HPE7-A02 Practice Exam Questions with Answers Aruba Certified Network Security Professional Exam Certification

802.1X Service Rules:

Service rules define the criteria for when a specific service applies (e.g., wireless vs. wired authentication).

For wired 802.1X authentication to work properly, the service rules need to differentiate between wireless and wired connections.

If you copy the wireless service, the rules likely still match wireless-specific criteria. These must be updated to include wired-specific conditions (e.g., NAS IP or port types).

Option Analysis:

Option A (Role mapping policy): Role mapping policies determine user roles based on attributes but are not critical for differentiating wired vs. wireless.

Option B (Authentication methods): Authentication methods (e.g., EAP) remain the same for both wireless and wired 802.1X.

Option C (Authentication source): Authentication sources (like AD or internal database) do not need to change.

Option D (Service rules): Correct. Updating the service rules ensures the new 802.1X service applies specifically to wired connections.

To support the detection of denial of service (DoS) attacks on AOS-CX switches, deploying an NAE (Network Analytics Engine) agent to monitor control plane policing (CoPP) is the best approach. NAE agents provide real-time analytics and monitoring capabilities, allowing administrators to detect anomalies and potential DoS attacks, such as ping or ARP floods, more quickly and efficiently. Control plane policing helps protect the switch’s CPU from unnecessary or malicious traffic, and the NAE agent can alert administrators when thresholds are exceeded, providing a proactive measure to detect and mitigate DoS attacks.

To block all clients connected through HPE Aruba Networking Central-managed APs from accessing YouTube, you should enable DPI (Deep Packet Inspection) and then create application rules to deny YouTube on the firewall roles. DPI allows the network to inspect and classify traffic based on application signatures, making it possible to enforce application-specific policies. By creating rules that specifically block YouTube traffic, you can effectively prevent clients from accessing the service.

Custom Device Fingerprinting on CPPM:

To create a custom fingerprint, you first need to connect a known device of that type to the network.

CPPM will discover the device in its Endpoints Repository, allowing you to analyze its attributes (e.g., MAC OUI, DHCP options) and create custom profiling rules.

Option Analysis:

Option A: Correct. Discovering a known device in the Endpoints Repository is a prerequisite for creating accurate custom fingerprint rules.

Option B: Incorrect. CPDI integration is not required for custom fingerprints on CPPM.

Option C: Incorrect. XML rules are not pre-defined; they are created dynamically based on observed attributes.

Option D: Incorrect. The "Automatically download Endpoint Profiler Fingerprints" setting is unrelated to custom profiling.

HPE Aruba Central Live Monitoring:

Aruba Central provides real-time Live Monitoring of network devices, including:

Application usage statistics.

Trends and changes over time for specific devices.

This information is presented in a clear and easy-to-read format, making it ideal for examining changes in application usage over different time ranges.

Option Analysis:

Option A: Incorrect. ClearPass OnGuard monitors endpoint compliance (e.g., antivirus, OS version) but does not analyze application usage.

Option B: Correct. Aruba Central's Live Monitoring page is specifically designed for this type of analysis.

Option C: Incorrect. ClearPass Insight generates endpoint security reports but does not track application usage.

Option D: Incorrect. ClearPass Device Insight (CPDI) focuses on device profiling and identification, not continuous application monitoring.

For a faster way to discover if a gateway starts detecting threats in traffic, admins should set up email notifications using HPE Aruba Networking Central's global alert settings. This setup ensures that the security team is promptly informed via email whenever the IDS/IPS on the gateways detects any threats, allowing for immediate investigation and response.

1.Email Notifications: By configuring email notifications, admins can receive real-time alerts directly to their inbox, reducing the time to discover and react to security incidents.

2.Global Alert Settings: HPE Aruba Networking Central's global alert settings allow for customization of alerts based on specific security events and thresholds, providing flexibility in monitoring and response.

3.Proactive Monitoring: This proactive approach ensures that the security team is always aware of potential threats without the need to constantly check the Security Dashboard manually.

RADIUS Change of Authorization (CoA):

CoA is triggered when ClearPass determines that a client’s posture status has changed (e.g., Healthy, Quarantine).

The RADIUS enforcement policy is where you configure actions and enforcement profiles that respond to these posture changes.

Option Analysis:

Option A: Correct. RADIUS enforcement policies are used to configure actions, including triggering CoA.

Option B: Incorrect. OnGuard settings configure posture agent behavior, not enforcement rules.

Option C: Incorrect. The posture policy evaluates compliance but does not trigger CoA.

Option D: Incorrect. WEBAUTH enforcement policies are for web-based authentication, not posture-related CoA.

For a company with AOS-CX switches and HPE Aruba Networking APs running AOS-10, where 802.1X authentication is required on all edge ports, you should configure all edge ports in client auth-mode. This mode ensures that each client connecting through the APs is authenticated individually, maintaining the security policy requirements for 802.1X authentication on all connections.

To ensure that the AOS-CX switch properly assigns the "employees" role when using CPPM (ClearPass Policy Manager) as the RADIUS server, you should configure a RADIUS Enforcement profile on CPPM with the Aruba-User-Role VSA (Vendor-Specific Attribute) set to "employees". This configuration ensures that when an endpoint authenticates, CPPM sends the appropriate role assignment to the AOS-CX switch, which then applies the corresponding policies and VLAN settings defined for the "employees" role.

To simplify the setup of 802.1X authentication with HPE Aruba Networking ClearPass Policy Manager (CPPM) and ensure clients are steered to the correct VLANs for local forwarding, you should assign consistent names to VLANs of the same type across the AOS-CX switches and have user-roles reference these names. This approach allows for a more straightforward configuration and management process, as the user roles can apply consistent policies based on VLAN names rather than specific IDs. It also helps in maintaining clarity and reducing errors in VLAN assignments across different switches.

To ensure that HPE Aruba Networking ClearPass Policy Manager (CPPM) can apply the correct access levels based on a client's device category after discovering new clients, you need to enable the "Profile Endpoints" option in the Service tab. This option allows CPPM to profile and categorize endpoints dynamically, ensuring that the appropriate access levels are applied based on the device's characteristics. Enabling this feature ensures that new devices are accurately profiled and that access policies can be enforced based on the updated device information.

RAPIDS Ad-Hoc Detection:

The alert "Detect ad-hoc using Valid SSID" indicates that a device is broadcasting an SSID that matches a valid network SSID in ad-hoc mode. This can be an indication of an infrastructure attack or misconfiguration.

Next Steps:

Use Aruba Central floorplans or AP location data to identify the physical area where the offending device is detected.

Locate and investigate the device to determine if it is malicious or simply misconfigured.

Option Analysis:

Option A: Incorrect. While tuning thresholds is useful for reducing false positives, this step does not directly address a potential threat.

Option B: Incorrect. Faulty drivers can cause similar behavior, but this step is not immediately actionable without locating the device first.

Option C: Correct. Floorplans or AP identities help locate the threat's physical area for further investigation.

Option D: Incorrect. RAPIDS focuses on detecting devices via SSID and MAC, not IP addresses, making this approach less relevant.

To support the requirement for HPE Aruba Networking ClearPass Policy Manager (CPPM) to have HTTP User-Agent strings for profiling devices, you should add the CPPM server's IP address to the IP helper list in all client VLANs on routing switches. This configuration ensures that DHCP requests and other relevant client traffic are forwarded to CPPM, allowing it to capture HTTP User-Agent strings and use them for device profiling.

1.IP Helper Configuration: Adding CPPM to the IP helper list ensures that the switch forwards DHCP and other client traffic to CPPM, enabling it to gather necessary information for profiling.

2.User-Agent Strings: By receiving client traffic, CPPM can analyze HTTP headers and capture User-Agent strings, which provide valuable information about the client's device and browser.

3.Profiling Support: This approach supports the comprehensive profiling of devices, allowing CPPM to apply appropriate policies based on detailed device information.

Contextual Exchange for Better Decisions:

HPE Aruba ClearPass can integrate with third-party solutions like MDM and firewalls to exchange contextual information about endpoints (e.g., device type, posture, location).

This integration allows ClearPass and the third-party solutions to make better access control and security decisions.

For example:

An MDM can inform CPPM about device compliance, and CPPM can adjust enforcement policies dynamically.

Firewalls can receive updated context about users and devices to enforce policies more effectively.

Option Analysis:

Option A: Correct. Exchanging contextual information improves access control decisions.

Option B: Incorrect. CPPM does not provide signature-based threat detection.

Option C: Incorrect. CPPM does not offload policy decisions; it integrates for collaboration.

Option D: Incorrect. CPPM does not replace third-party traffic filtering capabilities.

To integrate HPE Aruba Networking ClearPass Policy Manager (CPPM) with HPE Aruba Networking ClearPass Device Insight (CPDI), one of the necessary tasks is to enable Insight in the CPPM server configuration settings. This configuration allows CPPM to communicate and share data with CPDI, facilitating the integration and enabling enhanced device profiling and policy enforcement capabilities.

1.Insight Enablement: Enabling Insight on the CPPM server allows it to leverage the data and capabilities of CPDI, integrating device profiling information into policy decisions.

2.Data Sharing: This integration ensures that CPPM can receive and use detailed device information from CPDI to make more informed policy enforcement decisions.

3.Configuration: Properly configuring the server settings to enable Insight ensures seamless communication and data flow between CPPM and CPDI.

To determine the VLAN settings for the "APs" role on AOS-CX switches, it is crucial to know whether the APs bridge or tunnel traffic on their SSIDs. If the APs are bridging traffic, the VLAN settings on the switch need to align with the VLANs used by the SSIDs. If the APs are tunneling traffic to a controller or gateway, the VLAN settings might differ as the traffic is encapsulated and forwarded through the tunnel. Understanding this aspect ensures that the VLAN configuration on the switches correctly supports the traffic forwarding method employed by the APs.

When Wireless IDS/IPS infrastructure detection reports RTS (Request to Send) and CTS (Clear to Send) rate anomalies triggered by neighboring APs, it is often an indication of unusual, but not necessarily malicious, behavior. These anomalies can be caused by neighboring APs operating normally but under specific conditions that trigger the alerts. Before assuming a security threat, it is recommended to tune the event thresholds to better match the environment and reduce false positives. This approach helps to distinguish between normal operations and potential DoS attacks.

ClearPass Device Insight Integration:

To integrate ClearPass Device Insight (CPDI) with ClearPass Policy Manager (CPPM), you must enable the Insight feature in the CPPM server configuration settings.

This ensures CPPM can share and receive profiling data with CPDI for device identification.

Option Analysis:

Option A: Incorrect. Root CA certificates are not required for this integration.

Option B: Correct. Enabling Insight on CPPM is essential for the integration to function.

Option C: Incorrect. WMI, SSH, and SNMP are not part of the CPDI integration prerequisites.

Option D: Incorrect. The Data Collector token is relevant to Aruba Central, not CPDI integration.

To configure the HPE Aruba Networking VIA solution for remote employees who need to download their VIA connection profile from the VPN Concentrator (VPNC) and ensure that only those who authenticate with their domain credentials through ClearPass Policy Manager (CPPM) can do so, you need to set up a VIA Authentication Profile. This profile should use the CPPM's RADIUS server group. Once the VIA Authentication Profile is created, you need to reference this profile in the VIA Web Authentication Profile. This configuration ensures that the authentication process requires employees to validate their credentials via CPPM before they can download the VIA connection profile.

Why Monitoring Control Plane Policing (CoPP) with an NAE Agent Is Effective for Detecting DoS Attacks

Control Plane Policing (CoPP): AOS-CX switches use CoPP to protect the CPU from excessive traffic caused by DoS attacks (e.g., ARP floods, ICMP floods). CoPP enforces rate limits and drops malicious traffic at the control plane level.

NAE (Network Analytics Engine) Agent:

The NAE on AOS-CX switches can monitor CoPP counters in real time and trigger alerts if thresholds for certain traffic types (e.g., ICMP, ARP) are exceeded.

Admins can use NAE to automate detection and respond faster to DoS attacks.

Analysis of Each Option

A. Deploy an NAE agent on the switches to monitor control plane policing (CoPP):

Correct:

NAE agents provide real-time visibility into CoPP behavior, helping detect DoS attacks more quickly.

By analyzing CoPP statistics, the NAE can pinpoint abnormal traffic patterns and alert admins.

This is the most efficient and scalable solution for this use case.

B. Configure the switches to implement RADIUS accounting to HPE Aruba Networking ClearPass and enable HPE Aruba Networking ClearPass Insight:

Incorrect:

While ClearPass can provide visibility into user authentication and device activity, it is not specifically designed to detect or mitigate DoS attacks against switches.

C. Implement ARP inspection on all VLANs that support end-user devices:

Incorrect:

ARP inspection helps mitigate ARP spoofing or poisoning, but it does not directly address detection of DoS attacks like ICMP or ARP floods.

It is a preventative measure, not a detection tool.

D. Enabling debugging of security functions on the switches:

Incorrect:

Debugging logs can help troubleshoot specific issues but are not practical for real-time detection of DoS attacks.

Enabling debugging can overload the switch and is not suitable for proactive monitoring.

Final Recommendation

Deploying an NAE agent to monitor CoPP is the best solution because it provides real-time detection, alerting, and insights into traffic patterns that indicate DoS attacks.

References

AOS-CX Network Analytics Engine (NAE) Configuration Guide.

HPE Aruba AOS-CX Control Plane Policing Documentation.

Best Practices for Protecting Switches Against DoS Attacks in Aruba Networks.

To ensure that HPE Aruba Networking APs (AOS-10) properly interact with HPE Aruba Networking ClearPass Policy Manager (CPPM) and dynamically update a client's enforcement profile based on new profile and posture information, you should enable Dynamic Authorization in the RADIUS server settings for CPPM. This allows ClearPass to send Change of Authorization (CoA) requests to the APs, prompting them to reapply the appropriate enforcement profiles based on updated information.

1.Dynamic Authorization: Enabling this feature allows ClearPass to dynamically push changes to the APs whenever there is new relevant information about a client's profile or posture.

2.Change of Authorization (CoA): This mechanism ensures that clients are assigned the correct enforcement profiles in real-time, based on the latest data.

3.Enhanced Policy Enforcement: This setup helps in maintaining accurate and up-to-date policy enforcement for clients on the network.

To configure access control policies for applications and resources that remote clients can access when connected to the VPN, you should configure these policies in the roles to which VIA clients are assigned after IKE (Internet Key Exchange) authentication on the VPNC. These roles define the permissions and access controls for the clients once they are authenticated, ensuring that they can only access the applications and resources allowed by their assigned roles.

1.IKE Authentication: After IKE authentication, clients are assigned specific roles that determine their access privileges.

2.Role-Based Access Control: By configuring access control policies within these roles, you can granularly control what resources and applications the remote clients can access over the VPN.

3.Security: This method ensures that access is managed securely and dynamically based on the role assigned to each client after successful authentication.

Hub-Spoke VPN Configuration:

HPE Aruba Central SD-WAN Orchestrator enables hub-spoke topology where branch gateways (BGWs) connect to VPN concentrators (VPNCs) located at data centers.

A key step in configuring this is defining which VPNCs the BGWs will prefer for connectivity.

The DC Preference List is configured in the BGW groups to prioritize the data centers to which BGWs connect.

Option Analysis:

Option A: Incorrect. VPN pools control IP allocation, not which branches connect to VPNCs.

Option B: Incorrect. IKE policies define key exchange mechanisms but are not part of the connection preference process.

Option C: Correct. Admins configure a DC preference list in BGW groups to determine connectivity priorities with VPNCs.

Option D: Incorrect. IPsec policies define encryption parameters at a global level, but this is not specific to the hub-spoke connection configuration.

When transitioning from Intrusion Detection System (IDS) mode to Intrusion Prevention System (IPS) mode, it’s critical to review and refine configurations to ensure legitimate traffic is not blocked. Here's the reasoning behind each option:

A. Disable traffic inspection and reboot before re-enabling traffic inspection with the new mode.

Incorrect:

Transitioning to IPS mode does not require a full reboot or disabling traffic inspection.

This step is unnecessary and could lead to downtime that impacts network operations.

B. Change the mode on one gateway at a time to establish a smoother transition period.

Incorrect:

While a phased approach might help in some large deployments, it does not directly address the potential for legitimate traffic to be blocked by IPS mode.

IPS operates in real-time, so misconfigured rules or policies need to be addressed before enabling IPS on any gateway.

C. Consider applying a stricter IPS policy to minimize issues during the transition period.

Incorrect:

A stricter IPS policy increases the likelihood of false positives, which could disrupt legitimate business-critical traffic.

During the transition, the focus should be on minimizing disruptions by fine-tuning policies, not making them stricter.

D. Check for legitimate traffic that has been flagged as a threat and allow list the associated rules.

Correct:

In IDS mode, the system only detects and logs suspicious traffic but does not block it. Reviewing these logs for false positives allows the organization to fine-tune policies and allow list legitimate traffic before transitioning to IPS mode.

By doing this, the company ensures that IPS mode will block actual threats while permitting legitimate traffic.

This is a proactive step to prevent unnecessary disruptions to normal operations when IPS mode is enabled.

References

HPE Aruba Gateway IDS/IPS Configuration Guide.

Best Practices for Transitioning from IDS to IPS Modes in Aruba Networks.

Aruba Network Threat Management Documentation.

To minimize disruption time if an AOS-CX switch reboots while implementing DHCP snooping and ARP inspection, you should save the IP-to-MAC bindings to external storage. This ensures that the DHCP snooping and ARP inspection tables, which are crucial for preventing spoofing attacks, are preserved across reboots. When the switch restarts, it can reload these bindings from the external storage, thereby maintaining network security and reducing the downtime associated with rebuilding these tables.

1.Preserving Bindings: Saving IP-to-MAC bindings to external storage ensures that these critical security tables are not lost during a reboot, maintaining network integrity.

2.Security Continuity: This practice helps to quickly restore security features like DHCP snooping and ARP inspection, minimizing the window of vulnerability.

3.Operational Efficiency: By preserving these bindings, the switch can resume normal operations faster, reducing disruption to network services.

Comprehensive Detailed Explanation

In a user-based tunneling (UBT) setup with reserved VLAN mode, VLAN 64 is used for routing traffic at the gateways. Since the IoT traffic is tunneled to the AOS-10 gateway:

On the gateways:

VLAN 64 must be configured in the iot-wired role for routing purposes.

On the switches:

VLAN 64 does not need to be configured on the access switch physical uplinks because the IoT traffic is tunneled directly to the gateway and does not rely on VLAN configurations at the access layer switches.

Reserved VLAN mode:

Ensures that traffic is encapsulated within the UBT tunnel, and VLANs like 64 are only relevant at the gateway for routing and enforcement.

Therefore, the correct configuration is to define VLAN 64 in the iot-wired role on the AOS-10 gateways and not on any physical interfaces.

References

Aruba AOS-CX UBT configuration guide.

Aruba AOS-10 Gateway Role and VLAN Management documentation.

The "Detect Valid SSID Misuse" event in Aruba's Wireless Intrusion Detection System (WIDS) indicates that a valid SSID, associated with your network, is being broadcast from an unauthorized source. This scenario often signals a potential rogue access point attempting to deceive clients into connecting to it (e.g., for credential harvesting or man-in-the-middle attacks).

1. Explanation of Each Option

A. Clients are failing to authenticate to corporate SSIDs. You should first check for misconfigured authentication settings and then investigate a possible threat:

Incorrect:

This event is not related to authentication failures by legitimate clients.

Misconfigured authentication settings would lead to events like "authentication failures" or "radius issues," not "valid SSID misuse."

B. Admins have likely misconfigured SSID security settings on some of the company's APs. You should have them check those settings:

Incorrect:

This event refers to an external device broadcasting your SSID, not misconfiguration on the company’s authorized APs.

WIDS differentiates between valid corporate APs and rogue APs.

C. Hackers are likely trying to pose as authorized APs. You should use the detecting radio information and immediately track down the device that triggered the event:

Correct:

This is the most likely cause of the "detect valid SSID misuse" event. A rogue AP broadcasting a corporate SSID could lure clients into connecting to it, exposing sensitive credentials or traffic.

Immediate action includes:

Using the radio information from the event logs to identify the rogue AP's location.

Physically locating and removing the rogue device.

Strengthening WIPS/WIDS policies to prevent further misuse.

D. This event might be a threat but is almost always a false positive. You should wait to see the event over several days before following up on it:

Incorrect:

While false positives are possible, "valid SSID misuse" is a critical security event that should not be ignored.

Delaying action increases the risk of successful attacks against your network.

2. Recommended Steps to Address the Event

Review Event Logs:

Gather details about the rogue AP, such as SSID, MAC address, channel, and signal strength.

Locate the Rogue Device:

Use the detecting AP's radio information and signal strength to triangulate the rogue AP's physical location.

Respond to the Threat:

Remove or disable the rogue device.

Notify the security team for further investigation.

Prevent Future Misuse:

Strengthen security policies, such as enabling client whitelists or enhancing WIPS protection.

References

Aruba WIDS/WIPS Configuration and Best Practices Guide.

Aruba Central Security Event Analysis Documentation.

Wireless Threat Management Using Aruba Networks.

In a client-to-site VPN based on tunnel-mode IPsec, the remote clients and a gateway at the main site are responsible for the IPsec encapsulation. The remote clients initiate the VPN connection and encapsulate their traffic in IPsec, which is then decapsulated by the gateway at the main site.

1.IPsec Encapsulation: The remote clients encapsulate their traffic using IPsec protocols before sending it over the internet to the main site.

2.Gateway Role: The gateway at the main site receives the encapsulated traffic, decapsulates it, and forwards it to the internal network. Similarly, traffic from the main site to the remote clients is encapsulated by the gateway and decapsulated by the clients.

3.Security: This setup ensures that data is securely transmitted between the remote clients and the main site, protecting it from eavesdropping and tampering.

When configuring 802.1X authentication on edge ports of an AOS-CX switch and assigning VoIP phones to a "voice" role, the correct approach is to configure VLAN 12 as the allowed trunk VLAN in the "voice" role. This setup ensures that traffic tagged for VLAN 12 is appropriately managed by the role applied to the VoIP phones. In AOS-CX switches, the role-based VLAN configuration allows for more granular control and ensures that the VoIP phones' traffic is handled correctly without altering the edge port settings, which typically operate with default settings for authentication.

802.1X Authentication Workflow: Requires the root CA certificate of the issuing authority for the supplicants’ certificates. This ensures that the server can validate the client certificate during the EAP-TLS handshake.

Trusted CA Usage: In ClearPass, certificates with "Trusted CA" usage are used for validating client and server identities during secure authentication exchanges.

Option A: Incorrect. The "ClearPass Server certificate" is used for server-side identity verification and is not used to validate client certificates.

Option B: Incorrect. Database usage is unrelated to RADIUS/EAP or certificate validation.

Option C: Incorrect. While LDAP/AD integration supports certificate validation, this is not the primary purpose of Trusted CAs for 802.1X.

Option D: Correct. Trusted CAs for EAP are required to validate client certificates during the authentication process.

By uploading the root CA as a "Trusted CA with EAP usage," the CPPM can properly authenticate the certificates presented by the supplicants during EAP-TLS negotiations.

When using "Tips

" conditions within an 802.1X service's enforcement policy, you should enable caching roles and posture attributes from previous sessions in the service's enforcement settings. This ensures that ClearPass retains posture information from previous authentications, which is necessary for making decisions based on the current posture state of an endpoint. By caching these attributes, ClearPass can apply appropriate enforcement actions based on the device's posture status.

One use case that companies can fulfill using HPE Aruba Networking ClearPass Policy Manager's (CPPM's) Device Profiler is leveraging artificial intelligence to more accurately identify Internet of Things (IoT) devices. ClearPass Device Profiler uses AI and machine learning to analyze network traffic and device behavior, providing detailed and accurate identification of IoT devices on the network. This helps in managing and securing diverse and numerous IoT devices by ensuring they are correctly profiled and assigned appropriate access policies.

To tunnel VoIP phone traffic from AOS-CX switches to an HPE Aruba Networking gateway, you need to configure a User-Based Tunneling (UBT) reserved VLAN on the switches. This VLAN is dedicated for tunneling purposes and ensures that the VoIP traffic is correctly identified and tunneled to the gateway where security policies can be applied.

1.UBT Configuration: Setting a UBT reserved VLAN ensures that the switch knows which VLAN to use for tunneling traffic to the gateway.

2.Traffic Tunneling: The reserved VLAN helps in segregating the VoIP traffic, ensuring it is handled securely and according to the configured policies at the gateway.

3.Policy Application: By tunneling the traffic, the gateway can apply advanced security policies to the VoIP traffic.

Rogue AP Containment Methods:

HPE Aruba Networking recommends using wireless deauthentication as the preferred method for rogue AP containment.

Deauthentication sends deauth frames to clients connected to rogue APs, causing them to disconnect. This method is effective without introducing unnecessary disruptions to the wired infrastructure.

Key Points:

Wireless Deauthentication is simple, efficient, and widely supported across client devices.

Tarpit Containment is more aggressive and may cause unintentional disruptions to legitimate clients.

Wired Containment involves blocking traffic at the switch level but is complex and may impact legitimate infrastructure traffic.

Option Analysis:

Option A: Correct. Wireless deauthentication is the recommended method as it targets rogue AP clients without excessive network impact.

Option B: Incorrect. Combining wireless tarpit and wired containment is overkill and not typically recommended.

Option C: Incorrect. Wireless tarpit can be effective but is generally not the first choice due to its aggressive nature.

Option D: Incorrect. Wired containment is more complex and reserved for specific use cases, not general recommendations.