A company lacks visibility into the many different types of user and IoT devices deployed in its internal network, making it hard for the security team to address those devices.
Which HPE Aruba Networking solution should you recommend to resolve this issue?
A
Explanation:
For a company that lacks visibility into the various types of user and IoT devices on its internal network, HPE Aruba Networking ClearPass Device Insight (CPDI) is the recommended solution. CPDI provides comprehensive visibility and profiling of all devices connected to the network. It uses machine learning and AI to identify and classify devices, offering detailed insight into their behavior and characteristics. This visibility enables the security team to monitor and manage network devices effectively, improving overall network security and compliance.
Reference: Aruba's documentation on ClearPass Device Insight outlines its capabilities in device discovery, profiling, and security posture assessment, making it well suited to environments with diverse and numerous network-connected devices.

A company is using HPE Aruba Networking ClearPass Device Insight (CPDI) (the standalone application). In the CPDI security settings, Security Analysis is On, the Data Source is ClearPass Device Insight, and Enable Posture Assessment is On. You see that a device has a Risk Score of 90.
What can you know from this information?
A
Explanation:
In HPE Aruba Networking ClearPass Device Insight (CPDI), a device with a Risk Score of 90 indicates that its posture is unhealthy and that CPDI has detected at least one vulnerability on the device. The risk score reflects the device's security posture and the vulnerabilities detected on it. A high risk score such as 90 signifies significant security concerns, including the presence of vulnerabilities that could be exploited, and categorizes the device as a high-risk asset within the network.
Reference: ClearPass Device Insight documentation and security settings guides explain how risk scores are calculated and interpreted, including the effect of posture assessment and vulnerability detection on overall device risk ratings.

You have set up a mirroring session between an AOS-CX switch and a management station running Wireshark. You want to capture just the traffic sent in the mirroring session, not the management station's other traffic.
What should you do?
D
Explanation:
To capture only the traffic sent in the mirroring session between an AOS-CX switch and a management station running Wireshark, apply a capture filter that isolates the traffic of interest. In this case, the capture filter "udp port 5555" captures the traffic associated with the mirroring session, because AOS-CX switches typically use UDP port 5555 for mirrored traffic. Only the relevant mirrored packets are captured, and the management station's other traffic is excluded.
Reference: Aruba's AOS-CX documentation and network management guides detail the configuration and monitoring of traffic mirroring sessions, including the use of specific ports for mirrored traffic.

A company uses HPE Aruba Networking ClearPass Policy Manager (CPPM) as a TACACS+ server to authenticate managers on its AOS-CX switches. The company wants CPPM to control which commands managers are allowed to enter. You see there is no field to enter these commands in ClearPass.
How do you start configuring the command list on CPPM?
A
Explanation:
To control which commands managers are allowed to enter on AOS-CX switches using HPE Aruba Networking ClearPass Policy Manager (CPPM) as a TACACS+ server, you need to add the Shell service to the TACACS+ enforcement profiles for the managers. This service lets you define and enforce specific command sets and access privileges for users authenticated via TACACS+. By configuring the Shell service in the enforcement profile, you can specify the commands that are permitted or denied for the managers, ensuring controlled and secure access to the switch's command-line interface.
Reference: Aruba's ClearPass Policy Manager documentation provides detailed instructions on setting up TACACS+ services, including configuring Shell profiles for command authorization and enforcement policies.

HPE Aruba Networking ClearPass Policy Manager (CPPM) uses a service to authenticate clients. You are now adding the Endpoints Repository as an authorization source for the service, and you want to add rules to the service's policies that apply different access levels based, in part, on a client's device category. You need to ensure that CPPM can apply the new correct access level after discovering new clients' categories.
What should you enable on the service?
B
Explanation:
To ensure that HPE Aruba Networking ClearPass Policy Manager (CPPM) can apply the correct access level based on a client's device category after discovering new clients, you need to enable the "Profile Endpoints" option in the Service tab. This option allows CPPM to profile and categorize endpoints dynamically, so that the appropriate access level is applied based on the device's characteristics. Enabling this feature ensures that new devices are accurately profiled and that access policies are enforced on the updated device information.
Reference: Aruba ClearPass documentation and profiling guides detail the configuration and use of endpoint profiling to enhance access control and policy enforcement based on device categories.

A company has AOS-CX switches and HPE Aruba Networking APs, which run AOS-10 and bridge their SSIDs. Company security policies require 802.1X on all edge ports, some of which connect to APs.
How should you configure the auth-mode on AOS-CX switches?
C
Explanation:
For a company with AOS-CX switches and HPE Aruba Networking APs running AOS-10, where 802.1X authentication is required on all edge ports, you should configure all edge ports in client auth-mode. This mode ensures that each client connecting through the APs is authenticated individually, meeting the security policy requirement for 802.1X authentication on all connections.
Reference: Aruba's AOS-CX and ClearPass documentation provide guidelines on configuring 802.1X authentication modes, emphasizing the use of client auth-mode for scenarios involving multiple clients connected through access points.

A company has HPE Aruba Networking Central-managed APs. The company wants to block all clients connected through the APs from using YouTube.
Which steps should you take?
D
Explanation:
To block all clients connected through HPE Aruba Networking Central-managed APs from accessing YouTube, you should enable DPI (Deep Packet Inspection) and then create application rules that deny YouTube on the firewall roles. DPI allows the network to inspect and classify traffic based on application signatures, making it possible to enforce application-specific policies. By creating rules that specifically block YouTube traffic, you prevent clients from accessing the service.
Reference: Aruba Central's documentation on firewall and application control provides detailed instructions on enabling DPI and creating application rules to manage and restrict access to specific applications such as YouTube.

What is one use case for implementing user-based tunneling (UBT) on AOS-CX switches?
D
Explanation:
Implementing user-based tunneling (UBT) on AOS-CX switches is beneficial for applying enhanced security features such as deep packet inspection (DPI) to wired traffic. UBT allows the traffic from specific users or devices to be tunneled to a central controller or security appliance where advanced security policies, including DPI, can be applied. This approach ensures that wired traffic benefits from the same level of security and inspection typically available for wireless traffic, enhancing overall network security.
Reference: Aruba's documentation on UBT and AOS-CX configuration guides detail how to set up user-based tunneling and the benefits of applying advanced security features like DPI to tunneled traffic.

A company has HPE Aruba Networking APs running AOS-10 that connect to AOS-CX switches. The APs will:
- Authenticate as 802.1X supplicants to HPE Aruba Networking ClearPass Policy Manager (CPPM)
- Be assigned to the "APs" role on the switches
- Have their traffic forwarded locally
What information do you need to help you determine the VLAN settings for the "APs" role?
D
Explanation:
To determine the VLAN settings for the "APs" role on AOS-CX switches, you need to know whether the APs bridge or tunnel traffic on their SSIDs. If the APs are bridging traffic, the VLAN settings on the switch need to align with the VLANs used by the SSIDs. If the APs are tunneling traffic to a controller or gateway, the VLAN settings might differ, as the traffic is encapsulated and forwarded through the tunnel. Understanding this ensures that the VLAN configuration on the switches correctly supports the traffic forwarding method employed by the APs.
Reference: Aruba's AOS-10 and AOS-CX documentation provide guidance on VLAN configuration and traffic forwarding methods, highlighting the importance of aligning VLAN settings with the APs' traffic handling mode.

Your company wants to implement Tunneled EAP (TEAP).
How can you set up HPE Aruba Networking ClearPass Policy Manager (CPPM) to enforce certificate-based authentication for clients using TEAP?
D
Explanation:
To set up HPE Aruba Networking ClearPass Policy Manager (CPPM) to enforce certificate-based authentication for clients using Tunneled EAP (TEAP), you need to select an EAP-TLS-type authentication method as TEAP's inner method. TEAP allows a combination of certificate-based (EAP-TLS) and password-based (EAP-MSCHAPv2) authentication. By choosing EAP-TLS as the inner method, you ensure that clients are authenticated using their certificates, enforcing certificate-based authentication within the TEAP framework.
Reference: Aruba ClearPass documentation provides detailed steps for configuring TEAP and selecting appropriate inner authentication methods to ensure secure certificate-based client authentication.