


Question #:1
A customer has an AOS 10 architecture, which includes Aruba APs. Admins have recently enabled WIDS at the high level. They also enabled alerts and email notifications for several events, as shown in the exhibit.


Admins are complaining that they are getting so many emails that they have to ignore them, so they are going to turn off all notifications.

What is one step you could recommend trying first?

A. Send the email notifications directly to a specific folder, and only check the folder once a week.
B. Disable email notifications for Rogue AP, but leave the Infrastructure Attack Detected and Client Attack Detected notifications on.
C. Change the WIDS level to custom, and enable only the checks most likely to indicate real threats.
D. Disable just the Rogue AP and Client Attack Detected alerts, as they overlap with the Infrastructure Attack Detected alert.
Answer: C
Question #:2
Refer to the exhibit.
A customer requires protection against ARP poisoning in VLAN 4. Below are listed all settings for VLAN 4 and the VLAN 4 associated physical interfaces on the AOS-CX access layer switch:


What is one issue with this configuration?
A. ARP proxy is not enabled on VLAN 4.
B. LAG 1 is configured as trusted for ARP inspection but should be untrusted.
C. DHCP snooping is not enabled on VLAN 4.
D. Edge ports are not configured as untrusted for ARP inspection.
Answer: D
Question #:3
A customer needs you to configure Aruba ClearPass Policy Manager (CPPM) to authenticate domain users on domain computers. Domain users, domain computers, and domain controllers receive certificates from a Windows CA. CPPM should validate these certificates and verify that the users and computers have accounts in Windows AD. The customer requires encryption for all communications between CPPM and the domain controllers.
You have imported the root certificate for the Windows CA to the ClearPass CA Trust list.
Which usages should you add to it based on these requirements?
A. RadSec and Aruba infrastructure
B. EAP and AD/LDAP Server
C. EAP and RadSec
D. LDAP and Aruba infrastructure

Answer: C
Question #:4
Refer to the scenario.
A customer requires these rights for clients in the “medical-mobile” AOS firewall role on Aruba Mobility Controllers (MCs):
Permitted to receive IP addresses with DHCP
Permitted access to DNS services from 10.8.9.7 and no other server
Permitted access to all subnets in the 10.1.0.0/16 range except denied access to 10.1.12.0/22
Denied access to other 10.0.0.0/8 subnets
Permitted access to the Internet
Denied access to the WLAN for a period of time if they send any SSH traffic
Denied access to the WLAN for a period of time if they send any Telnet traffic
Denied access to all high-risk websites
External devices should not be permitted to initiate sessions with “medical-mobile” clients, only send return traffic.
The exhibits below show the configuration for the role.

There are multiple issues with the configuration.
What is one of the changes that you must make to the policies to meet the scenario requirements? (In the options, rules in a policy are referenced from top to bottom. For example, “medical-mobile” rule 1 is “ipv4 any any svc-dhcp permit,” and rule 8 is “ipv4 any any any permit”.)
A. In the “medical-mobile” policy, change the source in rule 1 to “user.”
B. In the “medical-mobile” policy, change the subnet mask in rule 3 to 255.255.248.0.
C. In the “medical-mobile” policy, move rules 6 and 7 to the top of the list.
D. Move the rule in the “apprf-medical-mobile-sacl” policy between rules 7 and 8 in the “medical-mobile” policy.
Answer: B
Question #:5
Refer to the scenario.
An organization wants the AOS-CX switch to trigger an alert if its RADIUS server (cp.acnsxtest.local) rejects an unusual number of client authentication requests per hour. After some discussions with other Aruba admins, you are still not sure how many rejections are usual or unusual. You expect that the value could be different on each switch.
You are helping the developer understand how to develop an NAE script for this use case.
You are helping a customer define an NAE script for AOS-CX switches. The script will monitor statistics from a RADIUS server defined on the switch. You want to future proof the script by enabling admins to select a different hostname or IP address for the monitored RADIUS server when they create an agent from the script.

What should you recommend?
A. Use this variable, %{radius-ipV when defining the monitor URI in the NAE agent script.
B. Define a parameter for the RADIUS server; reference that parameter instead of the server name/ip when defining the monitor URI.
C. Use a callback action to collect the name of any RADIUS servers defined on the switch at the time the agent is created.
D. Make the script editable so that admins can edit it on demand when they are creating scripts.
Answer: B
Question #:6
You are setting up Aruba ClearPass Policy Manager (CPPM) to enforce EAP-TLS authentication with Active Directory as the authentication source. The company wants to prevent users with disabled accounts from connecting even if those users still have valid certificates.
As the first part of meeting these criteria, what should you do to enable CPPM to determine whether accounts are enabled in AD or not?
A. Add an Endpoint Context Server to the domain controller with actions for querying the domain controller for account status.
B. Enable OCSP in the EAP-TLS authentication method settings and configure an OCSP override to the domain controller FQDN.
C. Add a custom attribute for userAccountControl to the filters in the AD authentication source.
D. Install a Microsoft Active Directory extension in Aruba ClearPass Guest and set up an HTTP authentication source that points to that extension.
Answer: C
Question #:7
Refer to the scenario.
A customer requires these rights for clients in the “medical-mobile” AOS firewall role on Aruba Mobility Controllers (MCs):
Permitted to receive IP addresses with DHCP
Permitted access to DNS services from 10.8.9.7 and no other server
Permitted access to all subnets in the 10.1.0.0/16 range except denied access to 10.1.12.0/22
Denied access to other 10.0.0.0/8 subnets
Permitted access to the Internet
Denied access to the WLAN for a period of time if they send any SSH traffic
Denied access to the WLAN for a period of time if they send any Telnet traffic
Denied access to all high-risk websites
External devices should not be permitted to initiate sessions with “medical-mobile” clients, only send return traffic.
The exhibits below show the configuration for the role.

There are multiple issues with this configuration. What is one change you must make to meet the scenario requirements? (In the options, rules in a policy are referenced from top to bottom. For example, “medical-mobile” rule 1 is “ipv4 any any svc-dhcp permit,” and rule 8 is “ipv4 any any any permit”.)
A. In the “medical-mobile” policy, move rules 2 and 3 between rules 7 and 8.
B. In the “medical-mobile” policy, change the subnet mask in rule 3 to 255.255.248.0.
C. Move the rule in the “apprf-medical-mobile-sacl” policy between rules 7 and 8 in the “medical-mobile” policy.
D. In the “medical-mobile” policy, change the source in rule 8 to “user.”
Answer: B
Question #:8
You need to install a certificate on a standalone Aruba Mobility Controller (MC). The MC will need to use the certificate for the Web UI and for implementing RadSec with Aruba ClearPass Policy Manager. You have been given a certificate with these settings:
Subject: CN=mc41.site94.example.com
No SANs
Issuer: CN=ca41.example.com
EKUs: Server Authentication, Client Authentication

What issue does this certificate have for the purposes for which the certificate is intended?
A. It has conflicting EKUs.
B. It is issued by a private CA.
C. It specifies domain info in the CN field instead of the DC field.
D. It lacks a DNS SAN.
Answer: D
Question #:9
A customer has an AOS 10-based mobility solution, which authenticates clients to Aruba ClearPass Policy Manager (CPPM). The customer has some wireless devices that support WPA2 in personal mode only.
How can you meet these devices’ needs but improve security?
A. Use MPSK on the WLAN to which the devices connect.
B. Configure WIDS policies that apply extra monitoring to these particular devices.
C. Connect these devices to the same WLAN to which 802.1X-capable clients connect, using MAC-Auth fallback.
D. Enable dynamic authorization (RFC 3576) in the AAA profile for the devices.
Answer: A
Question #:10
A company has Aruba gateways and wants to start implementing gateway IDS/IPS. The customer has selected Block for the Fail Strategy.
What might you recommend to help minimize unexpected outages caused by using this particular fail strategy?
A. Configuring a relatively high threshold for the gateway threat count alerts
B. Making sure that the gateways have formed a cluster and operate in default gateway mode
C. Setting the IDS or IPS policy to the least restrictive option, Lenient
D. Enabling alerts and email notifications for events related to gateway IPS engine utilization and errors
Answer: B
