faster way to quarantine clients that have generated threats, as detected by third-party firewalls. Hybrid workers are exposing their computers to risky internet sites and infection by malware when they work from home. Remote workers need access to private data center applications without exposing those applications to unauthorized users. The organization currently has no way to prevent users from exfiltrating sensitive data from SaaS applications. A company has several use cases for using its AOS-CX switches' HPE Aruba Networking Network Analytics Engine (NAE). What is one guideline to keep in mind as you plan?. Each switch model has a maximum number of supported monitors, and one agent might have multiple monitors. You can install multiple scripts on a switch, but you can deploy only one agent per script. The switch will permit you to deploy as many NAE agents as you want, but they might degrade the switch functionality. When you use custom scripts, you can create as many agents from each script as you want. A company has been running Gateway IDS/IPS on its gateways in IDS mode for several weeks. The company wants to transition to IPS mode. What is one step you should recommend?. 
Disable traffic inspection and reboot before re-enabling traffic inspection with the new mode. Change the mode on one gateway at a time to establish a smoother transition period. Consider applying a stricter IPS policy to minimize issues during the transition period. Check for legitimate traffic that has been flagged as a threat and allow list the associated rules. A ClearPass Policy Manager (CPPM) service includes these settings:

    Role Mapping Policy:
        Evaluate: Select first
        Rule 1 conditions:
            Authorization:AD:Groups EQUALS Managers
            Authentication:TEAP-Method-1-Status EQUALS Success
        Rule 1 role: manager
        Rule 2 conditions:
            Authentication:TEAP-Method-1-Status EQUALS Success
        Rule 2 role: domain-comp
        Default role: [Other]

    Enforcement Policy:
        Evaluate: Select first
        Rule 1 conditions: Tips Role EQUALS manager AND Tips Role EQUALS domain-comp
        Rule 1 profile list: domain-manager
        Rule 2 conditions: Tips Role EQUALS manager
        Rule 2 profile list: manager-only
        Rule 3 conditions: Tips Role EQUALS domain-comp
        Rule 3 profile list: domain-only
        Default profile: [Deny access]

A client is authenticated by the service. CPPM collects attributes indicating that the user is in the Contractors group, and the client passed both TEAP methods. Which enforcement policy will be applied?. [Deny Access Profile]. manager-only. domain-manager. domain-only. A company has HPE Aruba Networking APs managed by HPE Aruba Networking Central. You have set up a WLAN to enforce WPA3 with 802.1X authentication. What happens if the client fails authentication?. The AP assigns the client to the WLAN's default role. The AP drops the client because authentication aborts. The AP assigns the client to the WLAN's critical role. The AP assigns the client to the WLAN's initial role. A company wants you to integrate HPE Aruba Networking ClearPass Policy Manager (CPPM) with HPE Aruba Networking ClearPass Device Insight (CPDI). What is one aspect of the integration that you should explain?. 
CPPM no longer supports any Device Profiler features and relies on CPDI for this profile information. CPDI must be configured as an audit server on CPPM for the integration to be successful. CPDI must have security analysis disabled on it for the integration to be successful. CPPM can submit profile information to CPDI, but if CPDI derives a different classification, CPDI takes precedence. An HPE Aruba Networking 9x00 gateway is part of an HPE Aruba Networking Central group that has the settings shown in the exhibit. What would cause the gateway to drop traffic as part of its IDPS settings?. Its site-to-site VPN connections failing. Traffic matching a rule in the active ruleset. Its IDPS engine failing. Traffic showing anomalous behavior. You are establishing a cluster of HPE Aruba Networking ClearPass servers. (Assume that they are running version 6.9.). For which type of certificate is it recommended to install a CA-signed certificate on the Subscriber before it joins the cluster?. HTTPS. Database. RADIUS/EAP. RadSec. A company has HPE Aruba Networking gateways that implement gateway IDS/IPS. Admins sometimes check the Security Dashboard, but they want a faster way to discover if a gateway starts detecting threats in traffic. What should they do?. Set up Webhooks that are attached to the HPE Aruba Networking Central Threat Dashboard. Use Syslog to integrate the gateways with HPE Aruba Networking ClearPass Policy Manager (CPPM) event processing. Set up email notifications using HPE Aruba Networking Central's global alert settings. Integrate HPE Aruba Networking ClearPass Device Insight (CPDI) with Central and schedule hourly reports. A company has Aruba APs that are controlled by Central and that implement WIDS. When you check WIDS events, you see a "detect valid SSID misuse" event. What can you interpret from this event, and what steps should you take?. Clients are failing to authenticate to corporate SSIDs. 
You should first check for misconfigured authentication settings and then investigate a possible threat. Admins have likely misconfigured SSID security settings on some of the company's APs. You should have them check those settings. Hackers are likely trying to pose as authorized APs. You should use the detecting radio information and immediately track down the device that triggered the event. This event might be a threat but is almost always a false positive. You should wait to see the event over several days before following up on it. A company is using HPE Aruba Networking ClearPass Device Insight (CPDI) (the standalone application). In the CPDI security settings, Security Analysis is On, the Data Source is ClearPass Device Insight, and Enable Posture Assessment is On. You see that a device has a Risk Score of 90. What can you know from this information?. The posture is unknown, and CPDI has detected exactly four vulnerabilities on the device. The posture is healthy, but CPDI has detected multiple vulnerabilities on the device. The posture is unhealthy, and CPDI has also detected at least one vulnerability on the device. The posture is unhealthy, but CPDI has not detected any vulnerabilities on the device. Which statement describes Zero Trust Security?. Companies must apply the same access controls to all users, regardless of identity. Companies that support remote workers cannot achieve zero trust security and must determine if the benefits outweigh the cost. Companies should focus on protecting their resources rather than on protecting the boundaries of their internal network. Companies can achieve zero trust security by strengthening their perimeter security to detect a wider range of threats. A company has AOS-CX switches. The company wants to make it simpler and faster for admins to detect denial of service (DoS) attacks, such as ping or ARP floods, launched against the switches. What can you do to support this use case?. 
Deploy an NAE agent on the switches to monitor control plane policing (CoPP). Configure the switches to implement RADIUS accounting to HPE Aruba Networking ClearPass and enable HPE Aruba Networking ClearPass Insight. Implement ARP inspection on all VLANs that support end-user devices. Enabling debugging of security functions on the switches. A company has AOS-CX switches at the access layer, managed by HPE Aruba Networking Central. You have identified suspicious activity on a wired client. You want to analyze the client's traffic with Wireshark, which you have on your management station. What should you do?. Access the client's switch's CLI from your management station. Access the switch shell and run a TCP dump on the client port. Go to the client's switch in HPE Aruba Networking Central. Use the "Security" page to run a packet capture. Set up a policy that implements a captive portal redirect to your management station. Apply that policy to the client's port. Set up a mirror session on the client's switch; set the client port as the source and your station IP address as the tunnel destination. HPE Aruba Networking Central displays a Gateway Threat Count alert in the alert list. How can you gather more information about what caused the alert to trigger?. Use HPE Aruba Networking Central tools to run a Network Check on the gateway with which the alert is associated. Use Live Monitoring on the gateway to download a packet capture of recent traffic flowing through the gateway. Check the threat list for the gateway associated with the alert. Access threat details and download packet info. Check the gateway's Audit Trail in HPE Aruba Networking Central for more details about the threats that triggered the alert. 
The following firewall role is configured on HPE Aruba Networking Central-managed APs:

    wlan access-rule employees
        index 3
        rule any any match 17 67 67 permit
        rule any any match any 53 53 permit
        rule 10.5.5.0 255.255.255.0 match any any any deny
        rule 10.5.0.0 255.255.0.0 match 6 80 80 permit
        rule 10.5.0.0 255.255.0.0 match 6 443 443 permit
        rule 10.5.0.0 255.255.0.0 match any any any deny
        rule any any match any any any permit

A client has authenticated and been assigned to the employees role. The client has IP address 10.2.2.2. Which correctly describes behavior in this policy?. HTTPS traffic from 10.2.2.2 to 10.5.5.5 is denied. HTTPS traffic from 10.2.2.2 to 203.0.113.12 is denied. Traffic from 10.5.3.3 in an active HTTPS session between 10.2.2.2 and 10.5.3.3 is permitted. Traffic from 198.51.100.12 in an active HTTP session between 10.2.2.2 and 198.51.100.12 is denied. You need to set up HPE Aruba Networking ClearPass Policy Manager (CPPM) to provide certificate-based authentication of 802.1X supplicants. How should you upload the root CA certificate for the supplicants' certificates?. As a ClearPass Server certificate with the RADIUS/EAP usage. As a ClearPass Server certificate with the Database usage. As a Trusted CA with the AD/LDAP usage. As a Trusted CA with the EAP usage. You are setting up policy rules in HPE Aruba Networking SSE. You want to create a single rule that permits users in a particular user group to access multiple applications. What is an easy way to meet this need?. Associate the applications directly with the IdP used to authenticate the users; choose any for the destination in the policy rule. Apply the same tag to the applications; select the tag as a destination in the policy rule. Place all the applications in the same connector zone; select that zone as a destination in the policy rule. Select the applications within a non-default web profile; select that profile in the policy rule. 
A company has a variety of HPE Aruba Networking solutions, including an HPE Aruba Networking infrastructure and HPE Aruba Networking ClearPass Policy Manager (CPPM). The company passes traffic from the corporate LAN destined to the data center through a third-party SRX firewall. The company would like to further protect itself from internal threats. What is one solution that you can recommend?. Have the third-party firewall send Syslogs to CPPM, which can work with network devices to lock internal attackers out of the network. Add ClearPass Device Insight (CPDI) to the solution, integrate it with the third-party firewall to develop more complete device profiles. Configure CPPM to poll the third-party firewall for a broad array of information about internal clients, such as profile and posture. Use tunnel mode SSIDs and user-based tunneling (UBT) on AOS-CX switches to pass all internal traffic directly through the third-party firewall. The exhibit shows a saved packet capture, which you have opened in Wireshark. You want to focus on the complete conversation between 10.1.70.90 and 10.1.79.11 that uses source port 5448. What is a simple way to do this in Wireshark?. Apply a capture filter that selects for both the 10.1.70.90 and 10.1.79.11 IP addresses. Click the Source column and then the Destination column to sort the packets into the desired order. Apply a capture filter that selects for TCP port 5448. Right-click one of the packets between those addresses and choose to follow the stream. These packets have been captured from VLAN 10, which supports clients that receive their IP addresses with DHCP. What can you interpret from the packets that you see here?. Someone is possibly implementing a MAC spoofing attack to gain unauthorized access. The mirroring session that captured the packets was likely misconfigured and captured duplicate traffic. An admin has likely misconfigured two clients to use the same DHCP settings. 
Someone is possibly implementing an ARP poisoning and MITM attack. A company is using HPE Aruba Networking Central SD-WAN Orchestrator to establish a hub-spoke VPN between branch gateways (BGWs) at 1164 site and VPNCs at multiple data centers. What is part of the configuration that admins need to complete?. In VPNCs' groups, establish VPN pools to control which branches connect to which VPNCs. In BGWs' and VPNCs' groups, create default IKE policies for the SD-WAN Orchestrator to use. In BGWs' groups, select the VPNCs to which to connect in a DC preference list. At the global level, create default IPsec policies for the SD-WAN Orchestrator to use. A company has HPE Aruba Networking APs running AOS-10 that connect to AOS-CX switches. The APs will: Authenticate as 802.1X supplicants to HPE Aruba Networking ClearPass Policy Manager (CPPM). Be assigned to the "APs" role on the switches. Have their traffic forwarded locally. What information do you need to help you determine the VLAN settings for the "APs" role?. Whether the switches are using local user-roles (LURs) or downloadable user-roles (DURs). Whether the APs bridge or tunnel traffic on their SSIDs. Whether the switches have established tunnels with an HPE Aruba Networking gateway. Whether the APs have static or DHCP-assigned IP addresses. A company has AOS-CX switches, which authenticate clients to HPE Aruba Networking ClearPass Policy Manager (CPPM). CPPM is set up to receive a variety of information about clients' profile and posture. New information can mean that CPPM should change a client's enforcement profile. What should you set up on the switches to help the solution function correctly?. Enable RADIUS accounting to CPPM, including interim RADIUS accounting. Configure a RADIUS track that references CPPM's FQDN or IP address. Enable dynamic authorization, and specify CPPM as a dynamic authorization client. Re-configure the authentication server on the switch specifying CPPM as a TACACS server. 
A company already uses HPE Aruba Networking ClearPass Policy Manager (CPPM) as the RADIUS server for authenticating wireless clients with 802.1X. Now you are setting up 802.1X on AOS-CX switches to authenticate many of those same clients on wired connections. You decide to copy CPPM's wireless 802.1X service and then edit it with a new name and enforcement policy. What else must you change for authentication to work properly?. Role mapping policy. Authentication methods. Authentication source. Service rules. You are configuring the HPE Aruba Networking ClearPass Device Insight Integration settings on ClearPass Policy Manager (CPPM). For which use case should you set the "Tag Updates Action" to "apply for all tag updates"?. When the Device Insight integration poll interval is set to a relatively long interval but you still want CPPM to be informed quickly about devices' new tags. When Device Insight tags are only used to identify dangerous devices, and you want to disconnect those devices without having to set up new rules in enforcement policies. When CPPM is gathering posture information for CPDI, and you want CPDI to always have access to the most up-to-date information. When you plan to have CPPM issue CoAs for clients with new tags, but do not want to have to list those specific tags in the Device Integration settings in advance. You are helping an organization deploy HPE Aruba Networking SSE. What is one reason to recommend that the company install agents on remote users' devices?. To run posture checks and apply different permissions based on those checks. To permit admins to manage the HPE Aruba Networking SSE policy rules. To permit users to access private servers using SSH. To run threat inspection on clients in a local sandbox rather than in the cloud. You want to examine the applications that a device is using and look for any changes in application usage over several different ranges. 
In which HPE Aruba Networking solution can you view this information in an easy-to-view format?. HPE Aruba Networking ClearPass OnGuard agent installed on the device. HPE Aruba Networking Central within a device's Live Monitoring page. HPE Aruba Networking ClearPass Insight using an Active Endpoint Security report. HPE Aruba Networking ClearPass Device Insight (CPDI) in the device's network activity. A company wants to use HPE Aruba Networking ClearPass Policy Manager (CPPM) to profile Linux devices. You have decided to schedule a subnet scan of the devices' subnets. Which additional step should you complete before scheduling the scan?. Set up SSH accounts on CPPM and map them to the Linux devices' subnets. Enable WMI probing in the cluster-wide parameters. Enable the Data Port in the ClearPass server settings and connect that port to the network. Configure SNMP in the network device settings for the switches that support the Linux devices. HPE Aruba Networking switches are implementing MAC-Auth to HPE Aruba Networking ClearPass Policy Manager (CPPM) for a company's printers. The company wants to quarantine a client that spoofs a legitimate printer's MAC address. You plan to add a rule to the MAC-Auth service enforcement policy for this purpose. What condition should you include?. Endpoint Compliance EQUALS false. Endpoint Device Insight Tag EXISTS. Authorization: [Endpoints Repository] Compromised EQUALS true. Authorization: [Endpoints Repository] Conflict EQUALS true. A company wants to apply role-based access control lists (ACLs) on AOS-CX switches, which are implementing authentication to HPE Aruba Networking ClearPass Policy Manager (CPPM). The company wants to centralize configuration as much as possible. Which correctly describes your options?. You can configure the role on CPPM; however, the CPPM role must reference a policy name that is configured on the switch. 
You can configure the role name on CPPM; however, the role settings, including policy and classes, must be configured locally on the switch. You can configure the role, its policy, and the classes referenced in the policy all on CPPM. You can configure the role and its policy on CPPM; however, the classes referenced in the policy must be configured locally on the switch. A company has HPE Aruba Networking APs running AOS-10 and managed by HPE Aruba Networking Central. The company also has AOS-CX switches. The security team wants you to capture traffic from a particular wireless client. You should capture this client's traffic over a 15-minute time period and then send the traffic to them in a PCAP file. What should you do?. Access the CLI for the client's AP. Set up a mirroring session between its radio and a management station running Wireshark. Go to the client's AP in HPE Aruba Networking Central. Use the "Security" page to run a packet capture. Go to that client in HPE Aruba Networking Central. Use the "Live Events" page to run a packet capture. Access the CLI for the client's AP's switch. Set up a mirroring session between the AP's port and a management station running Wireshark. A company needs you to integrate HPE Aruba Networking ClearPass Policy Manager (CPPM) with HPE Aruba Networking ClearPass Device Insight (CPDI). What is one task you should do to prepare?. Install the root CA for CPPM's HTTPS certificate as trusted in the CPDI application. Enable Insight in the CPPM server configuration settings. Configure WMI, SSH, and SNMP external accounts for device scanning on CPPM. Collect a Data Collector token from HPE Aruba Networking Central. A company wants you to create a custom device fingerprint on CPPM with rules for profiling a group of specialized devices. What is one requirement?. Connecting a known device of this type and getting it discovered in CPPM's Endpoints Repository. 
- Enabling HPE Aruba Networking ClearPass Device Insight integration with the correct Data Collector token.
- Pre-defining the desired attributes and rules in an XML format file.
- Disabling the "Automatically download Endpoint Profiler Fingerprints" feature in cluster-wide parameters.

The exhibit shows the TACACS+ enforcement profile that HPE Aruba Networking ClearPass Policy Manager (CPPM) assigns to a manager. When this manager logs into an AOS-CX switch, what does the switch do?
- Assigns the manager operator-level privileges.
- Assigns the manager administrator-level privileges.
- Rejects the manager with an error message.
- Assigns the manager auditor-level privileges.

You are using Wireshark to view packets captured from HPE Aruba Networking infrastructure, but you're not sure that the packets are displaying correctly. In which circumstance does it make sense to configure Wireshark to ignore protection bits with the IV for the 802.11 protocol?
- When the traffic was captured on the data plane of an HPE Aruba Networking gateway and sent to a remote IP.
- When the traffic was mirrored from an AOS-CX switch port connected to an AP.
- When the traffic was captured from an AP with HPE Aruba Networking Central.
- When the traffic was captured on the control plane of an HPE Aruba Networking MC and sent to a remote IP.

You have enabled "rogue AP containment" in the Wireless IPS settings for a company's HPE Aruba Networking APs. What form of containment does HPE Aruba Networking recommend?
- Wireless deauthentication only.
- Wireless tarpit and wired containment.
- Wireless tarpit only.
- Wired containment.

The exhibit shows the 802.1X-related settings for Windows domain clients. What should admins change to make the settings follow best security practices?
- Specify at least two server names under the "Connect to these servers" field.
- Select the desired Trusted Root Certificate Authority and select the check box next to "Don't prompt users."
- Under the "Connect to these servers" field, use a wildcard in the server name.
- Clear the check box for using simple certificate selection and select the desired certificate manually.

You have verified that AOS-CX Switch-1 has constructed an IP-to-MAC binding table in VLANs 10-19. Now you need to enable ARP inspection for the endpoint connected to Switch-1. What must you do first to prevent traffic disruption?
- Configure ARP inspection on VLANs 10-19 on Switch-2.
- Configure DHCP snooping on VLANs 10-19 on Switch-2.
- Configure Switch-1 uplinks as trusted ARP inspection ports.
- Create a static IP-to-MAC binding on Switch-1 for the DHCP server.

A company has AOS-CX switches and HPE Aruba Networking APs, which run AOS-10 and bridge their SSIDs. Company security policies require 802.1X on all edge ports, some of which connect to APs. How should you configure the auth-mode on AOS-CX switches?
- Leave all edge ports in client auth-mode and configure device auth-mode in the AP role.
- Configure all edge ports in client auth-mode.
- Configure all edge ports in device auth-mode.
- Leave all edge ports in device auth-mode and configure client auth-mode in the AP role.

You need to create a rule in an HPE Aruba Networking ClearPass Policy Manager (CPPM) role mapping policy that references a ClearPass Device Insight Tag. Which Type (namespace) should you specify for the rule?
- Endpoint.
- TIPS.
- Device.
- Application.

What is one benefit of integrating HPE Aruba Networking ClearPass Policy Manager (CPPM) with third-party solutions such as Mobility Device Management (MDM) and firewalls?
- CPPM can exchange contextual information about clients with third-party solutions, which helps make better decisions.
- CPPM can make the third-party solutions more secure by adding signature-based threat detection capabilities.
- CPPM can offload policy decisions to the third-party solutions, enabling CPPM to respond to authentication requests more quickly.
- CPPM can take over filtering internal traffic so that the third-party solutions have more processing power to devote to filtering external traffic.

What is a benefit of Online Certificate Status Protocol (OCSP)?
- It lets a device determine whether to trust a certificate without needing any root certificates installed.
- It lets a device query whether a single certificate is revoked or not.
- It lets a device download all the serial numbers for certificates revoked by a CA at once.
- It lets a device dynamically renew its certificate before the certificate expires.

You have created a Web-based Health Check Service that references a posture policy. You want the service to trigger a RADIUS change of authorization (CoA) when a client receives a Healthy or Quarantine posture. Where do you configure those rules?
- In a RADIUS enforcement policy.
- In the Agents and Software Updates > OnGuard Settings.
- In the posture policy.
- In a WEBAUTH enforcement policy.

You have configured an AOS-CX switch to implement 802.1X on edge ports. Assume ports operate in the default auth-mode. VoIP phones are assigned to the "voice" role and need to send traffic that is tagged for VLAN 12. Where should you configure VLAN 12?
- As the trunk native VLAN on edge ports and the trunk native VLAN on the "voice" role.
- As the allowed trunk VLAN in the "voice" role (and not in the edge port settings).
- As a trunk allowed VLAN on edge ports and the trunk native VLAN in the "voice" role.
- As the trunk native VLAN in the "voice" role (and not in the edge port settings).

A company has AOS-CX switches and HPE Aruba Networking ClearPass Policy Manager (CPPM). The company wants switches to implement 802.1X authentication to CPPM and download user roles. What is one task that you must complete on CPPM to support this use case?
- Export roles on CPPM to a file that uses XML format.
- Create an admin account for the switch on CPPM with the HPE Aruba Networking User Role Download privilege level.
- Configure RADIUS enforcement profiles that specify the HPE-User-Role VSA.
- Upload the switch TPM certificate as a trusted CA certificate with the Others usage.

A company uses both HPE Aruba Networking ClearPass Policy Manager (CPPM) and HPE Aruba Networking ClearPass Device Insight (CPDI). What is one way integrating the two solutions can help the company implement Zero Trust Security?
- CPPM can inform CPDI that it has assigned a particular Aruba-User Role to a client. CPDI can then use that information to reclassify the client.
- CPDI can use tags to inform CPPM that clients are using prohibited applications. CPPM can then tell the network infrastructure to quarantine those clients.
- CPPM can provide CPDI with custom device fingerprint definitions in order to enhance the company's total visibility.
- CPDI can provide CPPM with extra information about users' identity. CPPM can then use that information to apply the correct identity-based enforcement.

A company has HPE Aruba Networking infrastructure devices. The devices authenticate clients to HPE Aruba Networking ClearPass Policy Manager (CPPM). You want CPPM to track information about clients, such as their IP addresses and their network bandwidth utilization. What should you set up on the network infrastructure devices to help that happen?
- Logging with CPPM configured as a Syslog server.
- Dynamic authorization enabled in the RADIUS settings for CPPM.
- RADIUS accounting to CPPM, including interim updates.
- An IF-MAP interface with CPPM as the destination.

HPE Aruba Networking Central displays an alert about an Infrastructure Attack that was detected. You go to the Security > RAPIDS events and see that the attack was "Detect adhoc using Valid SSID." What is one possible next step?
- Make sure that you have tuned the threshold for that check, as false positives are common for it.
- Make sure that clients have updated drivers, as faulty drivers are a common explanation for this attack type.
- Use HPE Aruba Networking Central floorplans or the detecting AP identities to locate the general area for the threat.
- Look for the IP address associated with the offender and then check for that IP address among HPE Aruba Networking Central clients.

An AOS-CX switch has been configured to implement UBT to two HPE Aruba Networking gateways that implement VRRP on the users' VLAN. What correctly describes how the switch tunnels UBT users' traffic to those gateways?
- The switch always sends the users' traffic to the VRRP master.
- The switch always sends all users' traffic to the primary gateway configured in the UBT zone.
- The switch always load shares the users' traffic across both gateways.
- The switch always sends all users' traffic to the gateway assigned as the active device designated gateway.