  • Exam Name: Aruba Certified Network Security Expert Written Exam
  • Last Update: Oct 8, 2024
  • Questions and Answers: 60

HPE6-A84 Practice Exam Questions with Answers Aruba Certified Network Security Expert Written Exam Certification

Question # 6

You need to install a certificate on a standalone Aruba Mobility Controller (MC). The MC will need to use the certificate for the Web UI and for implementing RadSec with Aruba ClearPass Policy Manager. You have been given a certificate with these settings:

  • Subject: CN=mc41.site94.example.com
  • No SANs
  • Issuer: CN=ca41.example.com
  • EKUs: Server Authentication, Client Authentication

What issue does this certificate have for the purposes for which the certificate is intended?

A. It has conflicting EKUs.

B. It is issued by a private CA.

C. It specifies domain info in the CN field instead of the DC field.

D. It lacks a DNS SAN.

Question # 7

Refer to the scenario.

A customer requires these rights for clients in the “medical-mobile” AOS firewall role on Aruba Mobility Controllers (MCs):

  • Permitted to receive IP addresses with DHCP
  • Permitted access to DNS services from 10.8.9.7 and no other server
  • Permitted access to all subnets in the 10.1.0.0/16 range except denied access to 10.1.12.0/22
  • Denied access to other 10.0.0.0/8 subnets
  • Permitted access to the Internet
  • Denied access to the WLAN for a period of time if they send any SSH traffic
  • Denied access to the WLAN for a period of time if they send any Telnet traffic
  • Denied access to all high-risk websites

External devices should not be permitted to initiate sessions with “medical-mobile” clients, only send return traffic.

The exhibits below show the configuration for the role.

[Exhibit image not included]

What setting not shown in the exhibit must you check to ensure that the requirements of the scenario are met?

A. That denylisting is enabled globally on the MCs’ firewalls

B. That stateful handling of traffic is enabled globally on the MCs’ firewalls and on the medical-mobile role.

C. That AppRF and WebCC are enabled globally and on the medical-mobile role

D. That the MCs are assigned RF Protect licenses

Question # 8

You want to use Device Insight tags as conditions within CPPM role mapping or enforcement policy rules.

What guidelines should you follow?

A. Create an HTTP authentication source to the Central API that queries for the tags. To use that source as the type for rule conditions, add it as an authorization source for the service in question.

B. Use the Application type for the rule conditions; no extra authorization source is required for services that use policies with these rules.

C. Use the Endpoints Repository type for the rule conditions; add Endpoints Repository as a secondary authentication source for services that use policies with these rules.

D. Use the Endpoint type for the rule conditions; no extra authorization source is required for services that use policies with these rules.

Question # 9

Several AOS-CX switches are responding to SNMPv2 GET requests for the public community. The customer only permits SNMPv3. You have asked a network admin to fix this problem. The admin says, “I tried to remove the community, but the CLI output an error.”

What should you recommend to remediate the vulnerability and meet the customer’s requirements?

A. Enabling control plane policing to automatically drop SNMP GET requests

B. Setting the snmp-server settings to “snmpv3-only”

C. Adding an SNMP community with a long random name

D. Enabling SNMPv3, which implicitly disables SNMPv1/v2

Question # 10

You are designing an Aruba ClearPass Policy Manager (CPPM) solution for a customer. You learn that the customer has a Palo Alto firewall that filters traffic between clients in the campus and the data center.

Which integration can you suggest?

A. Sending Syslogs from the firewall to CPPM to signal CPPM to change the authentication status for misbehaving clients

B. Importing clients' MAC addresses to configure known clients for MAC authentication more quickly

C. Establishing a double layer of authentication at both the campus edge and the data center DMZ

D. Importing the firewall's rules to program downloadable user roles for AOS-CX switches more quickly

Question # 11

Refer to the exhibit.

[Exhibit image not included]

You have been given this certificate to install on a ClearPass server for the RADIUS/EAP and RadSec usages.

What is one issue?

A. The certificate has a wildcard in the subject common name.

B. The certificate uses a fully qualified '.local' domain name.

C. The certificate does not have a URI subject alternative name.

D. The certificate does not have an IP subject alternative name.

Question # 12

Refer to the scenario.

A customer has an AOS10 architecture that is managed by Aruba Central. Aruba infrastructure devices authenticate clients to an Aruba ClearPass cluster.

In Aruba Central, you are examining network traffic flows on a wireless IoT device that is categorized as a “Raspberry Pi” client. You see SSH traffic. You then check several more wireless IoT clients and see that they are also sending SSH.

You want an easy way to communicate the information that an IoT client has used SSH to Aruba ClearPass Policy Manager (CPPM).

What step should you take?

A. On CPPM create an Endpoint Context Server that points to the Central API.

B. On CPPM enable Device Insight integration.

C. On Central configure APs and gateways to use CPPM as the RADIUS accounting server.

D. On Central set up CPPM as a Webhook application.

Question # 13

How does Aruba Central handle security for site-to-site connections between AOS 10 gateways?

A. It uses Aruba proprietary integrity and encryption technologies to secure site-to-site connections, making them resistant to zero-day attacks.

B. It automatically establishes IPsec tunnels for all site-to-site (all HUBs and Branches) connections using keys securely distributed by Central.

C. It automatically steers traffic away from Internet-based connections to more secure MPLS connections to reduce encryption overhead.

D. It automatically establishes simple-to-manage and highly secure TLSv1.3 tunnels between gateways.

Question # 14

A company has an Aruba ClearPass server at 10.47.47.8, FQDN radius.acnsxtest.local. This exhibit shows ClearPass Policy Manager's (CPPM's) settings for an Aruba Mobility Controller (MC).

[Exhibit image not included]

The MC is already configured with RADIUS authentication settings for CPPM, and RADIUS requests between the MC and CPPM are working. A network admin enters and commits this command to enable dynamic authorization on the MC:

aaa rfc-3576-server 10.47.47.8

But when CPPM sends CoA requests to the MC, they are not working. This exhibit shows the RFC 3576 server statistics on the MC:

[Exhibit image not included]

How could you fix this issue?

A. Change the UDP port in the MCs’ RFC 3576 server config to 3799.

B. Enable RadSec on the MCs’ RFC 3676 server config.

C. Configure the MC to obtain the time from a valid NTP server.

D. Make sure that CPPM is using an ArubaOS Wireless RADIUS CoA enforcement profile.

Question # 15

Refer to the exhibit.

[Exhibit image not included]

Which security issue is possibly indicated by this traffic capture?

A. An attempt at a DoS attack by a device acting as an unauthorized DNS server

B. A port scan being run on the 10.1.7.0/24 subnet

C. A command and control channel established with DNS tunneling

D. An ARP poisoning or man-in-the-middle attempt by the device at 94:60:d5:bf:36:40

Question # 16

Refer to the scenario.

This customer is enforcing 802.1X on AOS-CX switches to Aruba ClearPass Policy Manager (CPPM). The customer wants switches to download role settings from CPPM. The “reception-domain” role must have these settings:

— Assigns clients to VLAN 14 on switch 1, VLAN 24 on switch 2, and so on.

— Filters client traffic as follows:

— Clients are permitted full access to 10.1.5.0/24 and the Internet

— Clients are denied access to 10.1.0.0/16

The switch topology is shown here:

[Exhibit image not included]

How should you configure the VLAN setting for the reception role?

A. Assign a consistent name to VLAN 14, 24, or 34 on each access layer switch and reference that name in the enforcement profile VLAN settings.

B. Configure the enforcement profile as a downloadable role, but specify only the role name and leave the VLAN undefined. Then define a 'reception' role with the correct VLAN setting on each individual access layer switch.

C. Assign a number-based ID to the access layer switches. Then use this variable in the enforcement profile VLAN settings: %{NAS-ID}4.

D. Create a separate enforcement profile with a different VLAN ID for each switch. Add all profiles to the profile list in the appropriate enforcement policy rule.

Question # 17

Refer to the scenario.

A customer is migrating from on-prem AD to Azure AD as its sole domain solution. The customer also manages both wired and wireless devices with Microsoft Endpoint Manager (Intune).

The customer wants to improve security for the network edge. You are helping the customer design a ClearPass deployment for this purpose. Aruba network devices will authenticate wireless and wired clients to an Aruba ClearPass Policy Manager (CPPM) cluster (which uses version 6.10).

The customer has several requirements for authentication. The clients should only pass EAP-TLS authentication if a query to Azure AD shows that they have accounts in Azure AD. To further refine the clients’ privileges, ClearPass also should use information collected by Intune to make access control decisions.

Assume that the Azure AD deployment has the proper prerequisites established.

You are planning the CPPM authentication source that you will reference as the authentication source in 802.1X services.

How should you set up this authentication source?

A. As Kerberos type

B. As Active Directory type

C. As HTTP type, referencing the Intune extension

D. As HTTP type, referencing Azure AD's FQDN

Question # 18

A customer has an AOS 10-based mobility solution, which authenticates clients to Aruba ClearPass Policy Manager (CPPM). The customer has some wireless devices that support WPA2 in personal mode only.

How can you meet these devices’ needs but improve security?

A. Use MPSK on the WLAN to which the devices connect.

B. Configure WIDS policies that apply extra monitoring to these particular devices.

C. Connect these devices to the same WLAN to which 802.1X-capable clients connect, using MAC-Auth fallback.

D. Enable dynamic authorization (RFC 3576) in the AAA profile for the devices.
