HPE6-A84 무료 덤프문제 온라인 액세스

You are reviewing an endpoint entry in ClearPass Policy Manager (CPPM) Endpoints Repository.
What is a good sign that someone has been trying to gain unauthorized access to the network?

• A.The entry shows a profile conflict of having a new profile of Computer for a profiled Printer.
• B.The entry lacks a hostname or includes a hostname with long seemingly random characters.
• C.The entry shows multiple DHCP options under the fingerprints.
• D.The entry shows an Unknown status.

Refer to the scenario.
# Introduction to the customer
You are helping a company add Aruba ClearPass to their network, which uses Aruba network infrastructure devices.
The company currently has a Windows domain and Windows CA. The Window CA issues certificates to domain computers, domain users, and servers such as domain controllers. An example of a certificate issued by the Windows CA is shown here.


The company is in the process of adding Microsoft Endpoint Manager (Intune) to manage its mobile clients.
The customer is maintaining the on-prem AD for now and uses Azure AD Connect to sync with Azure AD.
# Requirements for issuing certificates to mobile clients
The company wants to use ClearPass Onboard to deploy certificates automatically to mobile clients enrolled in Intune. During this process, Onboard should communicate with Azure AD to validate the clients. High availability should also be provided for this scenario; in other words, clients should be able to get certificates from Subscriber 2 if Subscriber 1 is down.
The Intune admins intend to create certificate profiles that include a UPN SAN with the UPN of the user who enrolled the device.
# Requirements for authenticating clients
The customer requires all types of clients to connect and authenticate on the same corporate SSID.
The company wants CPPM to use these authentication methods:
* EAP-TLS to authenticate users on mobile clients registered in Intune
* TEAR, with EAP-TLS as the inner method to authenticate Windows domain computers and the users on them To succeed, EAP-TLS (standalone or as a TEAP method) clients must meet these requirements:
Their certificate is valid and is not revoked, as validated by OCSP
The client's username matches an account in AD
# Requirements for assigning clients to roles
After authentication, the customer wants the CPPM to assign clients to ClearPass roles based on the following rules:
* Clients with certificates issued by Onboard are assigned the "mobile-onboarded" role
* Clients that have passed TEAP Method 1 are assigned the "domain-computer" role Clients in the AD group "Medical" are assigned the "medical-staff" role Clients in the AD group "Reception" are assigned to the "reception-staff" role The customer requires CPPM to assign authenticated clients to AOS firewall roles as follows:
* Assign medical staff on mobile-onboarded clients to the "medical-mobile" firewall role
* Assign other mobile-onboarded clients to the "mobile-other" firewall role
* Assign medical staff on domain computers to the "medical-domain" firewall role
* All reception staff on domain computers to the "reception-domain" firewall role
* All domain computers with no valid user logged in to the "computer-only" firewall role
* Deny other clients access
# Other requirements
Communications between ClearPass servers and on-prem AD domain controllers must be encrypted.
# Network topology
For the network infrastructure, this customer has Aruba APs and Aruba gateways, which are managed by Central. APs use tunneled WLANs, which tunnel traffic to the gateway cluster. The customer also has AOS-CX switches that are not managed by Central at this point.

# ClearPass cluster IP addressing and hostnames
A customer's ClearPass cluster has these IP addresses:
* Publisher = 10.47.47.5
* Subscriber 1 = 10.47.47.6
* Subscriber 2 = 10.47.47.7
* Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8
The customer's DNS server has these entries
* cp.acnsxtest.com = 10.47.47.5
* cps1.acnsxtest.com = 10.47.47.6
* cps2.acnsxtest.com = 10.47.47.7
* radius.acnsxtest.com = 10.47.47.8
* onboard.acnsxtest.com = 10.47.47.8
You cannot see flow attributes for wireless clients.
What should you check?

• A.Gateway IDS/IPS is enabled on the Aruba gateways, and the gateways have been rebooted.
• B.Deep packet inspection is enabled on the role to which the Aruba APs assign the wireless clients.
• C.Firewall application visibility is enabled on the Aruba gateways, and the gateways have been rebooted.
• D.Deep packet inspection is enabled on the Aruba Aps, and the APs have been rebooted.

Several AOS-CX switches are responding to SNMPv2 GET requests for the public community. The customer only permits SNMPv3. You have asked a network admin to fix this problem. The admin says, "I tried to remove the community, but the CLI output an error." What should you recommend to remediate the vulnerability and meet the customer's requirements?

• A.Setting the snmp-server settings to "snmpv3-only"
• B.Adding an SNMP community with a long random name
• C.Enabling control plane policing to automatically drop SNMP GET requests
• D.Enabling SNMPv3, which implicitly disables SNMPv1/v2

Refer to the exhibit.

Aruba ClearPass Policy Manager (CPPM) is using the settings shown in the exhibit. You reference the tag shown in the exhibit in enforcement policies related to NASes of several types, including Aruba APs, Aruba gateways, and AOS-CX switches.
What should you do to ensure that clients are reclassified and receive the correct treatment based on the tag?

• A.Change the RADIUS action to [Aruba Wireless -Terminate Session] which is supported by all the NASes in question.
• B.Set the Tags Update Action to No Action. Then instead enable the RADIUS CoAs using enforcement profiles in the rules that match clients with the tag shown in the exhibit.
• C.Change the RADIUS action to [Aruba Wireless - Bounce Switch Port] which is supported by all the NASes in question.
• D.Enable profiling in each service using one of these enforcement profiles. Set the profiling action to the correct one for the NASes using that service.

You are designing an Aruba ClearPass Policy Manager (CPPM) solution for a customer. You learn that the customer has a Palo Alto firewall that filters traffic between clients in the campus and the data center.
Which integration can you suggest?

• A.Importing clients' MAC addresses to configure known clients for MAC authentication more quickly
• B.Sending Syslogs from the firewall to CPPM to signal CPPM to change the authentication status for misbehaving clients
• C.Establishing a double layer of authentication at both the campus edge and the data center DMZ
• D.Importing the firewall's rules to program downloadable user roles for AOS-CX switches more quickly