HPE6-A84試験問題集を提供していますHP問題
HPE6-A84認定ガイドPDFはリアル試験問題で100%カバー率
HP HPE6-A84試験では、セキュリティポリシー、アクセス制御、ネットワークインフラストラクチャセキュリティ、暗号化、脅威の検出と対応など、ネットワークセキュリティに関連するさまざまなトピックをカバーしています。試験は60の複数選択の質問で構成されており、90分以内に完了する必要があります。試験の合格スコアは75%であり、試験に成功した個人には、Aruba Certified Network Security Expert(ACNSE)認定が授与されます。
質問 # 16
Refer to the exhibit.
Which IP address should you record as a possibly compromised client?
- A. 10.254.1.21
- B. 10.1.26.1
- C. 10.1J.100
- D. 10.1.26.151
正解:D
解説:
Explanation
The exhibit shows a screenshot of a Malwarebytes alert that indicates that a website was blocked due to compromise. The alert contains the following information:
The type of protection: Web Protection
The website that was blocked: 10.254.1.21
The port that was used: 80
The process that initiated the connection: C:\Program Files
(x86)\Google\Chrome\Application\chrome.exe
The IP address of the device that initiated the connection: 10.1.26.151 The IP address of the device that initiated the connection is the one that should be recorded as a possibly compromised client, as it indicates that the device tried to access a malicious website that could infect it with malware or steal its data. In this case, the IP address of the possibly compromised client is 10.1.26.151.
質問 # 17
Refer to the exhibit.
Which IP address should you record as a possibly compromised client?
- A. 10.254.1.21
- B. 10.1.26.1
- C. 10.1J.100
- D. 10.1.26.151
正解:D
質問 # 18
Refer to the scenario.
# Introduction to the customer
You are helping a company add Aruba ClearPass to their network, which uses Aruba network infrastructure devices.
The company currently has a Windows domain and Windows CA. The Window CA issues certificates to domain computers, domain users, and servers such as domain controllers. An example of a certificate issued by the Windows CA is shown here.

The company is in the process of adding Microsoft Endpoint Manager (Intune) to manage its mobile clients.
The customer is maintaining the on-prem AD for now and uses Azure AD Connect to sync with Azure AD.
# Requirements for issuing certificates to mobile clients
The company wants to use ClearPass Onboard to deploy certificates automatically to mobile clients enrolled in Intune. During this process, Onboard should communicate with Azure AD to validate the clients. High availability should also be provided for this scenario; in other words, clients should be able to get certificates from Subscriber 2 if Subscriber 1 is down.
The Intune admins intend to create certificate profiles that include a UPN SAN with the UPN of the user who enrolled the device.
# Requirements for authenticating clients
The customer requires all types of clients to connect and authenticate on the same corporate SSID.
The company wants CPPM to use these authentication methods:
EAP-TLS to authenticate users on mobile clients registered in Intune
TEAR, with EAP-TLS as the inner method to authenticate Windows domain computers and the users on them To succeed, EAP-TLS (standalone or as a TEAP method) clients must meet these requirements:
Their certificate is valid and is not revoked, as validated by OCSP
The client's username matches an account in AD
# Requirements for assigning clients to roles
After authentication, the customer wants the CPPM to assign clients to ClearPass roles based on the following rules:
Clients with certificates issued by Onboard are assigned the "mobile-onboarded" role Clients that have passed TEAP Method 1 are assigned the "domain-computer" role Clients in the AD group "Medical" are assigned the "medical-staff" role Clients in the AD group "Reception" are assigned to the "reception-staff" role The customer requires CPPM to assign authenticated clients to AOS firewall roles as follows:
Assign medical staff on mobile-onboarded clients to the "medical-mobile" firewall role Assign other mobile-onboarded clients to the "mobile-other" firewall role Assign medical staff on domain computers to the "medical-domain" firewall role All reception staff on domain computers to the "reception-domain" firewall role All domain computers with no valid user logged in to the "computer-only" firewall role Deny other clients access
# Other requirements
Communications between ClearPass servers and on-prem AD domain controllers must be encrypted.
# Network topology
For the network infrastructure, this customer has Aruba APs and Aruba gateways, which are managed by Central. APs use tunneled WLANs, which tunnel traffic to the gateway cluster. The customer also has AOS-CX switches that are not managed by Central at this point.
# ClearPass cluster IP addressing and hostnames
A customer's ClearPass cluster has these IP addresses:
Publisher = 10.47.47.5
Subscriber 1 = 10.47.47.6
Subscriber 2 = 10.47.47.7
Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8
The customer's DNS server has these entries
cp.acnsxtest.com = 10.47.47.5
cps1.acnsxtest.com = 10.47.47.6
cps2.acnsxtest.com = 10.47.47.7
radius.acnsxtest.com = 10.47.47.8
onboard.acnsxtest.com = 10.47.47.8
The customer has now decided that it needs CPPM to assign certain mobile-onboarded devices to a
"nurse-call" AOS user role. These are mobile-onboarded devices that are communicating with IP address
10.1.18.12 using port 4343.
What are the prerequisites for fulfilling this requirement?
- A. Creating server-based role assignment rules on gateways that apply roles to clients based on traffic destinations
- B. Creating server-based role assignment rules on APs that apply roles to clients based on traffic destinations
- C. Creating a tag on Central to select the proper destination connection and integrating CPPM with Device Insight
- D. Setting up traffic classes and role mapping rules within Central's global settings
正解:A
質問 # 19
Refer to the scenario.
A customer has an AOS10 architecture that is managed by Aruba Central. Aruba infrastructure devices authenticate clients to an Aruba ClearPass cluster.
In Aruba Central, you are examining network traffic flows on a wireless IoT device that is categorized as
"Raspberry Pi" clients. You see SSH traffic. You then check several more wireless IoT clients and see that they are sending SSH also.
You want a fast way to find a list of all the IoT clients that have used SSH.
What step can you take?
- A. Use Central's Live Events monitoring tool to detect which clients meet the desired criteria.
- B. Run a search for SSH traffic and loT client IDs in Aruba ClearPass Policy Manager's (CPPM's) accounting information.
- C. Create and apply a Central client profile tag that selects the SSH application and the clients' category.
- D. Use Central's Gateway IDS/IPS Security Dashboard to search for SSH events and sources.
正解:A
解説:
Explanation
This is because the Live Events monitoring tool is a feature that allows you to view and filter real-time events and alerts from your network devices and clients on Aruba Central. You can use the Live Events monitoring tool to detect which IoT clients have used SSH by applying the following filters:
Category: IoT
Application: SSH
The Live Events monitoring tool will then display a list of all the IoT clients that have used SSH, along with other information such as their IP address, MAC address, hostname, SSID, AP name, etc. You can also export the list as a CSV file for further analysis or reporting.
A: Create and apply a Central client profile tag that selects the SSH application and the clients' category. This is not the fastest way to find a list of all the IoT clients that have used SSH because creating and applying a client profile tag is a process that involves several steps and might take some time to take effect. A client profile tag is a feature that allows you to group and classify clients based on various criteria, such as device type, OS, category, application, etc. To create and apply a client profile tag that selects the SSH application and the clients' category, you need to do the following:
Navigate to Clients > Client Profile Tags on Aruba Central.
Click Add Tag and enter a name and description for the tag.
Click Add Rule and select Application as the attribute and SSH as the value.
Click Add Rule again and select Category as the attribute and IoT as the value.
Click Save to create the tag.
Navigate to Clients > Client List on Aruba Central.
Select the clients that you want to apply the tag to and click Assign Tag.
Select the tag that you created and click Apply.
After applying the tag, you can then filter the client list by the tag name and see a list of all the IoT clients that have used SSH. However, this method might not be as fast or accurate as using the Live Events monitoring tool, as it depends on how often the client profile tags are updated and synchronized with Aruba Central.
B: Run a search for SSH traffic and loT client IDs in Aruba ClearPass Policy Manager's (CPPM's) accounting information. This is not the fastest way to find a list of all the IoT clients that have used SSH because running a search in CPPM's accounting information is a process that involves accessing another system and querying a large amount of data. Accounting information is a feature that allows CPPM to collect and store data about network sessions, such as start time, end time, duration, bytes sent/received, etc. To run a search for SSH traffic and IoT client IDs in CPPM's accounting information, you need to do the following:
Log in to CPPM and navigate to Monitoring > Live Monitoring > Accounting.
Click on Advanced Search and enter SSH as the value for Service Name.
Click on Add Filter and enter IoT as the value for Endpoint Category.
Click on Search to run the query.
The query will then return a list of all the network sessions that involved SSH traffic and IoT clients. However, this method might not be as fast or convenient as using the Live Events monitoring tool, as it requires logging in to another system and searching through a large amount of data that might not be relevant or current.
D: Use Central's Gateway IDS/IPS Security Dashboard to search for SSH events and sources. This is not a valid way to find a list of all the IoT clients that have used SSH because the Gateway IDS/IPS Security Dashboard is a feature that only applies to wired network devices connected to Aruba gateways, not wireless devices connected to Aruba APs. The Gateway IDS/IPS Security Dashboard is a feature that allows you to monitor and manage security events and alerts from your wired network devices on Aruba Central. You can use the Gateway IDS/IPS Security Dashboard to search for security events related to SSH, such as brute force attacks or unauthorized access attempts, but not for normal SSH traffic from wireless IoT devices. Therefore, this method will not help you find a list of all the IoT clients that have used SSH.
質問 # 20
Refer to the scenario.
A customer is using an AOS 10 architecture with Aruba APs and Aruba gateways (two per site). Admins have implemented auto-site clustering for gateways with the default gateway mode disabled. WLANs use tunneled mode to the gateways.
The WLAN security is WPA3-Enterprise with authentication to an Aruba ClearPass Policy Manager (CPPM) cluster VIP. RADIUS communications use RADIUS, not RadSec.
For which devices does CPPM require network device entries?
- A. ForAP clusters'virtual IP addresses
- B. Forgateways' actual IP addresses and dynamic authorization VRRP addresses
- C. For APs' actual IP addresses
- D. For gateways' actual IP addresses and AP clusters' virtual IP addresses for dynamic authorization
正解:B
解説:
Explanation
ClearPass Policy Manager (CPPM) requires network device entries for the devices that communicate with it using RADIUS or TACACS+ protocols. In this scenario, the gateways are the devices that act as RADIUS clients and send authentication requests to CPPM for the WLAN users. Therefore, CPPM needs to have network device entries for the gateways' actual IP addresses and the shared secrets that match the ones configured on the gateways.
Additionally, CPPM also requires network device entries for the gateways' dynamic authorization VRRP addresses, which are used for sending CoA messages to the gateways. CoA messages are used to change the attributes or status of a user session on the gateways without requiring re-authentication. For example, CPPM can use CoA to apply policies, roles, or bandwidth limits based on various conditions. To enable VRRP IP addresses for dynamic authorization, you need to set up gateway clusters manually and assign a VRRP VLAN and a VRRP IP address to each cluster. This way, CPPM can use the VRRP IP address as the NAS IP address for RADIUS communications and CoA messages. The VRRP IP address will remain the same even if the active gateway in the cluster changes due to a failover event, ensuring seamless operations.
質問 # 21
Refer to the exhibit.
You have been given this certificate to install on a ClearPass server for the RADIUS/EAP and RadSec usages.
What is one issue?
- A. The certificate does not have an IP subject alternative name
- B. The certificate does not have a URI subject alternative name
- C. The certificate has a wildcard in the subject common name.
- D. The certificate uses a fully qualified the '.local" domain name.
正解:B
質問 # 22
Refer to the scenario.
A customer requires these rights for clients in the "medical-mobile" AOS firewall role on Aruba Mobility Controllers (MCs):
Permitted to r* eceive IP addresses with DHCP
* Permitted access to DNS services from 10.8.9.7 and no other server
* Permitted access to all subnets in the 10.1.0.0/16 range except denied access to 10.1.12.0/22
* Denied access to other 10.0.0.0/8 subnets
* Permitted access to the Internet
* Denied access to the WLAN for a period of time if they send any SSH traffic
* Denied access to the WLAN for a period of time if they send any Telnet traffic
* Denied access to all high-risk websites
External devices should not be permitted to initiate sessions with "medical-mobile" clients, only send return traffic.
The exhibits below show the configuration for the role.
There are multiple issues with this configuration. What is one change you must make to meet the scenario requirements? (In the options, rules in a policy are referenced from top to bottom. For example,
"medical-mobile" rule 1 is "ipv4 any any svc-dhcp permit," and rule 8 is "ipv4 any any any permit".)
- A. In the "medical-mobile" policy, change the source in rule 8 to "user."
- B. In the "medical-mobile" policy, change the subnet mask in rule 3 to 255.255.248.0.
- C. Move the rule in the "apprf-medical-mobile-sacl" policy between rules 7 and 8 in the "medical-mobile" policy.
- D. In the "medical-mobile" policy, move rules 2 and 3 between rules 7 and 8.
正解:B
解説:
Explanation
The subnet mask in rule 3 of the "medical-mobile" policy is currently 255.255.252.0, which means that the rule denies access to the 10.1.12.0/22 subnet as well as the adjacent 10.1.16.0/22 subnet 1. This is not consistent with the scenario requirements, which state that only the 10.1.12.0/22 subnet should be denied access, while the rest of the 10.1.0.0/16 range should be permitted access.
To fix this issue, the subnet mask in rule 3 should be changed to 255.255.248.0, which means that the rule only denies access to the 10.1.8.0/21 subnet, which includes the 10.1.12.0/22 subnet 1. This way, the rule matches the scenario requirements more precisely.
質問 # 23
You are working with a developer to design a custom NAE script for a customer. The NAE agent should trigger an alert when ARP inspection drops packets on a VLAN. The customer wants the admins to be able to select the correct VLAN ID for the agent to monitor when they create the agent.
What should you tell the developer to do?
- A. Use a callback action to collect the ID of the VLAN on which admins have enabled NAE monitoring.
- B. Define a VLAN ID parameter; reference that parameter when defining the monitor URI.
- C. Use this variable, %{vlan-id} when defining the monitor URI in the NAE agent script.
- D. Create multiple monitors within the script from which admins can select when they create the agent.
正解:B
解説:
Explanation
A custom NAE script is a Python script that defines the monitors, the alert-trigger logic, and the remedial actions for an NAE agent. A monitor is a URI that specifies the data source and the data type that the NAE agent should collect and analyze. For example, to monitor the ARP inspection statistics on a VLAN, the monitor URI would be something like this:
where <vlan-id> is the ID of the VLAN to be monitored.
To allow the admins to select the correct VLAN ID for the agent to monitor when they create the agent, you need to define a VLAN ID parameter in the NAE script. A parameter is a variable that can be set by the user when creating or modifying an agent. A parameter can be referenced in other parts of the script by using the syntax ${parameter-name}. For example, to define a VLAN ID parameter and reference it in the monitor URI, you would write something like this:
This way, when the admins create or modify the agent, they can enter the VLAN ID that they want to monitor, and the NAE script will use that value in the monitor URI.
You can find more information about how to write custom NAE scripts and use parameters in the NAE Scripting Guide
質問 # 24
Refer to the scenario.
A customer requires these rights for clients in the "medical-mobile" AOS firewall role on Aruba Mobility Controllers (MCs):
Permitted to receive IP addresses with DHCP
* Permitted access to DNS services from 10.8.9.7 and no other server
* Permitted access to all subnets in the 10.1.0.0/16 range except denied access to 10.1.12.0/22
* Denied access to other 10.0.0.0/8 subnets
* Permitted access to the Internet
* Denied access to the WLAN for a period of time if they send any SSH traffic
* Denied access to the WLAN for a period of time if they send any Telnet traffic
* Denied access to all high-risk websites
External devices should not be permitted to initiate sessions with "medical-mobile" clients, only send return traffic.
The exhibits below show the configuration for the role.
There are multiple issues with the configuration.
What is one of the changes that you must make to the policies to meet the scenario requirements? (In the options, rules in a policy are referenced from top to bottom. For example, "medical-mobile" rule 1 is "ipv4 any any svc-dhcp permit," and rule 8 is "ipv4 any any any permit'.)
- A. In the "medical-mobile" policy, change the subnet mask in rule 3 to 255.255.248.0.
- B. In the "medical-mobile" policy, change the source in rule 1 to "user."
- C. In the "medical-mobile" policy, move rules 6 and 7 to the top of the list.
- D. Move the rule in the "apprf-medical-mobile-sacl" policy between rules 7 and 8 in the "medical-mobile" policy.
正解:C
解説:
Explanation
Rules 6 and 7 in the "medical-mobile" policy are used to deny access to the WLAN for a period of time if the clients send any SSH or Telnet traffic, as required by the scenario. However, these rules are currently placed below rule 5, which permits access to the Internet for any traffic. This means that rule 5 will override rules 6 and 7, and the clients will not be denied access to the WLAN even if they send SSH or Telnet traffic.
To fix this issue, rules 6 and 7 should be moved to the top of the list, before rule 5. This way, rules 6 and 7 will take precedence over rule 5, and the clients will be denied access to the WLAN if they send SSH or Telnet traffic, as expected.
質問 # 25
Refer to the scenario.
A customer requires these rights for clients in the "medical-mobile" AOS firewall role on Aruba Mobility Controllers (MCs):
Permitted to receive IP addresses with DHCP
Permitted access to DNS services from 10.8.9.7 and no other server
Permitted access to all subnets in the 10.1.0.0/16 range except denied access to 10.1.12.0/22 Denied access to other 10.0.0.0/8 subnets Permitted access to the Internet Denied access to the WLAN for a period of time if they send any SSH traffic Denied access to the WLAN for a period of time if they send any Telnet traffic Denied access to all high-risk websites External devices should not be permitted to initiate sessions with "medical-mobile" clients, only send return traffic.
The line below shows the effective configuration for the role.
There are multiple issues with this configuration. What is one change you must make to meet the scenario requirements? (In the options, rules in a policy are referenced from top to bottom. For example,
"medical-mobile" rule 1 is "ipv4 any any svc-dhcp permit," and rule 6 is "ipv4 any any any permit'.)
- A. In the "medical-mobile" policy, change the action for rules 2 and 3 to reject.
- B. Apply the "apprf-medical-mobile-sjcT policy explicitly to the 'medical-mobile' user-role under the
'medical-mobile" policy. - C. In the "medical-mobile" policy, move rule 5 under rule 6.
- D. In the "medical-mobile* policy, change the subnet mask in rule 5 to 255.255.252.0.
正解:D
質問 # 26
Refer to the scenario.
A customer has an AOS10 architecture that is managed by Aruba Central. Aruba infrastructure devices authenticate clients to an Aruba ClearPass cluster.
In Aruba Central, you are examining network traffic flows on a wireless IoT device that is categorized as
"Raspberry Pi" clients. You see SSH traffic. You then check several more wireless IoT clients and see that they are sending SSH also.
You want a fast way to find a list of all the IoT clients that have used SSH.
What step can you take?
- A. Create and apply a Central client profile tag that selects the SSH application and the clients' category.
- B. Run a search for SSH traffic and loT client IDs in Aruba ClearPass Policy Manager's (CPPM's) accounting information.
- C. Use Central's Live Events monitoring tool to detect which clients meet the desired criteria.
- D. Use Central's Gateway IDS/IPS Security Dashboard to search for SSH events and sources.
正解:A
質問 # 27
Refer to the scenario.
# Introduction to the customer
You are helping a company add Aruba ClearPass to their network, which uses Aruba network infrastructure devices.
The company currently has a Windows domain and Windows CA. The Window CA issues certificates to domain computers, domain users, and servers such as domain controllers. An example of a certificate issued by the Windows CA is shown here.

The company is in the process of adding Microsoft Endpoint Manager (Intune) to manage its mobile clients.
The customer is maintaining the on-prem AD for now and uses Azure AD Connect to sync with Azure AD.
# Requirements for issuing certificates to mobile clients
The company wants to use ClearPass Onboard to deploy certificates automatically to mobile clients enrolled in Intune. During this process, Onboard should communicate with Azure AD to validate the clients. High availability should also be provided for this scenario; in other words, clients should be able to get certificates from Subscriber 2 if Subscriber 1 is down.
The Intune admins intend to create certificate profiles that include a UPN SAN with the UPN of the user who enrolled the device.
# Requirements for authenticating clients
The customer requires all types of clients to connect and authenticate on the same corporate SSID.
The company wants CPPM to use these authentication methods:
* EAP-TLS to authenticate users on mobile clients registered in Intune
* TEAR, with EAP-TLS as the inner method to authenticate Windows domain computers and the users on them To succeed, EAP-TLS (standalone or as a TEAP method) clients must meet these requirements:
Their certificate is valid and is not revoked, as validated by OCSP
The client's username matches an account in AD
# Requirements for assigning clients to roles
After authentication, the customer wants the CPPM to assign clients to ClearPass roles based on the following rules:
* Clients with certificates issued by Onboard are assigned the "mobile-onboarded" role
* Clients that have passed TEAP Method 1 are assigned the "domain-computer" role Clients in the AD group "Medical" are assigned the "medical-staff" role Clients in the AD group "Reception" are assigned to the "reception-staff" role The customer requires CPPM to assign authenticated clients to AOS firewall roles as follows:
* Assign medical staff on mobile-onboarded clients to the "medical-mobile" firewall role
* Assign other mobile-onboarded clients to the "mobile-other" firewall role
* Assign medical staff on domain computers to the "medical-domain" firewall role
* All reception staff on domain computers to the "reception-domain" firewall role
* All domain computers with no valid user logged in to the "computer-only" firewall role
* Deny other clients access
# Other requirements
Communications between ClearPass servers and on-prem AD domain controllers must be encrypted.
# Network topology
For the network infrastructure, this customer has Aruba APs and Aruba gateways, which are managed by Central. APs use tunneled WLANs, which tunnel traffic to the gateway cluster. The customer also has AOS-CX switches that are not managed by Central at this point.
# ClearPass cluster IP addressing and hostnames
A customer's ClearPass cluster has these IP addresses:
* Publisher = 10.47.47.5
* Subscriber 1 = 10.47.47.6
* Subscriber 2 = 10.47.47.7
* Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8
The customer's DNS server has these entries
* cp.acnsxtest.com = 10.47.47.5
* cps1.acnsxtest.com = 10.47.47.6
* cps2.acnsxtest.com = 10.47.47.7
* radius.acnsxtest.com = 10.47.47.8
* onboard.acnsxtest.com = 10.47.47.8
On CPPM, you are creating the authentication method shown in the exhibit below:
You will use the method for standalone EAP-TLS and for inner methods in TEAP.
What should you do?
- A. Configure OCSP override and leave the OCSP URL blank.
- B. Configure OCSP override and set the OCSP URL to localhost/onboard/mdps ocspphp/2
- C. Enable authorization.
- D. Enable certificate comparison.
正解:B
質問 # 28
Refer to the scenario.
An organization wants the AOS-CX switch to trigger an alert if its RADIUS server (cp.acnsxtest.local) rejects an unusual number of client authentication requests per hour. After some discussions with other Aruba admins, you are still not sure how many rejections are usual or unusual. You expect that the value could be different on each switch.
You are helping the developer understand how to develop an NAE script for this use case.
You are helping the developer find the right URI for the monitor.
Refer to the exhibit.
You have used the REST API reference interface to submit a test call. The results are shown in the exhibit.
Which URI should you give to the developer?
- A. /rest/v1/system/vrfs/mgmt/radius/servers/cp.acnsxtest.local/2083/tcp?attributes=authstatistics.access_rejec
- B. /rest/v1/system/vrfs/mgmt/radius/servers/cp.acnsxtest.local/2083/tcp?attributes=authstatistics?attributes=a
- C. /rest/v1/system/vrfs/mgmt/radius/servers/cp.acnsxtest.local/2083/tcp?attributes=authstatistics
- D. /rest/v1/system/vrfs/mgmt/radius/_servers/cp.acnsxtest.local/2083/tcp
正解:A
解説:
Explanation
This is because this URI specifies the exact attribute that contains the number of access rejects from the RADIUS server, which is the information that the NAE script needs to monitor and trigger an alert.
A: /rest/v1/system/vrfs/mgmt/radius/servers/cp.acnsxtest.local/2083/tcp?attributes=authstatistics. This is not the correct URI because it returns the entire authstatistics object, which contains more information than the access rejects, such as access accepts, challenges, timeouts, etc. This might make the NAE script more complex and inefficient to parse and process the data.
B: /rest/v1/system/vrfs/mgmt/radius/servers/cp.acnsxtest.local/2083/tcp?attributes=authstatistics?attributes=access_ This is not a valid URI because it has two question marks, which is a syntax error. The question mark is used to indicate the start of the query string, which can have one or more parameters separated by ampersands. The correct way to specify multiple attributes is to use a comma-separated list after the question mark, such as?attributes=attr1,attr2,attr3.
C: /rest/v1/system/vrfs/mgmt/radius/_servers/cp.acnsxtest.local/2083/tcp. This is not a valid URI because it has an extra underscore before servers, which is a typo. The correct resource name is servers, not _servers.
Moreover, this URI does not specify any attributes, which means it will return the default attributes of the RADIUS server object, such as name, port, protocol, etc., but not the authstatistics or access_rejects.
質問 # 29
A customer has an AOS 10 architecture, which includes Aruba APs. Admins have recently enabled WIDS at the high level. They also enabled alerts and email notifications for several events, as shown in the exhibit.
Admins are complaining that they are getting so many emails that they have to ignore them, so they are going to turn off all notifications.
What is one step you could recommend trying first?
- A. Disable just the Rogue AP and Client Attack Detected alerts, as they overlap with the Infrastructure Attack Detected alert.
- B. Change the WIDS level to custom, and enable only the checks most likely to indicate real threats.
- C. Send the email notifications directly to a specific folder, and only check the folder once a week.
- D. Disable email notifications for Roque AP, but leave the Infrastructure Attack Detected and Client Attack Detected notifications on.
正解:B
質問 # 30
A customer's admins have added RF Protect licenses and enabled WIDS for a customer's AOS 8-based solution. The customer wants to use the built-in capabilities of APs without deploying dedicated air monitors (AMs). Admins tested rogue AP detection by connecting an unauthorized wireless AP to a switch. The rogue AP was not detected even after several hours.
What is one point about which you should ask?
- A. Whether admins enabled wireless containment
- B. Whether admins set at least one radio on each AP to air monitor mode
- C. Whether the customer is using non-standard Wi-Fi channels in the deployment
- D. Whether APs' switch ports support all the VLANs that are accessible at the edge
正解:B
解説:
Explanation
RF Protect is a feature that enables wireless intrusion detection and prevention system (WIDS/WIPS) capabilities on AOS 8-based solutions. WIDS/WIPS allows detecting and mitigating rogue APs, unauthorized clients, and other wireless threats. RF Protect requires RF Protect licenses to be installed and WIDS to be enabled on the Mobility Master (MM).
To use the built-in capabilities of APs for WIDS/WIPS, without deploying dedicated air monitors (AMs), admins need to set at least one radio on each AP to air monitor mode. Air monitor mode allows the AP to scan the wireless spectrum and report any wireless activity or anomalies to the MM. Air monitor mode does not affect the other radio on the AP, which can still serve clients in access mode. By setting at least one radio on each AP to air monitor mode, admins can achieve full coverage and visibility of the wireless environment and detect rogue APs.
If admins do not set any radio on the APs to air monitor mode, the APs will not scan the wireless spectrum or report any wireless activity or anomalies to the MM. This means that the APs will not be able to detect rogue APs, even if they are connected to the same network. Therefore, admins should check whether they have set at least one radio on each AP to air monitor mode.
質問 # 31
Refer to the scenario.
A customer is using an AOS 10 architecture with Aruba APs and Aruba gateways (two per site). Admins have implemented auto-site clustering for gateways with the default gateway mode disabled. WLANs use tunneled mode to the gateways.
The WLAN security is WPA3-Enterprise with authentication to an Aruba ClearPass Policy Manager (CPPM) cluster VIP. RADIUS communications use RADIUS, not RadSec.
CPPM is using the service shown in the exhibits.
Which step can you take to improve operations during a possible gateway failover event?
- A. Chanqe the WLANs to mixed-mode forwardinq so that vou can select multiple qatewav clusters.
- B. Set up qatewav clusters manually and set VRRP IP addresses for dynamic authorization.
- C. Enable default gateway mode for the gateway clusters.
- D. Use auto-group clustering instead of auto-site clustering for the gateways.
正解:B
解説:
Explanation
Auto-site clustering is a feature that allows gateways in the same site and group to form a cluster automatically. However, this mode does not support VRRP IP addresses, which are required for dynamic authorization (CoA) from ClearPass Policy Manager (CPPM) to the gateways. Dynamic authorization is a mechanism that allows CPPM to change the attributes or status of a client session on the gateways without requiring re-authentication. This is useful for applying policies, roles, or bandwidth limits based on various conditions. Without VRRP IP addresses, CPPM would not be able to send CoA messages to the correct gateway in case of a failover event, resulting in inconsistent or incorrect client behavior.
To enable VRRP IP addresses for dynamic authorization, you need to set up gateway clusters manually and assign a VRRP VLAN and a VRRP IP address to each cluster. This way, CPPM can use the VRRP IP address as the NAS IP address for RADIUS communications and CoA messages. The VRRP IP address will remain the same even if the active gateway in the cluster changes due to a failover event, ensuring seamless operations. You can find more information about how to set up gateway clusters manually and configure VRRP IP addresses in the Gateway Cluster Deployment - Aruba page and the ClearPass Policy Manager User Guide1.
質問 # 32
A company has Aruba gateways and wants to start implementing gateway IDS/IPS. The customer has selected Block for the Fail Strategy.
What might you recommend to help minimize unexpected outages caused by using this particular fall strategy?
- A. Setting the IDS or IPS policy to the least restrictive option, Lenient
- B. Configuring a relatively high threshold for the gateway threat count alerts
- C. Making sure that the gateways have formed a cluster and operate in default gateway mode
- D. Enabling alerts and email notifications for events related to gateway IPS engine utilization and errors
正解:C
質問 # 33
Refer to the scenario.
This customer is enforcing 802.1X on AOS-CX switches to Aruba ClearPass Policy Manager (CPPM). The customer wants switches to download role settings from CPPM. The "reception-domain" role must have these settings:
- Assigns clients to VLAN 14 on switch 1, VLAN 24 on switch 2, and so on.
- Filters client traffic as follows:
- Clients are permitted full access to 10.1.5.0/24 and the Internet
- Clients are denied access to 10.1.0.0/16
The switch topology is shown here:
How should you configure the VLAN setting for the reception role?
- A. Configure the enforcement profile as a downloadable role, but specify only the role name and leave the VLAN undefined. Then define a 'reception' role with the correct VLAN setting on each individual access layer switch.
- B. Create a separate enforcement profile with a different VLAN ID for each switch. Add all profiles to the profile list in the appropriate enforcement policy rule.
- C. Assign a number-based ID to the access layer switches. Then use this variable in the enforcement profile VLAN settings: %(NAS-ID]4.
- D. Assign a consistent name to VLAN 14, 24, or 34 on each access layer switch and reference that name in the enforcement profile VLAN settings.
正解:D
質問 # 34
Refer to the exhibit.
A customer requires protection against ARP poisoning in VLAN 4. Below are listed all settings for VLAN 4 and the VLAN 4 associated physical interfaces on the AOS-CX access layer switch:
What is one issue with this configuration?
- A. Edge ports are not configured as untrusted for ARP inspection.
- B. LAG 1 is configured as trusted for ARP inspection but should be untrusted.
- C. DHCP snooping is not enabled on VLAN 4.
- D. ARP proxy is not enabled on VLAN 4.
正解:A
解説:
Explanation
This is because ARP inspection is a security feature that validates ARP packets in a network and prevents ARP poisoning attacks12 ARP inspection works by intercepting, logging, and discarding ARP packets with invalid IP-to-MAC address bindings1 To enable ARP inspection, the switch needs to know which ports are trusted and which are untrusted. Trusted ports are those that connect to authorized DHCP servers or other network devices that are not vulnerable to ARP spoofing. Untrusted ports are those that connect to end hosts or devices that might send forged ARP packets13 In the exhibit, LAG 1 is configured as a trusted port for ARP inspection, which is correct because it connects to the core switch. However, the edge ports (1/1/1-1/1/24) are not configured as untrusted ports for ARP inspection, which is incorrect because they connect to end hosts that might be compromised by an attacker. By default, all ports are untrusted for ARP inspection, but this can be changed by using the command ip arp inspection trust on the interface configuration mode3 Therefore, to protect VLAN 4 against ARP poisoning, the edge ports should be configured as untrusted for ARP inspection by using the command no ip arp inspection trust on the interface configuration mode. This way, the switch will validate the ARP packets received on these ports against the DHCP snooping database or an ARP access-list and drop any invalid packets34
A: ARP proxy is not enabled on VLAN 4. This is not an issue because ARP proxy is an optional feature that allows the switch to respond to ARP requests on behalf of hosts in different subnets5 It is not related to ARP poisoning or ARP inspection.
B: LAG 1 is configured as trusted for ARP inspection but should be untrusted. This is not an issue because LAG 1 connects to the core switch, which is a trusted device that does not send forged ARP packets.
C: DHCP snooping is not enabled on VLAN 4. This is not an issue because DHCP snooping is a separate feature that prevents rogue DHCP servers from offering IP addresses to clients6 It is not directly related to ARP poisoning or ARP inspection, although it can provide information for ARP inspection validation if enabled
質問 # 35
Refer to the scenario.
A customer has an AOS10 architecture that is managed by Aruba Central. Aruba infrastructure devices authenticate clients to an Aruba ClearPass cluster.
In Aruba Central, you are examining network traffic flows on a wireless IoT device that is categorized as
"Raspberry Pi" clients. You see SSH traffic. You then check several more wireless IoT clients and see that they are sending SSH also.
You want an easy way to communicate the information that an IoT client has used SSH to Aruba ClearPass Policy Manager (CPPM).
What step should you take?
- A. On Central set up CPPM as a Webhook application.
- B. On Central configure APs and gateways to use CPPM as the RADIUS accounting server.
- C. On CPPM create an Endpoint Context Server that points to the Central API.
- D. On CPPM enable Device Insight integration.
正解:C
解説:
Explanation
This is because an Endpoint Context Server (ECS) is a feature that allows ClearPass to receive contextual information from external sources, such as Aruba Central, and use it for policy enforcement and reporting. An ECS can be configured to point to the Aruba Central API and fetch data such as device type, category, OS, applications, traffic flows, etc.
An ECS can be used to communicate the information that an IoT client has used SSH to Aruba ClearPass Policy Manager (CPPM). The ECS can query the Aruba Central API and retrieve the network traffic flows of the wireless IoT devices that are categorized as "Raspberry Pi" clients. The ECS can then filter the traffic flows by the SSH protocol and send the relevant information to CPPM. CPPM can then use this information for policy decisions, such as allowing or denying SSH access, or triggering alerts or actions.
B: On CPPM enable Device Insight integration. This is not a valid step because Device Insight is a feature that allows ClearPass to discover, profile, and fingerprint devices on the network using deep packet inspection (DPI) and machine learning (ML). Device Insight does not communicate with Aruba Central or receive information from it. Moreover, Device Insight might not be able to detect SSH traffic on encrypted wireless IoT devices without decrypting it first.
C: On Central configure APs and gateways to use CPPM as the RADIUS accounting server. This is not a valid step because RADIUS accounting is a feature that allows network devices to send periodic updates about the status and activity of authenticated users or devices to a RADIUS server, such as CPPM. RADIUS accounting does not communicate with Aruba Central or receive information from it. Moreover, RADIUS accounting might not be able to capture SSH traffic on wireless IoT devices without inspecting it first.
D: On Central set up CPPM as a Webhook application. This is not a valid step because Webhook is a feature that allows Aruba Central to send notifications or events to external applications or services using HTTP requests. Webhook does not communicate with CPPM or send information to it. Moreover, Webhook might not be able to send SSH traffic information on wireless IoT devices without filtering it first.
質問 # 36
Refer to the scenario.
# Introduction to the customer
You are helping a company add Aruba ClearPass to their network, which uses Aruba network infrastructure devices.
The company currently has a Windows domain and Windows CA. The Window CA issues certificates to domain computers, domain users, and servers such as domain controllers. An example of a certificate issued by the Windows CA is shown here.

The company is in the process of adding Microsoft Endpoint Manager (Intune) to manage its mobile clients.
The customer is maintaining the on-prem AD for now and uses Azure AD Connect to sync with Azure AD.
# Requirements for issuing certificates to mobile clients
The company wants to use ClearPass Onboard to deploy certificates automatically to mobile clients enrolled in Intune. During this process, Onboard should communicate with Azure AD to validate the clients. High availability should also be provided for this scenario; in other words, clients should be able to get certificates from Subscriber 2 if Subscriber 1 is down.
The Intune admins intend to create certificate profiles that include a UPN SAN with the UPN of the user who enrolled the device.
# Requirements for authenticating clients
The customer requires all types of clients to connect and authenticate on the same corporate SSID.
The company wants CPPM to use these authentication methods:
* EAP-TLS to authenticate users on mobile clients registered in Intune
* TEAR, with EAP-TLS as the inner method to authenticate Windows domain computers and the users on them To succeed, EAP-TLS (standalone or as a TEAP method) clients must meet these requirements:
Their certificate is valid and is not revoked, as validated by OCSP
The client's username matches an account in AD
# Requirements for assigning clients to roles
After authentication, the customer wants the CPPM to assign clients to ClearPass roles based on the following rules:
* Clients with certificates issued by Onboard are assigned the "mobile-onboarded" role
* Clients that have passed TEAP Method 1 are assigned the "domain-computer" role Clients in the AD group "Medical" are assigned the "medical-staff" role Clients in the AD group "Reception" are assigned to the "reception-staff" role The customer requires CPPM to assign authenticated clients to AOS firewall roles as follows:
* Assign medical staff on mobile-onboarded clients to the "medical-mobile" firewall role
* Assign other mobile-onboarded clients to the "mobile-other" firewall role
* Assign medical staff on domain computers to the "medical-domain" firewall role
* All reception staff on domain computers to the "reception-domain" firewall role
* All domain computers with no valid user logged in to the "computer-only" firewall role
* Deny other clients access
# Other requirements
Communications between ClearPass servers and on-prem AD domain controllers must be encrypted.
# Network topology
For the network infrastructure, this customer has Aruba APs and Aruba gateways, which are managed by Central. APs use tunneled WLANs, which tunnel traffic to the gateway cluster. The customer also has AOS-CX switches that are not managed by Central at this point.
# ClearPass cluster IP addressing and hostnames
A customer's ClearPass cluster has these IP addresses:
* Publisher = 10.47.47.5
* Subscriber 1 = 10.47.47.6
* Subscriber 2 = 10.47.47.7
* Virtual IP with Subscriber 1 and Subscriber 2 = 10.47.47.8
The customer's DNS server has these entries
* cp.acnsxtest.com = 10.47.47.5
* cps1.acnsxtest.com = 10.47.47.6
* cps2.acnsxtest.com = 10.47.47.7
* radius.acnsxtest.com = 10.47.47.8
* onboard.acnsxtest.com = 10.47.47.8
The customer needs a secure way for users to enroll their new wireless clients in Intune. You are recommending a new WLAN that will provide the users with limited access for the enrollment.
You have set up captive portal for clients on this WLAN to a web page with instructions for enrolling devices.
You will need to add several hostnames to the captive portal allowlist manually.
What is one of those hostnames?
- A. The ClearPass Onboard hostname referenced in an Onboard provisioninG profile
- B. The hostname used by ClearPass Policy ManaGer's RADIUS services
- C. The hostname used by the on-prem domain controllers
- D. The ClearPass Onboard hostname referenced in Intune SCEP profiles
正解:A
質問 # 37
Refer to the exhibit.
Aruba ClearPass Policy Manager (CPPM) is using the settings shown in the exhibit. You reference the tag shown in the exhibit in enforcement policies related to NASes of several types, including Aruba APs, Aruba gateways, and AOS-CX switches.
What should you do to ensure that clients are reclassified and receive the correct treatment based on the tag?
- A. Set the Tags Update Action to No Action. Then instead enable the RADIUS CoAs using enforcement profiles in the rules that match clients with the tag shown in the exhibit.
- B. Change the RADIUS action to [Aruba Wireless - Bounce Switch Port] which is supported by all the NASes in question.
- C. Enable profiling in each service using one of these enforcement profiles. Set the profiling action to the correct one for the NASes using that service.
- D. Change the RADIUS action to [Aruba Wireless -Terminate Session] which is supported by all the NASes in question.
正解:D
質問 # 38
......
HP HPE6-A84(Aruba Certified Network Security Expert Writde)試験は、ネットワークセキュリティを深く理解し、この分野での知識とスキルを検証したいITプロフェッショナル向けに設計されています。この認定試験は、幅広いITソリューションとサービスを提供する大手テクノロジー企業であるHPが提供しています。 HPE6-A84試験は、ARUBA認定プログラムの一部であり、ITの専門家がネットワークセキュリティのスキルと専門知識を構築できるように設計されています。
HP HPE6-A84試験は、60の多肢選択問題に90分以内に回答することが必要な筆記試験です。この試験は、テストと評価のリーディングカンパニーであるPearson VUEによって実施され、世界中の複数の言語で利用できます。試験に合格した候補者は、ネットワークセキュリティの分野でグローバルに認められた資格であるAruba Certified Network Security Expert(ACNSE)の認定を受けます。この認定は、候補者がAruba Networks上で複雑なセキュリティソリューションを設計、構成、トラブルシューティングできる能力を検証します。
合格させるHPE6-A84試験にはリアル問題解答:https://jp.fast2test.com/HPE6-A84-premium-file.html