You have configured an AOS-CX switch to implement 802.1X on edge ports. Assume ports operate in the default auth-mode. VoIP phones are assigned to the "voice" role and need to send traffic that is tagged for VLAN 12.
Where should you configure VLAN 12?
Answer: D
Explanation:
When configuring 802.1X authentication on edge ports of an AOS-CX switch and assigning VoIP
phones to a "voice" role, the correct approach is to configure VLAN 12 as the allowed trunk VLAN in
the "voice" role. This setup ensures that traffic tagged for VLAN 12 is appropriately managed by the
role applied to the VoIP phones. In AOS-CX switches, the role-based VLAN configuration allows for
more granular control and ensures that the VoIP phones' traffic is handled correctly without altering
the edge port settings, which typically operate with default settings for authentication.
Reference: Detailed configuration and role assignment practices for AOS-CX switches can be found in
Aruba's configuration guides and documentation related to AOS-CX switch deployments.
You need to set up HPE Aruba Networking ClearPass Policy Manager (CPPM) to provide certificate-
based authentication of 802.1X supplicants.
How should you upload the root CA certificate for the supplicants' certificates?
Answer: C
Explanation:
To set up HPE Aruba Networking ClearPass Policy Manager (CPPM) for certificate-based
authentication of 802.1X supplicants, you need to upload the root CA certificate as a Trusted CA with
the EAP usage. This configuration allows the ClearPass server to validate the certificates presented
by the supplicants during the 802.1X authentication process. By marking the certificate for EAP
usage, ClearPass can properly authenticate the supplicant devices using the trusted certificate
authority (CA) that issued their certificates.
Reference: Configuration guidelines and best practices for ClearPass Policy Manager are available in
Aruba's ClearPass documentation, specifically detailing the steps for uploading and configuring root
CA certificates for EAP-based authentication.
A company has AOS-CX switches. The company wants to make it simpler and faster for admins to detect denial of service (DoS) attacks, such as ping or ARP floods, launched against the switches.
What can you do to support this use case?
Answer: A
Explanation:
To support the detection of denial of service (DoS) attacks on AOS-CX switches, deploying an NAE
(Network Analytics Engine) agent to monitor control plane policing (CoPP) is the best approach. NAE
agents provide real-time analytics and monitoring capabilities, allowing administrators to detect
anomalies and potential DoS attacks, such as ping or ARP floods, more quickly and efficiently. Control
plane policing helps protect the switch’s CPU from unnecessary or malicious traffic, and the NAE
agent can alert administrators when thresholds are exceeded, providing a proactive measure to
detect and mitigate DoS attacks.
Reference: Aruba's documentation on AOS-CX and NAE agents provides detailed information on
configuring and deploying NAE for network monitoring and security purposes.
You have run an Active Endpoint Security Report on HPE Aruba Networking ClearPass. The report indicates that hundreds of endpoints have MAC addresses but no known IP addresses.
What is one step for addressing this issue?
Answer: B
Explanation:
When the Active Endpoint Security Report on HPE Aruba Networking ClearPass indicates that
endpoints have MAC addresses but no known IP addresses, one effective step to address this issue is
to add CPPM's (ClearPass Policy Manager) IP address to the IP helper list on routing switches. This
configuration ensures that DHCP requests are forwarded to the ClearPass server, allowing it to track
and report the IP addresses assigned to the endpoints. This helps ClearPass maintain an accurate
mapping of MAC addresses to IP addresses, improving endpoint visibility and security management.
Reference: ClearPass configuration guides and best practices documentation outline the importance
of integrating ClearPass with network infrastructure using IP helper addresses to ensure
comprehensive endpoint visibility and management.
An admin has configured an AOS-CX switch with these settings:
    port-access role employees
        vlan access name employees
This switch is also configured with CPPM as its RADIUS server.
Which enforcement profile should you configure on CPPM to work with this configuration?
Answer: D
Explanation:
To ensure that the AOS-CX switch properly assigns the "employees" role when using CPPM (ClearPass
Policy Manager) as the RADIUS server, you should configure a RADIUS Enforcement profile on CPPM
with the Aruba-User-Role VSA (Vendor-Specific Attribute) set to "employees". This configuration
ensures that when an endpoint authenticates, CPPM sends the appropriate role assignment to the
AOS-CX switch, which then applies the corresponding policies and VLAN settings defined for the
"employees" role.
Reference: Aruba's ClearPass documentation and AOS-CX configuration guides detail the integration
and configuration of RADIUS enforcement profiles using Aruba-User-Role VSAs for role-based access
control.
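As an added illustration (not from the original page or from Aruba's own code), the following Python builds and parses the RADIUS Vendor-Specific attribute that such an enforcement profile sends: Aruba's IANA enterprise number 14823 and vendor sub-attribute 1 (Aruba-User-Role). The switch only honours the returned role name if it matches a locally defined port-access role, so the decoder is paired with a check against a constructed list of roles assumed to exist on the switch.

```python
import struct

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute type
ARUBA_VENDOR_ID = 14823       # IANA enterprise number used by Aruba VSAs
ARUBA_USER_ROLE = 1           # Aruba vendor sub-attribute: Aruba-User-Role (string)


def encode_aruba_user_role(role: str) -> bytes:
    """Encode one Vendor-Specific attribute (type 26) carrying Aruba-User-Role=<role>."""
    value = role.encode("utf-8")
    vendor_data = struct.pack("!BB", ARUBA_USER_ROLE, 2 + len(value)) + value
    attr_len = 2 + 4 + len(vendor_data)  # type + length + vendor-id + vendor data
    if attr_len > 255:
        raise ValueError("role name too long for a single RADIUS attribute")
    return (struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, attr_len)
            + struct.pack("!I", ARUBA_VENDOR_ID) + vendor_data)


def decode_user_roles(attributes: bytes) -> list:
    """Walk a RADIUS attribute list and return every Aruba-User-Role value found."""
    roles, pos = [], 0
    while pos + 2 <= len(attributes):
        atype, alen = attributes[pos], attributes[pos + 1]
        if alen < 2 or pos + alen > len(attributes):
            raise ValueError("malformed RADIUS attribute")
        if atype == RADIUS_VENDOR_SPECIFIC and alen >= 8:
            vendor_id = struct.unpack("!I", attributes[pos + 2:pos + 6])[0]
            if vendor_id == ARUBA_VENDOR_ID:
                vpos, vend = pos + 6, pos + alen
                while vpos + 2 <= vend:
                    vtype, vlen = attributes[vpos], attributes[vpos + 1]
                    if vlen < 2 or vpos + vlen > vend:
                        raise ValueError("malformed vendor sub-attribute")
                    if vtype == ARUBA_USER_ROLE:
                        roles.append(attributes[vpos + 2:vpos + vlen].decode("utf-8"))
                    vpos += vlen
        pos += alen
    return roles


def role_to_apply(attributes: bytes, switch_roles) -> str:
    """Return the role the switch would apply, or '' if the returned role is not defined locally."""
    for role in decode_user_roles(attributes):
        if role in switch_roles:
            return role
    return ""


# Constructed sample: a Filter-Id attribute (type 11) followed by the Aruba VSA.
SAMPLE_ATTRS = bytes([11, 3, ord("x")]) + encode_aruba_user_role("employees")
SWITCH_ROLES = {"employees", "voice"}   # assumed port-access roles on the switch
```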
The security team needs you to show them information about MAC spoofing attempts detected by
HPE Aruba Networking ClearPass Policy Manager (CPPM).
What should you do?
Answer: B
Explanation:
To show the security team information about MAC spoofing attempts detected by HPE Aruba
Networking ClearPass Policy Manager (CPPM), you should use ClearPass Insight to run an Active
Endpoint Security report. ClearPass Insight provides comprehensive reporting capabilities that
include detailed information on security incidents, such as MAC spoofing attempts. By generating
this report, you can provide the security team with a clear overview of the detected spoofing
activities, including the endpoints involved and the context of the events.
Reference: The ClearPass documentation and Insight reporting guide offer detailed instructions on
generating and interpreting Active Endpoint Security reports, which include data on MAC spoofing
and other security incidents.
You need to set up an HPE Aruba Networking VIA solution for a customer who needs to support 2100 remote employees. The customer wants employees to download their VIA connection profile from the VPNC. Only employees who authenticate with their domain credentials to HPE Aruba Networking ClearPass Policy Manager (CPPM) should be able to download the profile. (A RADIUS server group for CPPM is already set up on the VPNC.)
How do you configure the VPNC to enforce that requirement?
Answer: A
Explanation:
To configure the HPE Aruba Networking VIA solution for remote employees who need to download
their VIA connection profile from the VPN Concentrator (VPNC) and ensure that only those who
authenticate with their domain credentials through ClearPass Policy Manager (CPPM) can do so, you
need to set up a VIA Authentication Profile. This profile should use the CPPM's RADIUS server group.
Once the VIA Authentication Profile is created, you need to reference this profile in the VIA Web
Authentication Profile. This configuration ensures that the authentication process requires
employees to validate their credentials via CPPM before they can download the VIA connection
profile.
Reference: Aruba's VIA deployment and configuration guides provide detailed steps on setting up
authentication profiles and integrating ClearPass for secure profile distribution.
A company is using HPE Aruba Networking ClearPass Device Insight (CPDI) (the standalone application). You have identified a device, which is currently classified as one type, but you want to classify it as a custom type. You also want to classify all devices with similar attributes as this type, both already-discovered devices and new devices discovered later.
What should you do?
Answer: B
Explanation:
When using HPE Aruba Networking ClearPass Device Insight (CPDI) and you need to reclassify a
device to a custom type and apply this classification to all devices with similar attributes, both
already discovered and newly discovered, you should follow these steps:
1. Navigate to the device details in CPDI.
2. Select the option to reclassify the device.
3. Create a user rule based on the desired attributes of the device.
4. Choose the "Save & Reclassify" option.
This process ensures that the device is reclassified according to the new custom type and that the
rule is applied to all existing and future devices with matching attributes, maintaining consistent
classification across the network.
Reference: The ClearPass Device Insight user guide includes detailed instructions on device
classification, rule creation, and managing device attributes to maintain accurate network visibility
and security.
You are deploying a virtual Data Collector for use with HPE Aruba Networking ClearPass Device Insight (CPDI). You have identified VLAN 101 in the data center as the VLAN to which the Data Collector should connect to receive its IP address and connect to HPE Aruba Networking Central.
Which Data Collector virtual ports should you tell the virtual admins to connect to VLAN 101?
Answer: D
Explanation:
When deploying a virtual Data Collector for HPE Aruba Networking ClearPass Device Insight (CPDI), it
is essential to ensure that the correct virtual port is connected to the designated VLAN. In this case,
VLAN 101 is used to receive the IP address and connect to Aruba Central. The best practice is to use
the virtual port with the lowest port ID. This is typically the primary port used for management and
network connectivity in virtual environments, ensuring proper network integration and
communication.
Reference: Aruba's ClearPass Device Insight deployment guides and virtual appliance setup
documentation provide detailed instructions on configuring network interfaces and VLAN
assignments.
A company assigns a different block of VLAN IDs to each of its access layer AOS-CX switches. The switches run version 10.07. The IDs are used for standard purposes, such as for employees, VoIP phones, and cameras. The company wants to apply 802.1X authentication to HPE Aruba Networking ClearPass Policy Manager (CPPM) and then steer clients to the correct VLANs for local forwarding.
What can you do to simplify setting up this solution?
Answer: A
Explanation:
To simplify the setup of 802.1X authentication with HPE Aruba Networking ClearPass Policy Manager
(CPPM) and ensure clients are steered to the correct VLANs for local forwarding, you should assign
consistent names to VLANs of the same type across the AOS-CX switches and have user-roles
reference these names. This approach allows for a more straightforward configuration and
management process, as the user roles can apply consistent policies based on VLAN names rather
than specific IDs. It also helps in maintaining clarity and reducing errors in VLAN assignments across
different switches.
Reference: Aruba's AOS-CX configuration guides and ClearPass integration documentation emphasize
the importance of using consistent naming conventions and user-role configurations for efficient
network management and security enforcement.
A company lacks visibility into the many different types of user and IoT devices deployed in its internal network, making it hard for the security team to address those devices.
Which HPE Aruba Networking solution should you recommend to resolve this issue?
Answer: A
Explanation:
For a company that lacks visibility into various types of user and IoT devices on its internal network,
HPE Aruba Networking ClearPass Device Insight (CPDI) is the recommended solution. CPDI provides
comprehensive visibility and profiling of all devices connected to the network. It uses machine
learning and AI to identify and classify devices, offering detailed insights into their behavior and
characteristics. This enhanced visibility enables the security team to effectively monitor and manage
network devices, improving overall network security and compliance.
Reference: Aruba's documentation on ClearPass Device Insight outlines its capabilities in device
discovery, profiling, and security posture assessment, making it ideal for environments with diverse
and numerous network-connected devices.
A company is using HPE Aruba Networking ClearPass Device Insight (CPDI) (the standalone application). In the CPDI security settings, Security Analysis is On, the Data Source is ClearPass Device Insight, and Enable Posture Assessment is On. You see that a device has a Risk Score of 90.
What can you know from this information?
Answer: A
Explanation:
In HPE Aruba Networking ClearPass Device Insight (CPDI), a device with a Risk Score of 90 indicates
that the posture is unhealthy, and CPDI has detected at least one vulnerability on the device. The risk
score is a reflection of the device's security posture and detected vulnerabilities. A high risk score,
such as 90, typically signifies significant security concerns, including the presence of vulnerabilities
that could be exploited, thereby categorizing the device as a high-risk asset within the network.
Reference: ClearPass Device Insight documentation and security settings guides explain how risk
scores are calculated and interpreted, including the impact of posture assessment and vulnerability
detection on overall device risk ratings.
You have set up a mirroring session between an AOS-CX switch and a management station, running Wireshark. You want to capture just the traffic sent in the mirroring session, not the management station's other traffic.
What should you do?
Answer: D
Explanation:
To capture only the traffic sent in the mirroring session between an AOS-CX switch and a
management station running Wireshark, you should apply a capture filter that isolates the specific
traffic of interest. In this case, the capture filter "udp port 5555" will capture the traffic associated with
the mirroring session. This is because AOS-CX switches typically use UDP port 5555 for mirrored
traffic, ensuring that only the relevant mirrored packets are captured and excluding other traffic
generated by the management station.
Reference: Aruba's AOS-CX documentation and network management guides detail the configuration
and monitoring of traffic mirroring sessions, including the use of specific ports for mirrored traffic.
A company uses HPE Aruba Networking ClearPass Policy Manager (CPPM) as a TACACS+ server to authenticate managers on its AOS-CX switches. The company wants CPPM to control which commands managers are allowed to enter. You see there is no field to enter these commands in ClearPass.
How do you start configuring the command list on CPPM?
Answer: A
Explanation:
To control which commands managers are allowed to enter on AOS-CX switches using HPE Aruba
Networking ClearPass Policy Manager (CPPM) as a TACACS+ server, you need to add the Shell service
to the TACACS+ enforcement profiles for the managers. This service allows you to define and enforce
specific command sets and access privileges for users authenticated via TACACS+. By configuring the
Shell service in the enforcement profile, you can specify the commands that are permitted or denied
for the managers, ensuring controlled and secure access to the switch's command-line interface.
Reference: Aruba's ClearPass Policy Manager documentation provides detailed instructions on
setting up TACACS+ services, including configuring Shell profiles for command authorization and
enforcement policies.
HPE Aruba Networking ClearPass Policy Manager (CPPM) uses a service to authenticate clients. You are now adding the Endpoints Repository as an authorization source for the service, and you want to add rules to the service's policies that apply different access levels based, in part, on a client's device category. You need to ensure that CPPM can apply the new correct access level after discovering new clients' categories.
What should you enable on the service?
Answer: B
Explanation:
To ensure that HPE Aruba Networking ClearPass Policy Manager (CPPM) can apply the correct access
levels based on a client's device category after discovering new clients, you need to enable the
"Profile Endpoints" option in the Service tab. This option allows CPPM to profile and categorize
endpoints dynamically, ensuring that the appropriate access levels are applied based on the device's
characteristics. Enabling this feature ensures that new devices are accurately profiled and that access
policies can be enforced based on the updated device information.
Reference: Aruba ClearPass documentation and profiling guides detail the configuration and use of
endpoint profiling to enhance access control and policy enforcement based on device categories.