An IT administrator needs to ensure that requests to different Active Directory servers in a multinational company are properly filtered. How should they configure the network?
Answer : A
Comprehensive and Detailed Explanation From HPE Aruba Networking ClearPass portfolio:
Network Device Groups (NDGs) allow administrators to categorize switches and controllers by location or function. In a multi-site deployment, ClearPass can use a 'Service Rule' that looks at which NDG the request came from. For example, if a request comes from the 'London-Switches' group, ClearPass is configured to use the London AD domain; if it comes from 'Tokyo-APs,' it uses the Tokyo AD source. This prevents 'cross-talk' between global regions and improves authentication speed.
In an enterprise environment, a network administrator is tasked with configuring ClearPass to interact with various network access devices (NADs). After navigating to the 'Devices' section under the 'Network' menu, what critical step must the administrator take to add a new NAD to ClearPass properly?
Answer : C
When a RADIUS request reaches ClearPass, the system first attempts to identify the sender. ClearPass uses the Source IP Address of the incoming packet to match it against its configured list of Network Devices. If the IP is not found in the 'Devices' database, the request is dropped as an 'Unknown NAD.' Administrators can add single IPs (e.g., 10.1.1.5) or subnets (e.g., 10.1.1.0/24) to authorize groups of switches or APs.
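As an added illustration of the source-IP lookup described above (not ClearPass's own code), this Python snippet checks an incoming request's sender against a constructed Network Devices list containing both single hosts and subnets, and drops anything unmatched as an Unknown NAD; the device names and addresses are made-up sample values.

```python
import ipaddress

# Constructed sample of a ClearPass-style Network Devices list (hypothetical values):
# single hosts and subnets that are authorised to send RADIUS requests.
NETWORK_DEVICES = {
    "10.1.1.5": "core-sw-01",
    "10.1.1.0/24": "london-access-switches",
    "192.168.50.0/25": "tokyo-aps",
}


def _parse_entries(devices):
    """Turn the configured strings into ip_network objects, most specific prefix first."""
    parsed = []
    for entry, name in devices.items():
        # "10.1.1.5" becomes the host network 10.1.1.5/32; subnets are kept as given
        net = ipaddress.ip_network(entry, strict=False)
        parsed.append((net, name))
    # longest prefix first so a /32 host entry wins over an enclosing subnet
    parsed.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return parsed


NAD_TABLE = _parse_entries(NETWORK_DEVICES)


def identify_nad(source_ip, table=NAD_TABLE):
    """Return the matching device name, or None when the sender is an 'Unknown NAD'."""
    addr = ipaddress.ip_address(source_ip)
    for net, name in table:
        if addr in net:
            return name
    return None


def handle_radius_request(source_ip):
    """Mimic the first step ClearPass takes: pass to service matching, or drop as Unknown NAD."""
    name = identify_nad(source_ip)
    if name is None:
        return {"action": "drop", "reason": "Unknown NAD", "source": source_ip}
    return {"action": "process", "nad": name, "source": source_ip}
```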
An IT administrator attempts to join a ClearPass server to an Active Directory domain. They notice that the system clocks of the ClearPass server and the AD domain are not in sync. The ClearPass server is 10 minutes behind the AD domain. As a best practice, what should the administrator do?
Answer : B
Manual time setting is a temporary fix and will inevitably drift. The best practice for any distributed system, especially one relying on Kerberos and Active Directory, is to sync all components to the same NTP (Network Time Protocol) source. By pointing both the ClearPass servers and the Domain Controllers to the same authoritative clock, the administrator ensures that the time difference remains near zero, preventing domain join failures and ensuring certificate validity and log accuracy across the entire infrastructure.
An IT manager needs to ensure that a user who has lost their smartphone can onboard a new device while blocking access to the old one. What steps should the IT manager follow to meet this need using ClearPass Onboard?
Answer : B
ClearPass Onboard manages security via unique device certificates. When a device is lost, the most critical step is to revoke its certificate. This adds the certificate to the Certificate Revocation List (CRL) or updates the OCSP status, ensuring that if the old device tries to connect, ClearPass will reject it. The manager then marks the device as 'Blocked' and allows the user to repeat the Onboarding process for their new device, which receives its own distinct certificate.
A network administrator is troubleshooting an issue where a user is unable to log in to the Policy Manager's web interface. The administrator checks the Access Tracker but does not see any relevant logs. What should the administrator do next based on ClearPass's handling of TACACS requests?
Answer : B
While RADIUS requests (for network access) are almost always found in the Access Tracker, TACACS+ requests (for device administration) that fail early in the process, such as those from an unauthorized source IP, may not appear there. In these cases, the Event Viewer is the correct diagnostic tool. The Event Viewer captures system-level errors, including 'Unknown NAD' alerts for TACACS+ attempts, which will help the administrator identify why the request isn't being processed by a service.
A network administrator is troubleshooting connectivity issues between clients and the ClearPass server. They suspect that the firewall configuration might be causing the problem. Which action should the administrator take to ensure the OnGuard agent can properly communicate with the ClearPass server?
Answer : A
Communication between the OnGuard agent and ClearPass requires specific firewall ports to be open. TCP Port 443 (HTTPS) is used for the initial control channel and software updates. TCP Port 6658 is the proprietary port used for the agent's 'heartbeat,' which provides real-time health updates and session monitoring. If either port is blocked, the agent will appear offline or fail to report its posture status.
An IT manager needs to ensure that a report generated using the Remote Copy option is automatically saved to a specific file location on the network without logging into Insight. What must they configure in the administration settings?
Answer : C
The Remote Copy feature in Insight allows for automated off-box storage of reports. To facilitate this, ClearPass must have a destination to send the files. The administrator must provide the network address (IP/Hostname) of the target server, the protocol (SFTP or SCP), the correct port, and a set of credentials that have write-access to the destination folder. This allows Insight to 'push' the reports immediately after generation.