Aruba Certified ClearPass Associate 6.5 v7.0
Question 1
What does a client need for it to perform EAP-TLS successfully? (Select two.)
- A. Username and Password
- B. Server Certificate
- C. Pre-shared key
- D. Certificate Authority
- E. Client Certificate
Answer : B,E
Explanation:
Referencehttps://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-
BYOD/Binary-comparison-in-EAP-TLS-Authentication/ta-p/257857
Question 2
What happens when a client successfully authenticates but does not match any
Enforcement Policy rules?
- A. no role is applied to the device
- B. logon profile is applied to the device
- C. default Enforcement profile is applied
- D. guest rule is applied to the device
- E. defaultrule is applied to the device
Answer : C
Explanation:
The first time a device connects, it's allowed on in a limited state (session timeout is a low value and DHCP is allowed) because it doesn't match any Enforcement policy rules based on Endpoint Category. The default enforcement profile is used.
References:
Question 3
Which statement most accurately describes how the HTTP collector words for profiling?
- A. HTTP packets are inspected whena user accesses any guest page on ClearPass.
- B. When a user access the Aruba controller captive portal page, HTTP packets are captured by ClearPass.
- C. HTTP packets are inspected only when a user accesses the ClearPass administration UI page.
- D. When a user accesses any internet page, HTTP packets are captured by ClearPass.
- E. HTTP packets are forwarded from the Controller to ClearPass.
Answer : E
Question 4
Which authentication type allows a device to authenticate with a client certificate?
- A. 802.1X/EAP
- B. WEP Authentication
- C. MAC Authentication
- D. Captive Portal Authentication
- E. Open System Authentication
Answer : A
Explanation:
Referencehttps://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-
BYOD/Binary-comparison-in-EAP-TLS-Authentication/ta-p/257857
Question 5
Which type of ClearPass service is used to process health checks from the OnGuard agent?
- A. WebAuth
- B. RADIUS
- C. TACACS
- D. HTTP
- E. AppAuth
Answer : A
Explanation:
Referencehttps://community.arubanetworks.com/aruba/attachments/aruba/aaa-nac-guest- access-byod/21122/1/OnGuard%20config%20Tech%20Note%20v1.pdf
Question 6
What is the purpose of a guest self-registration page in ClearPass?
- A. to allow employees to get their own devices securely connected to the network
- B. to allow contractors to create their own accounts inActive Directory
- C. to allow employees’ sponsors to create accounts for their guests
- D. to allow employees to easily get their corporate devices on the network
- E. to allow guest users to create a login account for the web login page
Answer : B
Explanation:
Explanation -
Guest self-registration allows an administrator to customize the process for guests to create their own visitor accounts. Self-registration is also referred to as self-provisioned access
Referencehttp://www.arubanetworks.com/techdocs/ClearPass/6.6/Guest/Content/Configur ation/CustomizingSelfProvisionedAccess.htm
Question 7
An organization wants to ensure a clients antivirus is installed and up to date prior to allowing network access.
Which ClearPass feature can be used to accomplish this?
- A. Guest with sponsor approval
- B. OnGuard
- C. Guest with self-registration
- D. Onboarding
- E. RADIUSAuthorization
Answer : B
Question 8
Which Operating Systems can use Network Access Protection (NAP) policy agents?
(Select two.)
- A. Windows XP
- B. Android
- C. Windows 7
- D. Mac OS X
- E. iOS 6 and higher
Answer : CD
Question 9
Where is the web login page created in the ClearPass UI?
- A. WebAuth Service
- B. Captive Portal Profile
- C. ClearPass Policy Manager
- D. Guest LoginService
- E. ClearPass Guest
Answer : B
Explanation:
Referencehttp://www.arubanetworks.com/techdocs/ClearPass/CPGuest_UG_HTML_6.5/C ontent/Configuration/CreateEditWebLogin.htm
Question 10
How is ClearPass enabled to perform DHCP profiling for devices in a network?
- A. by enabling a port mirror on the network access device to mirror all user traffic toClearPass
- B. by enabling DHCP relay on our network access devices so DHCP requests are forwarded to ClearPass
- C. by enabling the ‘DHCP ignore’ feature on network access devices
- D. by configuring ClearPass as a secondary DHCP server on the client
- E. by enabling profiling on ClearPass; configuration of the network access devices is not necessary
Answer : B
Explanation:
Referencehttps://community.arubanetworks.com/aruba/attachments/aruba/ForoenEspanol/
653/1/ClearPass%20Profiling%20TechNote.pdf
Question 11
Refer to the exhibit. A user has enabled ‘department’ and ‘memberOf’ as roles.
What is the direct effect of the user’s action?
- A. The users authentication will be rejected if the user does not have an admin user group membership in AD.
- B. The user’s memberOf attribute is sent back to the controller as a firewall role.
- C. The users department and group membership will be seen in the Access tracker roles section.
- D. The users authentication will be rejected if the user does nothave a department attribute in AD.
- E. The user’s department is sent back to the controller as a firewall role.
Answer : A
Question 12
A ClearPass deployment needs to be designed to determine whether a user authenticating is an HR department employee in the Active Directory Server and whether the users device is healthy.
Which policy service components will the network administrator need to use?
- A. Posture, Authentication and Authorization
- B. Posture and Firewall Roles
- C. Posture and Onboard
- D. Authentication andAuthorization
- E. Posture, Authentication and Onboarding
Answer : A
Explanation:
Referencehttp://www.arubanetworks.com/techdocs/ClearPass/Aruba_CPPMOnlineHelp/Co ntent/CPPM_UserGuide/About%20ClearPass/About_ClearPass.htm
Question 13
Which most accurately describes the First Applicable rule evaluation algorithm in
Enforcement Policies?
- A. Each rule is checked and once a match is found, the Enforcement profile assigned to that rule is applied and the rule matching stops.
- B. All rules are checked and if there is no match, no Enforcement profile is applied.
- C. Each rule is checked and once a match is found, the Enforcement profile assigned to that rule is applied. along with the default Enforcement profile.
- D. All rules are checked for any matching rules and their respective Enforcement profiles are applied.
Answer : D
Question 14
What is the purpose of a RADIUS IETP Session Timeout attribute being sent to an Aruba
Controller when a guest authenticates successfully?
- A. For the controller to initiate a RADIUS re-authentication automatically when the time limit is reached.
- B. For ClearPass to send a RADIUS CoA message to the client when the time limit is reached.
- C. For the user to initiate a RADIUS re-authentication when the time limit is reached.
- D. For ClearPass to send a RADIUS CoA message when the time limit is reached.
- E. For the Controller to end the user’s authenticated session when the time limit is reached.
Answer : E
Question 15
Based on the self-registration customization, what is the expected outcome?
- A. When the user connects to an ArubaNAD device, the user will be redirected to this self- registration page.
- B. When the user completes the self-registration form, a NAS login request will be sent from the client to ClearPass alternate domain at securelogin.arubanetworks.com.
- C. When the userbrowses to securelogin.arubanetworks.com, the user will be redirected to the self-registration page.
- D. User credentials will be sent to the NAD device when the user clicks the login button on the self-registration receipt page.
- E. When the user clicks the register button on the self-registration page, user credentials will be sent to the NAD.
Answer : B