HP Aruba Certified Network Security Associate HPE6-A78 Exam Questions

Page: 1 / 14
Total 168 questions

Want more questions? Get Premium Access.
()

Question 1

What is a benefit of deploying Aruba ClearPass Device insight?

AHighly accurate endpoint classification for environments with many devices types, including Internet of Things (loT)

Bvisibility into devices' 802.1X supplicant settings and automated certificate deployment

CAgent-based analysts of devices' security settings and health status, with the ability to implement quarantining

DSimpler troubleshooting of ClearPass solutions across an environment with multiple ClearPass Policy Managers

Answer : A

Aruba ClearPass Device Insight offers a significant benefit by providing highly accurate endpoint classification. This feature is particularly useful in complex environments with a wide variety of device types, including IoT devices. Accurate device classification allows network administrators to better understand the nature and behavior of devices on their network, which is crucial for implementing appropriate security policies and ensuring network performance and security.

Question 2

You have an Aruba Mobility Controller (MC). for which you are already using Aruba ClearPass Policy Manager (CPPM) to authenticate access to the Web Ul with usernames and passwords You now want to enable managers to use certificates to log in to the Web Ul CPPM will continue to act as the external server to check the names in managers' certificates and tell the MC the managers' correct rote

in addition to enabling certificate authentication. what is a step that you should complete on the MC?

AVerify that the MC has the correct certificates, and add RadSec to the RADIUS server configuration for CPPM

Binstall all of the managers' certificates on the MC as OCSP Responder certificates

CVerify that the MC trusts CPPM's HTTPS certificate by uploading a trusted CA certificate Also, configure a CPPM username and password on the MC

DCreate a local admin account mat uses certificates in the account, specify the correct trusted CA certificate and external authentication

Answer : C

To enable managers to use certificates to log into the Web UI of an Aruba Mobility Controller (MC), where Aruba ClearPass Policy Manager (CPPM) acts as the external server for authentication, it is essential to ensure that the MC trusts the HTTPS certificate used by CPPM. This involves uploading a trusted CA certificate to the MC that matches the one used by CPPM. Additionally, configuring a username and password for CPPM on the MC might be necessary to secure and facilitate communication between the MC and CPPM. This setup ensures that certificate-based authentication is securely validated, maintaining secure access control for the Web UI.

Aruba Mobility Controller configuration guides that detail the process of setting up certificate-based authentication.

Best practices for secure authentication and certificate management in enterprise network environments.

Question 3

A company has HPE Aruba Networking Mobility Controllers (MCs), campus APs, and AOS-CX switches. The company plans to use HPE Aruba Networking ClearPass Policy Manager (CPPM) to classify endpoints by type. This company is using only CPPM and no other HPE Aruba Networking ClearPass solutions.

The HPE Aruba Networking ClearPass admins tell you that they want to use HTTP User-Agent strings to help profile the endpoints.

What should you do as a part of setting up Mobility Controllers (MCs) to support this requirement?

ACreate datapath mirrors that use the CPPM's IP address as the destination.

BCreate an IF-MAP profile, which specifies credentials for an API admin account on CPPM.

CCreate control path mirrors to mirror HTTP traffic from clients to CPPM.

DCreate a firewall whitelist rule that permits HTTP and CPPM's IP address.

Answer : A

HPE Aruba Networking ClearPass Policy Manager (CPPM) uses device profiling to classify endpoints, and one of its profiling methods involves analyzing HTTP User-Agent strings to identify device types (e.g., iPhone, Windows laptop). HTTP User-Agent strings are sent in HTTP headers when a client accesses a website. For CPPM to profile devices using HTTP User-Agent strings, it must receive the HTTP traffic from the clients. In this scenario, the company is using Mobility Controllers (MCs), campus APs, and AOS-CX switches, and CPPM is the only ClearPass solution in use.

HTTP User-Agent Profiling: CPPM can passively profile devices by analyzing HTTP traffic, but it needs to receive this traffic. In an AOS-8 architecture, the MC can mirror client traffic to CPPM for profiling. Since HTTP traffic is part of the data plane (user traffic), the MC must mirror the data plane traffic (not control plane traffic) to CPPM.

Option A, 'Create datapath mirrors that use the CPPM's IP address as the destination,' is correct. The MC can be configured to mirror client HTTP traffic to CPPM using a datapath mirror (also known as a GRE mirror). This involves setting up a mirror session on the MC that sends a copy of the client's HTTP traffic to CPPM's IP address. CPPM then analyzes the HTTP User-Agent strings in this traffic to profile the endpoints. For example, the command mirror session 1 destination ip <CPPM-IP> source ip any protocol http can be used to mirror HTTP traffic to CPPM.

Option B, 'Create an IF-MAP profile, which specifies credentials for an API admin account on CPPM,' is incorrect. IF-MAP (Interface for Metadata Access Points) is a protocol used for sharing profiling data between ClearPass and other systems (e.g., Aruba Introspect), but it is not used for sending HTTP traffic to CPPM for profiling. Additionally, IF-MAP is not relevant when only CPPM is in use.

Option C, 'Create control path mirrors to mirror HTTP traffic from clients to CPPM,' is incorrect. Control path (control plane) traffic includes management traffic between the MC and APs (e.g., AP registration, heartbeats), not client HTTP traffic. HTTP traffic is part of the data plane, so a datapath mirror is required, not a control path mirror.

Option D, 'Create a firewall whitelist rule that permits HTTP and CPPM's IP address,' is incorrect. A firewall whitelist rule on the MC might be needed to allow traffic to CPPM, but this is not the primary step for enabling HTTP User-Agent profiling. The key requirement is to mirror the HTTP traffic to CPPM, which is done via a datapath mirror, not a firewall rule.

The HPE Aruba Networking AOS-8 8.11 User Guide states:

'To enable ClearPass Policy Manager (CPPM) to profile devices using HTTP User-Agent strings, the Mobility Controller (MC) must mirror client HTTP traffic to CPPM. This is done by creating a datapath mirror session that sends a copy of the client's HTTP traffic to CPPM's IP address. For example, use the command mirror session 1 destination ip <CPPM-IP> source ip any protocol http to mirror HTTP traffic to CPPM. CPPM then analyzes the HTTP User-Agent strings to classify endpoints by type (e.g., iPhone, Windows laptop).' (Page 350, Device Profiling with CPPM Section)

Additionally, the HPE Aruba Networking ClearPass Policy Manager 6.11 User Guide notes:

'HTTP User-Agent profiling requires ClearPass to receive HTTP traffic from clients. In an Aruba Mobility Controller environment, configure a datapath mirror to send HTTP traffic to ClearPass's IP address. ClearPass will parse the HTTP User-Agent strings to identify device types and operating systems, enabling accurate profiling.' (Page 249, HTTP User-Agent Profiling Section)

HPE Aruba Networking AOS-8 8.11 User Guide, Device Profiling with CPPM Section, Page 350.

HPE Aruba Networking ClearPass Policy Manager 6.11 User Guide, HTTP User-Agent Profiling Section, Page 249.

===========

Question 4

You have an HPE Aruba Networking Mobility Controller (MC) that is locked in a closet. What is another step that HPE Aruba Networking recommends to protect the MC from unauthorized access?

ASet the local admin password to a long random value that is unknown or locked up securely.

BDisable local authentication of administrators entirely.

CChange the password recovery password.

DUse local authentication rather than external authentication to authenticate admins.

Answer : A

The scenario involves an HPE Aruba Networking Mobility Controller (MC) that is physically secured in a locked closet, which provides protection against physical tampering. However, additional steps are needed to protect the MC from unauthorized access, particularly through administrative interfaces (e.g., SSH, web UI, console).

Option A, 'Set the local admin password to a long random value that is unknown or locked up securely,' is correct. HPE Aruba Networking recommends securing administrative access to the MC by setting a strong, random password for the local admin account (e.g., the default 'admin' user). The password should be long (e.g., 16+ characters), random, and stored securely (e.g., in a password manager or safe). This ensures that even if an attacker gains physical access to the MC (e.g., by bypassing the locked closet) or attempts remote access, they cannot easily guess or brute-force the password.

Option B, 'Disable local authentication of administrators entirely,' is incorrect. Disabling local authentication entirely would prevent any fallback access to the MC if external authentication (e.g., RADIUS, TACACS+) fails. HPE Aruba Networking recommends maintaining a local admin account as a backup, but securing it with a strong password.

Option C, 'Change the password recovery password,' is incorrect. AOS-8 Mobility Controllers do not have a specific 'password recovery password.' Password recovery typically involves physical access to the device (e.g., via the console port) and a factory reset, which would be mitigated by the locked closet. This option is not a standard recommendation for securing the MC.

Option D, 'Use local authentication rather than external authentication to authenticate admins,' is incorrect. HPE Aruba Networking recommends using external authentication (e.g., RADIUS or TACACS+) for centralized management and stronger security (e.g., two-factor authentication). Local authentication should be a fallback, not the primary method, and it must be secured with a strong password.

The HPE Aruba Networking AOS-8 8.11 User Guide states:

'To protect the Mobility Controller from unauthorized access, even if it is physically secured in a locked closet, set the local admin password to a long, random value that is unknown or locked up securely. For example, use a password of at least 16 characters generated by a password manager, and store it in a secure location (e.g., a safe). This ensures that the local admin account, which is used as a fallback, is protected against unauthorized access attempts.' (Page 385, Securing Administrative Access Section)

Additionally, the HPE Aruba Networking Security Best Practices Guide notes:

'A recommended step to secure the Mobility Controller is to set a strong, random password for the local admin account. The password should be long (e.g., 16+ characters), randomly generated, and stored securely to prevent unauthorized access, even if the device is physically protected in a locked closet.' (Page 28, Administrative Security Section)

HPE Aruba Networking AOS-8 8.11 User Guide, Securing Administrative Access Section, Page 385.

HPE Aruba Networking Security Best Practices Guide, Administrative Security Section, Page 28.

===========

Question 5

Two wireless clients, client 1 and client 2, are connected to an ArubaOS Mobility Controller. Subnet 10.1.10.10/24 is a network of servers on the other side of the ArubaOS firewall. The exhibit shows all three firewall rules that apply to these clients.

Which traffic is permitted?

Aan HTTPS request from client 1 to 10.1.10.10 and an HTTPS response from 10.1.10.10 to client 1

Ban HTTPS request from client 1 to 10.1.10.10 and an HTTPS request from 10.1.10.11 to client 1

Can HTTPS request from 10.1.10.10 to client 1 and an HTTPS re-sponse from client 1 to 10.1.10.10

Dan HTTPS request from client 1 to client 2 and an HTTPS request from client 2 to client 1

Answer : A

Based on the exhibit showing the firewall rules, the following traffic is permitted:

Client 1 is allowed to send HTTPS traffic to any destination within the subnet 10.1.10.0/24 because there is a permit rule for the user to access svc-https to that subnet.

Responses to initiated connections are typically allowed by stateful firewalls; hence, an HTTPS response from 10.1.10.10 to client 1 is expected to be permitted even though it is not explicitly mentioned in the firewall rules (assuming the stateful nature of the firewall).

Question 6

Refer to the exhibit, which shows the settings on the company's MCs.

--- Mobility Controller

Dashboard General Admin AirWave CPSec Certificates

Configuration

WLANs v Control Plane Security

Roles & Policies Enable CP Sec

Access Points Enable auto cert provisioning:

You have deployed about 100 new Aruba 335-APs. What is required for the APs to become managed?

Ainstalling CA-signed certificates on the APs

Binstalling self-signed certificates on the APs

Capproving the APs as authorized APs on the AP whitelist

Dconfiguring a PAPI key that matches on the APs and MCs

Answer : C

Based on the exhibit, which shows the settings on the company's Mobility Controllers (MCs), with 'Control Plane Security' enabled and 'Enable auto cert provisioning' available, new Aruba 335-APs require approval on the MC to become managed. This is commonly done by adding the APs to an authorized AP whitelist, after which they can be automatically provisioned with certificates generated by the MC.

Question 7

Refer to the exhibit:

port-access role role1 vlan access 11

port-access role role2 vlan access 12

port-access role role3 vlan access 13

port-access role role4 vlan access 14

aaa authentication port-access dot1x authenticator

enable

interface 1/1/1

no shutdown

no routing

vlan access 1

aaa authentication port-access critical-role role1

aaa authentication port-access preauth-role role2

aaa authentication port-access auth-role role3

interface 1/1/2

no shutdown

no routing

vlan access 1

aaa authentication port-access critical-role role1

aaa authentication port-access preauth-role role2

aaa authentication port-access auth-role role3

The exhibit shows the configuration on an AOS-CX switch.

Client1 connects to port 1/1/1 and authenticates to HPE Aruba Networking ClearPass Policy Manager (CPPM). CPPM sends an Access-Accept with this VSA: Aruba-User-Role: role4.

Client2 connects to port 1/1/2 and does not attempt to authenticate.

To which roles are the users assigned?

AClient1 = role3; Client2 = role2

BClient1 = role4; Client2 = role1

CClient1 = role4; Client2 = role2

DClient1 = role3; Client2 = role1

Answer : C

The scenario involves an AOS-CX switch configured for 802.1X port-access authentication. The configuration defines several roles and their associated VLANs:

port-access role role1 vlan access 11: Role1 assigns VLAN 11.

port-access role role2 vlan access 12: Role2 assigns VLAN 12.

port-access role role3 vlan access 13: Role3 assigns VLAN 13.

port-access role role4 vlan access 14: Role4 assigns VLAN 14.

The switch has 802.1X authentication enabled globally (aaa authentication port-access dot1x authenticator enable). Two ports are configured:

Interface 1/1/1:

vlan access 1: Default VLAN is 1.

aaa authentication port-access critical-role role1: If the RADIUS server is unavailable, assign role1 (VLAN 11).

aaa authentication port-access preauth-role role2: Before authentication, assign role2 (VLAN 12).

aaa authentication port-access auth-role role3: After successful authentication, assign role3 (VLAN 13) unless overridden by a VSA.

Interface 1/1/2: Same configuration as 1/1/1.

Client1 on port 1/1/1:

Client1 authenticates successfully, and CPPM sends an Access-Accept with the VSA Aruba-User-Role: role4.

In AOS-CX, the auth-role (role3) is applied after successful authentication unless the RADIUS server specifies a different role via the Aruba-User-Role VSA. Since CPPM sends Aruba-User-Role: role4, and role4 exists on the switch, Client1 is assigned role4 (VLAN 14), overriding the default auth-role (role3).

Client2 on port 1/1/2:

Client2 does not attempt to authenticate (i.e., does not send 802.1X credentials).

In AOS-CX, if a client does not attempt authentication and no other authentication method (e.g., MAC authentication) is configured, the client is placed in the preauth-role (role2, VLAN 12). This role is applied before authentication or when authentication is not attempted, allowing the client limited access (e.g., to perform authentication or access a captive portal).

Option A, 'Client1 = role3; Client2 = role2,' is incorrect because Client1 should be assigned role4 (from the VSA), not role3.

Option B, 'Client1 = role4; Client2 = role1,' is incorrect because Client2 should be assigned the preauth-role (role2), not the critical-role (role1), since the RADIUS server is reachable (Client1 authenticated successfully).

Option C, 'Client1 = role4; Client2 = role2,' is correct. Client1 gets role4 from the VSA, and Client2 gets the preauth-role (role2) since it does not attempt authentication.

Option D, 'Client1 = role3; Client2 = role1,' is incorrect for the same reasons as Option A and Option B.

The HPE Aruba Networking AOS-CX 10.12 Security Guide states:

'After successful 802.1X authentication, the AOS-CX switch assigns the client to the auth-role configured for the port (e.g., aaa authentication port-access auth-role role3). However, if the RADIUS server returns an Aruba-User-Role VSA (e.g., Aruba-User-Role: role4), and the specified role exists on the switch, the client is assigned that role instead of the auth-role. If a client does not attempt authentication and no other authentication method is configured, the client is assigned the preauth-role (e.g., aaa authentication port-access preauth-role role2), which provides limited access before authentication.' (Page 132, 802.1X Authentication Section)

Additionally, the guide notes:

'The critical-role (e.g., aaa authentication port-access critical-role role1) is applied only when the RADIUS server is unavailable. The preauth-role is applied when a client connects but does not attempt 802.1X authentication.' (Page 134, Port-Access Roles Section)

HPE Aruba Networking AOS-CX 10.12 Security Guide, 802.1X Authentication Section, Page 132.

HPE Aruba Networking AOS-CX 10.12 Security Guide, Port-Access Roles Section, Page 134.

===========