更新済みの2024年01月 HPE6-A84試験練習テスト問題
検証済みHPE6-A84問題集と解答100%一発合格保証で更新された問題集
質問 # 13
A company has an Aruba ClearPass server at 10.47.47.8, FQDN radius.acnsxtest.local. This exhibit shows ClearPass Policy Manager's (CPPM's) settings for an Aruba Mobility Controller (MC).
The MC is already configured with RADIUS authentication settings for CPPM, and RADIUS requests between the MC and CPPM are working. A network admin enters and commits this command to enable dynamic authorization on the MC:
aaa rfc-3576-server 10.47.47.8
But when CPPM sends CoA requests to the MC, they are not working. This exhibit shows the RFC 3576 server statistics on the MC:
How could you fix this issue?
- A. Enable RadSec on the MCs' RFC 3676 server config.
- B. Change the UDP port in the MCs' RFC 3576 server config to 3799.
- C. Make sure that CPPM is using an ArubaOS Wireless RADIUS CoA enforcement profile.
- D. Configure the MC to obtain the time from a valid NTP server.
正解:B
質問 # 14
You need to install a certificate on a standalone Aruba Mobility Controller (MC). The MC will need to use the certificate for the Web UI and for implementing RadSec with Aruba ClearPass Policy Manager. You have been given a certificate with these settings:
Subject: CN=mc41.site94.example.com
No SANs
Issuer: CN=ca41.example.com
EKUs: Server Authentication, Client Authentication
What issue does this certificate have for the purposes for which the certificate is intended?
- A. It lacks a DNS SAN.
- B. It has conflicting EKUs.
- C. It is issued by a private CA.
- D. It specifies domain info in the CN field instead of the DC field.
正解:A
質問 # 15
Several AOS-CX switches are responding to SNMPv2 GET requests for the public community. The customer only permits SNMPv3. You have asked a network admin to fix this problem. The admin says, "I tried to remove the community, but the CLI output an error." What should you recommend to remediate the vulnerability and meet the customer's requirements?
- A. Enabling SNMPv3, which implicitly disables SNMPv1/v2
- B. Adding an SNMP community with a long random name
- C. Enabling control plane policing to automatically drop SNMP GET requests
- D. Setting the snmp-server settings to "snmpv3-only"
正解:D
質問 # 16
Refer to the exhibit.
Aruba ClearPass Policy Manager (CPPM) is using the settings shown in the exhibit. You reference the tag shown in the exhibit in enforcement policies related to NASes of several types, including Aruba APs, Aruba gateways, and AOS-CX switches.
What should you do to ensure that clients are reclassified and receive the correct treatment based on the tag?
- A. Change the RADIUS action to [Aruba Wireless - Bounce Switch Port] which is supported by all the NASes in question.
- B. Set the Tags Update Action to No Action. Then instead enable the RADIUS CoAs using enforcement profiles in the rules that match clients with the tag shown in the exhibit.
- C. Change the RADIUS action to [Aruba Wireless -Terminate Session] which is supported by all the NASes in question.
- D. Enable profiling in each service using one of these enforcement profiles. Set the profiling action to the correct one for the NASes using that service.
正解:C
質問 # 17
Refer to the scenario.
A customer is migrating from on-prem AD to Azure AD as its sole domain solution. The customer also manages both wired and wireless devices with Microsoft Endpoint Manager (Intune).
The customer wants to improve security for the network edge. You are helping the customer design a ClearPass deployment for this purpose. Aruba network devices will authenticate wireless and wired clients to an Aruba ClearPass Policy Manager (CPPM) cluster (which uses version 6.10).
The customer has several requirements for authentication. The clients should only pass EAP-TLS authentication if a query to Azure AD shows that they have accounts in Azure AD. To further refine the clients' privileges, ClearPass also should use information collected by Intune to make access control decisions.
You are planning to use Azure AD as the authentication source in 802.1X services.
What should you make sure that the customer understands is required?
- A. CPPM's RADIUS certificate was imported as trusted in the Azure AD directory
- B. Windows 365 subscriptions
- C. An app registration on Azure AD that references the CPPM's FQDN
- D. Azure AD Domain Services
正解:C
解説:
Explanation
To use Azure AD as the authentication source in 802.1X services, you need to configure CPPM as a SAML service provider and Azure AD as a SAML identity provider. This allows CPPM to use Azure AD for user authentication and role mapping. To do this, you need to create an app registration on Azure AD that references the CPPM's FQDN as the reply URL and the entity ID. You also need to grant the app registration the required permissions to access user information from Azure AD1
質問 # 18
Refer to the scenario.
An organization wants the AOS-CX switch to trigger an alert if its RADIUS server (cp.acnsxtest.local) rejects an unusual number of client authentication requests per hour. After some discussions with other Aruba admins, you are still not sure how many rejections are usual or unusual. You expect that the value could be different on each switch.
You are helping the developer understand how to develop an NAE script for this use case.
You are helping the developer find the right URI for the monitor.
Refer to the exhibit.
You have used the REST API reference interface to submit a test call. The results are shown in the exhibit.
Which URI should you give to the developer?
- A. /rest/v1/system/vrfs/mgmt/radius/_servers/cp.acnsxtest.local/2083/tcp
- B. /rest/v1/system/vrfs/mgmt/radius/servers/cp.acnsxtest.local/2083/tcp?attributes=authstatistics?attributes=a
- C. /rest/v1/system/vrfs/mgmt/radius/servers/cp.acnsxtest.local/2083/tcp?attributes=authstatistics
- D. /rest/v1/system/vrfs/mgmt/radius/servers/cp.acnsxtest.local/2083/tcp?attributes=authstatistics.access_rejec
正解:D
解説:
Explanation
This is because this URI specifies the exact attribute that contains the number of access rejects from the RADIUS server, which is the information that the NAE script needs to monitor and trigger an alert.
A: /rest/v1/system/vrfs/mgmt/radius/servers/cp.acnsxtest.local/2083/tcp?attributes=authstatistics. This is not the correct URI because it returns the entire authstatistics object, which contains more information than the access rejects, such as access accepts, challenges, timeouts, etc. This might make the NAE script more complex and inefficient to parse and process the data.
B: /rest/v1/system/vrfs/mgmt/radius/servers/cp.acnsxtest.local/2083/tcp?attributes=authstatistics?attributes=access_ This is not a valid URI because it has two question marks, which is a syntax error. The question mark is used to indicate the start of the query string, which can have one or more parameters separated by ampersands. The correct way to specify multiple attributes is to use a comma-separated list after the question mark, such as?attributes=attr1,attr2,attr3.
C: /rest/v1/system/vrfs/mgmt/radius/_servers/cp.acnsxtest.local/2083/tcp. This is not a valid URI because it has an extra underscore before servers, which is a typo. The correct resource name is servers, not _servers.
Moreover, this URI does not specify any attributes, which means it will return the default attributes of the RADIUS server object, such as name, port, protocol, etc., but not the authstatistics or access_rejects.
質問 # 19
A company has an Aruba ClearPass server at 10.47.47.8, FQDN radius.acnsxtest.local. This exhibit shows ClearPass Policy Manager's (CPPM's) settings for an Aruba Mobility Controller (MC).
The MC is already configured with RADIUS authentication settings for CPPM, and RADIUS requests between the MC and CPPM are working. A network admin enters and commits this command to enable dynamic authorization on the MC:
aaa rfc-3576-server 10.47.47.8
But when CPPM sends CoA requests to the MC, they are not working. This exhibit shows the RFC 3576 server statistics on the MC:
How could you fix this issue?
- A. Enable RadSec on the MCs' RFC 3676 server config.
- B. Change the UDP port in the MCs' RFC 3576 server config to 3799.
- C. Make sure that CPPM is using an ArubaOS Wireless RADIUS CoA enforcement profile.
- D. Configure the MC to obtain the time from a valid NTP server.
正解:B
解説:
Explanation
Dynamic authorization is a feature that allows CPPM to send change of authorization (CoA) or disconnect messages to the MC to modify or terminate a user session based on certain conditions or events 1. Dynamic authorization uses the RFC 3576 protocol, which is an extension of the RADIUS protocol 2.
To enable dynamic authorization on the MC, you need to configure the IP address and UDP port of the CPPM server as the RFC 3576 server on the MC 3. The default UDP port for RFC 3576 is 3799, but it can be changed on the CPPM server . The MC and CPPM must use the same UDP port for dynamic authorization to work properly 3.
In this scenario, the MC is configured with the IP address of the CPPM server (10.47.47.8) as the RFC 3576 server, but it is using the default UDP port of 3799. However, according to the exhibit, the CPPM server is using a different UDP port of 1700 for dynamic authorization . This mismatch causes the CoA requests from CPPM to fail on the MC, as shown by the statistics .
To fix this issue, you need to change the UDP port in the MCs' RFC 3576 server config to match the UDP port used by CPPM, which is 1700 in this case. Alternatively, you can change the UDP port in CPPM to match the default UDP port of 3799 on the MC. Either way, you need to ensure that both devices use the same UDP port for dynamic authorization 3 .
質問 # 20
Refer to the scenario.
A customer is migrating from on-prem AD to Azure AD as its sole domain solution. The customer also manages both wired and wireless devices with Microsoft Endpoint Manager (Intune).
The customer wants to improve security for the network edge. You are helping the customer design a ClearPass deployment for this purpose. Aruba network devices will authenticate wireless and wired clients to an Aruba ClearPass Policy Manager (CPPM) cluster (which uses version 6.10).
The customer has several requirements for authentication. The clients should only pass EAP-TLS authentication if a query to Azure AD shows that they have accounts in Azure AD. To further refine the clients' privileges, ClearPass also should use information collected by Intune to make access control decisions.
Assume that the Azure AD deployment has the proper prerequisites established.
You are planning the CPPM authentication source that you will reference as the authentication source in
802.1X services.
How should you set up this authentication source?
- A. As Kerberos type
- B. AS HTTP type, referencing Azure AD's FODN
- C. As HTTP type, referencing the Intune extension
- D. As Active Directory type
正解:B
質問 # 21
You are working with a developer to design a custom NAE script for a customer. The NAE agent should trigger an alert when ARP inspection drops packets on a VLAN. The customer wants the admins to be able to select the correct VLAN ID for the agent to monitor when they create the agent.
What should you tell the developer to do?
- A. Define a VLAN ID parameter; reference that parameter when defining the monitor URI.
- B. Use a callback action to collect the ID of the VLAN on which admins have enabled NAE monitoring.
- C. Use this variable, %{vlan-id} when defining the monitor URI in the NAE agent script.
- D. Create multiple monitors within the script from which admins can select when they create the agent.
正解:A
解説:
Explanation
A custom NAE script is a Python script that defines the monitors, the alert-trigger logic, and the remedial actions for an NAE agent. A monitor is a URI that specifies the data source and the data type that the NAE agent should collect and analyze. For example, to monitor the ARP inspection statistics on a VLAN, the monitor URI would be something like this:
where <vlan-id> is the ID of the VLAN to be monitored.
To allow the admins to select the correct VLAN ID for the agent to monitor when they create the agent, you need to define a VLAN ID parameter in the NAE script. A parameter is a variable that can be set by the user when creating or modifying an agent. A parameter can be referenced in other parts of the script by using the syntax ${parameter-name}. For example, to define a VLAN ID parameter and reference it in the monitor URI, you would write something like this:
This way, when the admins create or modify the agent, they can enter the VLAN ID that they want to monitor, and the NAE script will use that value in the monitor URI.
You can find more information about how to write custom NAE scripts and use parameters in the NAE Scripting Guide
質問 # 22
Which element helps to lay the foundation for solid network security forensics?
- A. Ensuring that all network devices use a correct, consistent clock
- B. Enable BPDU protection and loop protection on edqe switch ports
- C. Enabling debug-level information for network infrastructure device logs
- D. Implementing 802.1X authentication on switch ports that connect to APs
正解:A
質問 # 23
Refer to the scenario.
A customer has asked you to review their AOS-CX switches for potential vulnerabilities. The configuration for these switches is shown below:
What is one recommendation to make?
- A. Use MDS instead of SHA1 for the NTP authentication key.
- B. Encrypt the certificate in the TA-profile.
- C. Let the RADIUS server confiqure VLANs on LAG 1 dynamically.
- D. Create a control plane ACL to limit the sources that can access the switch with SSH.
正解:B
質問 # 24
What is a common characteristic of a beacon between a compromised device and a command and control server?
- A. Use of less common protocols such as SNAP
- B. Lack of encryption
- C. Use of IPv6 addressing instead of IPv4 addressing
- D. Periodic transmission of small, identically sized packets
正解:D
解説:
Explanation
A beacon is a type of network traffic that is sent from a compromised device to a command and control (C2) server, which is a remote system that controls the malicious activities of the device . A beacon is used to establish and maintain communication between the device and the C2 server, as well as to receive instructions or exfiltrate data .
A common characteristic of a beacon is that it is periodic, meaning that it is sent at regular intervals, such as every few minutes or hours . This helps the C2 server to monitor the status and availability of the device, as well as to avoid detection by network security tools .
Another common characteristic of a beacon is that it is small and identically sized, meaning that it contains minimal or fixed amount of data, such as a simple acknowledgment or a random string . This helps the device to conserve bandwidth and resources, as well as to avoid detection by network security tools .
質問 # 25
Refer to the scenario.
A hospital has an AOS10 architecture that is managed by Aruba Central. The customer has deployed a pair of Aruba 9000 Series gateways with Security licenses at each clinic. The gateways implement IDS/IPS in IDS mode.
The Security Dashboard shows these several recent events with the same signature, as shown below:
Which step could give you valuable context about the incident?
- A. View firewall sessions on the APs and record the threat sources' type and OS.
- B. View the RAPIDS Security Dashboard and see if the threat sources are listed as rogues.
- C. Find the Central client profile for the threat sources and note their category and family.
- D. View the user-table on APs and record the threat sources' 802.11 settings.
正解:B
質問 # 26
Refer to the scenario.
A customer has an Aruba ClearPass cluster. The customer has AOS-CX switches that implement 802.1X authentication to ClearPass Policy Manager (CPPM).
Switches are using local port-access policies.
The customer wants to start tunneling wired clients that pass user authentication only to an Aruba gateway cluster. The gateway cluster should assign these clients to the "eth-internet" role. The gateway should also handle assigning clients to their VLAN, which is VLAN 20.
The plan for the enforcement policy and profiles is shown below:
The gateway cluster has two gateways with these IP addresses:
* Gateway 1
o VLAN 4085 (system IP) = 10.20.4.21
o VLAN 20 (users) = 10.20.20.1
o VLAN 4094 (WAN) = 198.51.100.14
* Gateway 2
o VLAN 4085 (system IP) = 10.20.4.22
o VLAN 20 (users) = 10.20.20.2
o VLAN 4094 (WAN) = 198.51.100.12
* VRRP on VLAN 20 = 10.20.20.254
The customer requires high availability for the tunnels between the switches and the gateway cluster. If one gateway falls, the other gateway should take over its tunnels. Also, the switch should be able to discover the gateway cluster regardless of whether one of the gateways is in the cluster.
You are setting up the UBT zone on an AOS-CX switch.
Which IP addresses should you define in the zone?
- A. Primary controller = 10 20 4 21: backup controller not defined
- B. [Primary controller = 198.51.100.14; backup controller = 10.20.4.21
- C. Primary controller = 10.20.4.21; backup controller = 10.20.4.22
- D. Primary controller = 10.20.20.254; backup controller, not defined
正解:C
解説:
Explanation
To configure user-based tunneling (UBT) on an AOS-CX switch, you need to specify the IP addresses of the mobility gateways that will receive the tunneled traffic from the switch 1. The primary controller is the preferred gateway for the switch to establish a tunnel, and the backup controller is the alternative gateway in case the primary controller fails or becomes unreachable 1. The IP addresses of the gateways should be their system IP addresses, which are used for inter-controller communication and cluster discovery 2.
In this scenario, the customer has a gateway cluster with two gateways, each with a system IP address on VLAN 4085. Therefore, the switch should use these system IP addresses as the primary and backup controllers for UBT. The IP addresses of the gateways on VLAN 20 and VLAN 4094 are not relevant for UBT, as they are used for user traffic and WAN connectivity, respectively 2. The VRRP IP address on VLAN 20 is also not applicable for UBT, as it is a virtual IP address that is not associated with any specific gateway 3.
Therefore, the best option is to use 10.20.4.21 as the primary controller and 10.20.4.22 as the backup controller for UBT on the switch. This will ensure high availability and cluster discovery for the tunneled traffic from the switch to the gateway cluster 12.
質問 # 27
Refer to the scenario.
# Introduction to the customer
You are helping a company add Aruba ClearPass to their network, which uses Aruba network infrastructure devices.
The company currently has a Windows domain and Windows CA. The Window CA issues certificates to domain computers, domain users, and servers such as domain controllers. An example of a certificate issued by the Windows CA is shown here.

The company is in the process of adding Microsoft Endpoint Manager (Intune) to manage its mobile clients.
The customer is maintaining the on-prem AD for now and uses Azure AD Connect to sync with Azure AD.
# Requirements for issuing certificates to mobile clients
The company wants to use ClearPass Onboard to deploy certificates automatically to mobile clients enrolled in Intune. During this process, Onboard should communicate with Azure AD to validate the clients. High availability should also be provided for this scenario; in other words, clients should be able to get certificates from Subscriber 2 if Subscriber 1 is down.
The Intune admins intend to create certificate profiles that include a UPN SAN with the UPN of the user who enrolled the device.
# Requirements for authenticating clients
The customer requires all types of clients to connect and authenticate on the same corporate SSID.
The company wants CPPM to use these authentication methods:
* EAP-TLS to authenticate users on mobile clients registered in Intune
* TEAR, with EAP-TLS as the inner method to authenticate Windows domain computers and the users on them To succeed, EAP-TLS (standalone or as a TEAP method) clients must meet these requirements:
Their certificate is valid and is not revoked, as validated by OCSP
The client's username matches an account in AD
# Requirements for assigning clients to roles
After authentication, the customer wants the CPPM to assign clients to ClearPass roles based on the following rules:
* Clients with certificates issued by Onboard are assigned the "mobile-onboarded" role
* Clients that have passed TEAP Method 1 are assigned the "domain-computer" role Clients in the AD group "Medical" are assigned the "medical-staff" role Clients in the AD group "Reception" are assigned to the "reception-staff" role The customer requires CPPM to assign authenticated clients to AOS firewall roles as follows:
* Assign medical staff on mobile-onboarded clients to the "medical-mobile" firewall role
* Assign other mobile-onboarded clients to the "mobile-other" firewall role
* Assign medical staff on domain computers to the "medical-domain" firewall role
* All reception staff on domain computers to the "reception-domain" firewall role
* All domain computers with no valid user logged in to the "computer-only" firewall role
* Deny other clients access
# Other requirements
Communications between ClearPass servers and on-prem AD domain controllers must be encrypted.
# Network topology
For the network infrastructure, this customer has Aruba APs and Aruba gateways, which are managed by Central. APs use tunneled WLANs, which tunnel traffic to the gateway cluster. The customer also has AOS-CX switches that are not managed by Central at this point.
# ClearPass cluster IP addressing and hostnames
A customer's ClearPass cluster has these IP addresses:
* Publisher = 10.47.47.5
* Subscriber 1 = 10.47.47.6
* Subscriber 2 = 10.47.47.7
* Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8
The customer's DNS server has these entries
* cp.acnsxtest.com = 10.47.47.5
* cps1.acnsxtest.com = 10.47.47.6
* cps2.acnsxtest.com = 10.47.47.7
* radius.acnsxtest.com = 10.47.47.8
* onboard.acnsxtest.com = 10.47.47.8
On CPPM, you are creating the authentication method shown in the exhibit below:
You will use the method for standalone EAP-TLS and for inner methods in TEAP.
What should you do?
- A. Enable certificate comparison.
- B. Configure OCSP override and set the OCSP URL to localhost/onboard/mdps ocspphp/2
- C. Configure OCSP override and leave the OCSP URL blank.
- D. Enable authorization.
正解:B
質問 # 28
......
HP HPE6-A84(Aruba Certified Network Security Expert Writde)認定試験は、ネットワークセキュリティの専門家のスキルと知識をテストする包括的な試験です。この試験は、Aruba製品と技術を使用して安全なネットワークインフラストラクチャを設計、実装、および管理するために必要なスキルをテストするように設計されています。試験に合格した候補者は、Aruba認定ネットワークセキュリティの専門家として認定され、Aruba製品と技術を使用して安全なネットワークインフラストラクチャを設計、実装、および管理する能力を実証します。
HPE6-A84試験は、60問の多肢選択問題からなる筆記試験です。受験者は90分以内に試験を完了する必要があります。この試験は英語と日本語で受験できます。試験の合格基準は70%です。試験に合格した受験者は、ネットワークセキュリティの専門家として認められ、組織のネットワークを守るための効果的なセキュリティ対策を実施するスキルと知識を持つことができます。
合格できるHP ACA - Network Security HPE6-A84試験問題集には60問があります:https://jp.fast2test.com/HPE6-A84-premium-file.html